Modifying Cobalt Strike's characteristic information to get past firewall devices

0x00 Preface

The Cobalt Strike server and client communicate over SSL. Because the SSL configuration and the listener configuration ship with default values, the contents of the default keystore file are commonly used by firewalls to identify Cobalt Strike traffic.

CS is often used in post-exploitation, and there are two reasons to change its defaults. On the one hand, internal network devices control traffic very strictly; if the CS characteristics are not modified, it is easy for those devices to catch it for traceback, or simply block the IP, and the operation is indirectly burned. On the other hand, it is mainly to ensure the security of the attacking team members' own computers and to prevent counterattacks against the attacking team. Some time ago, I saw a counter-CS tool for lower versions written by an expert. So, to avoid getting burned, it is best to change the defaults. Otherwise, while you are fishing, you are at the same time someone else's fish.

0x01 Modify for characteristic information

  • Port number modification
  • Fingerprint modification
  • SSL certificate modification

0x02 Port number and SSL certificate fingerprint information modification

First look at the default configuration:

Because I read a lot of articles today, I will also write a summary. What impressed me most was Mossen's write-up on obtaining an authoritative certificate and imitating its information for the modification. Of course, those with the budget are free to buy a certificate and bind it. First delete the original store file, then modify the teamserver file (back it up first); the idea is that when the server is started through teamserver, a store file will be generated.

Port number and SSL certificate fingerprint information modification:

print_info "Generating X509 certificate and keystore (for SSL)"
keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias Microsec.com -dname "CN=Microsec e-Szigno Root CA, OU=e-Szigno CA, O=Microsec Ltd., L=Budapest, S=HU, C=HU"

java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50314 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar 

Comparing the certificate information before and after the change shows obvious differences in the cobaltstrike.store file. Note that the teamserver script only runs the keytool step when ./cobaltstrike.store does not yet exist, which is why the original file has to be deleted first.

0x03 Create a new CobaltStrike.store

Sometimes, for convenience, we can modify the certificate fingerprint directly. Here the commonly used tool keytool is used, and the operation is simple. Keytool is a Java certificate management tool; it stores keys and certificates in a file called a keystore, i.e. a file with the .store suffix.

Commands:
  -certreq            Generates a certificate request
  -changealias        Changes an entry's alias
  -delete             Deletes an entry
  -exportcert         Exports a certificate
  -genkeypair         Generates a key pair
  -genseckey          Generates a secret key
  -gencert            Generates a certificate from a certificate request
  -importcert         Imports a certificate or a certificate chain
  -importpass         Imports a password
  -importkeystore     Imports one or all entries from another keystore
  -keypasswd          Changes the key password of an entry
  -list               Lists entries in a keystore
  -printcert          Prints the content of a certificate
  -printcertreq       Prints the content of a certificate request
  -printcrl           Prints the content of a CRL file
  -storepasswd        Changes the store password of a keystore

The keystore is a Java key store used for communications encryption and for things such as digital signatures. It stores key pairs, i.e. public and private keys. A keystore can be understood as a database that holds many entries. Each entry mainly contains one of the following two kinds of data:
1. Key entity: a secret key, or a private key together with its paired public key (asymmetric encryption)
2. Trusted certificate entity: a public key only

View CobaltStrike default store file through keytool

keytool -list -v -keystore cobaltstrike.store

The default CobaltStrike characteristics shown above are very obvious. To cover up the characteristics of the default SSL certificate, a new and different certificate needs to be created. Use the following command to create the certificate:

keytool -keystore cobaltstrike.store -storepass <password> -keypass <password> -genkey -keyalg RSA -alias google.com -dname "CN=(first and last name), OU=(organizational unit), O=(organization name), L=(city or locality), ST=(state or province), C=(two-letter country code)"
-alias specifies the alias
-storepass pass and -keypass pass specify the keystore password and the key password
-keyalg specifies the algorithm
-dname specifies the owner information
Delete the cobaltstrike.store that ships with CobaltStrike and use the following command to generate a new cobaltstrike.store; after that the client can connect.
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=(first and last name), OU=(organizational unit), O=(organization name), L=(city or locality), ST=(state or province), C=(two-letter country code)"

keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12
The -importkeystore step is the PKCS12 migration that newer keytool versions recommend in a warning when a JKS store is used; it is optional and does not change the certificate itself. A concrete example of the generation command:
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN"

After modification, check the default store file of CobaltStrike again
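As an added example from the detection side (this is not code from the blog or from Cobalt Strike), the Python script below parses the `keytool -list -v` output discussed in this section and reports what a defender would check on a certificate produced this way: Owner equal to Issuer (self-signed), keytool's 90-day default validity, a subject CN that is not a hostname, and a fingerprint match against a blocklist. The sample listing, its alias, serial number, dates, fingerprints and the blocklist entry are constructed values; the DN is the one from the command above. The date parser assumes keytool's English locale output.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v` output for a keystore created with the
# command in the post (DN taken from the post; alias, dates, serial number and
# fingerprints are made-up values for this example).
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: baidu.com
Creation date: Sep 13, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN
Issuer: CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN
Serial number: 5f5da3c1
Valid from: Sun Sep 13 10:00:00 CST 2020 until: Sat Dec 12 10:00:00 CST 2020
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""

# Placeholder blocklist keyed by bare-hex SHA-256 fingerprint (constructed value;
# a real list would come from threat-intel feeds or your own TLS telemetry).
EXAMPLE_BLOCKLIST = {
    "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF": "constructed placeholder",
}

# keytool prints dates like "Sun Sep 13 10:00:00 CST 2020" in the English locale.
KEYTOOL_DATE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})$")


def parse_keytool_date(s):
    """Parse a keytool date; the zone token is dropped because strptime's %Z
    only accepts UTC/GMT and the local zone name."""
    m = KEYTOOL_DATE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {s!r}")
    mon, day, clock, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")


def parse_dn(dn):
    """Split 'CN=a, OU=b' into a dict; keytool escapes literal commas as backslash-comma."""
    out = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip().replace("\\,", ",")
    return out


def parse_keytool_list(text):
    """Parse the verbose listing into one dict per alias."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "fingerprints": {}}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Owner:"):
            cur["owner"] = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Issuer:"):
            cur["issuer"] = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Serial number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:"):
            m = re.match(r"Valid from: (.+) until: (.+)", line)
            cur["not_before"] = parse_keytool_date(m.group(1))
            cur["not_after"] = parse_keytool_date(m.group(2))
        elif line.startswith(("MD5:", "SHA1:", "SHA256:")):
            algo, value = line.split(":", 1)
            # Normalise to bare upper-case hex so it compares against blocklists.
            cur["fingerprints"][algo] = value.strip().replace(":", "").upper()
    return entries


def assess_entry(entry, blocklist=EXAMPLE_BLOCKLIST):
    """Return the indicators a defender would flag on this certificate."""
    findings = []
    if entry["owner"] == entry["issuer"]:
        findings.append("self-signed: Owner and Issuer DN are identical")
    days = (entry["not_after"] - entry["not_before"]).days
    if days <= 90:  # keytool -genkey defaults to 90 days; public CAs issue for much longer
        findings.append(f"short validity ({days} days), matches keytool default")
    cn = entry["owner"].get("CN", "")
    if not re.fullmatch(r"[A-Za-z0-9.*-]+\.[A-Za-z]{2,}", cn):
        findings.append(f"subject CN {cn!r} is not a hostname")
    sha256 = entry["fingerprints"].get("SHA256")
    if sha256 in blocklist:
        findings.append(f"SHA-256 fingerprint on blocklist ({blocklist[sha256]})")
    return findings


if __name__ == "__main__":
    for e in parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT):
        print(e["alias"], "->", "; ".join(assess_entry(e)) or "nothing flagged")
```

The same checks apply to the certificate a listener actually presents on the wire, which is what a traffic device sees; a renamed DN alone does not remove the self-signed, short-validity and non-hostname properties that the script flags.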

0x04 summary

Times change, people progress, security develops, and intranet traffic devices are becoming more and more advanced. That machines cannot outplay humans is an eternal truth; just like this year's HW, where security devices themselves became the biggest 0day.

Detection by traffic devices, and the way those devices make their judgments, should drive continual improvement of the attack tooling so that post-exploitation is not disrupted. I have only drawn on the tutorials of the experts and of the internet to make this summary, and I hope to get more support from the masters; please feel free to suggest any better modification methods. I will also keep learning and developing together with everyone, so that we can all make faster progress. That's it for today, keep going!

Please cite the source: Adminxe's Blog » Modifying Cobalt Strike's characteristic information to get past firewall devices


Origin blog.csdn.net/Adminxe/article/details/108568676