
Interacting with Beacons

Lee Baird edited this page Mar 21, 2021 · 34 revisions

System
Beacon
Process
Enumeration
File System
Privilege Escalation
Modules


System

The table below contains a list of system commands.

+-------------+-------------+-----------------------+
| Type        | Command     | Description           |
+-------------+-------------+-----------------------+
| system      | exit        | Exit shad0w C2        |
| system      | help        | Show help information |
+-------------+-------------+-----------------------+

Beacon

The table below contains a list of beacon commands.

+-------------+-------------+------------------------------------------+
| Type        | Command     | Description                              |
+-------------+-------------+------------------------------------------+
| beacon      | beacons     | Interact with or display current beacons |
| beacon      | die         | Kill the current beacon                  |
| beacon      | set         | Set the value of a variable              |
+-------------+-------------+------------------------------------------+

beacons

Use the -i flag followed by a beacon number to interact with a particular beacon.

[screenshot: interact]

When you interact with a beacon, a white bar at the bottom of the Terminal will appear containing information about the beacon.

[screenshot: bar]

When you use die to kill the current beacon, you will receive a warning. You must provide the -y flag as a safety measure.

[screenshot: die]

Process

The table below contains a list of process commands.

+-------------+-------------+-------------------------------------------------------------+
| Type        | Command     | Description                                                 |
+-------------+-------------+-------------------------------------------------------------+
| process     | getpid      | Show current process info                                   |
| process     | binject     | Inject a new beacon into a process                          |
| process     | dllinject   | Inject a DLL into a process                                 |
| process     | hijack      | Hijack a running process and force it to run your shellcode |
| process     | migrate     | Migrate a beacon to a different process                     |
| process     | ps          | Show running processes                                      |
| process     | sharpdump   | Create a mini dump of a process                             |
| process     | shinject    | Execute shellcode inside a process                          |
+-------------+-------------+-------------------------------------------------------------+

Once you have an active beacon you are not confined to a single process: shad0w lets you list processes, migrate the beacon to another process, and spawn new beacons in other processes.

Use getpid to show information about the process the current beacon is running in.

[screenshot: getpid]

Use ps to show running processes.

[screenshot: ps]

Use migrate with the -p flag and a process number to migrate the current beacon to a new process.

[screenshot: migrate]

Use binject with the -p flag and a process number to inject a new copy of the current beacon into another process.

[screenshot: binject]

Use shinject to inject raw shellcode and dllinject to inject a DLL into a process.

shad0w(SYSTEM@DC01) ≫ shinject -p 8725 -f shellcode.bin
shad0w(SYSTEM@DC01) ≫ dllinject -p 4267 -f yourfile.dll
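From the defender's side, the process commands above all leave host telemetry behind: a thread created in another process (Sysmon event ID 8) and, for sharpdump against LSASS, a process opening lsass.exe with memory-read rights (Sysmon event ID 10). The following is an added triage example, not shad0w code and not from this wiki; the event field names, the msmpeng.exe allowlist and the sample records are all constructed.

```python
# Added detection example (not shad0w code or from this wiki): triage of
# constructed Sysmon-style records for the host-side traces of the commands
# above, a thread created in another process (EID 8; shinject, dllinject,
# migrate, binject) and lsass.exe opened with memory-read rights (EID 10; sharpdump).
PROCESS_VM_READ = 0x0010  # access bit needed to read a target's memory
ALLOWED_LSASS_READERS = {"msmpeng.exe"}  # assumed allowlist; tune per environment

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_remote_thread_injection(ev: dict) -> bool:
    """EID 8: a remote thread whose start address is not backed by a loaded
    module, the usual shape of injected shellcode or a reflective DLL."""
    if ev.get("eid") != 8 or ev.get("source_pid") == ev.get("target_pid"):
        return False
    return ev.get("start_module", "unknown").lower() in ("", "unknown")

def is_lsass_memory_access(ev: dict) -> bool:
    """EID 10: a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    if ev.get("eid") != 10 or _basename(ev.get("target_image", "")) != "lsass.exe":
        return False
    if _basename(ev.get("source_image", "")) in ALLOWED_LSASS_READERS:
        return False
    return bool(int(ev.get("granted_access", "0x0"), 16) & PROCESS_VM_READ)

def triage(events: list) -> list:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if is_remote_thread_injection(ev):
            alerts.append(f"injection: {ev['source_image']} ({ev['source_pid']}) -> "
                          f"{ev['target_image']} ({ev['target_pid']})")
        elif is_lsass_memory_access(ev):
            alerts.append(f"lsass-access: {ev['source_image']} ({ev['source_pid']}) "
                          f"granted {ev['granted_access']}")
    return alerts

# Constructed sample events; field names loosely follow Sysmon EID 8/10.
SAMPLE_EVENTS = [
    {"eid": 8, "source_image": r"C:\Users\bob\app.exe", "source_pid": 4112,  # injection
     "target_image": r"C:\Windows\System32\svchost.exe", "target_pid": 8725, "start_module": "unknown"},
    {"eid": 8, "source_image": r"C:\Windows\explorer.exe", "source_pid": 2000,  # own process
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 2000, "start_module": "ntdll.dll"},
    {"eid": 10, "source_image": r"C:\Users\bob\app.exe", "source_pid": 4112,  # full access
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"eid": 10, "source_image": r"C:\ProgramData\MsMpEng.exe", "source_pid": 900,  # allowlisted
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1410"},
    {"eid": 10, "source_image": r"C:\Windows\System32\Taskmgr.exe", "source_pid": 3300,  # query only
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
]
```

Running triage(SAMPLE_EVENTS) yields two alerts, the injection into pid 8725 and the full-access open of lsass.exe; the allowlisted reader and the query-only handle are ignored.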

Enumeration

The table below contains a list of enumeration commands.

+-------------+-------------+-------------------------------------------------------------------+
| Type        | Command     | Description                                                       |
+-------------+-------------+-------------------------------------------------------------------+
| enumeration | dotnet      | Show installed .NET versions                                      |
| enumeration | seatbelt    | Perform a number of security oriented host-survey "safety checks" |
| enumeration | sharpchrome | Retrieve saved logins and cookies from Google Chrome              |
| enumeration | watson      | Show missing KBs and suggest exploits for priv esc                |
| enumeration | whoami      | Show info about the current user                                  |
+-------------+-------------+-------------------------------------------------------------------+

Use dotnet to show installed .NET versions.

[screenshot: dotnet]

File System

The table below contains a list of file system commands.

+-------------+-------------+------------------------------------------------+
| Type        | Command     | Description                                    |
+-------------+-------------+------------------------------------------------+
| file system | cat         | Show the contents of a file on a target        |
| file system | cd          | Change the working directory on a target       |
| file system | download    | Download a file from a target                  |
| file system | ls          | List the files in a directory on a target      |
| file system | mkdir       | Create a new directory on a target             |
| file system | pwd         | Show the current working directory on a target |
| file system | rm          | Delete a file on a target                      |
| file system | upload      | Upload a file to a target                      |
+-------------+-------------+------------------------------------------------+

shad0w uses Linux-style commands to interact with a target's file system.

Use ls to list files in a directory.

[screenshot: ls]

Use cd to change the current directory.

[screenshot: cd]

Use pwd to print the current working directory and rm to delete files.

[screenshot: rm]

Use mkdir to create a new directory.

[screenshot: mkdir]

Privilege Escalation

The table below contains a list of privilege escalation (priv esc) commands.

+-------------+-------------+----------------------------------------------------------------------------------------+
| Type        | Command     | Description                                                                            |
+-------------+-------------+----------------------------------------------------------------------------------------+
| priv esc    | elevate     | Attempt to elevate privileges                                                          |
| priv esc    | sharpup     | A C# port of various PowerUp functionality (performs some privilege escalation checks) |
+-------------+-------------+----------------------------------------------------------------------------------------+

Use elevate with the following flags to attempt to elevate privileges:

  • -l to list available exploits.
  • -c to check if the target is vulnerable to an exploit.
  • -u to use an exploit on a target.

[screenshot: elevate]

Modules

The table below contains a list of module commands.

+-------------+-------------+--------------------------------------------------------------------------------------+
| Type        | Command     | Description                                                                          |
+-------------+-------------+--------------------------------------------------------------------------------------+
| module      | execute     | Execute a .NET assembly, DLL, EXE, JS, VBS or XSL file in memory                     |
| module      | gitl        | Universally Evade Sysmon and ETW - patch the kernel to disable Windows event logging |
| module      | lockless    | Allows for the enumeration of open file handles and the copying of locked files      |
| module      | meterpreter | Metasploit handover module that generates and deploys a Metasploit payload in memory |
| module      | mimikatz    | Execute Mimikatz commands in memory                                                  |
| module      | psh         | Run unmanaged PowerShell on a session                                                |
| module      | rubeus      | A toolset for raw Kerberos interaction and abuses                                    |
| module      | safetykatz  | Mini dump LSASS then use Mimikatz sekurlsa::logonpasswords and sekurlsa::ekeys on it |
| module      | sharpdpapi  | A C# port of some DPAPI functionality from Mimikatz                                  |
| module      | sharphound  | A C# rewrite of the BloodHound3 Ingestor, targeted for .NET 4.5                      |
| module      | sharpsocks  | Create a SOCKS tunnel over HTTP/HTTPS                                                |
| module      | sharpwmi    | An implementation of various WMI functionality including local/remote WMI queries    |
+-------------+-------------+--------------------------------------------------------------------------------------+
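The gitl row above describes disabling Sysmon and ETW on the host. The symptom a defender can watch for is a host whose Sysmon feed goes silent while its endpoint agent heartbeat keeps arriving. The following is an added monitoring example, not shad0w code and not from this wiki; the feed format, the 600-second threshold and the sample records are constructed.

```python
# Added example (not shad0w code or from this wiki): flag hosts whose Sysmon/ETW
# feed stopped while the agent heartbeat continued, the visible symptom of
# event logging being disabled on an otherwise live endpoint.
# Feed records are constructed tuples: (unix_seconds, host, source).
from collections import defaultdict

SILENCE_SECONDS = 600  # assumed tuning: how long a live host may go without a Sysmon event

def find_silenced_hosts(events, now, threshold=SILENCE_SECONDS):
    """Return hosts heart-beating within `threshold` whose last Sysmon event is older."""
    last = defaultdict(dict)
    for ts, host, source in events:
        last[host][source] = max(ts, last[host].get(source, 0))
    silenced = []
    for host, seen in last.items():
        hb, sm = seen.get("heartbeat"), seen.get("sysmon")
        if hb is None or sm is None:
            continue  # a feed never seen at all is an onboarding gap, not a silence
        if now - hb <= threshold and now - sm > threshold:
            silenced.append(host)
    return sorted(silenced)

# Constructed sample feed.
SAMPLE_FEED = [
    (100, "WS01", "sysmon"), (1000, "WS01", "heartbeat"),  # logging stopped, host alive
    (950, "WS02", "sysmon"), (1000, "WS02", "heartbeat"),  # healthy
    (100, "WS03", "sysmon"), (200, "WS03", "heartbeat"),   # whole host offline
    (1000, "WS04", "heartbeat"),                           # never sent Sysmon at all
]
```

With now=1100 only WS01 is reported: WS03 is offline entirely and WS04 never produced Sysmon events, so neither is a logging gap on a live host.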

Use execute to execute a .NET assembly, DLL, EXE, JS, VBS or XSL file in memory.
The file must be passed with the -f flag and any arguments with the -p flag.

[screenshot: execute]

Mimikatz

The mimikatz module extends the feature set further, allowing you to perform actions such as dcsync and pth.

[screenshot: mimikatz]

Unmanaged PowerShell

Use psh to run unmanaged PowerShell on a session. This option is very flexible and allows you to perform a wide range of actions.

Use the -c flag to execute a single PowerShell query.

[screenshot: psh]

Use the -l flag to list the currently available modules.
Additional modules can be added by placing them in the scripts directory and rebuilding shad0w.

[screenshot: modules]

Use the -m flag to import modules. This will host the modules on a random path on the C2. The module will then be downloaded and invoked before the command specified with the -c flag is executed.

[screenshot: psh2]

Use the -i flag to get information about modules.

GhostPack

shad0w contains modules for all of the GhostPack binaries:

  • rubeus
  • safetykatz
  • seatbelt
  • sharpchrome
  • sharpdpapi
  • sharpdump
  • sharpup
  • sharpwmi

This allows you to run any of these modules with a single command, without having to execute anything yourself.

[screenshot: rubeus]

Using these modules, it is possible to perform a wide range of lateral movement techniques.

SharpHound

BloodHound is supported via the sharphound module and has all of the command line switches of the original program.

Once sharphound has run, use download to grab the zip file.

[screenshot: sharphound]

SOCKS Proxy

A slightly customised version of SharpSocks is currently used for SOCKS proxying.
Use the -q flag to set up a quick SOCKS connection.

[screenshot: socks]

Using the server and listen arguments, it is possible to create much more complex SOCKS connections.