Added C3 Client

Mariusz B. / mgeeky 2021-03-24 04:21:01 +01:00
parent 254a4860b8
commit ed4791fb4e
4 changed files with 1372 additions and 0 deletions


@ -0,0 +1,180 @@
## F-Secure's C3 Client script
This is a simple [F-Secure C3](https://github.com/FSecureLABS/C3) client Python script offering a few functions to interact with C3 framework in an automated manner.
It connects to the C3 WebController (typically the one that's listening on port _52935_) and allows to issue API requests automating few things for us.
### Usage:
The script offers subcommands-kind of CLI interface, so after every command one can issue `--help` to get subcommand's help message.
**General help**:
```
PS D:\> py c3-client.py --help
:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
usage:
Usage: ./c3-client.py [options] <host> <command> [...]
positional arguments:
host C3 Web API host:port
{alarm,list,get,ping,channel}
command help
alarm Alarm options
list List options
get Get options
ping Ping Relays
channel Send Channel-specific command
optional arguments:
-h, --help show this help message and exit
-v, --verbose Display verbose output.
-d, --debug Display debug output.
-f {json,text}, --format {json,text}
Output format. Can be JSON or text (default).
-A user:pass, --httpauth user:pass
HTTP Basic Authentication (user:pass)
```
**Example of a sub-help**:
```
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay --help
:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
usage: Usage: ./c3-client.py [options] <host> <command> [...] alarm relay [-h] [-e EXECUTE] [-x WEBHOOK] [-g gateway_id]
optional arguments:
-h, --help show this help message and exit
-e EXECUTE, --execute EXECUTE
If new Relay checks in - execute this command. Use following placeholders in your command: <computerName>, <userName>,
<domain>, <isElevated>, <osVersion>, <processId>, <relayName>, <relayId>, <buildId>, <timestamp> to customize executed
command's parameters. Example: powershell -c "Add-Type -AssemblyName System.Speech; $synth = New-Object -TypeName
System.Speech.Synthesis.SpeechSynthesizer; $synth.Speak('New Relay just checked-in
<domain>/<userName>@<computerName>')"
-x WEBHOOK, --webhook WEBHOOK
Trigger a Webhook (HTTP POST request) to this URL whenever a new Relay checks-in. The request will contain JSON message
with all the fields available, mentioned in --execute option.
-g gateway_id, --gateway-id gateway_id
ID (or Name) of the Gateway which Relays should be returned. If not given, will result all relays from all gateways.
```
Currently, following commands are supported:
- `list`
- `gateways` - list gateways in either JSON or text format
- `relays` - list relays in either JSON or text format
- `get`
- `gateway` - get gateway details in text or JSON format
- `relay` - get relay details in text or JSON format
- `alarm`
- `relay` - trigger an alarm whenever a new Relay checks-in on a gateway
- `ping` - ping selected Relays
- `channel` - channel-specific commands
- `mattermost`
- `clear` - Clear Mattermost's channel messages to improve bandwidth
- `ldap`
- `clear` - Clear LDAP attribute to improve bandwidth
- `mssql`
- `clear` - Clear DB Table entries to improve bandwidth
- `uncsharefile`
- `clear` - Remove all message files to improve bandwidth
- `dropbox`
- `clear` - Remove All Files to improve bandwidth
- `github`
- `clear` - Remove All Files to improve bandwidth
- `googledrive`
- `clear` - Remove All Files to improve bandwidth
### Example Usage
**Example 1**
This example shows how to keep all of your Relays pinged every 45 seconds:
```
PS D:\> py c3-client.py http://192.168.0.200:52935 ping -k 45
:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
[.] Sending a ping every 45 seconds.
[.] Pinged relay: matter4 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[.] Pinged relay: ldap9 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[+] Pinged 4 active relays.
[.] Sending a ping every 45 seconds.
[.] Pinged relay: matter4 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[.] Pinged relay: ldap9 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[+] Pinged 4 active relays.
```
**Example 2**
In this example setup an alarm that triggers upon new Relay checking-in. Whenever that happens, a command is executed with placeholders that will be substituted with values extracted from Relay's metadata:
```
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay -g gate4 --execute "powershell -file speak.ps1 -message \`"New C3 Relay Inbound: <domain>/<userName>, computer: <computerName>\`""
:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
[.] Entering infinite-loop awaiting for new Relays...
[+] New Relay checked-in!
Relay 5: matter4
Relay ID: 70a6f7c456f049c8
Build ID: 795f
Is active: True (+)
Timestamp: 2021-03-24 04:14:34
Host Info:
Computer: JUMPBOX
Domain: CONTOSO
User Name: alice
Is elevated: False
OS Version: Windows 10.0 Server SP: 0.0 Build 14393
Process ID: 4092
Channels:
Gateway Return Channel (GRC) 1:
Jitter: 3.5 ... 6.5
Properties:
Name: Output ID
Value: 3UM2G2TW
Name: Input ID
Value: fftuO5py
Name: Mattermost Server URL
Value: http://192.168.0.210:8080
Name: Mattermost Team Name
Value: foobar
Name: Mattermost Access Token
Value: c3g7sokucbgidgxxxxxxxxxx
Name: Channel name
Value: x26vg0
Name: User-Agent Header
Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
[.] Executing command: powershell -file speak.ps1 -message "New C3 Relay Inbound: CONTOSO/alice, computer: JUMPBOX"
```
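Review bot: the `--execute` option (help text for `-e EXECUTE` and Example 2) expands `<computerName>`, `<userName>`, `<domain>` and the other placeholders straight into a command-line string, as the `[.] Executing command: powershell -file speak.ps1 -message "New C3 Relay Inbound: CONTOSO/alice, computer: JUMPBOX"` line shows, yet those values are produced by the compromised host, not by the operator. If that string is then handed to a shell (the c3-client.py diff is not shown here), a Relay whose hostname, domain or user name contains shell or PowerShell metacharacters injects commands into the operator's workstation the moment it checks in. Document that the substituted fields are untrusted, and either build the command as an argument list with each placeholder filled in as a discrete argument, or quote/escape every value for the target shell before expansion. Two smaller points in the same hunk: the `alarm relay` output dumps every channel property, including `Mattermost Access Token` (shown masked here as `c3g7sokucbgidgxxxxxxxxxx`), so channel secrets land in terminal scrollback and in whatever log the alarm loop is piped to, worth redacting by default; and `-A user:pass` puts the WebController credentials into the process list and shell history, so the help text should at least point at an environment-variable or prompt alternative.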



@ -0,0 +1,7 @@
param (
[string]$message
)
Add-Type -AssemblyName System.Speech
$synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer
$synth.Speak($message)
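Review bot: `$synth` is a `System.Speech.Synthesis.SpeechSynthesizer`, which implements IDisposable, but it is never disposed; since this script is spawned on every Relay check-in, add `$synth.Dispose()` after the `Speak` call (or wrap the call in try/finally) so the audio handle is released when the script ends rather than left to process teardown. Also `[string]$message` carries no `[Parameter(Mandatory)]`, so invoking the script without `-message` speaks an empty string and exits cleanly instead of failing; marking the parameter mandatory makes a broken `--execute` template visible immediately.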


@ -42,6 +42,8 @@ PS > $ExecutionContext.SessionState.LanguageMode
FullLanguage FullLanguage
``` ```
- [**`C3-Client`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/C3-Client) - A lightweight [F-Secure's C3](https://github.com/FSecureLABS/C3) client script letting you setup an alarm on incoming Relay, continuously ping your Relays, Clear commands queues in various channels, and others. Might be useful while working with the framework.
- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015)) - **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
- **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage: - **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage:
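Review bot: the new bullet's "Clear commands queues in various channels" does not match what the `channel ... clear` subcommands in the added README actually do: per their own descriptions they clear Mattermost channel messages, an LDAP attribute, DB table entries and message files in the UNC share, Dropbox, GitHub and Google Drive channels "to improve bandwidth", i.e. they purge a channel's backing message store, not a command queue. Suggest "purge stale messages from a channel's backing store (Mattermost, LDAP, MSSQL, UNC share, Dropbox, GitHub, Google Drive)". Minor style in the same line: "Clear" should be lowercase mid-sentence and "setup an alarm" should read "set up an alarm".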