Quick Jump Links
- Project Home Page (GitHub)
- Install Under Linux Distros
- Install Under Windows Distros
- Project GitHub Wiki Pages (Modules)
- Working with meterpeter dropper(s)
Project Description - codename: Betelgeuse - Remote Access Tool v2.10.14
This PS1 script starts a listener server on a Windows or Linux attacker machine and generates PowerShell reverse TCP shell payloads, obfuscated with 'BXOR' under a random secret key plus a second layer of character/variable obfuscation, to be executed on the target machine. You can also receive the generated reverse TCP shell connection via 'netcat'
(in that case you lose C2 functionalities such as screenshot, upload/download files, Keylogger, AdvInfo, PostExploit, Escalation-Of-Privileges and Stream Target Desktop).
Executing the client (payload or dropper) with administrator privileges unlocks ALL C2 server modules (AMSI bypass + Execution_Policy bypass).
Remark: Meterpeter payloads | droppers are FUD (please don't test or send samples to VirusTotal, similar websites, or to Microsoft cloud suspicious\AMSI sample submission).
Meterpeter v2.10.14 codename: Betelgeuse Update Description
This update adds new modules, fixes modules being flagged by AMSI (anti-virus), and reviews all individual Meterpeter C2 (server) modules for errors, bugs and quick improvements.
List of Updated/New Modules

| Meterpeter Prompt | Module Name | Module Description | Module Options | State |
|---|---|---|---|---|
| :meterpeter:Adv:Processes> | kill | Kill process by its PID number | *** | new option |
| :meterpeter:Adv:Browser> | Clean | Clean major browsers temporary files | *** | new module |
| :meterpeter:Keylogger> | SocialMedia | Capture keyboard keystrokes from Facebook and Twitter | Start, Stop, Schedule, Delay Force, SendToPasteBin | new module |
| :meterpeter:Post> | Msstore | Manage Microsoft Store programs | list, discover, install, uninstall | new module |
| :meterpeter:Post:Escalate> | Uacpriv | Use RUNAS to spawn UAC dialog box (user->admin) | *** | new module |
| :meterpeter:Post:Passwords> | DumpSam | Dump hashes from registry hives | *** | new module |
| :meterpeter:Post:Passwords> | Browser | Dump stored credentials | *** | *AMSI bypass* |
| :meterpeter:Post:Passwords> | Putty | Leak PuTTY session(s) credentials (regedit) | *** | new module |
| :meterpeter:Post:PhishCred> | Start | Phish for remote credentials | *** | new msgbox added |
| :meterpeter:Post:AMSIPatch> | Console | Disable AMSI within current process | Console, FilePath, PayloadUrl | *AMSI bypass* |
| :meterpeter:Pranks> | WindowsUpdate | Windows fake update full screen prank (browser) | *** | new module |
| :meterpeter:Pranks> | LabelDrive | Rename drive letter (C:) label (display name) | list, rename | new module |
| :meterpeter:Pranks> | criticalerror | Fake a system critical error (BSOD) | *** | *AMSI bypass* |
| :meterpeter:Pranks> | BallonTip | Show a balloon tip in the notification bar | Title, Text, IconType, AutoClose | new module |
Command & Control - Modules Structure
```
Module Name                 Module Description
-----------------------     ----------------------
info                        Retrieve remote host system information
session                     Retrieve Meterpeter C2 connection status
advinfo                     Advanced system information sub-menu
   |__ accounts             List remote host accounts
   |__ revshell             List client rev tcp shell information
   |__ ListAppl             List remote host installed applications
   |__ Processes            Remote host processes sub-menu
          |__ Check         List remote process(es) running
          |__ Query         Process name verbose information
          |__ DllSearch     List DLLs loaded by processes
          |__ Kill          Kill remote process from running (process name or PID)
   |__ Tasks                Enumerate scheduled tasks sub-menu
          |__ Check         Retrieve scheduled tasks
          |__ Query         Retrieve single task information
          |__ RunOnce       Create new scheduled task
          |__ LoopExec      Create new scheduled task
          |__ Delete        Delete existing scheduled task
   |__ Drives               List all remote host mounted drives
   |__ Browser              List remote host installed browsers sub-menu
          |__ Start         Enumerate remote browsers\versions installed
          |__ Verbose       Verbose enumerate remote browsers installed
          |__ Addons        Enumerate installed browser addons
          |__ Clean         Clean major browsers temporary files
   |__ Recent               List remote host recent directory
   |__ ListSMB              List remote host SMB names\shares
   |__ StartUp              List remote host startup directory
   |__ ListRun              List remote host startup run entries
   |__ AntiVirus            Enumerate all EDR products installed sub-menu
