當前位置：首頁 > 运维知识 > windows >内容正文

windows

Havoc插件编写

發(fā)布時間：2024/1/8 windows 35 coder

生活随笔收集整理的這篇文章主要介紹了 Havoc插件编写小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

配置文件的webhook支持discord，所以嘗試使用釘釘和企業(yè)微信。

WebHook {
	Discord {
		Url = ""
		AvatarUrl = ""
		User = "announcer"
	}
}

服務端中判斷如果配置了webhook會在自身添加agent之前就轉(zhuǎn)發(fā)給discord了。

func (t *Teamserver) AgentAdd(Agent *agent.Agent) []*agent.Agent {
	if Agent != nil {
		if t.WebHooks != nil {
			t.WebHooks.NewAgent(Agent.ToMap())
		}
	}
...
}

可以看到在上線時，server的控制臺上會有上線的信息。

借鑒一個老哥的做法：起個子程序來開服務端，同時監(jiān)聽并捕獲這個信息：

    process = subprocess.Popen(['./havoc', 'server', '--profile', './profiles/havoc.yaotl', '-v', '--debug'],
                               stdout=subprocess.PIPE, 
                               stderr=subprocess.STDOUT,
                               text=True)
  
    capture = False

// 獲取到前四行即可
        if "[DBUG] [agent.ParseDemonRegisterRequest:382]" in line:
            capture = True
            captured_text = ""
            line_count = 0
            continue

        if capture:
            if line_count < 5:  
                captured_text += line + '\n'
                line_count += 1
            else: # 
                send_messages('New connection!\n'+captured_text.strip())
                capture = False

然后根據(jù)官方文檔發(fā)送text類型的消息，markdown可以但是在微信中不能正常顯示。

上面是markdown下面是text文本，代碼也上傳了：gayhub

????

但這樣并不是很好，而翻官方文檔，里面有提供對客戶端api的詳細說明，主要涉及到havoc和havocui這兩個。

對于ui可以直接在客戶端的console中嘗試他的效果：

像獲取demons的數(shù)量可以用havoc.GetDemons()?

文檔中介紹了一些比較常用的api，在\client\src\Havoc\PythonApi?有更多的調(diào)用方向，比如下面的：

PyMemberDef PyDemonClass_members[] = {

        { "Listener",       T_STRING, offsetof( PyDemonClass, Listener ),    0, "Listener name" },
        { "DemonID",        T_STRING, offsetof( PyDemonClass, DemonID ),     0, "Listener name" },
        { "ExternalIP",     T_STRING, offsetof( PyDemonClass, ExternalIP ),  0, "External IP" },
        { "InternalIP",     T_STRING, offsetof( PyDemonClass, InternalIP ),  0, "Internal IP" },
        { "User",           T_STRING, offsetof( PyDemonClass, User ),        0, "Username" },
        { "Computer",       T_STRING, offsetof( PyDemonClass, Computer ),    0, "Computer" },
        { "Domain",         T_STRING, offsetof( PyDemonClass, Domain ),      0, "Domain" },
        { "OS",             T_STRING, offsetof( PyDemonClass, OS ),          0, "Windows Version" },
        { "OSBuild",        T_STRING, offsetof( PyDemonClass, OSBuild ),     0, "Windows OS Build" },
        { "OSArch",         T_STRING, offsetof( PyDemonClass, OSArch ),      0, "Windows Architecture" },
        { "ProcessName",    T_STRING, offsetof( PyDemonClass, ProcessName ), 0, "Process Name" },
        { "ProcessID",      T_STRING, offsetof( PyDemonClass, ProcessID ),   0, "Process ID" },
        { "ProcessArch",    T_STRING, offsetof( PyDemonClass, ProcessArch ), 0, "Process Architecture" },

        { "CONSOLE_INFO",   T_INT, offsetof( PyDemonClass, CONSOLE_INFO ),   0, "Console message type info" },
        { "CONSOLE_ERROR",  T_INT, offsetof( PyDemonClass, CONSOLE_ERROR ),  0, "Console message type error" },
        { "CONSOLE_TASK",   T_INT, offsetof( PyDemonClass, CONSOLE_TASK ),   0, "Console message type task" },

        { NULL },
};

PyMethodDef PyDemonClass_methods[] = {

        { "ConsoleWrite",           ( PyCFunction ) DemonClass_ConsoleWrite,           METH_VARARGS, "Prints messages to the demon sessions console" },
        { "ProcessCreate",          ( PyCFunction ) DemonClass_ProcessCreate,          METH_VARARGS, "Creates a Process" },
        { "InlineExecute",          ( PyCFunction ) DemonClass_InlineExecute,          METH_VARARGS, "Executes a coff file in the context of the demon sessions" },
        { "InlineExecuteGetOutput", ( PyCFunction ) DemonClass_InlineExecuteGetOutput, METH_VARARGS, "Executes a coff file in the context of the demon sessions and get the output via a callback" },
        { "DllSpawn",               ( PyCFunction ) DemonClass_DllSpawn,               METH_VARARGS, "Spawn and injects a reflective dll and get output from it" },
        { "DllInject",              ( PyCFunction ) DemonClass_DllInject,              METH_VARARGS, "Injects a reflective dll into a specified process" },
        { "DotnetInlineExecute",    ( PyCFunction ) DemonClass_DotnetInlineExecute,    METH_VARARGS, "Executes a dotnet assembly in the context of the demon sessions" },
        { "Command",                ( PyCFunction ) DemonClass_Command,                METH_VARARGS, "Run a command" },
        { "CommandGetOutput",       ( PyCFunction ) DemonClass_CommandGetOutput,                METH_VARARGS, "Run a command and retreive the output" },
        { "ShellcodeSpawn",         ( PyCFunction ) DemonClass_ShellcodeSpawn,         METH_VARARGS, "Executes shellcode spawning a new process" },

        { NULL },
};

代碼的邏輯也很簡單，就是通過havoc.Demon(demon_id)?獲取到這個對象，抽出這里面的對象發(fā)送即可。代碼可以去倉庫看看。最終完成的效果如下：

最后也是正常能提示了，傳送門：gayhub（一起交流）

總結(jié)

以上是生活随笔為你收集整理的Havoc插件编写的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。

插件
Havoc

上一篇： 2024-01-06：用go语言，在河上
下一篇： SPSC Queue