A WebDAV PROPFIND C2 tool

WebDAVC2

LAST/CURRENT VERSION: 0.3

Author: Arno0x0x - @Arno0x0x

WebDavC2 is a PoC of using the WebDAV protocol with PROPFIND-only requests as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server.

The tool is distributed under the terms of the GPLv3 licence.

Background information

Check this blog post on how and why I came up with the idea of using WebDAV PROPFIND only requests as a C2 channel:

WordPress: Using WebDAV features as a covert channel

Architecture

WebDavC2 is composed of:

  • a controller, written in Python, which acts as the C2 server
  • an agent, written in C#/.Net, running on the target system, delivered to the target system via various initial stagers
  • various flavors of initial stagers (created on the fly when the controller starts) used for the initial compromise of the target system

Features

WebDavC2 main features:

  • Various stagers (PowerShell one-liner, batch file, different types of MS-Office macro, JScript file) - this is not limited, you can easily come up with your own stagers; check the templates folder to get an idea
  • Pseudo-interactive shell (with environment persistency)
  • Auto start of the WebClient service, even from an unprivileged user using the 'pushd' trick

Installation & Configuration

Installation is pretty straightforward:

  • Git clone this repository: git clone https://github.com/Arno0x/WebDAVC2 WebDavC2
  • cd into the WebDavC2 folder: cd WebDavC2
  • Give the execution rights to the main script: chmod +x webDavC2.py

To start the controller, simply type ./webDavC2.py.

Compiling your own agent

Although it is perfectly OK to use the provided agent.exe, you can very easily compile your own executables of the agent, from the source code provided. You don't need Visual Studio installed.

  • Copy the agent/agent.cs file to a Windows machine with the .Net framework installed
  • CD into the source directory
  • Use the .Net command line C# compiler:
    • To get the standard agent executable: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:agent.exe *.cs
    • To get the debug version: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /define:DEBUG /out:agent_debug.exe *.cs

DISCLAIMER

This tool is intended to be used in a legal and legitimate way only:

  • either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
  • on systems you've been officially and legitimately entitled to perform security assessments on (pentests, security audits)

Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.

TODO

This tool is just a PoC, so don't expect production quality; plus, it has some arbitrary limitations in terms of the quantity of data that can be transferred from the agent back to the controller.

To be added:

  • more stagers?

To be fixed:

  • Increase the (arbitrary) size limit of command output that can be returned to the controller
  • I'm waiting for feedback :)
