Tag Shell

SSH-Snake, a self-modifying worm that leverages SSH credentials.

Original Article : The Hacker News

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.

“SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network,” Sysdig researcher Miguel Hernández said.

“The worm automatically searches through known credential locations and shell history files to determine its next move.”

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a “powerful tool” to carry out automatic network traversal using SSH private keys discovered on systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses.

“It’s completely self-replicating and self-propagating – and completely fileless,” according to the project’s description. “In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can.”

BotNet CNC Control Hacker Infiltrates & Exploits Vulnerabilities Vie SSH TCP Both Hardware Software Exploited

Sysdig said the shell script not only facilitates lateral movement, but also provides additional stealth and flexibility than other typical SSH worms.

The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, the IP addresses of the targets, and the bash command history following the discovery of a command-and-control (C2) server hosting the data.

How Does It Work?

These attacks involve active exploitation of known security vulnerabilities in Apache ActiveMQ and Atlassian Confluence instances in order to gain initial access and deploy SSH-Snake.
“The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread,” Hernández said. “It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold.”

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to “discover the attack paths that exist – and fix them.”

“It seems to be commonly believed that cyber terrorism ‘just happens’ all of a sudden to systems, which solely requires a reactive approach to security,” Rogers said. “Instead, in my experience, systems should be designed and maintained with comprehensive security measures.”

Netcat file transfer chat utility. Easily Send & Receive Files Local & Remote.

“If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can’t be replicated across thousands of others.”

Rogers also called attention to the “negligent operations” by companies that design and implement insecure infrastructure, which can be easily taken over by a simple shell script.

“If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized – as well as if the actions taken by SSH-Snake were manually performed by an attacker,” Rogers added.

“Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place.”

The disclosure comes as Aqua uncovered a new botnet campaign named Lucifer that exploits misconfigurations and existing flaws in Apache Hadoop and Apache Druid to corral them into a network for mining cryptocurrency and staging distributed denial-of-service (DDoS) attacks.

The hybrid cryptojacking malware was first documented by Palo Alto Networks Unit 42 in June 2020, calling attention to its ability to exploit known security flaws to compromise Windows endpoints.
As many as 3,000 distinct attacks aimed at the Apache big data stack have been detected over the past month, the cloud security firm said. This also comprises those that single out susceptible Apache Flink instances to deploy miners and rootkits.

“The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in those services,” security researcher Nitzan Yaakov said.

Apache Vulnerability Update Available!

“Apache open-source solutions are widely used by many users and contributors. Attackers may view this extensive use as an opportunity to have inexhaustible resources for implementing their attacks on them.”

Hacker News:
Russian Hackers Have Infiltrated U.S. Household and Small Business Routers, FBI Warns
Original Article: MSN News

The FBI has recently thwarted a large-scale cyberattack orchestrated by Russian operatives, targeting hundreds of routers in home offices and small businesses, including those in the United States.

These compromised routers were used to form “botnets”, which were then employed in cyber operations worldwide.

The United States Department of Justice has attributed this cyberattack to the Russian GRU Military Unit 26165. Countermeasures undertaken by authorities ensured that the GRU operators were expelled from the routers and denied further access, ABC News reported.

The GRU deployed a specialized malware called “Moobot,” associated with a known criminal group, to seize control of susceptible home and small office routers, converting them into “botnets” — a network of remotely controlled systems.

The Justice Department, in an official statement, explained, “Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”

Utilizing this botnet, Russian hackers engaged in various illicit activities, including extensive “spearphishing” campaigns and credential harvesting campaigns against targets of intelligence interest to the Russian government, such as governmental, military, security and corporate entities in the United States and abroad.

Botnets pose a significant challenge for intelligence agencies, hindering their ability to detect foreign intrusions into their computer networks, Reuters notes.

In January 2024, the FBI executed a court-approved operation dubbed “Operation Dying Ember” to disrupt the hacking campaign. According to the Department of Justice, the FBI employed malware to copy and erase the malicious data from the routers, restoring full access to the owners while preventing further unauthorized access by GRU hackers.

