Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.
It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).
Koadic also attempts to be compatible with both Python 2 and Python 3.
# git clone https://github.com/zerosum0x0/koadic.git
# cd koadic
# pip install -r requirements.txt
- Hooks a zombie
- Elevates integrity (UAC Bypass)
- Dumps SAM/SECURITY hive for passwords
- Scans local network for open SMB
- Pivots to another machine
Stagers hook target zombies and allow you to use implants.
Module | Description |
---|---|
stager/js/mshta | serves payloads using MSHTA.exe HTML Applications |
stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets |
stager/js/wmic | serves payloads using WMIC XSL |
stager/js/rundll32_js | serves payloads using rundll32.exe |
stager/js/disk | serves payloads using files on disk |
Implants start jobs on zombies.
Module | Description |
---|---|
implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10. |
implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10. |
implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window. |
implant/fun/voice | Plays a message over text-to-speech. |
implant/gather/clipboard | Retrieves the current content of the user clipboard. |
implant/gather/enum_domain_info | Retrieve information about the Windows domain. |
implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive. |
implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file. |
implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X). |
implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X). |
implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS). |
implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed). |
implant/manage/enable_rdesktop | Enables remote desktop on the target. |
implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output. |
implant/phishing/password_box | Prompt a user to enter their password. |
implant/pivot/stage_wmi | Hook a zombie on another machine using WMI. |
implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals. |
implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN. |
implant/utils/download_file | Downloads a file from the target zombie. |
implant/utils/multi_module | Run a number of implants in succession. |
implant/utils/upload_file | Uploads a file from the listening server to the target zombies. |
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.
- @vvalien1
- fbctf
- cclaus
- Arno0x
- delirious-lettuce
- 6IX7ine
Special thanks to research done by the following individuals: