cobbr / covenant
Covenant is a collaborative .NET C2 framework for red teamers.
Home Page: https://cobbr.io/Covenant.html
License: GNU General Public License v3.0
I ran a grunt, and I can see it with an ID (Grunt Name). That's great.
But when I restarted the grunt, its ID changed. The note I had written was gone at the same time. And it seems there are two grunts, and two grunts in the graph.
So, is there a way that when I restart the grunt, the ID of the grunt will not change?
Or was it not designed with this feature? Or did I not use it in the right way?
So I'm not sure if this is a Bug or a Feature Request.
Just a small thing, but presumably wmic os get /format:"file.xls" ought to read wmic os get /format:"file.xsl"?
Affected line:
Hey.
During the execution of commands, an error appears in Elite:
(Covenant: Grunts\69fc1b9cfa) > getsystem
[!] EliteMenu Exception: Operation returned an invalid status code 'BadRequest'
at Covenant.API.CovenantAPI.ApiGruntsByIdTaskingsPostWithHttpMessagesAsync(Int32 id, GruntTasking gruntTasking, Dictionary`2 customHeaders, CancellationToken cancellationToken) in /app/API/CovenantAPI.cs:line 6690
at Covenant.API.CovenantAPIExtensions.ApiGruntsByIdTaskingsPostAsync(ICovenantAPI operations, Int32 id, GruntTasking gruntTasking, CancellationToken cancellationToken) in /app/API/CovenantAPIExtensions.cs:line 1283
at Covenant.API.CovenantAPIExtensions.ApiGruntsByIdTaskingsPost(ICovenantAPI operations, Int32 id, GruntTasking gruntTasking) in /app/API/CovenantAPIExtensions.cs:line 1268
at Elite.Menu.Tasks.MenuCommandTaskStart.Command(MenuItem menuItem, String UserInput) in /app/Menu/Tasks/TaskMenuItem.cs:line 89
at Elite.Menu.Grunts.MenuCommandGruntInteractGetSystem.Command(MenuItem menuItem, String UserInput) in /app/Menu/Grunts/InteractGruntMenuItem.cs:line 1300
at Elite.Menu.EliteMenu.PrintMenu(String UserInput) in /app/Menu/EliteMenu.cs:line 122
(Covenant: Grunts\69fc1b9cfa) > powershell get-process
[!] EliteMenu Exception: Object reference not set to an instance of an object.
at Elite.Menu.Grunts.MenuCommandGruntInteractPowerShell.Command(MenuItem menuItem, String UserInput) in /app/Menu/Grunts/InteractGruntMenuItem.cs:line 602
at Elite.Menu.EliteMenu.PrintMenu(String UserInput) in /app/Menu/EliteMenu.cs:line 122
Covenant Error:
Task Compilation failed: CompilationErrors:
(7,16): error CS0246: The type or namespace name 'Tokens' could not be found (are you missing a using directive or an assembly reference?)
(7,31): error CS0246: The type or namespace name 'Tokens' could not be found (are you missing a using directive or an assembly reference?)
at Covenant.Core.Compiler.Compile(CompilationRequest request)
at Covenant.Models.Grunts.GruntTasking.Compile(String TaskCode, List`1 Parameters, List`1 ReferenceAssemblies, List`1 ReferenceSourceLibraries, List`1 EmbeddedResources, DotNetVersion dotNetFrameworkVersion) in /app/Models/Grunts/GruntTasking.cs:line 115
at Covenant.Controllers.GruntTaskingController.CreateGruntTasking(Int32 id, GruntTasking gruntTasking) in /app/Controllers/GruntTaskingController.cs:line 171
After restarting Covenant, the error disappears.
After sending several commands, the error appears again.
What is not configured?
Hi.
I install according to the instructions. I use the command: git clone --recurse-submodules https://github.com/cobbr/Covenant. I do the assembly in Docker, and there is no error. After starting, I get an error message:
Error: git submodules have not been initialized
Covenant's submodules can be cloned with: git clone --recurse-submodules https://github.com/cobbr/Covenant
Or initialized after cloning with: git submodule update --init --recursive.
Working system: Ubuntu 18.04, Docker 18.09.3, git 2.11.0.
What could be the problem?
Can I haz a button that turns on Dark Mode for the UI?
Thank you, kind sir.
