Covenant the .NET based C2 on Kali Linux

There are many Command and Control Frameworks for Pentesters and Red Teamers to use. Covenant is a nice .NET based C2 environment that works great on Kali Linux. In this article we will cover installing and the very basic usage of Covenant.

When using Covenant, you first create “listeners”. These listen for incoming connections from “launchers”. Next, you create “launchers”, or basically, the exploit payloads. When the launchers are run on a target system, they connect back to Covenant as “Grunts”. Lastly, you control the Grunts by interacting with them and running “Tasks”.

Covenant uses SharpSploit for the Tasks. SharpSploit is basically a .NET exploitation library written in C#, that is similar to the PowerSploit project.

Use 64 bit Kali only, the install errors out on 32 bit Kali

Installing Covenant

Tool Author: Ryan Cobb
Tool Website: https://github.com/cobbr/Covenant

Install and usage of Covenant is heavily and thoroughly documents on the tool WiKi site at https://github.com/cobbr/Covenant/wiki/Installation-And-Startup. I highly recommend the reader use and follow this site for the latest instructions. As such, this will just be a quick overview of installing Covenant.

Download and install Covenant

NOTE: You need two dashes in front of the “recurse-submodules” command. WordPress combines them into one.

Next, Download and install DotNet core version 2.2 SDK from Microsoft. Instructions can be found here:

https://dotnet.microsoft.com/download/dotnet-core/2.2

Instructions copied below for your convenience:

If this doesn’t work, you are probably trying to us 32 bit or the wrong platform (ARM vs amd64).

Lastly, just build and run Covenant:

  • cd Covenant/Covenant
  • dotnet build
  • dotnet run

You will now be presented with the Covenant Login Screen:

At this point you will create an admin user for Covenant.

  • Enter a username and password

And that’s it, Covenant is ready for use:

Now we need to create a Listener, build a launcher and get ready for shells!

Build a Listener

Covered at https://github.com/cobbr/Covenant/wiki/Listeners

This will only allow you to create an HTTP listener, you can create more involved listeners with C2 Bridge, see the tool documentation.

  • On the Covenant Menu, click “Listeners”

All we need to do is change the “ConnectAddress” to the Kali Linux IP Address.

  • When finished, click “+ Create”

A new listener should now show up on the Listeners Dashboard

You can click on the Listener name to get info on the listener and Stop/ Start or Delete it.

Generate a Launcher

Launcher Wiki page: https://github.com/cobbr/Covenant/wiki/Launchers

Now all we need to do is create our Launcher to run on the target system.

  • Click “Launchers”
  • Pick a Launcher type

Check out the Launcher Wiki page for an explanation of each type. Let’s create an MsBuild launcher.

  • Click “MsBuild”
  • Generate
  • Download

And That’s it! Download the file and run it using MSBuild on the target system. If the system is vulnerable, you get a shell:

If it runs successfully, a new Grunt, or remote shell connection will show up in the Covenant Dashboard under “Grunts”:

  • Click on the Grunt name
  • Click “Interact” to interact with the Grunt

Here you can run tasks, enter the task name and then send it.

In the screen above, I have run many tasks, the last runs the Keylogger for 10 seconds. Click on “Taskings” and the Task name to view the output of each command

Conclusion

In this article we quickly covered installing and using the Covenant .NET based Command and Control framework. This is a very heavily developed and well working framework. If you haven’t seen it, I highly recommend you try it out.

I had mixed results running this “out of the box” against a Windows 10 system. Microsoft Defender detects and blocks the launchers pretty quickly. So advanced users may need to modify the payloads. This may or may not work flawlessly against other anti-viruses with no modifications. 🙂

Installing Kali Linux on Raspberry Pi – Partial Book Chapter

This is a partial sample chapter from my latest “Security Testing with Raspberry Pi” book – The full chapter (chapter 4) is over 20 pages long and includes how to use several of the installed Kali Linux tools.

In this chapter we will cover installing Kali Linux on a Raspberry Pi 3b+. We will also see how to run several Kali tools on this platform. As I assume the reader has used Kali Linux before, the goal is to show how to get up and running quickly on a Raspberry Pi, not necessarily to show how to run each individual tool. Most of the tools work just like they would in a full PC install of Kali. Though some of the tools, like Hashcat, apparently don’t have ARM compatible binaries and are not included in the Kali Pi version.

Surf to the Offensive Security Website:

https://www.offensive-security.com/kali-linux-arm-images/

Navigate to the Kali ARM images and then select the Raspberry Pi branch. Download the version of Raspberry Pi for the Pi that you have. I used a Pi3b+ for this chapter, so I downloaded the Kali Linux Raspberry Pi 3 64-bit image. If you have a Pi 4, you must download the Pi 4 version of Kali.

Once the image is downloaded, all you need to do is write it you your SD Ram card.

Etcher works great:

Insert your memory card into the Pi, attach keyboard, mouse, network line, and video cable. Lastly, plug in the power cord. The Pi will boot up and give you a graphical login screen.

  • Login with User: root, Password: toor

At the “Welcome to the first start of the panel” message, click on “Use default config”. You will then be presented with the Kali Desktop. Take a second and familiarize yourself with it. You will notice it is slightly different looking than the regular Kali Desktop, as it is using a different desktop environment. Xfce is used as the default Pi interface as it is a lightweight and fast desktop. But it is the same Kali underneath that you know and love.

Click the “Applications” button to see the tools menu. They are pretty sparse at the moment; we will fix that soon. There are a couple house keeping things we need to do first.

Setting up SSH

The first thing we will want to do is regenerate the SSH security keys.

  • Open a Terminal
  • cd /etc/ssh/
  • mkdir default_keys
  • mv ssh_host_* default_keys/
  • dpkg-reconfigure openssh-server

In a couple seconds we should have new SSH security keys.

In the current version of Kali for the Pi, root login is permitted by default. This is fine for our lab, but this is something you would want to change in “/etc/ssh/sshd_config” if you were going to use this for regular purposes. You will also want to change the root password using the “passwd” command.

The SSH server is already started by default in the Kali Pi install, so all we need is the IP address of Kali. If you are an old time Linux user like me you will probably still use Ifconfig, the old “deprecated” commands are easier to use and look nicer in my opinion, (have to love change, lol) though you are supposed to use the “ip” command now.

  • Enter, “ip a” to see all the network addresses or “ip -4 a” to only see the ip 4 address.

Now you can just SSH or use Putty like we did in the previous chapter to connect remotely to the Kali system.

Metapackages

The Kali-Pi image comes pre-installed with some tools already installed. They were called the “top 10” in an earlier release of Kali and include Metasploit, nmap, Recon-NG, etc.  The rest of the Kali tools can be downloaded via Kali “Metapackages”. Metapackages are security tool packages grouped by function. If you have a 16 GB or greater SDRam card, and a lot of patience, you can install the full Kali Linux install. If you didn’t need all of these tools, you could install just the Wireless tools (kali-linux-wireless) or the Web Application Assessment tools (kali-linux-web), depending on your needs.

All the available Metapackages are listed on the Kali Metapackages website:

Installation is simple, in a terminal just enter, “apt install” along with the metapackage that you want. You basically have 2 options; you can install the full package or individual tool packages. The only drawback to option 2 is that some of the necessary “helper” tools may not be installed and you may need to install them manually.

Option 1

If you want the full Kali install:

  • apt install kali-linux-full

This includes all the tools from a normal Kali Linux install. This will take a very long time to install, so be patient.

Option 2

If you want to install a specific category of tools:

Depending on what you want to do with your Kali install, a good choice is the Wireless tools. The wireless package includes numerous tools including ones for Wi-Fi, Bluetooth & SDR. You can see what packages are included by using the following command:

  • apt-cache show kali-linux-wireless |grep Depends

If these are the tools that you want, then proceed with the install:

  • apt install kali-linux-wireless

Whichever option you pick, the new tools will show up in the Kali menu after the install:

Either install option seems to take hours, be patient, and reboot when it is finished.

The downloaded tools are the SAME tools that you would receive on the regular Kali install. These aren’t watered down versions or anything like that. I have run into a couple tools that didn’t work, or seemed to be missing, but it is a rare occurrence. If it works in the regular Kali install, chances are you can do the same thing, the same way, in the Raspberry Pi version. So, after that long install, let’s play!


If you liked this sample and want to learn a lot more about using the Raspberry Pi for Ethical Hacking, check out my new book, “Security Testing with Raspberry Pi“!

AV & AMSI Bypass with Magic Unicorn

If you have been wondering why many PowerShell based shells haven’t been working, you can thank Windows’ AMSI. If you still need to use PowerShell based shells, check out the latest version of Trusted Sec’s Magic Unicorn tool.

According to Microsoft, the Antimalware Scan Interface (AMSI) is an interface that “provides enhanced malware protection for users and their data, applications, and workloads”. A newer piece to the Anti-Virus bypass cat and mouse game. Just as there is with regular anti-virus, there has been an almost constant battle between AMSI and utilities to bypass its ability to catch and block PowerShell based remote shells.

The TrustedSec team has been very active in updating their “Magic Unicorn” PowerShell tool to evade AV and AMSI, and this is evident in their latest Unicorn update.

Installation and using Magic Unicorn is very simple in Kali Linux:

Installing Magic Unicorn

Then change to the unicorn directory and run it.

  • cd /unicorn
  • ./unicorn.py

When you run Magic Unicorn, you are given a complete set of usage examples. More information is available on the GitHub site, so I am not going to discuss tool usage. Though generated payloads can be found in the /unicorn directory.

Magic Unicorn usage features

The big question, does it work?

That would be a yes:

Remote PowerShell shell with Magic Unicorn

Best defenses against attacks like this is to be very leery of e-mail attachments & suspicious links. Protect physical access to your computers. Disable or remove old PowerShell versions.  Enable PowerShell monitoring. Install all Windows & AV updates. Run a good network security program. Also, a good Network Security Monitoring system is always helpful in case the worse happens.

Check out the Magic Unicorn Github site for more information.

https://www.trustedsec.com/unicorn/

Basic Security Testing with Kali Linux Giveaway Contest

Want a chance to get a signed copy of my latest Kali Linux book? I am giving away a total of 10 signed copies of “Basic Security Testing with Kali Linux, 3rd Edition”!

Simply follow, like and share this article, or my official Twitter or Instagram announcement, for a chance to win a signed copy of my new book!

10 lucky winners will be randomly selected on October 31st.

The Contest is for those living in the United States only. I may do another one for international readers in the future.

Liking this article & sharing the Official Contest announcements on Twitter and Instagram will increase your chances of winning.  Winners will be notified on October 31st. If a winner cannot be notified or does not respond by the end of the first week of November, another winner will be picked.

Good luck!