Covenant C2 is a C2 framework written in .NET with a web-based GUI; the GitHub address is https://github.com/cobbr/Covenant
Installing this C2 manually is fairly involved, so the one-click Docker install is recommended. Because Covenant is written in .NET, it is easy to extend its functionality with .NET plugins, and since the official project has not been updated for a long time, this post shows the plugin approach. Whether .NET loading or BOF loading is better is a matter of personal preference.
As before, BRC4 is used as the model for the features being imitated (mainly because BRC4 updates frequently). Covenant uses YAML as its template format: writing the corresponding YAML file is all it takes to build and use a module (which the project calls a task).
- Author:
    Name:
    Handle: ''
    Link:
  Name:
  Aliases: []
  Description:
  Help: >-
  Language: CSharp
  CompatibleDotNetVersions:
  Code: >-
  Compiled: false
  TaskingType: Assembly
  ReferenceSourceLibraries: []
  ReferenceAssemblies:
  - Name:
    Location:
    DotNetVersion:
  EmbeddedResources: []
  UnsafeCompile: false
  TokenTask: false
  Options: []
The main parts are Code, which holds the actual implementation of your feature, and ReferenceAssemblies below it, which lists the DLLs that need to be referenced (anyone familiar with .NET will recognise this: the library DLLs the feature depends on, each tagged with its .NET version, i.e. .NET 3.5 or .NET 4.0). A publicly available task that lists a DLL's exports serves as the example here:
- Author:
    Name: Jann
    Handle: '@jannlemm0913'
    Link: https://avantguard.io
  Name: ListExports
  Aliases: []
  Description: List all the exports of a DLL loaded in the current process.
  Help: >-
    List all the exports of a DLL loaded in the current process using SharpSploit and DInvoke, walking the PEB of the module to find exported functions.
    Code was taken from the example in https://thewover.github.io/Dynamic-Invoke/.
  Language: CSharp
  CompatibleDotNetVersions:
  - Net35
  - Net40
  Code: >-
    using System;
    using System.Linq;
    using System.Diagnostics;
    using SharpSploit.Execution;
    using SharpSploit.Execution.Injection;
    using System.Runtime.InteropServices;
    using DInvoke = SharpSploit.Execution.DynamicInvoke;

    public static class Task
    {
        public static string Execute(string DllName)
        {
            string output = "";
            try
            {
                // Resolve the module base address by walking the PEB loader list.
                IntPtr ModuleBase = DInvoke.Generic.GetPebLdrModuleEntry(DllName);
                IntPtr FunctionPtr = IntPtr.Zero;
                try
                {
                    // e_lfanew gives the PE header offset; the optional header starts 0x18 bytes after it.
                    Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
                    Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
                    Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
                    Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
                    Int64 pExport = 0;
                    // The export directory entry is at 0x60 for PE32 (0x010b) and 0x70 for PE32+.
                    if (Magic == 0x010b)
                    {
                        pExport = OptHeader + 0x60;
                    }
                    else
                    {
                        pExport = OptHeader + 0x70;
                    }
                    Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
                    Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
                    Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
                    Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
                    Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
                    Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
                    Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
                    output += "Found " + NumberOfNames.ToString() + " exported functions in " + DllName + ":\n";
                    // Walk the name pointer table; each entry is an RVA to a NUL-terminated ANSI name.
                    for (int i = 0; i < NumberOfNames; i++)
                    {
                        string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
                        output += " - " + FunctionName + "\n";
                    }
                }
                catch
                {
                    throw new InvalidOperationException("Failed to parse module exports.");
                }
                return output;
            }
            catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; }
        }
    }
  Compiled: false
  TaskingType: Assembly
  ReferenceSourceLibraries:
  - Name: SharpSploit
    Description: SharpSploit is a library for C# post-exploitation modules.
    Location: SharpSploit/SharpSploit/
    Language: CSharp
    CompatibleDotNetVersions:
    - Net35
    - Net40
    ReferenceAssemblies:
    - &o4
      Name: System.dll
      Location: net40/System.dll
      DotNetVersion: Net40
    - Name: System.ServiceProcess.dll
      Location: net40/System.ServiceProcess.dll
      DotNetVersion: Net40
    - Name: System.ServiceProcess.dll
      Location: net35/System.ServiceProcess.dll
      DotNetVersion: Net35
    - Name: System.Windows.Forms.dll
      Location: net40/System.Windows.Forms.dll
      DotNetVersion: Net40
    - Name: System.Windows.Forms.dll
      Location: net35/System.Windows.Forms.dll
      DotNetVersion: Net35
    - Name: System.Management.Automation.dll
      Location: net40/System.Management.Automation.dll
      DotNetVersion: Net40
    - Name: System.Management.Automation.dll
      Location: net35/System.Management.Automation.dll
      DotNetVersion: Net35
    - Name: System.Management.dll
      Location: net40/System.Management.dll
      DotNetVersion: Net40
    - Name: System.Management.dll
      Location: net35/System.Management.dll
      DotNetVersion: Net35
    - Name: System.IdentityModel.dll
      Location: net40/System.IdentityModel.dll
      DotNetVersion: Net40
    - Name: System.IdentityModel.dll
      Location: net35/System.IdentityModel.dll
      DotNetVersion: Net35
    - Name: System.DirectoryServices.Protocols.dll
      Location: net40/System.DirectoryServices.Protocols.dll
      DotNetVersion: Net40
    - Name: System.DirectoryServices.Protocols.dll
      Location: net35/System.DirectoryServices.Protocols.dll
      DotNetVersion: Net35
    - Name: System.DirectoryServices.dll
      Location: net40/System.DirectoryServices.dll
      DotNetVersion: Net40
    - Name: System.DirectoryServices.dll
      Location: net35/System.DirectoryServices.dll
      DotNetVersion: Net35
    - &o3
      Name: System.Core.dll
      Location: net40/System.Core.dll
      DotNetVersion: Net40
    - &o0
      Name: System.Core.dll
      Location: net35/System.Core.dll
      DotNetVersion: Net35
    - &o2
      Name: mscorlib.dll
      Location: net35/mscorlib.dll
      DotNetVersion: Net35
    - &o5
      Name: mscorlib.dll
      Location: net40/mscorlib.dll
      DotNetVersion: Net40
    - &o1
      Name: System.dll
      Location: net35/System.dll
      DotNetVersion: Net35
    - Name: System.XML.dll
      Location: net35/System.XML.dll
      DotNetVersion: Net35
    - Name: System.XML.dll
      Location: net40/System.XML.dll
      DotNetVersion: Net40
    EmbeddedResources: []
  ReferenceAssemblies:
  - *o0
  - *o1
  - *o2
  - *o3
  - *o4
  - *o5
  EmbeddedResources: []
  UnsafeCompile: false
  TokenTask: false
  Options:
  - Name: DllName
    Value: amsi.dll
    DefaultValue: ''
    Description: Name of the DLL that exports are shown for.
    SuggestedValues: []
    Optional: false
    DisplayInCommand: true
    FileOption: false
  GruntTaskId: 107
That shows how the main parts of the template are written; the rest you can adapt freely to your own needs.
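As an added consistency check (not part of the original post or of Covenant itself), the script below takes a task definition in the shape of the YAML above and flags two mistakes that are easy to make when writing your own task: an Options list that does not line up with the parameters of Task.Execute, and a referenced assembly that is missing for one of the CompatibleDotNetVersions. It assumes, as the example's layout suggests, that option values are handed to Execute positionally, and it uses a dict literal standing in for yaml.safe_load() output so it runs without PyYAML.

```python
import re

# Constructed sample: the ListExports task above, reduced to the fields the checks
# need, as a dict literal so this runs without PyYAML installed.
LIST_EXPORTS_TASK = {
    "CompatibleDotNetVersions": ["Net35", "Net40"],
    "Code": "using System;\npublic static class Task\n{\n"
            "    public static string Execute(string DllName) { return DllName; }\n}\n",
    "ReferenceAssemblies": [
        {"Name": "System.dll", "Location": "net40/System.dll", "DotNetVersion": "Net40"},
        {"Name": "System.dll", "Location": "net35/System.dll", "DotNetVersion": "Net35"},
        {"Name": "mscorlib.dll", "Location": "net40/mscorlib.dll", "DotNetVersion": "Net40"},
        {"Name": "mscorlib.dll", "Location": "net35/mscorlib.dll", "DotNetVersion": "Net35"},
    ],
    "Options": [{"Name": "DllName", "Value": "amsi.dll"}],
}

# Entry point that the Grunt invokes after Covenant compiles the task.
EXECUTE_RE = re.compile(r"public\s+static\s+string\s+Execute\s*\(([^)]*)\)")

def execute_parameters(code):
    """Parameter names of Task.Execute in declaration order, or None if absent."""
    m = EXECUTE_RE.search(code)
    if m is None:
        return None
    params = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return [p.split()[-1] for p in params]  # drop the type, keep the name

def lint_task(task):
    """Return a list of consistency problems; an empty list means the task passes."""
    problems = []
    params = execute_parameters(task.get("Code", ""))
    if params is None:
        problems.append("Code has no 'public static string Execute(...)' entry point")
        params = []
    # Assumption: Options are passed to Execute positionally, so names and order must match.
    option_names = [o["Name"] for o in task.get("Options", [])]
    if params != option_names:
        problems.append(f"Execute parameters {params} do not match Options {option_names}")
    # Each assembly must be referenced for every .NET version the task claims to support.
    versions = task.get("CompatibleDotNetVersions", [])
    have = {}
    for ra in task.get("ReferenceAssemblies", []):
        have.setdefault(ra["Name"], set()).add(ra["DotNetVersion"])
    for name, found in have.items():
        missing = [v for v in versions if v not in found]
        if missing:
            problems.append(f"{name} has no reference for {missing}")
    return problems
```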
The second part introduces another C2, also written in .NET: HardHat C2, GitHub address https://github.com/DragoQCC/HardHatC2 Its overall architecture is as follows:
Its features cannot be covered in a short space, and the official documentation is very detailed, so anyone interested should go straight to the docs. Its overall completeness is on par with Havoc; those who are good at .NET but not C and need to modify a C2 may want to consider it: https://docs.hardhat-c2.net/documentation/hardhat-c2
Originally published on the WeChat public account 鸿鹄实验室: Covenant C2 enhancement and an introduction to HardHat C2