Medusa – Cross Platform C2
2021-12-28 21:29:23 Author: reconshell.com(查看原文) 阅读量:26 收藏

Medusa

Medusa

Medusa is a cross-platform C2 agent compatible with Python 2.7 and 3.8, compatible with Mythic


Installation

To install Medusa, you’ll need Mythic installed on a remote computer. You can find installation instructions for Mythic at the Mythic project page.

From the Mythic install root, run the command:

./mythic-cli install github https://github.com/MythicAgents/Medusa.git

Once installed, restart Mythic to build a new agent.

Notable Features

  • Dynamic loading/unloading of agent functions to limit exposure of agent capabilities on-disk.
  • Loading of Python modules in-memory for use in custom scripts.
  • Cross-platform SOCKS5 proxy
  • maOS clipboard reader, screenshot grabber and TCC database parsing examples
  • File browser compatibility with upload/download
  • Eval() of dynamic Python code
  • Basic Authentication Proxy compatibility

Commands Manual Quick Reference

The base agent and included commands all use built-in Python libraries, so do not need additional packages to function. Agents will run the commands in threads, so long-running uploads or downloads won’t block the main agent.

General Commands

CommandSyntaxDescription
catcat path/to/fileRead and output file content.
cdcd [.. dir]Change working directory (.. to go up one directory).
cpcp src_file_or_dir dst_file_or_dirCopy file or folder to destination.
cwdcwdPrint working directory.
downloaddownload [path]Download a file from the target system.
exitexitExit a callback.
envenvPrint environment variables.
eval_codeeval_code [commands]Execute python code and return output.
jobkilljobkill [task id]Send stop signal to long running task.
jobsjobsList long-running tasks, such as downloads.
list_moduleslist_modules [module_name]Lists in-memory modules or the full file listing for a specific module.
loadload commandLoad a new capability into an agent.
load_moduleload_moduleLoad a zipped Python module into memory (adapted from here and here).
load_scriptload_scriptLoad and execute a Python script through the agent.
lsls [. path]List files and folders in [path] or use . for current working directory.
mvmv src_file_or_dir dst_file_or_dirMove file or folder to destination.
rmrm file_or_dirDelete file or folder.
shellshell [command]Run a shell command which will spawn using subprocess.Popen(). Note that this will wait for command to complete so be careful not to block your agent.
sockssocks start/stop [port]Start/stop SOCKS5 proxy through Medusa agent.
shinjectshinjectInject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here).
sleepsleep [seconds] [jitter percentage]Set the callback interval of the agent in seconds.
unloadunload commandUnload an existing capability from an agent.
unload_moduleunload_module module_nameUnload a Python module previously loaded into memory.
uploaduploadUpload a file to a remote path on the machine.
watch_dirwatch_dir path secondsWatch for changes in target directory, polling for changes at a specified rate.

macOS Commands

CommandSyntaxDescription
clipboardclipboardOutput contents of clipboard (uses Objective-C API, as outlined by Cedric Owens here. macOS only, Python 2.7 only).
list_appslist_appsList macOS applications (Python 2.7 only, macOS only).
list_tcclist_tcc [path]List entries in macOS TCC database (requires full-disk access and Big Sur only atm).
screenshotscreenshotTake a screenshot (uses Objective-C API, macOS only, Python 2.7 only).

Windows Commands

CommandSyntaxDescription
shinjectshinjectInject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here).
load_dllload_dll dll_path dll_exportLoad an on-disk DLL and execute an exported function (NOTE: This DLL must return an int value on completion, an msfvenom-created DLL, for example, will kill your agent upon completion).

Python Versions

Both versions of the Medusa agent use an AES256 HMAC implementation written with built-in libraries (adapted from here), removing the need for any additional dependencies beyond a standard Python install. As such the agent should operate across Windows, Linux and macOS hosts. It’s worth mentioning that this crypto implementation does introduce some overhead when handling large files (screenshotting, downloads, etc.) but it’s workable.

Py2 vs Py3 Commands

Within the Payload_Type/Medusa/agent_code directory, you will see base_agent files with both py2 and py3 suffixes. Likewise, similar file extensions can be seen for individual function files too.

These are read by the builder.py script to firstly select the right base Python version of the Medusa agent. builder.py will then include commands that are specific to the chosen python version. In the case where a command only has a .py extension, this will be used by default, with the assumption being that no alternative code is needed between the Py2 and Py3 versions.

Threaded Jobs

Medusa uses basic threading for job execution. Where jobs are potentially long-running, they can be implemented with a ‘stop check’ to respond to a signal from the jobkill task. This can be implemented with a code snippet similar to that shown below:

if [task for task in self.taskings if task["task_id"] == task_id][0]["stopped"]:
  # Some job-specific tidy up
  return "Job stopped."

This handler can be seen implemented within the downloaduploadwatch_dir and screenshot commands.

Additionally, if the long-running job is expected to provide continuous output, the sendTaskOutputUpdate function – included in the base agent – can be used to update Mythic prior to the task completion. A dummy function that provides continuous output and can be jobkill‘d can be seen below.

def dummyFunction(self, task_id):
  while(True):
      # Check if we've got a stop signal.
      if [task for task in self.taskings if task["task_id"] == task_id][0]["stopped"]: return "Job stopped."
      
      # Send output back to Mythic
      self.sendTaskOutputUpdate(self, task_id, "We're still running")

      time.sleep(10)

Supported C2 Profiles

Currently, only one C2 profile is available to use when creating a new Medusa agent: http (both with and without AES256 HMAC encryption).

HTTP Profile

The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. GET requests for taskings, POST requests with responses.



文章来源: https://reconshell.com/medusa-cross-platform-c2/
如有侵权请联系:admin#unsafe.sh