PoshC2 v5.0 is here and there are significant changes and improvements that we’re very excited to reveal! There’s been a move to Python3, much improved documentation, significant functionality and quality of life improvements, and more. Read on for a detailed description of it all!
We have had a bit of a change around with repository names, as described here.
- The latest version of PoshC2 will now be hosted at https://github.com/nettitude/PoshC2. If that’s all you need, skip to the next section!
- The old (and very original) PowerShell server-based version of PoshC2 has been moved to https://github.com/nettitude/PoshC2_old. This repository is no longer maintained but everything is still fully functional should you want to use it.
- The PoshC2_Python URL https://github.com/nettitude/PoshC2_Python is no longer in use. It will redirect to https://github.com/nettitude/PoshC2 so that users with existing installations will not find them broken when they update.
This brings us back to PoshC2 being the latest and greatest repository, and PoshC2_old being the obsolete repository.
The documentation for PoshC2 has been completely re-written and updated, with emphasis on red team trade-craft when using PoshC2 and on extending and customising it to suit any situation or environment.
It will still be updated regularly, but there will be less focus on what all the different techniques are, and more on how to use PoshC2 itself. Check it out at https://poshc2.readthedocs.io.
PoshC2 has been completely updated to use Python3. With Python2 becoming End-of-Life in January 2020, it was quite an important change to make.
Efforts have been made to abstract the potentially difficult nuances of setting up and using PoshC2 away from the user. Remember having to change into the PoshC2 directory, setup and use a Python virtual environment, to avoid dependency version clashes with the rest of your system? That’s a thing of the past.
The install script now installs a number of posh-* commands to your /usr/bin directory, before setting up the virtual environment ahead of time. These scripts then encapsulate the use of that environment for the user, allowing PoshC2 to be run and configured from any directory, and it will seamlessly use the virtual environment and other configurations behind the scenes.
For example, PoshC2 can be configured from any directory using your editor of choice by issuing:
It can then be installed and run as a service simply by executing:
Conversely so it can be stopped using:
The Implant-Handler can now be started using posh with a username which is used for logging purposes:
posh –u crashoverride
…and you’re good to go.
Use of these scripts is recommended, as any further logic will also go into them and we will work to ensure that PoshC2 works seamlessly when they are used, while other techniques may not be maintained.
PoshC2 now has an intelligent new prompt that can aid users when performing red teaming!
This prompt has context-sensitive auto-completions, intelligently suggesting commands based on the current prompt, such as PowerShell commands in a PowerShell prompt and so on. A unique command history is stored per context, so you won’t have to scroll back through PowerShell commands on a C# implant.
In addition to this, the prompt features fish-shell-like auto-suggestions in dark grey text based on commands from that prompt’s history, so if you want to repeat or edit log commands you can complete the suggestion by pressing the right-arrow key or ctrl+e.
Combined with the help and searchhelp commands, we hope that this will allow users of PoshC2 to quickly explore PoshC2s functionality and enable veteran users efficiency and speed of operation for those crucial engagements.
SharpSocks has undergone some significant improvements and integration into PoshC2. It started out as a standalone cmdlet that can be initiated from any PS session, but we have now fully integrated this so the users can be in any implant and type sharpsocks to get this going. A full separate blog has been written with all the changes for SharpSocks and can be found here:
Several new payloads have been added out-of-the-box, including a DotNet2JS payload using James Forshaw’s DotNet2JScript technique, and a new C# payload for PowerShell Implants.
Sharp Implant Improvements
.NET 4.8 introduced Antimalware scanning for all assemblies, including those loaded using Assembly.Load(byte bytes), which previously went unchecked and is used by our PowerShell-less C# implant to load C# executables and run them in memory.
This release features a new bypass-amsi command for the C# implant which will patch AMSI in memory and allow flagged modules to be loaded and executed.
We fully appreciate that nobody has time to type out long commands over and over. To that end, we’ve streamlined the run-exe commands for the C# Implant. Now, instead of run-exe Seatbelt.Program Seatbelt all it’s just seatbelt all.
We’ve added aliases for all our favourite commands, but you can add your own in Alias.py. See the documentation for more details.
Lateral Movement Methods
In addition to integrating SharpSocks, we’ve integrated PBind, another great tool written by Doug McLeod. This is now full integrated into PoshC2 and users can type invoke-wmijspbindpayload with the relevant arguments to try and attempt execution on another endpoint using SMB named pipes. The default SMB named pipe for PoshC2 is jaccdpqnvbrrxlaf.
invoke-wmijspbindpayload -target -domain -user -pass ''
In addition to the lateral movement command, PoshC2 will automatically create several payloads that are named PBind payloads. These, like the normal payloads, can be executed against a remote host in whichever technique you prefer to use; dcom, wmi, psexec, etc.
Once you have initiated the payload on a remote host, it will automatically open an SMB named pipe ready for connection. You must know the secret key, the encryption key and the pipe name to communicate, but we already have you covered for this as it tells you what commands to run to interact with the PBind implant:
If you want any other information on PBind, a previous blog covers the techniques in more details and the comms methods including a diagram.
Amongst the various scripts that are added to /usr/bin is the fpc (Find PoshC2 Command) script, added to aid in reporting. This script allows you to search for PoshC2 commands, filtering on keywords in the command, the command output and by user.
