December 2019 – CYBER ARMS – Computer Security

There are many Command and Control Frameworks for Pentesters and Red Teamers to use. Covenant is a nice .NET based C2 environment that works great on Kali Linux. In this article we will cover installing and the very basic usage of Covenant.

When using Covenant, you first create “listeners”. These listen for incoming connections from “launchers”. Next, you create “launchers”, or basically, the exploit payloads. When the launchers are run on a target system, they connect back to Covenant as “Grunts”. Lastly, you control the Grunts by interacting with them and running “Tasks”.

Covenant uses SharpSploit for the Tasks. SharpSploit is basically a .NET exploitation library written in C#, that is similar to the PowerSploit project.

Use 64 bit Kali only, the install errors out on 32 bit Kali

Installing Covenant

Tool Author: Ryan Cobb
Tool Website: https://github.com/cobbr/Covenant

Install and usage of Covenant is heavily and thoroughly documents on the tool WiKi site at https://github.com/cobbr/Covenant/wiki/Installation-And-Startup. I highly recommend the reader use and follow this site for the latest instructions. As such, this will just be a quick overview of installing Covenant.

Download and install Covenant

git clone –recurse-submodules https://github.com/cobbr/Covenant

NOTE: You need two dashes in front of the “recurse-submodules” command. WordPress combines them into one.

Next, Download and install DotNet core version 2.2 SDK from Microsoft. Instructions can be found here:

https://dotnet.microsoft.com/download/dotnet-core/2.2

Instructions copied below for your convenience:

wget -q https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-sdk-2.2

If this doesn’t work, you are probably trying to us 32 bit or the wrong platform (ARM vs amd64).

Lastly, just build and run Covenant:

cd Covenant/Covenant
dotnet build
dotnet run

Now, open a browser and surf to https://0.0.0.0:7443
Accept the security warning

You will now be presented with the Covenant Login Screen:

At this point you will create an admin user for Covenant.

Enter a username and password

And that’s it, Covenant is ready for use:

Now we need to create a Listener, build a launcher and get ready for shells!

Build a Listener

Covered at https://github.com/cobbr/Covenant/wiki/Listeners

This will only allow you to create an HTTP listener, you can create more involved listeners with C2 Bridge, see the tool documentation.

On the Covenant Menu, click “Listeners”

All we need to do is change the “ConnectAddress” to the Kali Linux IP Address.

When finished, click “+ Create”

A new listener should now show up on the Listeners Dashboard

You can click on the Listener name to get info on the listener and Stop/ Start or Delete it.

Generate a Launcher

Launcher Wiki page: https://github.com/cobbr/Covenant/wiki/Launchers

Now all we need to do is create our Launcher to run on the target system.

Click “Launchers”
Pick a Launcher type

Check out the Launcher Wiki page for an explanation of each type. Let’s create an MsBuild launcher.

Click “MsBuild”
Generate
Download

And That’s it! Download the file and run it using MSBuild on the target system. If the system is vulnerable, you get a shell:

If it runs successfully, a new Grunt, or remote shell connection will show up in the Covenant Dashboard under “Grunts”:

Click on the Grunt name
Click “Interact” to interact with the Grunt

Here you can run tasks, enter the task name and then send it.

In the screen above, I have run many tasks, the last runs the Keylogger for 10 seconds. Click on “Taskings” and the Task name to view the output of each command

Conclusion

In this article we quickly covered installing and using the Covenant .NET based Command and Control framework. This is a very heavily developed and well working framework. If you haven’t seen it, I highly recommend you try it out.

I had mixed results running this “out of the box” against a Windows 10 system. Microsoft Defender detects and blocks the launchers pretty quickly. So advanced users may need to modify the payloads. This may or may not work flawlessly against other anti-viruses with no modifications. 🙂

I love Pwnagotchis, I mean, who doesn’t, have you seen these things?? My problem, is that I could not get great reception using the Pi0W built in WiFi. Also, I did not have a compatible E-Ink display for it. My first goal was to see if I could get Pwnagotchi running on a Pi 4 with an Alfa AWUS036NHA Long Range WiFi adapter. My second was to get it to display on an unsupported touchscreen or a full-size monitor.

TLDR version – You can!

But first – a Disclaimer:

These are just some personal notes of mine on getting the wickedly cool “Pwnagotchi” to work on a Pi 4 with a long range WiFi adapter. Also, how to access the Web User Interface so you don’t need an “E-Ink” display. This is mostly my work notes that I am sharing – It is a “try at your own risk” project. Due to configuration and network differences, it may or may not work for you and could leave your Pi software in an unstable state.

