Covenant C2 Enhancement and an Introduction to HardHat C2

admin, 2023-04-06 11:11:43

Covenant C2 is a C2 framework written in .NET with a web-based GUI; GitHub address: https://github.com/cobbr/Covenant


Installing this C2 by hand is fairly involved, so the one-click Docker installation is recommended. Because Covenant is written in .NET, it is easy to extend with .NET plug-ins, and since upstream has not been updated for a long time, this post describes the plug-in method. Whether .NET assembly loading or BOF loading is the better approach is a matter of personal preference.

As before, BRC4 is used as the model for the functionality being imitated (mainly because BRC4 is updated frequently). Covenant uses YAML as its template format: writing the corresponding YAML file is all it takes to build and use a module (officially called a task).

- Author:
    Name:
    Handle: ''
    Link:
  Name:
  Aliases: []
  Description:
  Help: >-

  Language: CSharp
  CompatibleDotNetVersions:
  -
  -
  Code: >-

  Compiled: false
  TaskingType: Assembly
  ReferenceSourceLibraries: []
  ReferenceAssemblies:
  - Name:
    Location:
    DotNetVersion:
  EmbeddedResources: []
  UnsafeCompile: false
  TokenTask: false
  Options: []


The main parts are Code, i.e. the concrete implementation of your functionality, and the ReferenceAssemblies section below it, i.e. the DLLs that have to be referenced (anyone familiar with .NET knows this: the library DLLs your functionality needs, together with the framework version each one belongs to, i.e. .NET 3.5, .NET 4.0 and so on). The versions are independent of each other: Covenant compiles the task against the assemblies listed for the grunt's .NET version, so an assembly listed only under Net40 is not available when the task is built for a Net35 grunt. Here is a publicly available task that lists the exports of a DLL as an example:

- Author:
    Name: Jann
    Handle: '@jannlemm0913'
    Link: https://avantguard.io
  Name: ListExports
  Aliases: []
  Description: List all the exports of a DLL loaded in the current process.
  Help: >-
    List all the exports of a DLL loaded in the current process using SharpSploit and DInvoke, walking the PEB of the module to find exported functions.
    Code was taken from the example in https://thewover.github.io/Dynamic-Invoke/.
  Language: CSharp
  CompatibleDotNetVersions:
  - Net35
  - Net40
  Code: >-
    using System;
    using System.Linq;
    using System.Diagnostics;
    using SharpSploit.Execution;
    using SharpSploit.Execution.Injection;
    using System.Runtime.InteropServices;
    using DInvoke = SharpSploit.Execution.DynamicInvoke;

    public static class Task
    {
        public static string Execute(string DllName)
        {
            string output = "";
            try
            {
                // Resolve the module base by walking the PEB loader list instead of calling GetModuleHandle.
                IntPtr ModuleBase = DInvoke.Generic.GetPebLdrModuleEntry(DllName);
                IntPtr FunctionPtr = IntPtr.Zero;
                try
                {
                    // e_lfanew at 0x3C points to the PE signature; the optional header follows the 0x18-byte file header.
                    Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
                    Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
                    Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
                    Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
                    Int64 pExport = 0;
                    // The export data directory sits at 0x60 in a PE32 optional header and at 0x70 in PE32+.
                    if (Magic == 0x010b)
                    {
                        pExport = OptHeader + 0x60;
                    }
                    else
                    {
                        pExport = OptHeader + 0x70;
                    }
                    Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
                    // IMAGE_EXPORT_DIRECTORY fields: Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
                    Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
                    Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
                    Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
                    Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
                    Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
                    Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
                    output += "Found " + NumberOfNames.ToString() + " exported functions in " + DllName + ":\n";
                    for (int i = 0; i < NumberOfNames; i++)
                    {
                        // AddressOfNames is an array of RVAs to NUL-terminated ANSI export names.
                        string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
                        output += " - " + FunctionName + "\n";
                    }
                }
                catch
                {
                    throw new InvalidOperationException("Failed to parse module exports.");
                }
                return output;
            }
            catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; }
        }
    }
  Compiled: false
  TaskingType: Assembly
  ReferenceSourceLibraries:
  - Name: SharpSploit
    Description: SharpSploit is a library for C# post-exploitation modules.
    Location: SharpSploit/SharpSploit/
    Language: CSharp
    CompatibleDotNetVersions:
    - Net35
    - Net40
    ReferenceAssemblies:
    - &o4
      Name: System.dll
      Location: net40/System.dll
      DotNetVersion: Net40
    - Name: System.ServiceProcess.dll
      Location: net40/System.ServiceProcess.dll
      DotNetVersion: Net40
    - Name: System.ServiceProcess.dll
      Location: net35/System.ServiceProcess.dll
      DotNetVersion: Net35
    - Name: System.Windows.Forms.dll
      Location: net40/System.Windows.Forms.dll
      DotNetVersion: Net40
    - Name: System.Windows.Forms.dll
      Location: net35/System.Windows.Forms.dll
      DotNetVersion: Net35
    - Name: System.Management.Automation.dll
      Location: net40/System.Management.Automation.dll
      DotNetVersion: Net40
    - Name: System.Management.Automation.dll
      Location: net35/System.Management.Automation.dll
      DotNetVersion: Net35
    - Name: System.Management.dll
      Location: net40/System.Management.dll
      DotNetVersion: Net40
    - Name: System.Management.dll
      Location: net35/System.Management.dll
      DotNetVersion: Net35
    - Name: System.IdentityModel.dll
      Location: net40/System.IdentityModel.dll
      DotNetVersion: Net40
    - Name: System.IdentityModel.dll
      Location: net35/System.IdentityModel.dll
      DotNetVersion: Net35
    - Name: System.DirectoryServices.Protocols.dll
      Location: net40/System.DirectoryServices.Protocols.dll
      DotNetVersion: Net40
    - Name: System.DirectoryServices.Protocols.dll
      Location: net35/System.DirectoryServices.Protocols.dll
      DotNetVersion: Net35
    - Name: System.DirectoryServices.dll
      Location: net40/System.DirectoryServices.dll
      DotNetVersion: Net40
    - Name: System.DirectoryServices.dll
      Location: net35/System.DirectoryServices.dll
      DotNetVersion: Net35
    - &o3
      Name: System.Core.dll
      Location: net40/System.Core.dll
      DotNetVersion: Net40
    - &o0
      Name: System.Core.dll
      Location: net35/System.Core.dll
      DotNetVersion: Net35
    - &o2
      Name: mscorlib.dll
      Location: net35/mscorlib.dll
      DotNetVersion: Net35
    - &o5
      Name: mscorlib.dll
      Location: net40/mscorlib.dll
      DotNetVersion: Net40
    - &o1
      Name: System.dll
      Location: net35/System.dll
      DotNetVersion: Net35
    - Name: System.XML.dll
      Location: net35/System.XML.dll
      DotNetVersion: Net35
    - Name: System.XML.dll
      Location: net40/System.XML.dll
      DotNetVersion: Net40
    EmbeddedResources: []
  ReferenceAssemblies:
  - *o0
  - *o1
  - *o2
  - *o3
  - *o4
  - *o5
  EmbeddedResources: []
  UnsafeCompile: false
  TokenTask: false
  Options:
  - Name: DllName
    Value: amsi.dll
    DefaultValue: ''
    Description: Name of the DLL that exports are shown for.
    SuggestedValues: []
    Optional: false
    DisplayInCommand: true
    FileOption: false
    GruntTaskId: 107

That shows how the main parts of the template are written; the rest you can develop freely to fit your own needs.
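Before a hand-written task file goes into Covenant's task directory, it is worth checking the three things the template explanation above turns on: that the Options line up with the parameters of Task.Execute, that the Code block actually defines the Task class and entry point, and that every assembly referenced for one .NET version is also referenced for every other version in CompatibleDotNetVersions. The script below is an added example written for this post, not code from the article or from Covenant. It works on the mapping that yaml.safe_load (PyYAML, not shown) would return for a task file laid out like the ListExports task above; the positional mapping of Options onto Execute parameters, the NetCore31 version name and the sample tasks are assumptions made for the example.

```python
"""Consistency checks for a Covenant task YAML before it is dropped into Data/Tasks.

Added example for this post; not code from the original article or from Covenant.
Assumes the task layout the post's template shows: a list of task mappings with Name,
Language, CompatibleDotNetVersions, Code, TaskingType, ReferenceAssemblies (each with
Name/Location/DotNetVersion) and Options, whose Names are assumed to map in order onto
the parameters of Task.Execute(...). Loading the file with yaml.safe_load is left out.
"""
import re

# Net35/Net40 are the versions in the post's template; NetCore31 is an assumption.
KNOWN_VERSIONS = {"Net35", "Net40", "NetCore31"}
REQUIRED_KEYS = ("Name", "Language", "CompatibleDotNetVersions", "Code",
                 "TaskingType", "ReferenceAssemblies", "Options")
EXECUTE_RE = re.compile(r"public\s+static\s+string\s+Execute\s*\(([^)]*)\)")


def execute_params(code):
    """Parameter names of Task.Execute in declaration order, or None if it is absent."""
    match = EXECUTE_RE.search(code)
    if match is None:
        return None
    params = [p.strip() for p in match.group(1).split(",") if p.strip()]
    return [p.split()[-1] for p in params]


def check_task(task):
    """Return the list of problems found; an empty list means the task looks consistent."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in task]
    if problems:
        return problems
    if task["Language"] != "CSharp":
        problems.append(f"unsupported Language: {task['Language']}")
    versions = list(task["CompatibleDotNetVersions"])
    problems += [f"unknown DotNetVersion: {v}" for v in versions if v not in KNOWN_VERSIONS]

    code = task["Code"]
    if "class Task" not in code:
        problems.append("Code does not define a Task class")
    params = execute_params(code)
    if params is None:
        problems.append("Code has no 'public static string Execute(...)' entry point")
    else:
        names = [opt["Name"] for opt in task["Options"]]
        if names != params:
            problems.append(f"Options {names} do not match Execute parameters {params}")

    # An assembly referenced for one version must be referenced for every other
    # compatible version too, otherwise the build for that version lacks it.
    by_version = {}
    for ref in task["ReferenceAssemblies"]:
        by_version.setdefault(ref["DotNetVersion"], set()).add(ref["Name"])
    all_names = set().union(*by_version.values()) if by_version else set()
    for v in versions:
        missing = sorted(all_names - by_version.get(v, set()))
        if missing:
            problems.append(f"{v} lacks reference assemblies: {missing}")
    return problems


def check_tasks(doc):
    """Map task Name -> problems for a whole task file (a YAML list of tasks)."""
    return {task.get("Name", f"<unnamed #{i}>"): check_task(task) for i, task in enumerate(doc)}


# Constructed sample, shaped like the ListExports task above but with a stub body.
GOOD_TASK = {
    "Name": "ListExports",
    "Language": "CSharp",
    "CompatibleDotNetVersions": ["Net35", "Net40"],
    "Code": "public static class Task { public static string Execute(string DllName) { return DllName; } }",
    "TaskingType": "Assembly",
    "ReferenceAssemblies": [
        {"Name": "mscorlib.dll", "Location": "net35/mscorlib.dll", "DotNetVersion": "Net35"},
        {"Name": "mscorlib.dll", "Location": "net40/mscorlib.dll", "DotNetVersion": "Net40"},
        {"Name": "System.dll", "Location": "net35/System.dll", "DotNetVersion": "Net35"},
        {"Name": "System.dll", "Location": "net40/System.dll", "DotNetVersion": "Net40"},
    ],
    "Options": [{"Name": "DllName", "Value": "amsi.dll", "Optional": False}],
}

# Constructed copy with two typical mistakes: System.Core.dll only for Net40, option renamed.
BAD_TASK = dict(GOOD_TASK, Name="ListExportsBroken",
                ReferenceAssemblies=GOOD_TASK["ReferenceAssemblies"] + [
                    {"Name": "System.Core.dll", "Location": "net40/System.Core.dll", "DotNetVersion": "Net40"},
                ],
                Options=[{"Name": "Dll", "Value": "amsi.dll", "Optional": False}])

if __name__ == "__main__":
    for name, problems in check_tasks([GOOD_TASK, BAD_TASK]).items():
        print(name, "OK" if not problems else problems)
```

Run it against the parsed task list of a real file and fix every reported problem before restarting Covenant; the Net35/Net40 asymmetry in particular only shows up at task-compile time for a grunt of the version that lacks the assembly, which is an awkward moment to find it.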


The second part introduces another C2, also written in .NET: HardHat C2, GitHub address https://github.com/DragoQCC/HardHatC2 . Its overall architecture is shown in the project's architecture diagram (image not reproduced in this text).

Its individual features cannot be covered in a short space, and the official documentation is very detailed, so anyone interested should go straight to the docs. Its overall completeness is on a par with Havoc; anyone who is strong in .NET but not in C and needs to modify a C2 could consider it: https://docs.hardhat-c2.net/documentation/hardhat-c2


Originally published on the WeChat public account 鸿鹄实验室: Covenant C2增强及HardHat C2介绍

Reposted by CN-SEC 中文网 (with thanks to the original author); original link: http://cn-sec.com/archives/1655968.html
