PoSHMagiC0de Posted April 5, 2017

Hello all, I have been trying to figure out a good payload to make for the Bash Bunny. It seems like most of you thought of the simple ones. The ones I was going to improve, it seems the authors are already on, so just dropping help here and there is really all that is needed. So, what could I write? Welp, after contributing to PowerShell Empire, using other frameworks and having a partial framework in PowerShell that I had stopped working on myself, I decided to re-purpose parts of it and put it toward the BB. I have been hearing people asking about dynamic switching and stuff like that. Welp, I decided to work on a Bash Bunny Total Pwn System. I am terrible at names.

It comprises a Node.js server on the Bash Bunny serving payloads to a PowerShell agent that is launched on the machine. The whole process is triggered by a stager that is quacked onto the victim's machine. The stager waits for the Node.js server to come up and pulls the agent, which it then executes. The agent checks in and checks for jobs. It pulls a job from the server every 2 seconds. Each job is JSON that includes a name for what the job is to be called and a filename that the return info is written to on the BB. Jobs are defined on the server in a JSON file. After all jobs are deployed and none are left, the agent will continue to check the server for jobs while there are still jobs running on the agent. Job results can be delivered as text back to the Node.js server, or files can be delivered back to the BB via SMB. SMB delivery has to be included in the script job being run, as the agent does not do this. When each job finishes on the agent, either its results will be returned or the job stats will be. When all jobs are done and none are left to retrieve, the agent sends the quit command back to the server so it can die and the payload script can continue. The Node.js server will control the LEDs to let you know its status between each stage.
The reason for continuing to search for jobs after none are left is that if you have a script that has to check or do something before it can do something else, you can pull that as a job and call back to the server to push a job to be deployed. It will be picked up on the next cycle, making this dynamic. So far I am 90% done with the server and about 30-40% done with the PowerShell agent. I hope to have a rough working version of it on GitHub in about a week or two, depending on how busy I am with work.

If you are wondering about it working on Mac and Linux: the server will be fully neutral. That means if you have the skills, you can create an agent for those two OSes. I will be busy with the server and PowerShell agent mostly. A good example of building a Python agent can be seen by looking at the Empire 2.0 Python agent code on GitHub. That could give you some ideas, minus all the roll-your-own crypto it does.

Payloads will have the ability for you to format them before loading them on the BB as regular text, base64 encoded (UTF-8, not Unicode, so you can use Python to encode it without having to add 0x00 after each byte) or compressed. I will be putting some PowerShell tools to help with creating these payloads on GitHub as well. I modified PowerSploit's Out-EncodedCommand to output only the compressed, encoded script without the command to decompress it and the PowerShell part. The agent has a function to handle decompressing it back to full form. This is useful for large scripts.

I have said a lot about it so far. I will probably have the code up before I can build detailed docs for it, so the first iteration will be instructions on what is necessary to get started. Future additions after the first release will include an extras URL for pulling down extra files like DLLs or whatnot in base64 encoding that you can use in your script, like reflective injection, or like one of mine I built for Empire and have modularized and everything but have yet to submit a push to the Empire repo.
It is a proxy hijacker. If you are admin, have a Burp session running and the public cert, this script can point a victim's machine at your Burp computer to be proxied via HTTP and HTTPS, and install the Burp cert into the machine's local machine trusted root authorities. I like to call it "Perfect Man in the Proxy" or "ProxyHijack". The cert can be pulled by the script later to be used from the extras URL. No more typing, more coding. Stay tuned. Yeah, kinda big for my first BB project.
PoSHMagiC0de (Author) Posted April 10, 2017

Update: I finally got time to put some serious work in on this thing. I have been thinking about making it a tool instead of it being used as a payload. Anyway, the JS server itself works. It serves jobs, it receives jobs. You can push jobs to it and you can send a quit command to stop the JS server. The purpose of that is that the server is supposed to be a stopping point where you do all your work via payloads. When they are done, the agent will send the server the quit command before doing garbage cleanup and exiting. This can signal whatever else you want to happen on the BB after all payloads are done. I would say the server is 99% done, minus me redoing the LEDs for the new update inside the JS server itself.

I spent all day today on the PowerShell agent and it is working. I wanted the handling of all completed or failed/blocked jobs to be handled asynchronously via job events, but I saw why the PowerShell Empire guys chose to poll the jobs and the server instead. It makes it simpler, and scoping is a mother when it comes to jobs. So the agent still does jobs but has a poll that goes off every 2 seconds to check its jobs for any that are completed, failed or blocked and process them, clean up the job queue, and check the server for any new jobs. When the server has no more jobs and the agent job queue is empty, it will continue the poll cycle 4 more times before calling it quits and sending the quit command to the server before cleanup. It took me a bit to find out what was going on, hence when I am done you will see I added a lot of verbose output to the agent that you can trigger to test your own troubled jobs by hand-firing the agent with the -Verbose parameter, and you will get information overload on what is happening as the server and agent do their thing. The JSON serializer needed to be enlarged to accommodate large scripts. I send everything as JSON to prevent too much back and forth.
To help with obfuscation or shrinking your payloads, the agent understands jobs that are regular text, base64 or compressed. I will have some functions I redid and made in PowerShell that will help in making your scripts in those formats. The agent is about 99% also. So far I know the server works on the BB. No compatibility issues there. I just have to package up the agent with the server and create a stager for it. I also have to work out the whole payload.txt to make everything work. I was going to have smbserver.py in there, but since the change, where the impacket structure now depends on everyone's preference for how they included it in their tools folder or whether they hand-added it via SSH, I leave that part to you to add if you have payloads that need to deliver or pick up files.

