Jump to content

Want a Powershell delivery agent?


PoSHMagiC0de

Anyone want a general purpose Powershell Agent?  

2 members have voted

  1. 1. Would you like a Powershell agent created for you for payload delivery to windows systems?

    • Yes
      2
    • No
      0
    • I can do my own damn agent, thank you.
      0


Recommended Posts

Hopefully I get the voting thing right as I wanted to add content, we will see.  If you see 2 separate posts, it is because I am ignant.  (spelled wrong on purpose).

So, in my travels on this board, I have come across people building agents to run their Powershell scripts.  Most make out fine.  What has prompted this is I have been asked a few times about how I build an agent or even help in building one.

The BBTPS is awesome, it just is advanced and scary to some.  Plus if you are running only 1 payload and need no dynamic payload delivery then BBTPS is too much.

Welp, I like helping, some of the time.  In this case I am a helper.  Who here would like a general purpose Powershell agent?  All of its control can be done from the parameters for the function.

Plan:

  • It will be a single run only agent meaning once script is ran, it will exit unless the script doesn't end.
  • Delivery of contents and results back to the server is not controlled by the agent like in its original version but controlled by the script ran.  This means your script is responsible for talking back to the BB in whatever way you choose to deliver its contents.
  • Instead of the version 1.0 version of bbAgent.ps1 that assumes all scripts are compressed, this will be the pre 1.0 which can take a script as text, compressed or plain utf8 base64 encoded.
    • This means whatever format you choose, the script has to be formatted as such with launcher command if it is a function that requires calling.
  • All configuration is done from parameters used when the function for the agent is launched.
    • Protocol (SMB, HTTP, USB)
      • Location: Dynamic param and depends on Protocol if this will be full url, network path or drive path for the script to be ran.
    • Encoding: Is it text, compressed or base64.
    •  

I have more but first want to know the interest before I leave the BBTPS for a minute to do this.

For it to work it will be a 2 stage launch like in a chain.  Your Quack command will be calling the agent with parameters.  It will download the agent and run it with parameters which should be pointing to your script you want to run.  It will download, decode if it has to and run our script.  It will check on the job every two seconds.  if it ends, it removes the job and exits cleanly.  If the script keeps running, the agent keeps doing this cycle forever.

Yeah, I type a lot.

Link to comment
Share on other sites

Maybe explaining what 'Powershell agent' means to those who do not know? You keep saying 'Powershell agent' constantly in all your projects, but you have never really explain what it is/why it is called an agent.

Edited by Dave-ee Jones
Link to comment
Share on other sites

Lol, you are killing me.  I'll have to explain with examples of what is out there.  Have you used Metaploit or PowershellEmpire?  Those two capitalize on agents.  Metasploit as different shells but its popular one is the Meterpreter Agent.  It is simply code that is running in memory but stays and communicates back to the server in intervals checking for jobs.  For the frameworks I mentioned above, these jobs are on a server and queued up by the server master through a console in which the jobs are queued up in a database or files.  When the agent checks in, it gets those jobs and runs them.  With all the routines for their custom commands and stuff it simulates a reverse shell giving you control of the box remotely by serving commands to the agent from the server as jobs, including a command to kill the agent or even some to tell it to go silent for some time and begin checkin in again after that time.

This is not that advanced.  The BBAgent in the main project has the ability to receive a "list" of jobs you pre-queue up on the Bunny.  When the agent is downloaded and ran it will begin to pull jobs from the bunny server and run them.  It will return their text results but if you run smbserver.py you can tell your script to send files to it.  The current server can issue jobs and get new jobs from the agent for dynamic payloads but the script has to already be present on the bunny to use it.  WHen all jobs are ran, it signals the BB server it is exiting and the server gives out the appropriate LEDs for it being finished.  That is pretty much like an agent.  An automated piece of code (in this case it is in Powershell) that is running in the background to pull your scripts for you and run them.

The bbagent I am talking about will be toned down.  It will only download and run 1 script and then die or run forever if your script does.  All info delivery and file exfiltration back to the Bunny will have to be handled by your script.  What I am doing is releasing the pre 1.0 version of the bbagent modified and able through parameters pull from whatever transport type you choose and encoding you want of your script and run it.

You probably run an agent now, it is a tiny one but it is one just the same.  Issue with that is you do not have a choice to obfuscate unless you do it in the initial pulled script and include the procedure to de-obfuscate and run in the script.  In the original pre 1.0 of the bbagent it can take scripts in text, base64 and compressed.  I plan on including utilities in the project to create the compressed and base64 scripts though it is just standard utf8 base64 encoding.

