
Tool Preparation

An overseas VPS

Free Whale (VPN)

Cobalt Strike 4.4

nginx

CS Server Configuration

Disable ping replies on the server

1. When the server ignores ICMP echo requests, anyone who checks with a plain ping concludes the host is down, which is enough to drop it from the most casual sweeps.

2. Edit /etc/sysctl.conf, add the line net.ipv4.icmp_echo_ignore_all=1, then run sysctl -p so the setting takes effect (it also survives a reboot, unlike writing to /proc/sys directly).

vim /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all=1

sysctl -p

3. From now on the host does not answer ping. This only defeats ping itself: nmap still reports the host as up when run with -Pn, and even its default host discovery probes TCP 80/443 in addition to ICMP echo, so any open listener gives the host away. Treat this step as cosmetic and rely on the firewall for the real restriction.


Modify port

1. Edit the teamserver start script, search for 50050 (it appears as -Dcobaltstrike.server_port=50050 on the java command line) and change it to any free port; here it is changed to 65000.

vim teamserver

2. Save and exit, start the team server, and confirm (for example with ss -ltn) that it now listens on the new port. Changing the port only removes the well-known 50050 signature; the team server port should in any case be reachable only from operator addresses or over a VPN, never from the whole internet.

./teamserver xx.xx.xx.xx xiao
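The port change above done as a script, as an added example (not from the original post or from Cobalt Strike): it rewrites the -Dcobaltstrike.server_port value in the teamserver script, validates the new port, refuses one that is already bound, keeps a backup and verifies the edit. The fixture it writes is a constructed copy of the relevant lines of a CS 4.x start script, not a real one; the port 65000 and the paths are assumptions.

```shell
#!/bin/sh
# Added example: change the team server port in the `teamserver` start script
# with validation, a backup, and a check of the result. The fixture below is a
# constructed copy of the relevant lines of a CS 4.x start script (assumption).

# make_fixture DIR: write a constructed teamserver script into DIR
make_fixture() {
    cat > "$1/teamserver" <<'EOF'
#!/bin/bash
if [ ! -e ./cobaltstrike.store ]; then
  keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
fi
java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
EOF
}

# current_port FILE: print the port configured on the java line (empty if none)
current_port() {
    sed -n 's/.*-Dcobaltstrike\.server_port=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# set_port FILE PORT: rewrite the port; fails (exit 1) on bad input or a port
# that is already bound, leaves FILE.bak behind, and verifies the edit
set_port() {
    file=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port must be in 1024-65535" >&2; return 1
    fi
    if command -v ss >/dev/null 2>&1 && ss -ltn 2>/dev/null | grep -q ":$port "; then
        echo "port $port is already listening" >&2; return 1
    fi
    if [ -z "$(current_port "$file")" ]; then
        echo "no -Dcobaltstrike.server_port= setting in $file" >&2; return 1
    fi
    cp "$file" "$file.bak"
    sed "s/-Dcobaltstrike\.server_port=[0-9]*/-Dcobaltstrike.server_port=$port/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
    [ "$(current_port "$file")" = "$port" ]
}

# Demo on the fixture; on a real server run: set_port /opt/cs44/teamserver 65000
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "before: $(current_port "$d/teamserver")"
    set_port "$d/teamserver" 65000 && echo "after:  $(current_port "$d/teamserver")"
    rm -rf "$d"
}
demo
```

After the edit, restart the team server and connect the client to the new port; the firewall rule for the old port should go at the same time.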

Modify the default certificate

1. The keystore the team server generates on first start carries obvious Cobalt Strike fingerprints: the default subject is CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth, and scanners match on it. Replace it. There are two ways: generate a keystore by hand, or change the command in the start script that generates it. Either way, delete the original cobaltstrike.store first; otherwise keytool adds a second alias to the existing store and the old certificate stays in place. The store password 123456 is also what the start script passes as -Djavax.net.ssl.keyStorePassword, so if you choose a different -storepass, change it there as well.

Method 1: Delete cobaltstrike.store and generate a new keystore (recommended)

1. Generate a new keystore file

keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu -dname 'CN=baidu.com, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co.\, Ltd, L=beijing, S=beijing, C=CN'

keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12


2. Check the certificate

keytool -list -keystore cobaltstrike.store

3. Start the team server and check that the certificate it now presents matches the new keystore (same fingerprint as keytool -list -v prints).

Method 2: Modify the start script

1. teamserver is the script that launches the team server. It has an environment-check section, including a check for the keystore: when ./cobaltstrike.store does not exist, it runs a keytool command to generate one. Change the -alias and -dname of that command.

2. The part of teamserver that needs to be modified is the keytool line inside the block that runs when the keystore is missing.

3. Modify it to the following content:

keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu -dname 'CN=baidu.com, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co.\, Ltd, L=beijing, S=beijing, C=CN'


4. Delete the original ./cobaltstrike.store; the next time the team server starts it generates a new keystore with the modified command.

rm -rf cobaltstrike.store
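An added check for the certificate replacement above (example code, not from the post or from Cobalt Strike): it generates two self-signed certificates with openssl, one carrying the Cobalt Strike default subject (minus the C=Earth field, which openssl rejects because a country must be two letters) and one with a benign subject, then shows the functions to run against the real team server: extract the subject, flag the default identity markers, and print the SHA-256 fingerprint to compare with keytool -list -v. It assumes the openssl CLI is installed; the subjects and the host and port given to remote_subject are placeholders.

```shell
#!/bin/sh
# Added example: spot the Cobalt Strike default certificate identity and print
# fingerprints to compare the served certificate with the keystore.
# Assumes the openssl CLI. Both certificates generated here are constructed.

# gen_cert OUT_PEM SUBJECT: self-signed RSA certificate (key in OUT_PEM.key)
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$1.key" -out "$1" -subj "$2" >/dev/null 2>&1
}

# cert_subject PEM: print the subject DN
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_fingerprint PEM: SHA-256 fingerprint as colon-separated hex, the same
# form `keytool -list -v -keystore cobaltstrike.store` prints
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# looks_like_cs_default PEM: succeed if the subject carries any marker of the
# stock team server keystore (CN=Major Cobalt Strike, OU=AdvancedPenTesting,
# O=cobaltstrike)
looks_like_cs_default() {
    cert_subject "$1" | grep -Eqi 'Major Cobalt Strike|AdvancedPenTesting|cobaltstrike'
}

# remote_subject HOST PORT: subject and fingerprint of the certificate a live
# team server (or HTTPS listener) presents; run after restarting the server
remote_subject() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -fingerprint -sha256
}

# Demo on two constructed certificates. The "default" subject mirrors the stock
# DN minus C=Earth, which openssl refuses (country must be two letters).
demo() {
    d=$(mktemp -d)
    gen_cert "$d/default.pem" "/ST=Cyberspace/L=Somewhere/O=cobaltstrike/OU=AdvancedPenTesting/CN=Major Cobalt Strike"
    gen_cert "$d/new.pem" "/C=CN/ST=beijing/L=beijing/O=Example Ltd/OU=ops/CN=www.example.com"
    for c in default new; do
        if looks_like_cs_default "$d/$c.pem"; then verdict="DEFAULT CS IDENTITY"; else verdict="ok"; fi
        echo "$c: $(cert_subject "$d/$c.pem") -> $verdict"
        echo "$c: sha256 $(cert_fingerprint "$d/$c.pem")"
    done
    rm -rf "$d"
}
demo
```

Run remote_subject against the team server port and against the HTTPS listener after the restart: the fingerprint must equal what keytool -list -v shows for the new store, and the subject must not trip looks_like_cs_default. A benign subject does not stop port 50050 from looking like a TLS service, so the port still needs the firewall restriction described above.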

Hide with CDN

Apply for a free domain name

1. Open the Freenom website (the original author had the browser translate it into Chinese), scroll to the bottom and click the developer link.

2. Scroll to the bottom again and click the option to get a free domain account.

3. Enter an email address and click the button to verify it. A disposable mailbox is recommended.

4. After a few seconds an email arrives; click its confirmation link, which returns you to the Freenom site. Once there, click the developer link again.

5. Scroll to the end of the page and click the link to get a free domain account immediately.

6. This leads to the personal information form.

7. Because the form pre-fills the location from the exit IP (Florida in this case), the author combined a Florida address generator with a generic personal-information generator to fill it in.

8. Fill in the form according to the generator, review it and click complete order. The account is now registered.

9. Return to the homepage, choose a domain, enter xxx.tk, click check availability and, if it is available, click checkout.

10. Select the free 12-month period and click continue.

11. Complete the order.

12. Under my domains the new domain shows as active.

CDN configuration

1. There are plenty of options for the CDN; the author chose Cloudflare.

2. After logging in to Cloudflare, select Add Site.

3. Choose the free plan.

4. Add DNS records: an A record for the name to be protected pointing at the server IP, with proxying enabled so that the name resolves to Cloudflare edge addresses rather than to the origin.

5. Change the nameservers of xxx.tk to the two Cloudflare nameservers. The change takes some time to propagate.

6. Turn off Automatic HTTPS Rewrites, Always Use HTTPS and Brotli so that the edge neither redirects nor re-encodes Beacon traffic.

7. Click finish.

8. When the following screen appears the settings are in effect, and DNS for the domain is now managed in Cloudflare.

9. Resolve www.xxx.tk to test it.

10. A global ping check shows replies coming from Cloudflare edge addresses, confirming the CDN is in front of the server.

11. Configure the SSL/TLS encryption mode. Use Full (strict): it works with the origin certificate generated in the next section, whereas Flexible makes the edge connect to the origin over plain HTTP, which an HTTPS listener will not answer. Finally, the CDN only hides the origin if the origin does not also answer scanners directly: restrict inbound 80/443 to Cloudflare's published ranges (https://www.cloudflare.com/ips/) and the team server port to operator addresses, or internet-wide scans will index the origin by the very same certificate and domain.
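An added example for locking the origin down behind Cloudflare (not part of the original post): it builds an nftables ruleset that admits 80/443 only from Cloudflare ranges and SSH plus the team server port only from the operator address, with everything else dropped. The ranges embedded are a constructed snapshot for the demo; the authoritative list comes from https://www.cloudflare.com/ips-v4. The operator IP 203.0.113.10, the port 65000 and the table name are assumptions.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that lets only Cloudflare reach
# the Beacon listener and only the operator address reach SSH and the team
# server port. The CIDR list below is a constructed snapshot; refresh it from
# https://www.cloudflare.com/ips-v4 before use. Names and ports are assumptions.

# Constructed sample of Cloudflare IPv4 ranges (snapshot, not authoritative).
CF_RANGES_SAMPLE="173.245.48.0/20
103.21.244.0/22
141.101.64.0/18
104.16.0.0/13
172.64.0.0/13"

# build_ruleset OPERATOR_IP TEAMSERVER_PORT: print an nft ruleset to stdout,
# reading Cloudflare ranges from stdin (one CIDR per line; blank lines and
# '#' comments are ignored). Fails if no range is supplied, so an empty
# download cannot produce a ruleset that drops all Beacon traffic.
build_ruleset() {
    op=$1; tsport=$2
    elems=$(grep -Ev '^[[:space:]]*(#|$)' | sed 's/[[:space:]]//g' | paste -s -d, - | sed 's/,/, /g')
    [ -n "$elems" ] || { echo "no ranges on stdin" >&2; return 1; }
    cat <<EOF
table inet c2 {
    set cloudflare4 {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Beacon HTTP/HTTPS only from the CDN edge
        ip saddr @cloudflare4 tcp dport { 80, 443 } accept
        # SSH and the team server port only from the operator address
        ip saddr $op tcp dport { 22, $tsport } accept
    }
}
EOF
}

# Real run: refresh the list, write the file, then load it:
#   curl -s https://www.cloudflare.com/ips-v4 | build_ruleset 203.0.113.10 65000 > /etc/nftables.conf
#   nft -f /etc/nftables.conf
# Demo on the constructed snapshot:
printf '%s\n' "$CF_RANGES_SAMPLE" | build_ruleset 203.0.113.10 65000
```

Load the ruleset from a console session or with a timed rollback the first time, since a wrong operator address locks you out. The policy also drops all IPv6; if the origin has an IPv6 address, add a matching set from https://www.cloudflare.com/ips-v6 or remove the AAAA record.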

Generate an origin certificate in Cloudflare

1. In the Cloudflare dashboard go to SSL/TLS, Origin Server, Create Certificate, and save the certificate as server.pem and the private key as server.key. Save both at creation time: the private key is shown only once and cannot be retrieved later.

2. Package the certificate and key into a PKCS12 file, then import that into a Java keystore in the format the team server expects.

openssl pkcs12 -export -in server.pem -inkey server.key -out www.xxx.tk.p12 -name www.xxx.tk -passout pass:123456

//Use keytool to convert the PKCS12 file into a keystore the team server can load

keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore www.xxx.tk.store -srckeystore www.xxx.tk.p12 -srcstoretype PKCS12 -srcstorepass 123456 -alias www.xxx.tk

3. Attach the certificate to the HTTPS listener. To use the certificate we obtained, it has to be referenced from a Malleable C2 profile; cloudflare.profile below is the example. Copy the generated .store file into the Cobalt Strike directory and add an https-certificate block to cloudflare.profile. Note that https-certificate is the only certificate-related block; the Host header in each client block must be the domain we registered, and the rest of the profile can be adapted to taste.

//Copy the store certificate generated above to the teamserver directory

cp ./www.xxx.tk.store /opt/cs44/

//Create cloudflare.profile file

vim cloudflare.profile

//cloudflare.profile file content

https-certificate {
    set keystore 'www.xxx.tk.store';
    set password '123456';
}

http-stager {
    set uri_x86 '/api/1';
    set uri_x64 '/api/2';

    client {
        header 'Host' 'www.xxx.tk';
    }

    server {
        output {
            print;
        }
    }
}

http-get {
    set uri '/api/3';

    client {
        header 'Host' 'www.xxx.tk';

        metadata {
            base64;
            header 'Cookie';
        }
    }

    server {
        output {
            print;
        }
    }
}

http-post {
    set uri '/api/4';

    client {
        header 'Host' 'www.xxx.tk';

        id {
            uri-append;
        }

        output {
            print;
        }
    }

    server {
        output {
            print;
        }
    }
}

4. Verify the profile with c2lint (the current directory must contain cobaltstrike.jar, and the c2lint script must be executable). A clean run reports no errors.

//Create a new c2lint file

vim c2lint

//c2lint file content

java -XX:ParallelGCThreads=4 -XX:+UseParallelGC -classpath ./cobaltstrike.jar c2profile.Lint $1

//Verify if there is any problem with the configuration file

./c2lint cloudflare.profile
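A few pre-flight checks on the profile that are cheap to run before c2lint, as an added example (not from the post or from Cobalt Strike): every Host header must equal the CDN domain (Cloudflare refuses requests for names it does not serve), the keystore named in https-certificate must exist next to the profile (otherwise the team server fails to start), and the stager/get/post URIs must be distinct. The profile it writes is a constructed copy of the one above; the domain and store name are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks on a Malleable C2 profile before c2lint.
# The profile written below is a constructed copy of the one in the post.

# write_profile DIR DOMAIN STORE: write a constructed profile for testing
write_profile() {
    cat > "$1/cloudflare.profile" <<EOF
https-certificate {
    set keystore '$3';
    set password '123456';
}
http-stager {
    set uri_x86 '/api/1';
    set uri_x64 '/api/2';
    client { header 'Host' '$2'; }
}
http-get {
    set uri '/api/3';
    client { header 'Host' '$2'; metadata { base64; header 'Cookie'; } }
}
http-post {
    set uri '/api/4';
    client { header 'Host' '$2'; id { uri-append; } }
}
EOF
}

# quoted_values FILE KEY: print the single-quoted value following KEY, one per line
quoted_values() {
    sed -n "s/.*$2 '\([^']*\)'.*/\1/p" "$1"
}

# check_profile FILE DOMAIN: exit 0 if every check passes, 1 otherwise
# (each failure is explained on stderr)
check_profile() {
    f=$1; domain=$2; dir=$(dirname "$f"); rc=0
    store=$(quoted_values "$f" 'set keystore' | head -n 1)
    if [ -z "$store" ]; then
        echo "no keystore set in https-certificate" >&2; rc=1
    elif [ ! -f "$dir/$store" ]; then
        echo "keystore $store not found in $dir" >&2; rc=1
    fi
    for h in $(quoted_values "$f" "header 'Host'"); do
        [ "$h" = "$domain" ] || { echo "Host header $h does not match $domain" >&2; rc=1; }
    done
    uris=$(sed -n "s/.*set uri[_a-z0-9]* '\([^']*\)'.*/\1/p" "$f")
    dupes=$(printf '%s\n' "$uris" | sort | uniq -d)
    [ -z "$dupes" ] || { echo "duplicate URIs: $dupes" >&2; rc=1; }
    return $rc
}

# Demo: run the checks on a constructed profile, then on one with a typo'd
# Host header. On a real server: check_profile /opt/cs44/cloudflare.profile www.xxx.tk
demo() {
    d=$(mktemp -d)
    : > "$d/www.xxx.tk.store"
    write_profile "$d" www.xxx.tk www.xxx.tk.store
    check_profile "$d/cloudflare.profile" www.xxx.tk && echo "profile ok"
    write_profile "$d" www.xxx.tk.typo www.xxx.tk.store
    check_profile "$d/cloudflare.profile" www.xxx.tk || echo "profile rejected"
    rm -rf "$d"
}
demo
```

These checks complement c2lint rather than replace it: c2lint still has to parse the profile and exercise the transforms, which no amount of grep can do.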