That being said, I will not be offering any technical support on it. These are just steps that worked for me, that I found through much trial and error. Lastly, never try to gain access to a network that you do not have permission to access – doing so is illegal and you could go to jail.

Pwnagotchis are the ridiculously cute (and intelligent) Pi0w based WiFi attack tool made by the author of Bettercap. I recently wrote a magazine article for Hakin9 on using the Bettercap Web UI and Pwnagotchis. The Web UI is an HTML interface to Bettercap, it allows you to control it through a browser.

Raspberry Pi 4s’ are the latest and greatest flag ship of the Raspberry Pi family. They have increased power and speed. They also come with different memory options; I love the 4GB model! The only catch is they draw more power than the model 3, and changed the power plug type, so you will most likely need a new power supply, or a very strong battery.

Again, this is just some notes that helped me get this working, use at your own risk. Enough intro, let’s get to this! First up, running Pwnagotchi on a Pi4.

Installing Pwnagotchi on a Pi4

Tool website: https://pwnagotchi.ai/
Tool Github: https://github.com/evilsocket/pwnagotchi
Tool Authors: Evilsocket and the Pwnagotchi team

The Pwnagothi wiki covers everything you need to know about installing, configuring and using the tool in a normal atmosphere. You should read the entire Wiki.

Download and install the Pwnagotchi Raspberry Pi lite image: https://github.com/evilsocket/pwnagotchi/releases
Write the image to an SD card.
Insert the SD card into your Pi4, attach peripheral devices and lastly power.
Connect a LAN cable – when the ethernet cable is plugged in, it starts the Pwnagotchi in manual mode, and you can SSH into the Pi if you want to.

With the current version of Pwnagotchi (1.4.1) it seems to boot up fine on a Pi4, but doesn’t run. It doesn’t seem to like the default waveshare display type -if you don’t have one, that is – changing this to “inkyphat” seems to do the trick.

Change the default e-ink device in config.yaml:
sudo nano /etc/pwnagotchi/config.yml
add the following:

ui:
display:
type: ‘inkyphat’
color: ‘black’

Next, I wanted to use an external USB WiFi adapter instead of the built in one. Instead of modifying a bunch of config files in Pwnagotchi, the simplest way seemed to be to just turn off the onboard wireless, so the USB WiFi becomes “wlan0”

6. In /boot/config.txt, add the following line to turn off the onboard WiFi:

dtoverlay=disable-wifi

7. Reboot

In a web browser, navigate to the IP address of your device and port 8080 to view the Web UI.

So, in my case, it would be 172.24.1.157:8080

The webpage should show the iconic Pwnagotchi face with control options. You now have a Pi4 Pwnagotchi that uses the Web UI!

Full Screen Display on any Screen

That is all well and good, but how can you run Pwnagotchi on a display that isn’t directly supported? I spent several days trying to get my Raspberry Pi 7” touchscreen to work with Pwnagotchi and did find a way to make it work. It’s more of a trick than anything, it is just running the Web UI in a full screen browser!

Again, proceed at your own risk, and I am not offering any technical support on how to do this – it took a lot of futzing to get this to work on mine, and it may not work on yours, or it may leave your Pi in an unstable software state. But I found if you install the Pwnagotchi Raspbian Lite image on a Pi 4, get it working with the modifications mentioned above, all you need to do next is install the Raspbian Graphical User interface and Chromium, and you can view Pwnagotchi locally on any display!

Quick instructions:

You won’t be able to get out to the internet, because Pwnagotchi changes the default Route, so we need to delete the default route, then add a new route to your gateway/ router. You can then pull down the files needed with “apt install”.

sudo ip route del default
sudo route add default gw 172.24.1.1 eth0 (Use your gateway address!)
sudo apt install raspberrypi-ui-mods
sudo apt install chromium-browser
reboot – the default route should restore on bootup

The first two commands deal with the routing. The third command installs a cut down version of the Raspbian graphical desktop. Next, the chromium web browser is installed.

Once it reboots, start Chromium, navigate to the Pwnagotchi web interface and press “F11” for full screen. That’s it! If all went well, you should have a large Pwnagotchi on the screen!

Now remember, it is a web interface, so, if you want you can also surf to it from your desktop or mobile systems connected to the same LAN.

This was just a quick overview of running Pwnagotchi on a Raspberry Pi 4. Do you want to unlock the real power of Pi for Ethical Hacking? Check out my latest book, “Security Testing with Raspberry Pi” – available on Amazon.com!