Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon.

Overview

aggrokatz

aggro_card

What is this

aggrokatz is an Aggressor plugin extension for CobaltStrike which enables pypykatz to interface with the beacons remotely.
The current version of aggrokatz allows pypykatz to parse LSASS dump files and Registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon (Cobalt Strike is already there anyhow). In the future this project aims to provide additional features for covert operations such as searching and decrypting all DPAPI secrets/kerberoasting/etc.

We have published a short blog post for this tool release which also includes some screenshots.

IMPORTANT NOTES - PLEASE READ THIS

LSASS/Registry dumping is not the goal of this project, only parsing. Reasons:

  1. Multiple techniques for dumping are already implemented from Cobalt Strike (CS) and widely available to the public. Recently we switched to using a modified version of CredBandit that dumps the raw bytes to disk instead of base64. Cool tool, check it out.
  2. We want to keep our dumping technique private.

In CS client, do not use "reload" nor try to manually unload then reload the script if you modified it. You MUST unload it, close the client and start it anew, then load the modified script. Otherwise you will have multiple versions running simultaneously and a ton of errors and weird behaviours will happen!
While parsing LSASS/registry files on the remote end please don't interact with the specific beacon you started the script on. Normally it wouldn't cause any problems, but I can't give any guarantees.

Install

  • You will need pycobalt installed and set up. There is a readme on their github page.
  • You will need to install pypykatz version must be >=0.4.8
  • You will need Cobalt Strike

Setup

  • make sure that pycobalt's aggressor.cna file is set up and is aware of your python interpreter's location
  • Change the pycobalt_path in aggrokatz.cna to point to pycobalt.cna
  • in CS use the View > Script Console and Cobalt Strike > Script Manager windows. Using Script Manager load the aggkatz.cna script.

Usage

  • If the aggkatz.cna script loaded successfully you will have a new menu item pypykatz when right-clicking on a beacon.
  • During parsing you will see debug messages in Script Console window.
  • After parsing is finished, the results will be displayed in both Script Console window and the Beacon's own window.

LSASS dump parse menu parameters

  • LSASS file: The location of the lsass.dmp file on the remote computer. You can also use UNC paths to access shared lsass.dmp files over SMB
  • chunksize : The maximum amount that will be read in one go
  • BOF file : The BOF file (Beacon Object File) which allows chunked reads. This file will be uploaded and executed (in-memory) each time a new chunk is being read.
  • (module) : Specifies which modules will be parsed. Default: all
  • Output : Specifies the output format(s)
  • Populate Credential tab : After a sucsessful parsing all obtained credentials will be available on the Cobalt Srike's Credential tab. This feature is in beta
  • Delete remote file after parsing : After a sucsessful parsing the LSASS dump file will be removed from the target

Registry dump parse menu parameters

  • SYSTEM file: The location of the SYSTEM.reg file on the remote computer. You can also use UNC paths to access shared files over SMB
  • SAM file (optional): The location of the SAM.reg file on the remote computer. You can also use UNC paths to access shared files over SMB
  • SECURITY file (optional): The location of the SECURITY.reg file on the remote computer. You can also use UNC paths to access shared files over SMB
  • SOFTWARE file (optional): The location of the SOFTWARE.reg file on the remote computer. You can also use UNC paths to access shared files over SMB
  • chunksize : The maximum amount that will be read in one go
  • BOF file : The BOF file (Beacon Object File) which allows chunked reads. This file will be uploaded and executed (in-memory) each time a new chunk is being read.
  • Output : Specifies the output format(s)

Limitations

The file read BOF currently supports file reads up to 4Gb. This can be extended with some modifications but so far such large files haven't been observed.

How it works

TL;DR

Normally pypykatz's parser performs a series of file read operations on disk, but with the help of aggrokatz these read operations are tunneled to the beacon using a specially crafted BOF (Beacon Object File) which allows reading the remote file contents in chunks. This allows pypykatz to extract all secrets from the remote files without reading the whole file, only grabbing the necessary chunks where the secrets are located.

In-depth

To get the full picture of the entire process, there are two parts we'd need to highlight:

  1. how pypykatz integrates with CobaltStrike
  2. how pypykatz performs the credential extraction without reading the whole file

pypykatz integration to CobaltStrike

CobaltStrike (agent) is written in Java, pypykatz is written in python. This is a problem. Lucky for us an unknown entity has created pycobalt which provides a neat interface between the two worlds complete with usefule APIs which can be invoked directly from python. Despite pycobalt being a marvellous piece of engineering, there are some problems/drawbacks with it that we need to point out:

  1. About trusting the pycobalt project:
  • We have tried to reach out to the author but we got no reply.
  • We cannot guarantee that the pycobalt project will be maintained in the future.
  • We do not control any aspect of pycobalt's development.
  1. About technical issues observed:
  • Generally there are some encoding issues between pycobalt and CobaltSrike. This results in some API calls which would return bytes that can't be used because some bytes get mangled by the encoder. By checking the code we conclude that most encoding/decoding issues are because pycobalt uses STDOUT/STDIN to communicate with the Java process
  • Specifically the bof_pack API call which is crucial for this project had to be implemented as a pure-aggressor script and only invoked from python using basic data structures (string and int) and not using bytes.
  • Only blocking APIs provided by the pycobalt package without threading support. Well, at least we observed that threading breaks randomly, but we kinda expected this.
  • Blocking API + no threading + relying on callbacks = we had to employ some weird hacks to get it right.

