mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 02:21:36 +01:00
Added C3 Client
This commit is contained in:
parent
254a4860b8
commit
ed4791fb4e
180
red-teaming/C3-Client/README.md
Normal file
@ -0,0 +1,180 @@
## F-Secure's C3 Client script

This is a simple [F-Secure C3](https://github.com/FSecureLABS/C3) client Python script offering a few functions to interact with C3 framework in an automated manner.

It connects to the C3 WebController (typically the one that's listening on port _52935_) and allows to issue API requests automating few things for us.

### Usage:

The script offers subcommands-kind of CLI interface, so after every command one can issue `--help` to get subcommand's help message.


**General help**:

```
PS D:\> py c3-client.py --help

:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>

usage:
Usage: ./c3-client.py [options] <host> <command> [...]

positional arguments:
host C3 Web API host:port
{alarm,list,get,ping,channel}
command help
alarm Alarm options
list List options
get Get options
ping Ping Relays
channel Send Channel-specific command

optional arguments:
-h, --help show this help message and exit
-v, --verbose Display verbose output.
-d, --debug Display debug output.
-f {json,text}, --format {json,text}
Output format. Can be JSON or text (default).
-A user:pass, --httpauth user:pass
HTTP Basic Authentication (user:pass)
```

**Example of a sub-help**:

```
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay --help

:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>

usage: Usage: ./c3-client.py [options] <host> <command> [...] alarm relay [-h] [-e EXECUTE] [-x WEBHOOK] [-g gateway_id]

optional arguments:
-h, --help show this help message and exit
-e EXECUTE, --execute EXECUTE
If new Relay checks in - execute this command. Use following placeholders in your command: <computerName>, <userName>,
<domain>, <isElevated>, <osVersion>, <processId>, <relayName>, <relayId>, <buildId>, <timestamp> to customize executed
command's parameters. Example: powershell -c "Add-Type -AssemblyName System.Speech; $synth = New-Object -TypeName
System.Speech.Synthesis.SpeechSynthesizer; $synth.Speak('New Relay just checked-in
<domain>/<userName>@<computerName>')"
-x WEBHOOK, --webhook WEBHOOK
Trigger a Webhook (HTTP POST request) to this URL whenever a new Relay checks-in. The request will contain JSON message
with all the fields available, mentioned in --execute option.
-g gateway_id, --gateway-id gateway_id
ID (or Name) of the Gateway which Relays should be returned. If not given, will result all relays from all gateways.
```

Currently, following commands are supported:

- `list`
- `gateways` - list gateways in either JSON or text format
- `relays` - list relays in either JSON or text format

- `get`
- `gateway` - get gateway details in text or JSON format
- `relay` - get relay details in text or JSON format

- `alarm`
- `relay` - trigger an alarm whenever a new Relay checks-in on a gateway

- `ping` - ping selected Relays

- `channel` - channel-specific commands
- `mattermost`
- `clear` - Clear Mattermost's channel messages to improve bandwidth
- `ldap`
- `clear` - Clear LDAP attribute to improve bandwidth
- `mssql`
- `clear` - Clear DB Table entries to improve bandwidth
- `uncsharefile`
- `clear` - Remove all message files to improve bandwidth
- `dropbox`
- `clear` - Remove All Files to improve bandwidth
- `github`
- `clear` - Remove All Files to improve bandwidth
- `googledrive`
- `clear` - Remove All Files to improve bandwidth


### Example Usage

**Example 1**
This example shows how to keep all of your Relays pinged every 45 seconds:

```
PS D:\> py c3-client.py http://192.168.0.200:52935 ping -k 45

:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>

[.] Sending a ping every 45 seconds.
[.] Pinged relay: matter4 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[.] Pinged relay: ldap9 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[+] Pinged 4 active relays.

[.] Sending a ping every 45 seconds.
[.] Pinged relay: matter4 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[.] Pinged relay: ldap9 from gateway gate4
[.] Pinged relay: mssql1 from gateway gate4
[+] Pinged 4 active relays.

```

**Example 2**

In this example setup an alarm that triggers upon new Relay checking-in. Whenever that happens, a command is executed with placeholders that will be substituted with values extracted from Relay's metadata:

```
PS D:\> py c3-client.py -f text http://192.168.0.200:52935 alarm relay -g gate4 --execute "powershell -file speak.ps1 -message \`"New C3 Relay Inbound: <domain>/<userName>, computer: <computerName>\`""

:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>

[.] Entering infinite-loop awaiting for new Relays...
[+] New Relay checked-in!
Relay 5: matter4
Relay ID: 70a6f7c456f049c8
Build ID: 795f
Is active: True (+)
Timestamp: 2021-03-24 04:14:34
Host Info:
Computer: JUMPBOX
Domain: CONTOSO
User Name: alice
Is elevated: False
OS Version: Windows 10.0 Server SP: 0.0 Build 14393
Process ID: 4092

Channels:
Gateway Return Channel (GRC) 1:
Jitter: 3.5 ... 6.5
Properties:
Name: Output ID
Value: 3UM2G2TW

Name: Input ID
Value: fftuO5py

Name: Mattermost Server URL
Value: http://192.168.0.210:8080

Name: Mattermost Team Name
Value: foobar

Name: Mattermost Access Token
Value: c3g7sokucbgidgxxxxxxxxxx

Name: Channel name
Value: x26vg0

Name: User-Agent Header
Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)

[.] Executing command: powershell -file speak.ps1 -message "New C3 Relay Inbound: CONTOSO/alice, computer: JUMPBOX"

```
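Review bot: the `-e EXECUTE, --execute EXECUTE` help text and Example 2 show the `<computerName>`, `<userName>`, `<domain>` and similar placeholders being substituted into one command string (`[.] Executing command: powershell -file speak.ps1 -message "New C3 Relay Inbound: CONTOSO/alice, computer: JUMPBOX"`), and those values come from the Relay's host metadata, which the compromised host controls. A hostname or user name containing a double quote or other command-line metacharacters would break out of the `-message "..."` argument on the operator's machine; the README should state whether substituted values are escaped, and if they are not, they should be quoted or passed as a separate argument rather than spliced into a string. Two smaller points: `-A user:pass, --httpauth user:pass` puts the WebController credentials on the command line, where they end up in shell history and process listings, so an environment variable or interactive prompt would be safer; and the Example 2 text output prints the `Mattermost Access Token` property (masked here as `c3g7sokucbgidgxxxxxxxxxx`), which a real run will print in full, so secret-looking channel properties deserve redaction in `-f text` output. Finally, Example 1 lists `mssql1` twice per round while the summary reads `[+] Pinged 4 active relays.`, which looks like a copy of the wrong line.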
1183
red-teaming/C3-Client/c3-client.py
Normal file
File diff suppressed because it is too large
7
red-teaming/C3-Client/speak.ps1
Normal file
@ -0,0 +1,7 @@
param (
[string]$message
)

Add-Type -AssemblyName System.Speech
$synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer
$synth.Speak($message)
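Review bot: `$synth` is a `System.Speech.Synthesis.SpeechSynthesizer`, which is disposable, and the script never disposes it after `$synth.Speak($message)`; add `$synth.Dispose()` (or a try/finally around the `Speak` call) so the audio device handle is released when the script is invoked repeatedly from the C3 Client alarm loop. Also `[string]$message` is an optional parameter, so running the script with no argument, or with an empty substitution from the client, silently speaks nothing; marking it `[Parameter(Mandatory=$true)]` or adding `[ValidateNotNullOrEmpty()]` makes that case fail loudly.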
@ -42,6 +42,8 @@ PS > $ExecutionContext.SessionState.LanguageMode
FullLanguage
```

- [**`C3-Client`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/C3-Client) - A lightweight [F-Secure's C3](https://github.com/FSecureLABS/C3) client script letting you setup an alarm on incoming Relay, continuously ping your Relays, Clear commands queues in various channels, and others. Might be useful while working with the framework.

- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))

- **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage:
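Review bot: the added bullet describes the tool as able to `Clear commands queues in various channels`, but the `C3-Client/README.md` added in this same commit documents the `channel ... clear` subcommands as clearing channel messages, an LDAP attribute, DB table entries or message files `to improve bandwidth`, not command queues; align the wording (for example "clear leftover messages from various channels") so the top-level README does not promise something the tool's own documentation does not. Minor: `letting you setup an alarm` should read `set up`.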