The default task template for DCOMCommand always receives a "Parameter count mismatch" error when a task is issued. I created a workaround by using the same code and creating the following options:
This properly executes the command along with the forked commit I made to change the string comparisons to lowercase rather than CamelCase.
I believe default values for the above options can be used to ease the user:
In SharpSploit I have just been using the Command argument to = "cmd.exe", and prepending the Parameters argument with "/c " so that any command being input just appends to Parameters and doesn't touch Command, but I'll let you make the decision there.
After starting fresh to root out errors in my other issue, the build fails in Step 4/10 with the following error message:
---> Running in aa739e9eaf98
Microsoft (R) Build Engine version 16.2.32702+c4012a063 for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.
/usr/share/dotnet/sdk/2.2.402/NuGet.targets(123,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/app/Covenant.csproj]
/usr/share/dotnet/sdk/2.2.402/NuGet.targets(123,5): error : Resource temporarily unavailable [/app/Covenant.csproj]
The command '/bin/sh -c dotnet publish -c Release -o out' returned a non-zero code: 1
Commands do not run on the agents. I used shell and shellcmd for running whoami, but I got this error:
"Task Exception: Could not load file or assembly '25088 bytes loaded from 4sefqqcl.0bj, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An attempt was made to load a program with an incorrect format. at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource) at System.Reflection.Assembly.Load(Byte[] rawAssembly) at GruntExecutor.Grunt.TaskExecute(TaskingMessenger messenger, GruntTaskingMessage message)"
This is Ubuntu 19.04 x64
I got the victim back through powershell encoded command.
Hello there,
How hard would it be to use a stegano channel between the grunt and the control centre?
It will be pretty cool if the grunt can communicate, say, over Twitter. I am guessing I will have to implement a new CovenantAPI.cs?
Cheers.
Every time I create a task, it stays in uninitialized status. Any way to force it to run? Also, is there a way to kill a specific task on a grunt? I did not see that option anywhere.
In the wiki under the Launchers section the picture and description for the configuration option of CommType appears to have changed to Template in the most recent version of Covenant.
Here is the affected location (as close as I could get it): https://github.com/cobbr/Covenant/wiki/Launchers#binary-launcher
Hi guyz
Probably I am doing something wrong, but I cannot generate the files that the launchers require.
For example, when I try to generate an hta file I type "Write test.hta" and get an output without errors, [*] Wrote MshtaLauncher's hta to: "/app/Data/test.hta", but I cannot locate the file.
Any suggestions??
Thanks
I'm looking to set up an HTTPS listener with a TLS certificate, but the SSLCertificate doesn't seem to be handled properly. I see in the docs it expects a pfx file, but it doesn't actually upload when the POST is sent to create the listener (just the filename). When the form returns with the SSLCertificate error, and I resubmit the form, a key constraint error is thrown, resulting in a 500 error.
Screenshots and details below.
fail: Microsoft.EntityFrameworkCore.Database.Command[20102]
Failed executing DbCommand (1ms) [Parameters=[@p0='?', @p1='?' (Size = 7), @p2='?', @p3='?' (Size = 10), @p4='?', @p5='?' (Size = 516), @p6='?' (Size = 25), @p7='?' (Size = 12), @p8='?' (Size = 10), @p9='?', @p10='?' (Size = 10), @p11='?', @p12='?', @p13='?', @p14='?', @p15='?' (Size = 8), @p16='?' (Size = 22), @p17='?'], CommandType='Text', CommandTimeout='30']
INSERT INTO "Listeners" ("Id", "BindAddress", "BindPort", "ConnectAddress", "ConnectPort", "CovenantToken", "Description", "Discriminator", "GUID", "ListenerTypeId", "Name", "ProfileId", "StartTime", "Status", "SSLCertificate", "SSLCertificatePassword", "Url", "UseSSL")
VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14, @p15, @p16, @p17);
Microsoft.Data.Sqlite.SqliteException (0x80004005): SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
fail: Microsoft.EntityFrameworkCore.Update[10000]
An exception occurred in the database while saving changes for context type 'Covenant.Models.CovenantContext'.
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> Microsoft.Data.Sqlite.SqliteException: SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> Microsoft.Data.Sqlite.SqliteException: SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLP3C6FNE726", Request id "0HLP3C6FNE726:0000000F": An unhandled exception was thrown by the application.