Credential parsing on a stack of cards

pypykatz and it's companion module minidump had to be modified to allow a more efficient chunked parsing than what was implemented before, but this is a topic for another day.
After pypykatz was capable to interface with CobaltStrike via pycobalt the next step was to allow chunked file reading. Sadly this feature is not available by-default on any of the C2 solutions we have seen, so we had to implement it. The way we approached this problem is by implementing chunked reading via the use of CobaltStrike's Beacon Object Files interface, BOF for short. BOFs are C programs that run on the beacon not as a separate executable but as a part of the already running beacon. This interface is super-useful because it makes BOFs much stealthier since all of the code executes in memory without anything being written to disk.
Our BOF solution is a simple function and takes 4 arguments:

  • fileName : Full file path of the LSASS dump file or registry hive (on the remote end)
  • buffsize : Amount (in bytes) to be read from the file
  • seekSize : The position where the file read operation should start from (from the beginning of the file)
  • rplyid : An identification number to be incorporated in the reply to avoid possible collisions

With these parameters, pypykatz (running on the agent) can issue file read operations on the beacon (target computer) that specifically target certain parts of the file.
On the other end (in CobaltStrike) aggrokatz registers a callback to monitor every message returned by the target beacon. If the message's header matches the header of a file read operation it will be processed as a chunk of a minidump file and will be dispatched to the minidump parser which will dispatch the result to pypykatz. In case more read is needed pypykatz will issue a read using the minidump reader that will dispatch a new read command on the beacon via the BOF interface. This process repeats until the file is parsed.

Results

After parsing around a 100 LSASS dumps using this method, we can state the following (chunk size used was 20k):

  • Depending on the LSASS dump file size (our dumps were between 40Mb - 300Mb) on average all secrets could be extraced using 3,5Mb. Note that this number does not depend on the size of the LSASS dump rather than on the amount of secrets and the amount of packages you select to be parsed.
  • On average 250 read operations were used for a successful parse.
  • Time to parse only relies on your jitter/sleep configuration so measuring it is pointless.

Drawbacks

  • For each read operation a BOF needs to be uploaded to the beacon. (we secretly hope someone from CobaltSrike will look at this article and decide to implement basic file reading operations as a default, so we can skip using this solution).
  • The number of read operations can be problematic if you are using a beacon with a really large jitter/sleep.

Kudos

dcsync - author of pycobalt
@anthemtotheego Twitter - Creator of CredBandit
Nicol Jos @shinepaw - logo design

Owner
SEC Consult Vulnerability Lab
We strive for continued knowledge gain in the field of network and application security and the evaluation of new offensive and defensive technologies.
SEC Consult Vulnerability Lab
โš”๏ธ Fastest tibia bot API

๐Ÿ“ Description tibia bot api using python โŒจ Development โš™ Running the app python bot.py โœ… ROADMAP Add confidence to floor level to have more accuracy

Lucas Santos 133 Dec 28, 2022
Project developed as part of a selection process for the company Denox

๐Ÿ“ Tabela de conteรบdos Sobre Requisitos para rodar o projeto Instalaรงรฃo Rotas da API Observaรงรตes ๐Ÿง Sobre Projeto desenvolvido como parte de um proces

รcaro Sant'Ana 1 Mar 01, 2022
A simple telegram bot that resolves video urls using yt-dlp

URL to Video Telegram Bot A simple telegram bot that resolves video urls using yt-dlp Copyright (C) 2021 Vรญtor Vasconcellos This program is free softw

Vรญtor 1 Nov 18, 2021
Based on nonebot, a common bot framework for maimai.

mai bot ไฝฟ็”จๆŒ‡ๅ— ๆญค README ๆไพ›ไบ†ๆœ€ไฝŽ็จ‹ๅบฆ็š„ mai bot ๆ•™็จ‹ไธŽๆ”ฏๆŒใ€‚ Step 1. ๅฎ‰่ฃ… Python ่ฏท่‡ช่กŒๅ‰ๅพ€ https://www.python.org/ ไธ‹่ฝฝ Python 3 ็‰ˆๆœฌ๏ผˆ 3.7๏ผ‰ๅนถๅฐ†ๅ…ถๆทปๅŠ ๅˆฐ็Žฏๅขƒๅ˜้‡๏ผˆๅœจๅฎ‰่ฃ…่ฟ‡็จ‹ไธญๅ‹พ้€‰ Add to system P

Diving-Fish 150 Jan 01, 2023
Weather_besac is a French twitter bot that tweet the weather of the city of Besanรงon in Franche-Comtรฉ in France every day at 8am and 4pm.

