# AdaptixC2 Configuration Extraction and TTPs

{{#include ../../banners/hacktricks-training.md}}

AdaptixC2 is a modular, open-source post-exploitation/C2 framework with Windows x86/x64 beacons (EXE/DLL/service EXE/raw shellcode) and BOF support. This page documents:

- How its RC4-packed configuration is embedded and how to extract it from beacons
- Network/profile indicators for HTTP/SMB/TCP listeners
- Common loader and persistence TTPs observed in real intrusions, with links to the related Windows technique pages

## Beacon profiles and fields

AdaptixC2 supports three main beacon types:

- BEACON_HTTP: web C2 with configurable servers/ports/SSL, method, URI, headers, user-agent, and a custom parameter name
- BEACON_SMB: named-pipe peer-to-peer C2 (intranet)
- BEACON_TCP: direct sockets, optionally with a prepended marker to obfuscate the start of the protocol

Typical profile fields observed in HTTP beacon configs (after decryption):

- agent_type (u32)
- use_ssl (bool)
- servers_count (u32), servers (array of strings), ports (array of u32)
- http_method, uri, parameter, user_agent, http_headers (length-prefixed strings)
- ans_pre_size (u32), ans_size (u32) – used to parse response sizes
- kill_date (u32), working_time (u32)
- sleep_delay (u32), jitter_delay (u32)
- listener_type (u32)
- download_chunk_size (u32)

Example default HTTP profile (from a beacon build):

```json
{
  "agent_type": 3192652105,
  "use_ssl": true,
  "servers_count": 1,
  "servers": ["172.16.196.1"],
  "ports": [4443],
  "http_method": "POST",
  "uri": "/uri.php",
  "parameter": "X-Beacon-Id",
  "user_agent": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0",
  "http_headers": "\r\n",
  "ans_pre_size": 26,
  "ans_size": 47,
  "kill_date": 0,
  "working_time": 0,
  "sleep_delay": 2,
  "jitter_delay": 0,
  "listener_type": 0,
  "download_chunk_size": 102400
}
```

Malicious HTTP profile observed (real-world intrusion):

```json
{
  "agent_type": 3192652105,
  "use_ssl": true,
  "servers_count": 1,
  "servers": ["tech-system[.]online"],
  "ports": [443],
  "http_method": "POST",
  "uri": "/endpoint/api",
  "parameter": "X-App-Id",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36",
  "http_headers": "\r\n",
  "ans_pre_size": 26,
  "ans_size": 47,
  "kill_date": 0,
  "working_time": 0,
  "sleep_delay": 4,
  "jitter_delay": 0,
  "listener_type": 0,
  "download_chunk_size": 102400
}
```

## Encrypted configuration packaging and load path

When the operator clicks Create in the builder, AdaptixC2 embeds the encrypted profile as a tail blob inside the beacon. The layout is:

- 4 bytes: configuration size (uint32, little-endian)
- N bytes: RC4-encrypted configuration data
- 16 bytes: RC4 key

The beacon loader copies the 16-byte key from the end and RC4-decrypts the N-byte block in place:

```c
ULONG profileSize = packer->Unpack32();
this->encrypt_key = (PBYTE) MemAllocLocal(16);
memcpy(this->encrypt_key, packer->data() + 4 + profileSize, 16);
DecryptRC4(packer->data()+4, profileSize, this->encrypt_key, 16);
```

Practical implications:

- The whole structure usually lives in the PE .rdata section.
- Extraction is deterministic: read the size, read that many bytes of ciphertext, read the 16-byte key placed immediately after it, then RC4-decrypt.

## Configuration extraction workflow (defenders)

Write an extractor that mirrors the beacon's logic:

1) Locate the blob inside the PE (usually .rdata). A practical approach is to scan .rdata for a plausible [size|ciphertext|16-byte key] layout and attempt RC4.
2) Read the first 4 bytes → size (uint32 LE).
3) Read the next N=size bytes → ciphertext.
4) Read the final 16 bytes → RC4 key.
5) RC4-decrypt the ciphertext.

Then parse the plaintext profile as:

- u32/boolean scalars as listed above
- length-prefixed strings (u32 length followed by bytes; a trailing NUL can be present)
- arrays: servers_count followed by that many [string, u32 port] pairs

Minimal Python proof-of-concept (standalone, no external deps) that works with a pre-extracted blob:

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA then PRGA); encryption and decryption are the same operation
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) & 0xFF]
        out.append(b ^ K)
    return bytes(out)


class P:
    """Tiny little-endian cursor over the decrypted profile bytes."""

    def __init__(self, buf: bytes):
        self.b = buf
        self.o = 0

    def u32(self) -> int:
        v = struct.unpack_from('<I', self.b, self.o)[0]
        self.o += 4
        return v

    def u8(self) -> int:
        v = self.b[self.o]
        self.o += 1
        return v

    def s(self) -> str:
        # u32 length followed by the bytes; a trailing NUL, if present, is dropped
        L = self.u32()
        s = self.b[self.o:self.o + L]
        self.o += L
        return s[:-1].decode('utf-8', 'replace') if L and s[-1] == 0 else s.decode('utf-8', 'replace')


def parse_http_cfg(plain: bytes) -> dict:
    p = P(plain)
    cfg = {}
    cfg['agent_type'] = p.u32()
    cfg['use_ssl'] = bool(p.u8())
    n = p.u32()                      # servers_count
    cfg['servers'] = []
    cfg['ports'] = []
    for _ in range(n):               # [string, u32 port] pairs
        cfg['servers'].append(p.s())
        cfg['ports'].append(p.u32())
    cfg['http_method'] = p.s()
    cfg['uri'] = p.s()
    cfg['parameter'] = p.s()
    cfg['user_agent'] = p.s()
    cfg['http_headers'] = p.s()
    cfg['ans_pre_size'] = p.u32()
    cfg['ans_size'] = p.u32() + cfg['ans_pre_size']
    cfg['kill_date'] = p.u32()
    cfg['working_time'] = p.u32()
    cfg['sleep_delay'] = p.u32()
    cfg['jitter_delay'] = p.u32()
    # Not read by this PoC; set to the defaults seen in the profiles above
    cfg['listener_type'] = 0
    cfg['download_chunk_size'] = 0x19000
    return cfg


def parse_blob(blob: bytes) -> dict:
    # Steps 2-5 of the workflow above on a pre-extracted [size|ciphertext|key] blob
    size = struct.unpack_from('<I', blob, 0)[0]
    ct = blob[4:4 + size]
    key = blob[4 + size:4 + size + 16]
    return parse_http_cfg(rc4(key, ct))


# Usage (when you have [size|ciphertext|key] bytes):
# blob = open('blob.bin', 'rb').read()
# print(parse_blob(blob))
```
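Step 1 of the workflow above (scanning a section for a plausible [size|ciphertext|16-byte key] layout and trying RC4), as an added example that is not part of the original page or of the AdaptixC2 project: it packs a constructed fake HTTP profile the way the builder does, buries it in filler bytes standing in for .rdata, and carves it back out by trying every offset and sanity-checking the decryption against the field order documented above. The host c2.example.invalid, the key, the filler and the `looks_like_profile` heuristics are constructed assumptions, not values from a real beacon.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (the primitive the beacon loader uses); decryption == encryption."""
    S = list(range(256)); j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0; out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def pack_blob(plain: bytes, key: bytes) -> bytes:
    """Mirror the builder's tail layout: u32 LE size | RC4 ciphertext | 16-byte key."""
    return struct.pack('<I', len(plain)) + rc4(key, plain) + key

def looks_like_profile(plain: bytes) -> bool:
    """Cheap plausibility test on a candidate decryption (heuristic, an assumption):
    u32 agent_type, u8 use_ssl in {0,1}, small servers_count, printable first server."""
    if len(plain) < 13: return False
    n, L = struct.unpack_from('<I', plain, 5)[0], struct.unpack_from('<I', plain, 9)[0]
    if plain[4] > 1 or not 1 <= n <= 16 or not 1 <= L <= 256 or 13 + L > len(plain): return False
    return all(c == 0 or 0x20 <= c < 0x7F for c in plain[13:13 + L])

def carve_profiles(section: bytes, max_size: int = 0x10000):
    """Try every offset of a section (e.g. raw .rdata bytes) as a [size|ciphertext|key] record."""
    hits = []
    for off in range(len(section) - 20):
        size = struct.unpack_from('<I', section, off)[0]
        end = off + 4 + size
        if size < 13 or size > max_size or end + 16 > len(section):
            continue
        plain = rc4(section[end:end + 16], section[off + 4:end])   # key sits right after ct
        if looks_like_profile(plain):
            hits.append((off, size, plain))
    return hits

# Constructed sample (not from a real beacon): a fake HTTP profile packed the way the
# builder would, surrounded by filler that stands in for the rest of .rdata.
def _s(v: str) -> bytes:  # length-prefixed, NUL-terminated string
    return struct.pack('<I', len(v) + 1) + v.encode() + b'\0'
SAMPLE_PLAIN = (struct.pack('<IBI', 3192652105, 1, 1) + _s('c2.example.invalid')
                + struct.pack('<I', 443) + _s('POST') + _s('/endpoint/api') + _s('X-App-Id')
                + _s('UA/1.0') + _s('\r\n') + struct.pack('<6I', 26, 47, 0, 0, 4, 0))
SAMPLE_KEY = bytes(range(0xA0, 0xB0))  # constructed 16-byte key
FILLER = b'\0' * 40 + b'.rdata filler text'
SAMPLE_SECTION = FILLER + pack_blob(SAMPLE_PLAIN, SAMPLE_KEY) + b'\0' * 24
```

On a real sample, feed `carve_profiles` the raw bytes of the .rdata section dumped with any PE parser and hand each hit's plaintext to the profile parser above.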