Awesome
CrossC2 framework
π For a faster way, see cna introduction GOπ
π₯ Linux & MacOS supports no file landing, load and execute from memory dynamic library or executable file GOπ
π₯ Flexibly customize the data return type of the execution file, portscan, screenshot, keystrokes, credentials and other user-defined development to achieve more convenient implementation GOπ ( Sample: GOπ )
π₯ Custom communication protocol GOπ
π₯ Now supports lateral movement GOπ
π₯ Now supports loading scripts from memory [GOπ](#Run script-in-memory)
π Android & iPhone support GOπ
CrossC2 framework - Generator CobaltStrike's cross-platform beacon
ββββββ ββββββ ββββββ ββββββ ββββββ ββββββ βββββββ
ββββ ββ βββ β βββββββ ββββββ β βββ β ββββ ββ βββ
βββ β βββ βββ βββββ ββββ ββββ β ββββ βββ ββββββ
ββββ βββββββββββ βββ βββ β βββ β βββ ββββ ββ ββββ
β βββββ βββββ βββββ βββββββββββββββββββββββββ β βββββ βββββββββ
β ββ β ββ ββ βββββ ββββββ β βββ β ββ βββ β β β ββ β ββ ββ ββ
β β ββ β ββ β β ββ β ββ β ββ ββ β β β β β ββ β
β ββ β β β β β β β β β β β CrossC2 v2.0 @hook
β β β β β β β β β β
β β
Description
A security framework for enterprises and Red Team personnel, supports CobaltStrike's penetration testing of other platforms (Linux / MacOS / ...), supports custom modules, and includes some commonly used penetration modules.
Only for internal use by enterprises and organizations, this framework has a certain degree of instability. Non-professionals are not allowed to use it. Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.
| Windows | Linux | MacOS | iOS | Android | Embedded | |
|---|---|---|---|---|---|---|
| Run Env (x86) | β | |||||
| Run Env (x64) | β | β | β | |||
| gen beacon (x86) | β | β | ||||
| gen beacon (x64) | β | β | ||||
| gen beacon (armv7) | β» | β | ||||
| gen beacon (arm64) | β | β | ||||
| gen beacon (mips[el]) | β» |
Restricted description:
- CobaltStrike: currently only supports the last version of cs 3.14(bug fixs) and 4.x versions are supported (see the cs4.1 branch for details).
- Linux: For particularly old systems, you can choose "Linux-GLIBC" option in cna (around 2010)
- MacOS: Latest systems only support 64-bit programs
- iOS: sandbox, restricted cmd
- Embedded: only *nix
- β» : Loader is still in progress
Install & Usage
Download:
- CrossC2.cna
- genCrossC2
(If it is a Windows system, download genCrossC2.Win.exe)
- choose
Script ManagerοΌaddCrossC2.cna(If successfully installed, the menu bar will have an additional itemCrossC2) - Modify the
genCC2path in theCrossC2.cnascript to the real path
77: $genCC2 = "/xxx/xx/xx/genCrossC2.MacOS"; # <-------- fix
Create listener and copy key:
For some reasons, only HTTPS beacon is currently supported.
Copy .cobaltstrike.beacon_keys from the cs directory on the server to the local directory.
Reference documents: π Wiki
Module: API introduction π Wiki
It adopts the method of loading memory without landing, and supports dynamic libraries (.so/.dylib) and executable files (ELF/MachO).
β οΈ: Although the file is loaded directly from memory, the process can be viewed in ps when the executable file is passed in, but the process name can be customized.
The type of output information can be freely specified at the time of execution. The return type has been predetermined and can be docked with the native return data type of CS.
β οΈ: For special data types, such as passwords, port scan results, etc., please refer to the information returned by the native function of cs, which will be matched according to the regular.
-
Password dump module: cc2_mimipenguin uses the open source project MimiPenguin2.0, see CrossC2Kit/ mimipenguin/mimipenguin.cna
-
Authentication backdoor modules: cc2_auth, cc2_ssh sudo / su / passwd and other authentication backdoors, ssh is connected and the credentials to connect to other hosts will be recorded.
-
Information collection modules: cc2_safari_dump, cc2_chrome_dump, cc2_iMessage_dump, cc2_keychain_dump access records of common browsers, as well as iMessage chat content and authentication credentials saved in the keychain will be obtained.
-
Traffic proxy module: cc2_frp supports fast TCP/KCP(UDP) reverse socks5 encrypted traffic proxy.
-
Keylogger module: cc2_keylogger records user's keyboard input.
-
Network detection module: cc2_portscan, cc2_serverscan for port scanning and service version scanning.
-
Privilege promotion module: cc2_prompt_spoof induces deception to obtain user account password.
-
Task management module: cc2_job manages the modules running in memory.
-
...
Custom communication protocol: API introduction π Wiki
Can more easily realize C2Profile configuration and custom communication protocol TCP / UDP and so on.
