Interacting with Beacons
Contents:
- System
- Beacon
- Process
- Enumeration
- File System
- Privilege Escalation
- Modules
The table below contains a list of system commands.
+-------------+-------------+-----------------------+
| Type | Command | Description |
+-------------+-------------+-----------------------+
| system | exit | Exit shad0w C2 |
| system | help | Show help information |
+-------------+-------------+-----------------------+
The table below contains a list of beacon commands.
+-------------+-------------+------------------------------------------+
| Type | Command | Description |
+-------------+-------------+------------------------------------------+
| beacon | beacons | Interact with or display current beacons |
| beacon | die | Kill the current beacon |
| beacon | set | Set the value of a variable |
+-------------+-------------+------------------------------------------+
Use beacons with the -i flag followed by a beacon number to interact with a particular beacon.
While you are interacting with a beacon, a white bar at the bottom of the terminal shows information about that beacon.
When you use die to kill the current beacon you will receive a warning; as a safety measure you must also pass the -y flag for the beacon to actually be killed.
The table below contains a list of process commands.
+-------------+-------------+-------------------------------------------------------------+
| Type | Command | Description |
+-------------+-------------+-------------------------------------------------------------+
| process | getpid | Show current process info |
| process | binject | Inject a new beacon into a process |
| process | dllinject | Inject a DLL into a process |
| process | hijack | Hijack a running process and force it to run your shellcode |
| process | migrate | Migrate a beacon to a different process |
| process | ps | Show running processes |
| process | sharpdump | Create a mini dump of a process |
| process | shinject | Execute shellcode inside a process |
+-------------+-------------+-------------------------------------------------------------+
Once you have an active beacon you are not confined to the process it started in: shad0w lets you list processes, move the beacon between them and spawn new beacons in other processes.
Use getpid to show information about the process the current beacon is running in.
Use ps to list the running processes.
Use migrate with the -p flag and a process ID to move the current beacon into that process.
Use binject with the -p flag and a process ID to inject a new copy of the current beacon into another process (migrate moves the existing beacon; binject gives you an additional one).
Use shinject and dllinject to inject raw shellcode or a DLL, respectively, into a process. The -p flag gives the target process ID and the -f flag the file to inject:
shad0w(SYSTEM@DC01) ≫ shinject -p 8725 -f shellcode.bin
shad0w(SYSTEM@DC01) ≫ dllinject -p 4267 -f yourfile.dll
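shinject expects the file given with -f to contain raw shellcode, but payload generators often hand you the same bytes as hex text or as a C array, and a PE (EXE or DLL) belongs to dllinject or execute rather than shinject. The following preflight script is an added example, not part of shad0w or of this page: it classifies the file you are about to inject, converts the hex-text and C-array forms to raw bytes, and refuses a PE. The sample byte strings are constructed, and the classification is a heuristic (raw shellcode that happens to consist only of ASCII hex digits, or that contains a literal "\x" or "0x" followed by two hex digits, would be misread), so treat it as a sanity check rather than a guarantee.

```python
import re
import string
import sys

# Constructed sample inputs (not real payloads): the same four bytes in the
# three on-disk forms operators commonly end up with, plus a PE header.
RAW_SAMPLE = b"\x90\x90\xcc\xc3"
HEX_TEXT_SAMPLE = b"9090ccc3\n"
C_ARRAY_SAMPLE = b'unsigned char buf[] = "\\x90\\x90\\xcc\\xc3";\n'
PE_SAMPLE = b"MZ" + b"\x00" * 62

# Matches "\x90" (C / Python string escapes) or "0x90" (C array initialisers).
_ESCAPED_BYTE = re.compile(rb"(?:\\x|0x)([0-9a-fA-F]{2})")


def classify_payload(data: bytes) -> str:
    """Guess what an operator is about to hand to shinject -f.

    Returns "empty", "pe", "c-array", "hex-text" or "raw". This is a
    heuristic: raw shellcode that happens to be all ASCII hex digits, or
    that contains a literal "\\x" or "0x" plus two hex digits, would be
    misclassified, so treat the answer as a sanity check only.
    """
    if not data:
        return "empty"
    if data[:2] == b"MZ":
        # A PE image (EXE/DLL) is not raw shellcode.
        return "pe"
    if _ESCAPED_BYTE.search(data):
        return "c-array"
    compact = b"".join(data.split())
    if compact and len(compact) % 2 == 0 and all(chr(c) in string.hexdigits for c in compact):
        return "hex-text"
    return "raw"


def to_raw(data: bytes) -> bytes:
    """Normalise the text encodings to raw bytes; refuse anything that is not shellcode."""
    kind = classify_payload(data)
    if kind == "raw":
        return data
    if kind == "c-array":
        return bytes(int(h, 16) for h in _ESCAPED_BYTE.findall(data))
    if kind == "hex-text":
        return bytes.fromhex(b"".join(data.split()).decode("ascii"))
    raise ValueError(f"refusing to treat {kind} input as shellcode")


if __name__ == "__main__":
    # usage: python preflight.py shellcode.bin
    # Writes shellcode.bin.raw next to the input if a conversion was needed.
    blob = open(sys.argv[1], "rb").read()
    kind = classify_payload(blob)
    raw = to_raw(blob)
    print(f"{sys.argv[1]}: {kind}, {len(raw)} bytes of shellcode")
    if kind != "raw":
        open(sys.argv[1] + ".raw", "wb").write(raw)
```

Run it against the file before the shinject line above; if it reports "pe", use dllinject (for a DLL) or execute (for an EXE) instead of shinject.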
The table below contains a list of enumeration commands.
+-------------+-------------+-------------------------------------------------------------------+
| Type | Command | Description |
+-------------+-------------+-------------------------------------------------------------------+
| enumeration | dotnet | Show installed .NET versions |
| enumeration | seatbelt | Perform a number of security oriented host-survey "safety checks" |
| enumeration | sharpchrome | Retrieve saved logins and cookies from Google Chrome |
| enumeration | watson | Show missing KBs and suggest exploits for priv esc |
| enumeration | whoami | Show info about the current user |
+-------------+-------------+-------------------------------------------------------------------+
Use dotnet to show the installed .NET versions.
The table below contains a list of file system commands.
+-------------+-------------+------------------------------------------------+
| Type | Command | Description |
+-------------+-------------+------------------------------------------------+
| file system | cat | Show the contents of a file on a target |
| file system | cd | Change the working directory on a target |
| file system | download | Download a file from a target |
| file system | ls | List the files in a directory on a target |
| file system | mkdir | Create a new directory on a target |
| file system | pwd | Show the current working directory on a target |
| file system | rm | Delete a file on a target |
| file system | upload | Upload a file to a target |
+-------------+-------------+------------------------------------------------+
Shad0w uses Linux-style commands to interact with a target's file system.
Use ls to list the files in a directory, cd to change the current directory, pwd to print the current working directory, rm to delete a file and mkdir to create a new directory.
The table below contains a list of priv esc commands.
+-------------+-------------+----------------------------------------------------------------------------------------+
| Type | Command | Description |
+-------------+-------------+----------------------------------------------------------------------------------------+
| priv esc | elevate | Attempt to elevate privileges |
| priv esc | sharpup | A C# port of various PowerUp functionality (performs some privilege escalation checks) |
+-------------+-------------+----------------------------------------------------------------------------------------+
Use elevate with the following flags to attempt to elevate privileges:
- -l to list the available exploits.
- -c to check whether the target is vulnerable to an exploit.
- -u to use an exploit on the target.
The table below contains a list of module commands.
+-------------+-------------+--------------------------------------------------------------------------------------+
| Type | Command | Description |
+-------------+-------------+--------------------------------------------------------------------------------------+
| module | execute | Execute a .NET assembly, DLL, EXE, JS, VBS or XSL file in memory |
| module | gitl | Universally Evade Sysmon and ETW - patch the kernel to disable Windows event logging |
| module | lockless | Allows for the enumeration of open file handles and the copying of locked files |
| module | meterpreter | Metasploit handover module that generates and deploys a Metasploit payload in memory |
| module | mimikatz | Execute Mimikatz commands in memory |
| module | psh | Run unmanaged PowerShell on a session |
| module | rubeus | A toolset for raw Kerberos interaction and abuses |
| module | safetykatz | Mini dump LSASS then use Mimikatz sekurlsa::logonpasswords and sekurlsa::ekeys on it |
| module | sharpdpapi | A C# port of some DPAPI functionality from Mimikatz |
| module | sharphound | A C# rewrite of the BloodHound3 Ingestor, targeted for .NET 4.5 |
| module | sharpsocks | Create a SOCKS tunnel over HTTP/HTTPS |
| module | sharpwmi | An implementation of various WMI functionality including local/remote WMI queries |
+-------------+-------------+--------------------------------------------------------------------------------------+
Use execute to run a .NET assembly, DLL, EXE, JS, VBS or XSL file in memory.
Pass the file with the -f flag and any arguments to it with the -p flag.
This extends what you can do from a beacon considerably; for example, running the right tooling in memory lets you perform actions such as DCSync and pass-the-hash (pth).
Use psh to run unmanaged PowerShell in the current session (PowerShell hosted inside the beacon rather than a separate powershell.exe). This option is very flexible and allows you to perform a wide range of actions.
Use the -c flag to execute a single PowerShell command.
Use the -l flag to list the currently available modules.
Additional modules can be added by placing them in the scripts directory and rebuilding shad0w.
Use the -m flag to import a module. The C2 hosts the module at a random path; the beacon downloads and invokes it, and only then runs the command given with the -c flag.
Use the -i flag to get information about a module.
shad0w contains modules for all of the GhostPack binaries:
- rubeus
- safetykatz
- seatbelt
- sharpchrome
- sharpdpapi
- sharpdump
- sharpup
- sharpwmi
This allows you to run any of these tools with a single command, rather than loading the assembly yourself with execute.
Using these modules, it is possible to perform a wide range of lateral movement techniques.
BloodHound is supported via the sharphound module, which accepts all of the command line switches of the original program.
Once sharphound has run, use download to grab the resulting zip file.
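Check the zip before feeding it to BloodHound: a download over the beacon channel can arrive incomplete, and a damaged archive fails late in the import. The script below is an added example, not shad0w's code and not from this page. It builds a tiny constructed SharpHound-style zip in memory and then verifies it the way you would verify a downloaded one: every member's CRC via testzip, and that each JSON file's meta.count matches the number of objects it actually contains. The file naming (one <timestamp>_<type>.json per object type) and the meta layout are assumed from the collector's JSON output format; confirm them against the SharpHound version you are running.

```python
import io
import json
import sys
import zipfile


def build_sample_zip() -> bytes:
    """Construct a tiny SharpHound-style zip in memory (sample data, not a real collection).

    The layout is assumed: one <timestamp>_<type>.json per object type, each holding a
    list keyed by the type plus a "meta" block with "type" and "count".
    """
    files = {
        "20200101120000_users.json": {
            "users": [{"Name": "ALICE@CORP.LOCAL"}, {"Name": "BOB@CORP.LOCAL"}],
            "meta": {"type": "users", "count": 2, "version": 3},
        },
        "20200101120000_computers.json": {
            "computers": [{"Name": "DC01.CORP.LOCAL"}],
            "meta": {"type": "computers", "count": 1, "version": 3},
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in files.items():
            zf.writestr(name, json.dumps(payload))
    return buf.getvalue()


def inspect_collection(zip_bytes: bytes) -> dict:
    """Return {object_type: count} for a downloaded zip, or raise ValueError if it is damaged."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        # A truncated download usually loses the central directory at the end of the file.
        raise ValueError(f"not a complete zip: {exc}") from exc
    bad = zf.testzip()  # CRC-checks every member; returns the first bad name or None
    if bad is not None:
        raise ValueError(f"corrupt member in zip: {bad}")
    counts = {}
    for name in zf.namelist():
        if not name.endswith(".json"):
            continue
        doc = json.loads(zf.read(name))
        meta = doc.get("meta", {})
        kind = meta.get("type")
        if kind is None or kind not in doc:
            raise ValueError(f"{name}: missing meta.type or its object list")
        if meta.get("count") != len(doc[kind]):
            raise ValueError(f"{name}: meta.count does not match the number of objects")
        counts[kind] = len(doc[kind])
    if not counts:
        raise ValueError("no JSON collection files in zip")
    return counts


def simulate_truncated_download(zip_bytes: bytes) -> bytes:
    """Drop the second half of the archive, as an interrupted beacon download would."""
    return zip_bytes[: len(zip_bytes) // 2]


if __name__ == "__main__":
    # usage: python check_sharphound.py <downloaded>.zip
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    for kind, n in sorted(inspect_collection(data).items()):
        print(f"{kind}: {n}")
```

If the check raises, re-run download rather than importing a partial collection; a zip that passes here at least contains what the collector said it wrote.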
A slightly customised version of SharpSocks is currently used for SOCKS proxying.
Use the -q flag to set up a quick SOCKS connection.
Using the server and listen arguments, it is possible to build much more complex SOCKS configurations.