<h1>CobaltStrike Traffic Decryption</h1>
<p>Published 2025-01-27, last modified 2025-08-17. Original post: <a href="https://www.s1mh0.cn/blog/index.php/2025/01/27/cobaltstrike_dec/">https://www.s1mh0.cn/blog/index.php/2025/01/27/cobaltstrike_dec/</a></p>
<h2>Overall steps</h2>
<ol>
<li>Obtain the RSA private key that protects the metadata exchanged between Beacon and the C2, either from the team server's <code>.cobaltstrike.beacon_keys</code> file or, when the key is weak enough to factor, from the public key embedded in the <code>stage</code> payload.</li>
<li>Use the RSA private key to decrypt the metadata (the <code>Cookie</code> header of the Beacon heartbeat/check-in request) and recover the <code>AES key</code> and <code>HMAC key</code>.</li>
<li>Use the <code>AES key</code> and <code>HMAC key</code> to decrypt the task and task-output traffic.</li>
</ol>
<h2>Obtaining the private key</h2>
<h3>From the .cobaltstrike.beacon_keys file</h3>
<p>The <code>.cobaltstrike.beacon_keys</code> file in the team server directory is a serialized Java <code>KeyPair</code> object; Python's javaobj module can read the data stored in it directly.</p>
<p>parse_beacon_keys.py reads out the public and private keys (on Python 3 the package to install is <code>javaobj-py3</code>):</p>
<pre><code class="language-python">import base64

import javaobj.v2 as javaobj  # pip install javaobj-py3

# .cobaltstrike.beacon_keys is a serialized java.security.KeyPair; the "encoded"
# byte arrays are PKCS#8 (private key) and X.509 SubjectPublicKeyInfo (public key)
with open(".cobaltstrike.beacon_keys", "rb") as fd:
    pobj = javaobj.load(fd)
privateKey = pobj.array.value.privateKey.encoded.data
publicKey = pobj.array.value.publicKey.encoded.data

# Java byte[] elements are signed, so mask each one to 0..255 before re-encoding
privateKey = (
    b"-----BEGIN PRIVATE KEY-----\n"
    + base64.encodebytes(bytes(map(lambda x: x &amp; 0xFF, privateKey)))
    + b"-----END PRIVATE KEY-----"
)
publicKey = (
    b"-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(bytes(map(lambda x: x &amp; 0xFF, publicKey)))
    + b"-----END PUBLIC KEY-----"
)
print(privateKey.decode())
print(publicKey.decode())</code></pre>
<h3>From the stage file</h3>
<p>Filter out the stage payload that the stager downloads when the Beacon first checks in with the Wireshark display filter <code>http.request.uri matches "/....$"</code> (the stager requests a four-character URI).</p>
<p><img decoding="async" src="http://www.s1mh0.cn/blog/wp-content/uploads/2025/08/cs_dec1.png" alt="cs_dec1" /></p>
<p>Then decode the stage with Didier Stevens' <a href="https://blog.didierstevens.com/2021/10/11/update-1768-py-version-0-0-8/">1768.py</a>, which extracts the embedded Beacon configuration. The public key is stored in a fixed-size field padded with trailing zero bytes; strip that padding to get the DER-encoded public key:</p>
<pre><code>python3 cs_dec_stage.py xxxx</code></pre>
<p><img decoding="async" src="http://www.s1mh0.cn/blog/wp-content/uploads/2025/08/cs_dec2.png" alt="cs_dec2" /></p>
<pre><code class="language-text">30819e300d06092a864886f70d010101050003818c00308188028180525e1781f2f02d132a7818a6d269baddbf39352c8d20290ec2294fbe4d77e6549ef4766d8b0e1620000adfbd7aff99cd72f05623eb0def202265cf631dd895acd5e981da8424c03a295895c8194a31641f2eecd5a8715ca89cdbf9433c5d437538767666c3bdb0f8629555375b574fe408a94ae82f92960085d416374f1654b30203010001</code></pre>
<p>Next, cs_invert_pub.py converts the public key to PEM and extracts its modulus n and exponent e:</p>
<pre><code class="language-python">from Crypto.PublicKey import RSA
import binascii

