Video: https://vimeo.com/197902404
What you see is a C2 built on Dropbox, but one that drives its C2 control through Dropbox's file API. How does it do that? It is actually simple: the C2 agent polls for new or updated files on the server, and when it finds one it downloads it; that file is the C2 exchange itself. Whatever the C2 side uploads is likewise delivered to Dropbox as a file, so the C2 server interacts with the agent only indirectly, through the same file drops.
Code: https://github.com/Arno0x/DBC2/blob/master/lib/dropboxHandler.py, which uses the following API endpoints:
    self.dropboxAPI = {
        'listFolder':    'https://api.dropboxapi.com/2/files/list_folder',
        'uploadFile':    'https://content.dropboxapi.com/2/files/upload',
        'downloadFile':  'https://content.dropboxapi.com/2/files/download',
        'deleteFile':    'https://api.dropboxapi.com/2/files/delete',
        'getMetaData':   'https://api.dropboxapi.com/2/files/get_metadata',
        'shareFile':     'https://api.dropboxapi.com/2/sharing/create_shared_link_with_settings',
        'getSharedLink': 'https://api.dropboxapi.com/2/sharing/list_shared_links'
    }
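The polling loop described above leaves a distinctive shape in egress traffic: one host calling `files/list_folder` on a fixed cadence, with occasional `files/download` and `files/upload` calls when a tasking or result file moves. The following detection sketch is an added example, not code from DBC2 or its author; it parses constructed proxy log lines (the log format, the client addresses and the thresholds are all assumptions made for this example) and flags clients whose Dropbox list-folder calls are near-periodic.

```python
"""
Detection sketch: flag clients that poll the Dropbox file API on a regular
cadence, the traffic pattern a file-polling C2 agent produces.
Log format, sample lines and thresholds are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Endpoint paths quoted from DBC2's dropboxHandler.py (matched on path only).
POLL_PATH = "/2/files/list_folder"
TRANSFER_PATHS = {"/2/files/download", "/2/files/upload"}

# Constructed proxy log: "<ISO time> <client> <method> <url>", one per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T10:00:30 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T10:01:00 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T10:01:02 10.0.0.5 POST https://content.dropboxapi.com/2/files/download
2024-01-01T10:01:30 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T10:02:00 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T10:02:30 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T09:12:11 10.0.0.7 POST https://content.dropboxapi.com/2/files/upload
2024-01-01T11:40:03 10.0.0.7 POST https://api.dropboxapi.com/2/files/list_folder
2024-01-01T14:02:45 10.0.0.7 POST https://content.dropboxapi.com/2/files/download
2024-01-01T10:00:10 10.0.0.9 GET https://www.example.com/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(/\S*)$")


def parse_log(text):
    """Yield (timestamp, client, host, path) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, host, path = m.groups()
        yield datetime.fromisoformat(ts), client, host, path


def poll_stats(text):
    """Per client: list_folder call count, mean gap (s), coefficient of
    variation of the gaps, and number of download/upload calls."""
    polls = defaultdict(list)
    transfers = defaultdict(int)
    for ts, client, host, path in parse_log(text):
        if not host.endswith("dropboxapi.com"):
            continue
        if path == POLL_PATH:
            polls[client].append(ts)
        elif path in TRANSFER_PATHS:
            transfers[client] += 1
    stats = {}
    for client in set(polls) | set(transfers):
        times = sorted(polls.get(client, []))
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = cv = None
        if len(gaps) >= 2:
            mean_gap = statistics.mean(gaps)
            # Low cv means the gaps are nearly identical: machine-driven polling.
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        stats[client] = {
            "count": len(times),
            "mean_gap": mean_gap,
            "cv": cv,
            "transfers": transfers.get(client, 0),
        }
    return stats


def flag_pollers(text, min_count=5, max_cv=0.2):
    """Return clients whose list_folder cadence is regular enough to review.
    min_count and max_cv are constructed thresholds; tune them per environment."""
    return sorted(
        c for c, s in poll_stats(text).items()
        if s["count"] >= min_count and s["cv"] is not None and s["cv"] <= max_cv
    )


if __name__ == "__main__":
    for client, s in sorted(poll_stats(SAMPLE_LOG).items()):
        print(client, s)
    print("review:", flag_pollers(SAMPLE_LOG))
```

The interval regularity test is the useful part: an interactive Dropbox user produces irregular bursts, whereas an agent sleeping a fixed number of seconds between `list_folder` calls produces a near-zero coefficient of variation. Agents that add random jitter to the sleep raise the cv, so in practice the threshold is tuned per environment and paired with the per-client count of transfer calls.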
Architecture (see the project's architecture)
Features
DBC2 main features:
- Various stagers (Powershell one liner, batch file, MS-Office macro, javascript, DotNetToJScript, msbuild file, SCT file, ducky, more to come...)
- Single CLI commands (one at a time, no environment persistency)
- Pseudo-interactive shell (environment persistency) - based on an idea from 0xDEADBEEF00 [at] gmail.com
- Send file to the agent
- Retrieve file from the agent
- Launch processes on the agent
- Keylogger
- Clipboard logger (clipboard recording/spying)
- Screenshot capture
- Run and interact with PowerShell modules (Endless capabilities: PowerSploit, Inveigh, Nishang, Empire modules, Powercat, etc.)
- Send key strokes to any process
- Set persistency through scheduled task and single instance through Mutex
- Can run within (w|c)script.exe thanks to the DotNetToJScript stager (javascript2)
- Can be injected into any process thanks to the nativeWrapper and its corresponding position independent shellcode!