Writing a Havoc Plugin

Published: 2024/1/8

The WebHook setting in the profile supports Discord, so I tried to do the same with DingTalk and WeCom (Enterprise WeChat).

WebHook {
	Discord {
		Url = ""
		AvatarUrl = ""
		User = "announcer"
	}
}

On the server side, if a webhook is configured, the agent information is forwarded to Discord before the teamserver adds the agent to its own list.

func (t *Teamserver) AgentAdd(Agent *agent.Agent) []*agent.Agent {
	if Agent != nil {
		if t.WebHooks != nil {
			t.WebHooks.NewAgent(Agent.ToMap())
		}
	}
...
}

When an agent checks in, the server console prints the check-in information.

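Borrowing an approach from another user: start the teamserver as a child process and, at the same time, watch its output and capture this information: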

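    import subprocess

    # Start the teamserver as a child process; stderr is merged into stdout
    process = subprocess.Popen(['./havoc', 'server', '--profile', './profiles/havoc.yaotl', '-v', '--debug'],
                               stdout=subprocess.PIPE,
                               stderr=subprocess.STDOUT,
                               text=True)

    capture = False

    # Read the teamserver output line by line
    for line in process.stdout:
        line = line.rstrip('\n')

        # Only the first few lines after the marker are needed
        # (the original note says four; the counter below keeps five)
        if "[DBUG] [agent.ParseDemonRegisterRequest:382]" in line:
            capture = True
            captured_text = ""
            line_count = 0
            continue

        if capture:
            if line_count < 5:
                captured_text += line + '\n'
                line_count += 1
            else:
                # send_messages() is the webhook sender, defined elsewhere in the author's script
                send_messages('New connection!\n'+captured_text.strip())
                capture = False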

Then, following the official documentation, send a text-type message. Markdown works too, but it does not render properly in WeChat.


The upper message is markdown and the lower one is plain text. The code has also been uploaded: gayhub
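The capture-and-notify logic above, reworked as an added example (not the author's code): it matches the debug tag without its source line number, flushes a block when the stream ends early, and builds the `msgtype: text` JSON body used by WeCom and DingTalk group bots without sending it. The sample log lines are constructed, and the 2048-byte cap is an assumed limit to check against the platform's documentation.

```python
import json

# Debug tag from the page, without the ":382" source line number,
# which changes whenever that source file does
MARKER = "agent.ParseDemonRegisterRequest"
MAX_LINES = 5  # same cut-off as the snippet above


def collect_registrations(lines, marker=MARKER, max_lines=MAX_LINES):
    """Yield the text block that follows each registration marker."""
    block = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if marker in line:
            if block:  # a new registration began before the previous block filled
                yield "\n".join(block)
            block = []
            continue
        if block is not None:
            block.append(line)
            if len(block) == max_lines:
                yield "\n".join(block)
                block = None
    if block:  # stream ended mid-block: flush what was collected
        yield "\n".join(block)


def text_payload(body, limit=2048):
    """Build a text-type webhook body, truncated to `limit` UTF-8 bytes (assumed cap)."""
    content = ("New connection!\n" + body).encode("utf-8")[:limit]
    # errors="ignore" drops a multi-byte character cut in half by the truncation
    return json.dumps({"msgtype": "text",
                       "text": {"content": content.decode("utf-8", "ignore")}},
                      ensure_ascii=False)


# Constructed sample output, not real teamserver logs; the stream ends after four lines
SAMPLE_LOG = [
    "[INFO] teamserver started\n",
    "[DBUG] [agent.ParseDemonRegisterRequest:382] register request\n",
    "Hostname: WS01\n",
    "Username: alice\n",
    "Domain: LAB\n",
    "InternalIP: 10.0.0.5\n",
]

if __name__ == "__main__":
    for block in collect_registrations(SAMPLE_LOG):
        print(text_payload(block))
```

The message body carries hostnames, usernames and internal addresses to a third-party chat service, so the webhook URL should be treated as a secret and kept out of shared repositories.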


This approach is not great, though. The official documentation describes the client API in detail; it mainly involves two modules, havoc and havocui.


The UI functions can be tried out directly in the client's console:


For example, havoc.GetDemons() can be used to get the number of demons.

The documentation covers the more commonly used APIs; \client\src\Havoc\PythonApi contains more that can be called, such as the following:

PyMemberDef PyDemonClass_members[] = {

        { "Listener",       T_STRING, offsetof( PyDemonClass, Listener ),    0, "Listener name" },
        { "DemonID",        T_STRING, offsetof( PyDemonClass, DemonID ),     0, "Listener name" },
        { "ExternalIP",     T_STRING, offsetof( PyDemonClass, ExternalIP ),  0, "External IP" },
        { "InternalIP",     T_STRING, offsetof( PyDemonClass, InternalIP ),  0, "Internal IP" },
        { "User",           T_STRING, offsetof( PyDemonClass, User ),        0, "Username" },
        { "Computer",       T_STRING, offsetof( PyDemonClass, Computer ),    0, "Computer" },
        { "Domain",         T_STRING, offsetof( PyDemonClass, Domain ),      0, "Domain" },
        { "OS",             T_STRING, offsetof( PyDemonClass, OS ),          0, "Windows Version" },
        { "OSBuild",        T_STRING, offsetof( PyDemonClass, OSBuild ),     0, "Windows OS Build" },
        { "OSArch",         T_STRING, offsetof( PyDemonClass, OSArch ),      0, "Windows Architecture" },
        { "ProcessName",    T_STRING, offsetof( PyDemonClass, ProcessName ), 0, "Process Name" },
        { "ProcessID",      T_STRING, offsetof( PyDemonClass, ProcessID ),   0, "Process ID" },
        { "ProcessArch",    T_STRING, offsetof( PyDemonClass, ProcessArch ), 0, "Process Architecture" },

        { "CONSOLE_INFO",   T_INT, offsetof( PyDemonClass, CONSOLE_INFO ),   0, "Console message type info" },
        { "CONSOLE_ERROR",  T_INT, offsetof( PyDemonClass, CONSOLE_ERROR ),  0, "Console message type error" },
        { "CONSOLE_TASK",   T_INT, offsetof( PyDemonClass, CONSOLE_TASK ),   0, "Console message type task" },

        { NULL },
};

PyMethodDef PyDemonClass_methods[] = {

        { "ConsoleWrite",           ( PyCFunction ) DemonClass_ConsoleWrite,           METH_VARARGS, "Prints messages to the demon sessions console" },
        { "ProcessCreate",          ( PyCFunction ) DemonClass_ProcessCreate,          METH_VARARGS, "Creates a Process" },
        { "InlineExecute",          ( PyCFunction ) DemonClass_InlineExecute,          METH_VARARGS, "Executes a coff file in the context of the demon sessions" },
        { "InlineExecuteGetOutput", ( PyCFunction ) DemonClass_InlineExecuteGetOutput, METH_VARARGS, "Executes a coff file in the context of the demon sessions and get the output via a callback" },
        { "DllSpawn",               ( PyCFunction ) DemonClass_DllSpawn,               METH_VARARGS, "Spawn and injects a reflective dll and get output from it" },
        { "DllInject",              ( PyCFunction ) DemonClass_DllInject,              METH_VARARGS, "Injects a reflective dll into a specified process" },
        { "DotnetInlineExecute",    ( PyCFunction ) DemonClass_DotnetInlineExecute,    METH_VARARGS, "Executes a dotnet assembly in the context of the demon sessions" },
        { "Command",                ( PyCFunction ) DemonClass_Command,                METH_VARARGS, "Run a command" },
        { "CommandGetOutput",       ( PyCFunction ) DemonClass_CommandGetOutput,                METH_VARARGS, "Run a command and retreive the output" },
        { "ShellcodeSpawn",         ( PyCFunction ) DemonClass_ShellcodeSpawn,         METH_VARARGS, "Executes shellcode spawning a new process" },

        { NULL },
};

The logic is simple: get the object with havoc.Demon(demon_id), pull the fields out of it and send them. See the repository for the code. The final result looks like this:


In the end the notification works as expected. Link: gayhub (discussion welcome)
