
Terminology

Before getting into the details of the options this tool offers, let's first look at its terminology:

  • Zombies:

A zombie is a compromised system that connects back to the Koadic Command and Control server. Just as a session is opened in Metasploit, a zombie connects back to Koadic.

  • Stagers:

The stager is the Command and Control web server from which the zombie fetches the payload and implants. Stagers are also used to maintain the connection between the zombies and Koadic. Note that Koadic does not rely on TCP connections for continuous communication. Instead, the connection is maintained by requesting multiple HTTP connections.

  • Implants:

An implant is JavaScript or VBScript code that is executed by zombies to perform a certain task. It's the same as a post module in Metasploit. Once an implant is chosen to be used by Koadic, the script is sent over to the zombies and is executed on the system. The fetched results are then displayed on the Koadic C2 panel.

In Koadic, the implants are categorized as follows: pivot, persistence, manage, utils, elevate, gather, scan, fun, and inject.

  • Jobs:

Whenever the stager (C2) sends an implant (post module) to the zombie (compromised system) for execution, C2 creates a job in the process. C2 gives the zombie the job of executing the implant, and once the job is completed, C2 is notified of the completion (which is also displayed on the C2 panel).

To get started with this tool, we can run the help command or use ? instead:

? 

The ? command will show all the commands that are supported by the Koadic C2 with their respective descriptions.

To use Koadic, we can follow these stages to perform Koadic-style post-exploitation:

  1. Stager Establishment: Set up the stager web server where the zombie will get connected.
  2. Payload Execution: Drop the payload over to the target server and execute the payload to get the zombie hooked up by Koadic.
  3. Running Implants: Execute the implants to get domain information, SYSTEM access, and NTLM hashes. These can be used for further post-exploitation.
  4. Pivoting: Hook the zombie and move around the network through it.
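
From the defender's side, the behaviour noted under Stagers (a zombie keeping its session alive through repeated HTTP requests rather than one long-lived TCP connection) shows up in web-proxy logs as one client contacting one destination again and again at near-regular intervals. The following Python code is an added example, not from the original text or the Koadic project; the log format, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (assumed format: timestamp client method dest path).
# One host polls a single server about every 5 s; another browses irregularly.
_POLL = [0, 5, 10, 16, 21, 26, 31, 36]
_BROWSE = [0, 2, 3, 60, 61, 200, 430]
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:{s // 60:02d}:{s % 60:02d} 10.0.0.15 POST 203.0.113.7:9999 /x" for s in _POLL]
    + [f"2024-05-01T10:{s // 60:02d}:{s % 60:02d} 10.0.0.22 GET intranet.example /page" for s in _BROWSE]
    + ["malformed line", "not-a-time 10.0.0.9 GET a.example /"]
)

def parse(log_text):
    """Yield (timestamp, client, dest) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]

def find_polling(log_text, min_requests=6, max_jitter=0.2):
    """Flag client/destination pairs with many requests at regular intervals.

    max_jitter is the allowed ratio of gap standard deviation to mean gap
    (an assumed threshold; tune it against your own baseline traffic).
    """
    times = defaultdict(list)
    for ts, client, dest in parse(log_text):
        times[(client, dest)].append(ts)
    findings = []
    for (client, dest), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"client": client, "dest": dest,
                             "requests": len(stamps), "mean_gap_s": round(avg, 1)})
    return findings

if __name__ == "__main__":
    for hit in find_polling(SAMPLE_LOG):
        print(hit)
```

Regular polling is also typical of legitimate software such as update checkers and monitoring agents, so treat hits as leads to triage against a list of known destinations rather than as confirmed compromises.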