181 lines
6.6 KiB
Markdown
181 lines
6.6 KiB
Markdown
|
## F-Secure's C3 Client script
|
||
|
|
||
|
This is a simple [F-Secure C3](https://github.com/FSecureLABS/C3) client Python script offering a few functions to interact with C3 framework in an automated manner.
|
||
|
|
||
|
It connects to the C3 WebController (typically the one that's listening on port _52935_) and allows to issue API requests automating few things for us.
|
||
|
|
||
|
### Usage:
|
||
|
|
||
|
The script offers subcommands-kind of CLI interface, so after every command one can issue `--help` to get subcommand's help message.
|
||
|
|
||
|
|
||
|
**General help**:
|
||
|
|
||
|
```
|
||
|
PS D:\> py c3-client.py --help
|
||
|
|
||
|
:: C3 Client - a lightweight automated companion with C3 voyages
|
||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||
|
|
||
|
usage:
|
||
|
Usage: ./c3-client.py [options] <host> <command> [...]
|
||
|
|
||
|
positional arguments:
|
||
|
host C3 Web API host:port
|
||
|
{alarm,list,get,ping,channel}
|
||
|
command help
|
||
|
alarm Alarm options
|
||
|
list List options
|
||
|
get Get options
|
||
|
ping Ping Relays
|
||
|
channel Send Channel-specific command
|
||
|
|
||
|
optional arguments:
|
||
|
-h, --help show this help message and exit
|
||
|
-v, --verbose Display verbose output.
|
||
|
-d, --debug Display debug output.
|
||
|
-f {json,text}, --format {json,text}
|
||
|
Output format. Can be JSON or text (default).
|
||
|
-A user:pass, --httpauth user:pass
|
||
|
HTTP Basic Authentication (user:pass)
|
||
|
```
|
||
|
|
||
|
**Example of a sub-help**:
|
||
|
|
||
|
```
|
||
|
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay --help
|
||
|
|
||
|
:: C3 Client - a lightweight automated companion with C3 voyages
|
||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||
|
|
||
|
usage: Usage: ./c3-client.py [options] <host> <command> [...] alarm relay [-h] [-e EXECUTE] [-x WEBHOOK] [-g gateway_id]
|
||
|
|
||
|
optional arguments:
|
||
|
-h, --help show this help message and exit
|
||
|
-e EXECUTE, --execute EXECUTE
|
||
|
If new Relay checks in - execute this command. Use following placeholders in your command: <computerName>, <userName>,
|
||
|
<domain>, <isElevated>, <osVersion>, <processId>, <relayName>, <relayId>, <buildId>, <timestamp> to customize executed
|
||
|
command's parameters. Example: powershell -c "Add-Type -AssemblyName System.Speech; $synth = New-Object -TypeName
|
||
|
System.Speech.Synthesis.SpeechSynthesizer; $synth.Speak('New Relay just checked-in
|
||
|
<domain>/<userName>@<computerName>')"
|
||
|
-x WEBHOOK, --webhook WEBHOOK
|
||
|
Trigger a Webhook (HTTP POST request) to this URL whenever a new Relay checks-in. The request will contain JSON message
|
||
|
with all the fields available, mentioned in --execute option.
|
||
|
-g gateway_id, --gateway-id gateway_id
|
||
|
ID (or Name) of the Gateway which Relays should be returned. If not given, will result all relays from all gateways.
|
||
|
```
|
||
|
|
||
|
Currently, following commands are supported:
|
||
|
|
||
|
- `list`
|
||
|
- `gateways` - list gateways in either JSON or text format
|
||
|
- `relays` - list relays in either JSON or text format
|
||
|
|
||
|
- `get`
|
||
|
- `gateway` - get gateway details in text or JSON format
|
||
|
- `relay` - get relay details in text or JSON format
|
||
|
|
||
|
- `alarm`
|
||
|
- `relay` - trigger an alarm whenever a new Relay checks-in on a gateway
|
||
|
|
||
|
- `ping` - ping selected Relays
|
||
|
|
||
|
- `channel` - channel-specific commands
|
||
|
- `mattermost`
|
||
|
- `clear` - Clear Mattermost's channel messages to improve bandwidth
|
||
|
- `ldap`
|
||
|
- `clear` - Clear LDAP attribute to improve bandwidth
|
||
|
- `mssql`
|
||
|
- `clear` - Clear DB Table entries to improve bandwidth
|
||
|
- `uncsharefile`
|
||
|
- `clear` - Remove all message files to improve bandwidth
|
||
|
- `dropbox`
|
||
|
- `clear` - Remove All Files to improve bandwidth
|
||
|
- `github`
|
||
|
- `clear` - Remove All Files to improve bandwidth
|
||
|
- `googledrive`
|
||
|
- `clear` - Remove All Files to improve bandwidth
|
||
|
|
||
|
|
||
|
### Example Usage
|
||
|
|
||
|
**Example 1**
|
||
|
This example shows how to keep all of your Relays pinged every 45 seconds:
|
||
|
|
||
|
```
|
||
|
PS D:\> py c3-client.py http://192.168.0.200:52935 ping -k 45
|
||
|
|
||
|
:: C3 Client - a lightweight automated companion with C3 voyages
|
||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||
|
|
||
|
[.] Sending a ping every 45 seconds.
|
||
|
[.] Pinged relay: matter4 from gateway gate4
|
||
|
[.] Pinged relay: mssql1 from gateway gate4
|
||
|
[.] Pinged relay: ldap9 from gateway gate4
|
||
|
[.] Pinged relay: mssql1 from gateway gate4
|
||
|
[+] Pinged 4 active relays.
|
||
|
|
||
|
[.] Sending a ping every 45 seconds.
|
||
|
[.] Pinged relay: matter4 from gateway gate4
|
||
|
[.] Pinged relay: mssql1 from gateway gate4
|
||
|
[.] Pinged relay: ldap9 from gateway gate4
|
||
|
[.] Pinged relay: mssql1 from gateway gate4
|
||
|
[+] Pinged 4 active relays.
|
||
|
|
||
|
```
|
||
|
|
||
|
**Example 2**
|
||
|
|
||
|
In this example setup an alarm that triggers upon new Relay checking-in. Whenever that happens, a command is executed with placeholders that will be substituted with values extracted from Relay's metadata:
|
||
|
|
||
|
```
|
||
|
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay -g gate4 --execute "powershell -file speak.ps1 -message \`"New C3 Relay Inbound: <domain>/<userName>, computer: <computerName>\`""
|
||
|
|
||
|
:: C3 Client - a lightweight automated companion with C3 voyages
|
||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||
|
|
||
|
[.] Entering infinite-loop awaiting for new Relays...
|
||
|
[+] New Relay checked-in!
|
||
|
Relay 5: matter4
|
||
|
Relay ID: 70a6f7c456f049c8
|
||
|
Build ID: 795f
|
||
|
Is active: True (+)
|
||
|
Timestamp: 2021-03-24 04:14:34
|
||
|
Host Info:
|
||
|
Computer: JUMPBOX
|
||
|
Domain: CONTOSO
|
||
|
User Name: alice
|
||
|
Is elevated: False
|
||
|
OS Version: Windows 10.0 Server SP: 0.0 Build 14393
|
||
|
Process ID: 4092
|
||
|
|
||
|
Channels:
|
||
|
Gateway Return Channel (GRC) 1:
|
||
|
Jitter: 3.5 ... 6.5
|
||
|
Properties:
|
||
|
Name: Output ID
|
||
|
Value: 3UM2G2TW
|
||
|
|
||
|
Name: Input ID
|
||
|
Value: fftuO5py
|
||
|
|
||
|
Name: Mattermost Server URL
|
||
|
Value: http://192.168.0.210:8080
|
||
|
|
||
|
Name: Mattermost Team Name
|
||
|
Value: foobar
|
||
|
|
||
|
Name: Mattermost Access Token
|
||
|
Value: c3g7sokucbgidgxxxxxxxxxx
|
||
|
|
||
|
Name: Channel name
|
||
|
Value: x26vg0
|
||
|
|
||
|
Name: User-Agent Header
|
||
|
Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
|
||
|
|
||
|
[.] Executing command: powershell -file speak.ps1 -message "New C3 Relay Inbound: CONTOSO/alice, computer: JUMPBOX"
|
||
|
|
||
|
```
|
||
|
|