FEDOR was designed as an android able to replace humans in high-risk areas, such as rescue operations,” Andrey Grigoriev, director of Russia’s Advanced Research Fund, said.

Random HTTP Request Generator – “generator.php”

This generates the Header Request Information to be sent to a Destination URL.
For Testing Purposes Only – Some Files Have Been Excluded.
The Destination URL tracks incoming HTTP Requests and filters them for “bad data” or
“Spoofed Requests” such as the requests generated here.

Using Netcat may be “Old School”, but so am I, so I love using Netcat for simple tasks or just chatting without Big Brother paying too much attention. I love using Bold Text too.

These are two separate scripts, one for use on a server, “server.sh” (home pc/Pi/laptop or and server that allows you to use Netcat) and “client.sh”, which you can use on your Android or Laptop etc from a mobile location.
Of course you’re going to have to set permissions and run them. I highly suggest editing out the sleep function and using cron if you’re savvy as this is really meant to update files such as remote sensors, cameras etc.

*Edit the IP address to your server in client.sh.

server.sh

#!/bin/bash
clear
    echo "Server Running."
        mkdir incoming
    date="$(date +'%Y-%m-%d_%H-%M')"
    file="incoming/payload.file"
# Set the Servers Port To Listen On
    echo $(nc -l 1234 > $file)
        mv $file "incoming/$date.payload"
    echo "File Recieved."
    sleep 10
./$(basename $0) && exit

client.sh

#!/bin/bash
clear
mkdir outgoing
    echo "Client Running."
        file="outgoing/payload.file"
# For Demo Only
    touch $file
    echo "Some Data" >> $file
# Set The Server IP and Port To Connect To
    echo $(nc -w 3 192.168.1.XXX 1234 < $file)
    echo "File Sent."
    sleep 60
./$(basename $0) && exit

Example script using OpenSSL AES 256 with Salt and a random generated password.
It’s the little things.

#!/bin/bash
clear
echo "Input String:"
    read input
        pass=$(echo cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 1024 | head -n 1)
        encrypt="$(echo -e $input | openssl aes-256-cbc -pbkdf2 -iter 20000 -salt -a -e -k $pass)"
        decrypt="$(echo -e $encrypt | openssl aes-256-cbc -pbkdf2 -iter 20000 -salt -a -d -k $pass)"
    echo -e "Encrypted String: "$encrypt
    echo -e "Decrypted String: "$decrypt
    echo "Hit Any Key.."
  read anykey
./$(basename $0) && exit

BashKat is pretty straight forward and really easy to use.
I made sure to add some “cute” to it with the emojis.
This bot will scrape from user input or a file using the wget function (example: urls.txt) and it’s Super Fun when using Proxychains.

#!/usr/bin/env bash
# BashKat Version 1.0.2
# K0NxT3D

# Variables
BotOptions="Url File Quit"

# Welcome Banner
clear
printf "✨ BashKat 1.0 ✨\nScrape Single URL/IP or Multiple From File.\n\n" && sleep 1

# Bot Options Menu
select option in $BotOptions; do

# Single URL Scrape
   if [ "$option" = "Url" ];
    then
      printf "URL To Scrape: "
       read scrapeurl
     mkdir -p data/
    wget -P data/ \
     -4 \
     -w 0 \
     -t 3 \
     -rkpN -e robots=off \
     --header="Accept: text/html" \
     --user-agent="BashKat/1.0 (BashKat 1.0 Web Scraper Utility +http://www.bashkat.bot/)" \
     --referer="http://www.bashkat.bot" \
     --random-wait \
     --recursive \
     --no-clobber \
     --page-requisites \
     --convert-links \
     --restrict-file-names=windows \
     --domains $scrapeurl \
     --no-parent \
         $scrapeurl

      printf "🏁Scrape Complete.\nHit Enter To Continue.👍"
       read anykey
./$(basename $0) && exit

