Saturday, 15 May 2021

Alan - A post exploitation framework


Twitter: @s4tan
Download: GitHub (use this repo to report issues)
Documentation: https://github.com/enkomio/AlanFramework/tree/main/doc

I decided to dedicate a bit of my free time to develop a new project: Alan, a post exploitation framework. Doing red-team activities is not my main job, but I like this field and, as a malware analyst, I analyze a lot of programs that have a very similar intent.

The Alan concept is simple: the operator creates an agent file that is executed on the compromised host and receives commands from a server under the control of the operator. The goal of the project is to provide a framework whose primary target is red-team activities. I implemented it by using C/Assembly for the agent and F# as backend (with .NET Core, which ensures execution on various OSes).

Alan is implemented by considering weaknesses and missing features that I found in some of the currently available red-teaming tools. For example, a lot of tools claim that the traffic with the server is encrypted but they embed the key inside the request, or, in other cases, the key can be retrieved if the binary is available for reversing (too often I found a key generation algorithm based on a seed that can be easily computed).
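The seed-derived key weakness mentioned above is easy to show concretely. The following is an added example, not code from Alan or from any of the tools the post refers to: it assumes a hypothetical agent design in which the traffic key is SHA-256 of a Unix timestamp and the key is used to authenticate a request with an HMAC. An analyst who can estimate when the capture was taken only needs to try the seeds in a window around that time, so the effective key space is the size of the window, not 256 bits. The same routine, fed a key generated from the OS CSPRNG, finds nothing, which is the check a tool author should apply to their own design: if the key can be recomputed from anything an observer can also compute, it is not a secret.

```python
import hashlib
import hmac
import secrets

# Constructed values: the assumed capture time and the seed the weak agent
# actually used (here, a timestamp 1234 seconds before the capture).
OBSERVED_TIME = 1_621_065_600
SECRET_SEED = OBSERVED_TIME - 1234
MESSAGE = b"GET /index.html HTTP/1.1"   # constructed request the analyst observed


def key_from_seed(seed: int) -> bytes:
    """Weak pattern (hypothetical): key is a deterministic function of a low-entropy seed."""
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()


def random_key() -> bytes:
    """Sound pattern: 256 bits from the OS CSPRNG; nothing an observer can recompute."""
    return secrets.token_bytes(32)


def tag_message(key: bytes, message: bytes) -> bytes:
    """Authentication tag as the hypothetical agent would attach it to a request."""
    return hmac.new(key, message, hashlib.sha256).digest()


def recover_seed(message: bytes, tag: bytes, centre: int, window: int):
    """Try every seed in [centre - window, centre + window]; return the one that
    reproduces the observed tag, or None if no candidate matches."""
    for seed in range(centre - window, centre + window + 1):
        candidate = tag_message(key_from_seed(seed), message)
        if hmac.compare_digest(candidate, tag):
            return seed
    return None


def seed_space_size(window: int) -> int:
    """Number of candidates the analyst has to try for a given window (in seconds)."""
    return 2 * window + 1


if __name__ == "__main__":
    observed_tag = tag_message(key_from_seed(SECRET_SEED), MESSAGE)
    # One hour either side of the capture time: 7201 candidates instead of 2**256.
    print("weak design, recovered seed:", recover_seed(MESSAGE, observed_tag, OBSERVED_TIME, 3600))
    print("candidates tried at most:", seed_space_size(3600))
    strong_tag = tag_message(random_key(), MESSAGE)
    print("random key, recovered seed:", recover_seed(MESSAGE, strong_tag, OBSERVED_TIME, 3600))
```

The window of 3600 seconds is an assumption for the example; the point is that any seed an observer can bound to a small range gives a key space of that range's size, whatever the hash used to stretch it.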

A post-exploitation tool

Alan supports a good amount of features allowing the operator to further compromise the target after the initial exploitation. The Alan agent can be deployed in various formats, such as executable, DLL, PowerShell and shellcode. Below you can find a video that shows how to create an agent and interact with it by launching a command shell on the remote host.



The agent can be easily customized, and flexibility is a key feature for Alan. The agent profile can be updated at runtime, which means that you can change the server address or even the communication protocol! The video below shows how to change the agent profile at runtime by specifying a different server port and moving from HTTP to HTTPS.



Security Operations

Being caught by a blue team is something that should be avoided if you don't want to lose access to your target. Unfortunately, network traffic is something that cannot be hidden. Alan encrypts the network traffic in a strong way, but even if encrypted, the requests might look suspicious. To avoid raising any alerts, the operator can increase the delay between two requests or customize the requests and server responses to look like normal HTTP traffic from a known application. The video below shows the following features:
  • Create a PowerShell agent
  • Migrate to the notepad.exe process. When the migration is completed, in the Fiddler window it is possible to see that the process sending requests has become notepad.exe
  • A command shell is executed and the original agent PowerShell file is deleted. By deleting the file there is no trace of the agent on disk and the execution is performed only in-memory. Then, the operator downloads some files to his system
  • The HTTP network traffic is inspected. The agent network traffic looks like normal traffic to an nginx server with a default installation
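The scenario in the video also shows where a defender's signal lives once request and response bodies have been made to look like ordinary nginx traffic: the payload is no longer useful, but the host-side fact that notepad.exe is the process opening the connection, and the regular cadence of those connections, still are. The following is an added example, not part of Alan or of the post, that runs two such checks over constructed per-process connection records (the line format and the list of "never talks to the network" binaries are assumptions, to be replaced by the telemetry and baseline of the environment at hand): it flags connections from processes that have no business using the network, and it flags process/destination pairs that connect at near-constant intervals.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry in the style of a per-process network-connection
# event (timestamp, image path, destination, protocol). Not real Sysmon/EDR output.
SAMPLE_EVENTS = [
    r"2021-05-15T10:00:01Z image=C:\Windows\System32\notepad.exe dest=203.0.113.10:443 proto=tcp",
    r"2021-05-15T10:00:09Z image=C:\Program Files\Google\Chrome\Application\chrome.exe dest=198.51.100.7:443 proto=tcp",
    r"2021-05-15T10:00:40Z image=C:\Program Files\Google\Chrome\Application\chrome.exe dest=198.51.100.7:443 proto=tcp",
    r"2021-05-15T10:01:01Z image=C:\Windows\System32\notepad.exe dest=203.0.113.10:443 proto=tcp",
    r"2021-05-15T10:01:30Z image=C:\Program Files\Google\Chrome\Application\chrome.exe dest=198.51.100.21:443 proto=tcp",
    r"2021-05-15T10:02:01Z image=C:\Windows\System32\notepad.exe dest=203.0.113.10:443 proto=tcp",
    r"2021-05-15T10:03:01Z image=C:\Windows\System32\notepad.exe dest=203.0.113.10:443 proto=tcp",
    r"2021-05-15T10:04:55Z image=C:\Program Files\Google\Chrome\Application\chrome.exe dest=198.51.100.7:443 proto=tcp",
]

# Assumed baseline: binaries that should never initiate network connections. Tune per estate.
NON_NETWORK_PROCESSES = {"notepad.exe", "calc.exe", "mspaint.exe"}

# key=value pairs; the value runs up to the next " key=" so image paths may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one constructed event line into a dict with a parsed time and base process name."""
    ts, rest = line.split(" ", 1)
    ev = dict(_KV.findall(rest))
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["process"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev


def unexpected_network_processes(lines):
    """Heuristic 1: a process from the no-network baseline opened a connection."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["process"] in NON_NETWORK_PROCESSES:
            hits.append((ev["time"].isoformat(), ev["process"], ev["dest"]))
    return hits


def beacon_candidates(lines, min_events=4, max_cv=0.1):
    """Heuristic 2: the same process reaches the same destination at near-constant
    intervals. Regularity is measured as the coefficient of variation of the gaps
    (population std dev / mean); pairs with fewer than min_events are skipped."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_pair[(ev["process"], ev["dest"])].append(ev["time"])
    found = []
    for (proc, dest), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((proc, dest, round(avg, 1)))
    return found


if __name__ == "__main__":
    for hit in unexpected_network_processes(SAMPLE_EVENTS):
        print("unexpected network activity:", hit)
    for cand in beacon_candidates(SAMPLE_EVENTS):
        print("regular beacon candidate (process, dest, mean interval s):", cand)
```

The second check is the weaker of the two against what the post describes: increasing and randomizing the delay between requests raises the coefficient of variation above any fixed threshold. The first check does not depend on timing or on the content of the traffic at all, which is why process-to-connection attribution is worth collecting even when the HTTP layer is indistinguishable from a stock web server.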




In the next release I'll implement additional features and strengthen the code a bit to try to avoid easy detection by AVs ;)