search

gloxec / CrossC2

generate CobaltStrike's cross-platform payload
2.26k stars 344 forks source link

Beacon和 TeamServer通信出现问题 #62

Closed thinkycx closed 3 years ago

thinkycx commented 3 years ago

CobaltStrike 3.12 TeamServer环境:CentOS、Java8

Beacon执行后,TeamServer报错如下(似乎是TeamServer无法解密Beacon传输过来的流量):


[-] Trapped javax.crypto.BadPaddingException during RSA decrypt [HTTP session handler]: Decryption error
javax.crypto.BadPaddingException: Decryption error
        at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:380)
        at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:291)
        at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
        at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:389)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at dns.AsymmetricCrypto.decrypt(AsymmetricCrypto.java:35)
        at beacon.BeaconC2.process_beacon_metadata(BeaconC2.java:269)
        at beacon.BeaconHTTP$GetHandler.serve(BeaconHTTP.java:64)
        at c2profile.MalleableHook.serve(MalleableHook.java:47)
        at cloudstrike.WebServer._serve(WebServer.java:228)
        at cloudstrike.WebServer.serve(WebServer.java:209)
        at cloudstrike.NanoHTTPD$HTTPSession.run(NanoHTTPD.java:359)
        at java.lang.Thread.run(Thread.java:745)
[-] decrypt of metadata failed
[-] A Malleable C2 attempt to recover data from a '.http-get.client.metadata' transaction failed. This could be due to a bug in the profile, a change made to the profile after this Beacon was run, or a change made to the transaction by some device between your target and your Cobalt Strike controller. The following information will (hopefully) help narrow down what happened.

From   '10.24.*.*'
URI    '/load'

Headers
-------
'User-Agent' = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/537.36'
'Cookie' = 'jTqIympJrRgVpoOvsfWDXJvKUo6k4mTYYxFK4Il8i6cdkTrv8YZ1SnTPdzKQaDNtgjuWL+cIPccOaE9/BWJC3UO1YU9puJ46e/sYOzFougZPiyupHgAh+TQjq6Eo0yGGIaqWWFj+i0OipAahB8iIKTehvlRXopubRl0bfiZjb6Q='
'Accept' = '*/*'
'Host' = '10.48.*.*:9999'
'REMOTE_ADDRESS' = '/10.24.*.*'
'Connection' = 'keep-alive'
gloxec commented 3 years ago

目前支持3.14, 4.0, 4.x (cs >= 4.1)三个版本,分别对应master, cs4.0, cs4.1三个分支

P1kAju commented 3 years ago

请问CobaltStrike4.3版本支持吗? / 我CobaltStrike4.3版本的也出现了以上问题。 image