PoSHMagiC0de Posted February 2, 2019

Since it has been so quiet in the BashBunny forums......

So, adding on to the BBTPS is becoming challenging, where I began multiple rewrites to make it modular, and due to pressure from my local hackerspace (mainly the python group, as something to talk about when done) the server that used to be nodejs will be done in python2. Due to the massive rewrite and additional features, though it will look oddly the same, the BBTPS new version will be called the BBMPS (BashBunny Multi Payload Stager). Its category is still the same. It is a tool, not a payload.

Listening to criticism about the BBTPS, mainly it being hard to understand and so many config files, I broke it down to fewer. Hey, when you make something that can serve up multiple scripts and stuff you cannot have 1 config file. So, most of the work will be in payload.txt. You still will need to implement a json job file in the folder with your scripts, except there will be 1 extra option in the json file. You will have the ability to specify if a job needs admin to run or not. This is identified in the job json file. If the agent (which is still powershell for windows) is elevated then it will run that script, else it will skip it.

This leads to autoadmin. Yelp. This will add multiple stages though. Instead of you specifying in the BBMPS that you want admin or not, it will check in the first stage it downloads if you can have it. If the account it is run under is admin and has not been elevated then through a process it will launch a new stager to grab the agent as elevated and signal the bunny to hit alt-y to get past the prompt, with no exploit being run to trigger anything suspicious. If you cannot get admin then it will launch the agent in userland and run only payloads that do not require admin.

This leads into the Powershell agent. Because it has been long enough, the agent will no longer work on machines with Powershell version less than 4.
The BBTPS will be archived as the Powershell 2.0 version. The agent will be faster as I finally figured out how to get jobs to kill themselves when done, so no more constantly checking for stuck and finished jobs in a cycle, except to see if it is time to download more or kill the bunny because all jobs are gone and nothing is on the BB server. The agent will also automatically run a job to gather machine info, though I am still working on how much I can get between running in userland and running as elevated admin.

Since I will be doing this in python, I will be able to integrate impacket's smbserver directly into the web api that the agents will be using. The smbserver will be part of the web api, so logging and stuff can be controlled more granularly. The impacket tool will still be a requirement.

I have given up on autodetecting OS in a fast way. There are ways, but this tool is meant to spin off a bunch of payloads as fast as possible, so to offset this I am still working through implementing hoppeye8x, so if you enable it you will have choices for on the fly moments. But the first iteration will not have multi-OS nor 8x still, as I am working through how to handle auto-admin for linux and Mac.

Last, since I made the no-express branch the default branch for the BBTPS repo (that is the newest version that I rebuilt that does not require any node dependencies), BBMPS may take a bit to release. Like with the node api server in the BBTPS, I am trying to keep with the core packages already on the bunny for building the python web api. That means no flask or other packages that make building those apis easier with less code. More code means more time, and I have a busy couple of months, so let's see how long it takes me.
PoSHMagiC0de Posted February 7, 2019

Grrr.. So, I knew trying to go the Python route would hurt. Right now I have the pythonists at the hackerspace I go into scratching their heads on slack on how to exit the BaseHTTPServer.BaseHTTPRequestHandler class. I mean, seriously. I can exit in node by just exiting. In python I get a python error dump and I am still stuck in serve_forever. Even built my own exception to try and raise, but it seems like it doesn't exit serve_forever. Hell, even handle_request() is not acting right. Soooo, I told my pythonist friends that I am scratching the python language server and going back to what I know works great... node. So, the new server will still be in nodejs.
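An added example (not PoSHMagiC0de's code and not from the BBTPS/BBMPS repo) of the exit problem described above: an exception raised inside a BaseHTTPServer handler is caught by the server loop and serve_forever() carries on, and the supported way out is server.shutdown() called from a different thread. It uses Python 3's http.server, which is the renamed BaseHTTPServer from Python 2; the /ping and /quit paths, the hits counter and the demo() helper are assumptions for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StoppableHandler(BaseHTTPRequestHandler):
    # Serves /ping and stops the whole server when /quit is requested.
    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self.server.hits += 1  # counter attached to the server in demo()
        if self.path == "/quit":
            self._reply(b"bye\n")
            # Raising an exception here does not end serve_forever(): the
            # socketserver loop catches it (bare 'except:' in Python 2,
            # 'except Exception' in Python 3), prints the traceback and resumes.
            # shutdown() is the supported exit, but it blocks until the loop
            # returns, which cannot happen while this handler still runs on the
            # server thread, so it has to be called from another thread.
            threading.Thread(target=self.server.shutdown, daemon=True).start()
            return
        self._reply(b"ok\n")

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet

def _get(port, path):
    """Plain GET against the local server (http.client ignores proxy settings)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    body = conn.getresponse().read()
    conn.close()
    return body

def demo():
    """Start a server, hit /ping then /quit, report whether the loop exited."""
    server = HTTPServer(("127.0.0.1", 0), StoppableHandler)  # port 0 = any free
    server.hits = 0
    worker = threading.Thread(target=server.serve_forever)
    worker.start()
    port = server.server_address[1]
    ping = _get(port, "/ping")
    bye = _get(port, "/quit")
    worker.join(timeout=5)  # serve_forever() polls every 0.5 s, then returns
    exited = not worker.is_alive()
    server.server_close()
    return exited, server.hits, ping, bye
```

Calling demo() returns (True, 2, b'ok\n', b'bye\n'): the server loop really exits once shutdown() is requested from a thread other than the one running the handler.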
icarus255 Posted February 17, 2019

Wow! Very ambitious project. The mother of all "payloads" so to speak 🙂 I don't dare to imagine the coding (or debugging) involved. Please keep us updated. You have my vote 😄
kione Posted September 26, 2019

Got into the forums today because of an issue and decided to take a look. Seems very interesting, is this still on the go?
PoSHMagiC0de Posted September 29, 2019

Still in progress. Keeps changing when I begin. It is just a more enhanced version of the BBTPS I built, which is listed on here somewhere and at the repo. I guess I should do an update. Looks like I am going for GoLang for the server code now. There are other things I have been thinking of implementing. As it got complex, node got harder. Since this thing is going to be able to quack back with the alt-y for autoadmin and depends on the stager being launched in a specific way for it to work, I am thinking of sucking the quack stages into the server as well, as templates it can use. In the end, to make it so it is one single binary, I have been thinking of using gobuffalo/packr to pack in the quack templates for initial launch and even the powershell agent. Of course that means people who want it will have to get the Go compiler and compile it, which is not as bad as it sounds. Hopefully in the end you only have a payload text for some environmental variables you configure... or params that are fed into the server. Issues: time. I have gotten really busy. Or have I ever not been busy? Just been busy.