
Using Bashfuscator to Generate Complex Layered Bash Obfuscation

BSides Charm · 2019 · 26:26 · Published 2021-05
Category: Technical
Team: Red
About this talk
Andrew LeFevre presents Bashfuscator, a modular Python framework for generating obfuscated Bash payloads across Linux and Unix systems. The talk explores Bash obfuscation techniques in depth—including encoding, string concatenation, parameter expansion, and special-character manipulation—and demonstrates how to layer multiple techniques to evade detection and complicate incident response.
Original YouTube description
Yes, Bash Can Get Uglier: Using Bashfuscator to Generate Complex, Layered Bash Obfuscation

Bash is used extensively across Linux, Unix, and now Windows systems, making it the perfect language to do post-exploitation in, if you don’t get caught. In this talk, I will explore Bash obfuscation techniques in depth, and release a modular Bash obfuscation framework that makes generating complex and layered payloads easy so you can evade detection and make incident response much more difficult.

Presenter: Andrew LeFevre (@capnspacehook)

Andrew LeFevre is a student at Liberty University currently pursuing a Bachelor’s degree in Computer Science. He has a passion for developing offensive tradecraft for Windows and occasionally Linux systems.
Transcript [en]

All right, can you hear me? All right. Hello everyone. This is not Resale Wars, sorry about that last minute change. This is Yes, Bash Can Get Uglier: Using Bashfuscator to Generate Complex Layered Bash Obfuscation. This is a talk about diving into the depths of Bash, everything it is capable of, and just generating some really, really, really ugly commands. So first, who am I? My name is Andrew LeFevre. I am a junior at Liberty University, around the central Virginia area, so four or five hours from here. I am pursuing a bachelor's in computer science, and I am somewhat frequently on Twitter and definitely frequently on GitHub, both on the handle capnspacehook. That's a long story.

But so, motivation. Why would I study, or why would I try to delve into the research of Bash obfuscation, obfuscating Bash, right? Well, Daniel Bohannon from FireEye Mandiant, he's given numerous talks on bat or PowerShell obfuscation, and recently cmd.exe obfuscation. Great stuff. He released Invoke-Obfuscation, Invoke-DOSfuscation. So he's just really showing us PowerShell obfuscation is proven to be effective by attackers, right? Like, I mean, yes, PowerShell is dying now in terms, offensively, like Microsoft has, you know, tons of logs and everything, like tons of insight and optics into that. It's great, it's amazing. But for a while, and still even some now, attackers are really leveraging the

powers of PowerShell and using it. Invoke-Obfuscation helped defenders deal with PowerShell obfuscation by providing them a tool through which they could generate thousands and thousands of just different, varied obfuscated samples they can use to test their detections against. And so, why is Windows getting all the love, right? I'm like, I'm more of a Windows guy, right? I love diving into Windows internals, all that. But I'm like, you know, I don't know if I can do any more research on Windows. Like, what about Linux? What's there on the Linux side? So Bash. Bash is one of the most widely known and used shells, right? I'm thinking, like, okay, PowerShell,

Windows; what's equivalent on Linux? Bash, right? Sure, there's tons of other shells. You got C shell, Korn shell, fish, you know, all that stuff. But if you think of the one shell that your system admin, or you, if you have a Linux system, have just most likely used at some point in time, it's Bash. It's used by sysadmins and attackers alike, you know, for post-exploitation stuff. If you drop on a macOS system, chances are there's Bash. If you drop on a Linux system, like a Fedora-based system, you know, on some of the BSDs there might not be Bash, but I'm mainly going to be focusing on Linux. This I'll cover later. And but so, and

again, at the time when I started, around July or August of last year, hardly any research on Bash obfuscation at the time existed. There is a small amount now, which I'll go over, but some of it came about right as I was starting pursuits, which is pretty cool. But it's only really a few tweets; there's nothing really formal or anything. Plus I just wanted a good excuse to learn Bash. I'm like, hey, what better way to learn the language than to learn to obfuscate the crap out of it, right? So, some Bash obfuscation in the wild. This is a very simple sample that uses base64 and XOR to encode the payload.

It runs through, nope, it runs through a simple for loop to base64 decode it and then XOR decode it as well. It's pretty simple. This is found by dissects malware; I'll have the slides on everything so you can go find this if you want. But as far as actual obfuscated samples, there were very, very few I could find in the wild, and this is one of them. So the reason for me doing research was very different than Daniel Bohannon's. I wasn't starting doing research because attackers were already abusing and obfuscating Bash. I wanted to think, okay, like, if I want to stay one step ahead of them, if I want to go

on engagements as a red teamer, which I'm not, you know, student, but in the future, if I want to bring something to the table that's new, or, you know, help defenders out proactively: hey, what could attackers be doing? Like, you know, why don't we proactively start building detections against this? You know, nothing really uses this, and they could obviously pretty easily obscure Bash. So, as far as actual tools that are out there to obfuscate Bash, Metasploit actually has some encoders for shell scripts. They have like three or four. I haven't really used them much, but looking in the comments, some of them pretty much blatantly say don't

rely on this, it may break. As far as I can tell it's pretty much only used for hiding blocks of characters if you're passing through a WAF; you know, you don't want like bad characters getting through there, stuff like that. It's not for robust obfuscation, like frustrating analysis, like really slipping past detections. Just more just like a quick and dirty, try it, see if it works, right? And then there's these bad boys I discovered actually after I finished a lot of my research, which is kind of sad, but we're going to refer to them as Bash F to just keep this family friendly. Two of these seemingly almost identical, pretty close repos on GitHub that

basically, it's akin to Brain F the language, or JavaScript F, what you can do with that. Basically it just takes input Bash and spits out a version of it with only special characters, which I ended up doing in a different way after I learned, or, I learned about these after, which is kind of sad, it would have helped me. But these do exist. Also, here's a little sample of what they can do, some fun stuff, but you'll see more of that later. But yeah, they just make Bash commands entirely out of special characters; there's no alphanumeric in there at all. Well, except for the very beginning there, that's actually, there's a little bit

there. But so let's dive into, let's go over some basic obfuscation techniques you can do with Bash, right? How do we come up with obfuscation techniques? Well, we make changes to a command that Bash ignores. So you pepper the command, or just manipulate the command in such a way that when Bash is parsing it, they're almost kind of like no-ops in assembly or something like that. It's just kind of like peppering an assembly thing with a bunch of no-ops around it. So, like, when Bash is actually parsing and executing it, it just ignores that stuff, but if you're looking at it, it obviously

breaks it up more drastically, better. So let's start with a fairly common command you might see an attacker use post-exploitation, right? They're getting on your system, they're going to cat your /etc/passwd, see what users are on the system, they're going to grep -E, they're going to see, basically, hey, of all these users on here, which users have a login shell, which users can I log in as, potentially, like, you know, escalate privileges to, laterally move, whatever, right? Maybe from a different box. So this is the somewhat common command you might see an attacker using. So how can we start breaking this up, how do we start obfuscating this? Well, one of the first things we can do

is we can throw, or we can just randomly escape a lot of these different characters. And what Bash does here is, unless they are special characters that have a special meaning, for example the dollar sign, which just means, hey, like, there's a variable starting here, Bash completely ignores this. So when it's parsing this it'll just basically throw those away, and it'll say, okay, backslash c, backslash a, I don't, that's nothing, so I'm just going to take those out, just ignore that you put those there. So, perfect for obfuscation. So yeah, these characters like the asterisk, the bang for history expansion, asterisk for globbing, and the dollar sign for variables and parameter expansions, if you escape those

they will have a different meaning. But if you're just escaping most built-in or command names, it'll almost always do nothing. The caveat here is that technically in Linux, which I was surprised to find out, you can have a file name, which in turn could be a binary you're calling, that can contain any character except the null byte. So you could potentially, you can't escape any character in any command, because it could contain stuff like that. But it's just something to be aware of. But most stuff, obviously, is human readable; it's just using alphabetical stuff. So binary, built-in, function names can be escaped safely. Aliases cannot; I still don't know why,

but you can't do this to aliases, it'll break stuff. But everything else is fine. Another thing you can do: ANSI-C quoting. This is a really fun one. So basically what happens here is Bash, this is very effective for obfuscation. What this is used for, though, what this is intended for, it's intended for basically inserting normally non-printable characters into your script. So stuff like a vertical tab, or stuff like, I don't know, there's a bunch of extended ASCII, like weird stuff, like from ASCII, like the zero value down to like the 20th or something. There's a lot of weird characters in there that you never type; they're not available on your

keyboard. But if you know the octal, or, yeah, how useful is that, but if you know the hex, octal representation of those codes, the Unicode, like the hex value, like a size four, so basically it's like a lowercase u 0 0 0 or whatever it is, or if you know the hex 8, like a size 8 version of it, then you could basically insert those non-printable characters in there. But it doesn't just work for non-printable characters, it works for anything. So right there I'm just using 63 61 74, which correspond to cat in hex, like the hex that maps to the ASCII values c, a, t. But you can use octal, x64, whatever, right? But you can mix and match

syntax types for some really nasty stuff. So here we have octal in there, 141, that's just, which corresponds to a, you know, the ASCII representation, that also corresponds to c. Like, you see what you can do here, right? So what's also cool is, I don't know if you can see that, that's pretty dark, but that c right in the beginning there, you can shove stuff in there. Like, okay, so like you can shove like normal characters in there, just kind of mix it up. So if you're writing like a naive parser for this type of obfuscation, you might go, hey, like, you know, like, I see, go back one here, like we always see, like, you

zero zero six three, like, you know, 141, x74, like those are all, you know, either hex, octal, or Unicode representations of those characters, right? Then you see a c. What is that? What is that doing? I don't exactly, that's in the Bash manual, whatever, it doesn't specify you can do this. It's just one of the quirks of the parser, one of the many. But you can just throw like normal, you know, unobscured characters in there, and Bash will just interpret it as a c and then just parse the a and the t after it. So you can randomize that and just really, do some, there's a lot of possibilities with that. Throwing the t on the back,

throw an a in the middle there. The only thing you need to be careful of, so you don't interfere with ANSI-C quoting syntax, which is, for example, the octal, it's at most three digits. So if you have like, or say for hex, if you have like right here x74, I think, oh yeah, I do a t here, but if you threw a something that would correspond in hex, so if you say threw an a or something after that seven four, that would actually mean something different, or potentially, because Bash would then interpret that as the actual hex thing. So there are limits to what you can do with this, but if you're staying within the ANSI-C quoted

syntax, the Bash manual is where you can find that stuff, but you can obscure that pretty well. Yeah. You can also quote random characters. This is just the same thing. Like, if you just want to quote random things, Bash is just like, hey, you're quoting this, but you don't do anything in here, so I'm just going to ignore that, right? You can do single or double quotes. Something to keep in mind when using double quotes, just, you know, just strong versus weak quoting in Bash in general. If you're just quoting random, you know, non-special characters, it won't make any difference, but there is a big difference between double quoting and single quoting in Bash you

should be aware of. It's basically the same principle. It's a little different, but like, if you're just quoting like some arguments or commands, it's the same principle as escaping, forward slashes, just escaping stuff. You're just escaping stuff that doesn't need to be or shouldn't be escaped, so Bash just, it's just like a no-op, basically. You can also do string concatenation. So what's happening here is Bash would, by default, if you have multiple strings just right next to each other, Bash will internally, just when it's parsing, concatenate them all, right? So right here we just shove an empty string in the middle of grep.

So Bash, when it's parsing, it's like, hey, we got an escaped g, okay, it's just a g. We got an r, we got an empty string, and we got an e and, you know, a quoted p. So the backslash goes away, the quotes go away, the empty string, it's like, okay, we're just going to, like, you know, concatenate that string and just grep, right? So that's just how it works. It's really nice. You can see pretty quick how all these little things by themselves don't do a lot, but when you start mixing them all together, it can be really, really nasty. Yeah, Bash automatically joins adjacent strings.

And this is a very interesting one. If you've ever used Bash for any extended period of time, you should know, or I'm sure you've used, subshells. Basically what subshells are: you throw a command in the subshell, and the subshell returns the result of that command back to the top layer, right? But if you just have an empty subshell, Bash will just basically interpret that and be like, hey, okay, we're going to exec or eval, evaluate the expression inside of the subshell. It's nothing, so it basically returns an empty string, and then we go back to what we just learned: it just concatenates that to

nothing. So empty subshells are treated like empty strings, because they return empty strings, essentially. So Bash, you know, it's almost like a no-op. It does do some execution there, so if you throw a bunch of them in there, it'll, you know, still try to execute and parse them and everything, so there will be increased run time. But as far as actual functionality of your command, it won't change at all. Any amount of space can be used in there; it's still empty. I mean, there's no command in there, it's just space. So obviously space in Bash does nothing, for most places. Like, if it's just, you know, you use a command,

if you just enter a whole bunch of spaces and press enter, Bash is going to do nothing. So you can get creative with it. You can use the alternate syntax, the old graves, the deprecated graves. That can be fun if you're doing a lot of single quoting, or, yeah, single quote stuff, because they just blend in really well. And, oh no, rm -rf /, right? That's terrible, right? But if you notice up there we have a pound, that's actually a comment. It's a comment inside of a subshell. So Bash parses that and it's like, hey, look, it's a comment, and then we're going to see if there's anything after it. No. Okay, basically the

same thing as an empty subshell. You can throw anything you want in there, right? You can call out, hey, my Twitter handle, just like, whatever, you know, misleading commands. You can put anything you want in there in a subshell that's commented out; it doesn't do anything. So that you can really mislead people who are just glancing over it, right? That is pretty interesting. So one of my favorite things I discovered about Bash obfuscation that you can do with it is the special characters, or special variables, sorry, the dollar sign at, I don't know what to refer to them as, the dollar sign asterisk variables. What they allow you to do, they actually

contain the value, well, their value is the empty string in an interactive shell, because, oops, because they actually contain the arguments that Bash was called with. So if you're in an interactive shell, you just call bash, right, it's just nothing. Even if you do, like, pass bash some arguments in an interactive shell, like, okay, bash -x or whatever, it'll still evaluate to nothing. But if you have a script that, you know, has a shebang with bash, and you pass the script some arguments, these will actually contain the arguments you passed to Bash, right? But the value is going to be a string, right? So based on what we learned, we could surmise that

it's free real estate. We can throw these in here, let them be parsed out, you know, have some fun with them. So we can just pepper these in here, same thing as everything else we've been doing, they'll just be taken right out by Bash. And they hold their arguments, conversion back, called, called this, but there's even more that can be done with these magical variables, right? So anyone here ever heard of or used parameter expansions in Bash? Anyone? One person, two people. They're not very well known, but there's, I'm not going to go over all these, it's just for reference, but these are just some, like half or less of the parameter expansions

Bash has to offer. But these are the parameter expansions you can actually use with this command, or these variables, to basically just obfuscate them. And so you can do stuff like this, and they're basically manipulating the stuff inside of the variable. So like the first one is just saying, hey, everything inside of, you know, like, the first one is just saying, hey, uppercase everything in there. But it's an empty string, so you can't operate on an empty string; it still results in an empty string. So you can do this kind of stuff. You can insert garbage in here, like these. What the first one is saying is just, hey, everything, like, it's searching for that string

in there, which it's not going to find, and then just trying to remove it, but since it's an empty string it doesn't do anything, again. So you can just put almost whatever you want in there. You just have to be careful to not put another, because it's a parameter expansion, you can't put another right brace in there; it'll terminate it early. But you can just throw a lot of garbage in there. So how can we make this better, right? We have all these obfuscation techniques, but if you want to have some really robust obfuscation, if you want to, like, you know, be able to generate this stuff, how do we make this better, right? We can automate.

We can just, you know, write tools, scripts. Everyone loves automation, to automate this process. We can mix and match obfuscation techniques, all the stuff like we're doing, but lots more. We can create a framework to make writing obfuscation techniques easy. Everyone likes frameworks, right? You know, not everyone likes writing them, but, you know, they're useful, right? And so, introducing Bashfuscator. This is the tool I wrote. It's almost 4,000 lines of Python 3. It takes in Bash commands and just mangles the heck out of them and just shoves back at you massive commands. You can tweak a lot, and it just gives you, just, you

know, stuff that does the same thing that looks different. So, a little running short on time here. So there's five different types in here. Basically all you need to know is: encoders, they just encode Bash commands, right? Compressors, they compress your command, make it smaller. Command obfuscators, okay, the command obfuscators basically take your command, just using simple stuff like rev or stuff like that, just reverse your command. String obfuscators just use a bunch of binaries, like coreutils stuff, to just mangle stuff, you know. Token obfuscators obfuscate using Bash functionality, right? But I know you guys, you want to see this,

like, what do I have here, right? So I'm going to try and do a live demo. I know this never works out very well, but we'll see. There's no internet access or anything. So okay, if I can ever, oh, I don't know why that didn't show there. Okay, just log in here. All right, so the command is bashfuscator. We can just enter the same thing we did earlier. Oh, is that big enough right there? Okay, so we're going to here, cat /etc/passwd | grep -E bash, and basically there are right now 12 different obfuscation modules, so I'm just going to choose one. So first I'm going to use string

HexHash, which is a module written by one of the members of the audience here, Elijah Parker. Basically, yeah, let me scroll up and see that. So it's really big. So, you know, it takes up, it's a lot. If you make the screen smaller, it'll fit in the screen, mostly. But yeah, you can see right here, it's pretty big. So does this work, right? Does it work? Let's test it. There you go. Those are the users on my system that have a login shell. And if we want to copy it to the clipboard, we can just say, hey, just copy to clipboard, and because it's in the clipboard, I won't

show you the whole thing, because, you know, it's right there. So if you want to paste this in here and execute it, there it is. You can copy that, throw in your payloads, whatever, right? But let's do a little bit more with that, right? So the great thing about automating this stuff is you can stack stuff on top of each other, right? So you have string HexHash, there's another one, token ForCode. This basically, here, turn off the mangling, that just makes it a lot worse. It basically just takes your command, splits it into a randomized, like, array, and basically just builds out your command from that

array. I don't really have time to explain it fully, but Daniel actually introduced this technique in Invoke-Obfuscation, and I just ported it to Bash. You can do a lot of stuff, right? And then we have, this is my favorite one, took me a month to do correctly, special character only. So this is cat /etc/passwd | grep -E bash in only, entirely, special characters, right? So does this work? This should not work. Will it work? Yes. So let's copy that, let's just give you a taste of what it looks like. So this is entirely special characters. There is not a single alphanumeric character in there, right? And the great thing about this, I

don't have time to show you. If anyone's familiar with Bash's debug mode, it'll take commands and basically just say, hey, like, step through step by step everything that happens and print out, you know, what's going on to the screen, right? If you run this in debug mode, it will break. And basically it does crazy stuff, like, on purpose, generating Bash errors, sending the standard error to variables and then processing them, and it's just a mess. If you want to learn how it works, talk to me afterwards. It's been a month writing it; it was just a mess. But it was a lot of fun. So, a

last minute quick demo. We can take that, we can compress it, since it compresses really well. We can throw another thing on here, token ForCode, and we have this monstrosity that's 12,000, no, 121,000 characters, right? Let's compress that again. And will this run? Let's test it. There you go. Four, let me see, four different layers, well, two layers each compressed, Bash obfuscation. You can stack, mix and match stuff as much as you like. So there you have it, live demo worked. How's that? Then real quick, if you want to download Bashfuscator, it's on GitHub, github.com, on Twitter, GitHub as capnspacehook. And I didn't have time to show it, but two

people in the audience right down here, Elijah Parker and Charity Barker. Elijah developed a bunch of the different obfuscators, crazy stuff. It's been a while since I've gone through them; I understand most of them, but they're just crazy stuff. And Charity developed a bunch of size and time graphs, which are in a dev branch of documentation, but will be in soon. So basically you can pick any of the dozen obfuscators and see, hey, given this size of input, how large will my output be, or given, you know, this size of my output, like, how much more time will this obfuscator increase my run time, stuff like that. It's great.

And Daniel Hatfield, who's not here, wrote a module for Bashfuscator. So if you want to ask any questions, my DMs are open, traininglogic, both on Twitter, you can ask us anything, if you want to, you know, whatever. So, yep, thanks. And also thanks to these people, who in some way or another helped me in this research into the depths of Bash. It's a frustrating thing, but yeah, thank you very much everyone.
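The talk lists a set of "no-op" layers that Bash strips during parsing: backslashes before harmless characters, ANSI-C `$'...'` quoting (with literal characters mixed into the escapes), quotes around nothing or around plain text, empty and comment-only subshells, and `$@`/`$*` plus parameter expansions over them, which expand to nothing when no arguments were passed. The point for a defender is that every one of those layers is mechanically reversible, so a detection pipeline can peel them off, compare the normalized command against its rules, and treat the number of layers it had to peel as a signal in itself. The following Python is an added example written for this page; it is not code from the talk or from the Bashfuscator project. It implements each reversal as a regex step over the three constructed sample commands at the bottom, all hiding the talk's own `cat /etc/passwd | grep -E bash`. It assumes the interactive-shell case the speaker describes (no positional parameters) and is a heuristic over a command string, not a Bash parser; the encoders, compressors and special-character-only output from the demo are outside its scope.

```python
import re

# Escapes bash accepts inside $'...' (ANSI-C quoting); \c (control chars) is left out.
_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b", "f": "\f",
                   "v": "\v", "e": "\x1b", "E": "\x1b", "\\": "\\", "'": "'", '"': '"', "?": "?"}
_ANSI_ESCAPE = re.compile(
    r"\\(?:x(?P<hex>[0-9A-Fa-f]{1,2})"       # \xHH       one or two hex digits
    r"|u(?P<u>[0-9A-Fa-f]{1,4})"             # \uHHHH     one to four hex digits
    r"|U(?P<U>[0-9A-Fa-f]{1,8})"             # \UHHHHHHHH one to eight hex digits
    r"|(?P<oct>[0-7]{1,3})"                  # \NNN       one to three octal digits, greedy
    r"|(?P<simple>[ntrabfveE\\'\"?]))")


def decode_ansi_c(body: str) -> str:
    """Decode the body of a $'...' string. Anything that is not an escape passes through
    literally, which is the parser quirk that lets $'c\\141\\x74' spell out "cat"."""
    def expand(m):
        for name, base in (("hex", 16), ("u", 16), ("U", 16), ("oct", 8)):
            if m.group(name) is not None:
                return chr(int(m.group(name), base))
        return _SIMPLE_ESCAPES[m.group("simple")]
    return _ANSI_ESCAPE.sub(expand, body)


# Characters that mean nothing special to bash whether escaped, quoted or bare.
_SAFE = r"[A-Za-z0-9_/.,:=+-]"

# One reversal step per no-op layer from the talk, applied top to bottom.
# Each entry is (technique name, pattern, replacement function).
_STEPS = [
    # $'...'                     -> the decoded text
    ("ansi_c_quoting", re.compile(r"\$'((?:\\.|[^'\\])*)'"),
     lambda m: decode_ansi_c(m.group(1))),
    # $( ), ` `, $(# comment)    -> nothing: an empty subshell expands to an empty string
    ("empty_subshell", re.compile(r"\$\(\s*(?:#[^)\n]*)?\)|`\s*`"), lambda m: ""),
    # $@, $*, "$@", ${@^^} ...   -> nothing: no positional parameters in the assumed context
    ("positional_params", re.compile(r'"\$[@*]"|\$(?:[@*]|\{[@*][^}]*\})'), lambda m: ""),
    # 'abc', "abc", '', ""       -> the bare text, when the quotes protect nothing
    ("needless_quotes", re.compile(r"'(" + _SAFE + r"*)'|\"(" + _SAFE + r"*)\""),
     lambda m: m.group(1) if m.group(1) is not None else m.group(2)),
    # \c\a\t                     -> cat; quoted strings that survived the previous step are
    # matched whole and kept, because a backslash inside '...' is literal, not an escape
    ("needless_escapes", re.compile(r"'[^']*'|\"(?:\\.|[^\"\\])*\"|\\(" + _SAFE + ")"),
     lambda m: m.group(1) if m.group(1) is not None else m.group(0)),
]


def normalize(cmd: str):
    """Peel the no-op layers off a command line. Returns (normalized_command, hits), where
    hits counts how many constructs each step removed; that count is the detection signal."""
    hits = {}
    for name, pattern, repl in _STEPS:
        count = 0

        def apply(m, repl=repl):
            nonlocal count
            out = repl(m)
            if out != m.group(0):
                count += 1
            return out

        cmd = pattern.sub(apply, cmd)
        hits[name] = count
    return re.sub(r"\s+", " ", cmd).strip(), hits


def looks_obfuscated(cmd: str, threshold: int = 3) -> bool:
    """Heuristic: a command line that needs several no-op removals deserves a closer look."""
    return sum(normalize(cmd)[1].values()) >= threshold


# Constructed samples (not from the talk or Bashfuscator): the talk's example command,
# hidden under escaping, quoting, ANSI-C quoting, empty subshells and $@/$* expansions.
SAMPLES = [
    r'''c\a\t /etc/pa\sswd | g'r'""e"p" -E ba$@sh''',
    r"$'\x63\x61\x74' /etc/passwd | $'g\162\x65p' -E $'\142ash'",
    r'''$'\x63'a\t "/etc"'/passwd'$(# not executed) | g${*//junk}r$()e\p -E b"a"$'\163'h''',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        plain, hits = normalize(sample)
        print(f"{sample}\n  -> {plain}  {hits}  flagged={looks_obfuscated(sample)}")
```

Two design points follow directly from the talk. The octal pattern is greedy, so `decode_ansi_c` reproduces the caveat about appended digits: `\14` is a form feed while `\141` is `a`, and `\x74a` is `t` followed by a literal `a` because `\x` takes at most two digits. And the escape-stripping step deliberately matches whole quoted strings first, since the speaker's "strong versus weak quoting" warning applies here too: `'\a'` is two literal characters, not an escaped `a`, and a normalizer that forgot that would rewrite legitimate commands. The `hits` dictionary is more useful than the normalized string alone: ordinary command lines rarely need more than one or two removals, so the total is a cheap first-pass indicator before any signature matching.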