
Notes on debugging CS and teamserver communication problems

A record of the problems I ran into while debugging teamserver communication.

Environment setup

  • Every Java file you set breakpoints in must be placed under the src directory; otherwise the debugger never stops at the breakpoint.

The files that need to go under src are roughly the following:

[screenshot: 1101-cs-1]

  • One place where teamserver debugging can go wrong: the vmoptions parameters

[screenshot: 1101-cs-2]

-XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=22222 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore="E:\cs4.4\CobaltScrike_4.1_reverse\out\artifacts\CobaltScrike_4_1_reverse_jar\cobaltstrike.store" -Djavax.net.ssl.keyStorePassword=111111 -server -XX:+AggressiveHeap -XX:+UseParallelGC -Duser.language=en
  • Generate the certificate (keystore)

keytool -keystore ./cobaltstrike.store -storepass 111111 -keypass 111111 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
  • Commands to start the teamserver or the client from the command line

- client
java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Duser.language=en -jar CobaltScrike_4.1_reverse.jar

- server
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=22222 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=111111 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./CobaltScrike_4.1_reverse.jar -Duser.language=en server.TeamServer 192.168.139.14 111111

CS login communication analysis

teamserver side

The entry point is server.TeamServer.Authorization(). I haven't fully understood this one yet; I think it is related to cobaltstrike.auth, and I'm not clear what that file is for either.

[screenshot: 1031-cs-1]

public Authorization() {
    try {
        byte[] decrypt = new byte[]{1, -55, -61, 127, 102, 0, 0, 0, 100, 1, 0, 27, -27, -66, 82, -58, 37, 92, 51, 85, -114, -118, 28, -74, 103, -53, 6};
        DataParser dataParser = new DataParser(decrypt);
        dataParser.big();
        int int1 = dataParser.readInt();
        this.watermark = dataParser.readInt();
        if (dataParser.readByte() < 41) {
            this.error = "Authorization file is not for Cobalt Strike 4.1+";
            return;
        }

        int i1 = dataParser.readByte();
        dataParser.readBytes(i1);
        byte[] bytes = dataParser.readBytes(dataParser.readByte());
        if (29999999 == int1) {
            this.validto = "forever";
            MudgeSanity.systemDetail("valid to", "perpetual");
        } else {
            this.validto = "20" + int1;
            MudgeSanity.systemDetail("valid to", CommonUtils.formatDateAny("MMMMM d, YYYY", this.getExpirationDate()));
        }

        this.valid = true;
        MudgeSanity.systemDetail("id", this.watermark + "");
        SleevedResource.Setup(bytes); // enters Setup here
    } catch (Exception var6) {
        MudgeSanity.logException("auth file parsing", var6, false);
    }
}

public static void Setup(byte[] array) {
    singleton = new SleevedResource(CommonUtils.readResource("resources/cobaltstrike.auth")); // so I believe this is tied to cobaltstrike.auth
}
  • Next it enters server.TeamServer.go

public void go() {
    try {
        new ProfileEdits(this.c2profile);
        this.c2profile.addParameter(".watermark", this.auth.getWatermark());
        this.c2profile.addParameter(".self", CommonUtils.readAndSumFile(TeamServer.class.getProtectionDomain().getCodeSource().getLocation().getPath()));
        // ... omitted ...

        if (!ServerUtils.hasPublicStage(this.resources)) {
            CommonUtils.print_warn("Woah! Your profile disables hosted payload stages. Payload staging won't work.");
        }

        SecureServerSocket var3 = new SecureServerSocket(this.port); // creates the listening server socket
        CommonUtils.print_good("Team server is up on " + this.port); // prints the port
        CommonUtils.print_info("SHA256 hash of SSL cert is: " + var3.fingerprint()); // prints the SHA256 fingerprint of the cert
        this.resources.call("listeners.go");

        while(true) {
            var3.acceptAndAuthenticate(this.pass, new PostAuthentication() { // enters authentication
                public void clientAuthenticated(Socket var1) {
                    try {
                        var1.setSoTimeout(0);
                        TeamSocket var2 = new TeamSocket(var1);
                        (new Thread(new ManageUser(var2, TeamServer.this.resources, TeamServer.this.calls), "Manage: unauth'd user")).start();
                    } catch (Exception var3) {
                        MudgeSanity.logException("Start client thread", var3, false);
                    }
                }
            });
        }
    } catch (Exception var4) {
        MudgeSanity.logException("team server startup", var4, false);
    }
}
  • In the Debug console window you can see the output, identical to what you get when running the teamserver from the command line; after that it enters login authentication, var3.acceptAndAuthenticate()

[screenshot: 1031-cs-2]

public Socket acceptAndAuthenticate(final String var1, final PostAuthentication var2) {
    String var3 = "unknown";

    try {
        final Socket var4 = this.server.accept(); // the client's Connect lands here
        var3 = var4.getInetAddress().getHostAddress();
        (new Thread(new Runnable() {
            public void run() {
                String var1x = "unknown";

                try {
                    var1x = var4.getInetAddress().getHostAddress();
                    if (SecureServerSocket.this.authenticate(var4, var1, var1x)) { // login authentication
                        var2.clientAuthenticated(var4);
                        return;
                    }
                } catch (Exception var4x) {
                    MudgeSanity.logException("could not authenticate client from " + var1x, var4x, false); // error: login failed
                }
                // ... rest omitted ...

  • final Socket var4 = this.server.accept(); // the client's Connect lands here

To reach this point you have to log in from the client; the teamserver then authenticates the connecting host, port, password and so on by going into authenticate.

java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Duser.language=en -jar CobaltScrike_4.1_reverse.ja

[screenshot: 1031-cs-3]

  • After clicking Connect, you find that the teamserver can now be debugged, but the client reports Read timed out. I kept ignoring this and carried on debugging on the teamserver side, trying to step through the whole login verification process,

[screenshot: 1031-cs-6]

and then the teamserver side reports Connect reset.

[screenshot: 1031-cs-4]

[screenshot: 1031-cs-5]

[screenshot: 1031-cs-7]

Cause of the Read timed out and Connect reset errors

Looking at Read timed out first (a connection timeout):

At that moment I was slowly stepping through the client's connection data on the teamserver side, checking whether the account, password and so on were correct. The teamserver's authentication was therefore far too slow, so the client timed out; and because the client had already closed its connection, the teamserver side then errored out as well, or could not continue debugging.

  • What you can try: after clicking Connect on the client, immediately click Step Over on the teamserver side, again and again, and the client then logs in successfully.

This confirmed my theory.
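To show the mechanism behind that timeout outside of Cobalt Strike, here is an added example (constructed for this write-up, not Cobalt Strike's code): a minimal server whose authentication step is artificially slow, standing in for the step-over pauses, and a client whose read timeout expires first. The class name and the two timing constants are my own.

```java
import java.io.*;
import java.net.*;

// Constructed demo, not Cobalt Strike code. The server's "authenticate" step is delayed
// (like stepping through SecureServerSocket.authenticate() in a debugger); the client's
// read timeout is shorter than that delay, which reproduces Read timed out / Connection reset.
public class SlowAuthTimeoutDemo {
    static final int SERVER_PAUSE_MS = 2000;  // time "spent in the debugger" before the server replies
    static final int CLIENT_TIMEOUT_MS = 500; // client read timeout; set it above SERVER_PAUSE_MS and login succeeds

    public static void main(String[] args) throws Exception {
        ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread serverThread = new Thread(() -> {
            try (Socket s = server.accept()) {
                DataInputStream in = new DataInputStream(s.getInputStream());
                String pass = in.readUTF();              // the client's password arrives right away
                Thread.sleep(SERVER_PAUSE_MS);            // ...but the reply is delayed, like a step-over pause
                DataOutputStream out = new DataOutputStream(s.getOutputStream());
                out.writeUTF("secret".equals(pass) ? "OK" : "FAIL");
                out.flush();
                s.setSoTimeout(0);                        // TeamServer also clears the timeout after a successful auth
                System.out.println("server: client said " + in.readUTF());
            } catch (IOException e) {
                System.out.println("server: " + e);       // e.g. java.net.SocketException: Connection reset
            } catch (InterruptedException ignored) { }
        });
        serverThread.start();

        try (Socket c = new Socket()) {
            c.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), server.getLocalPort()), 1000);
            c.setSoTimeout(CLIENT_TIMEOUT_MS);            // the client gives up if no byte arrives within this window
            DataOutputStream out = new DataOutputStream(c.getOutputStream());
            out.writeUTF("secret");
            out.flush();
            DataInputStream in = new DataInputStream(c.getInputStream());
            System.out.println("client: server replied " + in.readUTF());
            out.writeUTF("hello");
            out.flush();
        } catch (SocketTimeoutException e) {
            System.out.println("client: Read timed out after " + CLIENT_TIMEOUT_MS + " ms, closing socket");
        }
        serverThread.join();
        server.close();
    }
}
```

Run it with `java SlowAuthTimeoutDemo.java` (Java 11+): the client prints its timeout and closes, and the server's later read fails because the peer is gone. Raising CLIENT_TIMEOUT_MS above SERVER_PAUSE_MS lets the login complete, which is the same effect as stepping through the teamserver quickly enough.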