Slack Shell Bot
By Russel Van Tuyl
I really, really, really like shells. Nothing is better than that feeling you get when a shell comes in. There are many ways to get a shell, but some of them take a while to produce. A phishing campaign that leverages malicious payloads is a good example where there might be delayed gratification on receiving a shell. The emails might be sent at eight in the morning, but who knows what time of day a victim will read the email and open the malicious attachment in such a manner that causes the payload to execute? Another example is a malicious USB device. It could be configured with a malicious payload and dispersed in a work area or parking lot, but who knows how long it will take for one to be plugged in?
I wanted a way to instantly be notified when a shell came in so I could drop everything I’m doing and immediately do a pwn dance. There are many ways this can be done, but I decided to leverage Slack for notification. I chose Slack because it can be installed on your mobile phone, or your computer, or run in a web browser. The options are numerous. There is a solid chance I always have my phone with me, so I really like the idea of notifications on my phone.
This notification system relies on Slack’s incoming WebHooks custom integrations. To create a new WebHook, click on the “Add Configuration” button for a Slack channel you control and start populating the integration settings. Figure 2 shows how I have my ShellBot integration configured. We will need the channel name, Webhook URL, username, and custom emoji (if used) to configure SlackShellBot later.
Figure 1: Slack Incoming Webhooks
Figure 2: Shellbot Integration Settings
I created a python-based script that I call SlackShellBot, ssb for short, to post notifications to Slack when a new shell comes in. The code can be retrieved from https://github.com/Ne0nd0g/slackshellbot.git. This Python script reads in configuration information from ssb.conf that must be in the same directory as the Python script itself. Here is an example of configuration file:
[slack] slackHook = https://hooks.slack.com/services/ botName = ShellBot channel = #shellbot [slackShellBot] sleepTime = 60 [empire] db = /opt/Empire/data/empire.db [msf] msfRpcHost = 127.0.0.1 msfRpcPort = 55552 msfRpcUser = msf msfRpcPass = SuperSecret
Most of the configuration file is self-explanatory. The slackHook parameter should be set to the value retrieved when the WebHook was created along with the botName and channel parameters as shown in Figure 2. The sleepTime parameter is the value in seconds that the bot will sleep before checking to see if there are any new shells. The only thing the configuration file needs for Empire is the path to its database. Metasploit requires a bit more setup. SlackShellBot uses Metasploit’s MSGRPC interface. Additional information about the interface can be found here: https://help.rapid7.com/metasploit/Content/api-rpc/getting-started-api.html. There are many ways to get the interface configured, but the easiest and most practical solution is to type load msgrpc into your currently running Metasploit instance where you already have a listener setup as shown in Figure 3. Take the values returned to by Metasploit and add them to your configuration file.
I have hardcoded in an :empire: and :metasploit: emoji into the script. Be sure to grab those emojis from the SlackShellBot emoji directory and configure your slack instance to use them.
Once the configuration file is populated, run SlackShellBot with: python ssb.py. SlackShellBot will warn the user if it isn’t able to reach the Metasploit RPC interface or the Empire database. The program will continue so long as Empire or Metasploit can be reached. Now that script is running, launch a shell on a test host using any method you desire and you will get a notification via slack.
Here is an example of receiving an Empire agent:
Figure 4: SlackShellBot New Empire Agent
Associated Slack notification:
Figure 5: ShellBot Slack Notification for Empire Agent
Here is an example of receiving a Meterpreter agent:
Figure 6: SlackShellBot new Meterpreter Agent
Associated Slack Notification:
Figure 7: ShellBot Slack Notification for Meterpreter Agent
Pair this SlackShellBot with my previous article on Multi-Tool Multi-User HTTP Proxy and you have a good recipe for a C2 infrastructure with a notification system. I can promise you that you’ll find this handy. One day I was driving across the state when I got a notification on my phone from SlackShellBot letting me know there was a new agent check in. I immediately pulled over into a rest stop, got out my laptop, and started enjoying the fruits of my labor. I hope you find this useful too. Happy hunting.
Russel Van Tuyl is the managing consultant for security assessments at Sword & Shield Enterprise Security. His primary role is conducting network vulnerability assessments and penetration tests but also performs web application assessments, firewall configuration audits, wireless assessments, and social engineering.
He has more than 11 years of experience in the technical field in roles such as database design, field device support, help desk, IT asset management, programming, and information security.