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> Microsoft.Data.Sqlite.SqliteException: SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Covenant.Models.CovenantContext.CreateHttpListener(UserManager`1 userManager, IConfiguration configuration, HttpListener listener, ConcurrentDictionary`2 _ListenerCancellationTokens, IHubContext`1 _eventhub) in /app/Models/CovenantContext.cs:line 2527
at Covenant.Controllers.ListenerController.Create(HttpListener listener) in /app/Controllers/ViewControllers/ListenerController.cs:line 78
at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at System.Threading.Tasks.ValueTask`1.get_Result()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
fail: Microsoft.EntityFrameworkCore.Database.Command[20102]
Failed executing DbCommand (1ms) [Parameters=[@p0='?', @p1='?' (Size = 7), @p2='?', @p3='?' (Size = 12), @p4='?', @p5='?' (Size = 516), @p6='?' (Size = 25), @p7='?' (Size = 12), @p8='?' (Size = 10), @p9='?', @p10='?' (Size = 18), @p11='?', @p12='?', @p13='?', @p14='?', @p15='?' (Size = 8), @p16='?' (Size = 24), @p17='?'], CommandType='Text', CommandTimeout='30']
INSERT INTO "Listeners" ("Id", "BindAddress", "BindPort", "ConnectAddress", "ConnectPort", "CovenantToken", "Description", "Discriminator", "GUID", "ListenerTypeId", "Name", "ProfileId", "StartTime", "Status", "SSLCertificate", "SSLCertificatePassword", "Url", "UseSSL")
VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14, @p15, @p16, @p17);
Microsoft.Data.Sqlite.SqliteException (0x80004005): SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
fail: Microsoft.EntityFrameworkCore.Update[10000]
An exception occurred in the database while saving changes for context type 'Covenant.Models.CovenantContext'.
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> Microsoft.Data.Sqlite.SqliteException: SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> Microsoft.Data.Sqlite.SqliteException: SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLP3C6FNE72F", Request id "0HLP3C6FNE72F:00000003": An unhandled exception was thrown by the application.
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> Microsoft.Data.Sqlite.SqliteException: SQLite Error 19: 'UNIQUE constraint failed: Listeners.Id'.
at Microsoft.Data.Sqlite.SqliteException.ThrowExceptionForRC(Int32 rc, sqlite3 db)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReader(CommandBehavior behavior)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.Data.Sqlite.SqliteCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken)
at Covenant.Models.CovenantContext.CreateHttpListener(UserManager`1 userManager, IConfiguration configuration, HttpListener listener, ConcurrentDictionary`2 _ListenerCancellationTokens, IHubContext`1 _eventhub) in /app/Models/CovenantContext.cs:line 2527
at Covenant.Controllers.ListenerController.Create(HttpListener listener) in /app/Controllers/ViewControllers/ListenerController.cs:line 78
at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at System.Threading.Tasks.ValueTask`1.get_Result()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
It appears that Covenant does not support IPv6.
~/Covenant/Covenant$ dotnet run --username XXX --password XXXX -c [9000:470:b2b5:cafe:XXXX:XXXX:XXX:XXX]
Using launch settings from /home/covi/Covenant/Covenant/Properties/launchSettings.json...
Failed to initialize CoreCLR, HRESULT: 0x80070057
Step 1:
git clone --recurse-submodules https://github.com/cobbr/Covenant
Step 2:
cd into /tmp/Covenant/Covenant
docker build -t covenant .
Container successfully builds image
Step 3:
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v /root/tmp/Covenant/Covenant/Data:/app/Data covenant --username AdminUser --computername 0.0.0.0
ERROR:
Error: git submodules have not been initialized
Covenant's submodules can be cloned with: git clone --recurse-submodules https://github.com/cobbr/Covenant
Or initialized after cloning with: git submodule update --init --recursive
Step 4: docker rm covenant
Step 5: git submodule update --init --recursive
Step 6: Rebuild container and try again
Same ERROR as above:
Using Kali Linux 2019 x64
Hi,
I've been unable to get most of the tasks I'm trying to execute. I've only had success with Rubeus Kerberoast and Seatbelt so far. The error I'm receiving when trying, for example, SamDump, Mimikatz lsadump::sam, Safetykatz, ShellCmds and many others is below.
