Possible Payload of PrivateLocker on BashBunny?


InfoSecREDD

This thread is just to talk about the possibilities of PrivateLocker on BashBunny.. 

PrivateLocker encrypts all files in your Personal Locker (made by the Program) and writes a Unique key in a Directory in the local directory of the Program. I don't know if anyone would be interested in a Payload consisting of a "Paid" program instead of an Open-Source Program. 

Only issue I could think of this Payload would be trying to figure out the transfer of the keys since all keys are written to a local directory of the EXE. (and coming up with the $$ for the Encryption Tool)

 

Any Ideas?


I was about to say that a similar scenario was already written but then realised you're the owner of it..

Anyway, are you saying that you actually want to put PrivateLocker on the BashBunny so it can be run when the BashBunny is plugged in to encrypt/decrypt files?

Why can't you use your cryptolocker project (HoldEmUp) to do this? 


He removed the old payload because it was during a lot of the crypto scare time and the payload was a test but could not find a beneficial use for it on a pentest.  Of course, he still has the crypto bug heheh.  Understandable.  Crypto is pretty cool when it doesn't give you a migraine.

 

What are you thinking of accomplishing with the app?  Is it going to be an automatic way for someone to secure their files on the bunny for transport like plug it in, it asks to retrieve or receive a file(s) or directory and either encrypts to bunny with public key set on bunny or decrypt from to computer with passworded private key?

I looked at the app and like Dave-ee said your original project could be adapted to do the same.  Reminds me of a crypto locker going legit. :-P


14 hours ago, Dave-ee Jones said:

I was about to say that a similar scenario was already written but then realised you're the owner of it..

Anyway, are you saying that you actually want to put PrivateLocker on the BashBunny so it can be run when the BashBunny is plugged in to encrypt/decrypt files?

Why can't you use your cryptolocker project (HoldEmUp) to do this? 

It's written totally different..  I'll have to explain more when I wake up. Lol.


15 hours ago, Dave-ee Jones said:

I was about to say that a similar scenario was already written but then realised you're the owner of it..

Anyway, are you saying that you actually want to put PrivateLocker on the BashBunny so it can be run when the BashBunny is plugged in to encrypt/decrypt files?

Why can't you use your cryptolocker project (HoldEmUp) to do this? 

Ok the difference between this EXE and the Payload is that all the Powershell Modules are frozen to the EXE, they can't be edited or added any filetypes to the mess... and the Locker itself is hardcoded into the mess.. To prevent people from encrypting their whole System Drive by accident or whatever...

If I released the source it would just be another brand of Ransomware.. So I locked the source down, made it into an EXE... But the issues I'm having, since I locked everything down, I'm having issues with converting it to BashBunny... Source for it works fine, but the whole point of the thread was if "This" cryptolocker, can be done... 

HoldEmUp pretty much is too malicious to give the source away.. (Besides you two already have it).. So I've remade it into something useful.. Took me long enough.. :happy:


As I said, you can write your scripts to do similar stuff as the PrivateLocker stuff quite easily. You could even program a UI with a "Choose a folder" option, decrypt/encrypt options and other cool things like that. 

UI objects are known as forms in PS (I'm sure the PS master, PoSHMagiC0de can tell you a better way himself), and I'm pretty sure there are a few simple form generators online you can use to create your form and copy/paste the code into your script. Pretty simple.


10 minutes ago, Dave-ee Jones said:

As I said, you can write your scripts to do similar stuff as the PrivateLocker stuff quite easily. You could even program a UI with a "Choose a folder" option, decrypt/encrypt options and other cool things like that. 

UI objects are known as forms in PS (I'm sure the PS master, PoSHMagiC0de can tell you a better way himself), and I'm pretty sure there are a few simple form generators online you can use to create your form and copy/paste the code into your script. Pretty simple.

Well I'll definitely need to look into that.. 


Better yet, just build it in .NET so you can have all the graphical bells and whistles and able to do it in Visual Studio.  Just make sure it compiles to a single .NET executable else you will have to send over each dll and load those first before loading the exe and running main function.

Why?

Will be much smaller and you can then use powershell to load it reflectively and then execute the entrypoint (or main function).  As a .NET app Powershell can load it.  Doesn't even have to touch the HD, copy it over to powershell as base64, decode back to bytes and reflectively load it as an assembly.  Then run the entry point.  

I have many different versions of crypto via code on my machine before I saw holdemup.  .NET, python, nodejs, and powershell.  All using AES and RSA examples.  I wanted to see if it was possible and even I had an idea to create a crypto payload but was going to be for Powershell Empire.  I changed my mind also on that because there was no practical use for it in a pentest environment.  It would just end up in the troll section of the modules.  I do use it for in transit objuscation.  One example is use aes to encrypt script on fly on server in aes with the iv and key prepended to the front of the encrypted script before sending.  Why?  I am not caring about hiding it from humans trying to crack it, I am hiding it from the ids seeing what it is in transit.  I call it Lazy AES Obfuscation.


5 hours ago, PoSHMagiC0de said:

Better yet, just build it in .NET so you can have all the graphical bells and whistles and able to do it in Visual Studio.  Just make sure it compiles to a single .NET executable else you will have to send over each dll and load those first before loading the exe and running main function.

I hated writing in Visual Studio. It seemed really limited, I could never understand it and it was always slow. Granted, it was probably so slow because it was on a generic laptop but still, very slow and hard to work with.

5 hours ago, PoSHMagiC0de said:

I do use it for in transit objuscation.

Dawhut? Obfuscation? What is objuscation? Can you objustifiy that word?

5 hours ago, PoSHMagiC0de said:

I am not caring about hiding it from humans trying to crack it, I am hiding it from the ids seeing what it is in transit.  I call it Lazy AES Obfuscation.

Makes sense - people aren't going to look into something they're not suspicious of.

As the once-off-wise-man-said:
"If you want to hide something, hide it in plain sight."


10 hours ago, Dave-ee Jones said:

I hated writing in Visual Studio. It seemed really limited, I could never understand it and it was always slow. Granted, it was probably so slow because it was on a generic laptop but still, very slow and hard to work with.

Dawhut? Obfuscation? What is objuscation? Can you objustifiy that word?

Makes sense - people aren't going to look into something they're not suspicious of.

As the once-off-wise-man-said:
"If you want to hide something, hide it in plain sight."

 
obfuscation
ɒbfʌsˈkeɪʃ(ə)n/
noun
noun: obfuscation; plural noun: obfuscations
  1. the action of making something obscure, unclear, or unintelligible.
    "when confronted with sharp questions they resort to obfuscation"
 

What Razor said.  Like if someone was to obfuscate Lazagne, they would make the python scripts look completely different, probably like garbage, but if ran through python it will come out to perfect sense at runtime.  They would do it by renaming functions, string substitution, partial base 64 of some of the code to be converted back and loaded at runtime, etc.  Example would be to encrypt a powershell script with the IV and key on the front.  The cradle on the victim machine that will receive it knows how to decrypt it by pulling the key from the front (which it knows its size) and IV (once again it knows) and using them to decrypt the payload and run it.

Obfuscation is mainly a means to bypass security like AV and IDS.  Even hide it from human eyes of understanding.  Mimidogz is a semi-obfuscated version of powershell mimikatz and used to work very well at AV evasion because of it.  Think mimidogz is known by AV now.

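For the defender's side of the two techniques described in this thread (loading a .NET assembly from base64 in memory, and a cradle that decrypts a script with a key shipped alongside it), the following is an added example, not part of any post above: a small Python triage over PowerShell script block text such as the ScriptBlockText field of Event ID 4104. The rule names, patterns and sample strings are constructed for illustration.

```python
import re

# Heuristics for PowerShell script block text (e.g. Event ID 4104 ScriptBlockText).
# A rule fires only when ALL of its patterns appear in the same script block.
RULES = {
    "reflective_assembly_load": [
        r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(",
        r"FromBase64String",
    ],
    "decrypt_then_execute": [
        r"CreateDecryptor\s*\(",
        r"Invoke-Expression|\biex\b|\[scriptblock\]::Create",
    ],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in RULES.items()}


def normalize(text):
    """Undo trivial token obfuscation: backtick escapes and 'a'+'b' string joins."""
    text = text.replace("`", "")
    return re.sub(r"['\"]\s*\+\s*['\"]", "", text)


def triage(script_block_text):
    """Return the sorted names of every rule the script block matches."""
    text = normalize(script_block_text)
    return sorted(name for name, pats in COMPILED.items()
                  if all(p.search(text) for p in pats))


# Constructed sample script blocks (not captured from any real host).
SAMPLES = {
    "loader": "$b=[Convert]::FromBase64String($data);"
              "$a=[System.Reflection.Assembly]::Load($b);$a.EntryPoint.Invoke($null,$null)",
    "cradle": "$aes.Key=$buf[0..31];$aes.IV=$buf[32..47];"
              "$d=$aes.CreateDecryptor();$s=Decode($d,$buf);Inv`oke-Ex`pression $s",
    "benign": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    # Decryption alone is normal admin activity and must not alert.
    "admin_aes": "$d=$aes.CreateDecryptor();$plain=Read-Secret $d $path;"
                 "Write-Output $plain.Length",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} -> {triage(text) or 'no match'}")
```

Encrypting the script in transit does not hide it from this kind of host-side check, because script block logging records the text PowerShell actually executes.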

On 12/6/2017 at 2:21 AM, RazerBlade said:
 
obfuscation
ɒbfʌsˈkeɪʃ(ə)n/
noun
noun: obfuscation; plural noun: obfuscations
  1. the action of making something obscure, unclear, or unintelligible.
    "when confronted with sharp questions they resort to obfuscation"
 

...

I think you misunderstand, he said "objuscation". I was making fun of this, knowing it was obfuscation. If you read my deliberate spelling mistakes you might realise this :P
