Drive Badger extension: parse /etc/fstab files and exfiltrate NFS/Samba shares

drivebadger/hook-fstab

This is an extension for Drive Badger. It provides a so-called hook script that:

  • scans the given directory tree for an /etc/fstab file
  • analyzes its entries
  • extracts all statically defined smbfs/cifs and nfs shares
  • tries to mount and exfiltrate them

Why is this done during the attack, and not later? Because:

  • access to these shares can be restricted to the IP address of the exfiltrated computer/server
  • it is almost certainly restricted to the internal LAN
  • almost certainly each mount is logged - so this is a good way to cover the tracks
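
From the defender's side, the same fstab entries show which file servers trust a given host, and therefore whose access lists and mount logs matter if that host's disk is ever out of your control. The inventory below is an added example, not code from this repository; the sample fstab, host names and function names are constructed, and the inline-password check goes beyond what the README describes.

```python
import re

NETWORK_TYPES = {"nfs", "nfs4", "cifs", "smbfs"}

# Constructed sample fstab (hosts, paths and credentials are made up).
SAMPLE_FSTAB = """\
# <fs_spec> <fs_file> <fs_vfstype> <fs_mntops> <dump> <pass>
UUID=1111-2222  /            ext4  errors=remount-ro  0 1
fileserver.example.internal:/export/home  /home  nfs  rw,hard  0 0
//nas.example.internal/backup  /mnt/backup  cifs  username=svc,password=CHANGEME,ro  0 0
//nas.example.internal/docs    /mnt/docs    cifs  credentials=/etc/samba/docs.cred  0 0
192.0.2.10:/srv/data  /data  nfs4  noauto,ro  0 0
"""

def server_of(spec, fstype):
    """Return the server part of an NFS (host:/path) or SMB (//host/share) spec."""
    if fstype in ("cifs", "smbfs"):
        m = re.match(r"//([^/]+)/", spec)
    else:
        m = re.match(r"(\[[^\]]+\]|[^:]+):", spec)  # also accepts [IPv6]:/path
    return m.group(1) if m else None

def network_shares(fstab_text):
    """Return one dict per statically defined NFS/SMB entry in the fstab text."""
    shares = []
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # fstab encodes spaces in paths as \040
        if len(fields) < 3 or fields[2] not in NETWORK_TYPES:
            continue
        opts = fields[3].split(",") if len(fields) > 3 else []
        shares.append({
            "spec": fields[0],
            "mountpoint": fields[1],
            "type": fields[2],
            "server": server_of(fields[0], fields[2]),
            # An inline password is readable by anyone holding the file or a disk image.
            "inline_password": any(o.startswith(("password=", "pass=")) for o in opts),
        })
    return shares

if __name__ == "__main__":
    for s in network_shares(SAMPLE_FSTAB):
        flag = "  [inline password]" if s["inline_password"] else ""
        print(f'{s["type"]:5} {s["server"] or "?":28} {s["spec"]}{flag}')
```

The resulting server list is the set of machines whose export/share restrictions and mount logs should be reviewed for that client's IP address.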

Installing

Clone this repository as the /opt/drivebadger/hooks/hook-fstab directory on your Drive Badger persistent partition.