Task Exception: Could not load file or assembly '744960 bytes loaded from hodvz3ev.ine, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An attempt was made to load a program with an incorrect format.
at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource)
at System.Reflection.Assembly.Load(Byte[] rawAssembly)
at GruntExecutor.Grunt.TaskExecute(TaskingMessenger messenger, GruntTaskingMessage message)
I've built Covenant from scratch on both dotnet and docker, ensuring I recurse sub-modules when I clone.
Covenant platform: Ubuntu 16.04 4.4.0-146-generic
Target OS: Windows 10 1903 (18362.239)
Target .NET version: Net40
Tested on Chrome 76.0.3809.100 and Opera 63.0.3368.35
Any help would be greatly appreciated.
Hi Ryan, first I want to thank you for these awesome tools you are creating :)
I wanted to report something that I think is not working properly: the MakeToken Task (and probably all the token-related things).
First, I've confirmed that the method is working properly in SharpSploit, as can be seen in this image:
But when you make the token in a Covenant session, it seems there is something failing in the logic of how the token is applied. From my little knowledge, I guess this is happening because whenever you use a new Task (Shell, Powershell, WmiGrunt...) they are executed in another "environment" where our new token is not present.
Thank you very much!!
Output format is currently a b64 .xml when using the web GUI generate -> download.
Assuming that this should instead be a binary dll?
Feature Request or Bug
Bug
Describe the feature request or bug
I have been playing with Covenant and listeners with a BindPort different from their ConnectPort. When I create new listeners, they are started on the correct port (BindPort). However, if I restart the listener, either through the web interface or by restarting Covenant, the listeners seem to start up listening on the ConnectPort.
In the SQLite database, it seems like the BindPort is set correctly initially (although the interface displays the ConnectPort in the BindPort field), but when the listener is restarted, the BindPort is changed in the database as well.
To Reproduce
Steps to reproduce the behavior:
netstat -pln will show that Covenant is listening to port 9876
netstat -pln will now show that Covenant is listening to port 6789
Expected behavior
The BindPort should not change when restarting the listener. The interface should also display the correct BindPort.
Covenant Server Information:
Browser Information:
Additional context
Built from the latest commit (02b221a)
Hi,
I've tried a couple of different launchers (PowerShell and a v4.0 binary) triggered by a local admin but in each instance I'm getting successful escalation messages that don't appear to be true. In all of the below examples my Grunt integrity is showing as 'High'.
Confirming user
(Covenant: Grunts\96f55d128a) > whoami
[*] Started Task: WhoAmI on Grunt: 96f55d128a as GruntTask: 5a246d1dd6
(Covenant: Grunts\96f55d128a) >
[*] Grunt: 96f55d128a has completed GruntTasking: 5a246d1dd6
(Covenant: Grunts\96f55d128a) >
testdomain\localadmin
(Covenant: Grunts\96f55d128a) > getsystem
[*] Started Task: GetSystem on Grunt: 96f55d128a as GruntTask: c2c25a98c1
(Covenant: Grunts\96f55d128a) >
[*] Grunt: 96f55d128a has completed GruntTasking: c2c25a98c1
(Covenant: Grunts\96f55d128a) >
Successfully impersonated: NT AUTHORITY\SYSTEM
(Covenant: Grunts\96f55d128a) > whoami
[*] Started Task: WhoAmI on Grunt: 96f55d128a as GruntTask: 9f9859dd3e
(Covenant: Grunts\96f55d128a) >
[*] Grunt: 96f55d128a has completed GruntTasking: 9f9859dd3e
(Covenant: Grunts\96f55d128a) >
testdomain\localadmin
Samdump
Successfully impersonated: NT AUTHORITY\SYSTEM
(Covenant: Grunts\96f55d128a) > SamDump
[*] Started Task: Mimikatz on Grunt: 96f55d128a as GruntTask: 19b8e7dcb4
(Covenant: Grunts\96f55d128a) >
[*] Grunt: 96f55d128a has completed GruntTasking: 19b8e7dcb4
(Covenant: Grunts\96f55d128a) >
.#####. mimikatz 2.1.1 (x64) built on Oct 22 2018 16:32:27
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
gentilkiwi
( [email protected] )'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::sam
Domain : UK-WKS-10
SysKey : 932953b3dc6a918bf81a99332d07326b
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)
Running 'ImpersonateUser "NT AUTHORITY\SYSTEM"' again shows a success but seemingly doesn't elevate my privs. I've tried impersonating SYSTEM owned processes but no luck either.
