CrossC2Kit is an infiltration expansion around the Unix platform derived from CrossC2. Use Aggressor Script Open Source Script engine. It can be used to create automation to simulate the operation process of the Red Team and expand the CobaltStrike client.
CrossC2Kit is inherited from the original features of CobaltStrike, so the development and writing grammar still refer to the official documentation: https://trial.cobaltstrike.com/aggressor-script/index.html
However, it has also performed some API expansion on CrossC2 to control the UNIX platform Beacon. The main functions are to perform the dynamic library (.so
/ .dylib
) and executable files (ELF
/ MachO
) and executable files from memory parsing. Script (bash
/ python
/ php
...). At the same time, some data set interfaces of CobaltStrike are reserved, such as
portscan
, screenshots
, keylogger
, credentials
, etc., can quickly develop Portscan and other kits. And if you are familiar with the CS native protocol, you can specify some more complicated data results for more flexible metadata collection.
Interpreter related plug-ins
、Password dump module
、Authentication backdoor modules
、Information collection modules
、Traffic proxy module
、Keylogger module
、Privilege promotion module
、Task management module
See wiki for details: About CrossC2Kit
Memory loading related API: API wiki
API function manual:API Reference
API demo:/third-party/api_demo/load.cna
Use CrossC2Kit to develop customized expansion:
Put the custom extension according to the classification, compilation source code, configuration file, etc. into the third-party
Folder, the client will automatically load the extended load.cna
CrossC2Kit/third-party/readme.md
Lines 11 to 21 in b108739
For details: https://github.com/CrossC2/CrossC2Kit/tree/template/third-party
- git clone https://github.com/CrossC2/CrossC2Kit.git
- cd CrossC2Kit && mkdir third-party
- Place the extended plug-in in the third-party directory and perform Pull Request
- Pull Request will merge after automatic compilation
├── third-party
│ ├── test.cna
│ └── util
│ ├── lpe // Type of plugin
│ │ ├── cve-2021-1102 // The name of the plugin
│ │ │ ├── load.cna // Loading file of the plug-in *
│ │ │ ├── readme.md // Description document of plug-in
│ │ │ ├── src // The source code directory of binary components in the plugin
│ │ │ │ ├── exp.c // Source code to be compiled *
│ │ │ │ └── makefile // Automatic compiled configuration file *
│ │ │ └── testa.cna // CNA script used inside the plug-in
│ │ └── cve-2022-2202
│ │ ├── load.cna
│ │ ├── readme.md
│ │ └── src
│ │ ├── exp.c
│ │ └── makefile
│ └── pass
│ ├── linux-login
│ │ ├── load.cna
│ │ └── src
│ │ ├── exp.c
│ │ └── makefile
│ └── readme.md
-
The compilation results will be displayed in Summary, including
System architecture information
Compile process
Compilation results symbol information
GLIBC version information contained in Linux programs
The overall result of compilation