Abstract
Quality & Innovation over quantity. Post-exploitation is a crucial part of red-team assessment as the other phases can be carried out passively but not post-exploitation. Also one of the very important aspect of this entire process of this maintaining access to the compromised host should be leveraged with keeping stealth in mind starting from performing enumeration to leveraging administrator level privileges and lateral movement, as modern day sophisticated EDRs and SIEM solutions and other detection engineering based software aim on staying ahead detecting these malicious implants & beacons. However in this game of cat & mouse the conventional part of red teaming also involves discovering bypass techniques for all the security mechanisms deployed. Once the red teamer gains an initial foothold into the host, he can implants an adversary in the host to achieve persistence. The adversary is capable of staying dormant and performing operations in stealth. It is capable of operating without internet access and can send data or receive commands when connected to the internet. This happens via the command and control server of the red teamer. It is crucial that the command and control server is secure and fast to reduce latency and improvise data transmission. Above all, the server must be easy to deploy and maintain and must be user-friendly, in a few instances the red teamer might have to pivot the data through another internal system that is connected to the internet. During such conditions, the C&C server must stay as it is crucial that the C&C server stays light, fast too Buzzard which is built by two undergrad students has been developed to operate under such intense circumstances, easy to deploy, with both command line and web interface giving the user the freedom to choose the beacons and implants of his own choices, as buzzard aims to provide implants programmed using C, Python, Rust, Go. Although some of the implants & beacons are built upon languages which are not “write once & run everywhere” we aim to build small additional beacons which helps to get all necessary feasible environment which helps other beacons for easy execution.
Buzzard is a hybrid architecture that is put together into a docker container. We have a web interface where the attacker interacts to manipulate tasks according to the requirements. The Web front-end is made up of HTML, CSS, and Jquery, it serves through Node JS which acts as a middleware between REST API and the front-end. The API follows the principle of CRUD(Create Read Update Delete) which is a function like a stateless API and connects to a MongoDB database to store and retrieve information about the tasks. The API also serves the beacons directory for sharing the scripts which interact through the implant. We have a dedicated module that is defined to create tunnel sessions.During each session creation a unique URL is created and some beacons are depended on it, which is dynamic modified to the respective files. When the server is stopped, it will be rewritten back to default. We have a separate module that creates a channel for WebSocket connection for updating real-time notification about the task as well it is used to update the target page for online status. The Monitor module is a multi-thread module to run in the background to check the status of the target machine and update the profile page whether the respective target machine is online or offline by sending an ICMP packet to the target and checks for the status of the machine.
Buzzard currently supports 9 post-exploitation modules and more to be added. Regarding providing a multi-platform support, the implants are only capable on running in Windows & Linux machines . Therefore buzzard is a flexible, easy to deploy, monitor and user friendly C2 server with a support providing the user a choice to choose it’s favorite programming language for beacon making it easy for him to debug them . The main goal still remains to make the beacons more persistent and making it more user-friendly & applying anti-reverse engineering traits making it a bit tougher for the defender to analyze these beacons.