EDIT:
Forgot to add it's running on Win10 (Microsoft Windows NT 6.2.9200.0)
Hi Ryan :)
I've been playing around these days with Covenant and I've realized that MakeToken's functionality may not be working as intended.
The new token created with MakeToken does not seem to be working with Shellcmd. However, with PowerShell it does:
When using MakeToken with a low-priv user, only the logon type LOGON32_LOGON_NEW_CREDENTIALS seems to work. If another one is used, let's say LOGON32_LOGON_INTERACTIVE, the session breaks.
However, when doing this same process with an admin user, it succeeds:
I've seen that MakeToken is using
As Microsoft remarks, admin should not be needed (https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser):
All impersonate functions, including ImpersonateLoggedOnUser allow the requested impersonation if one of the following is true:
...
A process (or another process in the caller's logon session) created the token using explicit credentials through LogonUser or LsaLogonUser function.
...
Many thanks!!
Trying to figure out if this issue is on the Covenant side or the Elite side. I built both sides with dotnet-2.1 sdk on the latest Kali Linux.
For covenant:
dotnet run --username AdminUser --computername 192.168.0.2
For elite:
dotnet run --username AdminUser --computer 192.168.0.2
Elite asks for the password and then asks for the Covenant CertHash. I tried both leaving it empty and copying the hash from Covenant's line "Using Covenant certificate with hash: xxxxxxx"
Covenant demon$ docker build -t covenant .
Sending build context to Docker daemon 25.05 MB
Step 1/11 : FROM microsoft/dotnet:2.1-sdk as build
Error parsing reference: "microsoft/dotnet:2.1-sdk as build" is not a valid repository/tag: invalid reference format
Is it possible to make Covenant start up with the System? make it persistent like services in systemctl?
When trying to run tasks on Grunts, Getting powershell errors.
Local OS : Linux kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-6kali1 (2019-07-22) x86_64 GNU/Linux
.NET version - .NET Core 2.2
Target OS - Windows 10 Build 1803
Browser version - Firefox Version 60.8.0esr (64-bit)
An SMB listener would be useful in environments with subnetting, VLANs, or machines without Internet access.
I figured this could be implemented with a new listener type (SmbListener), and Launchers could then be generated with the SMB listener payload. A link command would need to be implemented within Grunt to connect and then proxy the traffic.
I'm diving into the source code to see how difficult this would be to implement. I make no promises and will definitely need help.
It'll be nice if we could navigate to any of the main menu options while in a particular menu, such as "Listeners." For example, if I just started a new Listener and I want to start a launcher, I should be able to immediately jump to the launcher menu by typing "launcher" rather than having to go back and then type launcher.
I would really love to have some way in the UI to modify or delete entries in the Data section. I think it would alternatively make sense to be able to purge everything to start over with a "fresh" covenant.
Is there any guidance for UI modifications? I could try to at least implement the purge functionality.
First, excellent work. Very impressed.
I'm using Covenant with an Apache redirector that I configured to match based on UA string in the HttpProfile. However, the requests arrive at the redirector without any user agent string present.
ex:
"GET /index.html HTTP/1.1" 200 336 "-" "-"
"GET /login.aspx HTTP/1.1" 200 336 "-" "-"
"GET /home/index HTTP/1.1" 200 336 "-" "-"
Also, if I create or change a profile it seems that I need to stop covenant, remove the db, and restart it for the profile options to be re-cached. Is there a better method?
Is it possible to add local/remote port forwarding option?
Hello,
I have this error while trying to launch Covenant with docker, it happens just after the password entry :
Unhandled Exception: System.IO.FileNotFoundException: Could not find file '/app/appsettings.json'.
b__0() in /app/Covenant.cs:line 73
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
at System.IO.File.InternalReadAllText(String path, Encoding encoding)
at System.IO.File.ReadAllText(String path)
at Covenant.Program.<>c.b__1_1(WebHostBuilderContext hostingContext, IConfigurationBuilder config) in /app/Covenant.cs:line 152
at Microsoft.AspNetCore.Hosting.WebHostBuilder.BuildCommonServices(AggregateException& hostingStartupErrors)
at Microsoft.AspNetCore.Hosting.WebHostBuilder.Build()
at Covenant.Program.<>c__DisplayClass0_0.
at Covenant.Program.Main(String[] args) in /app/Covenant.cs:line 119
Any help ? :)
The ConnectAttempts parameter, as defined in the wiki, is the number of consecutive times a grunt will attempt to poll the listener before quitting. If a grunt cannot reach the listener and fails to successfully poll the listener more times than the ConnectAttempts value, it will quit.
