
[center]GhostPack Cracked Beacon Object File Software[/center]

[center]

Koh is a Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage.

Some code was inspired by Elad Shamir's Internal-Monologue project (no license), as well as KB180548. For why this is possible and Koh's approach, see the Technical Background section of this README.

For a deeper explanation of the motivation behind Koh and its approach, see the Koh: The Token Stealer post.

@harmj0y is the primary author of this code base. @tifkin_ helped with the approach, BOF implementation, and some token mechanics.

Koh is licensed under the BSD 3-Clause license.

Table of Contents

Koh
  Table of Contents
  Koh Server
    Compilation
    Usage
      Example - Listing Logon Sessions
      Example - Monitoring for Logon Sessions (with group SID filtering)
  Koh Client
    Usage
      Group SID Filtering
      Example - Capture
  Technical Background
    Why This Is Possible
    Approach
      Possible Approaches
      Our Approach
    Advantages/Disadvantages Versus Traditional Credential Extraction
      Advantages
      Disadvantages
  The Inline Shenanigans Bug
  IOCs
  Mitigations
  TODO

Koh Server
The Koh "server" captures tokens and uses named pipes for control/communication. This can be wrapped in Donut and injected into any high-integrity SYSTEM process (see The Inline Shenanigans Bug).

Compilation
We are not planning on releasing binaries for Koh, so you will have to compile it yourself.

Koh has been built against .NET 4.7.2 and is compatible with Visual Studio 2019 Community Edition. Simply open up the project .sln, choose "Release", and build. The Koh.exe assembly and Koh.bin Donut-built PIC will be output to the main directory. The Donut blob is both x86/x64 compatible, and is built with the following options using v0.9.3 of Donut at ./Misc/Donut.exe:

  [ Instance type : Embedded
  [ Entropy       : Random names + Encryption
  [ Compressed    : Xpress Huffman
  [ File type     : .NET EXE
  [ Parameters    : capture
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : abort
Donut's license is BSD 3-clause.

Usage
Koh.exe <list | monitor | capture> [GroupSID... GroupSID2 ...]

list - lists (non-network) logon sessions
monitor - monitors for new/unique (non-network) logon sessions
capture - captures one unique token per SID found for new (non-network) logon sessions
Group SIDs can also be supplied on the command line, causing Koh to monitor/capture only logon sessions that contain the specified group SIDs in their negotiated token information.
 

[/center]