          |__ Primary       Primary AV + security processes
          |__ FastScan      Primary AV + security processes + EDR hunt
          |__ Verbose       Full scan module (accurate\slower)
   |__ FRManager            Manage remote host firewall rules sub-menu
          |__ Query         Query 'active' firewall rules
          |__ Create        Block application\program rule
          |__ Delete        Delete selected firewall rule
   |__ OutLook              Manage Outlook Exchange email objects sub-menu
          |__ Folders       Display Outlook folder names
          |__ Contacts      Display Outlook contacts info
          |__ Emails        Display Outlook email objects
          |__ SendMail      Send email using target domain
upload                      Upload from local host to remote host
   |__ start                Upload from lhost to rhost
download                    Download from remote host to local host
   |__ start                Download from rhost to lhost
Screenshot                  Capture remote host desktop screenshots sub-menu
   |__ Snapshot             Capture one desktop screenshot
   |__ SpyScreen            Capture multiple screenshots (background)
keylogger                   Install remote host keylogger sub-menu
   |__ Mouse                Start remote mouselogger
   |__ Keystrokes           Start\Stop remote keylogger
   |__ Pastebin             Send keystrokes to pastebin
   |__ Browser              Capture browsers active tab title
   |__ SocialMedia          Capture FB + Twitter + WhatsApp + Instagram keyboard keystrokes
PostExploit                 Post exploitation modules sub-menu
   |__ Stream               Stream remote host desktop live
          |__ Start         Stream target desktop live
   |__ Camera               Take snapshots with remote webcam sub-menu
          |__ Device        List all available webcam devices
          |__ Snapshot      Auto use of default webcam to take snapshot
          |__ WebCamAvi     Capture video (AVI) using default webcam
   |__ FindEop              Search for EOP possible entry points sub-menu
          |__ Check         Retrieve directory permissions
          |__ Service       Search for unquoted service paths
          |__ RottenP       Search for rotten potato vuln
          |__ Agressive     Search for all EOP possible entries
   |__ Escalate             Escalate rev tcp shell privileges sub-menu
          |__ GetAdmin      Escalate client privileges (user->admin)
          |__ Delete        Delete getadmin module artifacts
          |__ Uacpriv       Use RUNAS to spawn UAC (user->admin)
          |__ CmdLine       UAC execute command elevated
   |__ Persist              Persist rev tcp shell on startup sub-menu
          |__ Beacon        Persist client using startup
          |__ ADSRUN        Persist client using ADS:Run
          |__ RUNONCE       Persist client using REG:HKCU
          |__ REGRUN        Persist client using REG:HKLM
          |__ Schtasks      Persist client using Schtasks
          |__ WinLogon      Persist client using WinLogon
   |__ TimeStamp            Change remote host files timestamp
          |__ Check         Print current file timestamp
          |__ Modify        Modify existing file timestamp
   |__ Msstore              Manage Microsoft Store programs
          |__ List          List installed packages [local PC]
          |__ Discover      Search for application in msstore
          |__ Install       Install application from msstore
          |__ Uninstall     Uninstall application from [local PC]
   |__ Artifacts            Clean remote host activity tracks sub-menu
          |__ Query         Query eventvwr logs
          |__ Clean         Clean system tracks
          |__ Paranoid      Clean tracks paranoid (anti-forensic)
   |__ HiddenDir            Super\hidden directories manager sub-menu
          |__ Search        Search for regular hidden folders
          |__ Super         Search super hidden folders
          |__ Create        Create\Modify super hidden
          |__ Delete        Delete one super hidden folder
   |__ hideUser             Remote hidden accounts manager sub-menu
          |__ Query         Query all accounts
          |__ Create        Create hidden account
          |__ Delete        Delete hidden account
   |__ Passwords            Search for passwords inside files sub-menu
          |__ File          Search for credentials recursive
          |__ Putty         Leak PuTTY session(s) credentials (regedit)
          |__ Dpapi         Dump DPAPI master keys + blobs
          |__ Vault         Dump creds from Password Vault
          |__ WDigest       Credential caching in memory [clear-text]
          |__ Browser       Web browser credential dump [clear-text]
          |__ DumpSAM       Dump hashes from registry hives
   |__ BruteAcc             Brute-force user account password
          |__ Start         Brute force user account password
