Search the Community
Showing results for tags 'c&c'.
Found 2 results
Koadic C3 COM Command & Control - JScript RAT Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10. It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled). Koadic also attempts to be compatible with both Python 2 and Python 3. However, as Python 2 will be going out the door in the not-too-distant future, we recommend using Python 3 for the best experience. Hooks a zombie Elevates integrity (UAC Bypass) Dumps SAM/SECURITY hive for passwords Scans local network for open SMB Pivots to another machine Stagers Stagers hook target zombies and allow you to use implants. Module Description stager/js/mshta serves payloads using MSHTA.exe HTML Applications stager/js/regsvr serves payloads using regsvr32.exe COM+ scriptlets stager/js/wmic serves payloads using WMIC XSL stager/js/rundll32_js serves payloads using rundll32.exe stager/js/disk serves payloads using files on disk Implants Implants start jobs on zombies. Module Description implant/elevate/bypassuac_eventvwr Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10. implant/elevate/bypassuac_sdclt Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10. implant/fun/zombie Maxes volume and opens The Cranberries YouTube in a hidden window. implant/fun/voice Plays a message over text-to-speech. implant/gather/clipboard Retrieves the current content of the user clipboard. implant/gather/enum_domain_info Retrieve information about the Windows domain. implant/gather/hashdump_sam Retrieves hashed passwords from the SAM hive. implant/gather/hashdump_dc Domain controller hashes from the NTDS.dit file. implant/gather/user_hunter Locate users logged on to domain computers (using Dynamic Wrapper X). implant/inject/mimikatz_dynwrapx Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X). implant/inject/mimikatz_dotnet2js Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS). implant/inject/shellcode_excel Runs arbitrary shellcode payload (if Excel is installed). implant/manage/enable_rdesktop Enables remote desktop on the target. implant/manage/exec_cmd Run an arbitrary command on the target, and optionally receive the output. implant/persist/add_user Create a local/domain user. implant/persist/registry Add a Koadic payload to the registry. implant/persist/schtasks Add a Koadic payload as a Scheduled Task. implant/persist/wmi Add a Koadic payload as a WMI subscription. implant/phishing/password_box Prompt a user to enter their password. implant/pivot/stage_wmi Hook a zombie on another machine using WMI. implant/pivot/exec_psexec Run a command on another machine using psexec from sysinternals. implant/scan/tcp Uses HTTP to scan open TCP ports on the target zombie LAN. implant/utils/download_file Downloads a file from the target zombie. implant/utils/multi_module Run a number of implants in succession. implant/utils/upload_file Uploads a file from the listening server to the target zombies. Disclaimer Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code. Source & Dowload: [Hidden Content]
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. HTTP/2 is a newly ratified protocol documented under RFC 7540 that aims to solve some of the problems with HTTP/1.x and provide functionality to support current web application operations. HTTP/2 communications are multiplexed, bi-direction connections that do not end after one request and response. Additionally, HTTP/2 is a binary protocol that makes it more compact, easy to parse, and not human readable without the use of an interpreting tool. An HTTP/2 connection can be setup by upgrading a HTTP/1.x connection using the `Upgrade` header or during the negotiation of a TLS encrypted channel. Application-Layer Protocol Negotiation (ALPN) is a TLS 1.2 extension that is required to setup a HTTP/2 connection identified with the `h2` protocol string. TLS versions less than 1.2 are not equipped to negotiate a HTTP/2 connection. Oddly enough, the client will perform one final check to ensure that the server can speak HTTP/2 by sending the string PRISM. This reminds me of the NSA PRISM program. An introductory blog post can be found : [Hidden Content] demo : [Hidden Content] Source & Download : [Hidden Content]