March 21, 2023

Situational Awareness BOFs for Script Kiddies

Written by TrustedSec
Research

Introduction

Thanks for the download on BOFs, but now, where can I actually download some BOFs?

In my previous blog post, “BOFs for Script Kiddies,” I covered the basics of BOFs. I described what a BOF was (a Beacon Object File), when you would want to use a BOF (post-exploitation), and why you would want to use a BOF (for additional lightweight capabilities). I even pointed you in the direction of how you might go about developing your own BOFs using my colleagues’ work, “A Developer’s Introduction to Beacon Object Files” and “COFFLoader: Building Your Own In-Memory Loader or How to Run BOFs.” But, the beauty of BOFs is that they are small, plug-and-play capabilities that can now be used across multiple frameworks, including Sliver, Meterpreter, Nighthawk, Brute Ratel, and Havoc, not to mention the original Cobalt Strike platform. This means that you can develop your own BOFs or use some from the various repositories of publicly available BOFs. And, as my colleague pointed out in “Changes in the Beacon Object File Landscape,” a search for ‘BOF’ on GitHub returns around 187 C-based repositories. So, there are a lot of BOFs to choose from. As a TrustedSec team member and author of many BOFs myself, I am partial to our two (2) repositories: Situational Awareness and Remote Operations. In this edition of the Script Kiddie series, I will take a deeper look into TrustedSec’s Situational Awareness BOF repository and how you, too, can Hack the Planet and Save the World with BOFs.

Situational Awareness

Sure, sure. So, what is “Situational Awareness” whatever?

First, situational awareness means collecting as much information as possible to determine your next steps. You probably did some situational awareness before even attempting to hack into the system/network. Now, after gaining your initial access, you need to perform some more situational awareness to figure out all that you can about the current system and the domain/network. This information will aid you in determining how to move laterally, how to persist, and, maybe more importantly, whether you want to be on this system or network in the first place.

Situational awareness is not specifically defined, meaning that there is not a checklist of information that you must gather. There is no list of commands that you must run. Situational awareness is user-, environment-, and situation-dependent. In general, you want to know about files, drives, and shares on the system/network, the services and processes running on the system, the user(s) on the system/network, and other devices and resources on the network.

Thankfully, if your current tool does not have all these capabilities, but it does have the ability to run BOFs, then you can use our repository of Situational Awareness BOFs to gather all the relevant information. This repository has been opened to the community and has received numerous contributions. I will cover some in more detail, but the repository currently contains 48 BOFs:

  • adcs_enum
  • adcs_enum_com
  • adcs_enum_com2
  • adv_audit_policies
  • arp
  • cacls
  • dir
  • driversigs
  • enumLocalSessions
  • enum_filter_driver
  • env
  • findLoadedModule
  • get-netsession
  • get_password_policy
  • ipconfig
  • ldapsearch
  • listdns
  • listmods
  • locale
  • netgroup
  • netlocalgroup
  • netshares
  • netstat
  • netuse
  • netuser
  • netuserenum
  • netview
  • nonpagedldapsearch
  • notepad
  • nslookup
  • probe
  • reg_query
  • resources
  • routeprint
  • schtasksenum
  • schtasksquery
  • sc_enum
  • sc_qc
  • sc_qdescription
  • sc_qfailure
  • sc_qtriggerinfo
  • sc_query
  • tasklist
  • uptime
  • vssenum
  • whoami
  • windowlist
  • wmi_query

Note: All examples of BOF execution were accomplished using the TrustedSec COFFLoader and the corresponding beacon_generate.py script for generating arguments. The COFFLoader is a stand-alone utility for running BOFs. You simply need to supply the function to call (typically go), the BOF file, and any arguments. The arguments are dependent on the specific BOF and can be packed into an argument string using the beacon_generate.py helper script. This script allows you to ‘addString’, ‘addWString’, ‘addint’, or ‘addshort’—again, depending on the BOF’s required arguments. The order and type of the arguments must match what the BOF’s source expects, because the BOF reads them back sequentially with the BeaconData* parsing functions. Once you have added all of the arguments, you can then ‘generate’ the packed argument string, which is then passed to the BOF.
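To make the packing step concrete, here is an added example (my own re-implementation, not TrustedSec’s beacon_generate.py or COFFLoader code) of both sides of the argument contract: a packer that mirrors the addString/addWString/addint/addshort/generate commands, and a reader that mirrors what a BOF does with BeaconDataParse, BeaconDataInt, BeaconDataShort, and BeaconDataExtract. The layout assumed here (a 4-byte little-endian length header, then 2-byte shorts, 4-byte ints, and length-prefixed NUL-terminated strings/wide strings) is my understanding of the format and should be verified against the real script before relying on it. The pack_dir_args/unpack_dir_args pair uses a constructed argument shape (a wide-string path plus a short flag) and is not the actual dir BOF’s argument contract.

```python
"""
Added example: re-implementation of the argument packing that
beacon_generate.py performs for COFFLoader, plus the mirror parser a BOF
runs via BeaconDataParse/BeaconDataInt/BeaconDataShort/BeaconDataExtract.

Assumed layout (verify against the real script before use):
    <u32 LE length of everything that follows>
    then, per argument, in the order it was added:
        short   -> <i16 LE>
        int     -> <i32 LE>
        string  -> <u32 LE length incl. NUL><UTF-8 bytes><\\x00>
        wstring -> <u32 LE length incl. NUL><UTF-16LE bytes><\\x00\\x00>
"""
import binascii
import struct


class BeaconPack:
    """Builds the packed blob the way beacon_generate.py's
    addString/addWString/addint/addshort commands do."""

    def __init__(self):
        self.buffer = b""

    def addshort(self, value: int) -> "BeaconPack":
        self.buffer += struct.pack("<h", value)
        return self

    def addint(self, value: int) -> "BeaconPack":
        self.buffer += struct.pack("<i", value)
        return self

    def addstr(self, s: str) -> "BeaconPack":
        data = s.encode("utf-8") + b"\x00"          # NUL included in length
        self.buffer += struct.pack("<L", len(data)) + data
        return self

    def addwstr(self, s: str) -> "BeaconPack":
        data = s.encode("utf-16-le") + b"\x00\x00"  # wide NUL included
        self.buffer += struct.pack("<L", len(data)) + data
        return self

    def getbuffer(self) -> bytes:
        """Length header followed by the arguments."""
        return struct.pack("<L", len(self.buffer)) + self.buffer

    def generate(self) -> str:
        """Hex string, the form handed to COFFLoader on the command line."""
        return binascii.hexlify(self.getbuffer()).decode()


class BeaconData:
    """Mirror of the BOF-side reader, useful for checking a packed blob."""

    def __init__(self, blob: bytes):
        (self.size,) = struct.unpack_from("<L", blob, 0)
        self.buf = blob[4:4 + self.size]
        self.off = 0
        if len(self.buf) != self.size:
            raise ValueError("truncated argument buffer")

    def int(self) -> int:
        (v,) = struct.unpack_from("<i", self.buf, self.off)
        self.off += 4
        return v

    def short(self) -> int:
        (v,) = struct.unpack_from("<h", self.buf, self.off)
        self.off += 2
        return v

    def extract(self) -> bytes:
        """Length-prefixed bytes, NUL included, as BeaconDataExtract returns."""
        (n,) = struct.unpack_from("<L", self.buf, self.off)
        self.off += 4
        data = self.buf[self.off:self.off + n]
        if len(data) != n:
            raise ValueError("length prefix runs past end of buffer")
        self.off += n
        return data

    def string(self) -> str:
        return self.extract().rstrip(b"\x00").decode("utf-8")

    def wstring(self) -> str:
        return self.extract().decode("utf-16-le").rstrip("\x00")

    def remaining(self) -> int:
        return self.size - self.off


def pack_dir_args(path: str, subdirs: bool) -> str:
    """Constructed example shape: wide-string path then a short flag.
    (An assumption for illustration, not the real dir BOF's contract.)"""
    return BeaconPack().addwstr(path).addshort(1 if subdirs else 0).generate()


def unpack_dir_args(hexargs: str):
    """Read the blob back the way the BOF would; complain on leftover bytes,
    which is the usual symptom of packer and BOF disagreeing on types."""
    bd = BeaconData(binascii.unhexlify(hexargs))
    path = bd.wstring()
    subdirs = bd.short()
    if bd.remaining() != 0:
        raise ValueError("unconsumed bytes: packer/parser disagree")
    return path, bool(subdirs)


if __name__ == "__main__":
    args = pack_dir_args(r"C:\Users\*\Desktop", True)
    print(args)
    print(unpack_dir_args(args))
```

The round-trip check is the useful part: if a BOF expects an int where you packed a short, the reader lands mid-field and the leftover-bytes error fires here rather than as garbage output (or a crash) inside the implant.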

whoami

The whoami BOF provides all the information that is similarly returned by the ‘whoami /all’ command. It will provide you with the current user’s name and SID, as well as the user’s group information and privileges. This can be useful information when you are first starting out and trying to figure out what kind of access you have.

Figure 1 - whoami BOF

tasklist

The tasklist BOF lists the running processes, including the process name, PID, parent PID, and command-line. It gathers this information using WMI. Knowing the running processes on a system can help you determine what the system is used for, what security software may be installed, and what applications are used in general. This is required information for true situational awareness.

Figure 2 - tasklist BOF

sc_enum

There are a variety of service control or sc_* BOFs. In particular, the sc_enum BOF will enumerate all the services. More detailed service information can be obtained using the sc_qc, sc_query, or other BOFs. Understanding the services running on the system can again help you determine the role of the system, as well as identify other security software and applications in use on the system.

Figure 3 - sc_enum BOF

enum_filter_driver

The last host-focused BOF I will highlight is enum_filter_driver, which lists the installed file system filter drivers. This is an often-overlooked piece of information, but most EDR and anti-virus products register a minifilter, so listing the filter drivers can again help you identify any security software installed on the system, which could inform your next moves.

Figure 4 - enum_filter_driver BOF

dir

The dir BOF lists files and directories just like the command-line dir command. It supports wildcards and can search subdirectories. The dir BOF is very helpful when searching a system for specific files or directories.

Figure 5 - dir BOF

cacls

The cacls BOF lists the access control list of the specified file or directory, showing which users and groups have which permissions, just like the command-line cacls command. The BOF supports wildcards as part of the file path. This can help when determining what you (and other accounts) have access to.

Figure 6 - cacls BOF

ipconfig

The ipconfig BOF can help you get a better understanding of the network. Like the command-prompt command, it provides you with a list of IPv4 addresses used by the system, as well as the hostname and DNS server.

Figure 7 - ipconfig BOF

netstat

The netstat BOF displays current network connections, including TCP and UDP ports. This is particularly useful when determining which other systems the current system is talking to.

Figure 8 - netstat BOF

netuse

The repository contains numerous BOFs replicating the net * commands from the command-prompt. All of these BOFs will help you learn about the network and the various resources attached to it. Specifically, the netuse BOF will allow you to view, add, or delete remote connections/shares. This can be very useful when considering lateral movement.

Figure 9 - netuse BOF

adcs_enum_com

There are three (3) different adcs_enum BOFs that use three (3) different methods for enumerating certificate authorities on the network. The adcs_enum_com BOF itself uses COM objects, but all three (3) return information used to identify potential AD CS misconfigurations, which could be used for privilege escalation and/or lateral movement.

Figure 10 - adcs_enum_com

ldapsearch

The ldapsearch BOF allows you to execute LDAP queries to retrieve information about the domain. This information can be used with BOFHound to identify targets within the network.

Figure 11 - ldapsearch BOF

Conclusion

Great. Now, I have my own utility belt of BOFs. With my knowledge and your powers, we can Hack the Planet or at least get a better understanding of our situation.

With the information provided in our previous blogs and the wealth of tools supplied in our BOF repositories, you, too, can be a black-belt Script Kiddie. BOFs provide the ability to quickly deploy additional capabilities, and the BOF concept allows hackers from all over to unite behind a common framework for developing these tools. Now, we can have repositories of BOFs that can be plugged into a variety of frameworks to greatly expand our toolkit. In particular, TrustedSec has provided two (2) different repositories: Situational Awareness and Remote Operations. And, in this instance, I described how you can use the Situational Awareness BOFs to gain a better understanding of your environment, including the system itself and the network it’s a part of. These capabilities should help facilitate all of your post-exploitation fun. Just remember to always check your return values.

References