fix Slack notification and support apps/webhooks

poshc2/client/command_handlers/ImplantHandler.py

@@ -732,7 +732,7 @@ def do_nuke_autoruns(user, command):
 
 def do_show_serverinfo(user, command):
     C2 = get_c2server_all()
-    detailsformatted = "\nPayloadCommsHost: %s\nEncKey: %s\nDomainFrontHeader: %s\nDefaultSleep: %s\nKillDate: %s\nGET_404_Response: %s\nPoshProjectDirectory: %s\nQuickCommand: %s\nDownloadURI: %s\nDefaultProxyURL: %s\nDefaultProxyUser: %s\nDefaultProxyPass: %s\nURLS: %s\nSocksURLS: %s\nInsecure: %s\nUserAgent: %s\nReferer: %s\nPushover_APIToken: %s\nPushover_APIUser: %s\nSlack_UserID: %s\nSlack_Channel: %s\nSlack_BotToken: %s\nEnableNotifications: %s\n" % (C2.PayloadCommsHost, C2.EncKey, C2.DomainFrontHeader, C2.DefaultSleep, C2.KillDate, C2.GET_404_Response, C2.PoshProjectDirectory, C2.QuickCommand, C2.DownloadURI, C2.ProxyURL, C2.ProxyUser, C2.ProxyPass, C2.URLS, C2.SocksURLS, C2.Insecure, C2.UserAgent, C2.Referrer, C2.Pushover_APIToken, C2.Pushover_APIUser, C2.Slack_UserID, C2.Slack_Channel, C2.Slack_BotToken, C2.EnableNotifications)
+    detailsformatted = "\nPayloadCommsHost: %s\nEncKey: %s\nDomainFrontHeader: %s\nDefaultSleep: %s\nKillDate: %s\nGET_404_Response: %s\nPoshProjectDirectory: %s\nQuickCommand: %s\nDownloadURI: %s\nDefaultProxyURL: %s\nDefaultProxyUser: %s\nDefaultProxyPass: %s\nURLS: %s\nSocksURLS: %s\nInsecure: %s\nUserAgent: %s\nReferer: %s\nPushover_APIToken: %s\nPushover_APIUser: %s\nSlack_UserID: %s\nSlack_Channel: %s\nSlack_BotToken: %s\nEnableNotifications: %s\n" % (C2.PayloadCommsHost, C2.EncKey, C2.DomainFrontHeader, C2.DefaultSleep, C2.KillDate, C2.GET_404_Response, C2.PoshProjectDirectory, C2.QuickCommand, C2.DownloadURI, C2.ProxyURL, C2.ProxyUser, C2.ProxyPass, C2.URLS, C2.SocksURLS, C2.Insecure, C2.UserAgent, C2.Referrer, C2.Pushover_APIToken, C2.Pushover_APIUser, C2.Slack_UserID, C2.Slack_Channel, C2.Slack_BotToken, C2.Slack_WebHook, C2.EnableNotifications)
     print_good(detailsformatted)
     input("Press Enter to continue...")
     clear()

poshc2/server/C2Server.py

@@ -15,7 +15,7 @@
 from poshc2.server.Config import PoshProjectDirectory, ServerHeader, PayloadsDirectory, GET_404_Response, DownloadsDirectory, Database, PayloadCommsHost, SocksHost
 from poshc2.server.Config import QuickCommand, KillDate, DefaultSleep, DomainFrontHeader, urlConfig, BindIP, BindPort
 from poshc2.server.Config import DownloadURI, URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken
-from poshc2.server.Config import Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications, DatabaseType
+from poshc2.server.Config import Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, Slack_WebHook, EnableNotifications, DatabaseType
 from poshc2.server.Cert import create_self_signed_cert
 from poshc2.client.Help import logopic
 from poshc2.Utils import validate_sleep_time, randomuri, gen_key
@@ -374,7 +374,7 @@ def newdb(db):
         print("Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h")
         print(Colours.GREEN)
         sys.exit(1)
-    setupserver(PayloadCommsHost, gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, "", "", "", URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications)
+    setupserver(PayloadCommsHost, gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, "", "", "", URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, Slack_WebHook, EnableNotifications)
     rewriteFile = "%s/rewrite-rules.txt" % directory
     print("Creating Rewrite Rules in: " + rewriteFile)
     rewriteHeader = ["RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off", "SSLProxyVerify none", "SSLProxyCheckPeerName off", "SSLProxyCheckPeerExpire off", "# Change IPs to point at C2 infrastructure below", "Define PoshC2 10.0.0.1", "Define SharpSocks 10.0.0.1", "# If running Apache 2.4.52 or Later", "Proxy100Continue Off"]