The grunt quits even if it's reaching the listener (at least if it's not receiving any command from the operator). You can reproduce this by reducing the ConnectAttempts to 10. The grunt stops polling after a minute of no interaction, even if the listener is answering correctly. Is this the expected behaviour?
Hi Ryan,
Thanks for your work on this tool.
I'm currently testing this on Kali and tried the dotnet method which did not work due to the bug you mentioned in a previous issue. I then tried docker and keep getting the following error below.
Appreciate your help with this. Thanks!
2019-02-14 18:35:31.0733||ERROR|Covenant.Program|Covenant stopped due to exception System.NullReferenceException: Object reference not set to an instance of an object.
at Covenant.Program.<>c__DisplayClass1_0.b__4(HttpsConnectionAdapterOptions httpsOptions) in /app/Covenant.cs:line 144
at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
at Covenant.Program.<>c__DisplayClass1_0.<BuildWebHost>b__3(ListenOptions listenOptions) in /app/Covenant.cs:line 127
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.Listen(IPEndPoint endPoint, Action`1 configure)
at Microsoft.Extensions.Options.ConfigureNamedOptions`1.Configure(String name, TOptions options)
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at Microsoft.Extensions.Options.OptionsManager`1.<>c__DisplayClass5_0.<Get>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
at Microsoft.Extensions.Options.OptionsManager`1.Get(String name)
at Microsoft.Extensions.Options.OptionsManager`1.get_Value()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.CreateServiceContext(IOptions`1 options, ILoggerFactory loggerFactory)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer..ctor(IOptions`1 options, ITransportFactory transportFactory, ILoggerFactory loggerFactory)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, ServiceProviderEngineScope scope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(IServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitScoped(ScopedCallSite scopedCallSite, ServiceProviderEngineScope scope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitSingleton(SingletonCallSite singletonCallSite, ServiceProviderEngineScope scope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(IServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.DynamicServiceProviderEngine.<>c__DisplayClass1_0.b__0(ServiceProviderEngineScope scope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProvider.GetService(Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureServer()
at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
at Microsoft.AspNetCore.Hosting.Internal.WebHost.StartAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String shutdownMessage)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
at Covenant.Program.<>c__DisplayClass0_0.
Hey, the bypass uac command and bypass uac grunt modules do not appear to give an elevated shell.
The following image shows 3 grunts.
Manual_UAC_ByPass - used powershell in an elevated cmd by manually right clicking and running cmd.exe as an administrator
GruntByPAss - used "BypassUACGrunt PowerShell" from the medium integrity grunt
20f748d281 - grunt used to get a high integrity shell (GruntByPAss)
SafetyKatz etc. fails to run on a high integrity grunt when using BypassUACGrunt or BypassUACCommand.
When running whoami /priv we can see that it fails to properly elevate the shell and thus unable to impersonate SYSTEM / Run mimikatz etc.
Manual_UAC_ByPass:
I have a grunt successfully connected to the Covenant instance, and I can interact with it normally on first access of the grunt page.
But when I leave the grunt page, I cannot return to it, even though the grunt is marked as active in the overview.
When I click on the link, I only get a blank page with error 500.
Firefox Console shows the following Error Message:
The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature.
There's no error message in the console window where the container runs.
When I reconnect the grunt, interaction is possible again until I leave the page.
Launchers/Grunts, which are using a COM activated Delegate throw a "mscorlib: Object reference not set to an instance of an object."
I want to implement the other persistence functions from PowerSploit, but I can only get the new tasks to show in the ui after deleting the covenant.db file. Is there any other way to inline update the database with the new created tasks?
First, thank you for this awesome framework.