Scripts have to have their contents encapsulated as functions, like in PowerSploit. This makes it so you can serve the command in the job list. This makes your scripts more transportable for use in other scripts, but I also plan on making the command-line variable for the job have some dynamic fields that can be pulled from the environment sometime in the future. I will be refining the payload.txt and testing with a live machine (versus using my Linux box to run the server and my Windows VM to run the agent and payloads) to get cohesion down with the Bunny and the system.

Last thing. I have been giving it some thought and see this looking more like a tool than a payload. After people get their hands on it and play with it, I will let you decide. It would not be hard to modify it to look at the switch payload folder for payloads and agents and the loot folder. Right now it is configured entirely by exported environment variables, or defaults if none; no changing directories, it uses absolute paths. My only concern is how easy it would be to update tools on the BB. I know about the tools folder and the autocopy it does; does it replace folders when one of the same name is present?
Future plan: After I get this out there, I am going to go back to looking at the eventing for the job states again. I liked it before I noticed the thing threw up 100 empty jobs on my test machine when it should only have been running 3. Found out it was scoping, so I will need to trace that out to see if I can nail it down, so the agent polling cycle will only be there to throttle how fast it hits the BB server to check and get the new/next job, and to see if the local job queue has been empty for some time before killing the server and agent. The events will handle processing the data and returning it when the job finishes.

Funny story. I was finishing up the agent and doing some final testing. I was using the original Invoke-Mimikatz. It is a big script and caused my JSON to break, so I was fixing my code around it. When I finally got it to work, the Avast on my test machine went off like a Christmas tree during download of the script. I laughed. I always run an AV on my test VM and rigs to let me know when something I am doing may trigger alerts or get stopped. I then decided now was a good time to test my encoding, so I just did a simple base64 encoding, which enlarged the payload, but the JSON sizing I did worked and it still deserialized and it ran with no AV incident. I just have to test the compressed encoding now; it would help with those big scripts. Another reason why your scripts should be a function: so you can encode, encrypt or whatever. The script will be turned back into its original form in the end, and your command to run it will be appended to the end and run as an asynchronous job.
PoSHMagiC0de (Author) Posted April 17, 2017

Update on the module. I was sick all last week so I didn't get to do much with it. Today, though, I finished the PowerShell agent. I finished the server and just have to add in the light procedures where I have them marked, make a payload.txt for this thing, test it on an actual BB and then release. My stomach is still raw so I am going to chill for a bit. In my test environment this thing works well, and fast. I decreased the sleep timer between checks to 1 second. It is wigging out when I tell it to run under PowerShell version 2.0, but I cannot find where since there is no debugger for 2.0 out there. It gives me an error that is nonexistent on my line 1. Never seen it before in all my PowerShelling. It works fine under any other version. I will work on the 2.0 error some other time and release as is. Maybe someone else will see what I do not. When I get it working on my BB with a payload.txt I will release as is. Detailed instructions will come later.
Dave-ee Jones Posted April 18, 2017

PowerShell 2.0 is a bit limited compared to 3.0+. E.g. it doesn't have proper job scheduling, and some methods don't work as fluently or conveniently as we would like. Don't forget, one of the easiest, and most effective, ways to debug is to just put echoes everywhere in your code, to see where it got up to etc. Outputting any called functions into a log file is also helpful.
PoSHMagiC0de (Author) Posted April 18, 2017

13 hours ago, Dave-ee Jones said:
"PowerShell 2.0 is a bit limited compared to 3.0+. E.g. it doesn't have proper job scheduling, and some methods don't work as fluently or conveniently as we would like. Don't forget, one of the easiest, and most effective, ways to debug is to just put echoes everywhere in your code, to see where it got up to etc. Outputting any called functions into a log file is also helpful."

If you like debugging you will love this agent then. It has Write-Verbose all over the place so it is testable. The issue is that the function doesn't even load in 2.0. Just a general error about needing something after the "-". I was like, huh? I have no empty dashes sitting anywhere. Works fine in 4.0. Just loading the agent with Invoke-Expression without running it throws this error. I am going to have to throw parts of it into a 2.0 session to see which part breaks, but pretty soon others will be able to debug it too. The -Verbose parameter is there for people to debug their own payloads through the agent to see if there are issues. Yeah, I did some light debugging. Too bad that once you go up in PowerShell version it becomes harder to troubleshoot any 2.0 scripts, because most tools natively support the version of Posh you are on. I always had this issue even when developing payloads for Empire. I might have to bust out an old copy of Windows 7 without upgrades into a VM to do some debugging, but I am prepping documentation for what is done now to release. MS was so anxious to ditch 2.0 after 3, and especially after 4, that they made it optional in Windows 10, hehe. Maybe after I release I will undo it as a function with some hard-coded values to see where 2.0 is complaining.