Lateral movement
- Generate beacon of
Linux-bind/MacOS-bindtype - The target in the intranet runs
./MacOS-bind.beacon <port>to start the service - Run
connect <targetIP>:<port>in the session of China Unicom
Run script in memory
The script interpreter such as bash / python / ruby / perl / php in the host can be called directly in the session to execute the script passed into the memory.
There is no information in the process, all running content is transferred from the memory to the interpreter
- python c:\getsysteminfo.py
- python import base64;print base64.b64encode('whoami'); print 'a'*40
- php <?php phpinfo()?>
Try to load local script:
Try to run the scripting language directly:
Coming soon
- Rich C2Profile support βοΈ (Choose custom HTTP module when CNA generates beaocn)
- Staged Type Shellcode Generation βοΈ (Only Linux is temporarily supported, and stagerServer needs to be started on the server)
- http-proxy (auth) & socks proxy back connection support
- Proxy-Pivots βοΈ (Temporarily adopt the method of connecting back to socks proxy)
- node beacon? (Single node type, can host other beacon without relying on teamserver)
Examples
Mobile
MacOS & Linux
CustomExtension
Develop dynamic libraries and customize data return types, such as implementing some built-in functions.
keystrokes
credentials
portscan
ChangeLog
release v2.1 :
- +support Support for parsing and executing scripts from memory
- +support Support CobaltStrike 4.1 (see cs4.1 branch for details)
release v2.0 :
- -fix Fix the problem of path errors caused by backslashes when uploading files in the file management office
- -fix Long-term testing in various scenarios in the real environment, fixing some hidden problems, and now more stable
- +support Support for lower kernel version systems
- +support Environment variables are automatically set at startup
- +support Delete sensitive env records at startup
- +support The background service process can be linked to the init process at startup
- +support Increase session spawn function
- +support Increase the function of session setting environment variables
- +support Increase the privilege escalation function of session getsystem
- +support Increase session analysis function to handle multiple merge tasks
- +support Increase Mac & Linux lateral movement function
release v1.5 :
- -fix genCrossC2's bug about protocol rebinding.
release v1.4 :
- -fix Linux daemon process and joblist display problem.
release v1.3 :
- +support Support custom communication protocol (HTTP, TCP, UDP...) .
- +support A new joblist module has been added to manage programs running without files in persistent memory.
- +support Reverse proxy module{TCP/KCP(UDP)} that executes without files in memory.
md5(genCrossC2.Linux) = 221b3ede4e78fee80f59946f116d7245
md5(genCrossC2.MacOS) = d216cad3fe3c25ead46b85c7ad7051f1
md5(genCrossC2.Win.exe) = a573506e8825b46b041ac3b9307a656b
release v1.2 :
- +support Support manual selection of key files.
- +support Support to generate shellcode.
- -change No longer rely on cobaltstrike.jar (plug-ins can be placed in any directory).
- -change More flexible and convenient Script Unix Web Delivery.
md5(genCrossC2.Linux) = 2ef7250cc3787d3cbd1e6f99c3c434aa
md5(genCrossC2.MacOS) = eaabde94dd7fed8dabb37cd67a1171c4
md5(genCrossC2.Win.exe) = c65ac808ed3a1000b3ff4ebb8c48ea4e
release v1.1 :
- -fix Multi-language garbled problem fix for memory load execution function
md5(genCrossC2.Linux) = 2347ed6e30e4655b793a6dbb4d33d25c
md5(genCrossC2.MacOS) = f530333500a76fe228864f8901af4104
md5(genCrossC2.Win.exe) = c223e31b2674a8a11d3254f92259e87a
release v1.0 :
- -fix Test multiple times for a long time in multiple scenarios in real environment, fix some hidden problems, now more stable
- +support Linux & MacOS Supports no file landing, loading and executing from memory
- +support Reserved CS built-in data types, richer user-defined plug-in return data types, free and easy to implement 'portscan' and other native functions
md5(genCrossC2.Linux) = 12295998d4bffd5b4c4a411fb33428bb
md5(genCrossC2.MacOS) = c88ce9df47529b243e2215a866d445c5
md5(genCrossC2.Win.exe) = 51d1814f1ebbab634bce0373ceb7cee6
release v0.4 :
- -change Multi-threaded background when shell commands are executed
- -change Redirect error output to standard output when shell command is executed.
- +support Add background file download function.
md5(genCrossC2.Linux) = b2e34f721ec2543b6625e33c8c2935df
md5(genCrossC2.MacOS) = 4e38a9d9a3eeff309648afc02e2e7664
release v0.3 :
- +support Compatibility with older versions of GLIBC on older systems Linux (around 2010).
release v0.2 :
- -fix genCrossC2.Linux crash.
- -fix uploading large file error.
- +support GUI file manager.
md5(genCrossC2.Linux) = 8256374d88c2149efc102aff7e90b3f9
md5(genCrossC2.MacOS) = 08fce0a5d964a091d8bf2344d7ab809e
release v0.1 :
- Support Linux & MacOS beacon generation.
md5(genCrossC2.Linux) = f4c0cc85c7cdd096d2b7febedc037538
md5(genCrossC2.MacOS) = 79fff0505092fc2055824ed1289ce8f9