Koadic: New Features and Video Demonstration

Oct 29, 2018

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (i.e., JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3.

In this video, I highlight some notable features and modules that have been added to Koadic.

The ‘creds’ command is Koadic’s credential store and was inspired by Powershell Empire. When a user runs any of the credential gathering implants in Koadic, the results get parsed and are placed in the store. Koadic takes a different approach to credential storage than other tools do. First, Koadic treats users, especially domain users, as single entities. This means that any passwords or hashes relating to a user should correspond to that user, and Koadic corrals all of this information into a single entry for that user. Second, Koadic distinguishes credentials that are actively useful from those that are not. By making this distinction, the credential store shows useful credentials to the user by default instead of everything at once.

The ‘enum_domain_info’ module not only gives a user useful insight into a domain, it also informs Koadic about these domains, and Koadic uses this info to extend the functionality of other commands to make them more useful. For example, after gathering domain information, a user could run the ‘creds’ command with a flag that defines a domain, and Koadic will return any useful credentials that it has gathered for Domain Administrators.
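The two design points above (one entry per user that merges every secret seen for that account, a "useful" filter applied by default, and a domain-aware query once domain facts are known) can be shown as a small data model. The following is an added example written for this page, not Koadic's own code: the record fields (`domain`, `user`, `password`, `ntlm`, `source`), the `UserEntry`/`CredStore` names, and the "useful" criterion (at least one plaintext password or a non-empty NT hash) are assumptions chosen for illustration, and the input records are constructed. The same consolidation is what an incident responder does when triaging which accounts need rotation after exposed credentials are reported.

```python
"""Per-user credential store: merge every secret seen for the same account
into one entry, show only 'useful' entries by default, and let domain facts
(e.g. who is a Domain Admin) narrow the query."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed "useful" rule for this example (not Koadic's own): an entry counts
# when it holds a plaintext password or an NT hash other than the empty-password hash.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string


@dataclass
class UserEntry:
    domain: str
    user: str
    passwords: Set[str] = field(default_factory=set)
    nt_hashes: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)  # which implant/report produced it

    def useful(self) -> bool:
        real_hashes = {h for h in self.nt_hashes if h != EMPTY_NT_HASH}
        return bool(self.passwords or real_hashes)


@dataclass
class CredStore:
    # key: (domain, user), both lower-cased so CORP\alice and corp\Alice merge
    entries: Dict[Tuple[str, str], UserEntry] = field(default_factory=dict)
    domain_admins: Dict[str, Set[str]] = field(default_factory=dict)  # domain -> admin users

    @staticmethod
    def _key(domain: str, user: str) -> Tuple[str, str]:
        return (domain.lower(), user.lower())

    def add(self, record: dict) -> UserEntry:
        """Merge one parsed result into the single entry for its user."""
        domain = record.get("domain") or "."  # "." stands for a local account
        key = self._key(domain, record["user"])
        entry = self.entries.setdefault(key, UserEntry(domain=key[0], user=key[1]))
        if record.get("password"):
            entry.passwords.add(record["password"])
        if record.get("ntlm"):
            entry.nt_hashes.add(record["ntlm"].lower())
        entry.sources.add(record.get("source", "unknown"))
        return entry

    def learn_domain(self, domain: str, admins: List[str]) -> None:
        """Record facts from a domain enumeration step (here: Domain Admins)."""
        self.domain_admins[domain.lower()] = {a.lower() for a in admins}

    def query(self, domain: str = None, admins_only: bool = False,
              show_all: bool = False) -> List[UserEntry]:
        """Default view: useful entries only; show_all=True lists everything."""
        out = []
        for (d, u), entry in self.entries.items():
            if domain and d != domain.lower():
                continue
            if admins_only and u not in self.domain_admins.get(d, set()):
                continue
            if not show_all and not entry.useful():
                continue
            out.append(entry)
        return sorted(out, key=lambda e: (e.domain, e.user))


# Constructed sample records: two implants report on the same user "alice"
# with different casing, one account has only the empty-password hash, and
# one local account was seen without any secret at all.
SAMPLE_RECORDS = [
    {"domain": "CORP", "user": "alice", "password": "Summer2018!", "source": "implant_a"},
    {"domain": "corp", "user": "Alice", "ntlm": "<constructed-nt-hash-alice>", "source": "implant_b"},
    {"domain": "CORP", "user": "svc_backup", "ntlm": EMPTY_NT_HASH, "source": "implant_b"},
    {"domain": "CORP", "user": "bob", "ntlm": "<constructed-nt-hash-bob>", "source": "implant_b"},
    {"domain": "", "user": "localguest", "source": "implant_a"},
]


def build_store(records=SAMPLE_RECORDS) -> CredStore:
    store = CredStore()
    for rec in records:
        store.add(rec)
    store.learn_domain("CORP", admins=["alice", "svc_backup"])  # constructed domain fact
    return store


if __name__ == "__main__":
    s = build_store()
    print("useful by default:", [e.user for e in s.query()])
    print("useful Domain Admins in CORP:", [e.user for e in s.query(domain="CORP", admins_only=True)])
    print("everything:", [e.user for e in s.query(show_all=True)])
```

Running the block shows `alice` and `bob` by default (the two with a real secret), only `alice` when the query is restricted to CORP Domain Admins, and all four entries with `show_all=True`; the two reports on `alice` collapse into one entry holding both her password and her hash.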

Watch the Koadic Demo Video here: