The graph view can be accessed under the Engineers page in the client. This will load a node for each engineer in the table. If you want to show only active engineers, make sure to use the toggle on the main tab of the Engineers table.
- On the far left of the view is the teamserver with the current ts address. Connected to that are each of the currently viewed implants. The implant will contain a colored icon, an interact button, and some info at the bottom containing the Hostname, Username, and pid@address info.
- The color of the computer icon means a few things:
  - Gray: offline
  - Green: low integrity
  - Blue: medium integrity
  - Yellow/Orange: high integrity
  - Red: system integrity
- The nodes also have arrows showing the connection direction and type. An arrow pointing at the teamserver is a reverse connection (all HTTP/HTTPS); an arrow pointing away from the ts/parent node is a bind connection. The color of the arrow shows the connection type:
  - Green: HTTP/HTTPS
  - Red: TCP
  - Blue: SMB
- Operators have the ability to zoom, pan, drag and even delete nodes. Since each user has their own graph, this won't affect anyone else's view, so feel free to delete and move them as needed.
- Sometimes nodes will start out stacked on top of each other. The logic to space them out is custom written, and while it does OK, it will not be perfect.
Graph view of one HTTP implant with a bind connection to an offline TCP implant
The graph view does contain a bug where sometimes when items go out of focus and a user zooms, this will break the view. I have included a fixed copy of the Blazor.Diagrams script.js and script.min.js files in the client folder named GraphViewFix. Take those files, locate the NuGet package download, and overwrite the script files if this is an issue for you.