├── README.md
├── setips-releasenotes.md
├── LICENSE.txt
└── setips.sh

/README.md:
--------------------------------------------------------------------------------
# setips Script

NOTE: COPY/PASTE BOTH LINES into your CAP shell/console

## OFFLINE
```bash
wget http://10.2.2.4:3000/spatiald/setips/raw/master/setips.sh -O /root/setips.sh; \
chmod +x /root/setips.sh; /root/setips.sh
```

## ONLINE
[If required] Install git:
```bash
apt update; apt -y install git
```

Use git to clone the repository. For Linux:
```bash
git clone https://github.com/spatiald/setips.git
```

Once the `setips` folder downloads, you can update by changing into the setips directory and typing:
```bash
git pull
```

Run the following to make the script executable:
```bash
chmod +x setips.sh
```

We recommend running the script in interactive mode first to learn its capabilities:
```bash
./setips.sh
```

Some commands can also run as one-liners from the command line. See `Usage` and `Examples` below.

## Usage
```
Usage: [-h] [-l] [-r] [-a ]
       [-f ] [-d ] [-u]
```

#### Examples:
Display this help menu.
```bash
./setips.sh -h
```

List current IPTables rules.
```bash
./setips.sh -l
```

Repair the current IPTables ruleset by removing duplicates, removing rules that conflict with SNAT source IP manipulation, and saving a backup.
```bash
./setips.sh -r
```

Add a single IPTables rule - by default, it will append to the iptables file.
```bash
./setips.sh -a
```

Delete the single IPTables rule matching the input.
```bash
./setips.sh -d
```

Add a list of IPTables rules from a file - reads the file and appends SRC-NAT rules to the iptables file.
File format, one entry per line:
```bash
./setips.sh -f
```

Update the setips.sh script with the RELEASE version from the Redteam wiki.
```bash
./setips.sh -u
```

## Troubleshooting

### Cloning error - "error: server certificate verification failed."
Add the following to your "git clone" command:
```
-c http.sslVerify=false
```

## License
Setips by spatiald is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/legalcode).

### You are free to:
`Share` — copy and redistribute the material in any medium or format

`Adapt` — remix, transform, and build upon the material for any purpose, even commercially.

The licensor cannot revoke these freedoms as long as you follow the license terms.

### Under the following terms:
`Attribution` — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.

`ShareAlike` — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

`No additional restrictions` — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

### Notices:
You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.

No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.
--------------------------------------------------------------------------------
/setips-releasenotes.md:
--------------------------------------------------------------------------------
# setips.sh RELEASE NOTES

## Current Version
Version: '3.4 (2025Apr06-2116)'
- CyberX2025 Version
- Cleaned code; refactored YAML

Version: '3.3 (2024Apr12-0133)'
- CyberX2024 Version
- Updated redirector tools (libreadline5 -> readline-common)
- Updated default YAML for recent changes to config file (checked with yamllint)
- Added spacing on initial install for readability
- (3.3a) disableStubResolver also removes the soft link /etc/resolv.conf
- (3.3b/c) updates to YAML config and use of netplan get/set
- (3.3d/e) updates to YAML; add MTU back to YAML; add check to clean addsubints file

Version: '3.2 (2022Apr11-1658)'
- CyberX2022 Version
- Fixed masquerade changes to target a specific interface
- Fixed MTU sed bug

Version: '3.1 (2021Feb06-1017)'
- CyberX2021 Version
- Massive clean-up and update to support the netplan structure and ip commands
- Removed unused modules (dual-gateways; autoSetIPsOnStart; installRecommendedTools)

Version: '3.0d (2020Apr15-1200)'
- CyberX2020 Version

Version: '3.0c (2018May13-1646)'
- Cyber Guard 2018 Version
- Updated sshfix script to run on each setips script run and to use systemd commands (enables the ssh service and allows passwords)
- On newer Ubuntu/Kali releases, ip forwarding is enabled in /etc/sysctl.conf (fixed!)

Version: '3.0 (2018Apr10-1701)'
- Requires >= Kali 2018.1 or Ubuntu 17.04
- Removed /etc/resolv.conf
- Converted to systemd

Version: '2.9 (2017Jun12-2311)'
- Major code cleanup to minimize ifconfig use; bug fixes in most functions; added function to remove socat pivots (v2.9)

Version: '2.8 (2017Mar30-2112)'
- Set default opMode to "ask"; ready for next event
- Fixed static IP setup function; added redirector setup w/tools (v2.8a)
- Added function to randomize source IP on all outgoing packets; do not randomize source IPs by default in the addInts and SSH SOCKS Proxy functions (v2.8b)

Version: '2.7 (2017Feb15-2147)'
- Updated inundator (-x option) to check for pre-reqs and install/download, if necessary
- /etc/rc.local wasn't modified correctly to be executable
- networkLevel check refined; "off" doesn't prompt for networkLevel
- Added support to remotely set up redirectors; under Setup menu
- Added option to add more redirector ips to the current box
- Changed menu option "Export" to "View-Info" to more accurately reflect its purpose (and because Don and John couldn't figure out what it was doing)
- Added dual gateway support (v2.7d)
- Fixed interface identification; caused issues with various functions (v2.7e)
- Changed ipconfig to ifconfig (oops); reworked setupStaticIP function (v2.7f)
- Poor attempts to fix what the "in-game" Kali broke in networking output (v2.7g-v2.7i)
- MASSIVE update to support both "normal" and "in-game" Kali instances that are dumb (v2.7j)
- Collect static IP info prior to changing /etc/network/interfaces (v2.7k)
- Error checking on add sub ints; fixed remove sub ints failure; cleaned up tabs vs spaces (v2.7l)

Version: '2.6 (2016Feb15-1435)'
- Updated setips

Version: '2.4 (2016Jan11-1300)'
- Fixed the updater for master/beta versions

Version: '2.3 (2016Jan11-1118)'
- Bug fixes in Snort community.rules download/update

Version: '2.2 (2016Jan07-1033)'
- Formal release
- Added Powershell Empire support
- Updated setips support for Veil running on Kali 2.0
- Added snort community rules for Inundator
- Fixed inundator support on Kali 2.0

Version: '2.0 (2015Nov24-1433)'
- Updates galore...review the menus to see new options

Version: '1.11 (2015Jun18-0002)'
- Lots o' bug fixes
- Added ability to update to the BETA version with './setips.sh -z'
- Running './setips.sh -r' will hopefully repair problems with the system dropping subinterfaces/iptables on reboot

Version: '1.10 (2015Jun17-1645)'
- Bug fixes

Version: '1.9 (2015Jun16-2302)'
- Added check to ensure /etc/rc.local is executable
- SOCKS setup - shows netstat at the end of setup to verify your SOCKS proxy was set up correctly (the most common problem is a mistyped password)
- Changed all 'Y' or 'N' answers to not submit automatically, allowing the operator to correct their mistypes
- Fixed bug in inundator script
- Fixed bug in single SRC NAT entry

Version: '1.8 (2015Jun14-1936)'
- Fixed the script that re-adds your sub interfaces on system reboot (run 'setips.sh -r' to fix your already installed instance)
- Built-in script updater functionality; added "-u" option to update to the latest release version
- Fixed bug in script checking for the existence of the new setips-files directory and trying to make it twice
- Updated Inundator script to allow for use of a local proxy...asks for more details during build
- Minor bug fixes

Version: '1.7 (2015Jun11-2000)'
- Added option to Utilities menu to fix your /etc/ssh/sshd_config file so that root can login with a password
- Added "-x" option to start Inundator - sets up subinterfaces (if necessary), then runs inundator to replay snort rules, which "inundates" snort sensors by sending all the default snort rules across their sensors
- Changed "port" to "interface" when asking which interface the user is setting up

Version: '1.6 (2015Jun09-1910)'
- Added MASQUERADE back in, but at the bottom of the ruleset as a catch-all
- Fixed error from different iptables versions when trying to restore SNAT rules - error "multiple -j flags not allowed"
- CRITICAL ERROR - failed to set "echo 1 > /proc/sys/net/ipv4/ip_forward" when running -f and -s

Version: '1.5 (2015Jun09-0635)'
- New "interface" and options for quickly adding rules, deleting rules, and viewing current iptables, plus the normal interactive mode ("./setips.sh -h" will provide a full help menu)
- Cleans up iptables rulesets, removing duplicate lines
- Added a core "setips-files" folder in /root for storing all setips-created files
- SOCKS setup does not echo your password as you type
- Redirector friendly - actually changes your source address on every connection
  - this was noticed during SOCKS proxy testing: all outbound connections, regardless of the proxychains ip list, had the core IP of the redirector as their source...arg!
  - because of this, change your /etc/proxychains to "strict_chain"; comment out "random_chain", "chain_len", "proxy_dns"; you only need the core ip set in the list (example, "socks4 1.2.3.4 1080")
- Fixed error with setips-atboot.sh being named setips-atstart.sh
- Added protocol and subinterface IP to IPTables rules for more granularity on traffic (re)direction
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------

Creative Commons
Attribution-ShareAlike 4.0 International
Official translations of this license are available in other languages.

Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.

Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.

Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.

Creative Commons Attribution-ShareAlike 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.

Section 1 – Definitions.

a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.
c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.
d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.
h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.

Section 2 – Scope.

a. License grant.
   1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
      A. reproduce and Share the Licensed Material, in whole or in part; and
      B. produce, reproduce, and Share Adapted Material.
   2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
   3. Term. The term of this Public License is specified in Section 6(a).
   4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
   5. Downstream recipients.
      A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
      B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply.
      C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
   6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).

b. Other rights.
   1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
   2. Patent and trademark rights are not licensed under this Public License.
   3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.

Section 3 – License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the following conditions.

a. Attribution.
   1. If You Share the Licensed Material (including in modified form), You must:
      A. retain the following if it is supplied by the Licensor with the Licensed Material:
         i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
         ii. a copyright notice;
         iii. a notice that refers to this Public License;
         iv. a notice that refers to the disclaimer of warranties;
         v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
      B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
      C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
   2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
   3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.

b. ShareAlike.
   In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.
   1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.
   2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.
   3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.

Section 4 – Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:

a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.

Section 5 – Disclaimer of Warranties and Limitation of Liability.

a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.

Section 6 – Term and Termination.

a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
   1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
   2. upon express reinstatement by the Licensor.
   For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.

Section 7 – Other Terms and Conditions.

a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.

Section 8 – Interpretation.

a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.

Creative Commons is not a party to its public licenses.
Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.

Creative Commons may be contacted at creativecommons.org.

Additional languages available: Bahasa Indonesia, Nederlands, norsk, suomeksi, te reo Māori, українська, 日本語. Please read the FAQ for more information about official translations.
--------------------------------------------------------------------------------
/setips.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
#set -x
############################################################################
# Shellscript: "setips.sh" Generates random IPs for secondary interfaces
# and automates the creation of proxy servers, pivots, web/ftp servers, and
# other useful red team capabilities.
#
# Author : spatiald
############################################################################

scriptVersion=3.4

# Check that we're root
if [[ $UID -ne 0 ]]; then
    echo "Superuser (i.e. root) privileges are required to run this script."
    exit 1
fi

# Print version only, if requested
if [[ $1 == "--version" ]]; then
    echo "$scriptVersion"
    exit 0
fi

# Setup setips folder (for saving setips scripts/backup files)
setipsFolder="$HOME/setips-files" # Main setips data folder
if [[ ! -d "$setipsFolder" ]]; then
    mkdir -p "$setipsFolder" > /dev/null 2>&1
fi

# Logging
exec &> >(tee "$setipsFolder/setips.log")

# Write the default config file ($setipsConfig is set below, before the first call)
createConfig(){
cat > "$setipsConfig" << 'EOF'
# Setips config file
# Add custom variables here and they will supercede the default ones

## NETWORK INFO
IP="" # Secondary addresses are listed in comma-separated format "192.168.1.1/24,192.168.1.2/24"
GATEWAY=""
MTU="1500" # Normal is 1500
NAMESERVERS="" # Comma-separated format "1.1.1.1,9.9.9.9"
networkManager="networkd"
ethInt=""

## OTHER
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
netplanConfig="/etc/netplan/setips-network.yaml"
defaultMTU="1500" # The default MTU (change only when needed)
setipsFolder="$HOME/setips-files" # Main setips data folder
setipsGitFolder="$HOME/setips" # Cloned Git repo for setips
internet="" # "0"=Offline, "1"=Online, ""=(ie Blank) Force ask
redteamGogs="" # Redteam wiki full web address
EOF
}

### Setup config file
setipsConfig="$setipsFolder/setips.conf"
if [[ ! -f "$setipsConfig" ]]; then
    createConfig
fi

# Recreate the config if it contains nothing but the header line
if [[ -z "$(grep -v "#Setips config file" "$setipsConfig")" ]]; then
    createConfig
fi

### Import config file
# Use a private temp file rather than a fixed, predictable path in /tmp
setipsConfigClean="$(mktemp)"
# check if the file contains something we don't want
# NOTE: neither pattern below is anchored at the end of the line, so any
# "NAME=..." line passes the check; the file is then sourced as shell code.
if grep -E -q -v '^#|^[^ ]*=[^;]*' "$setipsConfig"; then
    echo "Config file is unclean, cleaning it..." >&2
    # filter the original to a new file
    grep -E '^#|^[^ ]*=[^;&]*' "$setipsConfig" > "$setipsConfigClean"
    mv "$setipsConfigClean" "$setipsConfig"
fi
# now source it, either the original or the filtered variant
source "$setipsConfig"

#stty sane # Fix backspace
trap cleanup EXIT # Cleanup if script exits for any reason

### DO NOT CHANGE the following
os="$(awk -F '=' '/^ID=/ {print $2}' /etc/os-release 2>&-)"
osIssue="$(cat /etc/issue|awk -F '\' '{ print $1 }')"
osVersion=$(awk -F '=' '/VERSION_ID=/ {print $2}' /etc/os-release 2>&-)
osFullVersion=$(awk -F '=' '/VERSION=/ {print $2}' /etc/os-release 2>&-)
currentDateTime=$(date +"%Y%b%d-%H%M")
# currentgw=$(route -n|grep eth0| head -n 1|cut -d"." -f4-7|cut -d" " -f10)
# ipsSaved="$setipsFolder/ips-saved.txt" # Save file for restoring IPs
ipsCurrent="$setipsFolder/ips.current"
ipsArchive="$setipsFolder/ips-archive.txt" # IP archive listed by date/time for reference during exercises
pivotRulesBackup="$setipsFolder/pivotRules"
iptablesBackup="$setipsFolder/iptables"
iptablesBackupFile="iptables-$currentDateTime"
subintsBackup="$setipsFolder/subints"
downloadError="0"
counter=0
fping=$(which fping)
ping=$(which ping)
wget=$(which wget)
curl=$(which curl)
iptables=$(which iptables)
socatDownload="apt -y install socat"
userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.3124.72"

# Coloured status line helpers
printGood(){
    echo -e "\x1B[01;32m[+]\x1B[0m $1"
}

printError(){
    echo -e "\x1B[01;31m[-]\x1B[0m $1"
}

printStatus(){
    echo -e "\x1B[01;35m[*]\x1B[0m $1"
}

printQuestion(){
    echo -e "\x1B[01;33m[?]\x1B[0m $1"
}

# Test function
testingScript(){
    $2
    exit 1
}

cleanup(){
```
# Remove clear screen commands from log file <-- created by the Veil scripts 131 | sed -i '/=======/d' $setipsFolder/setips.log 132 | # kill $! # Kills the last run background process 133 | # trap 'kill $1' SIGTERM 134 | 135 | # stty sane 136 | # echo; exit $? 137 | } 138 | 139 | osCheck(){ 140 | if [[ -z "$os" ]] || [[ -z "$osVersion" ]] || [[ -z "$osIssue" ]]; then 141 | printError "Internal issue. Couldn't detect OS information." 142 | elif [[ "$os" == "kali" ]]; then 143 | printGood "Kali Linux ${osVersion} $(uname -m) detected" 144 | elif [[ "$os" == "ubuntu" ]]; then 145 | osVersion=$(awk -F '["=]' '/^VERSION_ID=/ {print $3}' /etc/os-release 2>&- | cut -d'.' -f1) 146 | printGood "Ubuntu ${osFullVersion} $(uname -m) detected" 147 | elif [[ "$os" == "debian" ]]; then 148 | printGood "Debian ${osVersion} $(uname -m) detected" 149 | else 150 | printGood "$(echo $osIssue)" 151 | fi 152 | } 153 | 154 | opMode(){ 155 | opModeOnline(){ 156 | printGood "Script set for 'ONLINE' mode." 157 | internet="1" 158 | setOnline 159 | checkInternet 160 | } 161 | opModeOffline(){ 162 | printGood "Script set for 'OFFLINE' mode." 163 | internet="0" 164 | setOffline 165 | } 166 | if [[ -z $internet ]]; then 167 | # printGood "Script set for 'ASK EVERY TIME' mode." 168 | echo; printQuestion "Do you want to run in ONLINE or OFFLINE mode?" 169 | select MODE in "ONLINE" "OFFLINE"; do 170 | case $MODE in 171 | ONLINE) 172 | opModeOnline 173 | break 174 | ;; 175 | OFFLINE) 176 | opModeOffline 177 | break 178 | ;; 179 | esac 180 | printGood "Done." 181 | break 182 | done 183 | elif [[ $internet == "0" ]]; then 184 | opModeOffline 185 | elif [[ $internet == "1" ]]; then 186 | opModeOnline 187 | fi 188 | } 189 | 190 | # Check internet connectivity 191 | checkInternet(){ 192 | echo; printStatus "Checking internet connectivity..." 193 | if [[ $internet == "1" || -z $internet ]]; then 194 | # Use multiple methods to verify connectivity 195 | # 1. 
Try DNS resolution first (faster than full HTTP requests) 196 | if host -W 2 1.1.1.1 >/dev/null 2>&1 || host -W 2 google.com >/dev/null 2>&1; then 197 | # 2. Try ICMP ping to multiple reliable targets 198 | if $ping -c 1 -W 2 1.1.1.1 >/dev/null 2>&1 || $ping -c 1 -W 2 8.8.8.8 >/dev/null 2>&1; then 199 | # 3. Finally, try HTTP connectivity to diverse endpoints 200 | if $wget -q --spider --timeout=3 --tries=2 -U "$userAgent" https://1.1.1.1 >/dev/null 2>&1 || 201 | $wget -q --spider --timeout=3 --tries=2 -U "$userAgent" https://www.cloudflare.com >/dev/null 2>&1 || 202 | $curl -s --connect-timeout 3 -A "$userAgent" https://www.google.com >/dev/null 2>&1; then 203 | printGood "Internet connection confirmed...continuing." 204 | internet=1 205 | return 0 206 | fi 207 | fi 208 | fi 209 | 210 | # If we get here, all checks failed 211 | echo; printError "No internet connectivity; entering 'OFFLINE' mode." 212 | internet=0 213 | return 1 214 | fi 215 | return 0 216 | } 217 | 218 | # Capture a users Ctrl-C 219 | ctrlC(){ 220 | #stty sane 221 | echo; printError "Cancelled by user." 222 | echo; exit $? 223 | } 224 | 225 | # Check if command executed successfully...or not 226 | commandStatus(){ 227 | export EXITCODE="$?" 228 | if [[ $EXITCODE != 0 ]]; then 229 | printError "Command failed. Exit code: $EXITCODE" 230 | export downloadError="1" 231 | else 232 | printGood "Command successful." 233 | fi 234 | } 235 | 236 | firstTime(){ 237 | echo; printStatus "Running initial setup \"firstTime\" script" 238 | runningFirstTime=1 239 | # Set a root password, if needed 240 | echo; echo "[--------- ROOT PASSWORD ---------]" 241 | echo; printStatus "We need to set a password on the root user. If you already have one set, please select 'N'" 242 | printQuestion "Do you want to set/change root's password? (Y/n)"; read REPLY 243 | if [[ $REPLY =~ ^[Nn]$ ]]; then 244 | printGood "We will NOT change the root password." 
245 | else 246 | passwd 247 | fi 248 | 249 | # Update netplan config to setips naming 250 | if [[ ! -f $netplanConfig ]]; then 251 | echo; echo "[--------- NETPLAN ---------]" 252 | mkdir -p $setipsFolder/netplan.backups 253 | cd /etc/netplan 254 | for file in *.yaml*; do 255 | printStatus "Backing up all current network yaml scripts to $setipsFolder/netplan.backups folder." 256 | mv -nv -- "$file" "$setipsFolder/netplan.backups/$file.$(date +"%Y-%m-%d_%H-%M-%S")" > /dev/null 2>&1 257 | done 258 | fi 259 | 260 | # Change hostname [optional] 261 | setHostname 262 | 263 | # Identify ethernet interface 264 | echo; echo "[--------- ETHERNET INTERFACE ---------]" 265 | whatInterface 266 | # ethInt="$(ip l show | grep ^2: | cut -f2 -d':' | sed 's/^ *//g')" 267 | 268 | # Disable/stop DNS stub resolver 269 | disableStubResolver 270 | 271 | # Setup static IP 272 | setupStaticIP 273 | 274 | echo; printGood "Initial setup \"firstTime\" script complete." 275 | } 276 | 277 | # Pull core interface info into variables 278 | getInternetInfo(){ 279 | local internetInfo=$( ip r | grep default ) 280 | printf "%s" "$( echo $internetInfo | cut -f$1 -d' ' )" 281 | } 282 | 283 | # List IPs with interface assignments, one per line 284 | listIPs(){ 285 | echo; printStatus "Ethernet interface $ethInt assigned addresses:" 286 | #ip address show | grep "inet" | grep -v "inet6" | awk '{ print $2, $7, $8 }' | sed '/127.0/d' 287 | netplan get ethernets.$ethInt.addresses | cut -d "\"" -f2 | cut -d "\"" -f1 288 | } 289 | 290 | # List only subinterface assignments, one per line 291 | listSubIntIPs(){ 292 | ip address show $ethInt | grep "inet" | grep -v "inet6" | awk '{ print $2, $7, $8 }' | sed '/127.0/d' | tail -n +2 293 | } 294 | 295 | # List IPs, one per line 296 | listIPsOnly(){ 297 | ip address show $ethInt | grep "inet" | grep -v "inet6" | awk '{ print $2 }' | cut -d/ -f1 | sed '/127.0/d' 298 | } 299 | 300 | # List IPs, single line, comma-seperated for use in Armitage/Cobalt Strike 
"Teamserver" 301 | listIPs-oneline(){ 302 | listIPsOnly | awk '{printf "%s,",$0} END {print ""}' | sed 's/.$//' 303 | } 304 | 305 | # List interfaces available 306 | listInts(){ 307 | ip address show | grep "mtu" | awk '{ print $2 }' | sed "s/://g" | sed "/lo/d" 308 | } 309 | 310 | # List subinterface IPs, one per line 311 | listSubIntIPsOnly(){ 312 | ip address show $ethInt | grep "inet" | grep -v "inet6" | awk '{ print $2 }' | sed '/127.0/d' | tail -n +2 | cut -d/ -f1 | awk '{printf "%s\n",$0} END {print ""}' | sed '/^$/d' 313 | } 314 | 315 | # List subints with CIDR, one per line 316 | listSubInts(){ 317 | #ip address show | grep secondary | awk '{ print $2 }' 318 | netplan get ethernets.$ethInt.addresses | tail -n+2 | cut -d "\"" -f2 | cut -d "\"" -f1 319 | } 320 | 321 | # Find the core IP address in use 322 | listCoreInterfaces(){ 323 | echo; printStatus "Core IP addresses on this system:" 324 | ip address show | grep "inet" | grep -v "inet6" | grep -v "secondary" | awk '{ print $2, $NF }' | sed '/127.0/d' 325 | } 326 | 327 | listCoreIP(){ 328 | ip address show | grep "inet" | grep -v "inet6" | awk '{ print $2 }' | sed '/127.0/d' | head -n 1 329 | } 330 | 331 | # Ask which ethernet port you want to create subinterfaces for 332 | whatInterface(){ 333 | #stty sane 334 | # ints=$(ip address show | grep "inet" | grep -v "inet6" | grep -v "secondary" | awk '{ print $2, $7 }' | grep -v "127.0.0.1/8" | awk '{ print $2 }') 335 | listCoreInterfaces 336 | ints=$(ip address show | grep state | grep -v LOOPBACK | awk '{ print $2 }' | cut -d: -f1) 337 | echo; printQuestion "What ethernet interface?" 
338 | select int in $ints; do 339 | export ethInt=$int 340 | sed -i "/^ethInt=/c\ethInt=\"$int\"" $setipsConfig 341 | break 342 | done 343 | exec &> >(tee -a "$setipsFolder/setips.log") 344 | } 345 | 346 | # List IPs, single line, comma-seperated 347 | listIPs-oneline(){ 348 | # List IPs for use in Armitage/Cobalt Strike "Teamserver" 349 | ip address show $ethInt |grep "inet" |grep -v "inet6"|awk '{ print $2 }'|cut -d/ -f1| awk '{printf "%s,",$0} END {print ""}' | sed 's/.$//' 350 | } 351 | 352 | # Tests IP for connectivity 353 | pingTest(){ 354 | # Check for ping response (test 1) 355 | if [[ `which fping` ]]; then 356 | $fping -qc1 $unusedIP && (echo $unusedIP >> $tmpUsedIPs; return 1) || availIP=$unusedIP 357 | else 358 | $ping -qc1 $unusedIP && (echo $unusedIP >> $tmpUsedIPs; return 1) || availIP=$unusedIP 359 | fi 360 | # Check if in the running used IP list (test 2) 361 | if [[ $(cat $tmpUsedIPs | grep $availIP) ]]; then 362 | return 1 363 | else 364 | echo $availIP >> $tmpUsedIPs 365 | echo $availIP >> $tmpIPs 366 | fi 367 | } 368 | 369 | # Calculate # of IPs within the range requested 370 | howManyIPs(){ 371 | if [[ $class="A" ]]; then 372 | numOct2=$(echo $(( $(echo $octet2 | cut -d- -f2) - $(echo $octet2 | cut -d- -f1) + 1 ))) 373 | numOct3=$(echo $(( $(echo $octet3 | cut -d- -f2) - $(echo $octet3 | cut -d- -f1) + 1 ))) 374 | numOct4=$(echo $(( $(echo $octet4 | cut -d- -f2) - $(echo $octet4 | cut -d- -f1) + 1 ))) 375 | numPossIPs=$(($numOct2 * $numOct3 * $numOct4)) 376 | elif [[ $class="B" ]]; then 377 | numOct3=$(echo $(( $(echo $octet3 | cut -d- -f2) - $(echo $octet3 | cut -d- -f1) + 1 ))) 378 | numOct4=$(echo $(( $(echo $octet4 | cut -d- -f2) - $(echo $octet4 | cut -d- -f1) + 1 ))) 379 | numPossIPs=$(($numOct3 * $numOct4)) 380 | elif [[ $class="C" ]]; then 381 | numOct4=$(echo $(( $(echo $octet4 | cut -d- -f2) - $(echo $octet4 | cut -d- -f1) + 1 ))) 382 | numPossIPs=$numOct4 383 | fi 384 | } 385 | 386 | # Remove all secondary addresses 387 | 
removeSubInts(){ 388 | tmp=`mktemp` 389 | # rm -f $tmp 390 | # sed -i -e "0,/\[\([^]]*\)\]/s|\[\([^]]*\)\]|[$(listCoreIP)]|" $netplanConfig 391 | #netplan get ethernets.$ethInt.addresses | head -1 | cut -d "\"" -f2 | cut -d "\"" -f1 > $tmp 392 | listCoreIP > $tmp 393 | netplan set ethernets.$ethInt.addresses=null 394 | netplan set ethernets.$ethInt.addresses=[$(cat $tmp)] 395 | netplan generate; netplan apply 396 | echo; printStatus "Removed all secondary addresses." 397 | } 398 | 399 | octet1NumCheck(){ 400 | while true; do 401 | if [[ ! $octet1 =~ ^([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])$ ]]; then 402 | printError "You didn't specify a valid number." 403 | echo; printQuestion "What is the IP's first octet (number; ie 1-255)?"; read octet1 404 | else 405 | break 406 | fi 407 | done 408 | } 409 | octet2NumCheck(){ 410 | while true; do 411 | if [[ ! $octet2 =~ ^([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])$ ]]; then 412 | printError "You didn't specify a valid number." 413 | echo; printQuestion "What is the IP's second octet (number; ie 1-255)?"; read octet2 414 | else 415 | break 416 | fi 417 | done 418 | } 419 | octet3NumCheck(){ 420 | while true; do 421 | if [[ ! $octet3 =~ ^([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])$ ]]; then 422 | printError "You didn't specify a valid number." 423 | echo; printQuestion "What is the IP's third octet (number; ie 1-255)?"; read octet3 424 | else 425 | break 426 | fi 427 | done 428 | } 429 | octet2RangeCheck(){ 430 | while true; do 431 | if [[ ! $octet2 =~ ^([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\-([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])$ ]] || [[ ! $(echo $octet2 | cut -d"-" -f1) -le $(echo $octet2 | cut -d"-" -f2) ]]; then 432 | printError "You didn't specify a valid range." 433 | echo; printQuestion "What is the IP's second octet (range; ie 1-255)?"; read octet2 434 | else 435 | break 436 | fi 437 | done 438 | } 439 | octet3RangeCheck(){ 440 | while true; do 441 | if [[ ! 
$octet3 =~ ^([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\-([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])$ ]] || [[ ! $(echo $octet3 | cut -d"-" -f1) -le $(echo $octet3 | cut -d"-" -f2) ]]; then 442 | printError "You didn't specify a valid range." 443 | echo; printQuestion "What is the IP's third octet (range; ie 1-255)?"; read octet3 444 | else 445 | break 446 | fi 447 | done 448 | } 449 | octet4RangeCheck(){ 450 | while true; do 451 | if [[ ! $octet4 =~ ^([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\-([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])$ ]] || [[ ! $(echo $octet4 | cut -d"-" -f1) -le $(echo $octet4 | cut -d"-" -f2) ]]; then 452 | printError "You didn't specify a valid range." 453 | echo; printQuestion "What is the IP's fourth octet (range; ie 1-255)?"; read octet4 454 | else 455 | break 456 | fi 457 | done 458 | } 459 | # Add subinterfaces 460 | addSubInts(){ 461 | tmpIPs=`mktemp` 462 | tmp2IPs=`mktemp` 463 | tmpUsedIPs=`mktemp` 464 | 465 | # SUBNET 466 | echo; printQuestion "What subnet class are you creating IPs for?" 
467 | select class in "A" "B" "C"; do 468 | case $class in 469 | A) 470 | class="A" 471 | # Find out the range that we are setting 472 | echo; printQuestion "What is the IP's first octet (number)?"; read octet1 473 | octet1NumCheck 474 | printQuestion "What is the IP's second octet (range; ie 1-255)?"; read octet2 475 | octet2RangeCheck 476 | printQuestion "What is the IP's third octet (range; ie 1-255)?"; read octet3 477 | octet3RangeCheck 478 | printQuestion "What is the IP's fourth octet (range; ie 1-255)?"; read octet4 479 | octet4RangeCheck 480 | 481 | # Calculate # of IPs within the range requested 482 | howManyIPs 483 | 484 | # Ask how many subinterface ips the user would like 485 | echo; printQuestion "How many virtual ips (subinterfaces) would you like?"; read numberIPs 486 | until [[ $numberIPs = $(wc -l < $tmpIPs) ]]; do 487 | if [[ $(wc -l < $tmpUsedIPs) == $numPossIPs ]]; then echo; printError "Maximum number of possible IPs reached; you need to expand your IP pool."; return 1; fi 488 | unusedIP=$octet1"."$(shuf -i $octet2 -n 1)"."$(shuf -i $octet3 -n 1)"."$(shuf -i $octet4 -n 1) 489 | if [[ ! $(cat $tmpUsedIPs | grep $unusedIP) ]]; then pingTest; fi 490 | done 491 | sort -u $tmpIPs > $tmp2IPs; mv $tmp2IPs $tmpIPs 492 | echo; printGood "Identified $numberIPs available IPs; setting subinterface IPs!" 
493 | break 494 | ;; 495 | 496 | B) 497 | class="B" 498 | # Find out the range that we are setting 499 | echo; printQuestion "What is the IP's first octet (number)?"; read octet1 500 | octet1NumCheck 501 | printQuestion "What is the IP's second octet (number)?"; read octet2 502 | octet2NumCheck 503 | printQuestion "What is the IP's third octet (range; ie 1-255)?"; read octet3 504 | octet3RangeCheck 505 | printQuestion "What is the IP's fourth octet (range; ie 1-255)?"; read octet4 506 | octet4RangeCheck 507 | 508 | # Calculate # of IPs within the range requested 509 | howManyIPs 510 | 511 | #Ask how many subinterface ips the user would like 512 | echo; printQuestion "How many virtual ips (subinterfaces) would you like?"; read numberIPs 513 | until [[ $numberIPs == $(wc -l < $tmpIPs) ]]; do 514 | if [[ $(wc -l < $tmpUsedIPs) == $numPossIPs ]]; then echo; printError "Maximum number of possible IPs reached; you need to expand your IP pool."; return 1; fi 515 | unusedIP=$octet1"."$octet2"."$(shuf -i $octet3 -n 1)"."$(shuf -i $octet4 -n 1) 516 | if [[ ! $(cat $tmpUsedIPs | grep $unusedIP) ]]; then pingTest; fi 517 | done 518 | sort -u $tmpIPs > $tmp2IPs; mv $tmp2IPs $tmpIPs 519 | echo; printGood "Identified $numberIPs available IPs; setting subinterface IPs!" 
520 | break 521 | ;; 522 | 523 | C) 524 | class="C" 525 | # Find out the range that we are setting 526 | echo; printQuestion "What is the IP's first octet (number)?"; read octet1 527 | octet1NumCheck 528 | printQuestion "What is the IP's second octet (number)?"; read octet2 529 | octet2NumCheck 530 | printQuestion "What is the IP's third octet (number)?"; read octet3 531 | octet3NumCheck 532 | printQuestion "What is the IP's fourth octet (range; ie 1-255)?"; read octet4 533 | octet4RangeCheck 534 | 535 | # Calculate # of IPs within the range requested 536 | howManyIPs 537 | 538 | #Ask how many subinterface ips the user would like 539 | echo; printQuestion "How many virtual ips (subinterfaces) would you like?"; read numberIPs 540 | until [[ $numberIPs == $(wc -l < $tmpIPs) ]]; do 541 | if [[ $(wc -l < $tmpUsedIPs) == $numPossIPs ]]; then echo; printError "Maximum number of possible IPs reached; you need to expand your IP pool."; return 1; fi 542 | unusedIP=$octet1"."$octet2"."$octet3"."$(shuf -i $octet4 -n 1) 543 | if [[ ! $(cat $tmpUsedIPs | grep $unusedIP) ]]; then pingTest; fi 544 | done 545 | sort -u $tmpIPs > $tmp2IPs; mv $tmp2IPs $tmpIPs 546 | echo; printGood "Identified $numberIPs available IPs; setting subinterface IPs!" 
547 | break 548 | ;; 549 | esac 550 | done 551 | 552 | # Pull current ips - not needed as Netplan v0.105+ set command is additive and doesn't replace 553 | #cat $netplanConfig | grep "/" | cut -d "[" -f2 | cut -d "]" -f1 | sed "s/\,/\n/g" > $tmpUsedIPs ## old, replace ',' with new line 554 | netplan get ethernets.$ethInt.addresses | cut -d "\"" -f2 | cut -d "\"" -f1 | sed "s/\,/\n/g" > $tmpUsedIPs 555 | 556 | # Identify the CIDR, append to each of the new IPs, and add to list of current IPs 557 | #CIDR=$(listCoreIP | sed -n 's/.*\///p') 558 | CIDR=$(netplan get ethernets.$ethInt.addresses | head -1 | cut -d "\"" -f2 | cut -d "\"" -f1 | sed -n 's/.*\///p') 559 | for ip in $(cat $tmpIPs); do echo $ip/$CIDR >> $tmpUsedIPs; done 560 | 561 | # Unique addrs w/out sorting, and then replace new lines with ',' 562 | cat $tmpUsedIPs | awk '!x[$0]++' | sed ':a; N; $!ba; s/\n/,/g' > $tmpIPs 563 | 564 | # Add clean addresses to netplan 565 | #sed -i '0,/addresses/s|addresses:.*|addresses: ['$(cat $tmpIPs)']|' test.yaml 566 | netplan set ethernets.$ethInt.addresses=[$(cat $tmpIPs)] 567 | 568 | netplan generate; netplan apply 569 | printGood "Done."; echo 570 | 571 | # Append ips to running log 572 | echo -e "\n$(date)" >> $ipsArchive 573 | cat $tmpIPs >> $ipsArchive 574 | cat $tmpIPs > $ipsCurrent 575 | 576 | printGood "Your IP settings were saved to two files:"; 577 | echo " - $ipsCurrent -> current IPs assigned to server and listed in $netplanConfig"; 578 | echo " - $ipsArchive -> running log of all IPs used during an exercise/event"; 579 | } 580 | 581 | # Check for subinterfaces 582 | checkForSubinterfaces(){ 583 | tmp=`mktemp` 584 | listSubInts >> $tmp 585 | if [[ ! -s $tmp ]]; then 586 | echo; printQuestion "No subinterfaces exist...would you like to create some? 
(y/N) "; read REPLY 587 | if [[ $REPLY =~ ^[Yy]$ ]]; then 588 | addSubInts 589 | fi 590 | else 591 | echo; printStatus "Current subinterfaces:" 592 | listSubIntIPs 593 | echo; printQuestion "Do you want to change your current subinterface IPs? (y/N) "; read REPLY 594 | if [[ $REPLY =~ ^[Yy]$ ]]; then 595 | removeSubInts 596 | addSubInts 597 | fi 598 | fi 599 | } 600 | 601 | # Restore subinterface IPs from file 602 | restoreSubIntsFile(){ 603 | # Identify the subinterfaces save file 604 | echo; printStatus "The subinterface save file should be a one-line, comma-seperated list of IP/CIDR; for example, '192.168.1.1/24,192.168.1.55/24'" 605 | echo; printQuestion "What is the full path to the subinterfaces save file (default is $ipsCurrent)?"; read savefile || return 606 | if [[ -z ${savefile:+x} ]]; then 607 | printGood "Restoring from $ipsCurrent" 608 | savefile=$ipsCurrent 609 | else 610 | printGood "Restoring from $savefile" 611 | fi 612 | 613 | # Add clean addresses to netplan 614 | #sed -i '0,/addresses/s|addresses:.*|addresses: ['$(cat $savefile)']|' $netplanConfig 615 | sed -i '/^[[:space:]]*$/d' $savefile # remove newlines and white space 616 | netplan set ethernets.$ethInt.addresses=null # the current core IP maybe different from the savefile first IP...what is desired? 617 | netplan set ethernets.$ethInt.addresses=[$(listCoreIP),$(cat $savefile)] 618 | } 619 | 620 | # Change hostname [optional] 621 | setHostname(){ 622 | echo; echo "[--------- HOSTNAME ---------]" 623 | echo; hostnamectl 624 | echo; printQuestion "Do you want to change the hostname of this server? (Y/n)"; read REPLY 625 | if [[ $REPLY =~ ^[Nn]$ ]]; then 626 | printGood "Hostname NOT changed." 627 | else 628 | printQuestion "What name would you like to set for this server?"; read REPLY 629 | hostnamectl set-hostname $REPLY 630 | sed -i '0,/127\.0\.1\.1/s|127\.0\.1\.1.*|127\.0\.1\.1 '$(echo $REPLY)'|' /etc/hosts 631 | printGood "Hostname changed to \"$REPLY\" - reboot to see changes." 
632 | fi 633 | } 634 | 635 | # Set IP 636 | setIP(){ 637 | echo; echo "[--------- IP ---------]" 638 | echo; REGEX='(((25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?))(\/([8-9]|[1-2][0-9]|3[0-2]))([^0-9.]|$)' 639 | IP=$(listCoreIP) 640 | staticIPLoop(){ 641 | until [[ $valid_ip == 1 ]] 642 | do 643 | valid_ip=0 644 | printQuestion "What would you like to set as your primary static IP/CIDR (i.e. 192.168.1.1/24)? "; read IP 645 | if [[ "$IP" =~ $REGEX ]]; then 646 | printGood "Valid IP: $IP" 647 | valid_ip=1 648 | else 649 | printError "You didn't provide a valid IP: $IP" 650 | echo "Please provide your IP/CIDR in this format example - 192.168.1.1/24" 651 | fi 652 | done 653 | } 654 | printStatus "Configuring a static IP on the server." 655 | if [[ -z $IP ]]; then 656 | staticIPLoop 657 | else 658 | echo "The current IP on this server is: $IP" 659 | printQuestion "Would you like to set the current IP as the primary static IP on the server? (Y/n)"; read REPLY 660 | if [[ $REPLY =~ ^[Nn]$ ]]; then 661 | staticIPLoop 662 | fi 663 | fi 664 | # Update the config file 665 | sed -i "/^IP=/c\IP=\"$IP\"" $setipsConfig 666 | 667 | # Update netplan with the new IP, replacing only the primary address 668 | # Get current addresses to preserve secondary ones 669 | currentAddresses=$(netplan get ethernets.$ethInt.addresses | tail -n+2 | cut -d "\"" -f2 | cut -d "\"" -f1) 670 | 671 | # Clear existing addresses first 672 | netplan set ethernets.$ethInt.addresses=null 673 | 674 | # Set the primary IP address 675 | if [[ -n "$currentAddresses" ]]; then 676 | # If we had secondary addresses, add them back 677 | netplan set ethernets.$ethInt.addresses=[$IP,$currentAddresses] 678 | else 679 | # Just set the primary IP 680 | netplan set ethernets.$ethInt.addresses=[$IP] 681 | fi 682 | 683 | printGood "Primary IP updated to $IP in netplan configuration" 684 | } 685 | 686 | # Set default gateway 687 | setGateway(){ 688 | echo; echo "[--------- GATEWAY ---------]" 
689 | echo; printStatus "Current route table:" 690 | ip route; echo 691 | currentgw="$( getInternetInfo 3 )" 692 | if [[ -z ${currentgw:+x} ]]; then 693 | printError "You do not have a default gateway set." 694 | else 695 | echo "Your primary gateway is: $currentgw" 696 | fi 697 | printQuestion "Do you want to update your gateway? (y/N) "; read REPLY 698 | if [[ $REPLY =~ ^[Yy]$ ]]; then 699 | printQuestion "What is the IP of the gateway?"; read currentgw 700 | printGood "Your gateway was updated to: $currentgw" 701 | 702 | # Update the config file 703 | sed -i "/^GATEWAY=/c\GATEWAY=\"$currentgw\"" $setipsConfig 704 | 705 | # Update netplan with the new gateway 706 | # First remove existing routes 707 | netplan set ethernets.$ethInt.routes=null 708 | 709 | # Then add the new default route 710 | netplan set "ethernets.$ethInt.routes=[{to: 0.0.0.0/0, via: $currentgw, on-link: true}]" 711 | 712 | printGood "Gateway updated to $currentgw in netplan configuration" 713 | else 714 | printError "Gateway not changed." 715 | fi 716 | } 717 | 718 | # Set DNS 719 | setDNS(){ 720 | echo; echo "[--------- DNS ---------]" 721 | echo 722 | if [ ! -f /etc/resolv.conf ]; then 723 | printError "You do not currently have DNS setup." 724 | dnsips="8.8.8.8,8.8.4.4" 725 | else 726 | dnsips=$(cat /etc/resolv.conf | grep nameserver | cut -d " " -f2 | awk '{printf "%s,",$0} END {print ""}' | sed 's/.$//') 727 | printStatus "Your current DNS server(s): $dnsips" 728 | fi 729 | printQuestion "Do you want to change your DNS servers? (y/N) "; read REPLY 730 | if [[ $REPLY =~ ^[Yy]$ ]]; then 731 | printQuestion "What are the DNS server IPs (comma separated)?"; read dnsips 732 | printGood "Your DNS settings were updated." 733 | 734 | # Update resolv.conf 735 | echo "# This file was automagically created by the setips script." 
> /etc/resolv.conf 736 | for i in ${dnsips//,/ } 737 | do 738 | echo "nameserver $i" >> /etc/resolv.conf 739 | done 740 | 741 | # Update config file 742 | sed -i "/^NAMESERVERS=/c\NAMESERVERS=\"$dnsips\"" $setipsConfig 743 | 744 | # Set the global NAMESERVERS variable for use in createStaticYAML 745 | NAMESERVERS="$dnsips" 746 | 747 | # Update netplan's nameservers configuration 748 | netplan set ethernets.$ethInt.nameservers.addresses=[$dnsips] 749 | else 750 | printError "DNS not changed." 751 | fi 752 | } 753 | 754 | # Set MTU 755 | setMTU(){ 756 | echo; echo "[--------- MTU ---------]" 757 | 758 | # Check if interface is set 759 | if [[ ! $ethInt ]]; then 760 | whatInterface 761 | elif [[ -z $runningFirstTime ]]; then 762 | echo; printStatus "Targeted interface: $ethInt" 763 | printQuestion "Do you want to adjust the targeted interface? (Y/n)"; read REPLY 764 | if [[ $REPLY =~ ^[Nn]$ ]]; then 765 | echo; printStatus "Changing the interface..." 766 | whatInterface 767 | fi 768 | else 769 | printStatus "Interface: $ethInt" 770 | fi 771 | 772 | # Get current MTU 773 | currentMTU="$( ip a | grep $ethInt | grep mtu | grep -v lo | awk '{for(i=1;i<=NF;i++)if($i=="mtu")print $(i+1)}' )" 774 | printStatus "Current MTU: $currentMTU" 775 | 776 | # Ask if user wants to change MTU 777 | printQuestion "Do you want to change your MTU (normally 1500)? (y/N)"; read REPLY 778 | if [[ $REPLY =~ ^[Yy]$ ]]; then 779 | printQuestion "What is your desired MTU setting (default is normally 1500)?"; read MTU 780 | if [[ -z ${MTU:+x} ]]; then MTU=1500; fi 781 | printGood "Setting MTU of $MTU." 782 | 783 | # Update MTU in setipsConfig 784 | sed -i "/^MTU=/c\MTU=\"$MTU\"" $setipsConfig 785 | 786 | # Use netplan set to update the MTU in the netplan configuration 787 | netplan set ethernets.$ethInt.mtu=$MTU 788 | 789 | printGood "MTU updated to $MTU in netplan configuration." 790 | else 791 | MTU=$currentMTU 792 | printError "MTU not changed." 
793 | return 0 # Exit function early if no change requested 794 | fi 795 | } 796 | 797 | # Disable/stop DNS stub resolver 798 | disableStubResolver(){ 799 | echo; echo "[--------- CONFIGURE DNS STUB RESOLVER ---------]" 800 | echo; printStatus "Disabling the local DNS stub resolver" 801 | systemctl disable systemd-resolved.service 802 | systemctl stop systemd-resolved 803 | rm /etc/resolv.conf; echo "nameserver 8.8.8.8" >> /etc/resolv.conf 804 | } 805 | 806 | # Change /etc/ssh/sshd_config conifguration for root to only login "without-password" to "yes" 807 | checkSSH(){ 808 | if cat /etc/ssh/sshd_config | grep '#PermitRootLogin' >/dev/null; then 809 | echo; printError "I have to fix your sshd_config file to allow login with password." 810 | sed -i 's/.*\#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config 811 | echo; printStatus "Checking SSH service is enabled and accepts passwords." 812 | systemctl restart ssh 813 | systemctl enable ssh 814 | printGood "Root login permitted." 815 | fi 816 | } 817 | 818 | setupSSHKey() { 819 | # Create .ssh directory if it doesn't exist 820 | if [[ ! -d /root/.ssh ]]; then 821 | mkdir -p /root/.ssh 822 | chmod 700 /root/.ssh 823 | fi 824 | 825 | # Check if the key already exists 826 | if [[ ! -f /root/.ssh/setips_proxy ]]; then 827 | echo; printStatus "Creating SSH key for SOCKS proxy and other functions" 828 | ssh-keygen -t ed25519 -f /root/.ssh/setips_proxy -N "" -C "setips automated key" 829 | 830 | # Add the key to authorized_keys for local connections if not already there 831 | if ! 
grep -q "$(cat /root/.ssh/setips_proxy.pub)" /root/.ssh/authorized_keys; then 832 | cat /root/.ssh/setips_proxy.pub >> /root/.ssh/authorized_keys 833 | chmod 600 /root/.ssh/authorized_keys 834 | printGood "SSH key added to authorized_keys" 835 | fi 836 | 837 | printGood "SSH key created at /root/.ssh/setips_proxy" 838 | else 839 | printStatus "Using existing SSH key at /root/.ssh/setips_proxy" 840 | 841 | # Make sure the key is in authorized_keys even if we didn't create it 842 | if ! grep -q "$(cat /root/.ssh/setips_proxy.pub)" /root/.ssh/authorized_keys; then 843 | cat /root/.ssh/setips_proxy.pub >> /root/.ssh/authorized_keys 844 | chmod 600 /root/.ssh/authorized_keys 845 | printGood "Existing SSH key added to authorized_keys" 846 | fi 847 | fi 848 | 849 | # Configure SSH client to use this key for localhost 850 | if [[ ! -f /root/.ssh/config ]] || ! grep -q "Host localhost" /root/.ssh/config; then 851 | cat >> /root/.ssh/config << EOF 852 | Host localhost 853 | IdentityFile /root/.ssh/setips_proxy 854 | StrictHostKeyChecking no 855 | UserKnownHostsFile=/dev/null 856 | PasswordAuthentication no 857 | EOF 858 | chmod 600 /root/.ssh/config 859 | printGood "SSH config updated to use the key for localhost connections" 860 | fi 861 | } 862 | 863 | # Create systemd unit files for starting multiple SOCKS proxies 864 | autoStartSOCKSProxy() { 865 | # Make sure SSH key is set up 866 | setupSSHKey 867 | 868 | # Identify running SOCKS proxies using ss 869 | # Get all listening ports with SSH that aren't the SSH server itself 870 | proxy_processes=$(ss -ltpn | grep -v grep | grep 0.0.0.0 | grep -v sshd | grep ssh) 871 | 872 | if [ -z "$proxy_processes" ]; then 873 | echo; printError "No active SOCKS proxies found. Please set up at least one proxy first." 
874 | return 1 875 | fi 876 | 877 | # Extract the ports from the proxy processes 878 | proxy_ports=($(echo "$proxy_processes" | grep -o "0.0.0.0:\([0-9]\+\)" | cut -d':' -f2 | sort -u)) 879 | 880 | if [ ${#proxy_ports[@]} -eq 0 ]; then 881 | echo; printError "Failed to identify active SOCKS proxy ports" 882 | return 1 883 | fi 884 | 885 | echo; printStatus "Found ${#proxy_ports[@]} active SOCKS proxies on ports: ${proxy_ports[*]}" 886 | 887 | # First, disable and remove any existing autostart services 888 | systemctl disable autostart_socks.service >/dev/null 2>&1 889 | rm -f /etc/systemd/system/autostart_socks.service >/dev/null 2>&1 890 | 891 | # Create a service file for each proxy port 892 | for port in "${proxy_ports[@]}"; do 893 | cat > /etc/systemd/system/socks_proxy_${port}.service << EOF 894 | [Unit] 895 | Description=SOCKS proxy on port ${port} 896 | After=network.target sshd.service 897 | Wants=sshd.service 898 | 899 | [Service] 900 | Type=simple 901 | ExecStart=/usr/bin/ssh -i /root/.ssh/setips_proxy -o StrictHostKeyChecking=no -N -D 0.0.0.0:${port} root@127.0.0.1 902 | Restart=on-failure 903 | RestartSec=5 904 | 905 | [Install] 906 | WantedBy=multi-user.target 907 | EOF 908 | # Enable the service 909 | systemctl enable socks_proxy_${port}.service 910 | systemctl start socks_proxy_${port}.service 911 | echo; printGood "Created and enabled SOCKS proxy service for port ${port}" 912 | done 913 | 914 | systemctl daemon-reload 915 | 916 | echo; printGood "Created and enabled systemd services for ${#proxy_ports[@]} SOCKS proxies (ports: ${proxy_ports[*]})." 917 | echo; printStatus "Each proxy will run as an independent service and restart automatically if it fails." 
918 | echo; printStatus "You can manage individual proxies with: systemctl [start|stop|status] socks_proxy_PORT.service" 919 | 920 | # Save list of proxies for reference 921 | echo "${proxy_ports[*]}" > $setipsFolder/proxies.autostart 922 | echo; printStatus "Port list saved to $setipsFolder/proxies.autostart" 923 | } 924 | 925 | 926 | createStaticYAML() { 927 | # Make backup directory if it doesn't exist 928 | mkdir -p $setipsFolder/netplan.backups 929 | 930 | # Backup existing netplan files if present 931 | for file in /etc/netplan/*.yaml; do 932 | if [[ -f "$file" && "$file" != "$netplanConfig" ]]; then 933 | cp "$file" "$setipsFolder/netplan.backups/$(basename $file).$(date +"%Y-%m-%d_%H-%M-%S")" 934 | fi 935 | done 936 | 937 | # Delete all YAML files in /etc/netplan/ directory 938 | rm -f /etc/netplan/*.yaml /etc/netplan/*.yml 939 | 940 | # Ensure GATEWAY is set 941 | GATEWAY=${GATEWAY:-$(getInternetInfo 3)} 942 | 943 | # Ensure MTU is set 944 | MTU=${MTU:-1500} 945 | 946 | # Ensure NAMESERVERS is set 947 | if [[ -z "$NAMESERVERS" ]]; then 948 | NAMESERVERS="8.8.8.8,8.8.4.4" 949 | printStatus "No DNS servers specified, using default Google DNS servers" 950 | fi 951 | 952 | # Create a clean YAML file 953 | cat > $netplanConfig << EOF 954 | network: 955 | version: 2 956 | ethernets: 957 | $ethInt: 958 | dhcp4: false 959 | addresses: [$IP] 960 | routes: 961 | - to: 0.0.0.0/0 962 | via: $GATEWAY 963 | on-link: true 964 | mtu: $MTU 965 | nameservers: 966 | addresses: [$NAMESERVERS] 967 | EOF 968 | 969 | # Ensure YAML is not viewable by others 970 | chmod 600 $netplanConfig 971 | 972 | printGood "Created network configuration at $netplanConfig" 973 | } 974 | 975 | setupStaticIP(){ 976 | # Get current settings first before asking for new ones 977 | currentIP=$(listCoreIP) 978 | currentGateway="$( getInternetInfo 3 )" 979 | currentMTU="$( ip a | grep $ethInt | grep mtu | grep -v lo | awk '{for(i=1;i<=NF;i++)if($i=="mtu")print $(i+1)}' )" 980 | currentDNS=$(cat 
/etc/resolv.conf | grep nameserver | cut -d " " -f2 | awk '{printf "%s,",$0} END {print ""}' | sed 's/.$//') 981 | 982 | # Initialize variables with current values if they exist 983 | IP=${IP:-$currentIP} 984 | GATEWAY=${GATEWAY:-$currentGateway} 985 | MTU=${MTU:-$currentMTU} 986 | NAMESERVERS=${NAMESERVERS:-$currentDNS} 987 | 988 | # Ask for new settings or confirm current ones 989 | setIP 990 | setGateway 991 | setDNS 992 | setMTU 993 | 994 | # Ensure we have values for critical variables before creating YAML 995 | if [[ -z "$IP" ]]; then 996 | printError "No IP address set. Cannot create network configuration." 997 | return 1 998 | fi 999 | 1000 | if [[ -z "$ethInt" ]]; then 1001 | printError "No interface selected. Cannot create network configuration." 1002 | return 1 1003 | fi 1004 | 1005 | # Now recreate the YAML file with the updated settings 1006 | createStaticYAML 1007 | 1008 | # Apply the changes 1009 | netplan generate 1010 | netplan apply 1011 | echo; printStatus "NOTE: You can ignore warnings about the ovsdb-server.service not running." 1012 | } 1013 | 1014 | # Display SOCKS proxies 1015 | displayProxies(){ 1016 | ip address show $ethInt |grep "inet" |grep -v "inet6"|awk '{ print $2 }'|cut -d/ -f1 | grep -v "127.0.0.1" | tail -n +2 | awk '{printf "%s\n",$0} END {print ""}' | sed '/^$/d' | awk -F:: '{ print "socks4 " $NF }' | awk '{ print $0 "'" $proxyport"'"}' 1017 | } 1018 | 1019 | # Setup SOCKS proxy 1020 | setupSOCKS(){ 1021 | # Check for dependencies 1022 | if ! which socat > /dev/null; then 1023 | echo; printError "The SOCKS proxy requires 'socat' it and will not be setup, exiting." 1024 | echo; printStatus "If online, you can install using the Install Redirector Tools option in the Utilities menu." 
        # nothing to break out of here; return so the menu keeps working
        return 1
    fi

    # Check for existing proxies
    if ss -ltpn | grep -v grep | grep 0.0.0.0 | grep -v sshd | grep ssh > /dev/null; then
        echo; printStatus "You currently have proxies running on the following ports:"
        ss -ltpn | grep -v grep | grep 0.0.0.0 | grep -v sshd | grep ssh
        echo; printQuestion "Do you want to remove them? (y/N)"; read REPLY
        if [[ $REPLY =~ ^[Yy]$ ]]; then
            echo; printStatus "Killing previous setips SSH SOCKS proxies."
            stopSOCKS
        else
            printStatus "Keeping existing proxies and continuing."
        fi
    fi

    # Setup SSH key
    setupSSHKey

    echo; printGood "Starting up SOCKS proxy..."
    printStatus "The startup process will take ~5 secs."
    echo "      You will be returned to the setips menu when setup is complete."

    echo; printQuestion "What *PORT* do you want to use for your proxy?"; read proxyport
    while :; do
        if ss -ltpn | grep -q "0.0.0.0:$proxyport "; then
            echo; printError "Something is already listening on that port, please try a different port."
            echo; ss -ltpn | grep ":$proxyport "
            echo; printQuestion "What *PORT* do you want to use for your proxy?"; read proxyport
        else
            break
        fi
    done

    echo; printStatus "Checking if the SSH server is running..."
    if ps aux | grep -v grep | grep /usr/sbin/sshd > /dev/null; then
        printGood "SSH server *is* running; let's rock."
    else
        printError "SSH server *is not* running; starting it up."
        service ssh start
        sleep 2
        echo; printStatus "Checking if the SSH server is running after we attempted to start it up..."
        if ps aux | grep -v grep | grep /usr/sbin/sshd > /dev/null; then
            printGood "SSH server *is* running; let's rock."
        else
            printError "SSH server *is not* running. #sadpanda"
            # not inside a loop, so return to the menu instead of break
            return 1
        fi
    fi

    checkSSH

    echo; printStatus "Setting up the SSH SOCKS proxy...please wait..."
    # Port sshd listens on; handles both 0.0.0.0:PORT and [::]:PORT listeners
    sshPort=$(ss -ltpn | grep '"sshd"' | grep -o ':[0-9]* ' | head -n 1 | tr -dc '0-9')
    sshPort=${sshPort:-22}

    # Start SSH SOCKS proxy using key authentication
    screen -dmS ssh_socks ssh -i /root/.ssh/setips_proxy -o StrictHostKeyChecking=no -N -D 0.0.0.0:$proxyport -p $sshPort root@127.0.0.1
    # Check if it started correctly (match the port field, not any digits in the line)
    sleep 2
    if ss -ltpn | grep -q ":$proxyport "; then
        echo; printGood "SUCCESS...SOCKS proxy started on Port $proxyport."
        ss -ltpn | grep ":$proxyport "
    else
        echo; printError "FAIL...looks like the SOCKS proxy didn't start correctly."
        echo "Try running the script again or check system logs for errors."
        # return (not exit) so an interactive session drops back to the menu
        return 1
    fi

    echo; echo "To use, copy the following to the end of your local /etc/proxychains.conf file (replace any other proxies in the file):"
    displayProxies

    # Always restore socks proxies on reboot
    autoStartSOCKSProxy

    # Always turn ON IP table randomization when starting SOCKS proxy
    iptablesToggleRandomSource ON

    # Always save iptables and ensure they restore on reboot
    saveIPTables
    autoStartIPTables

    echo; printGood "IP randomization enabled and iptables persistence configured."
    echo; printGood "The SOCKS proxy will restore on reboot."
}

# Stop SOCKS proxy - improved version with reordered steps
stopSOCKS(){
    echo "Stopping all SOCKS proxies..."

    # 1. First identify all running proxy processes and their ports
    echo "Identifying all SOCKS proxy processes..."
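An added example, written for this edit and not part of setips.sh: the detection used throughout the script (`ss -ltpn | grep 0.0.0.0 | grep -v sshd | grep ssh`) keys on substrings anywhere in the line, including the peer-address column. The function below parses the `ss -ltpn` columns instead and accepts only wildcard-bound sockets whose owning process is literally named `ssh`, which is how both the `screen`-started and the systemd-started proxies appear, and which can never match `sshd`. The sample `ss` output is constructed for the demonstration, not captured from a host; the functions assume bash and a POSIX awk.

```shell
#!/usr/bin/env bash
# Editor-added example (not part of setips.sh): find setips-style SSH SOCKS
# listeners in `ss -ltpn` output without catching sshd or unrelated sockets.
# Assumption: proxies were started as `ssh ... -N -D 0.0.0.0:PORT`, so the
# listening socket belongs to a process named exactly "ssh".

# Read `ss -ltpn` text on stdin; print "PORT PID" for every 0.0.0.0 listener
# owned by a process named "ssh", lowest port first.
socks_listeners() {
    awk '
        # data rows only, and only sockets bound to the wildcard address
        $1 == "LISTEN" && $4 ~ /^0\.0\.0\.0:[0-9]+$/ {
            split($4, a, ":"); port = a[2]
            # users:(("ssh",pid=4411,fd=4)) -> process name and pid
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                u = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", u)
                name = u; sub(/".*/, "", name)
                pid = u;  sub(/.*pid=/, "", pid)
                if (name == "ssh") print port, pid
            }
        }' | sort -n
}

# Ports only, space separated, in the form setips writes to proxies.autostart
socks_ports() { socks_listeners | awk '{print $1}' | paste -s -d ' ' -; }

# Constructed sample of `ss -ltpn` output: the sshd listener, two SOCKS
# proxies started by ssh, and a loopback-only service that must be ignored.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      128          0.0.0.0:1080      0.0.0.0:*    users:(("ssh",pid=4411,fd=4))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=901,fd=6))
LISTEN 0      128          0.0.0.0:1081      0.0.0.0:*    users:(("ssh",pid=4420,fd=4))'

# Demonstration on the constructed sample (on a live host: ss -ltpn | socks_ports)
demo_ports() { printf '%s\n' "$SAMPLE_SS" | socks_ports; }
demo_pids()  { printf '%s\n' "$SAMPLE_SS" | socks_listeners | awk '{print $2}' | paste -s -d ' ' -; }

demo_ports
```

The PIDs from `socks_listeners` are the ones to signal when tearing proxies down; because the match is on the socket owner's name, `sshd` and its per-session children are never in that list.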
1116 | proxy_processes=$(ss -ltpn | grep -v grep | grep 0.0.0.0 | grep -v sshd | grep ssh) 1117 | 1118 | if [ -n "$proxy_processes" ]; then 1119 | echo "Found SOCKS proxy processes by port:" 1120 | echo "$proxy_processes" 1121 | 1122 | # Extract ports for use in systemd service removal 1123 | ports=$(echo "$proxy_processes" | grep -o "0.0.0.0:\([0-9]\+\)" | cut -d':' -f2 | sort -u) 1124 | fi 1125 | 1126 | # 2. Identify and disable all systemd services for SOCKS proxies 1127 | echo "Identifying and disabling all SOCKS proxy systemd services..." 1128 | 1129 | # Find any systemd services matching our naming pattern 1130 | service_ports=$(find /etc/systemd/system -name "socks_proxy_*.service" | grep -o '[0-9]\+\.service' | cut -d. -f1) 1131 | 1132 | # Combine with the ports we already found from running processes 1133 | if [ -n "$ports" ] && [ -n "$service_ports" ]; then 1134 | all_ports="$ports $service_ports" 1135 | elif [ -n "$ports" ]; then 1136 | all_ports="$ports" 1137 | else 1138 | all_ports="$service_ports" 1139 | fi 1140 | 1141 | # Stop and disable each service first 1142 | if [ -n "$all_ports" ]; then 1143 | for port in $all_ports; do 1144 | if [ -f "/etc/systemd/system/socks_proxy_${port}.service" ]; then 1145 | echo "Stopping and disabling service for port $port" 1146 | systemctl stop socks_proxy_${port}.service 2>/dev/null 1147 | systemctl disable socks_proxy_${port}.service 2>/dev/null 1148 | fi 1149 | done 1150 | fi 1151 | 1152 | # Also look for any other socks proxy services that might have different naming patterns 1153 | other_socks_services=$(find /etc/systemd/system -name "*socks*.service" -o -name "*proxy*.service") 1154 | for service in $other_socks_services; do 1155 | if grep -q "SOCKS" "$service" || grep -q "ssh.*-D" "$service"; then 1156 | echo "Found additional SOCKS service: $service" 1157 | service_name=$(basename $service) 1158 | systemctl stop $service_name 2>/dev/null 1159 | systemctl disable $service_name 2>/dev/null 1160 | fi 1161 | 
done 1162 | 1163 | # 3. Remove all systemd service files 1164 | echo "Removing all SOCKS proxy systemd service files..." 1165 | 1166 | if [ -n "$all_ports" ]; then 1167 | for port in $all_ports; do 1168 | if [ -f "/etc/systemd/system/socks_proxy_${port}.service" ]; then 1169 | echo "Removing service file for port $port" 1170 | rm -f "/etc/systemd/system/socks_proxy_${port}.service" 2>/dev/null 1171 | fi 1172 | done 1173 | fi 1174 | 1175 | # Remove any other identified SOCKS service files 1176 | for service in $other_socks_services; do 1177 | if grep -q "SOCKS" "$service" || grep -q "ssh.*-D" "$service"; then 1178 | echo "Removing additional service file: $service" 1179 | rm -f "$service" 2>/dev/null 1180 | fi 1181 | done 1182 | 1183 | # Force systemd to reload its configuration 1184 | systemctl daemon-reload 1185 | 1186 | # 4. Clean up the autostart proxy list file early 1187 | if [ -f "$setipsFolder/proxies.autostart" ]; then 1188 | echo "Removing autostart proxy configuration" 1189 | rm -f "$setipsFolder/proxies.autostart" 1190 | fi 1191 | 1192 | # 5. Turn OFF source IP randomization explicitly before killing processes 1193 | iptablesToggleRandomSource OFF 1194 | 1195 | # 6. Now terminate screen sessions related to SSH 1196 | if screen -ls | grep -q "\.ssh"; then 1197 | echo "Killing SOCKS proxy screen sessions..." 1198 | screen -ls | grep "\.ssh" | cut -d"." -f1 | awk '{print $1}' | while read pid; do 1199 | echo "Killing screen session: $pid.ssh" 1200 | screen -X -S $pid.ssh quit 1201 | done 1202 | fi 1203 | 1204 | # 7. Kill all processes identified earlier 1205 | if [ -n "$proxy_processes" ]; then 1206 | echo "Killing SOCKS proxy processes by PID..." 1207 | pids=$(echo "$proxy_processes" | grep -o 'pid=[0-9]*' | cut -d= -f2) 1208 | for pid in $pids; do 1209 | echo "Killing process $pid" 1210 | kill -9 $pid 2>/dev/null 1211 | sleep 0.5 1212 | done 1213 | fi 1214 | 1215 | # 8. 
# Kill all SSH client processes with the -D option (dynamic forwarding/SOCKS)
    echo "Looking for SSH processes with dynamic forwarding..."
    # Match the ssh *client* only. A loose match on "ssh" and "-D" also hits
    # the server, whose command line under systemd is "sshd -D"; SIGKILLing
    # it cuts off every new SSH login to this box. Anchoring on the client
    # binary name keeps sshd out of the list.
    socks_ssh_pids=$(pgrep -f -- '^(/usr/bin/)?ssh (.* )?-D ')
    if [ -n "$socks_ssh_pids" ]; then
        echo "Found SSH processes with dynamic forwarding:"
        ps -o pid,args -p $(echo $socks_ssh_pids | tr ' ' ',')

        for pid in $socks_ssh_pids; do
            echo "Killing SSH process with dynamic forwarding: $pid"
            kill $pid 2>/dev/null
            sleep 0.5
        done
    fi

    # 9. Explicitly kill any SSH client connecting to localhost (likely our SOCKS proxies)
    echo "Looking for SSH processes connecting to localhost..."
    local_ssh_pids=$(pgrep -f -- '^(/usr/bin/)?ssh .*root@(127\.0\.0\.1|localhost)( |$)')
    if [ -n "$local_ssh_pids" ]; then
        echo "Found SSH processes connecting to localhost:"
        ps -o pid,args -p $(echo $local_ssh_pids | tr ' ' ',')

        for pid in $local_ssh_pids; do
            echo "Killing local SSH process: $pid"
            kill $pid 2>/dev/null
            sleep 0.5
        done
    fi

    # 10. Final verification - check if any SSH SOCKS proxies remain
    # (anything still listening after the SIGTERMs above gets SIGKILL below)
    echo "Performing final verification..."
    sleep 2  # Allow time for processes to terminate

    remaining_proxies=$(ss -ltpn | grep -v grep | grep 0.0.0.0 | grep -v sshd | grep ssh)
    if [ -n "$remaining_proxies" ]; then
        echo "WARNING: Some SSH proxies still running after cleanup:"
        echo "$remaining_proxies"

        # Force kill any remaining processes
        pids=$(echo "$remaining_proxies" | grep -o 'pid=[0-9]*' | cut -d= -f2)
        for pid in $pids; do
            echo "Force killing stubborn process $pid"
            kill -9 $pid 2>/dev/null
        done

        # Final check
        if ss -ltpn | grep -v grep | grep 0.0.0.0 | grep -v sshd | grep ssh > /dev/null; then
            echo "ERROR: Failed to stop all SOCKS proxies. Manual intervention required."
        else
            echo "All SOCKS proxies successfully terminated after second attempt."
        fi
    else
        echo "All SOCKS proxies successfully terminated."
    fi

    # Cleanup any temporary files
    rm -f /tmp/socks.tmp 2>/dev/null
}

cleanIPPivots(){
    tmp=$(mktemp)
    iptables-save | uniq > $tmp; sed -i '/--to-destination/ {d;}' $tmp; sed -i '/--to-source/ {d;}' $tmp
    iptables-restore < $tmp; rm $tmp
}

# Toggle outgoing source-IP randomization. With no argument the current state
# is flipped; "ON" and "OFF" force that state. setupSOCKS calls it with ON,
# which must not switch randomization off just because SNAT rules already exist.
iptablesToggleRandomSource(){
    tmp=$(mktemp)
    if [[ $1 == "OFF" || ( -z $1 && -n "$(iptables-save | grep "SNAT")" ) ]]; then
        # Save off current iptables, delete all SNAT rules, and restore the table
        iptables-save > $tmp; sed -i "/SNAT/d" $tmp; iptables-restore < $tmp; rm $tmp
        echo; printGood "Turned ** OFF ** outgoing source IP randomization."
1286 | else 1287 | # Randomize source IPs on all outgoing packets 1288 | randomizePivotIP 1289 | # Save off current iptables, delete all masquerade rules, and restore the table 1290 | iptables-save > $tmp; sed -i '/-o '$ethInt' -j MASQUERADE/ {d;}' $tmp; iptables-restore < $tmp; rm $tmp 1291 | echo; printGood "Turned ** ON ** outgoing source IP randomization." 1292 | fi 1293 | } 1294 | 1295 | # Create systemd unit file to restore iptable rules on reboot 1296 | autoStartIPTables(){ 1297 | # First, make sure we have a current backup 1298 | if [ ! -f "$setipsFolder/iptables.current" ]; then 1299 | saveIPTables 1300 | fi 1301 | 1302 | cat > /etc/systemd/system/restore_iptables.service << EOF 1303 | [Unit] 1304 | Description="Restore iptable rules on reboot" 1305 | After=network.target 1306 | 1307 | [Service] 1308 | Type=oneshot 1309 | ExecStart=/sbin/iptables-restore $setipsFolder/iptables.current 1310 | RemainAfterExit=yes 1311 | 1312 | [Install] 1313 | WantedBy=multi-user.target 1314 | EOF 1315 | systemctl daemon-reload 1316 | systemctl enable restore_iptables.service 1317 | echo; printGood "IPTables will be automatically restored at boot time" 1318 | } 1319 | 1320 | # Remove systemd unit file to restore iptable rules on reboot 1321 | removeStartIPTables(){ 1322 | systemctl disable restore_iptables.service 1323 | } 1324 | 1325 | # Display the current IPTables list 1326 | displayIPTables(){ 1327 | if [[ -z `iptables-save` ]]; then 1328 | echo; printError "There are no iptable rules." 
        iptablesCount=0
    else
        echo; printGood "Displaying your current iptables rules:"
        echo; iptables-save
        # Read by flushIPTablesPivotRules to decide whether to offer a flush
        iptablesCount=1
    fi
}

# Offer to flush the current 1-to-1 NAT (DNAT) pivot rules
flushIPTablesPivotRules(){
    if [[ $iptablesCount == 1 ]]; then
        echo
        printQuestion "Do you want to delete your current 1-to-1 NAT rules (y/n)? "; read REPLY
        while :; do
            if [[ $REPLY =~ ^[Yy]$ ]]; then
                tmp=$(mktemp)
                iptables-save > $tmp
                # One sed call with two -e expressions. sed's -i takes no
                # expression argument, so a second "-i" would swallow the next
                # expression as a file name and leave the MASQUERADE rule in place.
                sed -i -e '/DNAT/d' -e '/-o '$ethInt' -j MASQUERADE/ {d;}' $tmp
                iptables-restore < $tmp
                rm $tmp
                break
            elif [[ $REPLY =~ ^[Nn]$ ]]; then
                break
            else
                printQuestion "You didn't answer correctly; do you want to delete your current 1-to-1 NAT rules (y/n)? "; read REPLY
            fi
        done
    fi
}

# Setup IPTables DNAT (1-to-1) pivot
setupIPTablesPivot(){
    # Flush the current pivot rules?
    flushIPTablesPivotRules
    # Add IPTables pivot rules
    echo; printGood "Let's set up some IPTables..."
    listIPs
    echo; echo 'Is the traffic "tcp" or "udp"?'; read prot
    echo; printQuestion "What redirector subinterface *IP* should the redirector listen on?"; read subintip
    while true; do
        if [[ ! $subintip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
            echo; printError "That doesn't appear to be a valid IP."
1370 | printQuestion "What subinterface *IP* should the pivot listen on?"; read subintip 1371 | else 1372 | break 1373 | fi 1374 | done 1375 | echo; printQuestion "What redirector subinterface *PORT* should the redirector listen on?"; read incomingport 1376 | echo; printQuestion "What is the redteam *IP* the redirector sends incoming traffic to?"; read redteamip 1377 | echo; printQuestion "What is the redteam *PORT* the redirector sends incoming traffic to?"; read redteamport 1378 | # TESTING 1379 | # $iptables -t nat -A PREROUTING -m state --state NEW -p $prot -d $subintip --dport $incomingport -j MARK --set-mark 0x400 1380 | # $iptables -t nat -A PREROUTING -m mark --mark 0x400 -p $prot -j DNAT -d $subintip --dport $incomingport --to $redteamip:$redteamport 1381 | # original 1382 | $iptables -t nat -A PREROUTING -p $prot -j DNAT -d $subintip --dport $incomingport --to $redteamip:$redteamport 1383 | $iptables -t filter -I FORWARD 1 -j ACCEPT 1384 | # Set IPs to auto-start on reboot 1385 | autoStartIPTables 1386 | echo 1387 | } 1388 | 1389 | # Add additional iptables rule IP netblocks 1390 | setupIPTablesRedirectorIPs(){ 1391 | echo; printStatus "This function will setup the number of IPs you request and redirect them all" 1392 | echo "to the destination you specify (example, request 5 IPs listening on port 80 to redirect" 1393 | echo "to your teamserver at 1.2.3.4 on port 80)." 
1394 | flushIPTablesPivotRules 1395 | listIPs 1396 | addSubInts 1397 | echo; echo 'Is the redirected traffic "tcp" or "udp"?'; read prot 1398 | echo; printQuestion "What *PORT* should the pivot subinterface listen on?"; read incomingport 1399 | echo; printQuestion "What is the redteam *IP* the pivot redirects incoming traffic to?"; read redteamip 1400 | echo; printQuestion "What is the redteam *PORT* the pivot redirects incoming traffic to?"; read redteamport 1401 | awk -F/ '{print $1}' $tmpIPs > $tmp2IPs; mv $tmp2IPs $tmpIPs 1402 | while IFS= read subintip; do 1403 | $iptables -t nat -A PREROUTING -p $prot -j DNAT -d $subintip --dport $incomingport --to $redteamip:$redteamport 1404 | $iptables -t filter -I FORWARD 1 -j ACCEPT 1405 | done < "$tmpIPs" 1406 | # Set IPs to auto-start on reboot 1407 | autoStartIPTables 1408 | # Display current rules 1409 | displayIPTables 1410 | } 1411 | 1412 | setupAnotherRedirector(){ 1413 | exec &>/dev/tty 1414 | REPLY="y" 1415 | while :; do 1416 | if [[ $REPLY =~ ^[Yy]$ ]]; then 1417 | if [[ ! -f /root/.ssh/id_rsa ]] || [[ ! -f /root/.ssh/id_rsa.pub ]]; then 1418 | echo; printStatus "No ssh keys found on the local system; I need to setup some for you." 1419 | printStatus "Just hit enter if prompted for information." 1420 | ssh-keygen 1421 | fi 1422 | echo; printQuestion "What is the IP of the redirector that you want to setup? "; read redirIP 1423 | echo; printStatus "Pinging target for viability..." 1424 | $ping -c 1 $redirIP > /dev/null 1425 | if [[ $? == 0 ]]; then 1426 | printGood "Target is alive." 1427 | sshBytes=$(sudo cat /root/.ssh/id_rsa.pub | cut -d" " -f2| tail -c 6) 1428 | echo; printStatus "Here are the last 5 characters of your public key: $sshBytes" 1429 | echo; printStatus "Checking for your SSH key on the target system." 
            echo; printQuestion "What username do you want to log in with?"; read username
            ssh $username@$redirIP "sudo rm -f /root/setips.sh > /dev/null; sudo sed -i '/UseDNS/d' /etc/ssh/sshd_config; echo \"UseDNS no\" | sudo tee -a /etc/ssh/sshd_config; sudo service ssh restart; sudo grep -F $sshBytes /root/.ssh/authorized_keys"
            if [[ $? -gt 0 ]]; then
                echo; printStatus "SSH Key not found on target system; uploading..."
                publicKey=$(cat /root/.ssh/id_rsa.pub)
                # Append with "tee -a" rather than moving a fresh file over
                # /root/.ssh/authorized_keys, which would wipe every other key
                # already authorized for root on the redirector.
                ssh $username@$redirIP "sudo mkdir -p /root/.ssh; sudo chmod 700 /root/.ssh; echo '$publicKey' | sudo tee -a /root/.ssh/authorized_keys > /dev/null; sudo chown root:root /root/.ssh/authorized_keys; sudo chmod 600 /root/.ssh/authorized_keys"
            else
                echo; printGood "SSH key found."
            fi
            echo; printStatus "Uploading current setips.sh"
            scp /root/setips.sh root@$redirIP:/root/setips.sh
            ssh root@$redirIP "chmod +x /root/setips.sh; /root/setips.sh -n"
        else
            echo; printError "That IP did not respond to ping, try again."
        fi
        echo; printQuestion "Would you like to setup another redirector? (y/n)"; read REPLY
    elif [[ $REPLY =~ ^[Nn]$ ]]; then
        break
    else
        echo; printError "You didn't answer correctly; do you want to setup another redirector (y/n)? "; read REPLY
    fi
done
}

# Save pivot (DNAT) rules to $pivotRulesBackup and $setipsFolder/pivotRules.current
savePivotRules(){
    tmp=$(mktemp)
    date +"%Y%b%d-%H%M" > $tmp
    pivotRulesBackupFile="pivotRules-$(cat $tmp)"
    rm -f $tmp
    iptables-save | grep DNAT | awk -F" " '{print $6 " " $4 " " $10 " " $14}' | sed 's/:/ /g' | sed 's/\/32//g' > $pivotRulesBackup/$pivotRulesBackupFile
    cp $pivotRulesBackup/$pivotRulesBackupFile $setipsFolder/pivotRules.current
    echo; printGood "Backup of pivot rules saved to $pivotRulesBackup/$pivotRulesBackupFile"
}

# Setup Socat Pivot
setupSocatPivot(){
    # Check for dependencies
    if ! \
which socat > /dev/null; then 1468 | echo; printError "The program socat is not installed...downloading now." 1469 | $socatDownload 1470 | commandStatus 1471 | if [[ $internet == "0" ]]; then 1472 | tar xvzf socat.tar.gz; cd socat*; ./configure; make; make install 1473 | cd ..; rm -f socat.tar.gz 1474 | fi 1475 | fi 1476 | echo; printQuestion "What port do you want to pivot (i.e. listen on)?"; read socatport 1477 | while true; do 1478 | if [[ $(ss -ltpn | grep "0.0.0.0:$socatport ") || $(ss -ltpn | grep "127.0.0.1:$socatport ") ]]; then 1479 | echo; printError "Something is already listening on that port, please try a different port." 1480 | echo; ss -ltpn | grep ":$socatport " 1481 | echo; printQuestion "What port do you want to pivot (i.e. the one socat will listen for)?"; read socatport 1482 | else 1483 | break 1484 | fi 1485 | done 1486 | echo; printQuestion "What is the redteam *IP* the pivot redirects incoming traffic to?"; read redteamip 1487 | echo; printQuestion "What is the redteam *PORT* the pivot redirects incoming traffic to?"; read redteamport 1488 | socat -d -d -d -lf $setipsFolder/socat.log TCP-LISTEN:$socatport,reuseaddr,fork,su=nobody TCP:$redteamip:$redteamport& 1489 | disown 1490 | if [[ $(ss -ltpn | grep -v grep | grep socat | grep $socatport | wc -l) -ge "1" ]]; then 1491 | echo; printGood "SUCCESS! Socat pivot setup; logging to $setipsFolder/socat.log" 1492 | ss -ltpn | grep socat 1493 | else 1494 | echo; printError "FAIL...looks like the socat pivot didn't setup correctly, check $setipsFolder/socat.log for errors." 1495 | fi 1496 | } 1497 | 1498 | # Stop SOCKS proxy 1499 | stopSocatPivot(){ 1500 | tmp=`mktemp` 1501 | ss -ltpn | grep socat | awk '{ print $6 }' | cut -d= -f2 | cut -d, -f1 | sort -u > $tmp 1502 | while read p; do kill -9 $p; done < $tmp 1503 | rm -f $tmp 1504 | } 1505 | 1506 | # Install redirector tools 1507 | installRedirTools(){ 1508 | downloadError=0 1509 | echo; printStatus "Updating package repository." 
1510 | apt-get update 1511 | apt-get -y autoremove 1512 | echo; printStatus "Attempting to install: wireguard unzip fping ipcalc socat readline-common screen traceroute nmap proxychains vsftpd apache2 php" 1513 | apt-get -y install wireguard unzip fping ipcalc socat readline-common screen traceroute nmap proxychains vsftpd apache2 php libapache2-mod-php 1514 | commandStatus 1515 | systemctl stop apache2 1516 | systemctl stop vsftpd 1517 | update-rc.d apache2 disable 1518 | update-rc.d vsftpd disable 1519 | # Add vsftpd config files 1520 | mkdir -p /var/ftp/upload 1521 | chown ftp:ftp /var/ftp/upload 1522 | mkdir -p /etc/vsftpd 1523 | cat > /etc/vsftpd/vsftpd-anon.conf << 'EOF' 1524 | # Anon config file 1525 | listen=YES 1526 | local_enable=NO 1527 | anonymous_enable=YES 1528 | write_enable=YES 1529 | anon_root=/var/ftp 1530 | secure_chroot_dir=/var/ftp/upload 1531 | # 1532 | # optional 1533 | # 1534 | chown_upload_mode=0666 1535 | anon_umask=022 1536 | allow_writeable_chroot=YES 1537 | banner_file=/etc/vsftpd/banner_file 1538 | anon_mkdir_write_enable=YES 1539 | anon_other_write_enable=YES 1540 | anon_upload_enable=YES 1541 | no_anon_password=YES 1542 | xferlog_enable=YES 1543 | listen_port=21 1544 | #anon_max_rate=2048000 1545 | #listen_address=x.x.x.x 1546 | EOF 1547 | # Add banner file 1548 | cat > /etc/vsftpd/banner_file << 'EOF' 1549 | _ _ ____ _ _____ _____ ____ 1550 | | | | | ___ ___ _ __/ ___| _ __ __ _| | _____| ___|_ _| _ \ 1551 | | |_| |/ _ \ / _ \| _ \___ \| _ \ / _ | |/ / _ \ |_ | | | |_) | 1552 | | _ | (_) | (_) | |_) |__) | | | | (_| | < __/ _| | | | __/ 1553 | |_| |_|\___/ \___/| .__/____/|_| |_|\__,_|_|\_\___|_| |_| |_| 1554 | |_| 1555 | Your escape from the down-under...Copyright 1970 1556 | - - - - - 1557 | LOGIN with "anonymous" 1558 | DO NOT FORGET to change directory to "upload" to upload/download stuff 1559 | EOF 1560 | # Add vsftpd start file 1561 | cat > /root/vsftpd.start << 'EOF' 1562 | #!/bin/bash 1563 | vsftpd 
/etc/vsftpd/vsftpd-anon.conf& 1564 | EOF 1565 | chmod +x /root/vsftpd.start 1566 | # Add vsftpd stop file 1567 | cat > /root/vsftpd.stop << 'EOF' 1568 | #!/bin/bash 1569 | killall vsftpd 1570 | EOF 1571 | chmod +x /root/vsftpd.stop 1572 | # Install Java for Cobalt Strike 1573 | echo; printQuestion "Would you like to install Java (required for Cobalt Strike? (y/N)"; read REPLY 1574 | if [[ $REPLY =~ ^[Yy]$ ]]; then 1575 | sudo apt -y install openjdk-11-jdk 1576 | sudo update-java-alternatives -s java-1.11.0-openjdk-amd64 1577 | fi 1578 | if [[ $downloadError == 1 ]]; then 1579 | echo; printError "Something went wrong...one or more downloads didn't complete successfully." 1580 | else 1581 | echo; printGood "Done." 1582 | fi 1583 | } 1584 | 1585 | # Clean old crap from iptables 1586 | cleanIPTables(){ 1587 | tmp=`mktemp` 1588 | tmp2=`mktemp` 1589 | tmp3=`mktemp` 1590 | tmpSNAT=`mktemp` 1591 | tmpDNAT=`mktemp` 1592 | # Clean duplicate items that are next to each other; enable ipv4/ipv6 forwarding; remove old MASQUERADE method of "proxying" 1593 | # older forwarding technique 1594 | # echo 1 > /proc/sys/net/ipv4/ip_forward 1595 | # sysctl net.ipv4.ip_forward=1 1596 | iptables -I FORWARD -j ACCEPT 1597 | iptables -P FORWARD ACCEPT 1598 | # newer forwarding technique 1599 | sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf 1600 | sed -i '/net.ipv6.conf.all.forwarding=1/s/^#//g' /etc/sysctl.conf 1601 | sysctl -p > /dev/null 2>&1 1602 | sysctl --system > /dev/null 2>&1 1603 | iptables-save | uniq > $tmp; sed -i '/-o '$ethInt' -j MASQUERADE/ {d;}' $tmp 1604 | # DNAT - Clean duplicate items NOT next to each other; save off DNAT list to tmp.nat then remove all DNAT entries for tmp iptables file 1605 | cat $tmp | grep "DNAT" | sort -u > $tmpDNAT; sed -i "/DNAT/d" $tmp 1606 | # SNAT - Clean duplicate items NOT next to each other; save off SNAT list to tmp.nat then remove all DNAT entries for tmp iptables file 1607 | cat $tmp | grep "SNAT" | sort -u > $tmpSNAT; sed -i 
"/SNAT/d" $tmp 1608 | # Have to add "--packet 0" back into before restoring on certain version of iptables 1609 | if [[ ! `grep "packet" $tmp` ]]; then 1610 | awk 'BEGIN{OFS=FS=" "} $4~/statistic/ {$9="--packet 0 -j";}1' $tmp > $tmp2; mv $tmp2 $tmp 1611 | fi 1612 | # Restore the cleaned rules 1613 | iptables-restore < $tmp 1614 | # Add back in the cleaned DNAT rules; order doesn't matter 1615 | while read p; do $iptables -t nat $p; done < $tmpSNAT 1616 | while read p; do $iptables -t nat $p; done < $tmpDNAT 1617 | rm $tmp $tmpDNAT $tmpSNAT 1618 | # Clean masquerade rules (if applicable) 1619 | if [[ $(iptables-save | grep -E 'statistic') ]]; then 1620 | iptables-save > $tmp3; sed -i '/-o '$ethInt' -j MASQUERADE/ {d;}' $tmp3; iptables-restore < $tmp3; rm $tmp3 1621 | iptables-save > $tmp3; sed -i '/-o '$ethInt' -j MASQUERADE/ {d;}' $tmp3; iptables-restore < $tmp3; rm $tmp3 1622 | else 1623 | $iptables -t nat -A POSTROUTING -o $ethInt -j MASQUERADE 1624 | # $iptables -t nat -A POSTROUTING -m mark --mark 0x400 -j MASQUERADE 1625 | fi 1626 | } 1627 | 1628 | # Save IPTables for historical purposes 1629 | saveIPTables(){ 1630 | tmp=`mktemp` 1631 | date +"%Y%b%d-%H%M" > $tmp 1632 | iptablesBackupFile="iptables-$(cat $tmp)" 1633 | iptables-save > $iptablesBackup/$iptablesBackupFile 1634 | cp $iptablesBackup/$iptablesBackupFile $setipsFolder/iptables.current 1635 | echo; printGood "Backup of iptables rules saved to $iptablesBackup/$iptablesBackupFile" 1636 | } 1637 | 1638 | # Create IPTables to randomize source port when pivoting 1639 | randomizePivotIP(){ 1640 | tmp=/tmp/iptables.tmp 1641 | iplist="./ips.list" 1642 | # List subinterface ips randomly and put into file called "intips" 1643 | listSubIntIPsOnly | shuf > $iplist 1644 | # Save off current iptables, delete all SNAT rules with the word "statistic", and restore the table 1645 | iptables-save > $tmp; sed -i "/SNAT/d" $tmp; iptables-restore < $tmp; rm $tmp 1646 | # Identify the number of assigned subinterfaces 1647 | 
ipcount=`wc -l $iplist | cut -f 1 -d " "` 1648 | while read p; do 1649 | iptables -t nat -A POSTROUTING -m statistic --mode nth --every $ipcount --packet 0 -j SNAT --to-source $p 1650 | ipcount=$(($ipcount-1)) 1651 | done <$iplist 1652 | rm $iplist 1653 | # Setup forward rule, if there isn't one 1654 | iptables-save > $tmp; sed -i "/-A FORWARD -j ACCEPT/d" $tmp; iptables-restore < $tmp; rm $tmp 1655 | $iptables -t filter -I FORWARD 1 -j ACCEPT 1656 | } 1657 | 1658 | setOnline(){ 1659 | sed -i '/^internet=/d' $setipsConfig 1660 | echo 'internet="1"' >> $setipsConfig 1661 | internet="1" 1662 | } 1663 | 1664 | setOffline(){ 1665 | sed -i '/^internet=/d' $setipsConfig 1666 | echo 'internet="0"' >> $setipsConfig 1667 | internet="0" 1668 | } 1669 | 1670 | setAskEachTime(){ 1671 | sed -i '/^internet=/d' $setipsConfig 1672 | echo 'internet=""' >> $setipsConfig 1673 | internet="" 1674 | } 1675 | 1676 | # Loop function to redisplay menu 1677 | # Function to display menu - now with an option to suppress the question for submenu returns 1678 | whatToDo(){ 1679 | # Clear any previous menu display for consistency 1680 | echo 1681 | echo "If needed, click Return for menu." 
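An added example, written for this edit and not part of setips.sh, showing what `randomizePivotIP` above builds and why `ipcount` has to count down. iptables walks the POSTROUTING rules in order, and `-m statistic --mode nth --every N --packet 0` matches one packet out of every N that reach that particular rule. With k source addresses, giving the rules `--every k, k-1, ..., 1` hands each address exactly 1/k of the outbound packets. The generator below works for any number of addresses (the script loops over whatever `listSubIntIPsOnly` returns), and the simulation reproduces the kernel's per-rule counter so the split can be checked without touching a live firewall. The interface name and addresses are constructed, and the `-o` interface match is an addition not present in the script's own rules; the code assumes bash.

```shell
#!/usr/bin/env bash
# Editor-added example (not part of setips.sh): generate the per-address SNAT
# rules randomizePivotIP appends and simulate the nth-mode counters to show the
# resulting packet split. "eth0" and the 10.0.0.x addresses are constructed.

# Print one rule per address, in the order iptables must evaluate them.
# $1 = outbound interface, remaining args = source addresses to rotate through
snat_rules() {
    local iface=$1; shift
    local n=$#
    [ "$n" -gt 0 ] || return 1
    local ip
    for ip in "$@"; do
        printf -- '-t nat -A POSTROUTING -o %s -m statistic --mode nth --every %d --packet 0 -j SNAT --to-source %s\n' \
            "$iface" "$n" "$ip"
        n=$((n - 1))          # next rule sees only the packets this one let through
    done
}

# Simulate "$1" packets against the rules snat_rules would emit for the
# remaining args; print "ADDRESS COUNT" per address.
simulate_snat() {
    local packets=$1; shift
    local k=$# ips=("$@")
    local -a every hits seen
    local i p
    for ((i = 0; i < k; i++)); do every[i]=$((k - i)); hits[i]=0; seen[i]=0; done
    for ((p = 0; p < packets; p++)); do
        for ((i = 0; i < k; i++)); do
            # --packet 0: the first packet to reach the rule matches, then every Nth;
            # a matched packet stops here, an unmatched one falls to the next rule
            if (( seen[i] % every[i] == 0 )); then
                hits[i]=$((hits[i] + 1)); seen[i]=$((seen[i] + 1)); break
            fi
            seen[i]=$((seen[i] + 1))
        done
    done
    for ((i = 0; i < k; i++)); do printf '%s %d\n' "${ips[i]}" "${hits[i]}"; done
}

# Demonstration: three addresses, 30 packets -> 10 each
snat_rules eth0 10.0.0.2 10.0.0.3 10.0.0.4
simulate_snat 30 10.0.0.2 10.0.0.3 10.0.0.4
```

Feeding `snat_rules` into `iptables` (one `iptables $rule` per line, as the script does) installs the rotation. The countdown is what makes the split even: with `--every 3` on all three rules the shares would be 1/3, 2/9 and 4/27, and the remaining 8/27 of packets would fall through to whatever MASQUERADE rule follows. This is also why `cleanIPTables` re-inserts `--packet 0` on iptables versions whose `iptables-save` omits it: without it the rules fail to restore.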
1682 | echo 1683 | } 1684 | 1685 | # Start fully interactive mode (default when no options given or by adding "-i") 1686 | interactiveMode(){ 1687 | echo; printError "Remember to remove your $ipsArchive file if you are starting a new exercise."; echo 1688 | select ar in "Setup" "Subinterfaces" "Utilities" "View-Info" "Quit"; do 1689 | case $ar in 1690 | Setup ) 1691 | echo 1692 | echo "Setup Menu" 1693 | echo "----------" 1694 | echo "[Initial-Redirector] persistent static IP" 1695 | echo "[SSH-SOCKS-Proxy] sets up SOCKS proxy on a port" 1696 | echo "[IPTables-Pivot-IPs] redirects redirector IP/Port to target IP/Port" 1697 | echo "[Socat-Pivot] sets up socat listener that redirects to target IP/Port" 1698 | echo "[Static-IP] persistent static IP" 1699 | echo 1700 | select au in "Initial-Redirector" "Remote-Redirector" "Addtl-Redir-Pivot-IPs" "SSH-SOCKS-Proxy" "IPTables-Pivot-IPs" "Socat-Pivot" "Static-IP" "Main-Menu"; do 1701 | case $au in 1702 | Initial-Redirector ) 1703 | if [[ $internet = 1 ]]; then echo; installRedirTools; else printError "Need to be online to download/install required redirector tools."; fi 1704 | echo; printGood "Redirector setup completed." 
1705 | break 1706 | ;; 1707 | 1708 | Remote-Redirector ) 1709 | setupAnotherRedirector 1710 | break 1711 | ;; 1712 | 1713 | Addtl-Redir-Pivot-IPs ) 1714 | whatInterface 1715 | echo; displayIPTables 1716 | setupIPTablesRedirectorIPs 1717 | cleanIPTables 1718 | savePivotRules 1719 | saveIPTables 1720 | break 1721 | ;; 1722 | 1723 | SSH-SOCKS-Proxy ) 1724 | whatInterface 1725 | checkForSubinterfaces 1726 | cleanIPTables 1727 | saveIPTables 1728 | setupSOCKS 1729 | break 1730 | ;; 1731 | 1732 | IPTables-Pivot-IPs ) 1733 | whatInterface 1734 | checkForSubinterfaces 1735 | echo; displayIPTables 1736 | setupIPTablesPivot 1737 | cleanIPTables 1738 | saveIPTables 1739 | break 1740 | ;; 1741 | 1742 | Socat-Pivot ) 1743 | setupSocatPivot 1744 | break 1745 | ;; 1746 | 1747 | Static-IP ) 1748 | whatInterface 1749 | setupStaticIP 1750 | break 1751 | ;; 1752 | 1753 | Main-Menu ) 1754 | break 1755 | ;; 1756 | esac 1757 | done 1758 | whatToDo 1759 | ;; 1760 | 1761 | Subinterfaces ) 1762 | echo 1763 | select su in "Add-Subinterfaces" "Add-Subinterfaces-From-File" "Remove-All-Subinterfaces" "Restore-Subinterfaces" "Main-Menu"; do 1764 | case $su in 1765 | Add-Subinterfaces ) 1766 | whatInterface 1767 | addSubInts 1768 | autoStartIPTables 1769 | break 1770 | ;; 1771 | 1772 | Add-Subinterfaces-From-File ) 1773 | whatInterface 1774 | restoreSubIntsFile 1775 | netplan generate; netplan apply 1776 | autoStartIPTables 1777 | break 1778 | ;; 1779 | 1780 | Remove-All-Subinterfaces ) 1781 | whatInterface 1782 | listIPs 1783 | removeSubInts 1784 | break 1785 | ;; 1786 | 1787 | Restore-Subinterfaces ) 1788 | whatInterface 1789 | removeSubInts 1790 | restoreSubIntsFile 1791 | setDNS 1792 | setGateway 1793 | netplan generate; netplan apply 1794 | listIPs 1795 | printGood "Your settings where restored."; 1796 | break 1797 | ;; 1798 | 1799 | Main-Menu ) 1800 | break 1801 | ;; 1802 | 1803 | esac 1804 | done 1805 | whatToDo 1806 | ;; 1807 | 1808 | Utilities ) 1809 | echo 1810 | select ut in 
"Install-Redirector-Tools" "Reset-Setips-Config" "Change-Internet-OpMode" "Set-Git-Server" "Set-Hostname" "Set-Gateway" "Set-DNS" "Set-MTU" "Disable-DNS-Stub-Resolver" "IPTables-flush" "IPTables-clean-pivots" "IPTables-toggle-random-source-IPs" "IPTables-restore-on-startup" "IPTables-REMOVE-restore-on-startup" "SOCAT-Pivots-REMOVE-ALL" "SOCKS-Proxy-REMOVE-ALL" "Main-Menu"; do 1811 | case $ut in 1812 | Install-Redirector-Tools ) 1813 | if [[ $internet = 1 ]]; then echo; installRedirTools; else printError "Need to be online to download/install required redirector tools." ; fi 1814 | break 1815 | ;; 1816 | 1817 | Reset-Setips-Config ) 1818 | rm -f $setipsConfig 1819 | createConfig 1820 | echo; printGood "Setips config file created/recreated." 1821 | break 1822 | ;; 1823 | 1824 | Change-Internet-OpMode ) 1825 | echo; printStatus "Change Internet OpMode" 1826 | echo "----------------------" 1827 | echo "Persistently changes this script's operational mode (can be changed at any time)." 1828 | # Default the internet opmode 1829 | internet="" 1830 | opMode 1831 | break 1832 | ;; 1833 | 1834 | Set-Git-Server ) 1835 | printQuestion "What is the IP or domain for the Git Server? "; read REPLY 1836 | sed -i "/^redteamGogs=/c\redteamGogs=\"$REPLY\"" $setipsConfig 1837 | break 1838 | ;; 1839 | 1840 | Set-Hostname ) 1841 | setHostname 1842 | break 1843 | ;; 1844 | 1845 | Set-Gateway ) 1846 | listIPs 1847 | setGateway 1848 | netplan generate; netplan apply 1849 | break 1850 | ;; 1851 | 1852 | Set-DNS ) 1853 | setDNS 1854 | netplan generate; netplan apply 1855 | break 1856 | ;; 1857 | 1858 | Set-MTU ) 1859 | setMTU 1860 | netplan generate; netplan apply 1861 | break 1862 | ;; 1863 | 1864 | Disable-DNS-Stub-Resolver ) 1865 | disableStubResolver 1866 | setDNS 1867 | break 1868 | ;; 1869 | 1870 | IPTables-flush ) 1871 | flushIPTables 1872 | echo; printGood "IPTables successfully flushed." 
1873 | break 1874 | ;; 1875 | 1876 | IPTables-clean-pivots ) 1877 | cleanIPPivots 1878 | echo; printGood "IPTables successfully cleaned of all pivots." 1879 | break 1880 | ;; 1881 | 1882 | IPTables-toggle-random-source-IPs ) 1883 | iptablesToggleRandomSource 1884 | cleanIPTables 1885 | saveIPTables 1886 | autoStartIPTables 1887 | break 1888 | ;; 1889 | 1890 | IPTables-restore-on-startup ) 1891 | autoStartIPTables 1892 | echo; printGood "Created systemd unit file to restore iptable rules on reboot." 1893 | break 1894 | ;; 1895 | 1896 | IPTables-REMOVE-restore-on-startup ) 1897 | removeStartIPTables 1898 | echo; printGood "Removed systemd unit file to restore iptable rules on reboot." 1899 | break 1900 | ;; 1901 | 1902 | SOCAT-Pivots-REMOVE-ALL ) 1903 | stopSocatPivot 1904 | echo; printGood "All SOCAT pivoting stopped." 1905 | break 1906 | ;; 1907 | 1908 | SOCKS-Proxy-REMOVE-ALL ) 1909 | stopSOCKS 1910 | cleanIPTables 1911 | saveIPTables 1912 | autoStartIPTables 1913 | echo; printGood "SSH SOCKS Proxies stopped." 
1914 | break 1915 | ;; 1916 | 1917 | Main-Menu ) 1918 | break 1919 | ;; 1920 | esac 1921 | done 1922 | whatToDo 1923 | ;; 1924 | 1925 | View-Info ) 1926 | echo; printQuestion "What IP format do you want to view?"; echo 1927 | select ex in "Proxychains" "Show-Current-IPs" "Show-Previously-Used-IPs" "Show-IPTables" "Main-Menu"; do 1928 | case $ex in 1929 | Proxychains ) 1930 | echo; printQuestion "What *PORT* do you want to use for your proxy?"; read proxyport 1931 | echo; echo "Copy the following to the end of /etc/proxychains.conf" 1932 | displayProxies 1933 | break 1934 | ;; 1935 | 1936 | Show-Current-IPs ) 1937 | echo; printStatus "CHECK IT OUT -> You can find the save file here: $ipsCurrent" 1938 | listIPs 1939 | break 1940 | ;; 1941 | 1942 | Show-Previously-Used-IPs ) 1943 | echo; printStatus "CHECK IT OUT -> You can find the archive file here: $ipsArchive" 1944 | cat $ipsArchive 1945 | break 1946 | ;; 1947 | 1948 | Show-IPTables ) 1949 | displayIPTables 1950 | break 1951 | ;; 1952 | 1953 | Main-Menu ) 1954 | break 1955 | ;; 1956 | esac 1957 | done 1958 | whatToDo 1959 | ;; 1960 | 1961 | Quit ) 1962 | echo; printGood "Exiting, nothing to do."; echo 1963 | break 1964 | ;; 1965 | esac 1966 | done 1967 | } 1968 | 1969 | printHelp(){ 1970 | echo "Usage: [-h] [-i] [-l] [-r] [-a ]" 1971 | echo " [-f ] [-d ] [-u]" 1972 | echo 1973 | } 1974 | 1975 | #### MAIN PROGRAM #### 1976 | 1977 | # Starting core script 1978 | echo; echo "Setips Script - Version $scriptVersion" 1979 | printGood "Started: $(date)" 1980 | printGood "Configuration and logging directory: $setipsFolder" 1981 | 1982 | # Check OS version 1983 | osCheck 1984 | 1985 | # Process command-line arguments first 1986 | if [[ "$1" == "-n" ]]; then 1987 | # Skip firstTime check for the -n option 1988 | : # Null command (do nothing) 1989 | # Ask to run interface setup or, if setup, collect information 1990 | else 1991 | if [[ ! 
-f $setipsFolder/setupComplete ]]; then 1992 | firstTime 1993 | touch $setipsFolder/setupComplete 1994 | fi 1995 | 1996 | # Determine the operational mode - ONLINE or OFFLINE 1997 | opMode 1998 | 1999 | # Check for iptables backup folder 2000 | if [[ ! -d $iptablesBackup ]]; then 2001 | mkdir -p $iptablesBackup 2002 | fi 2003 | 2004 | # Check for pivotRules backup folder 2005 | if [[ ! -d $pivotRulesBackup ]]; then 2006 | mkdir -p $pivotRulesBackup 2007 | fi 2008 | fi 2009 | 2010 | # Checking ssh service is turned on and enabled for password login 2011 | checkSSH 2012 | 2013 | if [[ $1 == "help" || $1 == "--help" ]]; then 2014 | echo; printStatus "setips.sh provides an interactive menu (-i) or arguements (see usage below)" 2015 | echo; printHelp 2016 | elif [[ $1 == "" ]]; then 2017 | interactiveMode 2018 | else 2019 | IAM=${0##*/} # Short basename 2020 | while getopts ":a:d:f:hilno:rstu" opt 2021 | do sc=0 #no option or 1 option arguments 2022 | case $opt in 2023 | (a) # IMPORT - Quick entry to iptables src nat 2024 | if [[ $# -lt $((OPTIND + 1)) ]]; then 2025 | echo; echo "$IAM: Option -s argument(s) missing...needs five!" >&2 2026 | echo; printHelp >&2 2027 | exit 2 2028 | fi 2029 | OPTINDplus1=$((OPTIND + 1)) 2030 | OPTINDplus2=$((OPTIND + 2)) 2031 | OPTINDplus3=$((OPTIND + 3)) 2032 | protocol=$OPTARG 2033 | eval subintip=\$$OPTIND 2034 | eval subintport=\$$OPTINDplus1 2035 | eval tgtip=\$$OPTINDplus2 2036 | eval tgtport=\$$OPTINDplus3 2037 | $iptables -t nat -A PREROUTING -i $ethInt -p $protocol -j DNAT -d $subintip --dport $subintport --to $tgtip:$tgtport 2038 | $iptables -t filter -I FORWARD 1 -j ACCEPT 2039 | printGood "Imported rule specified." 2040 | cleanIPTables >&2 2041 | saveIPTables >&2 2042 | echo 2043 | sc=4 #5 args 2044 | ;; 2045 | (d) # DELETE - Quick delete iptables rule 2046 | if [[ $# -lt $((OPTIND + 1)) ]]; then 2047 | echo; echo "$IAM: Option -s argument(s) missing...needs five!" 
>&2 2048 | echo; printHelp >&2 2049 | exit 2 2050 | fi 2051 | OPTINDplus1=$((OPTIND + 1)) 2052 | OPTINDplus2=$((OPTIND + 2)) 2053 | OPTINDplus3=$((OPTIND + 3)) 2054 | protocol=$OPTARG 2055 | eval subintip=\$$OPTIND 2056 | eval subintport=\$$OPTINDplus1 2057 | eval tgtip=\$$OPTINDplus2 2058 | eval tgtport=\$$OPTINDplus3 2059 | $iptables -t nat -D PREROUTING -i $ethInt -p $protocol -d $subintip --dport $subintport -j DNAT --to-destination $tgtip:$tgtport 2060 | echo; printGood "Deleted rule specified." 2061 | saveIPTables >&2 2062 | echo 2063 | sc=4 #5 args 2064 | ;; 2065 | (f) # IMPORT - Import list of src nat entries from file 2066 | #File format, one entry per line: 2067 | srcnatfile=$OPTARG 2068 | sed -i '/^\x*$/d' $srcnatfile > /tmp/srcnatfile #Remove blank lines 2069 | # Delete current rules 2070 | cleanIPPivots 2071 | while IFS=" " read protocol subintip subintport tgtip tgtport; do 2072 | # echo "$iptables -t nat -A PREROUTING -i $ethInt -p $protocol -j DNAT -d $subintip --dport $subintport --to $tgtip:$tgtport" 2073 | echo "Redirecting $subintip:$subintport to $tgtip:$tgtport" 2074 | # TESTING 2075 | # $iptables -t nat -A PREROUTING -m state --state NEW -p $protocol -d $subintip --dport $subintport -j MARK --set-mark 0x400 2076 | # $iptables -t nat -A PREROUTING -m mark --mark 0x400 -p $protocol -j DNAT -d $subintip --dport $subintport --to $tgtip:$tgtport 2077 | # original below 2078 | $iptables -t nat -A PREROUTING -i $ethInt -p $protocol -j DNAT -d $subintip --dport $subintport --to $tgtip:$tgtport 2079 | done <$srcnatfile 2080 | echo; printGood "Imported rules from file: $srcnatfile" 2081 | cleanIPTables >&2 2082 | saveIPTables >&2 2083 | echo 2084 | ;; 2085 | (h) # Print help/usage statement 2086 | echo; printHelp 2087 | echo; echo "Examples:" 2088 | echo "./setips.sh -h" 2089 | echo "Displays this help menu." 2090 | echo; echo "./setips.sh -i" 2091 | echo "Interactive mode." 2092 | echo; echo "./setips.sh -l" 2093 | echo "List current IPTables rules." 
2094 | echo; echo "./setips.sh -r" 2095 | echo "Repair current IPTables ruleset by removing duplicates, removing rules that conflict with SNAT source IP manipulation, and saving a backup." 2096 | echo; echo "./setips.sh -a " 2097 | echo "Add single IPTables rule - by default, it will append to the iptables file." 2098 | echo; echo "./setips.sh -d " 2099 | echo "Delete single IPTables rule matching the input." 2100 | echo; echo "./setips.sh -f " 2101 | echo "Add list of IPTables rules from file - Reads file and appends SRC-NAT rules to the iptables file." 2102 | echo "File Format, one entry per line: " 2103 | echo; echo "./setips -u" 2104 | echo "Updates the setips.sh script (when configured)." 2105 | echo 2106 | ;; 2107 | (i) # Fully interactive mode *historical as this is now the default operation* 2108 | interactiveMode >&2 2109 | ;; 2110 | (l) # List current IPTables rules 2111 | displayIPTables >&2 2112 | ;; 2113 | (n) # New setup - restore to default state 2114 | echo; printStatus "Restoring this endpoint to a default state..." 
2115 | 2116 | # Stop services 2117 | stopSocatPivot 2118 | stopSOCKS 2119 | cleanIPTables 2120 | saveIPTables 2121 | 2122 | # Remove the setips-files folder 2123 | rm -rf $setipsFolder 2124 | 2125 | # Create the setips-files folder with only an empty log file and basic config 2126 | mkdir -p $setipsFolder 2127 | touch "$setipsFolder/setips.log" 2128 | createConfig 2129 | 2130 | # Create a basic DHCP netplan configuration 2131 | if [[ -f /etc/netplan/setips-network.yaml ]]; then 2132 | # Backup existing config first 2133 | cp /etc/netplan/setips-network.yaml /etc/netplan/setips-network.yaml.bak 2134 | fi 2135 | 2136 | # Detect primary interface if possible 2137 | primaryInterface=$(ip route | grep default | awk '{print $5}' | head -n 1) 2138 | # If no interface found, use ethInt from config or just "eth0" as fallback 2139 | primaryInterface=${primaryInterface:-${ethInt:-eth0}} 2140 | 2141 | # Create DHCP config 2142 | cat > /etc/netplan/setips-network.yaml << EOF 2143 | network: 2144 | version: 2 2145 | ethernets: 2146 | $primaryInterface: 2147 | dhcp4: true 2148 | dhcp-identifier: mac 2149 | EOF 2150 | 2151 | # Set proper permissions 2152 | chmod 600 /etc/netplan/setips-network.yaml 2153 | 2154 | # Apply the configuration 2155 | netplan generate 2156 | netplan apply 2157 | 2158 | echo; printGood "Endpoint restored to default state with DHCP enabled." 2159 | echo; printGood "When you next run setips.sh, it will perform first-time setup." 2160 | exit 0 2161 | ;; 2162 | (o) # IMPORT - Setup 1:1 redirector 2163 | if [[ $# -lt $((OPTIND)) ]]; then 2164 | echo; echo "$IAM: Option -s argument(s) missing...needs two!" >&2 2165 | echo; printHelp >&2 2166 | exit 2 2167 | fi 2168 | subintip=$OPTARG 2169 | eval tgtip=\$$OPTIND 2170 | 2171 | # Adding 1:1 IP redirection 2172 | $iptables -t nat -A PREROUTING -d $subintip -j DNAT --to-destination $tgtip 2173 | $iptables -t nat -A POSTROUTING -s $tgtip -j SNAT --to-source $subintip 2174 | printGood "Imported rule specified." 
2175 | cleanIPTables >&2 2176 | saveIPTables >&2 2177 | echo 2178 | sc=1 #2 args 2179 | ;; 2180 | (r) # REPAIR - quick repair; doesn't hurt if run multiple times. 2181 | printGood "Cleaning up/repair the current IPTables ruleset." 2182 | printGood "Saving backup of your IPTables before repair attempt to $iptablesBackup/$iptablesBackupFile" 2183 | iptables-save > $iptablesBackup/$iptablesBackupFile 2184 | cleanIPTables >&2 2185 | #iptables-save | grep -v statistic | iptables-restore 2186 | autoStartIPTables >&2 2187 | saveIPTables >&2 2188 | printGood "Repair complete, saving IPTables backup...run './setips.sh -l' to view current IPTables." 2189 | ;; 2190 | (s) # Run first time script 2191 | firstTime >&2 2192 | ;; 2193 | (t) # Testing script 2194 | testingScript >&2 2195 | ;; 2196 | (u) # UPDATE - Update setips.sh to the latest release build. 2197 | if [[ $internet == 1 ]]; then 2198 | mv /root/setips /root/setips.backup 2199 | git clone https://github.com/spatiald/setips.git 2200 | if [[ -d $setipsGitFolder ]]; then 2201 | cd /root/setips 2202 | git checkout master 2203 | commandStatus 2204 | ln -sf $HOME/setips/setips.sh $HOME/setips.sh 2205 | chmod +x /root/setips/setips.sh 2206 | if [[ -f /root/setips.sh ]]; then echo; printGood "setips.sh downloaded to /root/setips.sh"; fi 2207 | rm -rf /root/setips.backup 2208 | else 2209 | printError "The git repo failed to download...restoring original folder." 2210 | mv /root/setips.backup /root/setips 2211 | fi 2212 | else 2213 | echo; printStatus "You are currently in OFFLINE mode." 2214 | if [[ ! -z $redteamGogs ]]; then 2215 | if [[ ! 
-d $setipsGitFolder ]]; then 2216 | cd $HOME 2217 | GIT_SSL_NO_VERIFY=true git clone https://$redteamGogs:3000/spatiald/setips.git 2218 | ln -sf $setipsGitFolder/setips.sh $HOME/setips.sh > /dev/null 2>&1 2219 | else 2220 | cd $setipsGitFolder; GIT_SSL_NO_VERIFY=true git pull 2221 | ln -sf $setipsGitFolder/setips.sh $HOME/setips.sh > /dev/null 2>&1 2222 | echo 2223 | fi 2224 | else 2225 | printQuestion "What is the IP or domain for the Git Server? "; read REPLY 2226 | sed -i "/^redteamGogs=/c\redteamGogs=\"$REPLY\"" $setipsConfig 2227 | bash $0 -u 2228 | fi 2229 | fi 2230 | ;; 2231 | (\?) #Invalid options 2232 | echo "$IAM: Invalid option: -$OPTARG" >&2 2233 | printHelp >&2 2234 | exit 1 2235 | ;; 2236 | (:) #Missing arguments 2237 | echo "$IAM: Option -$OPTARG argument(s) missing." >&2 2238 | printHelp >&2 2239 | exit 1 2240 | ;; 2241 | esac 2242 | if [[ $OPTIND != 1 ]]; then #This test fails only if multiple options are stacked after a single "-" 2243 | shift $((OPTIND - 1 + sc)) 2244 | OPTIND=1 2245 | fi 2246 | done 2247 | fi --------------------------------------------------------------------------------
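The `-r` repair path and the `-l` listing in setips.sh work on live iptables state: duplicates are dropped, and the `-m statistic --mode nth` SNAT rules that rotate the source address only work when their `--every` counters count down to 1. The following is an added example, not part of setips.sh or the spatiald project, written from the reviewing administrator's side: it pulls the same rule shapes out of a saved `iptables-save` dump so the NAT pivots a host carries can be reviewed offline, without root and before anything is changed. The sample dump is constructed (10.0.0.x and 192.0.2.x addresses), and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of setips.sh: audit an `iptables-save` dump for the
# rule shapes setips creates (DNAT/SNAT pivots, round-robin SNAT, duplicates).
# Works on a saved dump, so it needs no root and runs offline.

# Write a constructed sample dump to a temp file and print its path.
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" << 'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.5/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.10:443
-A PREROUTING -d 10.0.0.5/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.10:443
-A POSTROUTING -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source 10.0.0.6
-A POSTROUTING -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 10.0.0.7
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
EOF
    printf '%s\n' "$f"
}

# All DNAT/SNAT rules in PREROUTING/POSTROUTING (the pivot rules), one per line.
list_nat_pivots() {
    grep -E '^-A (PREROUTING|POSTROUTING) .*-j (DNAT|SNAT)' "$1"
}

# Rules that appear more than once verbatim (what a repair pass would drop).
list_duplicate_rules() {
    grep '^-A ' "$1" | sort | uniq -d
}

# Round-robin source NAT rules (the `-m statistic --mode nth` form).
list_statistic_snat() {
    grep -E '^-A POSTROUTING .*-m statistic --mode nth .*-j SNAT' "$1"
}

# The --every values of the statistic rules must run N, N-1, ..., 1 in rule
# order, otherwise some source addresses are never selected. Prints "ok" or "broken".
check_statistic_sequence() {
    list_statistic_snat "$1" | sed -E 's/.*--every ([0-9]+).*/\1/' | awk '
        NR == 1 { expected = $1 }
        $1 != expected { bad = 1 }
        { expected = expected - 1 }
        END { r = (bad || expected != 0) ? "broken" : "ok"; print r }'
}

# Human-readable report over one dump file.
audit_dump() {
    echo "== NAT pivot rules =="; list_nat_pivots "$1"
    echo "== duplicate rules =="; list_duplicate_rules "$1"
    echo "== round-robin SNAT sequence: $(check_statistic_sequence "$1") =="
}

# Audit the dump given as $1, or the constructed sample when run with no arguments.
audit_dump "${1:-$(make_sample_dump)}"
```

On a real host the input is simply `iptables-save > dump.txt` followed by `sh audit.sh dump.txt`; the duplicate check is the same condition setips' repair removes, and the sequence check catches the case where a rule was deleted from the middle of a rotation set.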