Yes, Bash Can Get Uglier: Introducing Bashfuscator, A Bash Obfuscation Framework

bash
obfuscation
programming
linux

#1

Hey guys,
I’ve been working on a huge project since the beginning of August, and now that finals are done I plan to be working more on it. But before I start adding too many more features, I would really like some people to test it out in its current state and give me feedback. So I thought posting it here would be a good way to do that :smiley:

Without further ado, let me introduce you to Bashfuscator, a modular Bash obfuscation framework written in Python 3.

Link: https://github.com/Bashfuscator/Bashfuscator

Demo video: https://asciinema.org/a/6LmMVyoxUbDIwvl5yzynVbrS1

Example obfuscated payload (input is cat /etc/passwd):

${@~}eval "$(pr""i''n\t${@%%G}f "\x$(""${*##x:}prin""$'\x74'f %s 'P?'|${*//_f/M:}md5\s''\um|${@,,}c""\ut -b 24-25)""${@^^}";${*~~}prin''t\f "\x$(prin"${@,,}"tf %s '~'|${*%%>}m$'\144'5s$'\165'\m|${*##hG}$'\x63'$'\x75'${@##N|}t -b 4-5)";''${*%%Z}print$'\x66' "\x$(p''r$'\x69'n""\t$'\x66' %s '2['|md${*##+}5""sum|${@##l}cu${[email protected]}t -b 17-18${@^^})"${*^}&&p""r""$'\151'ntf "\x$($'\x70'r${@/m}int$'\x66' %s '1'|${*,}m\d5${!*}su$'\155'|${*%%E}c${*%%#}ut -b 16-17)";$'\160'''\r$'\151'\n""t""${@,}f "\x$(p\rintf %s 't9'${*//i/wm}|${*/J\)}m"${@//j/6=}"d5s''um|"${@}"''c${*#L\{}u${*//0}t -b 2-3${*})"&&${*~~}pri''nt\f "\x$(p\ri$'\x6e't\f %s 'g}'${*//\!J}|[email protected]''${*~}d5su${@/99}m|${*/7}"${@,}"c''ut -b 2-3)""${@//#p/B\(}";p""${*#=}r${*/\{/]}in$'\x74'f "\x$(\p"${@,,}"rin$'\x74'\f %s 'sW'|md\5''su""m"${@//rR/#i}"|cut -b 7-8)"&&""\p$'\x72'$'\x69'nt\f "\x$(p""${*//3U}r${*,}in${*/me}t''f %s '.'${@%g}|''"${@~}"md\5$'\x73'${*%#X}um|"${@,}"""$'\x63'\u$'\x74' -b 13-14)"${*~}&&${@~~}$'\x70'r$'\x69'ntf "\x$(\printf %s 'g'${*#Jh}|md$'\65'""sum|""c\u\t -b 2-3${@^^})"&&${*~~}pri""\ntf "\x$(p''r''\i$'\156'''t''f %s 'fC'${*//F-/^}|${@,}m$'\x64'5sum|''cut -b 19-20)"${*,}&&"${@//9/*#}"pr''i\n"""${@~}"tf "\x$(${@,}p\r""$'\x69'$'\x6e'$*t\f %s 'ys'|$'\155'""d5sum$*|cu\t -b 12-13"${@^^}")"${@//yZ}&&p""$'\162'in$'\164'f "\x$(printf %s '('|${@}""md5''$'\163'''$'\x75'm|c$'\165'\t -b 7-8${*//\(P/k})"&&${*/rd}$'\160'${*//Q5/u}r"${@//</3}"i${*~}n""tf "\x$(p\r${*//W}in$'\x74'f %s '{J'${*~}|md${@%%NA}5\sum|c$'\165'$'\x74' -b 27-28"${@^^}")"${*^^};printf "\x$(""p""rintf %s ';e'|m${@/4}d5sum|${[email protected]}c''$'\x75't -b 3-4"${@,}")"&&$*${*^^}prin$'\x74'f "\x$(""p""\r"[email protected]"i""\n''tf %s 'q;'"${@~~}"|${*,,}m''d5sum"${@~~}"|"${@,,}"cu''\t -b 14-15)")"

Bashfuscator makes obfuscating Bash one-liners and scripts incredibly easy. It can be used from the command line, or as a Python library. You can manually specify commands or scripts for Bashfuscator to obfuscate, feed it stdin to obfuscate and pass output though a pipeline, or use it an existing Python 3 project.

A great example of Bashfuscator’s use as a library is integration with a reverse or bind shell handler. In only 3 extra lines of code, every command you send through your reverse or bind shell will now be obfuscated transparently. Example:

from bashfuscator.core.obfuscation_handler import ObfuscationHandler

# socket code here

obHandler = ObfuscationHandler()

inputCmd = input("$ ")
obfCommand = obHandler.genObfuscationLayer(inputCmd)

# send command to reverse/bind shell

I intend for red teamers to use Bashfuscator to evade or bypass detections or make incident response much more time consuming. The modular and extendable nature of Bashfuscator allows red teams to build their own innovative and custom obfuscation modules, to keep blue team on their toes :wink:

Conversely, I intend for blue teamers to use Bashfuscator to generate thousands of varied, complex, and layered payloads that they can use to improve or create robust Bash obfuscation detections. This tool wasn’t just built for the red team, blue team’s gotta have some fun too :grin:


So, if you’re still interested in this project, please try it out and let me know any and every thought or criticism you have. Installation and basic usage instructions are in the README, but I would recommend also viewing the usage docs and help menu for advanced usage. Bashfuscator really comes to life when you’re cooking your own obfuscation recipe :wink: (Hint: try the --choose-mutators option).

