In this article we will look at frameworks that help exploit vulnerabilities, gain a foothold and move deeper into the target infrastructure. We will go through the main current projects, their functions and features. I hope you find something new for yourself or, while reading, work out how to make your own workflow even more efficient.
All information is provided for educational purposes only. Neither the editors nor the author are liable for any harm caused by the information in this article.
Exploitation is a sequence of actions that lets an attacker gain access to the system under investigation by using a vulnerability or a misconfiguration. And because it is a sequence of actions, it can and should be automated.
If you are on the red team, you need tools that automate routine operations. At the same time it is important to stay stealthy and to be able to work together with the other members of the team.
Bear in mind that most critical systems today sit behind intrusion detection and prevention systems (IDS, IPS) and similar controls, and antivirus software is deployed on workstations. In such cases more thorough reconnaissance is needed, including social engineering, to build a picture of the target's structure and of the resources being attacked.
As you know, there are no ideal systems: there will always be a weak spot where you can gain a foothold and move deeper. But if you have only a single entry point, every step has to be thought through and every decision carefully weighed.
What is post-exploitation?
So, armed with your beloved Nmap or Masscan, you are looking at the recon results with curiosity, probably already rubbing your hands, going through the first exploits that come to mind, weighing the possibilities and looking forward to future gains.
As the term implies, post-exploitation means the actions that follow after the target infrastructure has been compromised. The value of a compromised system is determined by the weight of the data actually stored on it and by how you can use that data for your own purposes.
In other words, post-exploitation is the way in which information about a compromised target is put to use. At this stage we are talking about collecting sensitive information and documenting it, as well as about configuration settings, network interfaces and other communication channels.
For an attacker it is important to navigate well, to know where which data is stored, and to move quickly inside the compromised system while staying as stealthy as possible: using proxies, tunnelled connections (pivoting) and so on.
With a large scope of network resources it can be hard to keep track of which vulnerabilities were found where, which logins and passwords belong to what, which network security zones are reachable from where, where the payload has been dropped and where privileges can be escalated.
This is where frameworks help: they bring the necessary information together and make it possible to steer the process and advance through the target environment quickly. They may also include more convenient post-exploitation tooling.
Metasploit Framework
Let's start, of course, with the Rapid7 Metasploit Framework. At the time of writing, version 5.0.48 is available. Metasploit has the most modules of any framework today; it has something for almost every occasion. It also works with a local database that can hold scan results, discovered accounts and more.
Together with the Armitage front end, the framework can also act as a C2 (command and control) server. The main payload is Meterpreter, an interactive shell with which an attacker can examine the target machine, execute OS commands, inject into legitimate processes and much more. The msfvenom tool is used to generate payloads.
Metasploit is useful both for exploiting vulnerabilities and for post-exploitation. It ships with evasion modules intended to bypass antivirus software, intrusion prevention systems (IPS) and other security technologies. You can write your own module in one of three languages, Go, Python or Ruby, and you can also run a PostgreSQL-backed RESTful data service to connect several Metasploit consoles or external tools.
It is the most popular framework, it has a large community, and mountains of documentation and useful tips have been written about it, so we will calmly move on.
Cobalt Strike
The latest version is 3.14 from May 2019. This is an excellent framework for exploitation and post-exploitation. Its payload is Beacon, which can obfuscate itself and sleep to evade antivirus software, and supports injection into other processes. It works well as a C2 server and is especially convenient with a large scope. Out of the box it has a one-click payload generator and various delivery methods, which saves a lot of time.
Cobalt Strike's creed is stealth. Most of the time Beacon is asleep and only a periodic check-in (a "heartbeat") is sent to the C2, so it is not easy to find.
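The flip side of a sleeping implant is that its check-ins are nearly periodic, which is the property a defender looks for. The script below is an added example, not Cobalt Strike code and not from the original article: it computes the coefficient of variation of the inter-arrival times for one client-server pair and flags the pair as beaconing when enough check-ins are almost equally spaced. The timestamps are constructed (a 60-second sleep with roughly 10% jitter versus irregular human browsing); the thresholds `min_checkins` and `max_cv` are assumptions to tune per environment, and an operator who configures a large jitter will push the ratio above the threshold, which is exactly why periodicity alone is a weak signal.

```python
"""Beacon check-in periodicity check (added example, not Cobalt Strike code)."""
import statistics
from typing import List, Tuple

# Constructed: a Beacon sleeping 60 s with roughly 10 % jitter (gaps in seconds).
BEACON_INTERVALS = [60, 57, 63, 54, 66, 60, 58, 62, 55, 65]
# Constructed: irregular, human-driven requests to the same host.
HUMAN_INTERVALS = [5, 120, 2, 600, 30, 1, 900, 15, 45, 3]


def to_timestamps(intervals: List[int], start: int = 1_700_000_000) -> List[int]:
    """Turn a list of gaps into absolute epoch timestamps starting at `start`."""
    ts = [start]
    for gap in intervals:
        ts.append(ts[-1] + gap)
    return ts


def interarrival(timestamps: List[int]) -> List[int]:
    """Gaps between consecutive check-ins; sorts first so log order does not matter."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps: List[int]) -> Tuple[float, float]:
    """Return (mean gap, coefficient of variation) for a series of check-ins.

    A low coefficient of variation (std / mean) means the gaps are nearly equal,
    i.e. the traffic looks like a sleep loop rather than a human.
    """
    gaps = interarrival(timestamps)
    if len(gaps) < 2:
        raise ValueError("need at least three check-ins to measure periodicity")
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def is_beaconing(timestamps: List[int], min_checkins: int = 8, max_cv: float = 0.2) -> bool:
    """Flag a client/server pair as beaconing.

    min_checkins avoids flagging a handful of coincidentally spaced requests;
    max_cv = 0.2 tolerates small jitter (assumed thresholds, tune per environment).
    """
    if len(timestamps) < min_checkins:
        return False
    _, cv = beacon_score(timestamps)
    return cv <= max_cv


if __name__ == "__main__":
    for name, gaps in (("beacon", BEACON_INTERVALS), ("human", HUMAN_INTERVALS)):
        ts = to_timestamps(gaps)
        mean, cv = beacon_score(ts)
        print(f"{name}: mean={mean:.1f}s cv={cv:.3f} beaconing={is_beaconing(ts)}")
```

In practice the same computation is run per (source, destination, URI) tuple over proxy or NetFlow records, and combined with other signals (data volume per check-in, user-agent rarity, time-of-day profile) before anyone is paged.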
The biggest drawback of Cobalt Strike is that it is not available to ordinary users: it is a commercial product, and the developers are serious about controlling distribution. There is a 21-day trial, but in this mode you will run into significant limitations.
Cobalt Strike generates its own executables and DLLs with the Artifact Kit. These artifacts load the payload in a way that helps bypass some antivirus products. The trial version ships only with the default Artifact Kit template and does not let you build your own artifacts.
The trial version also does not load Malleable C2 profiles, the feature that lets users change the network indicators of the Beacon payload. Every HTTP GET request from the trial includes an X-Malware header whose value is the EICAR string. Similarly, the Java attack modules include an EICAR file inside the .jar packages.
Finally, the payload encoder is removed from the trial version. All these restrictions exist so that the trial cannot be used for malicious purposes.
EICAR (the EICAR test file, from the European Institute for Computer Antivirus Research) is a small 68-byte COM file that is not a virus: it only prints a text message and returns control to the operating system. It was created as a single standard for checking that an antivirus works, and consists of a fixed, well-known sequence of printable bytes.
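Because the trial adds a fixed header to every GET, a proxy or IDS that sees raw request headers can flag it with a trivial check. The following is an added example, not part of the original article and not Cobalt Strike code: it parses raw HTTP requests as a proxy might log them and reports every request that carries an X-Malware header containing the EICAR marker, matching the header name case-insensitively so that a casing difference does not slip past. The three requests are constructed samples, the host names are placeholders, and the header value is a stand-in string rather than the real EICAR bytes.

```python
"""Flag trial Cobalt Strike traffic by its X-Malware header (added example)."""
from typing import Dict, List

# Constructed raw HTTP requests, written the way a proxy might log them.
SAMPLE_REQUESTS = [
    # Trial-style Beacon check-in: carries the tell-tale header.
    "GET /updates/check?id=42 HTTP/1.1\r\n"
    "Host: cdn.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Malware: EICAR-test-string-placeholder\r\n\r\n",
    # Ordinary browsing: no such header.
    "GET /index.html HTTP/1.1\r\n"
    "Host: benign.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    # Same marker with different header-name casing, which a naive
    # case-sensitive substring match would miss.
    "GET /api/v1/poll HTTP/1.1\r\n"
    "Host: drop.example.test\r\n"
    "x-malware: EICAR-test-string-placeholder\r\n\r\n",
]


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request into its request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines instead of aborting the scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_trial_cobalt_request(raw: str) -> bool:
    """True when the request carries X-Malware with the EICAR marker."""
    headers = parse_request(raw)["headers"]
    value = headers.get("x-malware")
    return value is not None and "EICAR" in value.upper()


def find_trial_cobalt(raws: List[str]) -> List[Dict[str, str]]:
    """Return host/method/target for every request that matches."""
    hits = []
    for raw in raws:
        if is_trial_cobalt_request(raw):
            req = parse_request(raw)
            hits.append({
                "host": req["headers"].get("host", "?"),
                "method": req["method"],
                "target": req["target"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_trial_cobalt(SAMPLE_REQUESTS):
        print(f"trial Cobalt Strike marker: {hit['method']} {hit['host']}{hit['target']}")
```

A licensed copy does not send this header, so the check is only useful for catching the trial; a licensed Beacon with a custom Malleable C2 profile has to be found by the behavioural approach above.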
Covenant
Now we move on to less popular but still noteworthy options. Covenant is an open source post-exploitation framework that runs on .NET Core. It supports Docker, which makes it easy to bring up a container with it on any system. The framework has three components: Covenant, the server side; Elite, the console client (temporarily removed for rework in the latest release); and Grunt, the implant. It has a clear, simple web interface with three user roles.
Its main purpose is to serve as a C2 server for the red team. Payloads can be generated directly from the web interface or from the console, and all the options are available there.
The dashboard shows active sessions, the list of tasks for implants and the list of listeners.
That is, during teamwork operators can see what information has already been obtained and from where, where which type of implant is active, and so on. Results are saved as numbered tickets, and command output is saved as well.
The listener profile edit page lets you change any parameter, including request and response headers, callbacks and the formats of requests and responses. For convenience there is a graph showing connections of the form "listener – parent node – child node".
All information collected from the attacked resources is categorized. The framework has an interactive command shell with highlighting of all available commands.
Covenant can be customized by creating your own templates, and it is great for post-exploitation tasks on Windows.
Apfell
Apfell is a cross-platform post-exploitation framework built around Python 3 and Docker. Like Covenant, it is designed primarily as a C2 server for the red team.
Internally Apfell is a set of Docker containers: a Python web server handles most of the requests through a RESTful API and WebSockets, talks to a PostgreSQL database and communicates with the other containers through RabbitMQ. This lets you place individual components on separate physical machines or, if needed, on different virtual machines.
The framework can combine the work of several teams. In the operations manager you can view status and configure permissions and communications. Apfell's goal is a simple environment where agents are configured on a plug-and-play basis.
Thanks to Docker, the build is extremely fast and straightforward. The database holds all the basic information for operators: discovered accounts, payloads, tasks, responses, files and screenshots. Apfell lets you use the MITRE ATT&CK classification in your workflow, and every activity can be commented on, which helps the team work in a single information space. Payloads are generated in the web interface, and there is an agent management console.
Apfell is a decent framework, but only for red team tasks; because of its narrow focus it is unlikely to suit anything else.
Faction
Faction is another post-exploitation framework and, as you might have guessed, another platform for deploying a C2. It makes interaction with agents easy through a well-documented REST API and Socket.IO.
Faction consists of a core responsible for user interaction with agents, an environment for building modules and agents, and a CLI for managing the framework. User roles are admin, operator and read-only.
Currently Faction supports only .NET payloads and modules. Marauder is provided as an example agent, but you can easily write your own.
Communication between Faction and its agents is built on a flexible system of transports (connectors) that provides strongly encrypted communications. The default transport is DIRECT, a connection straight to the C2. When a new transport is created, an API key is generated for it.
Faction also lets you query its data with SQL, which is sometimes more convenient than the web interface.
Overall it is a good option, but it lacks interactivity and deeper tool configuration.
Koadic
Koadic is an open source framework for post-exploitation of Windows. It is easy to deploy and operate and uses VBScript/JScript. Koadic is really quite "silent" and leaves fewer traces on the system than, for example, the PowerShell-based frameworks. Payloads can run both from disk and in memory, and Koadic supports SSL/TLS encryption.
The framework consists of stagers and implants. Stagers define how the payload is launched on the target system; implants are ready-made script packages.
By the way, active sessions here are called zombies!
The most necessary implants are available out of the box, and you can always extend the set with your own.
The Koadic console displays the completed and active jobs of the implants. Overall, the interface reminds everyone of the well-loved Metasploit.
The framework can truly be called flexible and efficient, and its support for many Windows versions only adds to that picture.
Merlin
Merlin is another cross-platform post-exploitation framework, this time written in Go. One of its distinguishing features is C2 communication over HTTP/2, which helps it slip past security controls. The framework's data/bin directory already contains pre-compiled agents for Windows, Linux, macOS and PowerShell, as well as DLLs. The address https://127.0.0.1:443 is baked into them by default; for the agents you can change it with the -url flag, and for a DLL by recompiling it.
The console is friendly and interactive. Agents are driven by creating tasks, which is of course not fully interactive, but it makes no noise.
Merlin has a wide range of modules for each platform and combines lightness, stealth and efficiency.
EmpireProject / Empire
A cross-platform post-exploitation framework whose server side is written in Python. Unfortunately, development of the project has stopped, but the framework's capabilities are broad to this day. Empire includes a PowerShell 2.0 agent for Windows and a Python 2.6/2.7 agent for Linux and macOS.
The framework's unusual name is no accident: two projects, PowerShell Empire and Python EmPyre, were merged. Empire runs PowerShell agents without needing powershell.exe. This makes it possible to deploy any post-exploitation module quickly, from keyloggers to Mimikatz, together with adaptable communications to evade detection, all wrapped in a usability-focused framework.
The project has extensive, accessible documentation in which you will find everything you need to use Empire.
C3 (Custom Command and Control) framework (MWR Labs)
Finally, the last post-exploitation framework we will look at. C3 is essentially a wrapper around a C2: its purpose is the flexible routing of an external C2's traffic through legitimate services. For example, Office 365, Slack, Google Drive, Dropbox and other services used daily in offices can be adapted for this purpose.
The C3 concept was first presented at the BlueHat v18 conference by William Knowles and Dave Hartley. The MWR Labs framework is open source and consists of the following nodes.
- Relay – an executable running on a compromised system. Relays communicate with each other via interfaces, or directly with the gateway.
- Gateway – a special relay that controls a single C3 network and is responsible for the link back to the C2.
- Channel – the scheme by which relays talk to each other, hidden inside a legitimate service typical of the target environment, for example the Slack API.
- Gateway Return Channel – a configured channel that a relay uses to send data back to the gateway. It may also be a route through another relay.
- Interface – a high-level name for any component that sends and receives data on the C3 network.
- Route – the intended communication path through relays back to the gateway. A third-party C2 implant (for example a Cobalt Strike SMB Beacon) acts as a peripheral.
- Connector – integration with third-party C2 systems. C3 by MWR Labs supports tight integration with the Cobalt Strike team server through Cobalt Strike's External C2 feature (started with the externalc2_start command in the script console).
At first glance C3 seems too complicated, and it takes time to figure it all out. In practice, though, the convenient interface, fast deployment and the freedom to design your own architecture around the specifics of the target environment help a lot.
First, launch the WebController and set the URL, or run the StartWebController.cmd script.
Then, in the web application, configure the first gateway. As you already know, nothing works without it.
Once the gateway checks in, you are taken automatically to the framework's management console, where you build your architecture.
Many actions take just a couple of clicks. You generate a new channel by clicking on the gateway, and a new relay by clicking on the channel you created. All the necessary information is filled in automatically. At this stage you can specify the architecture, file type (.exe, .dll) and more.
Detailed information is available for each relay: OS version, which user it is running as and when it was last online.
It is also important to know that there are two types of channel. A negotiation channel allows several connections between the gateway and relays over one channel; a non-negotiation channel allows only one relay to connect to the gateway. The screenshot shows an example of a negotiation channel organized through the Slack API.
The framework can be finely tuned and any communication scheme built. You can realize all kinds of creative scenarios, which is valuable in itself.
I have summarized the main features of the frameworks reviewed in a table for ease of comparison.
| Name | Purpose | Language | Docker support | Platform | MITRE ATT&CK | Team collaboration | License |
|---|---|---|---|---|---|---|---|
| Covenant | post-exploitation | C# (.NET) | + | cross-platform | – | + | GNU GPLv3 |
| C3 MWR Labs | post-exploitation | C++ (.NET) | – | Windows | – | + | BSD-3 |
Now let's talk about choosing. This is a very important point, and you need to take into account all the specifics of the attack vectors against the target systems. The framework must provide anonymity and satisfy, as far as possible, the needs of the techniques being used.
Of the nine frameworks described, Cobalt Strike and Metasploit have the most convenient tooling out of the box. Cobalt Strike, especially combined with MWR Labs C3, provides a decent level of stealth and supports collaborative work well.
The free community edition of Metasploit contains an up-to-date set of exploits and post-exploitation tools and provides flexible payload generation and antivirus evasion tools (evasion modules), which unfortunately are not very effective by default, so you have to improvise.
With Cobalt Strike, antivirus evasion is simpler, but the price and the difficulty of buying it can be a big obstacle.
Merlin and Koadic are well suited to short-term attacks because of the way they interact with their C2. In particular, Merlin uses network resources efficiently over HTTP/2, which minimizes the impact of latency thanks to header compression. At the same time it allows multiple exchanges within a single connection, which is useful for bypassing IPS and IDS.
An advantage of Koadic is its use of Windows Script Host (a Windows component for running JScript and VBScript scripts). This allows scripts similar to batch files but with extra capabilities. Thanks to this it can be used on many versions of Windows, including Windows 10.
Apfell, Faction and Covenant are young, developing frameworks in which small bugs are still found. For now this calls their use into question in cases where mistakes are not allowed.
The situation with Empire is similar: because the project is no longer developed, the stability of the framework has suffered noticeably, and I would not use it in serious operations.
And of course, this article does not cover all existing tools by any means. Experiment, and you will find what suits you!