We’ve improved the credential management in PoshC2, and now when you run Mimikatz’s logonpasswords, the credentials will automatically be parsed and stored in the database, and can be displayed or manipulated using the creds command.
There’s also a myriad other improvements such as to logging, tracking file hashes on upload, UX improvements, internal modularisation and refactoring and module updates, with a lot more in the pipeline to come. Stay tuned on Twitter (@Nettitude_Labs, @benpturner, @m0rv4i) for the latest updates or join the PoshC2 slack channel by emailing labs at nettitude dot com.
There’s a lot planned for PoshC2 but the main upcoming features are detailed below.
The bad news is that support for any platform other than Debian flavours of Linux has been retired. While PoshC2 is written in Python3 and can be maintained to work across multiple platforms, we have instead elected to only support Debian-based distributions. However, we are working to bring Docker support to PoshC2 to add the ability to run PoshC2 from a Docker container, allowing full and stable execution across any platform that supports Docker, including Windows and Mac OSX.
A docker branch has been created with a Dockerfile added in addition to a number of Docker commands that can be used to manage the containers, but this is still very much in an unstable format.
One of the biggest concerns when running a red team engagement is operational security, and to that end we’re working on improving both the offensive side by making more of the inner workings of PoshC2 configurable, but also the reporting side by improving file upload tracking, hosts and users compromised and so on.
This will complement improvements to the HTML report and improve the OpSec and reporting side of things considerably.
The full changelist is below:
- Added Harmj0y’s KeeThief to modules
- Added RastaMouse’s Watson to modules
- Added SafetyDump for minidumping in memory
- Added file hashing when a file is uploaded
- Rework imports to improve dependency management
- Break up ImplantHandler into PSHandler.py, PyHandler.py and SharpHandler.py
- Add ability to upload a file to an ADS
- Update BloodHound
- Pull out unpatched payloads into file for easy management
- Add base64 encoded versions of the shellcode to the payloads directory
- Add a configurable jitter to all implants
- Update the notifications config if it is changed in the Config.py
- Add NotificationsProjectName in Config.py which is displayed in notifications message
- Add fpc script which searches the Posh DB for a particular command
- Modify InjectShellcode logged command to remove base64 encoded shellcode and instead just log loaded filename
- Add aliases for common sharp modules
- Fix Shellcode_migrate payload creation
- Start randomuris with a letter then proceed with random letters and numbers as e.g. msbuild errors if task name starts with a number
- Fix issue with cred-popper and keylogger using same variable and conflicting
- Add SCF files to the opsec command
- Add posh commands on *nix for abstracting the use of pipenv and set up the env in the install script.
- Move to python3 as python2 is EoL in 2020
- Misc performance improvments, such as reduced cylomatic complexity and only processing the command once per input
- Store creds in the DB, add ability to add creds/have them automatically parsed from mimikatz and add ability to specify use of a credId for some commands
- Add create-shortcut command
- Don’t show powershell one liner when domain fronting as it tries to connect directly
- Added set-killdate command
- Added posh-stop-service linux command
- Updated Mimikatz
- Added SafetyKatz
- posh-config uses $EDITOR variable
- New Sharp_Powershell_Runner payload compilation with mono
- Added DotNet2JS Payload generation
- Added get-computerinfo and get-dodgyprocesses to c# core
- Misc small fixes
- Updated help and readme
- Add new prompt with intelligent autocompletions, autosuggestions and smart history
- Log when a user logs on or logs off in the C2 server output
- Add ability to broadcast messages in the C2 server output using the ‘message’ command
- Add quit commands to Sharp and Python handlers
- output-to-html renamed to generate-reports
- Force setting of username for logging
- Show Implant type at Implant prompt
- Update User Agent string to match current Chrome
- Added New SharpSocks
- Addd * suffix for usernames for High Integrity processes
- Added lateral movements to Sharp Implant (SMB/DCOM/WMI)
- Add AMSI bypass for C# Implant
- Updated PBIND hosts in opsec
- Added invoke-mimikatz output from PBIND to be parsed
- Updated PBIND to send stderror if the command does not work
- Added remove-label for implants
- Updated PSHandler to add DomainFrontURL to sharpsocks if in use
- Updated RunAs-NetOnly
- Added RunAs-NetOnly which uses SimpleImpersonation to create a token
- Removed print statement on pbind-loadmodule
- Updated pbind-command and pbind-module
- Updated the pbind commands
- Updated invoke-wmijspbindpayload
- Added PBind payloads to PoshC2
- Updated opsec error when username is None
- Add output-to-html retired message
- Add Matterpreter’s Shhmon
- Updated ‘tasks’ command to add ImplantID
- List PowerShell modules pretty like C# modules
- Add new Sharp modules
- Port the .NET AMSI Bypass to PowerShell
- Updated Get-ScreenshotMulti to Continue if Screen is Locked
- Correct Jitter time equation in PS implant
- Print last commit and timestamp in header
- Prompt improvements
- Updated C2Server / SharpSocks Error responses
- Updated HTML output
- Update fpc.py to use virtualenv and only copy fpc to /usr/bin
- Updated help
- Expand on opsec no-nos
- Update inject-shellcode help