cobaltstrike docker

Screenshots

(five screenshots from the original post, not reproduced here)

I'd suggest you change these:
dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US"
The subject DN of the team server's self-signed TLS certificate is one of the easiest ways to fingerprint a Cobalt Strike server, and a certificate claiming to be www.microsoft.com is no disguise once the exact string has been published here, so pick values of your own. And, as always, check any third-party build for backdoors yourself.
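To see what a scanner sees, here is an added example (not from the original post or the image): a POSIX shell script that fetches the team server's certificate subject with openssl and compares it against published DNs, namely Cobalt Strike's stock keystore DN and the Microsoft look-alike template above. The host, port and the sample subject lines in the comments are assumed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a team server's TLS
# certificate subject. A Cobalt Strike server is routinely fingerprinted by the
# subject DN of its self-signed certificate, so anything copied from a public
# write-up (this one included) is as recognisable as the stock one.

# Published DNs. Line 1 is the stock Cobalt Strike keystore DN; line 2 is the
# template recommended above, which is now a published string too.
KNOWN_SUBJECTS='CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth
CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US'

# normalise_subject: turn any of the `openssl x509 -subject` spellings
# ("subject=CN = a, ST = b" on OpenSSL 1.1+/3, "subject= /CN=a/ST=b" on 1.0)
# and keytool's "S=" abbreviation into one canonical "CN=a, ST=b" form.
# (Values containing "/" would need RFC 2253 output instead; none do here.)
normalise_subject() {
  printf '%s\n' "$1" | sed \
    -e 's/^subject= *//' \
    -e 's#^/##' \
    -e 's#/#, #g' \
    -e 's/ *= */=/g' \
    -e 's/, */, /g' \
    -e 's/^S=/ST=/' \
    -e 's/, S=/, ST=/g'
}

# classify_subject: prints "known-fingerprint" if the subject matches a
# published DN (or names Cobalt Strike outright), otherwise "custom".
classify_subject() {
  subj=$(normalise_subject "$1")
  hit=$(printf '%s\n' "$KNOWN_SUBJECTS" | while IFS= read -r known; do
          if [ "$(normalise_subject "$known")" = "$subj" ]; then echo hit; break; fi
        done)
  if [ -n "$hit" ]; then
    echo known-fingerprint
    return 0
  fi
  case "$subj" in
    *[Cc]obalt*[Ss]trike*|*cobaltstrike*) echo known-fingerprint ;;
    *) echo custom ;;
  esac
}

# check_teamserver HOST PORT: fetch the live certificate and classify it.
# Exit 0 for a custom DN, 1 for a fingerprintable one, 2 if the handshake failed.
check_teamserver() {
  subj=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -subject) || return 2
  [ -n "$subj" ] || return 2
  verdict=$(classify_subject "$subj")
  echo "$1:$2 -> $verdict ($(normalise_subject "$subj"))"
  [ "$verdict" = custom ]
}

# Usage (host and port are assumed): sh cs-cert-check.sh 192.168.88.101 50050
if [ "$#" -eq 2 ]; then
  check_teamserver "$1" "$2"
fi
```

Run it against your own team server after changing dname; a "known-fingerprint" verdict means the certificate alone gives the server away. The subject is only the most obvious handle: the stock certificate's serial number and the default port 50050 are fingerprinted just as widely, so treat this as the first check, not the last.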

Pull and run the image (docker run pulls it on first use). Replace passwd with a password of your own, and set server_ip to the externally reachable address of the Docker host, not the container's internal address: it is the host the team server uses as its default for listeners.

Mac M1

docker run -it \
--name cobaltstrike \
-e passwd="123456" \
-e server_ip="192.168.88.101" \
-e server_port=50050 \
-e dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US" \
-p 50050:50050 \
registry.cn-hangzhou.aliyuncs.com/xrsec/cobaltstrike:4.2-Arm

docker.io

docker run -it \
--name cobaltstrike \
-e passwd="123456" \
-e server_ip="192.168.88.101" \
-e server_port=50050 \
-e dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US" \
-p 50050:50050 \
xrsec/cobaltstrike:4.2-Arm

Intel x64

Aliyun registry

docker run -it \
--name cobaltstrike \
-e passwd="123456" \
-e server_ip="192.168.88.101" \
-e server_port=50050 \
-e dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US" \
-p 50050:50050 \
registry.cn-hangzhou.aliyuncs.com/xrsec/cobaltstrike:4.2

docker.io

docker run -it \
--name cobaltstrike \
-e passwd="123456" \
-e server_ip="192.168.88.101" \
-e server_port=50050 \
-e dname="CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US" \
-p 50050:50050 \
xrsec/cobaltstrike:4.2

Dockerfile

# Pin the base image (e.g. centos:8) rather than :latest if the build must be reproducible
FROM centos:latest

# Use the Aliyun mirror for CentOS 8 packages
RUN curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo

RUN yum makecache -y && yum update -y && yum upgrade -y

# Unpacked Cobalt Strike directory: cobaltstrike.jar plus the teamserver script that CMD runs below
COPY CobaltStrike /CobaltStrike

# JDK for the image. The aarch64 RPM is for the Mac M1 build; the commented-out .deb line is a
# leftover (rpm cannot install a .deb), use the linux-x64 RPM for the x64 build.
# COPY jdk-15.0.2_linux-x64_bin.deb /tmp/
COPY jdk-15.0.2_linux-aarch64_bin.rpm /tmp/

# Install and delete in the same layer, otherwise the package stays in the image history
RUN rpm -ivh /tmp/jdk-15.0.2_linux-aarch64_bin.rpm && rm /tmp/jdk-15.0.2_linux-aarch64_bin.rpm
COPY Dockerfile /

# Defaults, overridden with -e at docker run time. No default is set for passwd;
# supply it with -e passwd=... when starting the container.
ENV server_ip 127.0.0.1
ENV server_port 50050
ENV aliasname "Bing Wallpaper"
ENV dname "CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US"
# SIGWINCH is the Apache httpd convention; the JVM does nothing on it, so docker stop waits out
# its timeout and then SIGKILLs the team server. SIGTERM gives a clean JVM shutdown.
STOPSIGNAL SIGWINCH

EXPOSE 50050
CMD ["/CobaltStrike/teamserver"]

The instructions below are obsolete and are kept only for reference

Pull the image

sudo docker pull registry.cn-hangzhou.aliyuncs.com/xrsec/cobaltstrike:4.2

Start the container

docker run -it -d \
--name cobaltstrike \
-p 50050:50050 \
-p 50051-50055:50051-50055 \
registry.cn-hangzhou.aliyuncs.com/xrsec/cobaltstrike:4.2

Open a shell in the container

docker exec -it cobaltstrike /bin/bash
cd /root/CS/
rm cobaltstrike.store

Regenerate the certificate

# The default password LCYtmSqVmj4kJDa3aFQZ appears twice below (-storepass and -keypass); change both
# Edit the other fields as you like. Note that keytool issues the certificate for only 90 days unless
# -validity is given, and -genkey is the old spelling of -genkeypair (it still works, with a warning)
keytool -keystore ./cobaltstrike.store -storepass LCYtmSqVmj4kJDa3aFQZ -keypass LCYtmSqVmj4kJDa3aFQZ -genkey -keyalg RSA -alias BingWallPaper -dname "CN=Microsoft Bing, OU=UpdateTesting, O=BingUpdate, L=America, S=New York, C=Chinatown"

Change the password

# Open a second terminal
# docker cp the teamserver script out of the cobaltstrike container into the current directory
# (copy the edited file back into the container the same way when you are done)
docker cp cobaltstrike:/root/CS/teamserver .

These need to be changed:

  • -storepass LCYtmSqVmj4kJDa3aFQZ
  • -keypass LCYtmSqVmj4kJDa3aFQZ
  • keyStorePassword=LCYtmSqVmj4kJDa3aFQZ
  • TeamServer 192.168.0.78 LCYtmSqVmj4kJDa3aFQZ
  • Change the rest as you see fit, but keep the keystore password, alias and dname identical to the ones you used when regenerating the certificate above
# Excerpt from the teamserver script (the print_info helper and the lines above this are unchanged)
if [ -e ./cobaltstrike.store ]; then
print_info "Will use existing X509 certificate and keystore (for SSL)"
else
print_info "Generating X509 certificate and keystore (for SSL)"
keytool -keystore ./cobaltstrike.store -storepass LCYtmSqVmj4kJDa3aFQZ -keypass LCYtmSqVmj4kJDa3aFQZ -genkey -keyalg RSA -alias BingWallPaper -dname "CN=Microsoft Bing, OU=UpdateTesting, O=BingUpdate, L=America, S=New York, C=Chinatown"
fi

# start the team server.
# Host and password are hard-coded here; any further arguments to the script (e.g. a Malleable C2
# profile path) are passed through as "$@". The original line ended in '& $*', which backgrounds
# java and then tries to run the script's arguments as a command, so the script exits immediately
# and a container using it as its main process stops at once.
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=LCYtmSqVmj4kJDa3aFQZ -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer 192.168.0.78 LCYtmSqVmj4kJDa3aFQZ "$@"
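What the Dockerfile's CMD relies on, and what the hand-edited script above does with hard-coded values, can be one small entrypoint that reads the environment variables passed on the docker run line (passwd, server_ip, server_port, dname, aliasname). The script below is an added example, not the image's own /CobaltStrike/teamserver, which the post does not show. It assumes cobaltstrike.jar sits in /CobaltStrike and that keytool and java are on PATH; it refuses the published default passwords, generates the keystore only once, and keeps java in the foreground as the container's main process.

```shell
#!/bin/sh
# Added example (not the image's own teamserver script): an entrypoint that
# reads the same environment variables the docker run commands pass, generates
# the keystore once, and starts the team server in the foreground.
# Assumptions: /CobaltStrike holds cobaltstrike.jar; keytool and java are on PATH.
set -eu

CS_DIR="${CS_DIR:-/CobaltStrike}"
STORE="$CS_DIR/cobaltstrike.store"

die() { echo "teamserver: $*" >&2; exit 1; }

# Reject empty, short, or well-known passwords. 123456 and LCYtmSqVmj4kJDa3aFQZ
# are the values that appear in this post and therefore in every copy of it;
# anyone who finds port 50050 will try them first.
validate_password() {
  pw="$1"
  [ "${#pw}" -ge 12 ] || return 1
  case "$pw" in
    123456*|password*|LCYtmSqVmj4kJDa3aFQZ) return 1 ;;
  esac
  return 0
}

# server_port must be a plain TCP port number.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Generate the keystore only if it is not already there (e.g. mounted as a
# volume), so the certificate stays the same across container restarts.
ensure_keystore() {
  if [ -e "$STORE" ]; then
    echo "[*] using existing keystore $STORE"
    return 0
  fi
  echo "[*] generating keystore $STORE"
  keytool -keystore "$STORE" -storepass "$passwd" -keypass "$passwd" \
    -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias "$aliasname" -dname "$dname"
}

main() {
  : "${server_ip:?server_ip is required}"
  : "${passwd:?passwd is required}"
  : "${dname:?dname is required}"
  server_port="${server_port:-50050}"
  aliasname="${aliasname:-teamserver}"
  validate_password "$passwd" || die "passwd is empty, too short, or a published default"
  validate_port "$server_port" || die "server_port must be 1-65535"
  cd "$CS_DIR" || die "missing $CS_DIR"
  ensure_keystore
  # Extra arguments (e.g. a Malleable C2 profile path) go straight to
  # TeamServer. exec keeps java as PID 1, so the container lives exactly as
  # long as the team server does; no '&' and no trailing '$*'.
  exec java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port="$server_port" \
    -Djavax.net.ssl.keyStore="$STORE" -Djavax.net.ssl.keyStorePassword="$passwd" \
    -server -XX:+AggressiveHeap -XX:+UseParallelGC \
    -classpath ./cobaltstrike.jar server.TeamServer "$server_ip" "$passwd" "$@"
}

# Only run main when installed under one of these names, so the functions can
# be sourced elsewhere without starting a server.
case "${0##*/}" in
  teamserver|entrypoint.sh) main "$@" ;;
esac
```

Save it as /CobaltStrike/teamserver (or entrypoint.sh) and keep the Dockerfile's CMD; anything after the image name on the docker run line is appended as TeamServer arguments, for example a Malleable C2 profile. Passing the password with -e leaves it in shell history; --env-file avoids that, though docker inspect shows the value either way, so restrict who can reach the Docker socket.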

Client

  • Windows
java -Dfile.encoding=UTF-8 -javaagent:CobaltStrikeCN.jar -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar

Save as cobaltstrike.bat

  • Linux
#!/bin/sh
java -Dfile.encoding=UTF-8 -javaagent:CobaltStrikeCN.jar -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar

Save as cobaltstrike.sh
chmod +x cobaltstrike.sh   # the execute bit is all it needs; 777 would also make the launcher world-writable

  • Mac
#!/bin/sh
java -Dfile.encoding=UTF-8 -javaagent:CobaltStrikeCN.jar -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar

Save as cobaltstrike
chmod +x cobaltstrike

Recommended plugins

  • Bypass
  • Taowu

Notes

  1. Listener ports. The docker run commands above publish only 50050, the client port; every Beacon listener port (80, 443, ...) must be published as well with -p, or nothing reaches the container.
    1. If the port also goes through a router, use this layout: 443:xxx:443. The listener port (443) must be the same on the outside of the router and inside the container; the Docker host port in the middle (xxx) can be anything.
    2. That is: Docker container 443, Docker host xxx, router 443
  2. Set sleep to 0 on a host once it has checked in, but only while you are working on it interactively: a Beacon with sleep 0 calls back continuously and is noisy on the wire.
  3. XXX