poshc2/server/Config.py

@@ -103,6 +103,7 @@
 Slack_UserID = config["Slack_UserID"]
 Slack_Channel = config["Slack_Channel"]
 Slack_BotToken = config["Slack_BotToken"]
+Slack_WebHook = config["Slack_WebHook"]
 
 # SOCKS Proxying Options
 SocksHost = config["SocksHost"]
@@ -140,4 +141,4 @@
 Cert_NotAfter = (10 * 365 * 24 * 60 * 60)
 
 #XOR encryption key
-XOR_KEY = bytes(config["XOR_KEY"], "utf-8")
+XOR_KEY = bytes(config["XOR_KEY"], "utf-8")

poshc2/server/Implant.py

@@ -1,4 +1,4 @@
-import urllib, base64, http.client, re
+import urllib, base64, http.client, re, json
 from datetime import datetime, timezone
 
 from poshc2.Colours import Colours
@@ -102,6 +102,7 @@ def display(self):
                 mention_userid = select_item("Slack_UserID", "C2Server")
                 channel = select_item("Slack_Channel", "C2Server")
                 Slack_BotToken = str("Bearer ")+Slack_BotToken
+                Slack_WebHook = select_item("Slack_WebHook", "C2Server")
                 if mention_userid in ("", None):
                     mention_userid = ""
                 elif mention_userid.lower().strip() == "channel":
@@ -111,7 +112,11 @@ def display(self):
                 message = {"channel": channel, "text": "%s[%s] - New Implant: %s @ %s" % (mention_userid, NotificationsProjectName, self.User, self.Hostname), "as_user": "true", "link_names": "true"}
                 headers = {"Content-type": "application/json","Authorization": Slack_BotToken }
                 conn = http.client.HTTPSConnection("slack.com:443")
-                conn.request("POST", "/api/chat.postMessage",json.dumps(message), headers)
+                connurl = "/api/chat.postMessage"
+                if Slack_WebHook:
+                    conn = http.client.HTTPSConnection("hooks.slack.com:443")
+                    connurl = Slack_WebHook
+                conn.request("POST", connurl,json.dumps(message), headers)
                 output = conn.getresponse()
                 if output.status != 200:
                     data = output.read()

poshc2/server/database/DB.py

@@ -83,10 +83,10 @@ def get_last_insert_row_id(cursor):
     return cursor.lastrowid
 
 
-def setupserver(PayloadCommsHost, EncKey, DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, ProxyURL, ProxyUser, ProxyPass, URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications):
+def setupserver(PayloadCommsHost, EncKey, DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, ProxyURL, ProxyUser, ProxyPass, URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, Slack_WebHook, EnableNotifications):
     c = conn.cursor()
-    command = convert_query("INSERT INTO C2Server (PayloadCommsHost,EncKey,DomainFrontHeader,DefaultSleep,KillDate,GET_404_Response,PoshProjectDirectory,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,URLS,SocksURLS,Insecure,UserAgent,Referrer,Pushover_APIToken,Pushover_APIUser,Slack_UserID,Slack_Channel,Slack_BotToken,EnableNotifications) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
-    c.execute(command, (PayloadCommsHost, EncKey, DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, ProxyURL, ProxyUser, ProxyPass, URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications))
+    command = convert_query("INSERT INTO C2Server (PayloadCommsHost,EncKey,DomainFrontHeader,DefaultSleep,KillDate,GET_404_Response,PoshProjectDirectory,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,URLS,SocksURLS,Insecure,UserAgent,Referrer,Pushover_APIToken,Pushover_APIUser,Slack_UserID,Slack_Channel,Slack_BotToken,Slack_WebHook,EnableNotifications) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
+    c.execute(command, (PayloadCommsHost, EncKey, DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, ProxyURL, ProxyUser, ProxyPass, URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, Slack_WebHook, EnableNotifications))
     conn.commit()
 