Weather Bot Besac Weather_besac is a French twitter bot that tweet the weather of the city of Besanรงon in Franche-Comtรฉ in France every day at 8am and

Rgld_ 1 Nov 15, 2021
Python client for Arista eAPI

Arista eAPI Python Library The Python library for Arista's eAPI command API implementation provides a client API work using eAPI and communicating wit

Arista Networks EOS+ 124 Nov 23, 2022
Fairstructure - Structure your data in a FAIR way using google sheets or TSVs

Fairstructure - Structure your data in a FAIR way using google sheets or TSVs. These are then converted to LinkML, and from there other formats

Linked data Modeling Language 23 Dec 01, 2022
A simple tool that lets you know when you are out of Lost Ark's queues

Overview A simple tool that lets you know when you are out of Lost Ark's queues. You can be notified via: Sound: the app will play a sound Discord web

Nelson 3 Feb 15, 2022
ToqueIO Nuke tools - A collection of tools designed to assist in enhancing your workflows within nuke

ToqueIO Nuke tools - A collection of tools designed to assist in enhancing your workflows within nuke

4 Feb 19, 2022
๐Ÿ’ป A fully functional local AWS cloud stack. Develop and test your cloud & Serverless apps offline!

LocalStack - A fully functional local AWS cloud stack LocalStack provides an easy-to-use test/mocking framework for developing Cloud applications. Cur

LocalStack 45.3k Jan 02, 2023
Discord bot that displays the current Swatch Internet Time (.beat) as a status.

Internet-Time-Display Discord bot that displays the current Swatch Internet Time (.beat) as a status. Visit the website! Add the bot to your server! A

2 Mar 15, 2022
A bot written in Python to automate attending classes on MyClass (Codetantra).

codetantrabot This is python program to attend class on myclass(codetantra) Prerequisites You should have Python3 and Pip installed on your system Run

Aniket Kumar 1 Feb 08, 2022
Robot Swerve Test Public With Python

Robot-Swerve-Test-Public The codebase for our swerve drivetrain prototype robot.

1 Jan 09, 2022
A bot that updates about the most subscribed artist' channels on YouTube

A bot that updates about the most subscribed artist' channels on YouTube. A weekly top chart report is provided every Monday. It posts updates on Twitter

Marco Fantauzzo 5 Dec 14, 2022
BiliBili-live-barrage-transceiver - A simple python program for sending and receiving barrage in bilibili live room

BiliBili-live-barrage-transceiver - A simple python program for sending and receiving barrage in bilibili live room

zeroy 2 Jan 18, 2022
๐€ ๐ฆ๐จ๐๐ฎ๐ฅ๐š๐ซ ๐“๐ž๐ฅ๐ž๐ ๐ซ๐š๐ฆ ๐†๐ซ๐จ๐ฎ๐ฉ ๐ฆ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ ๐›๐จ๐ญ ๐ฐ๐ข๐ญ๐ก ๐ฎ๐ฅ๐ญ๐ข๐ฆ๐š๐ญ๐ž ๐Ÿ๐ž๐š๐ญ๐ฎ๐ซ๐ž๐ฌ !!

๐‡๐จ๐ฐ ๐“๐จ ๐ƒ๐ž๐ฉ๐ฅ๐จ๐ฒ For easiest way to deploy this Bot click on the below button ๐Œ๐š๐๐ž ๐๐ฒ ๐’๐ฎ๐ฉ๐ฉ๐จ๐ซ๐ญ ๐†๐ซ๐จ๐ฎ๐ฉ ๐’๐จ๐ฎ๐ซ๐œ๐ž๐ฌ ๐†๐ž๐ง๐ž?

Mukesh Solanki 1 Dec 10, 2021
An anime themed telegram group management bot based on sqlalchemy database running on python3.

Kazuko Robot A Telegram Python bot running on python3 forked with saitama and DiasyX with a sqlalchemy database and an entirely themed persona to make

heyaaman 22 Dec 07, 2022
Connect your Nintendo Switch playing status to Discord!

Disclaimer: Unfortunately, it appears that Nintendo has removed returning self-Presence in their API as of recently, making this project near obsolete

Deltaion Lee 145 Dec 30, 2022
Presentation and code files for the talk at PyCon Indonesia

pycon-indonesia Presentation and code files for the talk at PyCon Indonesia. Files used for the PyCon Indonesia presentation. [Directory Includes:] Be

Neeraj Pandey 2 Dec 04, 2021