GhostPack Seatbelt Situational Awareness Tool

admin, 15 November 2024, 09:59:52

Tool overview

Carseat is a Python implementation of Seatbelt. It contains every Seatbelt module that supports remote execution (technically, all modules minus one). As with Seatbelt, you will most likely need privileged access on the target host to run any of the modules.
https://github.com/GhostPack/Seatbelt/
Installation and usage

The only non-standard Python libraries used are impacket and pefile, so you can install them individually or via the requirements.txt file.
pip3 install -r requirements.txt

Run a single command

python CarSeat.py domain/user:password@10.10.10.10 AntiVirus

Run several commands at once

python CarSeat.py domain/user:password@10.10.10.10 AntiVirus,UAC,ScheduledTasks

Run a command group

python CarSeat.py -group remote domain/user:password@10.10.10.10 InterestingProcesses

Run a command with an argument

python CarSeat.py -group remote domain/user:password@10.10.10.10 ExplicitLogonEvents 10

Like the other impacket tools, CarSeat accepts a password, a hash, or a Kerberos ticket for authentication.

python CarSeat.py -hashes :8846F7EAEE8FB117AD06BDD830B7586C -no-pass domain/user:@10.10.10.10 WSUS

or

export KRB5CCNAME=admin_tgt.ccache
python CarSeat.py -k -no-pass domain/user:@10.10.10.10 WindowsFirewall

The groups are the same as Seatbelt's; the only difference is that -group remote runs every module, because all of them are considered remote modules.
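As an added example (not Carseat's or impacket's own code), a small Python checker for the impacket-style target string and the -hashes/-no-pass forms used in the commands above. Assumptions: its regular expression mirrors the one impacket's parse_target() uses, and KNOWN_MODULES is a constructed subset of the Seatbelt command list on this page, used only to catch typos.

```python
"""Validate a CarSeat/impacket-style command line before running it.

Added example, not code from Carseat or impacket. TARGET_RE mirrors the
regular expression impacket's examples/utils.py parse_target() uses
(assumption about current impacket behaviour). KNOWN_MODULES is a
constructed subset of the command list on this page.
"""
import re
from typing import Dict, List, Optional

# domain/user:password@host -- everything before '@' is optional, so a bare
# host is accepted and 'domain/user:@host' yields an empty password (the form
# the -hashes and -k examples use together with -no-pass).
TARGET_RE = re.compile(r"(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)")

# Constructed subset of the Seatbelt module names listed on this page.
KNOWN_MODULES = {"AntiVirus", "UAC", "ScheduledTasks", "WSUS", "WindowsFirewall",
                 "ExplicitLogonEvents", "InterestingProcesses"}


def parse_target(target: str) -> Dict[str, str]:
    """Split 'domain/user:password@host' into its four components ('' if absent)."""
    domain, user, password, host = TARGET_RE.match(target).groups("")
    return {"domain": domain, "user": user, "password": password, "host": host}


def check_invocation(target: str, modules: str, no_pass: bool = False,
                     hashes: Optional[str] = None) -> List[str]:
    """Return the problems found in a CarSeat invocation (empty list == OK)."""
    t = parse_target(target)
    problems = []
    if not t["host"]:
        problems.append("missing target host")
    if not t["user"]:
        problems.append("missing username")
    if not t["password"] and not no_pass:
        problems.append("empty password: supply one or use -no-pass with -hashes/-k")
    # impacket expects LMHASH:NTHASH; the LM half may be left empty (':NTHASH').
    if hashes is not None and not re.fullmatch(r"(?:[0-9a-fA-F]{32})?:[0-9a-fA-F]{32}", hashes):
        problems.append("-hashes must be LMHASH:NTHASH (32 hex chars each, LM optional)")
    for name in modules.split(","):
        if name not in KNOWN_MODULES:
            problems.append(f"unknown module: {name}")
    return problems
```

Note that, like impacket, the parser splits on the last '@' only within the user:password part, so a password containing '@' is not handled by this syntax.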

Available commands:
  + AMSIProviders          - Providers registered for AMSI
  + AntiVirus              - Registered antivirus (via WMI)
  + AppLocker              - AppLocker settings, if installed
  + AuditPolicyRegistry    - Audit settings via the registry
  + AutoRuns               - Auto run executables/scripts/programs
  + ChromiumBookmarks      - Parses any found Chrome/Edge/Brave/Opera bookmark files
  + ChromiumHistory        - Parses any found Chrome/Edge/Brave/Opera history files
  + ChromiumPresence       - Checks if interesting Chrome/Edge/Brave/Opera files exist
  + CloudCredentials       - AWS/Google/Azure/Bluemix cloud credential files
  + CloudSyncProviders     - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
  + CredGuard              - CredentialGuard configuration
  + DNSCache               - DNS cache entries (via WMI)
  + DotNet                 - DotNet versions
  + DpapiMasterKeys        - List DPAPI master keys
  + EnvironmentVariables   - Current environment variables
  + ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
  + ExplorerRunCommands    - Recent Explorer "run" commands
  + FileZilla              - FileZilla configuration files
  + FirefoxHistory         - Parses any found FireFox history files
  + FirefoxPresence        - Checks if interesting Firefox files exist
  + Hotfixes               - Installed hotfixes (via WMI)
  + IEFavorites            - Internet Explorer favorites
  + IEUrls                 - Internet Explorer typed URLs (last 7 days, argument == last X days)
  + InstalledProducts      - Installed products via the registry
  + InterestingProcesses   - "Interesting" processes - defensive products and admin tools
  + KeePass                - Finds KeePass configuration files
  + LAPS                   - LAPS settings, if installed
  + LastShutdown           - Returns the DateTime of the last system shutdown (via the registry).
  + LocalGroups            - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
  + LocalUsers             - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
  + LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
  + LogonSessions          - Windows logon sessions
  + LSASettings            - LSA settings (including auth packages)
  + MappedDrives           - Users' mapped drives (via WMI)
  + NetworkProfiles        - Windows network profiles
  + NetworkShares          - Network shares exposed by the machine (via WMI)
  + NTLMSettings           - NTLM authentication settings
  + OptionalFeatures       - List Optional Features/Roles (via WMI)
  + OSInfo                 - Basic OS info (i.e. architecture, OS version, etc.)
  + OutlookDownloads       - List files downloaded by Outlook
  + PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
  + PowerShell             - PowerShell versions and security settings
  + PowerShellEvents       - PowerShell script block logs (4104) with sensitive data.
  + PowerShellHistory      - Searches PowerShell console history files for sensitive regex matches.
  + ProcessCreationEvents  - Process creation logs (4688) with sensitive data.
  + ProcessOwners          - Running non-session 0 process list with owners. For remote use.
  + PSSessionSettings      - Enumerates PS Session Settings from the registry
  + PuttyHostKeys          - Saved Putty SSH host keys
  + PuttySessions          - Saved Putty configuration (interesting fields) and SSH host keys
  + RDPSavedConnections    - Saved RDP connections stored in the registry
  + RDPsettings            - Remote Desktop Server/Client Settings
  + SCCM                   - System Center Configuration Manager (SCCM) settings, if applicable
  + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
  + SecureBoot             - Secure Boot configuration
  + SlackDownloads         - Parses any found 'slack-downloads' files
  + SlackPresence          - Checks if interesting Slack files exist
  + SlackWorkspaces        - Parses any found 'slack-workspaces' files
  + SuperPutty             - SuperPutty configuration files
  + Sysmon                 - Sysmon configuration from the registry
  + SysmonEvents           - Sysmon process creation logs (1) with sensitive data.
  + UAC                    - UAC system policies via the registry
  + WindowsAutoLogon       - Registry autologon information
  + WindowsDefender        - Windows Defender settings (including exclusion locations)
  + WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
  + WindowsFirewall        - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
  + WMI                    - Runs a specified WMI query
  + WSUS                   - Windows Server Update Services (WSUS) settings, if applicable

Note: Command names and descriptions are from Seatbelt's README.
Download

https://github.com/0xthirteen/Carseat

Originally published on the WeChat public account Hack分享吧: GhostPack Seatbelt Situational Awareness Tool

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).

Source: CN-SEC, http://cn-sec.com/archives/3396553.html (please keep this link when reposting).