参考文档:
- CS 合法证书 + Powershell 上线
- https://bluescreenofjeff.com/2018-04-12-https-payload-and-c2-redirectors/
- https://bluescreenofjeff.com/2018-04-12-https-payload-and-c2-redirectors/
首先,请宁打开您的购买域名的网站。添加a记录。
然后,我要去freessl网站申请我买的 dtgsiam.pw **** 这个域名的证书了:
会生成一个TXT记录,请您粘贴到宁购买域名的网站上:
粘贴好之后是这样,倒数第二条请宁忽略,那是我以前搞合法证书上线的历史遗留:
粘贴好之后去 freessl 验证,解析通过就行:
在这里下载文件:
宁就会得到两个文件:
现在宁就需要去生成 keystore 文件了:
命令模板是:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out spoofdomain.p12 -name spoofdomain.com -passout pass:mypass
keytool -importkeystore -deststorepass mypass -destkeypass mypass -destkeystore spoofdomain.store -srckeystore spoofdomain.p12 -srcstoretype PKCS12 -srcstorepass mypass -alias spoofdomain.com
宁看看我的例子里,是这样输入的:
中间有个是错误的那条命令,宁应该看的出来吧!还可以看出来上面生成的两个文件我已经粘贴到我的 CS 文件夹了吧!!!
帮宁粘贴出来了:
root@VM-0-10-ubuntu:/home/ubuntu/cobaltstrike4.0_cracked_ssooking# openssl pkcs12 -export -in full_chain.pem -inkey private.key -out test.dtgsiam.p12 -name test.dtgsiam.pw -passout pass:snowming
root@VM-0-10-ubuntu:/home/ubuntu/cobaltstrike4.0_cracked_ssooking# keytool -importkeystore -deststorepass snowming -destkeypass snowming -destkeystore dtgsiam.store -srckeystore test.dtgsiam.p12 -srcstoretype PKCS12 -srcstorepass snowming -alias test.dtgsiam.pw
然后我就获得了,这个文件:dtgsiam.store
然后我们怎么用这个文件呢?是写入自己的 c2 profile 里面。
怎么创建 C2 Profile 呢?我帮我朋友写了一个,但是他可能要用我就不贴出来了。宁看我下面这个网址,你实在不会的话就用这个吧。。
其实就是找带 https-certificate段的 c2 profile 去替换。
然后记得我刚刚设置的密码和store文件吗,就换 https-certificate 这一块,换成这两行!!
用 .c2lint 检查下,下面这样就是通过:
然后还可以替换一个东西,就是 teamserver 这个文件:
#!/bin/bash
#
# Start Cobalt Strike Team Server
#
# make pretty looking messages (thanks Carlos)
function print_good () {
echo -e "\x1B[01;32m[+]\x1B[0m $1"
}
function print_error () {
echo -e "\x1B[01;31m[-]\x1B[0m $1"
}
function print_info () {
echo -e "\x1B[01;34m[*]\x1B[0m $1"
}
# check that we're r00t
if [ $UID -ne 0 ]; then
print_error "Superuser privileges are required to run the team server"
exit
fi
# check if java is available...
if [ $(command -v java) ]; then
true
else
print_error "java is not in \$PATH"
echo " is Java installed?"
exit
fi
# check if keytool is available...
if [ $(command -v keytool) ]; then
true
else
print_error "keytool is not in \$PATH"
echo " install the Java Developer Kit"
exit
fi
# generate a certificate
# naturally you're welcome to replace this step with your own permanent certificate.
# just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
# -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
# an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
# is printed so users may have a chance to verify they're not being owned.
if [ -e ./cobaltstrike.store ]; then
print_info "Will use existing X509 certificate and keystore (for SSL)"
else
print_info "Generating X509 certificate and keystore (for SSL)"
keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
fi
# start the team server.
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50051 -Djavax.net.ssl.keyStore=./dtgsiam.store -Djavax.net.ssl.keyStorePassword=snowming -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
我把最后一行改了!!其实就是改了端口、指定的 store 文件,以及 store 文件的密码。
然后跑起来~
root@VM-0-10-ubuntu:/home/ubuntu/cobaltstrike4.0_cracked_ssooking# ./teamserver 106.55.18.116 snowming gmail.profile
注:这个图是我开了监听器之后的截图,那一个红色的报错是我一开始开错了一个 http 的监听器,又关掉了。可以忽略。
申明:文章非本人原创,只是转载的