POST CATEGORY : Red Teaming

Command & Control: Ares

In this article, we will learn how to use Ares tool. This tool performs the Command and Control over the Web Interface. This tool can be found on GitHub.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution
  • Capturing Screenshot
  • File Download
  • Compressing Files
  • Persistence Agent
  • Clean Up

Introduction                                                                                                                                                 

Ares is a Python Remote Access Tool. Ares is made of two main programs: A Command & Control server, which is a Web interface to administer the agents and an agent program, which runs on the compromised host, and ensures communication with the CNC. The credit for creating this tool goes to Kevin Locati.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin first, we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub. After Cloning, we traversed into the newly created directory called Ares through the cd command as shown in the image.

Now, to make the tool work we will be needing to install some prerequisites.  Let’s start from the file that we cloned earlier name requirements.txt. This file contains the details of the python libraries that are required to be installed.

Now as we have our target a Windows Machine, we will need to compile the agent that is compatible with the Windows Machine. To do that we will be needing wine. So, using the file that we cloned earlier, let’s begin the wine installation. Now this will take a bit of time.

Exploiting Target

Now that we have successfully installed all the requirements needed to run the Ares tool. Its time to gain the Command and Control Session.  To do this we are going to need an agent. For this, we use the cd command to traverse into the agent directory. After that, we list the contents of the file to find a config file. We will be needing to edit the file so as to gain the session.

As we can see, when we open the config file using the nano command. We see that the SERVER variable has an IP Address. We are going to edit it and change it to the internal IP address of the attacker machine, which in my case is 192.168.1.4. We don’t require any further changes. So Save and Exit the nano editor.

Now that we have configured the config file, Its time to create an agent. As we have a Windows Machine as a target. We will be creating a windows agent using the command given below.

Now, we will send this agent to the target machine by any means of preference. After that, we will be needing to launch the server. This is required as the agent will communicate to this server. Let’s get back to the Ares directory. Here we have a sub-directory called server. After traversing in it we will have to initiate the database for that we will be using the initdb parameter. Initiating the database is to be done only the first time. Now we will run the server as shown in the given image.

 

Now we will open the server IP in our browser. Here we will see a form asking for the password as shown in the given image. We entered the password and clicked on Define to continue.

Now that the password is defined, we will have to enter the password to log in.

Here we have the main index of the Ares GUI. It has the following links: Change Password, Disconnect, Agent List. Now, we will go back to the step where we created an agent. Only after we execute the agent on the target machine, we will get a line Agent in Agent List.

As we can see the image given below, that we have an agent alive. We have the name of the agent, status, user that was logged in when the agent went live, we have the hostname too. We are also informed about the IP Address and Operating System of the target. Here we could run the agent on multiple devices each one of them will be visible here. We can select sessions from here and execute the same command on multiple session at the same time. We will have to click on the name to proceed.

Command Execution

As Ares runs the Power Shell commands, let’s start with the System Information command. As we can see that we have all the system config information of the target machine.

Capturing Screenshot

Now, Let’s take a screenshot of the target machine. To do this we will type in the screenshot command and the agent will capture the screenshot and provide a link as shown in the figure. On opening this link the screenshot can be viewed.

File Download

We can also download files from the remote target using this agent. To do this we require the name of the file. This can be obtained using the dir command. Now once we have the filename, we will download it to our local attacker machine as shown in the image given below.

Compressing Files

We can compress a directory on the remote target using the Ares agent. For this, we require the name of the directory. After we extract the name of the directory, we can compress the file remotely using the command given below. Here, we have ‘sample’ the name of the directory and ‘compressed.zip’ the name of the compressed file.

 

Persistence Agent

We could invoke the persistence in the agent using the command persist. This command installs the agent on the remote target.

Clean Up

This tool also performs the clean up after the work through the session Is done. This command removes the agent from the target machine. Hence it goes on undetectable.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Command & Control: WebDav C2

In this article, we will learn how to use WebDav C2 tool.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution

Introduction                                                                                                                                                 

WebDavC2 uses the WebDAV protocol with PROPFIND only requests to serve as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

WebDavC2 is composed of a controller, which acts as the C2 server. It also comprises of an agent, written in C#/.Net, running on the target system. It is delivered to the target system via various initial stagers. It also consists of various types of initial stagers (created on the fly when the controller starts) used for the initial compromisation of the target system.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

After running the above command, we would have a directory created by the name of WSC2. Now, we will traverse inside that directory using the cd command. Let’s see the contents of the directory that we just cloned using the ls command.

Exploiting Target

As we run the tool, we are greeted with a cool looking banner as shown in the given below. Followed by some details about the Author and Version and tool. After this it will create multiple stagers in Batch, Macro and Jscript as shown in the figure below. It also starts an WebDav Server at the IP provided at port 80.

Now we have to send the files to the target. For this we will open a new terminal and traverse inside the stagers directory. Here as we can see that we have multiple stagers. Let’s try to open the batch file, here we see that the PowerShell batch file in encrypted. Now we will sent these stagers to the target using the python server.

Command Execution

After the stager is executed, we are provided with a prompt to run commands. Here we run the command systeminfo. And we have the system information of the target as shown in the given image.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Command & Control: WebSocket C2

In this article, we will learn how to use WebSocket C2 tool. It is also known as WSC2.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution
  • File Download

Introduction                                                                                                                                                 

WSC2 is primarily a tool for post-exploitation. WSC2 uses the WebSocket and a browser process. This serves as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

After running the above command, we would have a directory created by the name of WSC2. Now, we will traverse inside that directory using the cd command. Let’s see the contents of the directory that we just cloned using the ls command.

