
CrossC2, developed on top of the Cobalt Strike framework, can be used to control systems on other platforms. CrossC2Kit provides interfaces that users can call to manipulate a CrossC2 Beacon session, thereby extending the functionality of Cobalt Strike.

Primary language: Shell. License: Apache License 2.0.

CrossC2 Kit

README | Chinese documentation

CrossC2Kit is a penetration-testing extension kit for the Unix platform, derived from CrossC2. It uses the open-source Aggressor Script engine and can be used to build automation that simulates Red Team operations and to extend the CobaltStrike client.

CrossC2Kit inherits the original features of CobaltStrike, so script development and syntax still follow the official documentation: https://trial.cobaltstrike.com/aggressor-script/index.html

It also extends the API on the CrossC2 side to control the UNIX platform Beacon. The main functions are parsing and executing, from memory, dynamic libraries (.so / .dylib), executable files (ELF / MachO) and scripts (bash / python / php ...). Some of CobaltStrike's data set interfaces are also retained, such as portscan, screenshots, keylogger and credentials, so kits such as Portscan can be developed quickly. If you are familiar with the CS native protocol, you can specify more complex result data for more flexible metadata collection.

Basic functions

- Interpreter-related plug-ins
- Password dump module
- Authentication backdoor modules
- Information collection modules
- Traffic proxy module
- Keylogger module
- Privilege escalation module
- Task management module

See wiki for details: About CrossC2Kit

API Reference:

Memory loading related API: API wiki

API function manual: API Reference

API demo: /third-party/api_demo/load.cna

Custom expansion

To develop a custom extension with CrossC2Kit, place it in the third-party folder, organized by category and together with its source code to be compiled, configuration files, etc. The client will automatically load the extension's load.cna.

├── third-party
│   ├── test.cna
│   └── util
│       ├── lpe  // Plugin category
│       │   ├── cve-2021-1102       // Plugin name
│       │   │   ├── load.cna        // Plugin entry point *
│       │   │   ├── readme.md       // Plugin documentation
│       │   │   ├── src             // Source directory of the binary components included in the plugin
│       │   │   │   ├── exp.c       // Source code to be compiled *
│       │   │   │   └── makefile    // Project configuration file for automatic compilation *
│       │   │   └── testa.cna       // cna script used internally by the plugin

For details: https://github.com/CrossC2/CrossC2Kit/tree/template/third-party
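A pre-submission check for the layout above, as an added example that is not part of CrossC2Kit. It assumes the files marked `*` in the tree (load.cna, src/makefile and at least one source file beside the makefile) are required for every plugin under third-party/util/<category>/<plugin>/; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not CrossC2Kit code): lint a third-party/ tree before a pull request.
# Assumption: the entries marked "*" in the README tree are mandatory per plugin:
# load.cna, src/makefile, and at least one source file next to the makefile.

# Print one line per problem found in a single plugin directory.
check_plugin() {
    local dir="$1" f has_source=0
    [ -f "$dir/load.cna" ] || echo "$dir: missing load.cna"
    if [ ! -d "$dir/src" ]; then
        echo "$dir: missing src/ directory"
        return 0
    fi
    [ -f "$dir/src/makefile" ] || echo "$dir: missing src/makefile"
    for f in "$dir"/src/*; do
        # Any regular file other than the makefile counts as source.
        if [ -f "$f" ] && [ "$(basename "$f")" != "makefile" ]; then
            has_source=1
        fi
    done
    [ "$has_source" -eq 1 ] || echo "$dir: no source file in src/"
}

# Walk <root>/util/<category>/<plugin>/ and report every problem.
# Plain files in a category directory (e.g. pass/readme.md) are skipped,
# because the trailing slash in the glob matches directories only.
# Returns 0 when the tree is clean, 1 otherwise.
check_layout() {
    local root="$1" plugin out
    out=$(for plugin in "$root"/util/*/*/; do
              if [ -d "$plugin" ]; then
                  check_plugin "${plugin%/}"
              fi
          done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: ./check_layout.sh third-party
[ "$#" -eq 0 ] || check_layout "$1"
```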

Pull Request

  1. git clone https://github.com/CrossC2/CrossC2Kit.git
  2. cd CrossC2Kit && mkdir third-party
  3. Place the extension plug-in in the third-party directory and open a Pull Request
  4. The Pull Request will be merged after automatic compilation

├── third-party
│   ├── test.cna
│   └── util
│       ├── lpe  // Type of plugin
│       │   ├── cve-2021-1102       // The name of the plugin
│       │   │   ├── load.cna        // Loading file of the plug-in *
│       │   │   ├── readme.md       // Description document of plug-in
│       │   │   ├── src             // The source code directory of binary components in the plugin
│       │   │   │   ├── exp.c       // Source code to be compiled *
│       │   │   │   └── makefile    // Automatic compiled configuration file *
│       │   │   └── testa.cna       // CNA script used inside the plug-in
│       │   └── cve-2022-2202
│       │       ├── load.cna
│       │       ├── readme.md
│       │       └── src
│       │           ├── exp.c
│       │           └── makefile
│       └── pass
│           ├── linux-login
│           │   ├── load.cna
│           │   └── src
│           │       ├── exp.c
│           │       └── makefile
│           └── readme.md

  5. The compilation results will be displayed in the Summary, including:

    System architecture information

    Compile process

    Symbol information of the compilation results

    GLIBC version information contained in Linux programs

    The overall result of compilation