2019-03-16 01:32:54 Author: pentestlab.blog(查看原文) 阅读量:475 收藏
Command and Control – Browser
June 6, 2018
Red Team Browser-C2, C&C, Command and Control, Red Team
Red Teams are always focused in the discovery of innovative ways to establish connections back to their command and control infrastructure. The main reasons that leads red teams to use standard protocols or native system functionality for command and control operations is to bypass some sort of restrictions and to stay of the radar of the blue team. 0x09AL developed Browser-C2 in Go which uses the browser (Chrome) as a communication channel and can bypass host based firewalls. 0x09AL described the idea and the operation of the tool in his blog.
The tool requires the following two components in order to operate successfully.
go get -u github.com/gorilla/mux go get -u github.com/chzyer/readline
The implant can be compiled to executable with the following command. However prior to that activity the agent.go file needs to be changed to contain the IP address of the C2 server.
go build agent.go
Browser C2 – Converting the implant to executable
The jquery file needs to modified to contain the IP of the command and control server in the var url parameter.
The main command and control application can be compiled with the following:
go build
When the implant will executed on the target host Chrome browser will initiate and automatically will reach the Command and Control server endpoint.
Browser C2 – Agent Execution
A connection will establish with the C2 server and commands can be executed to retrieve host information.
Browser C2 – Command Execution
The Windows Management Instrumentation command line utility can be also used for additional host recon.
wmic useraccount list full
Browser C2 – User Enumeration via WMIC
Browser-C2 doesn’t support encryption for communication between the server and the compromised host and has limited functionality since it cannot execute PowerShell scripts and it can only used for basic command execution. For additional operations an alternative channel such as Meterpeter or PoshC2 can be considered. The Metasploit Framework module web delivery will generate and host a scriptlet automatically.
exploit/multi/script/web_delivery
Browser C2 – Metasploit Web Delivery Module
The regsvr32 is a common method discovered by Casey Smith which bypasses AppLocker policies and it is a reliable technique to execute arbitrary code remotely. The scriptlet can be executed from an existing Browser-C2 agent session.
Browser C2 – Code Execution via regsvr32 Metasploit
When the payload will delivered a Meterpreter session will open which will provide enhanced capabilities.
Browser C2 – Meterpreter via Web Delivery
Usage of the same method can also establish a connection with PoshC2 for post-exploitation activities based in PowerShell.
Browser C2 – Code Execution via regsvr32 for PoshC2
The implant handler of PoshC2 will receive the connection.
PoshC2 – Implant Handler
Interaction with the implant will start by selecting the associated ID. PoshC2 contains various PowerShell modules which can be used for extensive host recon credential grabbing like Mimikatz.
Browser C2 – Mimikatz via Implant Handler
Mimikatz output will appear in the PoshC2 console.
Browser C2 – Mimikatz PoshC2
References
如有侵权请联系:admin#unsafe.sh