Although Galileo is a product from several years ago, it can fairly be called the first RCS (Remote Control System) tool built as a complete, systematic platform, and much of it is still worth studying closely. I am therefore publishing my installation notes from that time for later readers. For technical exchange and improvement only; do not use it for any other purpose.
1. What you need to prepare
1.1. Two Windows Server 2008 R2 SP1 64-bit virtual machines
Used to build the master and collector nodes.
1.2. One CentOS 6.7 64-bit virtual machine
Used to build the anonymizer node.
1.3. One Windows 7 64-bit physical machine
Used to test the agent.
1.4. Backend (controller-side) installer
\Hacking Team\FAE DiskStation\2. DELIVERY\2.3. Software (releases)\RCS 9.6 (stable)\ rcs-setup-2015032101.exe.
Download what you need via hackedteam.torrent.
1.5. AdobeAIRInstall installer
Used to install the RCS backend console.
1.6. Backend exploit plugin package
\Hacking Team\FAE DiskStation\2. DELIVERY\2.3. Software (releases)\RCS 9.6 (stable)\ rcs-exploits-2015032101.exe.
Used to install the backend exploit plugins.
1.7. Other
dongle.rb
Used to bypass the USB key (hardware dongle) check during installation. The listing below is the patched file; the original DLL round-trip is left in as commented-out lines and hard-coded values are returned in its place. The file as posted was cut off after the time method, so the closing end keywords for the enclosing class and modules are added here to make it load.
# encoding: utf-8
#
# Hardware dongle handling stuff
#
require_relative 'frontend'
# from RCS::Common
require 'rcs-common/trace'
require 'ffi'
require 'securerandom'
require 'openssl'
require 'digest/sha1'
require 'rbconfig'

module RCS
  module DB

    class NoDongleFound < StandardError
      def initialize
        super "NO dongle found, cannot continue"
      end
    end

    module Hasp
      extend FFI::Library
      # we can use the HASP dongle only on windows
      if RbConfig::CONFIG['host_os'] =~ /mingw/
        ffi_lib File.join($execution_directory || Dir.pwd, 'bin/ruby_x64.dll')
        ffi_convention :stdcall
        AES_PADDING = 16
        STRUCT_SIZE = 128
        class Info < FFI::Struct
          layout :enc, [:char, STRUCT_SIZE + AES_PADDING]
        end
        # RI: read the (encrypted) dongle info struct; DC: decrement the licence counter
        attach_function :RI, [:pointer], Info.by_value
        attach_function :DC, [], :int
      end
    end

    class Dongle
      extend RCS::Tracer

      VERSION = 20120504
      KEY = "\xB3\xE0\x2A\x88\x30\x69\x67\xAA\x21\x74\x23\xCC\x90\x99\x0C\x3C"
      DONT_STEAL_RCS = "∆©ƒø†£¢∂øª˚¶∞¨˚˚˙†´ßµ∫√Ïfiˆ¨Øˆ·‰fiΨ"

      ERROR_INFO = 1
      ERROR_PARSING = 2
      ERROR_LOGIN = 3
      ERROR_RTC = 4
      ERROR_STORAGE = 5

      class << self

        def info
          # fake info for macos
          return {serial: 'off', time: Time.now.getutc, oneshot: 0} if RbConfig::CONFIG['host_os'] =~ /darwin/

          # our info to be returned
          info = {}

          # pick a random IV for the encrypted channel with the DLL
          #iv = SecureRandom.random_bytes(16)

          # allocate the memory
          #ivp = FFI::MemoryPointer.new(:char , 16)
          #ivp.write_bytes iv, 0, 16

          # call the actual method in the DLL
          #hasp_info = Hasp.RI(ivp)
          #enc = hasp_info[:enc].to_ptr.read_bytes Hasp::STRUCT_SIZE + Hasp::AES_PADDING
          #raise "Invalid ENC dongle size: corrupted?" if enc.bytesize != Hasp::STRUCT_SIZE + Hasp::AES_PADDING

          # decrypt the response with the pre-shared KEY
          #decipher = OpenSSL::Cipher::Cipher.new('aes-128-cbc')
          #decipher.decrypt
          #decipher.padding = 1
          #decipher.key = KEY
          #decipher.iv = iv
          #data = decipher.update(enc)
          #data << decipher.final

          # parse the data
          #version = data.slice!(0..3).unpack('I').first

          # the values below are hard-coded in place of the decrypted dongle response
          version = VERSION
          raise "Invalid HASP version" if version != VERSION
          info[:version] = version
          info[:serial] = "1175082568"
          time = Time.now.getutc
          info[:time] = time
          info[:oneshot] = 0
          info[:error_code] = 0
          info[:error_msg] = "no"

          trace :error, "Error #{info[:error_code]} while communicating with HASP token: #{info[:error_msg]}" unless info[:error_code] == 0
          raise "Cannot find hardware token" if info[:error_code] == ERROR_INFO || info[:error_code] == ERROR_PARSING

          trace :info, "Dongle Bypass Coded by Looka @ HF"

          return info
        end

        def decrement
          # no dongle support for macos
          return true if RbConfig::CONFIG['host_os'] =~ /darwin/
          raise "No license left" unless 1 == Hasp.DC
        end

        def time
          time = info[:time]
          raise "Cannot get RTC time" if time == 0
          return time
        rescue Exception => e
          trace :warn, "Invalid dongle time, contact support for dongle replacement"
          return Time.now.getutc
        end

      end
    end
  end
end
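The commented-out lines in info above are the real dongle round-trip; the hard-coded values after them are what the patched file substitutes. As an added example (not code from the page or from RCS), the following Ruby reconstructs that round-trip against a stand-in for the DLL so the check being skipped is visible; the sizes and version constant are the page's own, while the key, serial and struct layout (4-byte little-endian version followed by a NUL-padded serial) are constructed assumptions for this example only.

```ruby
require 'openssl'
require 'securerandom'

# Same sizes as the page's Hasp module: a 128-byte struct plus one AES block of
# PKCS#7 padding, because 128 is already a multiple of the 16-byte block size.
STRUCT_SIZE = 128
AES_PADDING = 16
VERSION     = 20120504
# Constructed key for this example, NOT the key shipped with RCS.
DEMO_KEY    = (1..16).to_a.pack('C*')

# Stand-in for the DLL's RI(iv) export. Struct layout is an assumption:
# 4-byte little-endian version, then a NUL-padded serial, padded to 128 bytes,
# encrypted with AES-128-CBC under the pre-shared key and the caller's IV.
def fake_dongle_ri(iv, key, version:, serial:)
  plain = [version].pack('L<') + serial.b.ljust(STRUCT_SIZE - 4, "\0")
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(plain) + cipher.final
end

# Client side: the steps the commented-out lines in Dongle.info perform.
# `ri` is any callable that answers like the DLL; in RCS it is the FFI call.
def dongle_info(key, ri)
  iv  = SecureRandom.random_bytes(16)
  enc = ri.call(iv)
  raise "Invalid ENC dongle size: corrupted?" if enc.bytesize != STRUCT_SIZE + AES_PADDING
  decipher = OpenSSL::Cipher.new('aes-128-cbc')
  decipher.decrypt
  decipher.key = key
  decipher.iv = iv
  data = decipher.update(enc) + decipher.final   # raises on bad padding
  version = data.slice!(0..3).unpack1('L<')
  raise "Invalid HASP version" if version != VERSION
  { version: version, serial: data.unpack1('Z*') }
end

# Two named outcomes: a matching dongle, and the error message produced when
# the dongle answers with the wrong version or under a different key.
def good_dongle(serial = 'DEMO-0001')
  dongle_info(DEMO_KEY, ->(iv) { fake_dongle_ri(iv, DEMO_KEY, version: VERSION, serial: serial) })
end

def dongle_error(version: VERSION, key: DEMO_KEY)
  dongle_info(DEMO_KEY, ->(iv) { fake_dongle_ri(iv, key, version: version, serial: 'X') })
  nil
rescue StandardError => e
  e.message
end
```

What this makes plain for anyone assessing a licence check of this shape: the only secret is the AES key stored beside the code that performs the check, so the caller gains no integrity from the token and the whole path can be replaced in place, exactly as the patched file does. A hardware token only adds assurance when the verifying secret, and the decision, stay on the token side.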
Tags: guide, detailed, Hackingteam, Galileo, RCS
Source: "Hackingteam Galileo RCS安装详细绕坑指南" (Hacking Team Galileo RCS: detailed installation pitfall-avoidance guide), https://www.elefans.com/dongtai/1729255899a1192648.html