本帖最后由 shaoheshaohe 于 2020-3-4 11:18 编辑
通过系列贴,记录silentTrinity的学习。
1. 介绍
SILENTTRINITY is a tool made by byt3bl33d3r which uses Ironpython for awesome C2 and post exploitation.
2019年2月,silentTrinity被首次公开报道用于攻击。这次攻击,在成功之后的2个月,才被发现。
克罗地亚政府员工在2019年2月至4月期间遭到钓鱼攻击,该钓鱼邮件伪装成克罗地亚邮政或其它零售服务的送货通知,通过恶意URL向用户分发包含恶意宏的Excel文档。该文档在攻击期间分发过两种payload,一个是Empire后门,另一个是SilentTrinity。
原文链接: https://www.zdnet.com/article/croatian-government-targeted-by-mysterious-hackers/
In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis for cyber-security firm Positive Technologies, said this was the first time when a malicious threat actor had weaponized the SilentTrinity tool in an active malware distribution campaign. 【相关ppt已在本帖附件】 CROATIAN GOVERNMENT DETECTED THE ATTACKS IN APRIL
While they went under the radar for two months, the phishing attacks were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia state bodies, issued two separate alerts about the attacks [1, 2].
youtube介绍: https://www.youtube.com/watch?v=0_b3A1SOyVw,1小时版
B站:
SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. It's the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET API's, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim of this tool and the BYOI concept is to shift the paradigm back to PowerShell style like attacks (as it offers much more flexibility over traditional C# tradecraft) only without using PowerShell in anyway. Some of the main features that distinguish SILENTTRINITY are: - Multi-User & Multi-Server - Supports multi-user collaboration. Additionally, the client can connect to and control multiple Teamservers.
- Client and Teamserver Built in Python 3.7 - Latest and greatest features of the Python language are used, heavy use of Asyncio provides ludicrous speeds.
- Real-time Updates and Communication - Use of Websockets allow for real-time communication and updates between the Client and Teamserver.
- Focus on Usability with an Extremely Modern CLI - Powered by prompt-toolkit.
- Dynamic Evaluation/Compilation Using .NET Scripting Languages - The SILENTTRINITY implant Naga, is somewhat unique as it uses embedded third-party .NET scripting languages (e.g. Boolang) to dynamically compile/evaluate tasks, this removes the need to compile tasks server side, allows for real-time editing of modules, provides greater flexibilty and stealth over traditional C# based payloads and makes everything much more light-weight.
- ECDHE Encrypted C2 Communication - SILENTTRINITY uses Ephemeral Elliptic Curve Diffie-Hellman Key Exchange to encrypt all C2 traffic between the Teamserver and its implant.
- Fully Modular - Listeners, Modules, Stagers and C2 Channels are fully modular allowing operators to easily build their own.
- Extensive logging - Every action is logged to a file.
- Future proof - HTTPS/HTTP listeners are built on Quart & Hypercorn which also support HTTP2 & Websockets.
2. 安装
下载:git clone https://github.com/byt3bl33d3r/SILENTTRINITY
安装依赖包:pip install -r requirements.txt
安装:python st.py client/teamserver
-------------------问题记录--------------------
1. 改源
作者“好心地”在requirements.txt加入了pypi源。它的优先级比pip命令的-i更高,国外源的下载很慢。
因此,首先要将源换成国内的,比如清华源:https://pypi.tuna.tsinghua.edu.cn/simple
2. python版本
这没什么好说的,作者指名道姓要python3.7
3. donut-shellcode
这个包,在windows anaconda环境,安装报错。原因是缺少visual studio环境。在ubuntu 16.04,直接通过。应该是cmake足够了。
4. 文档缺失,教程更新不及时
此项目为一人开发,文档维护不到位,github教程都是过时的。
网上能找到的资料不多。youtube有大概5个左右相关的视频,最有价值的已在上面列出。
安装与使用,常有变化。几乎所有教程的命令都是过时的,python st.py client/teamserver这行命令,还未见哪个教程包含。
| 
发表于 2020-3-3 11:11:52
楼主