ronin-post_ex

• Website
• Source
• Issues
• Documentation
• Discord | Twitter | Mastodon

Description

ronin-post_ex is a Ruby API for Post-Exploitation.

This library is used by ronin-payloads, ronin-c2, and ronin-exploits to provide a Post-Exploitation API around payloads, C2 sessions, or even exploits.

ronin-post_ex is part of the ronin-rb project, a Ruby toolkit for security research and development.

Features

• Defines a syscall-like API for Post-Exploitation.
• Provides classes for interacting with the Post-Exploitation API.
  • Ronin::PostEx::System - allows interacting with a remote system.
  • Ronin::PostEx::System::FS - allows interacting with the file-system.
  • Ronin::PostEx::System::Process - allows manipulating the current process or child processes.
  • Ronin::PostEx::System::Shell - allows interacting with an interactive shell..
  • Ronin::PostEx::RemoteFile - allows reading/writing files.
  • Ronin::PostEx::RemoteDir - allows reading the contents of directories.
  • Ronin::PostEx::RemoteProcess - allows reading/writing to an running command.
• Supports interacting with interactive shell commands.
• Provides interactive command shells for interacting with systems.
• Supports Linux/BSD/UNIX systems.
• Provides common post-exploitation session classes for interacting with shells, bind shells, and reverse shells.
• Supports defining custom post-exploitation session classes.

Limitations

• Does not currently support Windows systems.
• Does not fully support bidirectional fully interactive shell commands.

Examples

Bind Shell

session = Ronin::PostEx::Sessions::BindShell.connect(host,port)
system  = session.system

system.shell.ls('/')
# => "..."

Reverse Shell

session = Ronin::PostEx::Sessions::ReverseShell.listen(host,port)
system  = session.system

system.shell.ls('/')
# => "..."

Custom Session Class

Define a custom session class which defines the Post-Exploitation API methods:

class RATSession < Ronin::PostEx::Sessions::Session

  def initialize(host,port)
    # ...
  end

  def rpc_call(method,*arguments)
    # ...
  end

  def fs_read(path)
    rpc_call("fs_read",path)
  end

  def shell_exec(command)
    rpc_call("shell_exec",command)
  end

  # ...

end

session = RATSession.new
system  = session.system

System

Interact with the system's remote files as if they were local files:

file = system.fs.open('/etc/passwd')

file.each_line do |line|
  user, x, uid, gid, name, home_dir, shell = line.split(':')

  puts "User Detected: #{user} (id=#{uid})"
end

Get information about the current process:

system.process.pid
# => 1234

system.process.getuid
# => 1001

system.process.environ
# => {"HOME"=>"...", "PATH"=>"...", ...}

Execute commands on the remote system:

system.shell.ls('/')
# => "bin\nboot\ndev\netc\nhome\nlib\nlib64\nlost+found\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsnap\nsrv\nsys\ntmp\nusr\nvar\n"

system.shell.exec("find -type f -name '*.xls' /srv") do |path|
  puts "Found XLS file: #{path}"
end

Spawn an interactive command shell:

system.shell.interact
$

Spawn an interactive post-exploitation system shell:

system.interact

ronin-post_ex> help
  help [COMMAND]                    Prints the list of commands or additional help
  fs.chdir DIR                      Changes the current working directory
  fs.pwd                            Prints the current working directory
  fs.readfile FILE                  Reads the contents of a given FILE
  fs.readlink SYMLINK               Reads the destination path of a symlink
  fs.readdir DIR                    Reads the contents of a given directory
  fs.hexdump FILE                   Hexdumps a given file
  fs.copy SRC DEST                  Copies the SRC file to the DEST path
  fs.unlink FILE                    Deletes a given file
  fs.rmdir DIR                      Removes a given directory
  fs.mv SRC DEST                    Moves or renames a given file or directory
  fs.link SRC DEST                  Creates a link from the source to the destination
  fs.chown USER PATH                Changes the owner of a given file or directory
  fs.chgrp GROUP PATH               Changes the group of a given file or directory
  fs.chmod MODE PATH                Changes the permission mode of a given file or directory
  fs.stat PATH                      Prints file system information about a given file or directory
  fs.open PATH [MODE]               Opens a file for reading or writing
  files                             Lists opened files
  file.seek FILE_ID POS [WHENCE]    Seeks to a position within the file
  file.read FILE_ID LENGTH          Reads LENGTH of data from an opened file
  file.write FILE_ID DATA           Writes data to an opened file
  file.close FILE_ID                Closes an open file
ronin-post_ex> 

Requirements

• Ruby >= 3.0.0
• fake_io ~> 0.1
• hexdump ~> 1.0
• ronin-core ~> 0.1

Install

$ gem install ronin-post_ex

Gemfile

gem 'ronin-post_ex', '~> 0.1'

gemspec

gem.add_dependency 'ronin-post_ex', '~> 0.1'

Development

1. Fork It!
2. Clone It!
3. cd ronin-post_ex/
4. bundle install
5. git checkout -b my_feature
6. Code It!
7. bundle exec rake spec
8. git push origin my_feature

License

Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)

ronin-post_ex is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

ronin-post_ex is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with ronin-post_ex. If not, see https://www.gnu.org/licenses/.