Scripting the client

Now that we have a server (the forensics workstation) waiting for us to send information, we will turn our attention toward scripting the client (subject system). Because it would be bothersome to include the forensics workstation IP address and ports with every action, we will start by setting some environment variables to be used by other client scripts. A simple script to do just that follows.

setup-client.sh

#
# Simple script to set environment variables for a
# system under investigation. Intended to be
# used as part of initial live response.
# by Dr. Phil Polstra (@ppolstra) as developed for
# PentesterAcademy.com.

usage () {
  echo "usage: source $0 <forensics workstation IP> [log port] [filename port] [file transfer port]"
  echo "Simple script to set variables for communication to forensics workstation"
}

# did you specify a forensics workstation IP?
if [ $# -lt 1 ] ; then
  usage
  # return rather than exit: this script is sourced, so exit would close your terminal
  return 1
fi

# the server IP address is required
export RHOST=$1

# log port, default 4444
if [ $# -gt 1 ] ; then
  export RPORT=$2
else
  export RPORT=4444
fi

# filename port, default 5555
if [ $# -gt 2 ] ; then
  export RFPORT=$3
else
  export RFPORT=5555
fi

# file transfer port, default 5556
if [ $# -gt 3 ] ; then
  export RFTPORT=$4
else
  export RFTPORT=5556
fi

Notice that there is no she-bang at the beginning of this script. Why not? Recall that you want to run your known-good version of bash, not the possibly vandalized one in the /bin directory. Another reason this script is she-bang free is that it must be sourced in order for the exported variables to be available to new processes started from your current terminal. This is done by running the command source ./setup-client.sh {forensics workstation IP} in a terminal.

The script repeatedly uses the export command, which sets a variable and makes it available to other processes in the current terminal or any child processes of the current terminal. Variables that are not exported are only visible within the process that created them, and we create a new process each time we type bash {script name}. Setting these values would be pointless if they were never seen by the other client scripts. Since the server IP address is required, we store it in the RHOST variable. Then we check to see if any of the optional parameters were supplied; if not we export a default value, if so we export whatever the user entered.

The following script will execute a command and send the results wrapped in a header and footer to the forensics workstation. As with the previous script, there is no she-bang and you must explicitly run the script by typing bash ./send-log.sh {command with arguments}.

send-log.sh

#
# Simple script to send a new log entry
# to listener on forensics workstation. Intended to be
# used as part of initial live response.
# by Dr. Phil Polstra (@ppolstra) as developed for
# PentesterAcademy.com.

# defaults primarily for testing
[ -z "$RHOST" ] && { export RHOST=localhost; }
[ -z "$RPORT" ] && { export RPORT=4444; }

usage () {
  echo "usage: $0 <command with arguments>"
  echo "Simple script to send a log entry to listener"
  exit 1
}

# did you specify a command?
if [ $# -lt 1 ] ; then
  usage
else
  # run the command and wrap its output in a header and footer before sending it
  echo -e "++++Sending log for $@ at $(date) ++++\n $($@) \n----end----\n" | nc $RHOST $RPORT
fi

The script starts out with a couple of lines that will set RHOST and RPORT to default values if they have not already been set. These lines demonstrate a powerful technique to use in your shell scripts known as short circuiting. The line [ -z "$RHOST" ] && { export RHOST=localhost; } consists of two statements separated by the logical AND operator. The first half tests the RHOST environment variable to see if it has zero length (empty or unset). Notice that the variable, complete with the leading $, is enclosed in double quotes. This forces the shell to treat the value as a single string so the test works as expected even when the variable is empty. If the first half evaluates to false there is no reason to bother with the second half of the line, so it is skipped (short circuited). The curly brackets in the second half explicitly group everything together in a single statement.
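The following is an added example, not code from the book, that packages the two ideas above, the short-circuit defaults and the header/footer log entry that send-log.sh pipes to nc, as shell functions so the formatting can be checked on the subject system without a listener running. The function names set_client_defaults, format_log_entry and send_log, and the DRY_RUN variable, are this example's own choices. It departs from the book's one-liner in two small ways, both marked in the comments: it runs the command as "$@" so quoted arguments survive word splitting, and it redirects stderr with 2>&1 so error messages from the command also reach the forensics workstation rather than being lost on the subject system's screen.

```shell
#!/bin/bash
# Added example (not from the book). Hypothetical helper names:
# set_client_defaults, format_log_entry, send_log, DRY_RUN.

# Same short-circuit idiom as send-log.sh: assign only when the variable is empty or unset.
set_client_defaults () {
  [ -z "$RHOST" ] && { export RHOST=localhost; }
  [ -z "$RPORT" ] && { export RPORT=4444; }
  return 0
}

# Run the command given in the remaining arguments and wrap its output in the
# ++++ header and ----end---- footer. The timestamp is passed in as $1 so the
# result is reproducible; send_log supplies $(date) for real use.
# Added here: "$@" keeps quoted arguments intact, 2>&1 captures stderr as well.
format_log_entry () {
  stamp="$1"; shift
  output=$("$@" 2>&1)
  printf '++++Sending log for %s at %s ++++\n%s\n----end----\n' "$*" "$stamp" "$output"
}

# Build the entry and pipe it to the listener on the forensics workstation.
# Set DRY_RUN=1 to print the entry locally instead of calling nc.
send_log () {
  set_client_defaults
  entry=$(format_log_entry "$(date)" "$@")
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$entry"
  else
    printf '%s\n' "$entry" | nc "$RHOST" "$RPORT"
  fi
}

# Usage: DRY_RUN=1 bash ./send-log-example.sh uname -a
if [ $# -gt 0 ]; then
  send_log "$@"
fi
```

Run it once with DRY_RUN=1 on the subject system to confirm the entry looks right before pointing it at the real RHOST and RPORT; because the defaults only fill in empty variables, sourcing setup-client.sh first still wins.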
