Time To Bash on Windows (Bourne Again Shell That Is)

Editor’s Note: This is another awesome guest post from our friend, Robert Schwass. If you’d like to guest post contact us here.

One Does Not Simply - ONE DOES NOT SIMPLY Run BASH Commands on a Windows SystemI had heard the rumors about the Windows Subsystem for Linux (WSL) and recently I watched a demo video using it for devops to push updates to a Linux-based web server in Azure with a bash shell.

Has this put a stop to the endless Windows vs Linux debate?

Most likely not, But I don’t subscribe, and who really cares?

I was however presented with a solution for the age-old question:

How can I create PowerShell payloads and push them out with tools that only run on Linux with ease?

So the research began.

I decided to drink the Kool-Aid and opt-in to the Windows 10 Insider Program.

The first step is of course to set up your Windows 10 system for the Insider Preview Program, and get bash up and running. If you need help with that consult the internet.  There are many guides to setting the environment up. I personally downloaded the latest ISO from Microsoft and did an upgrade install by mounting it inside the OS and running setup.exe. From there you simply add the feature to Windows 10 and you’re up and running bash. (Approx 45 Min)

I have been working with macros extensively lately and have created a PowerShell script (PSPayload) that will generate macros from PowerShell scripts and even create the Excel file.

I have always been a huge fan of the Social Engineering Toolkit (SET) and how easy it is to send out Phishing attacks. Although this tool is Python based and does run on Windows; the Windows version lacks functionality, the Linux version is full featured.

So my next step was to get SET running within the subsystem environment. If you want all the features of SET, which I do; you also have to install Metasploit. Getting Metasploit and all of its dependencies installed took some research, but I have provided a list of commands to run here to save anyone interested some headache. Mainly the issues were getting a solid copy of Ruby installed.

Now SET by default allows you to use Metasploit to generate payloads such as PDF’s and ZIP files to be sent out in Phishing attacks, but I couldn’t quite figure out how to use an external file with the SET Framework as is. This functionality may exist by default, full disclosure I’m a newb. I created the feature request on the SET Github nonetheless. Until I hear back from the SET devs, I made my own work around by copying and modifying the email script SET uses and putting it in SET’s root directory. The script can be downloaded from here.

The script utilizes core functionality and modules within the framework so it has to be in the root directory of SET, in my case /opt/set within the bash environment.

Demo

Phase 1. Create the PowerShell Payload aka Macro aka Excel .xls file

(The payload is a simple ‘get-process;read-host’, list processes and pause.)

The .xls file has been created, and also a .txt file that contains just the macro. Let’s examine the .xls file. (In Excel Developer Tab → VBA button)

Click on the “ThisWorkbook” item Under VBAProject to view the macro.

The ”ThisWorkbook” Object will execute the created macro once the document opens. The user will have to allow macros, but they are easily fooled most of the time.

The macros generated by PSPayload by default run in the background.  I will edit the one in this demo by removing the “-NoP -NonI -W Hidden” so we can see the results later.

Phase 2. From Bash Send the Email

SET has a series of questions it asks.

I want to keep the file name.

For this demo I do a single email but you can easily read addresses from a list with Mass Mailer.


Set the Subject, Plain Text or HTML, and The Body.

I used the same Gmail for sender and recipient.

Set the sender name, password, and if you want to flag the email as important.


If everything worked you will see the above.

Message is in my inbox

Inside we see the message body an attachment.

Download the attachment, open it, and enable editing and enable content.

Remember the PowerShell oneliner was a “get-process;read-host” which is what the windows that popped up showed. Also, remember I intentionally disabled the stealthiness.

Conclusion

So there you have it. I used a Linux-based tool to push out a payload I created with PowerShell, all on a Windows system. This is just the first of what could be some great tool combining utilizing WSL.

Another cool feature is that you can delete and reinstall the entire bash filesystem and start from scratch with a few commands in the cmd prompt.

lxrun /uninstall /full

lxrun /install

PSPayload can take much larger and more complex scripts and put them into macro form. I have tested it with multiple line scripts and even payloads generated from the PowerCat module. All of that information is available on the Github.

Caveats

WSL is still very very new and it is seriously limited.  For example, it cannot open network sockets and has trouble sending ICMP packets. The networking issues limit SET’s capabilities to send out it’s own payloads and start listeners. So this concept currently is not ready for prime time. However, Microsoft is developing this at a very fast rate, and I suspect in the near future they may have the networking bugs fixed.

I did reach out to TrustedSec on Github, and since conducting this research they have added the functionality into SET to use email attachments not generated with SET itself. So if you are using the latest version of SET you may not need to use my Email_attachment.py script.

Metasploit does not run correctly by itself, I just needed it to satisfy SET. Hopefully in the future Metasploit will be up and running in this environment as well.

Now, I know this will never replace Linux running via boot disk or installed to the PC directly accessing hardware. There are many cases when you simply must use Linux such as for wireless network audits. This idea is not intended to replace Linux but merely enhance Windows.