So, I plan on providing the heavy lifting for people if they want it.  If base64 obfuscation is good enough for you and you know python you can serve your payload through a python server that base64 encodes it before it sends it.  So everyone here could use it to make one delivery system for all their payloads...for Windows that is.

Another example is G2Meeting.  What the customer you are helping is the agent that talks to the G2Meeting server.  Only difference is instead of being a socketed always connected communication, the bbagent works on 2 second polls to the server for a job, or this version will check once to run.

Link to comment
Share on other sites

I have only heard of one of those examples, but never used it anyway. Sounds to me like you're naming something that is so generically used no knows/cares about the name much. If this is the case it is silly to die laughing. Could call it the JOPS (Job-offered Powershell scripts). Serve jops everywhere. I could die laughing while your like "that's the coolest name for a project ever", having no clue what it is (the long version is pretty clear though - not like Powershell Agent).

I use powershell all the time (I deal with servers/computers that use powershell scripts all the time, and I've created a few of my own programs that are based around powershell) but have never heard of a powershell agent before.

If the main use of the powershell agent is to run multiple powershell scripts - then why? You could just create a .ps1 script that says "run this, this, this and this", pointing at a few .ps1 scripts on the Bunny, served by webserver or SMB server.

Why over-complicate it? Is it faster? Does it handle the events more efficiently? Why is it beneficial to just making a few lines of code in a powershell script?

I apologise if I sound a bit rude, just very confused.

Link to comment
Share on other sites

Well I did post in my first post the name was a work in progress.  It was going to be BBMPS (MultPayload System).  I just tagged a name on it and called it a day.

 What is beneficial.  Hmm, how many separate scripts do you have that you run one at a time?  How many work good in combination, how many don't?  For example, I settled on this name because I took a payload from almost everyone here like the dumpcreds one but made them into regular function scripts.  I added a script I have but not yet made available for download that adds a backdoor to a machine using sethc.  I plan on adding the keylogger advertised on here by a user to it soon.  Now that I can clock the speed of the NIC down so the machine will use the other nick, I also can add an empire stager to it to get me a session back to my machine.  In other words, I Totally P0wned the System.  Yeah, corny play of words.

Each of those are separate scripts formatted in the recommended way of Powersploit guide and Empire guide, which are the same.  Meaning each script is a function with parameters for all possible usages you have for it so it can be fired as a function with parameters without needing to edit the script itself to reconfigure each time.  This way, if I do not want to run all of them, I can just edit the job file to not include them, which contains the script name and command to run to fire off the script with parameters.  What if I am blind to my target so I want to run a script to check for a precondition before launching this big script I have, well you can if they are met your Bunny can communicate back to the server and queue up that big job you have sitting on the bunny.  Is it faster.  As a single job payload, it is about the same, just convenient in the standalone version meaning it is built for easy reuse.  In the BBTPS project, it is faster because each script is ran as a job.  They are queued up sequentially because the server delivers one job at a time (at this time) but they run in tandem.  The agent uses Powershell Jobs to run the scripts.  Because some jobs are fast like I did just a small one to list a directory, I could not register to the job fast enough before it ended so it missed the event and job stayed.  So I could not make it eventful every time to fire off an event when job is done.  So there is a 2 second poll cycle the agent does for its whole process.

To sum it up, if you run more than 1 job with the BBTPS then yeah it is faster than lining them up in a script since they all will be ran as jobs in the agent so you can end up with 20 scripts running all at the same time...not 1 at a time if you choose so.  The formatting makes swapping out groups of payloads easy.  You can assemble the job file and line up the scripts as different attack types and keep them on your machine in directories to copy to the bunny when you want to use them.  Personally, I rarely am satisfied with running 1 script and I know people do not like reinserting on different switches.  I heard people wanted to run more than one payload but limited on switches, I made it so you can run more than one all at the same time at almost the same speed as your biggest script.  I guess I should have said from the beginning your scripts are ran asynchronous.

Of course I could make it faster by allowing the outer poll to be 2 seconds but once connection to the server is established then have no sleep timer and it will just pull as fast as the script can cycle.  Hmm, next enhancement to try.  Test script to see how no poll timer will work once jobs are received....or make it 1 second instead for sanity.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...