When running the command PortScan example-hostname 445 the following error is encountered:
[!] EliteMenu Exception: Operation returned an invalid status code 'BadRequest'
at Covenant.API.CovenantAPI.ApiGruntsByIdTaskingsPostWithHttpMessagesAsync(Int32 id, GruntTasking gruntTasking, Dictionary`2 customHeaders, CancellationToken cancellationToken) in /app/API/CovenantAPI.cs:line 4792
at Covenant.API.CovenantAPIExtensions.ApiGruntsByIdTaskingsPostAsync(ICovenantAPI operations, Int32 id, GruntTasking gruntTasking, CancellationToken cancellationToken) in /app/API/CovenantAPIExtensions.cs:line 912
at Covenant.API.CovenantAPIExtensions.ApiGruntsByIdTaskingsPost(ICovenantAPI operations, Int32 id, GruntTasking gruntTasking) in /app/API/CovenantAPIExtensions.cs:line 897
at Elite.Menu.Tasks.MenuCommandTaskStart.Command(MenuItem menuItem, String UserInput) in /app/Menu/Tasks/TaskMenuItem.cs:line 89
at Elite.Menu.Grunts.MenuCommandGruntInteractPortScan.Command(MenuItem menuItem, String UserInput) in /app/Menu/Grunts/InteractGruntMenuItem.cs:line 658
at Elite.Menu.EliteMenu.PrintMenu(String UserInput) in /app/Menu/EliteMenu.cs:line 122
Following this, running the command ls in the Grunt results in the following error:
(Covenant: Grunts\403887a32c) > ls
[!] EliteMenu Exception: Object reference not set to an instance of an object.
at Elite.Menu.Grunts.MenuCommandGruntInteractListDirectory.Command(MenuItem menuItem, String UserInput) in /app/Menu/Grunts/InteractGruntMenuItem.cs:line 157
at Elite.Menu.EliteMenu.PrintMenu(String UserInput) in /app/Menu/EliteMenu.cs:line 122
When running the help command it is observed that the Task command in the help output is now overwritten by PortScan:
(Covenant: Grunts\403887a32c) > Help
Help
====================================================================================================================================================================
PortScan <task_name> Task a Grunt to do something.
Help Display Help for this menu.
Back Navigate Back one menu level.
Exit Exit the Elite console.
Show Show details of the Grunt.
Set <option> <value> Set a Grunt Variable.
whoami Gets the username of the currently used/impersonated token.
ls Get a listing of the current directory.
cd <append_directory> Change the current directory.
ps Get a list of currently running processes.
RegistryRead <regpath> Reads a value stored in registry.
RegistryWrite <regpath> <value> Writes a value into the registry.
Upload <file_path> Upload a file.
Download <file_name> Download a file.
Assembly <assembly_path> <type_name> <method_name> Execute a .NET Assembly.
SharpShell <c#_code> Execute C# code.
Shell <shell_command> Execute a Shell command.
PowerShell <powershell_code> Execute a PowerShell command.
PowerShellImport <file_path> Import a local PowerShell file.
PortScan <computer_names> <ports> <ping> Conduct a TCP port scan of specified hosts and ports.
Mimikatz <command> Execute a Mimikatz command.
LogonPasswords Execute the Mimikatz command "sekurlsa::logonPasswords".
SamDump Execute the Mimikatz command "lsadump::sam".
LsaSecrets Execute the Mimikatz command "lsadump::secrets".
DCSync <user> <fqdn> <dc> Execute the Mimikatz command "lsadump::dcsync".
Kerberoast <usernames> <hash_format> Perform a "kerberoasting" attack to retreive crackable SPN tickets.
GetDomainUser <identities> Gets a list of specified (or all) user `DomainObject`s in the current Domain.
GetDomainGroup <identities> Gets a list of specified (or all) group `DomainObject`s in the current Domain.
GetDomainComputer <identities> Gets a list of specified (or all) computer `DomainObject`s in the current Domain...
GetNetLocalGroup <computernames> Gets a list of `LocalGroup`s from specified remote computer(s).
GetNetLocalGroupMember <computernames> <localgroup> Gets a list of `LocalGroupMember`s from specified remote computer(s).
GetNetLoggedOnUser <computernames> Gets a list of `LoggedOnUser`s from specified remote computer(s).
GetNetSession <computernames> Gets a list of `SessionInfo`s from specified remote computer(s).