# DER-encoded SubjectPublicKeyInfo recovered from the stage (zero padding removed)
hex_key = "30819e300d06092a864886f70d010101050003818c00308188028180525e1781f2f02d132a7818a6d269baddbf39352c8d20290ec2294fbe4d77e6549ef4766d8b0e1620000adfbd7aff99cd72f05623eb0def202265cf631dd895acd5e981da8424c03a295895c8194a31641f2eecd5a8715ca89cdbf9433c5d437538767666c3bdb0f8629555375b574fe408a94ae82f92960085d416374f1654b30203010001"
# hex string -> bytes
key_bytes = binascii.unhexlify(hex_key)
# import the RSA public key
rsa_key = RSA.import_key(key_bytes)
# modulus (n) and public exponent (e)
n = rsa_key.n
e = rsa_key.e
print(f"Modulus (n): {n}")
print(f"Exponent (e): {e}")

# export the public key in PEM format
pem_key = rsa_key.publickey().export_key(format='PEM')
print(pem_key.decode('utf-8'))</code></pre>
<pre><code class="language-text">Modulus (n): 57840457943390562151183056895981922848981888713417943532946260250633760347281370187050725047626507035739078370095883411759062129893337622945780596526859424702568086671495882125464325172299346781795855931036288858784790023273356190549125683636953077021666004867856782395818167722491980517593426129106599564467
Exponent (e): 65537
-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgFJeF4Hy8C0TKngYptJput2/OTUs
jSApDsIpT75Nd+ZUnvR2bYsOFiAACt+9ev+ZzXLwViPrDe8gImXPYx3YlazV6YHa
hCTAOilYlcgZSjFkHy7s1ahxXKic2/lDPF1DdTh2dmbDvbD4YpVVN1tXT+QIqUro
L5KWAIXUFjdPFlSzAgMBAAE=
-----END PUBLIC KEY-----</code></pre>
<p>Factor the modulus n printed above into p and q:</p>
<pre><code>yafu-x64.exe factor(57840457943390562151183056895981922848981888713417943532946260250633760347281370187050725047626507035739078370095883411759062129893337622945780596526859424702568086671495882125464325172299346781795855931036288858784790023273356190549125683636953077021666004867856782395818167722491980517593426129106599564467)</code></pre>
<p><img decoding="async" src="http://www.s1mh0.cn/blog/wp-content/uploads/2025/08/cs_dec3.png" alt="cs_dec3" /></p>
<p>This step only succeeds because the key in this walkthrough is weak: the two primes yafu returns differ by just 306, so Fermat's method (which yafu's <code>factor()</code> includes) finds them immediately. A properly generated 1024-bit Beacon key cannot be factored this way; in that case the private key has to come from the team server's <code>.cobaltstrike.beacon_keys</code> file.</p>
<p>Then cs_calc_pri.py rebuilds the private key from p and q:</p>
<pre><code class="language-python"># -*- coding: utf-8 -*-

from Crypto.PublicKey import RSA


def generate_rsa_keypair(p, q, e=65537):
    """
    Rebuild the RSA private key from the two prime factors.

    :param p: prime factor p
    :param q: prime factor q
    :param e: public exponent, 65537 by default
    :return: RSA private key object
    """
    # modulus N
    N = p * q
    # Euler's totient phi(N)
    phi = (p - 1) * (q - 1)
    # private exponent d = e^-1 mod phi (the modular inverse form of pow needs Python 3.8+)
    d = pow(e, -1, phi)
    # build the private key; pycryptodome recovers p and q from (N, e, d) itself
    pri_key = RSA.construct((N, e, d))
    return pri_key


def save_private_key_to_file(private_key, filename="id_rsa"):
    """
    Write the private key to a PEM file.