Do note that the project is still in development; there are bugs, but overall I believe the project is reasonably stable. If you find a bug, checkout the ‘dev’ branch, and verify it exists there as well before reporting it to me please. I’ve done a lot of work there that I haven’t merged into master yet.

Also, as I’ve previously mentioned, Bashfuscator is a framework, designed to be extended with additional obfuscation modules. There isn’t any formal documentation regarding how to create an obfuscation module, but if you contact me I’ll be happy to walk you through the process. I’ve had a few people add modules already, but I could always use some more. I’m sure you guys have some crazy ideas in you!

One last thing: I have a lot of ideas for features I’m going to be adding to the project in the near future. Check the issues panel for issues I self-assigned, that’ll give you an idea for what’s to come :sunglasses:


(Co-Founder and Part-time Fool ) #2

Wow man this is really cool.

It sort of reminds me of a project I worked on that converted text to base64, and then turned base64 into words (the first letter was a base64 character).

Obviously, the really cool thing here is that your obfuscated bash is fully runnable; this is amazing. I’ve also been looking into making a python-obfuscator script (perhaps for obfuscating a reverse shell that uses this module :smiley:

Infact, I’d love to couple this with XIP - IP addresses mutation, you could really make a forensic responders life difficult.

Let me know when you’re next working on a project, I’d love to see early additions of your stuff!


(ghstonex) #3

I think it is good to someone,but i can`t still understand why obfuscate the bash?
mind if u help me why it need?


#4

It says it in the post, if you are part of a red team you want to remain undetected for as much as possible, if you have a shell running on a target machine that is monitored regularly you need to encrypt or encode your data, if you don’t want an analyst to find plain text commands inside the packets or if you wish to bypass IDS and firewall rules.

With this you can also buy yourself some time in case the blue team finds out suspicious activities, recognizing the purpose of a command after it’s been obfuscated by the program seems to be impossible if you don’t execute it yourself, imagine how much time it would take the team to understand exactly everything the attackers have done in order to stop them if all the commands they had to analyze were obfuscated this way. The advantage is that with encoding and encryption you will always need to obtain the original command back at some point, while this obfuscator leaves the command in a completely executable and hard to read form at the same time. I think it’s brilliant, already cloned it in my box.


(ghstonex) #5

Thank you for your kindness!
See you often here.:frowning_face::slightly_smiling_face:


(Shadow04) #6

Uh… why?

I’m not kidding…


#7

Thanks man! I really appreciate the kind words. Yeah the goal from the start was to have obfuscated payloads be runnable in Bash… though with so many different versions of Bash in the wild, and GNU vs BSD style utilities in different distros, supporting an Bash shell just isn’t feasible. But I aim to support as much as possible.

It’s kind of amazing how much Bash is capable of… the Special-Char-Only module for instance, turns Bash input into entirely special characters. Not a single alphanumeric character present in the final payload. To think that Bash can do that is… crazy. I actually ported that obfuscator from Invoke-Obfuscation, the guy who wrote that tool is a genius haha.

Wow, I didn’t realize that there was a good repo for IPfuscation… I actually discovered IPfuscation through Vysec on Twitter, and integrated it into Shellpop this summer, but it’s definitely not as robust as XIP. I will definitely be looking into that…

As for obfuscating a Python reverse shell, if your target is a Linux system, you could obfuscate the python payload with Bashfuscator and execute it in Bash :wink:


#8

Why is Bashfuscator relevant/useful? As far as I know, currently there is no kinds of detections of any kind for Bash obfuscation. I’m sure some vendors or corporate networks somewhere have built some, but as far as public, well known vendors, there doesn’t appear to be much at all. So I created this project to spread awareness of this fact, as well as allow red teamers to have some fun :wink:

For example, the Linux.BtcMin.174 virus is fairly sophisticated mining malware, almost exclusively written in Bash. In fact, it has multiple layers that are all written in Bash. Signatures have been made for the unobfuscated variants, via ClamAV or whatever. But when you obfuscate them with Bashfuscator, 0/57 engines detect it on VirusTotal.

What’s even more distressing though, is simple Base64 encoding can also defeat most AntiVirus scanners. I took the same known-malicious sample, Base64 encoded it, and fed it to VirusTotal. Again, 0/57 engines detected it.

As a red teamer, you could take this one of two ways.

  1. Bash obfuscation isn’t nessesary, I’ll just Base64 encode my commands and be set.

OR

  1. If vendors aren’t catching Base64 encoded malware, they definitely won’t catch Bashfuscated payloads… time to start using those.

To any defenders out there, this should be alarming… which is why I am going to be working on providing signatures for Bashfuscated payloads in the near future. But because Bashfuscator is a modular framework though, any red teamer can easily add a new, never-before-seen obfuscation module to Bashfuscator to bypass the default Bashfuscator signatures. It’s always a cat and mouse game.

Eventually, I hope for the industry to get to the point of where Powershell obfuscation detection and logging is now; attackers are shifting away from using Powershell as a Post-Exploitation language now because of the wealth of detection and logging available for defenders. Hopefully someday, that will be the same with Bash.


#9

Brilliant explanation mate, you hit the nail right on the head :+1: And as far as lengthening IR, I’ve got a feature that I’m going to start working on soon that will take that to the max… :sunglasses:

Please let me know your thoughts on Bashfuscator, good or bad! Always looking to improve it!


#10

That’s why we mainly look for malicious behavior, not payloads. Good job with the tool though the techniques seem interesting :slight_smile:


(ghstonex) #11

Hi.
You are cool.:sunglasses:
Can you help me?


(system) #12

This topic was automatically closed after 30 days. New replies are no longer allowed.