红队开发学习----魔改cobaltstrike学习(持续更新)
环境和工具准备
1.jdku8环境 这里用的是jdk8u321,版本太低的java可能启动不了
https://www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html#license-lightbox
2.linux的ij idea
3.cs4.4源码
4.反编译工具Luyten
5.破解工具CSAgent.zip
6.破解cs的dll
反编译CobaltStrike_4.4_000.jar
java -jar luyten-0.5.4.jar
save all到一个新创建的目录
Idea项目
idea创建一个java项目
创建两个目录decompiled和lib
然后把反编译的decompiled-CobaltStrike_4.4_000.zip解压缩到decompiled目录,类似
unzip decompiled-CobaltStrike_4.4_000.zip -d /root/IdeaProjects/MyCobaltStrike/decompiled
改一下名
mv CobaltStrike_4.4_000.jar cobaltstrike.jar
然后将cobaltstrike.jar拷贝到lib目录
cp cobaltstrike.jar /root/IdeaProjects/MyCobaltStrike/lib
添加到Modules
添加Artifacts
HelloWorld测试代码
将decompiled/aggressor/Aggressor.java文件复制至src/aggressor/Aggressor.java
添加一段
JOptionPane.showMessageDialog(null, "Hello world");
在Modify options选择Add VM options
然后添加
-XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx2048M
最后运行
去除凭证读取
将decompiled/common/中的Authorization,Helper,Starter,Starter2复制到src/common目录下,将decompiled/beacon/BeaconData.java复制到src/beacon目录下
进入到Authorization.java
删除或注释掉
String s = CommonUtils.canonicalize("cobaltstrike.auth");
if (!new File(s).exists()) {
try {
File parentFile = new File(this.getClass().getProtectionDomain().getCodeSource().getLocation().toURI());
if (parentFile.getName().toLowerCase().endsWith(".jar")) {
parentFile = parentFile.getParentFile();
}
s = new File(parentFile, "cobaltstrike.auth").getAbsolutePath();
}
catch (Exception ex) {
MudgeSanity.logException("trouble locating auth file", ex, false);
}
}
final byte[] file = CommonUtils.readFile(s);
if (file.length == 0) {
this.error = "Could not read " + s;
return;
}
将final byte[] decrypt = authCrypto.decrypt(file);
更换为如下
final byte[] decrypt = {1, -55, -61, 127, //证书时间限制29999999(永久)
0, 0, 0, 1, //watermark(水印)
44, //版本
16, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
16, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
16, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
16, 58, 68, 37, 73, 15, 56, -102, -18, -61, 18, -67, -41, 88, -83, 43, -103,
16, 94, -104, 25, 74, 1, -58, -76, -113, -91, -126, -90, -87, -4, -69, -110, -42};
Helper.java中startHelper注释得恒返回true
Start.java中initializeStarter注释掉全部,只留下方法头
Start2.java中initialize同理
将beacon/BeaconData.java里面的this.shouldPad = shouldPad;改为this.shouldPad = false;
修复两处报错
protected List<byte[]> getQueue(final String s) {
synchronized (this) {
if (this.queues.containsKey(s)) {
return (List<byte[]>) this.queues.get(s);
}
final LinkedList<byte[]> list = new LinkedList<>();
this.queues.put(s, list);
return list;
}
}
public int getMode(final String s) {
synchronized (this) {
final Object modeObj = this.modes.get(s);
if (modeObj instanceof String) {
String s2 = (String) modeObj;
if ("dns-txt".equals(s2)) {
return 2;
}
if ("dns6".equals(s2)) {
return 3;
}
if ("dns".equals(s2)) {
return 1;
}
}
return 2;
}
}
这下可以删掉或注释掉HelloWorld的测试代码
此时运行可以弹出登录框
生成jar包,build artifacts
将MyCobaltStrike.jar改名为cobaltstrike.jar
将CSAgent.zip上传到服务端(这里仍然是kali),解压
将cobaltstrike.jar上传到CSAgent目录,服务端启动
./teamserver ip password
然后回到idea 客户端连接
teamserver端配置修改
teamserver默认配置
端口
将-Dcobaltstrike.server_port修改为其他端口即可
证书
查看证书中的信息,口令:Microsoft
keytool -list -v -keystore cobaltstrike.store
生成新证书
rm -rf cobaltstrike.store
keytool -keystore cobaltstrike.store -storepass strongpass -keypass strongpass -genkey -keyalg RSA -alias Google -dname "CN=(CN), OU=(SHANGHAI), O=(SHANGHAI), L=(DONGCHENG), ST=(SHANGHAI), C=(CN)" -validity 36500
teamserver修改最后的部分
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=1234 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=strongpass -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar -javaagent:CSAgent.jar=CSAgent.properties -Duser.language=en server.TeamServer $*
profile配置
JA3|JA3S/JARM 指纹修改
其中一种方法
vim java_home/jre/lib/security/java.security
添加TLSv1.3
源码层面修改
stager导致配置泄漏
修改xor密钥(未进行,没研究明白,怕改崩了)
修改stager下载路径的长度
修改src/common/CommonUtils.java里面
修改4为其他数值(例如6)
public static String MSFURI() {
return MSFURI(4);
}
添加string = "/" + pick(array)...
中的pick(array)至六个(如果前面修改的数值为6)
public static String MSFURI_X64() {
final String[] array = toArray("a, b, c, d, e, f, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9");
String string;
do {
string = "/" + pick(array) + pick(array) + pick(array) + pick(array);
} while (checksum8(string) != 93L);
return string;
}
将decompiled/cloudstrike/WebServer.java复制到src/cloudstrike里面
可以这么修改(如果前面修改的数值为6)
public static boolean isStager(final String uri) {
return checksum8(uri) == 92L && uri.matches("/[A-Za-z0-9]{6}");
}
public static boolean isStagerX64(final String uri) {
return checksum8(uri) == 93L && uri.matches("/[A-Za-z0-9]{6}");
}
public static boolean isStagerStrict(final String uri) {
return isStager(uri) && uri.length() == 7;
}
public static boolean isStagerX64Strict(final String uri) {
return isStagerX64(uri) && uri.length() == 7;
}
修复一个漏洞
WebServer.java在_serve方法开头添加
if (!uri.startsWith("/")) {
return this.processResponse(uri, method, header, param, false, null, new Response("400 Bad Request", "text/plain", ""));
}
参考文章
https://pingmaoer.github.io/2020/06/24/CobaltStrike二次开发环境准备/
https://ucasers.cn/对cobaltstrike4.4的简单魔改/
https://blog.csdn.net/SHELLCODE_8BIT/article/details/121597311
https://blog.csdn.net/l1593572468/article/details/124039120
https://hosch3n.github.io/2020/12/16/检测与隐藏Cobaltstrike服务器/#CDN