  elif [ "$option" = "File" ];
   then
      printf "Path To File: "
       read filepath
     while IFS= read -r scrapeurl
      do
     mkdir -p data/
    wget -P data/ \
     -4 \
     -w 0 \
     -t 3 \
     -rkpN -e robots=off \
     --header="Accept: text/html" \
     --user-agent="BashKat/1.0 (BashKat 1.0 Web Scraper Utility +http://www.bashkat.bot/)" \
     --referer="http://www.bashkat.bot" \
     --random-wait \
     --recursive \
     --no-clobber \
     --page-requisites \
     --convert-links \
     --restrict-file-names=windows \
     --domains $scrapeurl \
     --no-parent \
         $scrapeurl 
     done < "$filepath"
      printf "🏁Scrape Complete.\nHit Enter To Continue.👍"
       read anykey
./$(basename $0) && exit

 elif [ "$option" = "Quit" ];
 then
   printf "Quitting🏳"
    sleep 1
     clear
      exit
# ERRORS
  else
   clear
    printf "❌"
    sleep 1
   ./$(basename $0) && exit
  fi
 exit
done

Paparazzi: A basic Screenshot Utility (Bot) for collecting screenshots of IP addresses and or URLs.
This script requires a personal API key and you can get yours here: BrowShotAPI

#!/usr/bin/env bash
# Paparazzi 1.0 - K0NxT3D 2021
# Website ScreenShot Utility
# Bash: ./bot

# Variables
    BotOptions="Url File Quit"
    images="./images"

# Welcome Banner - Create Directories
    mkdir -p $images
    clear
    printf "Paparazzi 1.0 - K0NxT3D\n"
    sleep 1

# Bot Options Menu
    select option in $BotOptions; do

# Single URL/IP Scan
    if [ "$option" = "Url" ];
     then
      printf "IP/URL To Scan: "
    read url
        curl -L "https://api.browshot.com/api/v1/simple?url=$url&key=ENTER YOUR KEY HERE" -o $images/$url.png
      printf "Finished Scanning.\nHit Enter To Continue.."
    read anykey
./bot

# Multiple URL/IP Scan From File (example: urls.txt)
    elif [ "$option" = "File" ];
     then
      printf "Path To File: "
    read filepath
        while IFS= read -r url
        do
          curl -L "https://api.browshot.com/api/v1/simple?url=$url&key=ENTER YOUR KEY HERE" -o $images/$url.png
        done < "$filepath"
    printf "Finished Scanning.\nHit Enter To Continue.."
 read anykey
./bot

# Quitter!!!
    elif [ "$option" = "Quit" ];
     then
        printf "Quitting!"
    sleep 1
clear
exit

# ERRORS
    else
    clear
        printf ""
    sleep 1
   bash ./bot
fi
exit
done

Installing Linux Apache, MySql and PhP also known as a LAMP Server can be an easily automated process and save you from  countless hours of headaches.

LAMP Server Installation Script (Dry Build – Test Before Running):

#!/usr/bin/env bash
###############################################
# #
# Basic Server Installer - K0NxT3D 2020 #
# DRY BUILD - DO NOT RUN #
# #
###############################################

# Configuration
#
# Variables:
INST_DIR="/var/www/html/" # Default Linux Apache2 Install Directory
PASQL="Your-MySql-Root-Password-Goes-Here" # Set the MySql root Password
BROWS="Your-Default-Browser" # firefox, google-chrome, google-chromium, safari
MYURL="localhost" # Default Setting
#
# END Configuration

# Begin The Basic Server Install
sudo apt-get install lamp-server^ -y
clear

# Configure MySql
sudo mysql -u root
echo ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '$PASQL'; && set -v
echo FLUSH PRIVILEGES;&& set -v
echo quit && set -v
sudo service mysql restart && set -v
clear

