This document provides a detailed step-by-step explanation of how the steal_files_ssh.py script operates. This script connects to remote SSH servers using provided credentials, searches for specific files, and downloads them to a local directory.

Overview

Description

Filename: steal_files_ssh.py
Purpose: To connect to remote SSH servers using provided credentials, search for specific files, and download them to a local directory.

Initialization and Setup

Importing Modules

The script imports the following modules:

Standard Libraries:
- os
- paramiko
- logging
- time
- threading.Timer
External Libraries:
- rich.console
Custom Modules:
- SharedData
- Logger

Configuring the Logger

The logger is configured to log messages for steal_files_ssh.py at the DEBUG level, ensuring detailed logging of events and errors.

Defining Global Variables

Global variables are defined to provide metadata about the class and module, including:

b_class = "StealFilesSSH"
b_module = "steal_files_ssh"
b_status = "steal_files_ssh"
b_parent = "SSHBruteforce"
b_port = 22

`StealFilesSSH` Class

Purpose

The StealFilesSSH class manages the process of connecting to SSH servers, searching for specific files, and downloading them.

Initialization

Attributes: Initializes shared data and sets up the state for SSH and SFTP connections.
Logger: Logs the initialization process.

Methods

`connect_ssh(ip, username, password)`

Purpose: Establishes an SSH connection to the specified IP using the provided username and password.
Logging: Logs the connection attempt and outcome.
Returns: An SSH client object if the connection is successful.

`find_files(ssh, dir_path)`

Purpose: Searches for files in the specified directory on the remote server based on configuration criteria (file extensions and names).
Logging: Logs the number of matching files found.
Returns: A list of matching file paths.

`steal_file(ssh, remote_file, local_dir)`

Purpose: Downloads a specified file from the remote server to a local directory.
Logging: Logs the download process and outcome.

`execute(ip, port, row, status_key)`

Purpose: Orchestrates the file-stealing process by connecting to the remote server, searching for files, and downloading them.
Logging: Logs the overall process, including connection attempts, file searches, and downloads.
Returns: A status string indicating success or failure.

Detailed Execution Flow

Step 1: Initialization

The StealFilesSSH class is initialized with shared data, setting up necessary attributes and logging the initialization.

Step 2: Establish SSH Connection

The connect_ssh method attempts to establish an SSH connection using provided credentials.
Successful connections are logged, and an SSH client object is returned.

Step 3: Search for Files

The find_files method searches for specific files in a given directory on the remote server.
Files that match the configured criteria are logged and returned as a list of file paths.

Step 4: Download Files

The steal_file method downloads each identified file from the remote server to a local directory.
The download process and outcome are logged.

Step 5: Execute File Stealing

The execute method orchestrates the overall process, handling connection attempts, file searches, and downloads.
Credentials are retrieved from a pre-configured file, and each credential is tried sequentially.
A timeout mechanism ensures that the process does not hang indefinitely if an SFTP connection is not established.

Variables and Configuration

Target Files and Directories

`self.shared_data.steal_file_extensions`

Purpose: Specifies the file extensions to look for when searching for files on the remote server.
Type: List of strings.
Example: ['.txt', '.log', '.conf']

`self.shared_data.steal_file_names`

Purpose: Specifies the file names (or parts of file names) to look for when searching for files on the remote server.
Type: List of strings.
Example: ['important', 'secret', 'config']

`self.shared_data.sshfile`

Purpose: The file that contains the SSH credentials (username and password) cracked from previous brute force attacks.
Type: String (file path).
Example: '/path/to/sshfile.csv'

`self.shared_data.datastolendir`

Purpose: The directory where the stolen files will be saved locally.
Type: String (directory path).
Example: '/path/to/datastolendir/'

Example Configuration

self.shared_data.steal_file_extensions = ['.txt', '.log', '.conf']
self.shared_data.steal_file_names = ['important', 'secret', 'config']
self.shared_data.sshfile = '/path/to/sshfile.csv'
self.shared_data.datastolendir = '/path/to/datastolendir/'

Integration with Orchestrator

Parent-Child Relationship

The StealFilesSSH class is a child of the SSHBruteforce class in the orchestrator's workflow. This means that the file-stealing process is initiated only after the successful execution of the brute force attack managed by SSHBruteforce.

Method Call

The StealFilesSSH class is called by the orchestrator via its execute method. The process involves:

Receiving Target Details: The orchestrator provides IP, port, and credential details to the StealFilesSSH class.
Performing File Stealing: The execute method connects to the remote server, searches for files, and downloads them.
Updating Orchestrator: The status (success or failure) is returned to the orchestrator for further action.

Example Workflow

Initialization: The orchestrator initializes the StealFilesSSH class.
Execution: For each target IP and port, the orchestrator calls the execute method of StealFilesSSH.
Logging and Status Update: The StealFilesSSH class logs each step and updates the status based on the outcome of the file-stealing process.

By following these detailed steps, the steal_files_ssh.py script connects to SSH servers, searches for specified files, and downloads them to a local directory. It integrates seamlessly with the orchestrator for coordinated security operations, ensuring that file-stealing actions are performed only after successful brute force attacks.

Steal Files SSH steal_files_ssh.py