红队开发学习----魔改cobaltstrike学习(持续更新)

环境和工具准备

1.jdku8环境 这里用的是jdk8u321,版本太低的java可能启动不了
https://www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html#license-lightbox
2.linux的ij idea
3.cs4.4源码
4.反编译工具Luyten
5.破解工具CSAgent.zip
6.破解cs的dll

反编译CobaltStrike_4.4_000.jar

java -jar luyten-0.5.4.jar


save all到一个新创建的目录

Idea项目

idea创建一个java项目


创建两个目录decompiled和lib

然后把反编译的decompiled-CobaltStrike_4.4_000.zip解压缩到decompiled目录,类似

unzip decompiled-CobaltStrike_4.4_000.zip -d /root/IdeaProjects/MyCobaltStrike/decompiled

改一下名

mv CobaltStrike_4.4_000.jar cobaltstrike.jar

然后将cobaltstrike.jar拷贝到lib目录

cp cobaltstrike.jar /root/IdeaProjects/MyCobaltStrike/lib

添加到Modules

添加Artifacts

HelloWorld测试代码

将decompiled/aggressor/Aggressor.java文件复制至src/aggressor/Aggressor.java

添加一段

JOptionPane.showMessageDialog(null, "Hello world");


在Modify options选择Add VM options
然后添加

-XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx2048M



最后运行

去除凭证读取

将decompiled/common/中的Authorization,Helper,Starter,Starter2复制到src/common目录下,将decompiled/beacon/BeaconData.java复制到src/beacon目录下
进入到Authorization.java
删除或注释掉

        String s = CommonUtils.canonicalize("cobaltstrike.auth");
        if (!new File(s).exists()) {
            try {
                File parentFile = new File(this.getClass().getProtectionDomain().getCodeSource().getLocation().toURI());
                if (parentFile.getName().toLowerCase().endsWith(".jar")) {
                    parentFile = parentFile.getParentFile();
                }
                s = new File(parentFile, "cobaltstrike.auth").getAbsolutePath();
            }
            catch (Exception ex) {
                MudgeSanity.logException("trouble locating auth file", ex, false);
            }
        }
        final byte[] file = CommonUtils.readFile(s);
        if (file.length == 0) {
            this.error = "Could not read " + s;
            return;
        }

final byte[] decrypt = authCrypto.decrypt(file);更换为如下

        final byte[] decrypt = {1, -55, -61, 127,   //证书时间限制29999999(永久)
                0, 0, 0, 1,     //watermark(水印)
                44,     //版本
                16, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
                16, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
                16, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
                16, 58, 68, 37, 73, 15, 56, -102, -18, -61, 18, -67, -41, 88, -83, 43, -103,
                16, 94, -104, 25, 74, 1, -58, -76, -113, -91, -126, -90, -87, -4, -69, -110, -42};


Helper.java中startHelper注释得恒返回true

Start.java中initializeStarter注释掉全部,只留下方法头

Start2.java中initialize同理

将beacon/BeaconData.java里面的this.shouldPad = shouldPad;改为this.shouldPad = false;

修复两处报错

protected List<byte[]> getQueue(final String s) {
    synchronized (this) {
        if (this.queues.containsKey(s)) {
            return (List<byte[]>) this.queues.get(s);
        }
        final LinkedList<byte[]> list = new LinkedList<>();
        this.queues.put(s, list);
        return list;
    }
}
public int getMode(final String s) {
    synchronized (this) {
        final Object modeObj = this.modes.get(s);
        if (modeObj instanceof String) {
            String s2 = (String) modeObj;
            if ("dns-txt".equals(s2)) {
                return 2;
            }
            if ("dns6".equals(s2)) {
                return 3;
            }
            if ("dns".equals(s2)) {
                return 1;
            }
        }
        return 2;
    }
}

这下可以删掉或注释掉HelloWorld的测试代码

此时运行可以弹出登录框

生成jar包,build artifacts



将MyCobaltStrike.jar改名为cobaltstrike.jar
将CSAgent.zip上传到服务端(这里仍然是kali),解压
将cobaltstrike.jar上传到CSAgent目录,服务端启动

./teamserver ip password


然后回到idea 客户端连接

teamserver端配置修改

teamserver默认配置

端口

将-Dcobaltstrike.server_port修改为其他端口即可

证书

查看证书中的信息,口令:Microsoft

keytool -list -v -keystore cobaltstrike.store


生成新证书

rm -rf cobaltstrike.store
keytool -keystore cobaltstrike.store -storepass strongpass -keypass strongpass -genkey -keyalg RSA -alias Google -dname "CN=(CN), OU=(SHANGHAI), O=(SHANGHAI), L=(DONGCHENG), ST=(SHANGHAI), C=(CN)" -validity 36500

teamserver修改最后的部分

java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=1234 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=strongpass -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar -javaagent:CSAgent.jar=CSAgent.properties -Duser.language=en server.TeamServer $*

profile配置

JA3|JA3S/JARM 指纹修改

其中一种方法

vim java_home/jre/lib/security/java.security

添加TLSv1.3

源码层面修改

stager导致配置泄漏

修改xor密钥(未进行,没研究明白,怕改崩了)

修改stager下载路径的长度

修改src/common/CommonUtils.java里面
修改4为其他数值(例如6)

public static String MSFURI() {
        return MSFURI(4);
    }

添加string = "/" + pick(array)...中的pick(array)至六个(如果前面修改的数值为6)

    public static String MSFURI_X64() {
        final String[] array = toArray("a, b, c, d, e, f, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9");
        String string;
        do {
            string = "/" + pick(array) + pick(array) + pick(array) + pick(array);
        } while (checksum8(string) != 93L);
        return string;
    }

将decompiled/cloudstrike/WebServer.java复制到src/cloudstrike里面
可以这么修改(如果前面修改的数值为6)

   public static boolean isStager(final String uri) {
        return checksum8(uri) == 92L && uri.matches("/[A-Za-z0-9]{6}");
    }
    
    public static boolean isStagerX64(final String uri) {
        return checksum8(uri) == 93L && uri.matches("/[A-Za-z0-9]{6}");
    }
    
    public static boolean isStagerStrict(final String uri) {
        return isStager(uri) && uri.length() == 7;
    }
    
    public static boolean isStagerX64Strict(final String uri) {
        return isStagerX64(uri) && uri.length() == 7;
    }

修复一个漏洞

WebServer.java在_serve方法开头添加

if (!uri.startsWith("/")) {
            return this.processResponse(uri, method, header, param, false, null, new Response("400 Bad Request", "text/plain", ""));
        }

参考文章

https://pingmaoer.github.io/2020/06/24/CobaltStrike二次开发环境准备/
https://ucasers.cn/对cobaltstrike4.4的简单魔改/
https://blog.csdn.net/SHELLCODE_8BIT/article/details/121597311
https://blog.csdn.net/l1593572468/article/details/124039120
https://hosch3n.github.io/2020/12/16/检测与隐藏Cobaltstrike服务器/#CDN

posted @ 2023-11-29 19:58  BattleofZhongDinghe  阅读(667)  评论(0编辑  收藏  举报