Tool introduction:
RedPeanut is a small RAT developed in .NET Core 2, with agents for .NET 3.5/4.0. RedPeanut code execution is based on shellcode generated by DonutCS, so it is a hybrid: although it is developed in .NET, it does not rely entirely on Assembly.Load.
C2 Channel
The tunnel loading process is as follows:
- The stager requests an agent id; the message is RC4-encrypted with the shared server key.
- The server decrypts the message, compiles and sends the agent, and generates and sends the KEY and IV used for AES encryption of subsequent communications; this message is RC4-encrypted.
- The stager decrypts the message and loads the agent via Assembly.Load.
- The agent sends a check-in message to the server; the message is AES-encrypted.
Profiles
The profile file configures the C2 and contains the following:
- General
  - Delay (between requests)
  - ContentUri (URL of dynamic content, e.g. dll, hta, etc.)
  - UserAgent
  - Spawn (the process to create to perform critical tasks)
  - HtmlCovered (enable covered channel)
  - TargetClass (class to search for image recovery)
- Http Get
  - ApiPath (comma-separated list of URLs, e.g. /news-list.jsp,/antani.php)
  - Server
    - Prepend
    - Append
    - Headers (name and value pairs for HTTP headers)
  - Client
    - Headers
- Http Post
  - ApiPath (comma-separated list of URLs, e.g. /news-list.jsp,/antani.php)
  - Param (the name of the POST request payload parameter)
  - Mask (format for interpreting the key-value pair, e.g. {0}={1}) (needs more work...)
  - Server
    - Prepend
    - Append
    - Headers (name and value pairs for HTTP headers)
  - Client
    - Headers
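As an added, defender-side example (not code from RedPeanut or from this article): a small Python check that flags clients whose HTTP request timing and path set match what a profile like the one above produces, namely a fixed Delay between requests to a short ApiPath list. The proxy-log format and every address, timestamp and path are constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy-log sample: "<epoch> <client_ip> <method> <path>".
# 10.0.0.5 mimics an agent with Delay=5 and two ApiPath entries; 10.0.0.7 is normal browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET /news-list.jsp
1700000005 10.0.0.5 GET /antani.php
1700000010 10.0.0.5 POST /news-list.jsp
1700000015 10.0.0.5 GET /antani.php
1700000020 10.0.0.5 GET /news-list.jsp
1700000025 10.0.0.5 POST /antani.php
1700000001 10.0.0.7 GET /index.html
1700000040 10.0.0.7 GET /about.html
1700000041 10.0.0.7 GET /style.css
1700000300 10.0.0.7 GET /contact.html
1700000900 10.0.0.7 GET /index.html
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")

def parse_log(text):
    """Yield (epoch, client, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(4)

def find_beacons(text, min_requests=5, max_jitter=0.2, max_paths=3):
    """Return {client: (median_interval, sorted_paths)} for clients with at least
    min_requests requests, request-interval spread within max_jitter of the median
    (a fixed Delay) and at most max_paths distinct paths (a short ApiPath list)."""
    by_client = defaultdict(list)
    for epoch, client, path in parse_log(text):
        by_client[client].append((epoch, path))
    hits = {}
    for client, reqs in by_client.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        if median <= 0:  # duplicate timestamps: no usable interval
            continue
        spread = (max(gaps) - min(gaps)) / median  # ~0 for a jitter-free Delay
        paths = sorted({p for _, p in reqs})
        if spread <= max_jitter and len(paths) <= max_paths:
            hits[client] = (median, paths)
    return hits
```

Real profiles can add jitter and longer ApiPath lists, so treat a hit as a lead to pair with the UserAgent and Prepend/Append body patterns, not as proof on its own.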
Domain Fronting
Included features:
- GhostPack
- SharpGPOAbuse
- SharpCOM
- EvilClippy
- DotNetToJS
- SharpWeb
- Modified version of PsExec
- SharpSploit
- TikiTorch
PowerShellExecuter
The PowerShellExecuter module lets us automatically bypass AMSI, logging, etc.
Loading methods
- Exe
- Dll
- PowerShell
- Hta (vbs,powershell)
- InstallUtil
- MSBuild
- MacroVba
Local modules
- EvilClippy
Client modules
- Upload
- DownLoad
- SharpWeb
- SharpWmi
- SharpUp
- UACBypass Token Duplication
- SharpDPAPIVaults
- SharpDPAPITriage
- SharpDPAPIRdg
- SharpDPAPIMasterKeys
- SharpDPAPIMachineVaults
- SharpDPAPIMachineTriage
- SharpDPAPIMachineMasterKeys
- SharpDPAPIMachineCredentials
- SharpDPAPICredentials
- SharpDPAPIBackupKey
- Seatbelt
- SafetyKatz
- RubeusTriage
- RubeusTgtDeleg
- RubeusS4U
- RubeusRenew
- RubeusPurge
- RubeusPtt
- RubeusMonitor
- RubeusKlist
- RubeusKerberoast
- RubeusHash
- RubeusHarvest
- RubeusDump
- RubeusDescribe
- RubeusCreateNetOnly
- RubeusChangePw
- RubeusASREPRoast
- RubeusAskTgt
- SharpCOM
- SharpGPOAddUserRights
- SharpGPOAddStartupScript
- SharpGPOAddLocalAdmin
- SharpGPOAddImmediateTask
- PowerShellExecuter
- LatteralMSBuild
- SharpPsExec
- SharpAdidnsdump
- PPIDAgent
- SpawnAsAgent
- SpawnShellcode
- SpawnAsShellcode
- SharpMiniDump
Persistence
- Autorun
- Startup
- WMI
- CRL
In addition, it includes features such as BlockDlls, direct system calls and dynamic DLL loading.
Tool installation
On Linux, run the following commands:
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg
mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/
wget -q https://packages.microsoft.com/config/debian/9/prod.list
mv prod.list /etc/apt/sources.list.d/microsoft-prod.list
chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg
chown root:root /etc/apt/sources.list.d/microsoft-prod.list
apt-get install apt-transport-https
apt-get update
apt-get install dotnet-sdk-2.1
git clone --recursive https://github.com/b4rtik/RedPeanut.git
apt-get install -y libgdiplus
Then on Windows run the following command:
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community>sn.exe -k 4096 key.snk
Then copy key.snk to Workspace/KeyFile
Run:
dotnet run
Then enter a password; the result below means it succeeded
Usage:
We can use the list command to view its contents
The main modules are launcher, c2, list and exit.
Let's look at the main C2 module
It mainly consists of agents, listener, opinion and back. Usage is simple: set up a listener and operate the agents.
Then configure it
Then return to the launcher
Then choose the one you like and configure it
After generating the exe, run it and you get a session
Windows Defender with cloud scanning: no reaction; 360 scan: killed
Session operations
After entering a session, use opinion to view the basic operations:
For example, listing directories and viewing users:
The main content is still its integrated C# modules, for example credential
Take safetykatz as an example:
After execution, an exe file is generated and then executed in the target machine's memory, without the file touching disk
The other modules are used in exactly the same way, so they are not demonstrated further here.
Summary:
As a newly released C2 tool, it is overall quite good. It does fairly well against foreign AV, and every launcher comes with its own AMSI bypass (which can be extracted for your own use), but it is less friendly toward domestic (Chinese) AV. Also, some of the modules may not be very well developed; they often give no response after execution. Still, its communication method, custom check-in, in-memory loading and so on are its strengths. That is a brief review of this tool.