poseidon's People

Contributors

0ca, coolcoolnoworries, github-actions[bot], its-a-feature, mattreduce, ne0nd0g, tsanozm, xorrior

poseidon's Issues

Compilation of ARM payloads

This is just a suggested change to include options to allow users to compile to ARM vs. x86. To compile ARM payloads I had to change two files:
https://github.com/MythicAgents/poseidon/blob/master/Payload_Type/poseidon/mythic/agent_functions/builder.py, change

command = f"rm -rf /build; rm -rf /deps; CGO_ENABLED=1 GOOS={target_os} GOARCH=amd64 "

to

command = f"rm -rf /build; rm -rf /deps; CGO_ENABLED=1 GOOS={target_os} GOARCH=arm64 "

and in https://github.com/MythicAgents/poseidon/blob/master/Payload_Type/poseidon/agent_code/poseidon.go, comment out all references to libinject from the code (this module does not work as written for ARM and will cause compile errors).
After that you should be good to go.

Build will fail as execute_macho go source files are located in the wrong directory

Tried to build the latest version of poseidon but the build was not successful. The reason is that this folder is placed in the wrong location:

https://github.com/MythicAgents/poseidon/tree/master/Payload_Type/poseidon/agent_code/execute_macho

#8 15.67        github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/pkg/utils/structs: module github.com/MythicAgents/poseidon/Payload_Type/poseidon@latest found (v0.0.0-20230510142239-d7316c849410), but does not contain package github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/pkg/utils/structs
#8 15.68 make: *** [Makefile:15: build] Error 1

This folder should be removed as these files are already located in the correct place:
https://github.com/MythicAgents/poseidon/tree/master/Payload_Type/poseidon/poseidon/agent_code/execute_macho

Lots of established connections with no cleanup

I've noticed while using poseidon, that there are a LOT of established conns that get generated and never cleaned up, and get progressively worse the lower you make the sleep, see an example below:

image

Builds fail with "go: updates to go.mod needed; to update it:" error

Using commit c63e0f5 of Poseidon, builds of the payload in Mythic 2.3.13 fail with output similar to the following.

STDERR:

[STDERR]
go: updates to go.mod needed; to update it:
	go mod tidy
/build/poseidon-linux-amd64 does not exist

I was able to fix the issue on my system and make builds work again by reversing this particular part of commit 62b6a4e to change the go version in Payload_Type/poseidon/agent_code/go.mod back to the previous value of 1.15.

'shell' command output truncates the output

Hi,

Latest poseidon (default build) payload truncates 'shell' command output.
E.g. "shell dmesg" shows only 1034 lines in output window. Running 'dmesg | wc -l' in terminal shows 2056 lines.
Running 'shell dmesg' next time, shows 1371 lines.

Similarly with 'shell ps auxf': the poseidon output in Mythic shows fewer lines than the same command in a terminal.

And the number of lines shown in the Mythic output is random every time, but always smaller than the actual number of lines output in the terminal.

Seems like a bug?

portscan command does not scan

Hi,

Using latest poseidon with latest Mythic on Linux. When running portscan, this error is shown:

json: cannot unmarshal array into Go struct field PortScanParams.ports of type string

Launching 'tcpdump' also does not show any traffic to scanned host.

p.s. other built-in commands work fine.
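
The error text above is what Go's encoding/json reports when a JSON array arrives for a struct field declared as `string`. The following is an added illustration, not code from the poseidon project: the struct layout, the `PortList` type, the function names and the sample inputs are assumptions constructed here, showing the failure and a field type that accepts both shapes.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// strictParams mirrors the shape implied by the error text ("ports" as string).
// The real PortScanParams definition is not shown on the page; this is assumed.
type strictParams struct {
	Ports string `json:"ports"`
}

// PortList (hypothetical) accepts either "22,80" or ["22","80"].
type PortList []string

func (p *PortList) UnmarshalJSON(data []byte) error {
	var list []string
	if err := json.Unmarshal(data, &list); err == nil {
		*p = list
		return nil
	}
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return fmt.Errorf("ports must be a string or an array of strings: %w", err)
	}
	*p = nil
	for _, part := range strings.Split(s, ",") {
		if part = strings.TrimSpace(part); part != "" {
			*p = append(*p, part)
		}
	}
	return nil
}

type tolerantParams struct {
	Ports PortList `json:"ports"`
}

// StrictErrorKind returns the JSON kind that failed to decode, or "" on success.
func StrictErrorKind(raw string) string {
	var p strictParams
	var typeErr *json.UnmarshalTypeError
	if errors.As(json.Unmarshal([]byte(raw), &p), &typeErr) {
		return typeErr.Value
	}
	return ""
}

// DecodePorts decodes the same payload with the tolerant field type.
func DecodePorts(raw string) ([]string, error) {
	var p tolerantParams
	err := json.Unmarshal([]byte(raw), &p)
	return p.Ports, err
}

func main() {
	raw := `{"ports":["22","80"]}` // constructed sample input
	fmt.Println("strict decode failed on JSON kind:", StrictErrorKind(raw))
	fmt.Println(DecodePorts(raw))
}
```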

Getting a memory error while testing Poseidon

I am getting a memory error every time I try to run the keylog. Not sure if I am doing something wrong or not.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x6b476d]

goroutine 23 [running]:
github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/keylog/keystate.keystateMonitor(0xc00010e0b8)
	/Mythic/agent_code/keylog/keystate/keystate_unix.go:317 +0x12d
created by github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/keylog/keystate.keyLogger
	/Mythic/agent_code/keylog/keystate/keystate_unix.go:413 +0x6e

keylog produces output that is not compatible with Mythic

When using the most recent mythic version, the keylogger does not produce output that Mythic understands.

image

The issue appears to be Poseidon attempting to send a keylog message instead of a task response message here:

https://github.com/MythicAgents/poseidon/blob/master/Payload_Type/poseidon/agent_code/keylog/keystate/keystate.go#L106
https://github.com/MythicAgents/poseidon/blob/master/Payload_Type/poseidon/agent_code/keylog/keystate/keystate.go#L114

Error while generating a payload with the websocket profile and garble enabled

Hi,

I have installed Mythic on an Ubuntu server (20.04.4) and while I was trying to generate a payload for the websocket profile with the option of garble enabled I got the following error:

<snip>
[garble] variable "r1" hashed with 74199b43… to "vRYBooiD"
[garble] variable "__cgofn__cgo_85c28f2a7a54_Cfunc_exec_csops_status" hashed with 74199b43… to "wQduKAnD"
[garble] variable "_cgo_85c28f2a7a54_Cfunc_exec_csops_status" hashed with 74199b43… to "m_wxmJHC"
[garble] func "_Cfunc_exec_csops_status" hashed with 74199b43… to "lhJzP7Rb"
[garble] obfuscating list_entitlements_darwin.cgo1.go
[garble] type "DarwinListEntitlements" hashed with 74199b43… to "FQeua458"
[garble] variable "pid" hashed with 74199b43… to "jHfVbT0J"
[garble] variable "res" hashed with 74199b43… to "nTzh1eSb"
[garble] variable "i" hashed with 74199b43… to "uQd9zpyJ"
[garble] obfuscating _cgo_import.go
[garble] transformed args for compile in 34.45ms: -o $WORK/b153/_pkg_.a -trimpath /tmp/garble-shared2165090381=>;/Mythic/agent_code/list_entitlements=>github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/list_entitlements;/tmp/go-build1237097560/b153=> -p GFly0iWE -lang=go1.15 -buildid MiSjyl4dNCB1e2eN9aA7/MiSjyl4dNCB1e2eN9aA7 -goversion go1.18.3 -c=4 -nolocalimports -importcfg /tmp/garble-shared2165090381/importcfg4228732642 -pack -dwarf=false /tmp/garble-shared2165090381/github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/list_entitlements/list_entitlements.go /tmp/garble-shared2165090381/github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/list_entitlements/_cgo_gotypes.go /tmp/garble-shared2165090381/github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/list_entitlements/list_entitlements_darwin.cgo1.go /tmp/garble-shared2165090381/github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/list_entitlements/_cgo_import.go
exit status 2
/build/poseidon-darwin-10.12-amd64 does not exist

Once I disabled the option for garble, I was able to generate the payload successfully.

Payload compilation failed on latest version

Morning,

On a clean/fresh installation of Mythic and poseidon, compilation of a new payload is failing.
The following error is shown:

Build Message:
Processing C2 Profile - http:
Step 1/3 - Issuing OPSEC Check
No immediate issues with configuration
Step 2/3 - Issuing Config Check
C2 Profile container and agent configuration match port, 80, and SSL expectations (false)

Step 3/3 - Issuing Start command


Sending Build command
Compilation failed with errors
StdErr: 
go: downloading github.com/xorrior/keyctl v1.0.1-0.20210425144957-8746c535bf58
go: downloading github.com/djherbis/atime v1.1.0
go: downloading howett.net/plist v1.0.0
go: downloading github.com/google/uuid v1.3.1
go: downloading golang.org/x/sync v0.3.0
go: downloading github.com/creack/pty v1.1.18
go: downloading github.com/kbinani/screenshot v0.0.0-20210720154843-7d3a670d8329
go: downloading github.com/tmc/scp v0.0.0-20170824174625-f7b48647feef
go: downloading golang.org/x/crypto v0.13.0
go: downloading golang.org/x/sys v0.12.0
go: downloading github.com/jezek/xgb v1.1.0
go: downloading github.com/gen2brain/shm v0.0.0-20221026125803-c33c9e32b1c8
go: downloading github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
poseidon.go:7:2: no required module provides package github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/pkg/utils/files; to add it:
	go get github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/pkg/utils/files

exit status 1
StdOut: 

Checked the repo and github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code/pkg/utils/files is missing there.

Any chance to have repo updated/fixed?

rpfwd stop does not close listening port.

Hi,

Using latest Mythic with latest poseidon agent on Linux.

rpfwd {"action":"start","port":9000,"remote_ip":"192.168.XX.XX","remote_port":80} - works as it should. The poseidon agent starts a TCP listener on port 9000 and I'm able to use port forwarding.

But a strange thing happens when I stop port forwarding with rpfwd {"action":"stop","port":9000}.
I'm not able to use port forwarding (this is fine), but the poseidon agent is still listening on port 9000.

Shouldn't the listening port (9000) disappear after I stop rpfwd on port 9000?

Developing new commands doesn't work (default behavior)

Looks like there's an undocumented quirk when developing and adding new commands that has them not build or show up. The .env has the POSEIDON_USE_BUILD_CONTEXT var set to false by default, so even if you follow the right steps from https://github.com/MythicAgents/poseidon/blob/055eb06e6fdc31ae4b0718dcaa2f6522c7e66b41/documentation-payload/poseidon/development.md, the commands never get built in (looks like it just pulls from the main remote repo).

You have to set POSEIDON_USE_BUILD_CONTEXT to true, and then it'll pull your added code from the local InstalledServices/poseidon folder like it should. This drove me nuts for a while. Might be worth throwing in a note about it in the docs 🙏

How to build the project?

Hi,

It is not clear from the README how to build the project. So I tried:

joe@ubuntu:~/go/src/poseidon/Payload_Type/poseidon/agent_code$ go build
# github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code
./poseidon.go:163:13: undefined: profiles.New

The profiles package contains two New() methods in two different files. How should I build?

SOCKS functionality no longer working

Hi

Looks like the SOCKS functionality is no longer working properly in poseidon as tested on x86_64 Linux Ubuntu 16.06.6 LTS kernel 4.4.0-121-generic when using the http communication profile.

This was reproduced using poseidon commits 029d152 and 7c2349d .

Steps to reproduce involve:

  1. Generating a poseidon binary payload communicating using http
  2. Running the payload on a system with the previously mentioned architecture and linux release and getting a callback in Mythic
  3. Setting the sleep interval to 0 to provide a usable communications channel for the proxying
  4. Starting the socks server on port 7000
  5. Attempting to do a simple netcat comms check on the Mythic server using proxychains-ng configured for socks 5 to a machine/port accessible from the host running the agent, e.g.:
    proxychains4 -f proxychains_7000.conf nc -vv 192.168.1.2 445
  6. The connection then dies with socket error or timeout! from proxychains-ng and Connection refused from netcat

This is something I have had working previously on poseidon on this same testing host. I tested reverting to commit 5eb93dc and SOCKS works using the above mentioned steps.

Let me know if any more detail is required

Builds for Linux arm64 fail

Builds of the payload for arm64 Linux from poseidon commit c63e0f5 are failing on Mythic 2.3.13.

This is after resolving the separate build issue discussed here.

Error message is below:

STDERR:

[STDERR]
# runtime/cgo
gcc_arm64.S: Assembler messages:
gcc_arm64.S:28: Error: no such instruction: `stp x29,x30,[sp,'
gcc_arm64.S:32: Error: too many memory references for `mov'
gcc_arm64.S:34: Error: no such instruction: `stp x19,x20,[sp,'
gcc_arm64.S:37: Error: no such instruction: `stp x21,x22,[sp,'
gcc_arm64.S:40: Error: no such instruction: `stp x23,x24,[sp,'
gcc_arm64.S:43: Error: no such instruction: `stp x25,x26,[sp,'
gcc_arm64.S:46: Error: no such instruction: `stp x27,x28,[sp,'
gcc_arm64.S:50: Error: too many memory references for `mov'
gcc_arm64.S:51: Error: too many memory references for `mov'
gcc_arm64.S:52: Error: too many memory references for `mov'
gcc_arm64.S:54: Error: no such instruction: `blr x20'
gcc_arm64.S:55: Error: no such instruction: `blr x19'
gcc_arm64.S:57: Error: no such instruction: `ldp x27,x28,[sp,'
gcc_arm64.S:60: Error: no such instruction: `ldp x25,x26,[sp,'
gcc_arm64.S:63: Error: no such instruction: `ldp x23,x24,[sp,'
gcc_arm64.S:66: Error: no such instruction: `ldp x21,x22,[sp,'
gcc_arm64.S:69: Error: no such instruction: `ldp x19,x20,[sp,'
gcc_arm64.S:72: Error: no such instruction: `ldp x29,x30,[sp],'
# github.com/xorrior/keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:89:33: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:97:35: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:106:33: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:114:34: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:122:33: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:149:34: undefined: syscall_add_key
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:173:36: undefined: syscall_setfsgid
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:181:34: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:213:35: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:230:36: undefined: syscall_keyctl
/go/src/pkg/mod/github.com/xorrior/[email protected]/sys_linux.go:230:36: too many errors
/build/poseidon-linux-arm64 does not exist

There were two separate issues here causing the build errors:

  • The first is the build process not specifying the correct cross compiler for arm64.
  • The second is that the xorrior fork of the keyctl module does not support arm64.

I've fixed both issues in my own forks of keyctl and poseidon to create a version of poseidon that works for me on arm64, and have also pushed a PR to add arm64 support to the xorrior keyctl fork.

Not sure if you would like me to provide a PR to poseidon or not from my branch given the nature of these changes? Let me know...

Poseidon payload connection always 'ESTABLISHED'

Hello,

With default HTTP profile settings, the poseidon payload (AMD_x64 executable) connection to the Mythic http server is always 'ESTABLISHED'.

This does not look like normal behavior for a payload.

Mythic, poseidon, http - using the latest versions, running on the latest Kali.

Any thoughts/ideas/hints on how to make payload connection stealthy?

macos compilation error

➜ poseidon.bin ranlib poseidon-darwin-10.12-amd64.a
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000001.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000002.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000003.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000012.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000013.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000014.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000020.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000035.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000038.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000047.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: poseidon-darwin-10.12-amd64.a(000051.o) has no symbols

➜ poseidon.bin clang -shared -framework Foundation -framework CoreGraphics -framework Security -framework ApplicationServices -framework OSAKit -framework AppKit -fpic sharedlib-darwin-linux.c poseidon-darwin-10.12-amd64.a -o poseidon.dylib
sharedlib-darwin-linux.c:28:43: error: incompatible function pointer types passing 'void (*)()' to parameter of type 'void * _Nullable (* _Nonnull)(void * _Nullable)' [-Wincompatible-function-pointer-types]
pthread_create(&posixThreadID, &attr, &RunMain, NULL);
^~~~~~~~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/pthread.h:340:31: note: passing argument to parameter here
void * _Nullable (* _Nonnull)(void * _Nullable),
^
1 error generated.
