  • Stars: 269
  • Rank: 151,759 (Top 4 %)
  • Language: PowerShell
  • Created almost 8 years ago
  • Updated almost 7 years ago



DBC2

LAST/CURRENT VERSION: 0.2.6

Author: Arno0x0x - @Arno0x0x

DBC2 (DropboxC2) is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controller running on any machine, PowerShell modules, and Dropbox servers as the means of communication.

This project was initially inspired by the fantastic Empire framework, and was also undertaken as a way to learn Python.

Check out this introduction and demo of basic functionalities (v0.0.1): Demo

New features in version 0.2.x : Demo

The app is distributed under the terms of the GPLv3 licence.

Architecture

DBC2 Architecture

Features

DBC2 main features:

  • Various stagers (PowerShell one-liner, batch file, MS-Office macro, JavaScript, DotNetToJScript, MSBuild file, SCT file, Ducky, more to come...)
  • Single CLI commands (one at a time, no environment persistence)
  • Pseudo-interactive shell (environment persistence) - based on an idea from 0xDEADBEEF00 [at] gmail.com
  • Send a file to the agent
  • Retrieve a file from the agent
  • Launch processes on the agent
  • Keylogger
  • Clipboard logger (clipboard recording/spying)
  • Screenshot capture
  • Run and interact with PowerShell modules (endless capabilities: PowerSploit, Inveigh, Nishang, Empire modules, Powercat, etc.)
  • Send keystrokes to any process
  • Set persistence through a scheduled task and enforce a single instance through a Mutex
  • Can run within (w|c)script.exe thanks to the DotNetToJScript stager (javascript2)
  • Can be injected into any process thanks to the nativeWrapper and its corresponding position-independent shellcode

Dependencies & requirements

DBC2 requires a Dropbox application ("App folder" access only is sufficient) to be created within your Dropbox account, and an access token generated for this application, in order to be able to perform API calls. Look at the introduction video on how to do this if you're unsure.

On the controller side, DBC2 requires:

  • Python 2.7 (not tested with Python 3)
  • The following libraries, that can be installed using pip install -r requirements.txt:
    • requests>=2.11
    • tabulate
    • pyscrypt
    • pycrypto

The DBC2 controller has been successfully tested and used on Kali Linux and Mac OS X.

On the agent side, DBC2 requires:

  • .Net framework >= 4.5 (tested successfully on Windows 7 and Windows 10)

Security Aspects

The DBC2 controller asks for a master password when it starts. This password is then derived into a 128-bit master key using the password-based key derivation function (PBKDF) from the pyscrypt library. The master key is then base64-encoded and can (optionally) be saved in the config file.

DBC2 performs end-to-end encryption of data using the master key with AES-128 in CBC mode. Data exchanged between the agent and the controller flows through the Dropbox servers, so while the transfer itself is encrypted thanks to HTTPS, the data has to be end-to-end encrypted to protect it while at rest on the Dropbox servers.

DBC2 also obfuscates the stages and the modules with XOR encryption, which is dumb encryption but is enough to simply obfuscate some well-known and publicly available pieces of code. The key used to perform the XOR encryption is the SHA-256 hash of the master key.
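As an added illustration (this is not code from the DBC2 project), the following Python script walks through the key-handling scheme described above: a password is derived into a 128-bit master key, the key is base64-encoded as it would be for the config file, and a module is XOR-obfuscated with the SHA-256 hash of the master key. The AES-128-CBC data layer is left out because it needs a third-party library. Assumptions not on the page: the scrypt salt and cost parameters are constructed values, the standard-library hashlib.scrypt stands in for pyscrypt, and the sample module text is made up. The last function is the analyst's check that the README's "dumb encryption" remark implies: XOR of the obfuscated blob with any known plaintext prefix yields the key bytes directly, which is why this layer is obfuscation rather than protection.

```python
import base64
import hashlib

# Constructed example values (not from the project): a fixed salt and
# scrypt cost parameters small enough to run in well under a second.
SALT = b"dbc2-example-salt"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed stand-in for a publicly available PowerShell module.
SAMPLE_MODULE = (
    b"function Invoke-ExampleModule {\n"
    b"    Write-Output 'constructed sample module, not a real one'\n"
    b"}\n"
)


def derive_master_key(password: str, salt: bytes = SALT) -> bytes:
    """Derive a 128-bit (16-byte) master key from the password.

    The README says a PBKDF from pyscrypt is used; pyscrypt implements
    scrypt, so hashlib.scrypt is used here as the stdlib equivalent.
    The salt and cost parameters are assumptions for this example.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=16)


def encode_master_key(master_key: bytes) -> str:
    """Base64 form of the master key, as it would be stored in config.py."""
    return base64.b64encode(master_key).decode("ascii")


def decode_master_key(encoded: str) -> bytes:
    """Inverse of encode_master_key for reading the key back from config."""
    return base64.b64decode(encoded)


def xor_key(master_key: bytes) -> bytes:
    """The README states the XOR key is the SHA-256 hash of the master key."""
    return hashlib.sha256(master_key).digest()


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR over the data; calling it again deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Analyst's check: XOR of ciphertext with a known plaintext prefix
    gives back the key bytes for that prefix, so a blob built from a
    public module leaks its XOR key to anyone holding the module."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


if __name__ == "__main__":
    key = derive_master_key("correct horse battery staple")  # constructed
    print("master key (base64):", encode_master_key(key))
    blob = xor_obfuscate(SAMPLE_MODULE, xor_key(key))
    print("obfuscated module:", blob.hex())
    print("recovered key prefix:", recover_keystream(blob, SAMPLE_MODULE[:16]).hex())
```

The round trip through encode_master_key/decode_master_key mirrors what saving the key in the config file does; the recovery function shows that the XOR layer only hides code from a casual look and offers no secrecy once any part of the plaintext is known.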

Installation & Configuration

Installation is pretty straight forward:

  • Git clone this repository: git clone https://github.com/Arno0x/DBC2 dbc2
  • cd into the DBC2 folder: cd dbc2
  • Install requirements using pip install -r requirements.txt
  • Give the execution rights to the main script: chmod +x dropboxC2.py

To start the controller, simply type ./dropboxC2.py.

Configuration is done through the config.py file:

  • You can optionally specify your Dropbox API access token and base64-encoded master key. If you do so, the controller won't ask you for these when it starts.

DBC2 is also available as a Docker container: check DBC2 on Docker Hub, or simply run docker pull arno0x0x/dbc2

Compiling your own agent stage

You can very easily compile your own executables of the agent stage, from the source code provided. You don't need Visual Studio installed.

  • Copy the agent/source folder on a Windows machine with the .Net framework installed
  • CD into the source directory
  • Use the .Net command line C# compiler:
    • To get the standard agent executable: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:dbc2_agent.exe *.cs
    • To get the debug version: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /define:DEBUG /out:dbc2_agent_debug.exe *.cs

DISCLAIMER

This tool is intended to be used in a legal and legitimate way only:

  • either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
  • on systems you have been officially and legitimately authorized to perform security assessments on (pentests, security audits)

Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.

Author

Arno0x0x - You can contact me on my twitter page (@Arno0x0x).

TODO

This is still a beta version of this tool, and my first project developed with Python and C#. So it is probably full of bugs, and not written in the most Pythonic or C#-ish way. Bug fixes and improvements will come over time as I get feedback on this tool.

To be added in the next releases:

  • Gather basic system information for each agent at startup
  • Create some basic events on the agent side, with event subscription and automatic actions on the controller side (e.g. "machine locked or screensaver started" would allow for some visible activity like sending keystrokes to some processes, or "a given process or connection has been established")
  • Add option for the stage to auto persist at first startup
  • Possibility to task an agent with more than one task at a time

To be fixed:

  • Fix missing encryption on the "sendFile" function (due to me being lazy: on the agent side I wanted to leverage the WebClient->DownloadFile function and I'm not sure how to put my decryption routine in the middle of the flow without having to rewrite this function by hand). This is the only data that is not encrypted. Anything flowing from the agent back to the controller through the Dropbox servers is properly encrypted.