 
@@ -96,7 +96,7 @@ def get_c2server_all():
     result = c.fetchone()
     return C2(result[1], result[2], result[3], result[4], result[5], result[6], result[7], result[8], result[9],
               result[10], result[11], result[12], result[13], result[14], result[15], result[16], result[17],
-              result[18], result[19], result[20], result[21], result[22], result[23])
+              result[18], result[19], result[20], result[21], result[22], result[23], result[24])
 
 
 def get_implants_all():

poshc2/server/database/DBPostgres.py

@@ -100,6 +100,7 @@ def initialise(create_database):
         Slack_UserID TEXT,
         Slack_Channel TEXT,
         Slack_BotToken TEXT,
+        Slack_WebHook TEXT,
         EnableNotifications TEXT);"""
 
     create_c2_messages = """CREATE TABLE C2_Messages (
@@ -135,4 +136,4 @@ def initialise(create_database):
 def db_exists(conn):
     c = conn.cursor()
     c.execute("SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';")
-    return c.rowcount > 0
+    return c.rowcount > 0

poshc2/server/database/DBSQLite.py

@@ -101,6 +101,7 @@ def initialise(create_database):
         Slack_UserID TEXT,
         Slack_Channel TEXT,
         Slack_BotToken TEXT,
+        Slack_WebHook TEXT,
         EnableNotifications TEXT);"""
 
     create_c2_messages = """CREATE TABLE C2_Messages (
@@ -142,4 +143,4 @@ def db_exists(conn):
     if result:
         return True
     else:
-        return False
+        return False

poshc2/server/database/Model.py

@@ -1,7 +1,7 @@
 class C2:
     def __init__(self, PayloadCommsHost, EncKey, DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response,
                  PoshProjectDirectory, QuickCommand, DownloadURI, ProxyURL, ProxyUser, ProxyPass,
-                 URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications):
+                 URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, Slack_WebHook, EnableNotifications):
         self.PayloadCommsHost = PayloadCommsHost
         self.EncKey = EncKey
         self.DomainFrontHeader = DomainFrontHeader
@@ -24,6 +24,7 @@ def __init__(self, PayloadCommsHost, EncKey, DomainFrontHeader, DefaultSleep, Ki
         self.Slack_UserID = Slack_UserID
         self.Slack_Channel = Slack_Channel
         self.Slack_BotToken = Slack_BotToken
+        self.Slack_WebHook = Slack_WebHook
         self.EnableNotifications = EnableNotifications
 
 

resources/config-template.yml

@@ -39,8 +39,10 @@ Pushover_APIUser: ""
 
 # Slack - https://slack.com/
 Slack_BotToken: "" # The token used by the application to authenticate. Get it from https://[YourSlackName].slack.com/apps/A0F7YS25R (swap out [YourSlackName]). Should start with xobo-.
+                   # If using more up-to-date slack apps (supporting webhooks), navigate to your app in https://api.slack.com/apps/ and then retrieving "Bot User OAuth Token" from "OAuth & Permissions"
 Slack_UserID: "" # Found under a users profile (i.e UHEJYT2AA). Can also be "channel". 
 Slack_Channel: "" # i.e #bots
+Slack_WebHook: "" # Navigate to your app > Incoming Webhooks > WebHook URLs for your Workspace endpoint. e.g. "/services/Q0000QQQQ0Q/Q0000QQQQQQ/QQQQQQQQQQQQQQQQ"
 
 # SOCKS Proxying Options
 SocksHost: "http://127.0.0.1:49031" # The host the C2 http requests communicate with - not the port the SOCKS client connects to. Most cases should be left like this and set in rewrite rules.