Athena v0.2
Introduction
Lately I’ve had some free time to myself, and had a burst of inspiration, so I came up with some ways I wanted to update Athena for the next release. One re-write, and some scope-creep later I can now finally say I’m ready to release version 0.2 of Athena!
With this release comes a lot of new stuff that I’m really excited about!
tl;dr
- Complete rewrite to clean up the code and make development easier
- A bunch of new commands!
- Improved SMB p2p support
- Support for Mythic Hooks
- Better long-running task support
- Improved build options
New Commands
Amsi
Athena now comes with an amsi command that uses an obfuscated version of the AmsiScanBuffer bypass originally discovered by @rasta-mouse
This command is only available on Windows agents.
DS
Athena now has the ability to enumerate Active Directory/Ldap information. This makes use of the System.DirectoryServices.Protocols library, and needs to be loaded using the command load-module ds
Farmer & Crop
Athena now comes with built-in support for Farmer from @domchell. You can load the farmer server using the farmer command, and drop your lnk payloads using the crop command.
Get-LocalGroup
You can now enumerate local and remote groups against Windows servers without calling net.exe. This makes use of the NetLocalGroupEnum and NetLocalGroupGetMembers API calls in Windows (Windows agents only).
This command is only available on Windows agents.
Get-Sessions
Athena can now get active sessions using the NetSessionEnum Windows API call. This allows you to easily identify sessions against a specific server when hunting users. Target servers can be provided to Athena via comma separated hostnames, or a newline separated file containing the hosts can be uploaded to the agent.
This command is only available on Windows agents.
Get-Shares
Athena can identify shares on a Windows server using the NetShareEnum Windows API call. This allows you to identify what shares are available in a Windows environment. Target servers can be provided to Athena via comma separated hostnames, or a newline separated file containing the hosts can be uploaded to the agent.
This command is only available on Windows agents.
Inline-Exec
inline-exec allows Athena to execute a provided shellcode file in a new thread. Only supported on Windows, it can be used to execute your favorite donut payloads easily.
This command is only available on Windows agents.
Load-Module
Athena now comes with a load-module command that allows for easier operation with 3rd party libraries for plugins. For example, the ssh plugin has two requirements:
Renci.SSH.Net and SshNet.Security.Cryptography which come as separate DLLs. Instead of having to call load-assembly for each DLL individually, you can have load-module do it for you!
Just type load-module <module> and let it do the rest!
Currently supported modules are:
- ssh
- sftp
- domain
SFTP
Athena now has the ability to interact with SFTP servers, which supports hooking into the Mythic file browser. You can connect, list files, and download currently, with upload coming in a later release.
SSH
Athena can allow you to interact with SSH servers without ever having to leave the agent!
You first connect to the server using ssh connect:
You can then run commands using ssh exec
Athena also supports multiple open SSH sessions, and can easily switch between them using ssh switch-session. These sessions can be listed using the ssh list-sessions command.
Token
Athena finally supports impersonation and token operations. Now you can create tokens and execute plugins as different users! As of now only new token operations are supported, with or without netonly logons.
It hooks in with the dedicated mythic feature, allowing you to specify any of the listed tokens when calling plugins. Athena will automatically revert at the end of each command.
In addition, these tokens can be viewed in the Mythic UI!
This command is only available on Windows agents.
Improved Commands
Ls
The ls command now supports the Mythic FileBrowser hook, making your local file and share enumeration life that much easier!
When performing an ls view the command line, instead of the files and directories, you’ll receive a message stating how many files were returned.
These files can be found in the File Browser.
To make life even easier ls can be tasked directly from the FileBrowser allowing you to share mine all from one convenient place!
Nslookup
The nslookup command now supports getting targets from a file just like get-sessions and get-shares. Just upload your target list as a newline separated text file and Athena will take it from there!
Ps
The ps command now supports the Mythic Process Browser hook. When running a ps command, the information will be output into the process browser, allowing for easier parsing and identification of interesting processes.
Execute-Assembly
The execute-assembly command now works better than Athena 0.1, yay!
C2 Profiles
SMB
I’ve improved SMB communication between Athena agents a lot, I’m sure it’s not perfect yet, and it’s not the fastest, but it’s much more stable than 0.1.
Coming Soon
I have some new C2 profiles in the pipeline that should be coming soon. Keep an eye out!
Conclusion
If you’ve gotten this far thanks for reading! Athena is a passion project that allows me to experiment with new techniques I read about or find useful, that being said I would love contributions! Since it’s already .NET based the learning curved from current offensive tools is fairly low. Additionally, as I’m the only developer I don’t expect this to be a completely bug free release, so if you find any bugs or wish something was different feel free to submit an issue on Github!
Special thanks to @its_a_feature for putting up with all my questions and feature requests, and for creating Mythic allowing me to work on the fun part of agent development.