#!/bin/bash
# Shark Jack
#
# sharkjack.sh - Helper script for linux/OSX for convenient interaction with your Hak5 Shark Jack
# (C) Hak5 2019
#VERSION=1.0.0
#######################################
# Print the exit notice and terminate the whole script.
# Arguments: $1 - exit status handed to `exit`
# Outputs:   "Exited" framed by blank lines, on stdout
#######################################
exitscript() {
  echo -e "\nExited\n"
  # $1 is intentionally left unquoted: with no argument this becomes a bare
  # `exit`, which reuses the status of the echo above.
  exit $1
}
#######################################
# Report a fatal error and stop the script with status 1.
# Arguments: $1 - message text (echo -e interprets backslash escapes in it)
# Outputs:   "[FATAL] <message>" framed by blank lines, on stdout
#######################################
err() {
  echo -e "\n[FATAL] $1\n"
  # exitscript (defined in this file) prints its own notice and exits.
  exitscript 1
}
#######################################
# Clear the terminal by emitting the ESC c sequence.
# Outputs: the two bytes ESC and 'c' on stdout
#######################################
cleart() {
  printf '\033c'
}
# Clear the screen (via cleart, defined in this file) and print the
# Shark Jack ASCII-art banner between two rules of '#' characters.
# Takes no arguments; writes only to stdout.
function banner(){
cleart
# Top rule, padded with blank lines.
echo -e "\n\n\n\n########################################################\n\n\n"
# The art is passed as the printf FORMAT string. It contains no '%', so no
# argument substitution happens, but backslash sequences in it are still
# subject to printf's escape handling - do not reflow or re-quote it.
printf "\
\_____)\_____ Shark Jack _____/(_____/
/--v____ __°< by Hak5 >°__ ____v--\\
)/ \(
"
# Bottom rule.
echo -e "\n\n########################################################\n\n"
}
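#######################################
# Abort unless an `iptables` command can be found on PATH.
# Uses the `command -v` builtin instead of the external `which`, whose
# presence and output format differ between systems.
# Outputs: nothing when iptables is found
# Returns: does not return when iptables is missing (err exits the script)
#######################################
iptables_check() {
  if ! command -v iptables >/dev/null 2>&1; then
    err "[!] iptables required to detect Shark on linux"
  fi
}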
#######################################
# Classify the host platform from $OSTYPE.
# Globals:  OSTYPE (read); OS (written: 1 for darwin*, 0 otherwise)
# Outputs:  a notice on stdout when macOS is detected
# Notes:    "cygwin" is rejected through err; every other platform is
#           treated as Linux and must pass iptables_check.
#######################################
os_check() {
  case "$OSTYPE" in
    darwin*)
      echo -e "\nOSX Detected\n"
      OS=1
      ;;
    cygwin)
      err "Cygwin not supported"
      ;;
    *)
      OS=0
      iptables_check
      ;;
  esac
}
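#######################################
# Refuse to continue unless the script runs with effective UID 0.
# Globals: EUID (read)
# Outputs: a re-run hint on stdout when not root
# Returns: does not return when not root (exitscript 1 ends the script)
#######################################
root_check() {
  if [[ "$EUID" -ne 0 ]]; then
    printf "\n%s\n" "Please re-run as root"
    # No `usage` function is defined in the part of the script shown here, so
    # an unconditional call would only print "command not found". Call it
    # only when one has actually been defined.
    if declare -F usage >/dev/null; then
      usage
    fi
    exitscript 1
  fi
}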
#######################################
# Forget the currently selected interface and report a link failure.
# Globals: IFACE (written: reset to empty so the locate loops run again)
# Outputs: an error notice on stdout
#######################################
connection_error() {
  IFACE=
  printf '\n%s\n' '[!] error communicating with the Shark Jack'
}
#######################################
# Probe the device address 172.16.24.1 with a single ICMP echo.
# Outputs: a detection notice on success; connection_error's notice on failure
# Returns: 0 when the ping is answered, 1 otherwise
#######################################
connection_check() {
  # Pause one second before probing.
  sleep 1
  if ping -c 1 172.16.24.1 &>/dev/null && echo -e " [+] Shark Jack Detected..."; then
    return 0
  fi
  # connection_error also clears IFACE so the caller searches again.
  connection_error && return 1
}
#######################################
# Linux: wait until a route towards 172.16.24.1 appears, remember the
# interface it uses, then confirm the device answers.
# Globals: IFACE (read/written)
# Outputs: a progress line with one dot per polling round
# Notes:   recurses when connection_check fails (that path clears IFACE
#          through connection_error, so the polling loop runs again).
#######################################
locate_interface_to_shark() {
  printf "\n%s" 'Waiting for a Shark Jack to be connected..'
  until [[ -n $IFACE ]]; do
    printf "%s" .
    # Third space-separated field of the matching route line is taken as the
    # interface name - presumably the "<net> dev <iface> ..." layout; confirm.
    IFACE=$(ip route show to match 172.16.24.1 2>/dev/null| grep -i 172.16.24.1 | cut -d ' ' -f3 | grep -v 172.16.24.1)
    sleep 1
  done
  echo -e "\n"
  if ! connection_check; then
    locate_interface_to_shark
  fi
}
#######################################
# macOS: wait until one of the en* interfaces holds a 172.16.24.x address,
# remember its name, then confirm the device answers.
# Globals: IFACE (read/written)
# Outputs: a progress line with one dot per polling round
# Notes:   recurses when connection_check fails.
#######################################
osx_locate_interface_to_shark() {
  printf "\n%s" 'Waiting for a Shark Jack to be connected..'
  until [[ -n $IFACE ]]; do
    printf "%s" .
    # Each candidate name from ifconfig is substituted by xargs into an
    # `sh -c` command string, which asks ipconfig for that interface's address.
    IFACE=$(ifconfig |cut -d ' ' -f1 |grep en|cut -d ':' -f1 | xargs -I {} sh -c "ipconfig getifaddr {}|grep -i 172.16.24 &>/dev/null && echo {}")
    sleep 1
  done
  echo -e "\n"
  if ! connection_check; then
    osx_locate_interface_to_shark
  fi
}
#######################################
# Run the interface discovery routine that matches the detected platform.
# Globals: OS (read; 1 selects the macOS routine, anything else Linux)
#######################################
locate_shark() {
  if (( OS == 1 )); then
    osx_locate_interface_to_shark
  else
    locate_interface_to_shark
  fi
}
#######################################
# Open an interactive SSH session to the device.
# Outputs: two notices on stdout before ssh takes over the terminal
# Returns: 1 when ssh exits non-zero, 0 otherwise
#######################################
ssh_connect() {
  printf "\n\tLogging into Shark Jack...\n\n"
  printf "\n\t[!] Ensure Shark Jack is in Arming Mode (middle switch position) or connection will be refused...\n\n\n"
  # NOTE(review): the target token below looks like a web e-mail-obfuscation
  # artifact in this copy; presumably it was the device login at 172.16.24.1 -
  # confirm against the upstream script before running.
  if ! ssh [email protected]; then
    return 1
  fi
}
#######################################
# Find the device on the network, then start an SSH session to it.
# Outputs: a status line on stdout
# Returns: 1 when ssh_connect fails, 0 otherwise
#######################################
connect() {
  locate_shark
  printf "\n\tAttempting to establish SSH connection...\n"
  if ! ssh_connect; then
    return 1
  fi
}
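#######################################
# Report whether the ip6tables listing mentions the current interface.
# Globals: IFACE (read)
# Outputs: "0" when the listing contains $IFACE, "1" when it does not
#          (exit-status style: 0 means "found")
# Notes:   the interface name is matched as a fixed string and passed as a
#          single quoted argument; an empty IFACE is reported as "not found"
#          instead of being handed to grep as a missing pattern.
#######################################
check_ip6tables_rule_exists() {
  if [[ -n "${IFACE:-}" ]] && ip6tables -vL | grep -qF -- "$IFACE"; then
    echo 0
  else
    echo 1
  fi
}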
#######################################
# Announce cleanup. As written it only prints a notice; it removes nothing
# and does not exit.
# Outputs: one notice on stdout
#######################################
cleanup() {
  printf '\n%s\n' '[!] Cleaning up...'
}
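#######################################
# Ask for the payload path and check that it exists.
# Globals: PAYLOADPATH (written with the text the user typed)
# Outputs: prompt and notices on stdout
# Returns: 0 when PAYLOADPATH names an existing path; 1 when the user chose
#          "q" or the path is missing (after main_menu has returned)
#######################################
get_payload_path() {
  # -r keeps backslashes in the typed path literal instead of eating them.
  read -r -p "FULL PATH to payload (q to return to menu): " PAYLOADPATH
  if [[ "$PAYLOADPATH" == "q" ]]; then
    cleart
    printf "\n%s\n" "[!] Returning to main menu..."
    sleep 2
    main_menu
    return 1
  fi
  if [[ ! -e "$PAYLOADPATH" ]]; then
    printf "\n%s\n" "[!] $PAYLOADPATH does not exist"
    sleep 2
    main_menu
    return 1
  fi
  return 0
}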
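#######################################
# Copy a local payload to /root/payload/payload.txt on the device.
# Globals: PAYLOADPATH (read, set by get_payload_path);
#          EXPANDEDPATH (written), HOME (read)
# Outputs: progress and result notices on stdout
# Returns: does not return (always ends through exitscript)
#######################################
push_payload() {
  echo -e "\n [+] Push Payload to Shark Jack"
  echo -e "\n----------------------------------------"
  get_payload_path

  # The previous `$(echo $PAYLOADPATH | cd)` always produced an empty string
  # (cd ignores stdin and prints nothing), so scp was started without a
  # source. Expand a leading "~" by hand and keep the path as one word.
  case "$PAYLOADPATH" in
    '~') EXPANDEDPATH=$HOME ;;
    '~/'*) EXPANDEDPATH="$HOME/${PAYLOADPATH:2}" ;;
    *) EXPANDEDPATH=$PAYLOADPATH ;;
  esac
  # Re-check here: the prompt helper can hand control back after a menu
  # detour with a path that was never validated.
  if [[ -z "$EXPANDEDPATH" || ! -e "$EXPANDEDPATH" ]]; then
    printf "\n%s\n" "[!] $PAYLOADPATH does not exist"
    exitscript 1
    return 1
  fi

  locate_shark
  echo -e "\n [+] Pushing payload to device..."
  # "--" stops a path that begins with "-" from being read as an scp option.
  # NOTE(review): the destination token looks like a web e-mail-obfuscation
  # artifact in this copy; presumably the device login at 172.16.24.1 - confirm.
  if scp -r -- "$EXPANDEDPATH" [email protected]:/root/payload/payload.txt; then
    echo -e "\n [+] Payload copied to Shark"
  else
    echo -e "\n [!] ERROR copying paylod to Shark"
  fi
  exitscript 0
}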
#######################################
# Print the upgrade heading, find the device, then hand over to
# upgrade_firmware (which reads FWFILEPATH).
# Outputs: heading lines on stdout
#######################################
connect_and_upgrade() {
  echo -e "\n [+] Upgrading Shark Jack firmware"
  echo -e "\n----------------------------------------"
  # Discovery must finish before the copy-and-flash step starts.
  locate_shark
  upgrade_firmware
}
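#######################################
# Ask for a local firmware image and start the upgrade with it.
# Globals: FWFILEPATH (written with the text the user typed)
# Outputs: prompt and notices on stdout
# Notes:   the upgrade is started only for an existing regular file. The old
#          `a && b && c || d` chain tested only for an empty answer and fell
#          through to the upgrade whenever a menu call returned non-zero.
#######################################
path_firmware_upgrade() {
  # -r keeps backslashes in the typed path literal.
  read -r -p "Path (including filename) to Shark Jack firmware file (q to return to menu): " FWFILEPATH
  if [[ "$FWFILEPATH" == "q" ]]; then
    cleart
    printf "\n%s\n" "[!] Returning to main menu..."
    sleep 2
    main_menu
    return
  fi
  if [[ -z "$FWFILEPATH" || ! -f "$FWFILEPATH" ]]; then
    printf "\n%s\n" "[!] $FWFILEPATH does not exist"
    sleep 2
    # Offer the file menu again; never continue to the flash step from here.
    local_file_menu && main_menu
    return 1
  fi
  connect_and_upgrade
}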
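#######################################
# Download the latest firmware image into ./shark-upgrade.bin and start the
# upgrade with it.
# Globals: FWFILEPATH (written)
# Outputs: progress notices on stdout
# Returns: does not continue to the upgrade when the download fails
# Notes:   nothing here verifies the image against a published digest or
#          signature; the only integrity aid is the SHA-256 that
#          upgrade_firmware prints for the operator to compare by hand.
#######################################
download_latest_fw() {
  echo -e "\n Downloading latest Shark Jack firmware\n"
  echo -e "\n----------------------------------------\n"
  # --fail: an HTTP error must not be saved to disk as if it were firmware.
  # --proto/--proto-redir: keep the transfer on HTTPS even when -L follows
  # a redirect.
  if curl --fail --location --proto '=https' --proto-redir '=https' \
    https://downloads.hak5.org/api/devices/sharkjack/firmwares/latest \
    --output shark-upgrade.bin; then
    echo -e "\n [+] Firmware download complete!\n\n"
  else
    err "[!] Firmware Download Failed"
    return 1
  fi
  FWFILEPATH="shark-upgrade.bin"
  connect_and_upgrade
}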
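#######################################
# Show the .bin files of the current directory, then reopen the file menu.
# Outputs: banner, heading and the matching `ls -l` lines on stdout
# Notes:   the dot is escaped so only names containing ".bin" are listed
#          (an unescaped '.bin' also matched names such as "cabinet"), and
#          the directory is passed as one quoted argument.
#######################################
ls_cwd() {
  banner
  echo -e "\n Listing .bin files in current working directory: $(pwd) \n"
  ls -l -- "$(pwd)" | grep -i '\.bin'
  echo -e "\n----------------------------------------\n"
  local_file_menu
}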
#######################################
# Menu for choosing a local firmware image.
# Globals: key (written with the single key that was read)
# Outputs: the menu on stdout
# Notes:   an unrecognised key shows the menu again (by recursion).
#######################################
local_file_menu() {
  echo -e "\n Upgrade Shark Jack firmware using local file"
  echo -e "\n----------------------------------------"
  echo -e "\n Where is the new Shark Jack firmware file located? "
  # tput output is spliced into the printf format to embolden the hot keys.
  printf "\n\
[$(tput bold)L$(tput sgr0)]ist bins in current directory\n\
\n\
[$(tput bold)P$(tput sgr0)]rovide path to file\n\n\
[$(tput bold)M$(tput sgr0)]ain Menu\n\
[$(tput bold)Q$(tput sgr0)]uit\n\n"
  # One key, no echo, no Enter needed.
  read -r -s -n 1 key
  case "$key" in
    l | L) ls_cwd ;;
    p | P) path_firmware_upgrade ;;
    m | M) main_menu ;;
    q | Q) exitscript 0 ;;
    *) local_file_menu ;;
  esac
}
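#######################################
# Remove the stored SSH host key for 172.16.24.1 from known_hosts.
# Globals: USER, HOME (read); HOMEDIR (written)
# Outputs: a notice on stdout, plus whatever ssh-keygen prints
# Notes:   once the entry is gone, the next SSH connection to that address
#          is a first contact again, so the host key shown then should be
#          checked before it is accepted.
#######################################
reset_key() {
  local -r safe_user_re='^[A-Za-z_][A-Za-z0-9_.-]*$'
  printf "\n\tRemoving Shark Jack key from known_hosts file...\n\n"
  # This script runs as root, and $USER comes from the environment. Only let
  # it reach eval when it is a plain account name, so the eval can do nothing
  # but tilde expansion; otherwise use $HOME.
  HOMEDIR=$HOME
  if [[ "${USER:-}" =~ $safe_user_re ]]; then
    HOMEDIR=$(eval echo "~$USER")
    # An unknown account leaves the tilde unexpanded.
    if [[ "$HOMEDIR" == "~"* ]]; then
      HOMEDIR=$HOME
    fi
  fi
  ssh-keygen -f "$HOMEDIR/.ssh/known_hosts" -R 172.16.24.1
}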
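#######################################
# Start sysupgrade on the device and wait for it to reboot.
# Globals: COUNT (written)
# Outputs: progress notices and one dot per second on stdout
# Returns: does not return (ends through exitscript 0)
# Notes:   the result of the ssh command is not checked; the fixed wait and
#          the "upgrading" notice run either way - presumably because the
#          session drops when the device reboots; confirm.
#######################################
do_sysupgrade() {
  printf "\n%s\n" "User Confirmed Power Source, continuing with upgrade..."
  echo -e "\n Shark Jack Firmware Upgrade"
  echo -e "\n----------------------------------------"
  printf "\n%s\n\n" "Logging into Shark Jack to Start Upgrade..."
  # NOTE(review): the target token looks like a web e-mail-obfuscation
  # artifact in this copy; presumably the device login at 172.16.24.1 - confirm.
  ssh [email protected] -t 'sysupgrade -n /tmp/upgrade.bin'
  # Ignore Ctrl-C while the device is flashing.
  trap '' SIGINT
  banner
  printf "\n%s\n" "[!] DO NOT UNPLUG THE DEVICE UNTIL IT HAS REBOOTED"
  printf "\n%s\n" "[!] Shark Jack Firmware Upgrading..."
  COUNT=0
  while [[ $COUNT -lt 146 ]]; do
    printf "%s" .
    # Was `COUNT=($COUNT+1)`: an array assignment that stored the growing text
    # "0+1+1..." and only counted because [[ -lt ]] re-evaluated it each time.
    COUNT=$((COUNT + 1))
    sleep 1
  done
  # Restore the default Ctrl-C behaviour.
  trap - SIGINT
  reset_key
  printf "\n%s\n" "Ready to attempt reconnection to your newly upgraded Shark Jack..."
  exitscript 0
}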
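#######################################
# Copy the firmware image to the device, show what is about to be flashed,
# and flash it only after an explicit "y".
# Globals: FWFILEPATH (read); key (written)
# Outputs: warnings, file details and a SHA-256 digest on stdout
# Notes:   - the confirmation is not offered when the copy failed, so an
#            older /tmp/upgrade.bin on the device cannot be flashed by mistake;
#          - the digest is computed from the local file only. It helps only
#            when the operator compares it with a value obtained separately
#            from the vendor.
#######################################
upgrade_firmware() {
  printf "\n%s\n\n" "Copying Firmware to Shark Jack..."
  # Quoted and preceded by "--": paths with spaces stay one argument and a
  # leading "-" is not read as an option.
  # NOTE(review): the destination token looks like a web e-mail-obfuscation
  # artifact in this copy; presumably the device login at 172.16.24.1 - confirm.
  if ! scp -- "$FWFILEPATH" [email protected]:/tmp/upgrade.bin; then
    err "[!] ERROR copying firmware to Shark Jack"
    return 1
  fi
  cleart
  printf "\n%s\n" "ONCE STARTED - DO NOT UNPLUG THE DEVICE FROM NETWORK OR POWER"
  printf "\n%s\n" "[!] SHARK JACK MUST BE POWERED OVER USB-C [!]"
  printf "\n%s\n" "[!][!] Attempting Firmware Upgrade ON BATTERY will likely brick your device. [!][!]"
  echo -e "\nFirmware File to Flash: $FWFILEPATH"
  ls -lah -- "$FWFILEPATH"
  echo "Checksum:"
  # sha256sum is not present on every supported host; fall back to shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$FWFILEPATH"
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 -- "$FWFILEPATH"
  else
    echo "[!] No SHA-256 tool found, checksum not shown"
  fi
  echo -e "\nIs your Shark Jack connected to a good power source and is the file listed above correct?"
  printf "\n\
[$(tput bold)Y$(tput sgr0)]es / Continue\n\
[$(tput bold)N$(tput sgr0)]o / Abort\n\n\
[$(tput bold)M$(tput sgr0)]ain Menu / Abort\n\
[$(tput bold)Q$(tput sgr0)]uit / Abort\n\n"
  read -r -sn1 key
  case "$key" in
    [yY]) do_sysupgrade ;;
    [nN])
      echo -e "\n[!] Connect Shark Jack to Power over USB-C to upgrade firmware"
      exitscript 1
      ;;
    [mM]) main_menu ;;
    [qQ]) exitscript 0 ;;
    # Anything else is treated as "no": flashing needs an explicit yes.
    *)
      echo -e "\n Unrecognized response, Exiting for safety"
      exitscript 1
      ;;
  esac
}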
#######################################
# Menu for choosing where the firmware image comes from.
# Globals: key (written with the single key that was read)
# Outputs: banner and menu on stdout
# Notes:   an unrecognised key shows the menu again (by recursion).
#######################################
upgrade_process_menu() {
  banner
  echo -e "\n Shark Jack Firmware Upgrade Menu"
  echo -e "\n----------------------------------------\n"
  # tput output is spliced into the printf format to embolden the hot keys.
  printf "\n\
[$(tput bold)D$(tput sgr0)]ownload latest firmware from downloads.hak5.org\n\
[$(tput bold)L$(tput sgr0)]ocal firmware file\n\n\
[$(tput bold)M$(tput sgr0)]ain Menu\n\
[$(tput bold)Q$(tput sgr0)]uit\n\n"
  # One key, no echo, no Enter needed.
  read -r -s -n 1 key
  case "$key" in
    l | L) banner && local_file_menu ;;
    d | D) banner && download_latest_fw ;;
    m | M) main_menu ;;
    q | Q) exitscript 0 ;;
    *) upgrade_process_menu ;;
  esac
}
#######################################
# Copy the device's /root/loot/ directory into the current directory.
# Outputs: a notice on stdout, plus whatever scp prints
# Returns: does not return (ends through exitscript 0)
# Notes:   the copy lands in whatever directory the script was started from.
#######################################
get_loot() {
  locate_shark
  printf '\n%s\n\n' 'Logging into Shark Jack to pull collected loot...'
  # NOTE(review): the source token looks like a web e-mail-obfuscation
  # artifact in this copy; presumably the device login at 172.16.24.1 - confirm.
  scp -r [email protected]:/root/loot/ .
  exitscript 0
}
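#######################################
# Install a public key on the device for password-less SSH login.
# Globals: USER, HOME (read); HOMEDIR, SSHKEYPATH (written)
# Outputs: directory listing, prompt and notices on stdout
# Returns: ends through exitscript 0 after ssh-copy-id; returns 1 when the
#          user chose "q" or named a key file that does not exist
# Notes:   fixes an inverted test that reported every EXISTING key file as
#          "does not exist", and stops the flow from reaching ssh-copy-id
#          after such a rejection.
#######################################
setup_shark() {
  local -r safe_user_re='^[A-Za-z_][A-Za-z0-9_.-]*$'
  locate_shark
  echo -e "\nCopy ssh key to shark for passwordless login"
  echo -e "\n------------------------------------------------\n"
  # This script runs as root, and $USER comes from the environment. Only let
  # it reach eval when it is a plain account name, so the eval can do nothing
  # but tilde expansion; otherwise use $HOME.
  HOMEDIR=$HOME
  if [[ "${USER:-}" =~ $safe_user_re ]]; then
    HOMEDIR=$(eval echo "~$USER")
    # An unknown account leaves the tilde unexpanded.
    if [[ "$HOMEDIR" == "~"* ]]; then
      HOMEDIR=$HOME
    fi
  fi
  echo -e "\n Listing : $HOMEDIR/.ssh \n"
  ls -l -- "$HOMEDIR/.ssh"
  echo -e "\n----------------------------------------\n"
  # Escaped dot: look for ".pub", not "any character followed by pub".
  # stderr is dropped here because the listing above already showed any error.
  if ! ls -l -- "$HOMEDIR/.ssh" 2>/dev/null | grep -qi '\.pub'; then
    echo -e "\nNo key found. Calling ssh-keygen to create a new one...\n"
    ssh-keygen -t rsa -b 4096
  fi
  # -r keeps backslashes in the typed path literal.
  read -r -p "FULL PATH to your SSH key or hit enter to use the default ~/.ssh/id_rsa.pub (q to return to menu): " SSHKEYPATH
  if [[ "$SSHKEYPATH" == "q" ]]; then
    cleart
    printf "\n%s\n" "[!] Returning to main menu..."
    sleep 2
    main_menu
    return 1
  fi
  if [[ -n "$SSHKEYPATH" && ! -e "$SSHKEYPATH" ]]; then
    printf "\n%s\n" "[!] $SSHKEYPATH does not exist"
    sleep 2
    main_menu
    return 1
  fi
  # NOTE(review): the target token looks like a web e-mail-obfuscation
  # artifact in this copy; presumably the device login at 172.16.24.1 - confirm.
  if [[ -z "$SSHKEYPATH" ]]; then
    ssh-copy-id -i [email protected]
  else
    ssh-copy-id -i "$SSHKEYPATH" "[email protected]"
  fi
  exitscript 0
}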
#######################################
# Top-level menu: read one key and dispatch to the matching action.
# Globals: OS (read); key (written with the single key that was read)
# Outputs: banner and menu on stdout
# Notes:   an unrecognised key shows the menu again (by recursion).
#######################################
main_menu() {
  banner
  if (( OS == 1 )); then
    echo -e "\n\n OSX DETECTED \n\n"
  fi
  # tput output is spliced into the printf format to embolden the hot keys.
  printf "\n\
Press the highlighted key to select an option (example: press C to connect)\n\n\
[$(tput bold)C$(tput sgr0)]onnect - get a shell on your Shark Jack\n\
[$(tput bold)U$(tput sgr0)]pgrade firmware\n\
[$(tput bold)P$(tput sgr0)]ush payload to Shark Jack\n\
[$(tput bold)G$(tput sgr0)]et loot saved on Shark Jack\n\n\
[$(tput bold)R$(tput sgr0)]eset known_hosts keys for the Shark Jack on this system\n\
[$(tput bold)S$(tput sgr0)]etup ssh keys for easy access\n\
[$(tput bold)Q$(tput sgr0)]uit\n\n"
  # One key, no echo, no Enter needed.
  read -r -s -n 1 key
  case "$key" in
    c | C) connect ;;
    u | U) upgrade_process_menu ;;
    p | P) push_payload ;;
    g | G) get_loot ;;
    r | R) reset_key ;;
    s | S) setup_shark ;;
    q | Q) exitscript 0 ;;
    *) main_menu ;;
  esac
}
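# Entry point.
# The INT handler is installed before anything interactive runs. It used to be
# registered only after main_menu had returned, immediately before the final
# exit, so it was never in effect. cleanup only prints a notice, so the handler
# exits explicitly (130 = 128 + SIGINT) to keep Ctrl-C terminating the script.
trap 'cleanup; exit 130' INT
# Validate priv / iptables
root_check
os_check
main_menu
echo -e "\nDone\n"
exitscript 0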