Red Team Obfuscation Tool: OffensivePipeline

admin, 2024-06-20 19:54:44

OffensivePipeline


OffensivePipeline lets you download and build C# tools, applying certain modifications to improve their evasion during red team exercises.
A typical OffensivePipeline run downloads a tool from a Git repository, randomizes certain values in the project, builds it, obfuscates the resulting binary and generates shellcode from it.

Features

  • Currently supports only C# (.NET Framework) projects
  • Allows cloning public and private (credentials required :D) git repositories
  • Allows using local folders
  • Randomizes the project GUIDs
  • Randomizes the application information contained in AssemblyInfo
  • Builds C# projects
  • Obfuscates the generated binaries
  • Generates shellcode from the binaries
  • 79 tools parameterized in YML templates (not all tools work :D)
  • New tools can be added with YML templates
  • Adding new plugins should be easy...

What's new in version 2.0

  • Almost complete code rewrite (new bugs?)
  • Can clone from private repositories (authenticated with a GitHub authToken)
  • Can copy a local folder instead of cloning from a remote repository
  • New module for generating shellcode: Donut
  • New module for randomizing the application GUID
  • New module for randomizing each application's AssemblyInfo
  • 60 new tools added

Examples

  • List all tools:
    OffensivePipeline.exe list
  • Build all tools:
    OffensivePipeline.exe all
  • Build one tool:
    OffensivePipeline.exe t toolName
  • Clean cloned and built tools:
    OffensivePipeline.exe

Output example

PS C:\OffensivePipeline> .\OffensivePipeline.exe t rubeus
[ASCII-art banner: OffensivePipeline by @aetsu, v2.0.0]
[+] Loading tool: Rubeus
    Clonnig repository: Rubeus into C:\OffensivePipeline\Git\Rubeus
        Repository Rubeus cloned into C:\OffensivePipeline\Git\Rubeus
    [+] Load RandomGuid module
        Searching GUIDs...
            > C:\OffensivePipeline\Git\Rubeus\Rubeus.sln
            > C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj
            > C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
        Replacing GUIDs...
            File C:\OffensivePipeline\Git\Rubeus\Rubeus.sln:
                > Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
                > Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
                > Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
            [+] No errors!
            File C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj:
                > Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
                > Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
                > Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
            [+] No errors!
            File C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs:
                > Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
                > Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
                > Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
            [+] No errors!
    [+] Load RandomAssemblyInfo module
        Replacing strings in C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
            [assembly: AssemblyTitle("Rubeus")] -> [assembly: AssemblyTitle("g4ef3fvphre")]
            [assembly: AssemblyDescription("")] -> [assembly: AssemblyDescription("")]
            [assembly: AssemblyConfiguration("")] -> [assembly: AssemblyConfiguration("")]
            [assembly: AssemblyCompany("")] -> [assembly: AssemblyCompany("")]
            [assembly: AssemblyProduct("Rubeus")] -> [assembly: AssemblyProduct("g4ef3fvphre")]
            [assembly: AssemblyCopyright("Copyright ©  2018")] -> [assembly: AssemblyCopyright("Copyright ©  2018")]
            [assembly: AssemblyTrademark("")] -> [assembly: AssemblyTrademark("")]
            [assembly: AssemblyCulture("")] -> [assembly: AssemblyCulture("")]
    [+] Load BuildCsharp module
        [+] Checking requirements...
        [*] Downloading nuget.exe from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
            [+] Download OK - nuget.exe
            [+] Path found - C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat
        Solving dependences with nuget...
        Building solution...
            [+] No errors!
            [+] Output folder: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud
    [+] Load ConfuserEx module
        [+] Checking requirements...
        [+] Downloading ConfuserEx from https://github.com/mkaring/ConfuserEx/releases/download/v1.6.0/ConfuserEx-CLI.zip
            [+] Download OK - ConfuserEx
        Confusing...
            [+] No errors!
    [+] Load Donut module
        Generating shellcode...
Payload options:
        Domain: RMM6XFC3
        Runtime:v4.0.30319
Raw Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin
B64 Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin.b64
            [+] No errors!
    [+] Generating Sha256 hashes
        Output file: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud
-----------------------------------------------------------------
        SUMMARY - Rubeus
         - RandomGuid: OK
         - RandomAssemblyInfo: OK
         - BuildCsharp: OK
         - ConfuserEx: OK
         - Donut: OK
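The following Python script is an added defender-side example, not code from the original post or from the OffensivePipeline project: it looks for the traces the RandomGuid and RandomAssemblyInfo modules leave in a project tree, using the GUID mapping and AssemblyInfo rewrites shown in the output above. The sample AssemblyInfo.cs and .sln fragments are constructed, and the randomness heuristic is an assumption tuned to the tokens in that output.

```python
import re

# Constructed samples modelled on the AssemblyInfo.cs and .sln lines that appear in the
# RandomAssemblyInfo / RandomGuid output above (assumed fragments, not project files).
ORIGINAL_ASSEMBLY_INFO = """
[assembly: AssemblyTitle("Rubeus")]
[assembly: AssemblyProduct("Rubeus")]
[assembly: AssemblyCopyright("Copyright ©  2018")]
[assembly: ComVisible(false)]
[assembly: Guid("658c8b7f-3664-4a95-9572-a3e5871dfc06")]
"""
REWRITTEN_ASSEMBLY_INFO = ORIGINAL_ASSEMBLY_INFO.replace('"Rubeus"', '"g4ef3fvphre"').replace(
    "658c8b7f-3664-4a95-9572-a3e5871dfc06", "11e0084e-937f-46d7-83b5-38a496bf278a")
ORIGINAL_SLN = ('Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Rubeus", '
                '"Rubeus\\Rubeus.csproj", "{658C8B7F-3664-4A95-9572-A3E5871DFC06}"')
REWRITTEN_SLN = ORIGINAL_SLN.replace("FAE04EC0-301F-11D3-BF4B-00C04F79EFBC",
                                     "619876c2-5a8b-4c48-93c3-f87ca520ac5e")

# Well-known Visual Studio project-type GUID for C# projects; it is one of the
# GUIDs the RandomGuid module rewrites in the .sln shown above.
CSHARP_PROJECT_TYPE_GUID = "fae04ec0-301f-11d3-bf4b-00c04f79efbc"
ATTR_RE = re.compile(r'\[assembly:\s*(\w+)\("([^"]*)"\)\]')
PROJECT_RE = re.compile(r'Project\("\{([0-9A-Fa-f-]{36})\}"\)')


def looks_randomized(value):
    """Heuristic (an assumption tuned to tokens such as "g4ef3fvphre" and "vh00nc50xud"):
    lowercase alphanumeric, digits interleaved with letters, almost no vowels."""
    if len(value) < 8 or not value.isalnum() or not value.islower():
        return False
    digits = sum(c.isdigit() for c in value)
    letters = len(value) - digits
    if digits == 0 or letters == 0:
        return False
    transitions = sum(1 for a, b in zip(value, value[1:]) if a.isdigit() != b.isdigit())
    vowel_ratio = sum(c in "aeiou" for c in value) / letters
    return transitions >= 2 and vowel_ratio < 0.3


def parse_assembly_info(text):
    """Map string-valued [assembly: X("...")] attributes to their values."""
    return dict(ATTR_RE.findall(text))


def audit_assembly_info(text):
    """Return findings matching the traces the RandomAssemblyInfo module leaves."""
    attrs = parse_assembly_info(text)
    findings = []
    for name in ("AssemblyTitle", "AssemblyProduct"):
        if looks_randomized(attrs.get(name, "")):
            findings.append("%s looks machine-generated: %r" % (name, attrs[name]))
    title = attrs.get("AssemblyTitle")
    # The module writes the same random token into both attributes.
    if title and title == attrs.get("AssemblyProduct") and looks_randomized(title):
        findings.append("AssemblyTitle and AssemblyProduct share one random token")
    # AssemblyCopyright is copied through unchanged, so the original year survives.
    copyright_ = attrs.get("AssemblyCopyright", "")
    if findings and re.search(r"\d{4}", copyright_):
        findings.append("AssemblyCopyright left intact: %r" % copyright_)
    return findings


def audit_solution(sln_text):
    """Flag a solution whose Project() lines no longer use the C# project-type GUID."""
    type_guids = {g.lower() for g in PROJECT_RE.findall(sln_text)}
    if type_guids and CSHARP_PROJECT_TYPE_GUID not in type_guids:
        return ["no Project() line uses the C# project-type GUID; found %s" % sorted(type_guids)]
    return []


if __name__ == "__main__":
    print(audit_assembly_info(REWRITTEN_ASSEMBLY_INFO))
    print(audit_solution(REWRITTEN_SLN))
```

The same attribute values end up in the compiled assembly's metadata, so the AssemblyInfo checks can be applied to strings pulled from a binary as well as to source.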

Supported tools

  • ADCollector:
    • Description: ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors.
    • Link: https://github.com/dev-2null/ADCollector
  • ADCSPwn:
    • Description: A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts (Petitpotam) and relaying to the certificate service.
    • Link: https://github.com/bats3c/ADCSPwn
  • ADFSDump:
    • Description: A C# tool to dump all sorts of goodies from AD FS
    • Link: https://github.com/mandiant/ADFSDump
  • ADSearch:
    • Description: A tool written for cobalt-strike's execute-assembly command that allows for more efficient querying of AD.
    • Link: https://github.com/tomcarver16/ADSearch
  • BetterSafetyKatz:
    • Description: This modified fork of SafetyKatz dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, runtime patching on detected signatures and uses SharpSploit DInvoke to get it into memory.
    • Link: https://github.com/Flangvik/BetterSafetyKatz
  • Certify:
    • Description: Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
    • Link: https://github.com/GhostPack/Certify
  • DeployPrinterNightmare:
    • Description: C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
    • Link: https://github.com/Flangvik/DeployPrinterNightmare
  • EDD:
    • Description: Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
    • Link: https://github.com/FortyNorthSecurity/EDD
  • ForgeCert:
    • Description: C# tool to find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
    • Link: https://github.com/GhostPack/ForgeCert
  • Group3r:
    • Description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
    • Link: https://github.com/Group3r/Group3r
  • KrbRelay:
    • Description: C# Framework for Kerberos relaying
    • Link: https://github.com/cube0x0/KrbRelay
  • KrbRelayUp:
    • Description: Simple wrapper around some of the features of Rubeus and KrbRelay
    • Link: https://github.com/Dec0ne/KrbRelayUp
  • LockLess:
    • Description: LockLess is a C# tool that allows for the enumeration of open file handles and the copying of locked files.
    • Link: https://github.com/GhostPack/LockLess
  • PassTheCert:
    • Description: A small Proof-of-Concept tool that allows authenticating against an LDAP/S server with a certificate to perform different attack actions
    • Link: https://github.com/AlmondOffSec/PassTheCert
  • PurpleSharp:
    • Description: PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments
    • Link: https://github.com/mvelazc0/PurpleSharp
  • Rubeus:
    • Description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
    • Link: https://github.com/GhostPack/Rubeus
  • SafetyKatz:
    • Description: SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
    • Link: https://github.com/GhostPack/SafetyKatz
  • SauronEye:
    • Description: SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
    • Link: https://github.com/vivami/SauronEye
  • SearchOutlook:
    • Description: A C# tool to search through a running instance of Outlook for keywords
    • Link: https://github.com/RedLectroid/SearchOutlook
  • Seatbelt:
    • Description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
    • Link: https://github.com/GhostPack/Seatbelt
  • Sharp-SMBExec:
    • Description: A native C# conversion of Kevin Robertson's Invoke-SMBExec PowerShell script
    • Link: https://github.com/checkymander/Sharp-SMBExec
  • SharpAppLocker:
    • Description: C# port of the Get-AppLockerPolicy PowerShell cmdlet with extended features.
    • Link: https://github.com/Flangvik/SharpAppLocker
  • SharpBypassUAC:
    • Description: C# tool for UAC bypasses
    • Link: https://github.com/FatRodzianko/SharpBypassUAC
  • SharpChisel:
    • Description: C# Wrapper of Chisel from https://github.com/jpillora/chisel
    • Link: https://github.com/shantanu561993/SharpChisel
  • SharpChromium:
    • Description: SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract
    • Link: https://github.com/djhohnstein/SharpChromium
  • SharpCloud:
    • Description: SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
    • Link: https://github.com/chrismaddalena/SharpCloud
  • SharpCOM:
    • Description: SharpCOM is a c# port of Invoke-DCOM
    • Link: https://github.com/rvrsh3ll/SharpCOM
  • SharpCookieMonster:
    • Description: This is a Sharp port of @defaultnamehere's cookie-crimes module - full credit for their awesome work!
    • Link: https://github.com/m0rv4i/SharpCookieMonster
  • SharpCrashEventLog:
    • Description: Crashes the Windows eventlog service locally or remotely using OpenEventLogA/ElfClearEventLogFileW.
    • Link: https://github.com/slyd0g/SharpCrashEventLog
  • SharpDir:
    • Description: SharpDir is a simple code set to search both local and remote file systems for files using the same SMB process as dir.exe, which uses TCP port 445
    • Link: https://github.com/jnqpblc/SharpDir
  • SharpDPAPI:
    • Description: SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
    • Link: https://github.com/GhostPack/SharpDPAPI
  • SharpDump:
    • Description: SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality
    • Link: https://github.com/GhostPack/SharpDump
  • SharpEDRChecker:
    • Description: Checks running processes, process metadata, Dlls loaded into your current process and each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
    • Link: https://github.com/PwnDexter/SharpEDRChecker
  • SharPersist:
    • Description: Windows persistence toolkit written in C#
    • Link: https://github.com/mandiant/SharPersist
  • SharpExec:
    • Description: SharpExec is an offensive security C# tool designed to aid with lateral movement.
    • Link: https://github.com/anthemtotheego/SharpExec
  • SharpGPOAbuse:
    • Description: SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
    • Link: https://github.com/FSecureLABS/SharpGPOAbuse
  • SharpHandler:
    • Description: This project reuses open handles to lsass to parse or minidump lsass, therefore you don't need to use your own lsass handle to interact with it. (Dinvoke-version)
    • Link: https://github.com/jfmaes/SharpHandler
  • SharpHose:
    • Description: SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike's execute-assembly.
    • Link: https://github.com/ustayready/SharpHose
  • SharpHound3:
    • Description: C# Rewrite of the BloodHound Ingestor
    • Link: https://github.com/BloodHoundAD/SharpHound3
  • SharpKatz:
    • Description: Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
    • Link: https://github.com/b4rtik/SharpKatz
  • SharpLAPS:
    • Description: This executable is made to be executed within Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from the Active Directory.
    • Link: https://github.com/swisskyrepo/SharpLAPS
  • SharpMapExec:
    • Description: Sharpen version of CrackMapExec
    • Link: https://github.com/cube0x0/SharpMapExec
  • SharpMiniDump:
    • Description: Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
    • Link: https://github.com/b4rtik/SharpMiniDump
  • SharpMove:
    • Description: .NET authenticated execution for remote hosts
    • Link: https://github.com/0xthirteen/SharpMove
  • SharpNamedPipePTH:
    • Description: This project is a C# tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this.
    • Link: https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH
  • SharpNoPSExec:
    • Description: Fileless command execution for lateral movement.
    • Link: https://github.com/juliourena/SharpNoPSExec
  • SharpPrinter:
    • Description: Printer is a modified and console version of ListNetworks
    • Link: https://github.com/rvrsh3ll/SharpPrinter
  • SharpRDP:
    • Description: Remote Desktop Protocol Console Application for Authenticated Command Execution
    • Link: https://github.com/0xthirteen/SharpRDP
  • SharpReg:
    • Description: SharpReg is a simple code set to interact with the Remote Registry service API using the same SMB process as reg.exe, which uses TCP port 445
    • Link: https://github.com/jnqpblc/SharpReg
  • SharpSCCM:
    • Description: SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.
    • Link: https://github.com/Mayyhem/SharpSCCM
  • SharpScribbles:
    • Description: Extracts data from the Windows Sticky Notes database. Works on Windows 10 Build 1607 and higher. This
    • Link: https://github.com/V1V1/SharpScribbles
  • SharpSearch:
    • Description: Project to quickly filter through a file share for targeted files for desired information.
    • Link: https://github.com/djhohnstein/SharpSearch
  • SharpSecDump:
    • Description: .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
    • Link: https://github.com/G0ldenGunSec/SharpSecDump
  • SharpShares:
    • Description: Quick and dirty binary to list network share information from all machines in the current domain and if they're readable.
    • Link: https://github.com/djhohnstein/SharpShares
  • SharpSniper:
    • Description: SharpSniper is a simple tool to find the IP address of these users so that you can target their box.
    • Link: https://github.com/HunnicCyber/SharpSniper
  • SharpSphere:
    • Description: SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter
    • Link: https://github.com/JamesCooteUK/SharpSphere
  • SharpSpray:
    • Description: SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
    • Link: https://github.com/jnqpblc/SharpSpray
  • SharpSQLPwn:
    • Description: C# tool to identify and exploit weaknesses with MSSQL instances in Active Directory environments
    • Link: https://github.com/lefayjey/SharpSQLPwn
  • SharpStay:
    • Description: .NET Persistence
    • Link: https://github.com/0xthirteen/SharpStay
  • SharpSvc:
    • Description: SharpSvc is a simple code set to interact with the SC Manager API using the same DCERPC process as sc.exe, which opens with TCP port 135 and is followed by the use of an ephemeral TCP port
    • Link: https://github.com/jnqpblc/SharpSvc
  • SharpTask:
    • Description: SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCERPC process as schtasks.exe, which opens with TCP port 135 and is followed by the use of an ephemeral TCP port.
    • Link: https://github.com/jnqpblc/SharpTask
  • SharpUp:
    • Description: SharpUp is a C# port of various PowerUp functionality
    • Link: https://github.com/GhostPack/SharpUp
  • SharpView:
    • Description: .NET port of PowerView
    • Link: https://github.com/tevora-threat/SharpView
  • SharpWebServer:
    • Description: Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes
    • Link: https://github.com/mgeeky/SharpWebServer
  • SharpWifiGrabber:
    • Description: Retrieves in clear-text the Wi-Fi Passwords from all WLAN Profiles saved on a workstation
    • Link: https://github.com/r3nhat/SharpWifiGrabber
  • SharpWMI:
    • Description: SharpWMI is a C# implementation of various WMI functionality.
    • Link: https://github.com/GhostPack/SharpWMI
  • SharpZeroLogon:
    • Description: An exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass.
    • Link: https://github.com/nccgroup/nccfsas
  • Shhmon:
    • Description: While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events.
    • Link: https://github.com/matterpreter/Shhmon
  • Snaffler:
    • Description: Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
    • Link: https://github.com/SnaffCon/Snaffler
  • SqlClient:
    • Description: C# .NET mssql client for accessing database data through beacon.
    • Link: https://github.com/FortyNorthSecurity/SqlClient
  • StandIn:
    • Description: StandIn is a small AD post-compromise toolkit
    • Link: https://github.com/FuzzySecurity/StandIn
  • SweetPotato:
    • Description: A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM
    • Link: https://github.com/CCob/SweetPotato
  • ThreatCheck:
    • Description: Modified version of Matterpreter's DefenderCheck
    • Link: https://github.com/rasta-mouse/ThreatCheck
  • TokenStomp:
    • Description: C# POC for the token privilege removal flaw reported
    • Link: https://github.com/MartinIngesen/TokenStomp
  • TruffleSnout:
    • Description: Iterative AD discovery toolkit for offensive operators
    • Link: https://github.com/dsnezhkov/TruffleSnout
  • Watson:
    • Description: Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
    • Link: https://github.com/rasta-mouse/Watson
  • Whisker:
    • Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.
    • Link: https://github.com/eladshamir/Whisker
  • winPEAS:
    • Description: Privilege Escalation Awesome Scripts SUITE
    • Link: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
  • WMIReg:
    • Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.
    • Link: https://github.com/airzero24/WMIReg

Project address

https://github.com/Aetsu/OffensivePipeline

Originally published by the WeChat public account StudySec as "红队混淆工具--OffensivePipeline" (Red Team Obfuscation Tool: OffensivePipeline).

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear all legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by email (a corporate or otherwise valid mailbox is recommended so that the mail is not blocked; contact details are on the home page).
  • Please keep this link when reprinting (CN-SEC Chinese site; thanks to the original author for their hard work):
    红队混淆工具OffensivePipeline https://cn-sec.com/archives/2847229.html