ImpersonateUser <username> Find a process owned by the specified user and impersonate the token. Used to ex...
ImpersonateProcess <processid> Impersonate the token of the specified process. Used to execute subsequent comma...
GetSystem Impersonate the SYSTEM user. Equates to ImpersonateUser("NT AUTHORITY\SYSTEM").
MakeToken <username> <domain> <password> <logontype> Makes a new token with a specified username and password, and impersonates it to...
RevertToSelf Ends the impersonation of any token, reverting back to the initial token associa...
WMI <computername> <username> <password> <launcher> <command> Obtain a new Grunt through WMI lateral movement by executing a Launcher on a rem...
DCOM <computername> <launcher> <command> <method> Execute a process on a remote system using various DCOM methods.
BypassUAC <launcher> <command> Obtain a new high-integrity Grunt by bypassing UAC through token duplication.
TaskOutput <completed_task_name> Show the output of a completed task.
During this time Covenant outputs the following error:
Task Compilation failed: CompilationErrors:
(11,9): error CS0246: The type or namespace name 'List<>' could not be found (are you missing a using directive or an assembly reference?)
(12,9): error CS0246: The type or namespace name 'List<>' could not be found (are you missing a using directive or an assembly reference?)
at Covenant.Core.Compiler.Compile(CompilationRequest request)
at Covenant.Models.Grunts.GruntTasking.Compile(String TaskCode, List`1 Parameters, List`1 ReferenceAssemblies, DotNetVersion dotNetFrameworkVersion) in /app/Models/Grunts/GruntTasking.cs:line 95
at Covenant.Controllers.GruntTaskingController.CreateGruntTasking(Int32 id, GruntTasking gruntTasking) in /app/Controllers/GruntTaskingController.cs:line 182
Please let me know what else you need from me. Thank you again for this awesome work.
To achieve (at least for the user) less visibility, the binary launcher could use WindowsApplication as outputKind, similar to csc with -target:winexe.
That would cause the console application window to disappear.
When creating or editing a Listener profile the functionality to add additional HttpRequestHeaders does not do anything. Not sure if this is as expected but I have tried editing the default HttpProfile as well as creating a custom profile.
I would assume a VM sandbox, but what OS?
This error I could not figure out.
The following is the error output from a Grunt implant (NET40 binary) of the DCOMCommand function that's supposed to be hooking into SharpSploit:
DCOM Failed: Retrieving the COM class factory for remote component with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} from machine DOMAINCOMPUTER.LAB failed due to the following error: 800706ba DOMAINCOMPUTER.LAB.
DCOM Failed: Retrieving the COM class factory for remote component with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} from machine DOMAINCOMPUTER.LAB failed due to the following error: 800706ba DOMAINCOMPUTER.LAB.
DCOM Failed: Retrieving the COM class factory for remote component with CLSID {49B2791A-B1AE-4C90-9B8E-E860BA07F889} from machine DOMAINCOMPUTER.LAB failed due to the following error: 800706ba DOMAINCOMPUTER.LAB.
The curious issue here is that I used both a PowerShell script I created and my own compiled wrapper of SharpSploit to execute the same command via DCOM, and all three of those method objects worked against the same exact system (i.e. MMC20.Application, ShellWindows, ShellBrowserWindow). Happy to work with you on this one.
Hi - I've been using a Binary Launcher which works fine. Thought I'd take a look at generating the GruntStager code and compiling myself. Can't seem to get this to connect to the C2 server though. Always fails in the same place with a 404 from the server:
GET /index.html HTTP/1.1
Server: Microsoft-IIS/7.5
Host: x.x.x.x
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 03 Jun 2019 11:25:10 GMT
Server: Microsoft-IIS/7.5
Content-Length: 0
POST /home/index HTTP/1.1
Server: Microsoft-IIS/7.5
Host: x.x.x.x
Content-Length: 1038
Expect: 100-continue
HTTP/1.1 100 Continue
i=a19ea23062db990386a3a478cb89d52e&data=[removed]&session=75db-99b1-25fe4e9afbe58696-320bea73
HTTP/1.1 404 Not Found
Date: Mon, 03 Jun 2019 11:25:10 GMT
Server: Microsoft-IIS/7.5
Content-Length: 0
Hi.
How to set up the autorun command when the Grunt implant is first connected?
Thank you.