Maalik is a network pivoting and post exploitation framework.
What is Network Pivoting?
According to Wikipedia.
Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines.
A simpler explanation for those who can understand, You want to Penetration test on a Host, BUT, you don’t directly have access to it, But an already Exploited PC that you do have access to does. So you can use that Exploited PC to attack.
That explanation is from the top of my head, But I Hope it’s enough for you to understand.
Post exploitation, is anything done after you’re gained access / exploited to a machine. post exploitation basically means the phases of operation once a victim’s system has been compromised by the attacker.
So you might have understood by now, Maalik in intended to be used for Post Exploitation mainly.
Let’s start using it, Note, This example assumes that we have exploited the machine named
Do not clone the repository.
The github repository is constantly updated, If you clone it then you might do so for developement reasons. For using it, Follow the instructions that are on the Github README file.
Let’s assume you have installed Maalik dependencies. Let’s run it.
$ cd maalik
$ sudo chmod +x maalik.py
$ sudo ./maalik.py
After executing the above commands, You should be seeing something that looks like this :
Alright, Now we’re ready to use Maalik.
Second step is to build the Maalik Client, Fhdawn and transfer it over to
test-PC and execute it as Administrator. If Fhdawn is not executed as Administrator, IT will copy itself to a file named
WindowsDefender.exe and attempt to execute it as administrator. This is very visible to the user.
This can be disabled / enabled in settings file
settings.ini. But Fhdawn must be run as administrator because most features require that. In this case, I have enabled it and built Fhdawn.
This is how it would look like ( note : this is an old windows 10 version)
After 5 seconds, You should have a session opened on the Server side.
Interact with the session, The first session will always be on index 0.
Now it should look like this.
maalik >> (192.168.0.106:5214) :
You can type
help for a list of available commands. I’m gonna be covering some main ones.
Maalik uses Reflective DLL Injection to execute payloads. If you don’t know what this is, You can learn about it directly from it’s creator over here : https://github.com/stephenfewer/ReflectiveDLLInjection
In simple words, Reflective DLL Injection allows you to load library entirely from memory. The dll does not need to be loaded directly from disk.
Maalik uses a text file named
output.png to send commands to the payload and also get it’s output.
Let’s run the
keylog_start payload. This injects the Keylogger Reflective DLL in
WindowsDefender.exe, The dll will log keystrokes and save them to a file named
That means, That it is now capturing keystrokes. Let’s stop logging and see what we have captured.
Because I intentionally wrote those at desktop. I did some spelling mistakes. But as you can see, WE have successfully logged keystrokes!
Let me explain what those lines mean, If you use maalik, Then you’re gonna be seeing them alot.
[+] Uploaded output.png (10 bytes) to 'C:\Users\Windows\Downloads\output.png' ...
Remember I said before, Maalik uses a file to send commands and also receive output of Keylogs.
When stopping keylog, We’re sending the command
KEYLOGSTOP to the keylogger using
The keylogger is made to stop keylogging when it reads in
Immediately after that, The output file is deleted. Because we can’t leave that around.
Then the log files are downloaded, And after downloading is complete, They are removed from the victim pc.
[+] Downloading file 'log.log' in 'downloads/log.log'
[+] Downloaded 'log.log' => 'downloads/log.log'
[i] File 'log.log' deleted from 'C:\Users\Windows\Downloads' ...
Finally, The logs are printed out to you and also removed from downloads folder to avoid future log downloading problems.
my keyaeglors being logged, yo what t[BACKSPACE]is going on!!! lmao hello dude.
That’s how the keylogging payload works. And other payloads works similarly.
A while back I created a video on network pivoting using Maalik, Even though t was an really old version, The methods are still same, You should watch this video for an understanding of how to pivot using maalik.
It uses netsh port forwarding to forward attack traffic on to a host unreachable directly. I do plan to add
route pivoting in future.
This video demonstrates manual pivoting with Maalik.
Now let me also demonstrate how to pivot with maalik using the latest version.
Firstly, You need to know what other machines are there in the network. So lets do a network scan.
maalik >> (192.168.0.106:50458) : network_scan
[^] Enter Range (eg: 192.168.0.1/24) : 192.168.0.100/109
[+] 192.168.0.104 - NULL - 88-83-5D-16-09-39
[+] 192.168.0.105 - BATMAN-PC - 44-1C-A8-69-D3-45
|_ OS : Windows (Just guessing)
[+] 192.168.0.106 - DESKTOP-HOGM9K8 - 08-00-27-AC-B7-B9
We’ve got 3 devices in the network. And you can also see that maalik has guessed the OS for one of them. The guess was based on it’s hostname, Most windows machines use
<name>-Pc as hostname. It’s not accurate, It’s a guess. Might be true. Might be false.
Those are 3 potential targets for a red teamer. Let’s select one, And do a port scan.
We have 3 Open ports. We need to pick a port to forward exploit traffic too. And you guessed it, I will be picking the smb port.
So I’ll set the attack port to
Pay close attention to
Attack Details In this case, both ip addresses are same because I picked myself as target to demonstrate. But what it’s trying to tell you is
to run exploits on the host and port that’s in the middle.
--> indicates where it will be forwarded to.
For example :
[ Exploit ] --> 192.168.0.106:8112 --> 192.168.0.106:445
That means, Everything sent on
192.168.0.106:811 will be forwarded to
192.168.0.106:445. Ignore the fact that here both IP addresses are same. As I said before, That’s me picked myself as target. :S
Note : We did not set the exploitport, Which is the port that we run the exploit on. It is set to random. It is preffered to leave it so. But you can change it if you want.
At this point, As it says, We can run exploits on the host and port using our favorite exploitation framework, Preferably, The Metasploit Framework.
Maalik also has plenty of other features as well, That support.
Here’s all it can do as of Version V2.2
- Runs in background, Only writes hidden plaintext file to disk.
- Execute / list / delete files and Browse
- Full access to all files.
- Windows Defender Exclusions
- Network Pivoting
- Enable / Disable Firewall
- Network Scanner
- Port Scanner
- Automatic Eternal Blue
- Reverse Shell
- File upload / download
- Reflective DLL Injection, Also you can load your own Reflective DLL.
- SAM Dump
List of CMD payloads useful for post exploitation.
- netuser – List users.
- systeminfo – View full System Information.
- driverquery – View all Drivers.
- tasklist – Get list of running processes.
- drives – Get Available Drive Letters.
- set – Get all envoironment variables.
- qwinsta – Displays information about sessions on a Remote Desktop Session Host server.
- netshall – Acronym for ‘netsh wlan show profiles’.
- rdp_enable – Enable Remote Desktop.
- rdp_disable – Disable Remote Desktop.
- firewall_off – Disable Firewall.
- firewall_on – Enable firewall.
- portfwd – Forward a PORT on the Remote PC.
- portfwd_reset – Reset all forwarded Ports.
- samdump – Dump SAM database.
List of Dynamic payload system payloads.
Executes ‘Payloads’ in Memory using Reflective DLL Injection. The Payload is a 32 bit Reflective DLL, That carries out tasks after successful Injection. DLL output is written to a TEXT file named output.png which is used to smuggle output back to server, And also give the DLL Payload commands.
- rshell – Netcat Reverse Shell.
- dropmsf – In Memory Meterpreter.
- runasadmin – Run an application as Administrator.
- chromedump – Dump Google Chrome Passwords.
- keylog_start – Start Capturing keystrokes.
- keylog_stop – Stop Capturing keystrokes, And dump keylogs.
- capturemic – Record microphone.
Thanks for reading, I hope I was able to give enough explanation so it could be understood.