After that we are going to need to install the dependencies of the tool. There are multiple ways to do this, but here we are using pip command along with a requirements.txt file that we cloned from git earlier.

As we saw earlier that we have a config.py file inside the cloned directory. We have to make some changes inside this config.py file so as to get the session on our system. We used nano to edit the file. As shown in the figure, when we opened the config.py file using nano, we found a variable CALLBACK. It has an IP Address. We changed it to the IP Address of our Attacker Machine i.e Kali Linux.

Exploiting Target

Now, it’s time to run the tool, check for appropriate permission before running the tool. As we run the tool, we are greeted with a cool looking banner as shown in the given below. Followed by some details about the Author and Version and tool. After this, it will create an incoming directory inside the Directory we cloned earlier. This will be used as a buffer to save files from the target.

We are going to create a batch file. But we can use many other types of stager options. This tool provides stager in jscript1, jscript2, jscript3. We are using jscript1 here because it is not required to compile. Rest of the stagers are required to compile. This command will create a wsc2Agent1.js in stagers directory.

Now let’s get the file to the target machine. To do this we will open up a new terminal and traverse into the stagers directory using the cd command. Here, we are using the python server to share the file to the target. This can be done using any other method of choice.

After the jscript file is executed on the target machine, we will be informed with a message on the terminal that New agent connected. Now we will use the list command to see the list of the agents.

And then we will copy the AgentID and then use it to interact with the session as shown in the given image.

Command Execution

We can run some PowerShell commands on the target machine using the command cli. Here we run the command systeminfo. And we have the system information of the target as shown in the given image.

File Download

Furthermore, we can download files from the target. To do this we will have to use the command getFile followed by the file name or path. This will download the file form the target to our attacker machine.

The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Command and Control with DropboxC2

In this article, we will learn how to use DropboxC2 tool. It is also known as DBC2.

Table of Content:

  • Introduction
  • Installation
  • Getting Dropbox API
  • Exploiting Target
  • Sniffing Clipboard
  • Capturing Screenshot
  • Command Execution
  • File Download

Introduction                              

DBC2 is primarily a tool for post-exploitation. It has an agent running on the target’s machine, a controller, running on any machine, PowerShell modules, and Dropbox servers as a means of communication. It is inspired by the PowerShell Empire Framework. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first, we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

After running the above command, we would have a directory created by the name of DBC2. Now, we will traverse inside that directory using the cd command. After that, we are going to need to install the dependencies of the tool. There are multiple ways to do this, but here we are using pip command along with a requirements.txt file that we cloned from git earlier.

Getting Dropbox API

Now, this tool uses the Dropbox Servers as the medium to run agents on the target machine. In order to do that, this tool requires a Dropbox API. To get that, first, create an account on Dropbox. Then after creating the account, head to developer tools here. A webpage will open similar to the one shown below. Here we will select the “Dropbox API”. Then in the type of access section, we will choose “App folder”. Name the app as per choice. Then click on Create App Button to proceed.

This will lead to another webpage as shown below. Here, move on to the O Auth 2 Section, and 

Generate access token. This will give the Dropbox API required for this particular practical.

Copy the Generated access token, now get to the directory we cloned earlier. Here we have a file named config.py. We will open it using nano command and paste the Access token as the value for “defaultAccessToken” as shown in the given screenshot given below.

Exploiting Target

Now, it’s time to run the tool, check for appropriate permission before running the tool. As we run the tool, we are greeted with a cool looking banner as shown in the given below. Followed by some details about the Author and Version and tool. After this, it will ask for a master password which will be used to encrypt all the data between the agents and the controller. Enter the password of choice. It will encrypt the password entered and display the result. We can copy the code shown and add to the config.py file so that it doesn’t ask again for a master password. After this, it will create an incoming directory inside the Directory we cloned earlier. This will be used as a buffer to save files from the target.

This tool requires to upload the modules and stager on Dropbox before proceeding further. We will do this using the command given below.

This will upload a file on the Dropbox as shown in the image given below. This file is encrypted using XOR encryption.

Now let’s check if the stage is published using the command given below:

Now that stage is uploaded, let’s use it to create a stager. We are going to create a batch file. But we can use many other types of stager options. This tool provides stager in macro, oneliner, JavaScript, MS build sct and much more. This command will create a stager.bat in the tmp directory. We sent this bat file to our target machine.

After the batch file is executed on the target machine, we will be informed with a message on the terminal that Agent found with ID. Now we will use the list command to see the list of the agents. And then we will copy the AgentID and then use it to interact with the session as shown in the given image.

This will create a file on the Dropbox with the .status extension as shown in the given image.

Clipboard Sniffing

We can get the clipboard data that the target has on its clipboard. That is., the data he/she has copied. To do this we will have to start a sniffer using the command clipboardLogger start. Then wait till the target copies some data. Then Stop the sniffer using the command clipboardLogger stop. After stopping the sniffer the clipboard will be saved in a text file inside the incoming directory.

Let’s take a look at what target copied on his/her machine. We are going to use the cat command on a new Kali terminal to read the file as shown in the given image.

Capturing Screenshot

Now furthermore we can grab a screenshot of then target machine. To do this we will use the screenshot command as shown in the given image.

The screenshot will be captured and stored in the incoming directory. We can see that the target is browsing a website on his/her machine in the given image.

Command Execution

We can run some PowerShell commands on the target machine using the parameter cmd. This tool doesn’t offer the shell but it can execute one command at a time. So, we type cmd and then it asks the command that is to be executed. Here we run the command dir. And we have the list of files as shown in the given image.

File Download

Furthermore, we can download files from the target. To do this we will have to use the command getFile followed by the file name or path. This will download the file form the target to our attacker machine.

The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here