nettitude / poshc2_old Goto Github PK

When using shellcode or reflective DLL, domain fronting doesnt work in CLR v2

Hola! @davehardy20 has created a ZenHub account for the nettitude organization. ZenHub is the only project management tool integrated natively in GitHub – created specifically for fast-moving, software-driven teams.

How do I use ZenHub?

To get set up with ZenHub, all you have to do is download the browser extension and log in with your GitHub account. Once you do, you’ll get access to ZenHub’s complete feature-set immediately.

What can ZenHub do?

ZenHub adds a series of enhancements directly inside the GitHub UI:

• Real-time, customizable task boards for GitHub issues;
• Multi-Repository burndown charts, estimates, and velocity tracking based on GitHub Milestones;
• Personal to-do lists and task prioritization;
• Time-saving shortcuts – like a quick repo switcher, a “Move issue” button, and much more.

Add ZenHub to GitHub

Still curious? See more ZenHub features or read user reviews. This issue was written by your friendly ZenHub bot, posted by request from @davehardy20.

Create an advanced options menu that allows you to configure various pre-set environment detection checks before the code executes.

This will be implemented as an advanced feature.

Currently when updating if you get an error its because github.com now enforces tls1.2 and this is not setup by default.

Try re-installing as this has the update

http://poshc2.readthedocs.io/en/latest/

(Disclaimer: I may be messing up here)

I was testing SharpSocks and I seem to have run into issues and I'd like a little clarity on what I am doing wrong.

I am testing Posh on amazon. I am testing against an internal Windows 10 machine.

1. I am using http transport.

2. The implant works fine when connecting to http://ec2-*.amazonaws.com

3. I rewrote the apache conf as follows

Here is a sample of my apache.conf

RewriteEngine On
Define PoshC2 ec2-*.compute.amazonaws.com
Define SharpSocks 172.*.*.*:8080   #this is the local IP of the amazon instance

RewriteRule ^/connect(.*) http://${PoshC2}/connect$1 [NC,P]
RewriteRule ^/images/static/content/(.*) http://${PoshC2}/images/static/content/$1 [NC,P]
RewriteRule ^/news/(.*) http://${PoshC2}/news/$1 [NC,P]
RewriteRule ^/webapp/static/(.*) http://${PoshC2}/webapp/static/$1 [NC,P]
RewriteRule ^/images/prints/(.*) http://${PoshC2}/images/prints/$1 [NC,P]
RewriteRule ^/wordpress/site/(.*) http://${PoshC2}/wordpress/site/$1 [NC,P]
RewriteRule ^/true/images/77/(.*) http://${PoshC2}/true/images/77/$1 [NC,P]
RewriteRule ^/holdings/office/images/(.*) http://${PoshC2}/holdings/office/images/$1 [NC,P]
RewriteRule ^/steam(.*) http://${PoshC2}/steam$1 [NC,P]
RewriteRule ^/sitemap/api/push(.*) http://${SharpSocks}/sitemap/api/push$1 [NC,P]
RewriteRule ^/visitors/upload/map(.*) http://${SharpSocks}/visitors/upload/map$1 [NC,P]
RewriteRule ^/printing/images/bin/logo(.*) http://${SharpSocks}/printing/images/bin/logo$1 [NC,P]
RewriteRule ^/update/latest/traffic(.*) http://${SharpSocks}/update/latest/traffic$1 [NC,P]
RewriteRule ^/saml/stats/update/push(.*) http://${SharpSocks}/saml/stats/update/push$1 [NC,P]

4. I ran sharpsocks as follows:

SharpSocks -Uri http://ec2-*.compute.amazonaws.com -Beacon 5000 -Insecure
Local IP Address to bind to, e.g. http://172.16.0.1:80: http://172.*.*.*:8080

5. I started proxy cap and pointed my SOCKS5 proxy to http://172.*.*.*:8080 and forced mstsc.exe through the proxy.

The above didn't work. I have tried a few other options but they all didn't work.

Please let me know what I am doing wrong. Would be great to have some insight into how to set this up for testing in the cloud.

Thank you.

I was testing PoshC2 against various proxies and one of them had a bug that prevented webclient requests through the proxy.

After some internet searches , I discovered and tested that the issue could be solved by setting a registry key. But this required administrator privileges.

However, using IE Com objects is much easier and managed to hack together a script that calls PoshC2 with IE com objects. As long as IE can reach the internet, proxy becomes a non-issue. I also find it to be a useful evasion technique.

I would love to contribute a PoC in the coming weeks if that is ok with you.

Would like to get your thoughts on this.

Thank you.

Create a CScript variant on DotNetToJS.

There is currently a posh.js that just needs to be hosted.

When using payloads from a non-domain joined machine, proxy authentication will fail because:

1. Proxy settings are unavailable in IE and registry

2. DefaultNetworkCredentials will not authenticate to the proxy

At the time of server setup, it might be a good idea to ask:

"Are you using the payload from a non-domain joined machine?"
And proceed to obtain the proxy url , port , username and password from the user at the time of setting up the server.

The current way to navigate this issue is decode the payload and manually add the proxy parameters. The placeholders for proxy parameters already exist in the payload but they cannot be activated until you have an existing active implant.

Thank you.

"[Shift]","14/10/2018:17:42:25:26","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:25:33","@pedro paulo - Discord"
"[Shift]","14/10/2018:17:42:25:44","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:25:52","@pedro paulo - Discord"
"[Shift]","14/10/2018:17:42:25:82","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:25:89","@pedro paulo - Discord"
"[Shift]","14/10/2018:17:42:26:01","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:26:07","@pedro paulo - Discord"
"[Shift]","14/10/2018:17:42:26:21","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:26:27","@pedro paulo - Discord"
"[Shift]","14/10/2018:17:42:26:41","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:26:48","@pedro paulo - Discord"
"[Shift]","14/10/2018:17:42:26:58","@pedro paulo - Discord"
"[Shift][Shift]","14/10/2018:17:42:26:65","@pedro paulo - Discord"
"[0]","14/10/2018:17:42:27:40","@pedro paulo - Discord"
"[c]","14/10/2018:17:42:28:05","@pedro paulo - Discord"
"[4]","14/10/2018:17:42:28:18","@pedro paulo - Discord"
"[5]","14/10/2018:17:42:28:38","@pedro paulo - Discord"
"[2]","14/10/2018:17:42:28:59","@pedro paulo - Discord"
"[f]","14/10/2018:17:42:28:75","@pedro paulo - Discord"
"[0]","14/10/2018:17:42:28:86","@pedro paulo - Discord"

Rigth before '0' it's supost to be a 'B' (Shift+b) char.

Hello, thank you very much for your great tool. I have a few questions for you if If may.
-- Is it posisble de connect to differents engagement at the same time with PoshC2?
-- Is it possible to restrict each engagement agents to allowed team collaborator? In this way we wouldn't have an unauthorized team collaborator on an engagement?

Sorry if the question has already bee asked or if there's already an answer about it, or if you can't merely figure out what I mean.

Regards!

Hi everyone,

Is a feature like port forwarding (local & remote) available?