mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2025-01-24 08:19:30 +01:00
Added C3 Client
parent
254a4860b8
commit
ed4791fb4e
180
red-teaming/C3-Client/README.md
Normal file
@ -0,0 +1,180 @@
|
||||
## F-Secure's C3 Client script
|
||||
|
||||
This is a simple [F-Secure C3](https://github.com/FSecureLABS/C3) client Python script offering a few functions to interact with C3 framework in an automated manner.
|
||||
|
||||
It connects to the C3 WebController (typically the one that's listening on port _52935_) and allows to issue API requests automating few things for us.
|
||||
|
||||
### Usage:
|
||||
|
||||
The script offers subcommands-kind of CLI interface, so after every command one can issue `--help` to get subcommand's help message.
|
||||
|
||||
|
||||
**General help**:
|
||||
|
||||
```
|
||||
PS D:\> py c3-client.py --help
|
||||
|
||||
:: C3 Client - a lightweight automated companion with C3 voyages
|
||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||
|
||||
usage:
|
||||
Usage: ./c3-client.py [options] <host> <command> [...]
|
||||
|
||||
positional arguments:
|
||||
host C3 Web API host:port
|
||||
{alarm,list,get,ping,channel}
|
||||
command help
|
||||
alarm Alarm options
|
||||
list List options
|
||||
get Get options
|
||||
ping Ping Relays
|
||||
channel Send Channel-specific command
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-v, --verbose Display verbose output.
|
||||
-d, --debug Display debug output.
|
||||
-f {json,text}, --format {json,text}
|
||||
Output format. Can be JSON or text (default).
|
||||
-A user:pass, --httpauth user:pass
|
||||
HTTP Basic Authentication (user:pass)
|
||||
```
|
||||
|
||||
**Example of a sub-help**:
|
||||
|
||||
```
|
||||
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay --help
|
||||
|
||||
:: C3 Client - a lightweight automated companion with C3 voyages
|
||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||
|
||||
usage: Usage: ./c3-client.py [options] <host> <command> [...] alarm relay [-h] [-e EXECUTE] [-x WEBHOOK] [-g gateway_id]
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-e EXECUTE, --execute EXECUTE
|
||||
If new Relay checks in - execute this command. Use following placeholders in your command: <computerName>, <userName>,
|
||||
<domain>, <isElevated>, <osVersion>, <processId>, <relayName>, <relayId>, <buildId>, <timestamp> to customize executed
|
||||
command's parameters. Example: powershell -c "Add-Type -AssemblyName System.Speech; $synth = New-Object -TypeName
|
||||
System.Speech.Synthesis.SpeechSynthesizer; $synth.Speak('New Relay just checked-in
|
||||
<domain>/<userName>@<computerName>')"
|
||||
-x WEBHOOK, --webhook WEBHOOK
|
||||
Trigger a Webhook (HTTP POST request) to this URL whenever a new Relay checks-in. The request will contain JSON message
|
||||
with all the fields available, mentioned in --execute option.
|
||||
-g gateway_id, --gateway-id gateway_id
|
||||
ID (or Name) of the Gateway which Relays should be returned. If not given, will result all relays from all gateways.
|
||||
```
|
||||
|
||||
Currently, following commands are supported:
|
||||
|
||||
- `list`
|
||||
- `gateways` - list gateways in either JSON or text format
|
||||
- `relays` - list relays in either JSON or text format
|
||||
|
||||
- `get`
|
||||
- `gateway` - get gateway details in text or JSON format
|
||||
- `relay` - get relay details in text or JSON format
|
||||
|
||||
- `alarm`
|
||||
- `relay` - trigger an alarm whenever a new Relay checks-in on a gateway
|
||||
|
||||
- `ping` - ping selected Relays
|
||||
|
||||
- `channel` - channel-specific commands
|
||||
- `mattermost`
|
||||
- `clear` - Clear Mattermost's channel messages to improve bandwidth
|
||||
- `ldap`
|
||||
- `clear` - Clear LDAP attribute to improve bandwidth
|
||||
- `mssql`
|
||||
- `clear` - Clear DB Table entries to improve bandwidth
|
||||
- `uncsharefile`
|
||||
- `clear` - Remove all message files to improve bandwidth
|
||||
- `dropbox`
|
||||
- `clear` - Remove All Files to improve bandwidth
|
||||
- `github`
|
||||
- `clear` - Remove All Files to improve bandwidth
|
||||
- `googledrive`
|
||||
- `clear` - Remove All Files to improve bandwidth
|
||||
|
||||
|
||||
### Example Usage
|
||||
|
||||
**Example 1**
|
||||
This example shows how to keep all of your Relays pinged every 45 seconds:
|
||||
|
||||
```
|
||||
PS D:\> py c3-client.py http://192.168.0.200:52935 ping -k 45
|
||||
|
||||
:: C3 Client - a lightweight automated companion with C3 voyages
|
||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||
|
||||
[.] Sending a ping every 45 seconds.
|
||||
[.] Pinged relay: matter4 from gateway gate4
|
||||
[.] Pinged relay: mssql1 from gateway gate4
|
||||
[.] Pinged relay: ldap9 from gateway gate4
|
||||
[.] Pinged relay: mssql1 from gateway gate4
|
||||
[+] Pinged 4 active relays.
|
||||
|
||||
[.] Sending a ping every 45 seconds.
|
||||
[.] Pinged relay: matter4 from gateway gate4
|
||||
[.] Pinged relay: mssql1 from gateway gate4
|
||||
[.] Pinged relay: ldap9 from gateway gate4
|
||||
[.] Pinged relay: mssql1 from gateway gate4
|
||||
[+] Pinged 4 active relays.
|
||||
|
||||
```
|
||||
|
||||
**Example 2**
|
||||
|
||||
In this example setup an alarm that triggers upon new Relay checking-in. Whenever that happens, a command is executed with placeholders that will be substituted with values extracted from Relay's metadata:
|
||||
|
||||
```
|
||||
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay -g gate4 --execute "powershell -file speak.ps1 -message \`"New C3 Relay Inbound: <domain>/<userName>, computer: <computerName>\`""
|
||||
|
||||
:: C3 Client - a lightweight automated companion with C3 voyages
|
||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||
|
||||
[.] Entering infinite-loop awaiting for new Relays...
|
||||
[+] New Relay checked-in!
|
||||
Relay 5: matter4
|
||||
Relay ID: 70a6f7c456f049c8
|
||||
Build ID: 795f
|
||||
Is active: True (+)
|
||||
Timestamp: 2021-03-24 04:14:34
|
||||
Host Info:
|
||||
Computer: JUMPBOX
|
||||
Domain: CONTOSO
|
||||
User Name: alice
|
||||
Is elevated: False
|
||||
OS Version: Windows 10.0 Server SP: 0.0 Build 14393
|
||||
Process ID: 4092
|
||||
|
||||
Channels:
|
||||
Gateway Return Channel (GRC) 1:
|
||||
Jitter: 3.5 ... 6.5
|
||||
Properties:
|
||||
Name: Output ID
|
||||
Value: 3UM2G2TW
|
||||
|
||||
Name: Input ID
|
||||
Value: fftuO5py
|
||||
|
||||
Name: Mattermost Server URL
|
||||
Value: http://192.168.0.210:8080
|
||||
|
||||
Name: Mattermost Team Name
|
||||
Value: foobar
|
||||
|
||||
Name: Mattermost Access Token
|
||||
Value: c3g7sokucbgidgxxxxxxxxxx
|
||||
|
||||
Name: Channel name
|
||||
Value: x26vg0
|
||||
|
||||
Name: User-Agent Header
|
||||
Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
[.] Executing command: powershell -file speak.ps1 -message "New C3 Relay Inbound: CONTOSO/alice, computer: JUMPBOX"
|
||||
|
||||
```
|
||||
|
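Review bot: the `--execute` help text and Example 2 substitute Relay-reported fields (`<computerName>`, `<userName>`, `<domain>` and the rest) directly into a command line, and the README never says whether the substituted values are quoted or escaped before the command runs. These values come from the host the Relay runs on, so the README should state how they are sanitised (the c3-client.py diff is suppressed on this page, so it cannot be checked from here) and point users who consume the fields in other tooling to `--webhook`, which delivers them as JSON rather than as shell text. The Example 2 output also prints the `Mattermost Access Token` channel property, so it is worth adding a line that alarm output contains channel secrets and should be redacted before it is logged or shared.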
1183
red-teaming/C3-Client/c3-client.py
Normal file
File diff suppressed because it is too large
7
red-teaming/C3-Client/speak.ps1
Normal file
@ -0,0 +1,7 @@
|
||||
param (
|
||||
[string]$message
|
||||
)
|
||||
|
||||
Add-Type -AssemblyName System.Speech
|
||||
$synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer
|
||||
$synth.Speak($message)
|
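Review bot: the `param` block declares `[string]$message` without marking it mandatory, so running the script without `-message` goes straight to `$synth.Speak($message)` with nothing to say and no error to the caller. Consider `[Parameter(Mandatory=$true)]` on the parameter, and call `$synth.Dispose()` after `Speak` so repeated alarm invocations do not leave synthesizer objects undisposed. A short comment header saying the script is the helper used by the README's `--execute` example would also help, since the file has no documentation of its own.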
@ -42,6 +42,8 @@ PS > $ExecutionContext.SessionState.LanguageMode
|
||||
FullLanguage
|
||||
```
|
||||
|
||||
- [**`C3-Client`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/C3-Client) - A lightweight [F-Secure's C3](https://github.com/FSecureLABS/C3) client script letting you setup an alarm on incoming Relay, continuously ping your Relays, Clear commands queues in various channels, and others. Might be useful while working with the framework.
|
||||
|
||||
- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
|
||||
|
||||
- **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage:
|
||||
|
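Review bot: style point on the added `C3-Client` list entry: "letting you setup an alarm" should read "set up", "Clear commands queues" has a stray capital mid-sentence, and "and others" gives the reader nothing to go on. Suggest listing the actual subcommands from the tool's README (`alarm`, `ping`, `list`, `get`, `channel ... clear`) so the entry matches what the script offers.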