This is my version of c2, intended for penetration testing, but also useful for validation automation.
- reverse/bind socket/pipe shell
- exe/ps1 payload
- hta/js/vba/vbs payload using GadgetToJScript
- buildin ps command lists to get av,clm,al
- command history for each stager
- tab completion
- AMSI/AV bypass
-
python3.7 + pywin32
-
Microsoft Visual Studio 2019
-
If you prefer kali, use networking trick
sudo sysctl -w net.ipv4.ip_forward=1 sudo iptables -t nat -A POSTROUTING -o [VPN INTERFACE] -j MASQUERADE [Add Kali ip to Windows route table] sudo iptables -t nat -A PREROUTING -d [VPN IP] -j DNAT --to-destination [LOCAL WINDOWS] sudo iptables -t nat -A POSTROUTING -s [LOCAL WINDOWS] -j SNAT --to-source [VPN IP] -
If want to share connection
sudo iptables -t nat -A PREROUTING -d [VPN IP] -p tcp --dport [DPORT] -j DNAT --to-destination [LOCAL WINDOWS]:[LOCAL PORT]
- psload can be used to load any ps script in the database to the stager runspace
- maketoken from sharpsploit is integrated
- psexec can be chained with maketoken
- hta -> powershell
cdintoolwill change both ps directory and .net directory the same time.
- enter remote ps session, use
psresetto reset back to local session.
- start a new stager using powershell.
- jump using remote powershell.
- kerberoast and asreproast
- this will allow connecting to the target from a running stager
- With .Net 4.8 on 17763 (ie. KB4486153), process injection using the technique available in GadgetToJSscript template will fail to load
System.Management.Automation.dllon the targeted process. It only happens with 32bit and possible workaround with inject topowershell.exeinstead.
- for education and reseach only
- some of the imbedded tools are from online repo and training course, and improved/av-bypessed by me. let me know if licensing issue, will remove immediately.