Skip to content

icecliffs/C2Crash

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
dict
dict
 
 
img
img
 
 
.gitattributes
.gitattributes
 
 
README.md
README.md
 
 
cc2
cc2
 
 
cc2_64.exe
cc2_64.exe
 
 

Repository files navigation

Crash C2 (Crash Command && Control)

反制

Cobalt Strike

这里你需要获取 Beacon 用于解密 publickey,一般来说通信时会先发一个 Stage 过去,然后截获到这个 Stage 后用 1768 来解

File: cs_test/orJ1
xorkey(chain): 0x909d17ff
length: 0x03680093
xorkey b'.' 2e
0x0001 payload type                     0x0001 0x0002 0 windows-beacon_http-reverse_http
0x0002 port                             0x0001 0x0002 36522
0x0003 sleeptime                        0x0002 0x0004 60000
0x0004 maxgetsize                       0x0002 0x0004 1048576
0x0005 jitter                           0x0001 0x0002 0
0x0007 publickey                        0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100b4ca492b960c3cd2b592f9de5045db8120934aaf12cf571ed2cc
0x0008 server,get-uri                   0x0003 0x0100 '192.168.50.235,/en_US/all.js'
0x0043 DNS_STRATEGY                     0x0001 0x0002 0
0x0044 DNS_STRATEGY_ROTATE_SECONDS      0x0002 0x0004 -1
0x0045 DNS_STRATEGY_FAIL_X              0x0002 0x0004 -1
0x0046 DNS_STRATEGY_FAIL_SECONDS        0x0002 0x0004 -1

然后保存到本地,下面为参数

参数 说明
-url 目标 C2 URL,例如 http://114.5.1.4:1919/homo.gif
-n 要发送的次数,推荐 114514
-computer 计算机名文件路径,默认在dict下
-user 用户名文件路径,默认在dict下
-process 进程名文件路径,默认在dict下
-pub 公钥,直接十六进制

示例执行

main -url http://192.168.50.235:36522/en_US/all.js -n 20 -pub 30819f300d06092a864886f70d0

VShell

这个逆起来比较复杂,我这边是用一键上线的,方便后续分析

然后就是三次握手,这里 w32w

对抗

有什么用?

红队猴子看着满屏 Shell 乐翻天了,他乐了,你乐了,大家都乐了,小亮,给他整个活!

References

https://blog.nviso.eu/wp-content/uploads/2025/11/VShell.pdf

About

一键假上线 Cobalt Strike,用来研究对抗 EDR 的仓库

Resources

Readme
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published