PoSHMagiC0de Posted February 2, 2019 Share Posted February 2, 2019 Since it has been so quiet in the BashBunny forums...... So, adding on to the BBTPS is becoming challenging where I began multiple rewrites to make it modular and due to pressure from my local hackerspace (mainly the python group as something to talk about when done) the server that used to be nodejs will be done in python2. Due to the massive rewrite and additional features though will look oddly the same, the BBTPS new version will be called the BBMPS (BashBunny Mutli Payload Stager). Its category is still the same. It is a tool, not a payload. Listening to criticism about the BBTPS, mainly it being hard to understand and so many config files, I broke it down to fewer. Hey, when you make something that can serve up multiple scripts and stuff you cannot have 1 config file. So, most of the work will be in payload.txt. You still will need to implement a json job file in the folder with your scripts except there will be 1 extra option in the json file. You will have the ability to specify if a job needs admin to run or not. This is identified in the job json file. If the agent (which is still powershell for windows)is elevated then it will run that script else it will skip it. This leads to autoadmin. Yelp. This will add multiple stages though. Instead of you specifying in the BBMPS you want admin or not it will check in the first stage it downloads if you can have it. If the account it is run under is admin and have not been elevated then through a process it will launch a new stager to grab the agent as elevated and signal the bunny to hit alt-y to get past the prompt with no exploit being ran to trigger anything suspicious. If you cannot get admin then it will launch the agent in userland and run only payloads that do not require admin. This leads into the Powershell agent. Because it has been long enough, the agent will no longer work on machines with Powershell version less than 4. The BBTPS will be archived as the Powershell 2.0 version. The agent will be faster as I finally figured out how to get jobs to kill themselves when done so no more constantly check for stuck and finish jobs in a cycle except to see if it is time to download more or kill the bunny because all jobs are gone and nothing is on the BB server. The agent will also automatically run a job to gather machine info though still working on how much I can get between running in userland and running as elevated admin. Since I will be doing this in python, I will be able to integrate impacket's smbserver directly into the web api that the agents will be using. The smbserver will be part of the web api, so logging and stuff can be controlled more granularly. The impacket tool will still be a requirement. I have given up on autodetecting OS in a fast way. There are ways but this tool is meant to spin off a bunch of payloads as fast as possible so to offset this I am working through implementing hoppeye8x still so if you enable it you will have choices for on the fly moments but the first iteration will not have multi-OS nor 8x still as I am working through how to handle auto-admin for linux and Mac. Last, since I made the no-express branch the default branch for the BBTPS repo (that is the newest version that I rebuilt that does not require any node dependencies) BBMPS may take a bit to release. Like with the node api server in the BBTPS, I am trying to keep with the core packages already on the bunny for building the python web api. That means no flask or other packages that makes building those apis easier with less code. More code means more time and I have a busy couple months so lets see how long it takes me. 1 Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.