GhostPack Seatbelt situational awareness tool
Tool overview
Carseat is a Python implementation of Seatbelt. It contains every Seatbelt module that supports remote execution (technically, all modules minus one). As with Seatbelt, you will likely need privileged access on the target host to run any module.
https://github.com/GhostPack/Seatbelt/
Direct download link
https://lp.lmboke.com/Seatbelt-master.zip
Installation and usage
The only non-standard Python libraries used are impacket and pefile, so you can install them individually or via the requirements.txt file.
pip3 install -r requirements.txt
Run a single command
python CarSeat.py domain/user:password@10.10.10.10 AntiVirus
Run multiple commands at once
python CarSeat.py domain/user:password@10.10.10.10 AntiVirus,UAC,ScheduledTasks
Run a command group
python CarSeat.py -group remote domain/user:password@10.10.10.10 InterestingProcesses
Run a command with arguments
python CarSeat.py -group remote domain/user:password@10.10.10.10 ExplicitLogonEvents 10
Like other impacket tools, CarSeat accepts a password, hashes, or a Kerberos ticket for authentication.
python CarSeat.py -hashes :8846F7EAEE8FB117AD06BDD830B7586C -no-pass domain/user:@10.10.10.10 WSUS
or
export KRB5CCNAME=admin_tgt.ccache
python CarSeat.py -k -no-pass domain/user:@10.10.10.10 WindowsFirewall
Groups are the same as Seatbelt's groups; the only difference is that -group remote will run all modules, since all of them are considered remote modules.
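The three invocations above all use the impacket-style target syntax `[[domain/]user[:password]@]host`, combined with `-hashes LMHASH:NTHASH` or `-k` (ticket taken from `KRB5CCNAME`) when no password is given. The following is an added example, not code from CarSeat or impacket: a small parser for that target string and the `-hashes` value, plus a classifier that reports which credential form a command line uses and whether a secret is exposed on the command line (where it lands in process listings and shell history). The regular expressions and the `classify_auth` helper are written for this example; the option names `-hashes`, `-no-pass`, `-k` and `-group` are the ones shown in the commands above.

```python
import argparse
import re
from typing import NamedTuple, Optional

# Grammar of the impacket-style target string used above:
# [[domain/]user[:password]@]host. Regex written for this example (assumption:
# it mirrors impacket's syntax; it is not impacket's own parser).
_TARGET_RE = re.compile(
    r"^(?:(?:(?P<domain>[^/@:]*)/)?(?P<user>[^@:]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^@]+)$"
)

# -hashes value: LMHASH:NTHASH, each half either empty or 32 hex characters.
_HASHES_RE = re.compile(r"^(?P<lm>[0-9a-fA-F]{32})?:(?P<nt>[0-9a-fA-F]{32})?$")


class Target(NamedTuple):
    domain: str
    user: str
    password: Optional[str]  # None when no ':' given, '' for 'user:@host'
    host: str


def parse_target(spec: str) -> Target:
    """Split 'domain/user:password@host' into its parts."""
    m = _TARGET_RE.match(spec)
    if not m:
        raise ValueError(f"malformed target: {spec!r}")
    return Target(m.group("domain") or "", m.group("user") or "",
                  m.group("password"), m.group("host"))


def parse_hashes(value: str) -> tuple:
    """Validate an LM:NT hash pair; the LM half is usually left empty."""
    m = _HASHES_RE.match(value)
    if not m:
        raise ValueError("hashes must be LMHASH:NTHASH, 32 hex chars each (either may be empty)")
    return (m.group("lm") or "", m.group("nt") or "")


def classify_auth(argv: list) -> dict:
    """Classify a CarSeat-style argument list (without the script name).

    Returns the parsed target, the command list, and which credential form
    the invocation relies on.  Unknown options are deliberately not modelled.
    """
    p = argparse.ArgumentParser(add_help=False)
    p.add_argument("-hashes")
    p.add_argument("-no-pass", action="store_true", dest="no_pass")
    p.add_argument("-k", action="store_true")
    p.add_argument("-group")
    p.add_argument("target")
    p.add_argument("commands", nargs="*")
    ns = p.parse_args(argv)

    target = parse_target(ns.target)
    if ns.k:
        method = "kerberos"        # ticket comes from KRB5CCNAME, not argv
    elif ns.hashes is not None:
        parse_hashes(ns.hashes)    # reject malformed LM:NT values early
        method = "ntlm-hash"
    elif target.password:
        method = "password"
    else:
        method = "none"            # no secret supplied on the command line

    return {
        "target": target,
        "group": ns.group,
        "commands": ns.commands,
        "method": method,
        # Passwords and NT hashes passed as arguments are readable by anyone
        # who can list processes on the operator's host.
        "secret_on_cmdline": method in ("password", "ntlm-hash"),
    }


if __name__ == "__main__":
    # Constructed sample argument lists matching the commands above.
    for argv in (["-hashes", ":8846F7EAEE8FB117AD06BDD830B7586C", "-no-pass",
                  "domain/user:@10.10.10.10", "WSUS"],
                 ["-k", "-no-pass", "domain/user:@10.10.10.10", "WindowsFirewall"]):
        print(classify_auth(argv))
```

The `-k` path reports no secret on the command line because the ticket is read from the credential cache named by `KRB5CCNAME`; protecting that cache file is then the relevant control.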
Available commands:
+ AMSIProviders - Providers registered for AMSI
+ AntiVirus - Registered antivirus (via WMI)
+ AppLocker - AppLocker settings, if installed
+ AuditPolicyRegistry - Audit settings via the registry
+ AutoRuns - Auto run executables/scripts/programs
+ ChromiumBookmarks - Parses any found Chrome/Edge/Brave/Opera bookmark files
+ ChromiumHistory - Parses any found Chrome/Edge/Brave/Opera history files
+ ChromiumPresence - Checks if interesting Chrome/Edge/Brave/Opera files exist
+ CloudCredentials - AWS/Google/Azure/Bluemix cloud credential files
+ CloudSyncProviders - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
+ CredGuard - CredentialGuard configuration
+ DNSCache - DNS cache entries (via WMI)
+ DotNet - DotNet versions
+ DpapiMasterKeys - List DPAPI master keys
+ EnvironmentVariables - Current environment variables
+ ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
+ ExplorerRunCommands - Recent Explorer "run" commands
+ FileZilla - FileZilla configuration files
+ FirefoxHistory - Parses any found FireFox history files
+ FirefoxPresence - Checks if interesting Firefox files exist
+ Hotfixes - Installed hotfixes (via WMI)
+ IEFavorites - Internet Explorer favorites
+ IEUrls - Internet Explorer typed URLs (last 7 days, argument == last X days)
+ InstalledProducts - Installed products via the registry
+ InterestingProcesses - "Interesting" processes - defensive products and admin tools
+ KeePass - Finds KeePass configuration files
+ LAPS - LAPS settings, if installed
+ LastShutdown - Returns the DateTime of the last system shutdown (via the registry).
+ LocalGroups - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
+ LocalUsers - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
+ LogonEvents - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
+ LogonSessions - Windows logon sessions
+ LSASettings - LSA settings (including auth packages)
+ MappedDrives - Users' mapped drives (via WMI)
+ NetworkProfiles - Windows network profiles
+ NetworkShares - Network shares exposed by the machine (via WMI)
+ NTLMSettings - NTLM authentication settings
+ OptionalFeatures - List Optional Features/Roles (via WMI)
+ OSInfo - Basic OS info (i.e. architecture, OS version, etc.)
+ OutlookDownloads - List files downloaded by Outlook
+ PoweredOnEvents - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
+ PowerShell - PowerShell versions and security settings
+ PowerShellEvents - PowerShell script block logs (4104) with sensitive data.
+ PowerShellHistory - Searches PowerShell console history files for sensitive regex matches.
+ ProcessCreationEvents - Process creation logs (4688) with sensitive data.
+ ProcessOwners - Running non-session 0 process list with owners. For remote use.
+ PSSessionSettings - Enumerates PS Session Settings from the registry
+ PuttyHostKeys - Saved Putty SSH host keys
+ PuttySessions - Saved Putty configuration (interesting fields) and SSH host keys
+ RDPSavedConnections - Saved RDP connections stored in the registry
+ RDPsettings - Remote Desktop Server/Client Settings
+ SCCM - System Center Configuration Manager (SCCM) settings, if applicable
+ ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
+ SecureBoot - Secure Boot configuration
+ SlackDownloads - Parses any found 'slack-downloads' files
+ SlackPresence - Checks if interesting Slack files exist
+ SlackWorkspaces - Parses any found 'slack-workspaces' files
+ SuperPutty - SuperPutty configuration files
+ Sysmon - Sysmon configuration from the registry
+ SysmonEvents - Sysmon process creation logs (1) with sensitive data.
+ UAC - UAC system policies via the registry
+ WindowsAutoLogon - Registry autologon information
+ WindowsDefender - Windows Defender settings (including exclusion locations)
+ WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
+ WindowsFirewall - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
+ WMI - Runs a specified WMI query
+ WSUS - Windows Server Update Services (WSUS) settings, if applicable
Note: Command names and descriptions are from Seatbelt's README.
Direct download link
https://lp.lmboke.com/Carseat-main.zip
Disclaimer
This article is for technical discussion and learning only. Any direct or indirect consequences and losses arising from use of the information it provides are the sole responsibility of the user; this platform and the publisher accept no liability.
This is an original article licensed under CC BY-NC-ND 4.0; when reproducing it in full, please credit 程序员小航.