   |__ PhishCred            Prompt remote user for logon creds
          |__ Start         Phish for remote credentials
   |__ AMSIpatch            Disable AMSI within current process sub-menu
          |__ Console       Disable AMSI within current process
          |__ FilePath      Execute input script through bypass
          |__ PayloadUrl    Download\Execute script through bypass
   |__ Exclusions           Manage Windows Defender exclusions
          |__ Query         Query all Windows Defender exclusions
          |__ Create        Create a new Windows Defender exclusion
          |__ UrlExec       Download\Exec URI through created exclusion
          |__ Delete        Delete one Windows Defender exclusion
   |__ LockPC               Lock remote host workstation
   |__ Restart              Restart remote host workstation
   |__ Allprivs             EnableAllParentPrivileges to exec cmdline sub-menu
          |__ demo          EnableAllParentPrivileges to exec cmdline (demo)
          |__ cmdline       EnableAllParentPrivileges to exec cmdline (cmdline)
NetScanner                  Local LAN network scanner sub-menu
   |__ ListDNS              List remote host domain name entries
   |__ TCPinfo              List remote host TCP\UDP connections sub-menu
          |__ Stats         Query IPv4 statistics
          |__ Query         Established TCP connections
          |__ Verbose       Query all TCP\UDP connections
   |__ ListWifi             List remote host profiles/SSID/passwords sub-menu
          |__ ListProf      Remote-host wifi profile
          |__ ListNetw      List wifi available networks
          |__ ListSSID      List remote-host SSID entries
          |__ SSIDPass      Extract stored SSID passwords
   |__ PingScan             List devices ip addr\ports\dnsnames on LAN sub-menu
          |__ Enum          List active ip addresses on LAN
          |__ PortScan      Single ip port scanner \ dns resolver
   |__ GeoLocate            Client geolocation using curl ifconfig.me sub-menu
          |__ GeoLocate     Client geolocation using curl
          |__ Ifconfig      Client geolocation using ifconfig
Pranks                      Prank remote host modules sub-menu
   |__ Msgbox               Spawn remote msgbox manager
          |__ simple        Spawn simple msgbox
          |__ cmdline       Msgbox that exec cmdline
   |__ Speak                Make remote host speak one phrase
          |__ start         Speak input sentence
   |__ OpenUrl              Open\spawn URL in default browser
          |__ Open          Open URL in default browser
   |__ GoogleX              Browser Google easter eggs sub-menu
          |__ gravity       Open Google-Gravity webpage
          |__ sphere        Open Google-Sphere webpage
          |__ rotate        Open rotate 360º webpage
          |__ mirror        Open Google-Mirror webpage
          |__ teapot        Open Google-Teapot webpage
          |__ invaders      Open Invaders-Game webpage
          |__ pacman        Open Pacman-Game webpage
          |__ rush          Open Google-Zerg-Rush webpage
          |__ moon          Open Google-Moon webpage
          |__ Terminal      Open Google-Terminal webpage
          |__ trexgame      Open Google-T-Rex-Game webpage
          |__ kidscoding    Open Google-Kidscoding webpage
          |__ googlespace   Open Google-Space webpage
   |__ WindowsUpdate        Fake Windows update full screen prank (browser)
   |__ CriticalError        Prank that fakes a critical system error (BSOD)
   |__ BallonTip            Show a balloon tip in the notification bar
   |__ Nodrives             Hide all drives (C:D:E:F:G) from Explorer (GUI)
   |__ LabelDrive           Rename drive letter (C:) label (display name)
          |__ List          List ALL drives available
          |__ Rename        Rename drive letter label
```
meterpeter C2 - v2.10.14 - screenshots
- Capture keyboard keystrokes from FACEBOOK, TWITTER, WHATSAPP, INSTAGRAM (browser active tab)
- Listing active TCP connections on remote host
- Scanning Outlook for email objects
- Record remote webcam in AVI format
- Dump remote machine hashes
- Dump remote machine DPAPI secrets
- Dump all stored browser credentials
- Cleaning attacker system tracks (anti-forensic)
URLs
virscan.org scan reports - 2023-12-08
- File Name: meterpeter.ps1 (server)
  Scanner results: 1% of scanner(s) (2/47) found malware!
  Report: https://www.virscan.org/report/8b5efcd871003109d21b23f19826149c91ca6f26108009a2b0f38a90fb220a17
  Time: 2023-12-08 02:14:22 (CST)
- File Name: Update-KB5005101.ps1 (client)
  Scanner results: 0% of scanner(s) (0/46) found malware!
  Report: https://www.virscan.org/report/b12399a52b5064b063fef4f5740d4784a2e3bb587a32ab416d047c909d0b5fc9
  Time: 2023-01-31 17:26:47 (CST)
Release v2.10.14 - Special Thanks
| Haxor NickName | Description |
|---|---|
| @ShantyDamayanti | Help debugging modules |
| @danieldurnea | Documentation\Software |