# Install PhpMyAdmin
sudo apt-get install phpmyadmin -y
#sudo apt install phpmyadmin php-mbstring php-gettext
clear

# Install WordPress
cd $INST_DIR
wget https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
cd wordpress
mv * $INST_DIR
cd $INST_DIR
rm -r wordpress
clear

# Finish WordPress Install
$BROWSE $MYURL

Lamp Server Removal Script:

#!/usr/bin/env bash
###############################################
# #
# Basic Server UnInstaller - K0NxT3D 2020 #
# DRY BUILD - DO NOT RUN #
# #
###############################################

# This will remove LAMP not Site Files.
sudo service apache2 stop
sudo apt-get purge apache2 apache2-utils apache2.2-bin apache2-common
sudo apt remove apache2.*
sudo apt-get autoremove
whereis apache2
sudo rm -rf /etc/apache2

# This will remove PHP
sudo apt-get purge `dpkg -l | grep php7.2| awk '{print $2}' |tr "\n" " "`
sudo apt-get purge php7.*
sudo apt-get autoremove --purge
whereis php
sudo rm -rf /etc/php

# This will remove MYSql
sudo service mysql stop
sudo apt-get remove --purge *mysql\*
sudo apt-get remove --purge mysql-server mysql-client mysql-common -y
rm -rf /etc/mysql
sudo apt-get autoremove
sudo apt-get autoclean

sudo reboot

You can add custom lines to the install script and mirror them in the removal script as well.
This is just a basic installation to get a site up and running. I use PhPMyAdmin or my Hosting Cpanel to setup the user database for WordPress separately.

Bash is a Unix Shell and Command Language which runs in the form of a file (myscript.sh) and issues commands to the machine(s) it’s running on or connected to. Bash Scripts can save countless hours of time editing files or performing operations, so it’s quite versatile and useful.

A simple Bash Script might look something similar to this:

#!/bin/bash
# Monitor Network Connections - K0NxT3D 2021
clear

# All Connections to File
# sudo netstat -atupen >> output.txt

# Established Connections To File
# sudo netstat -atnp | grep ESTA >> output.txt

# Live Monitoring No File
sudo watch -d -n3 "netstat -atnp | grep ESTA"

The use of the pound sign at the beginning and following text is called the “Shebang” and is critical to your script environment, while also being used alone to Comment lines out in the rest of the script.
The Shebang is only used at the beginning of the script.

Scripts can be run on Linux based operating systems as well as Windows, my examples here are exclusive to Linux.

Sometimes you need a very “Personal” script to edit particular data from one or more files and might end up with something more like this processing script which gives me an output of the ip or website currently connected to my machine.

#!/bin/bash
#netstat -a -c -tp (Run As Sudo For More Details)
clear
   date=$(date +"%m-%d-%Y_%H-%M")
   file="output.txt"
   ipo='^[0-9]+([.][0-9]+)?$'
   #file="$date-netstat.output"
  touch $file
  netstat -tp|awk '{print $5}' >> $file
sleep 10
     sed -i 's/:https//' $file
     sed -i 's/:http//' $file
     sed -i 's/servers)//' $file
     sed -i 's/Address//' $file
     sed -i 's/edge-msgr-latest-//' $file
     sed -i 's/edge-star-shv-01-//' $file
     sed -i 's/localhost:netbios-ssn//' $file
     sed -i '/^\s*$/d' $file
sleep 10
   while IFS= read -r ip
do
   ping -c 1 $ip &> /dev/null && echo $ip >> IPS.txt || echo Could Not Connect.
done < $file
   rm $file

This script simply removes lines of information I don’t need from the output file it generates and cleans up my data and the mess.

Sometimes, I just wanna mess with my dogs.
FOREVER!

#!/bin/bash
i=0
   until [ $i -gt 3 ]
do
   random=$(cat /dev/urandom | tr -dc '0-9' | fold -w 4 | head -n 1)
   ffplay -f lavfi -i "sine=frequency=$random:duration=1" -autoexit -nodisp
   ((i=i-1))
done

You can always read more information here on Wikipedia.