SpecterInsight is a cross-platform post-exploitation command and control framework designed to enable red teams to achieve their objectives. This series of tutorials is designed to get you up and running fast with SpecterInsight so that you can focus on your engagements. Please see the tutorials below to get started.
00. Architecture and Components
Overview This tutorial will provide you with the fundamental knowledge of the various SpecterInsight components required to accomplish the subsequent tutorials. Components SpecterInsight Server The SpecterInsight server is the core component of the application. It is a cross-platform, multi-threaded, .NET application. It leverages Kestrel for hosting an HTTP/S API for managing the server, handles requests from the client UI, manages SpecterScripts, modules, implants, and artifacts exfiltrated from deployed Specters, and handles all implant communications, command, and control. The server provides a multi-player environment for conducting red team, pen-testing, or threat emulation engagements. It provides secure communications by providing encryption and...
01. Installation
This tutorial covers installation of the server on various operating systems. Debian Linux This guide will walk you through installing SpecterInsight on most Debian distributions including Kali and Ubuntu. This tutorial assumes that you have already registered an account and downloaded SpecterInsight. Install Postgres SpecterInsight leverages Postgres as the back-end data store for all data that needs to be retrieved by the server application. The easiest way to set up Postgres is to run a Docker container. We'll demonstrate setting up a container locally as an example. docker run --name postgresql -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -p 5432:5432 -v /data:/var/lib/postgresql/data -d postgres...
02. Apply License
Overview This tutorial will show you how to apply a license using the SpecterInsight client UI. This tutorial assumes that you have already purchased a license for SpecterInsight. Navigate to the License Page After connecting to a server, you can tell if the product is unlicensed when an orange banner appears at the top of the screen that says, "This server is unlicensed." In the client UI, expand the "Administration" menu and select "License" to bring up the license page. The license status and key details are shown in the "Current License" pane. Apply License Click on the "Add or...
03. ELK Integration
SpecterInsight supports unique integrations with Elasticsearch, Logstash, and Kibana (ELK) out-of-the-box. Command output from your deployed Specters comes back as objects with properties that are then augmented and shipped off to Elasticsearch. This means that you can search your command history in Kibana on specific fields. Example This concept is probably easier to convey with a concrete example. If you fire up SpecterInsight, interact with one of the Specters that is beaconing back, and issue the script shown below, the Specter will pick up and execute that script during the next check-in. The output of the script will then be...
04. Managing Certificates
Introduction Managing certificates has always been tedious, which is why SpecterInsight has a dedicated UI just for certificate management in order to make that work as easy as possible for the operator. Out-of-the-box, SpecterInsight will generate two new self-signed SSL certificates: one for the management API and one for implant C2 channels. These will be sufficient for installation and evaluation; however, these certificates, particularly the certificate for C2, should be changed for any contracted engagements. I assume that the fields of the default certificates will be signaturized very quickly and self-signed certificates can be a red flag to network defenders....
05. Listeners
Overview In this tutorial, you will learn how to create listeners with SpecterInsight. Viewing Listeners After logging into a server, select Operations > Listeners. You should see a screen similar to the one shown here that lists all of the enabled or disabled listeners. Adding a Listener Click on the "Add" button to create a new Listener. The "Prefix" allows the operator to specify the protocol, interfaces, and ports for the listener.
Prefix | Description
http://+ | Binds to all interfaces on port 80 for unencrypted HTTP connections.
http://192.168.1.101:8080 | Binds to the interface with the IP 192.168.1.101 on port 8080 for unencrypted HTTP connections.
https://+:8443 | Binds to all interfaces...
06. Specter Implants
Overview This tutorial will show you how to generate custom Specters (our term for implants). Background Knowledge The core implant for SpecterInsight is a .NET 2.0+ compatible binary referred to as a specter. The specter implant contains an internally hosted PowerShell 2.0+ compatible shell. Additionally, there are wrappers that encapsulate your specters to give them different running environments and allow this product to support a broad range of defense evasion techniques. Payloads The following payloads are generated every time you create a new specter:
Payload | Obfuscated | Description
.NET Binary | No | The core SpecterInsight implant that can run in either 32-bit or 64-bit environments.
Win32 DLL | No | A native...
07. Sessions
Overview In this tutorial, you will learn how to manage and interact with Specter sessions. Background Knowledge The primary mechanism for interacting with Specters is through the interactive session window. This window provides a rich user interface for managing an individual Specter implant. Components Session Information Panel: This panel contains information about the context of the environment the Specter is running in to include: host identifier, session identifier, fully qualified domain name (FQDN), OS and version, IP address of the connection, Username, full process path, PID, the architecture, current callback interval settings, the expiration date, and a countdown to the...
08. Writing Custom SpecterScripts
Overview In this tutorial, you will learn how to write custom SpecterScripts to customize or augment the ones provided out-of-the-box. A SpecterScript is just a PowerShell script that can reference the built-in cmdlets provided by the Specter host environment. Write a Basic SpecterScript Let's say you need a basic command to find all Microsoft Office documents that have been recently edited by users on the system. How do you get that information using SpecterInsight? The best and most repeatable way is to create a SpecterScript. Draft the Script The recommended way to create a SpecterScript is to first write and...
09. Uploading and Importing Modules
Overview This tutorial will demonstrate how to upload new modules to the server and how to import those modules into a Specter session. Background Knowledge Modules Modules are another way to extend the functionality of SpecterInsight by uploading .NET Dynamically Linked Libraries (DLLs) to a Specter session. The SpecterInsight server maintains a repository of modules that can then be referenced inside of a SpecterScript. The following code block shows how to import a module into a SpecterSession: load recon; The command above instructs the Specter to download the “recon” module and load it into the current session. Any cmdlets defined...
10. Discovery
Overview SpecterInsight is designed to make reconnaissance fast, easy, and intuitive, and to provide rich insights. Performing Host Discovery Host discovery includes collection of information about the local system that is relevant to the engagement. List Host Discovery Techniques To list the available host discovery techniques, apply a label filter for "host-discovery" in the SpecterScripts panel. This filter will list all of the available techniques that have SpecterScripts. Insert SpecterScript Into Command Editor Ensure that the SpecterScript titled "Get System Info via API" is selected in the SpecterScripts Search Panel and then click the "Insert" button. This will insert the contents of...
11. Persistence
Overview SpecterInsight ships with a variety of persistence mechanisms and effectively leverages the data analysis integration with ELK to ensure you never lose track of your persistence mechanisms during an engagement. Persistence Through PowerShell Profile Description SpecterInsight ships with a built-in persistence mechanism that drops a cradle in one of the PowerShell profiles. There are various PowerShell profiles that execute when a PowerShell host starts up and that run with the privileges of the executing user. SpecterInsight also provides an HTTP endpoint that will generate and obfuscate a PowerShell cradle which will securely load a Specter into memory. WARNING: This persistence...
12. Tunneling
Overview SpecterInsight provides the ability to tunnel traffic from the C2 server through a deployed Specter's C2 channel and out to a target. This is helpful for allowing direct TCP connections from the ops workstation to the target network. Lateral Movement using RDP over HTTPS Tunnel Description Tunneling can get really confusing, really fast. To help make things clearer, we're going to walk through a concrete scenario. In this situation, the Red Team operator needs to Remote Desktop from their Kali VM to a workstation in the target environment. They can't do that directly over the internet because there's a...