    :param private_key: RSA private key object
    :param filename: output file name, "id_rsa" by default
    """
    with open(filename, "wb") as f:
        f.write(private_key.export_key("PEM"))


if __name__ == "__main__":
    # the two primes recovered by yafu
    p = 7605291443685150594150190909345113655196508809219162555499789316232908573154196070425269090153291952292016936024761413150455793038505322748933150548026527
    q = 7605291443685150594150190909345113655196508809219162555499789316232908573154196070425269090153291952292016936024761413150455793038505322748933150548026221

    private_key = generate_rsa_keypair(p, q)
    save_private_key_to_file(private_key)
    print("private key written to id_rsa")</code></pre>
<pre><code class="language-text">-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgFJeF4Hy8C0TKngYptJput2/OTUsjSApDsIpT75Nd+ZUnvR2bYsO
FiAACt+9ev+ZzXLwViPrDe8gImXPYx3YlazV6YHahCTAOilYlcgZSjFkHy7s1ahx
XKic2/lDPF1DdTh2dmbDvbD4YpVVN1tXT+QIqUroL5KWAIXUFjdPFlSzAgMBAAEC
gYApWVrrvY2c0zZKu/VjQ/ivQUPy0b63GmVyS1Lg8frzAiAaESnE2Pl6bwsGbxTE
I+3jeYuE1IdWOAeMnKPhY80fOSgws6vSri7CcxnMUEEn3AMw4YSwBIaBGkdLnfxf
pbS/kUUb/z7/A1SRtNq1n4hZYinnG2NpUuiO1WqwHqOGoQJBAJE14+VVt8ONGIZ1
qIf4cqAnAmtonPhyDNdYZQC0IlxNzyixo/lnlTc80b3jYUA4w8GGQQZea70op4RS
fIJV420CQQCRNePlVbfDjRiGdaiH+HKgJwJraJz4cgzXWGUAtCJcTc8osaP5Z5U3
PNG942FAOMPBhkEGXmu9KKeEUnyCVeSfAkB6vJQuKe+zaDVMoXKbyxIH8DEJXFkh
XjUgZ+SnXZqVbmclPFEe48Cp+cxGtkRjJhfAIZwgp/pk3lIJdDctay9ZAkAhlDeu
CcNj6hXYyg592tsO49ZwZhGedik4Bw3cOsuTUr7r5yBHBUgBLQRHh/QuOLIz50rU
ITOC24rZU4XNUfV7AkAipEfvmXf4RaJLlIoWZe/XkNXpGcsYIeaedUv29xqaNAbA
7HhEs3twu6+G0QP1YuAPNp28FNoe52XfJhVWTw1D
-----END RSA PRIVATE KEY-----</code></pre>
<h2>Obtaining the AES and HMAC keys</h2>
<h3>Decrypting the Cookie with the private key</h3>
<p>Beacon_metadata_RSA_Decrypt.py decrypts the Cookie value of the heartbeat (check-in) request with the private key and yields the <code>AES Key</code> and <code>HMAC Key</code>. The decrypted block starts with the magic <code>0x0000BEEF</code>, a 4-byte length and 16 raw key bytes; the AES key and HMAC key are the two halves of SHA-256 over those 16 bytes:</p>
<pre><code class="language-python">import hashlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64
import hexdump  # pip install hexdump

PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgFJeF4Hy8C0TKngYptJput2/OTUsjSApDsIpT75Nd+ZUnvR2bYsO
FiAACt+9ev+ZzXLwViPrDe8gImXPYx3YlazV6YHahCTAOilYlcgZSjFkHy7s1ahx
XKic2/lDPF1DdTh2dmbDvbD4YpVVN1tXT+QIqUroL5KWAIXUFjdPFlSzAgMBAAEC
gYApWVrrvY2c0zZKu/VjQ/ivQUPy0b63GmVyS1Lg8frzAiAaESnE2Pl6bwsGbxTE
I+3jeYuE1IdWOAeMnKPhY80fOSgws6vSri7CcxnMUEEn3AMw4YSwBIaBGkdLnfxf
pbS/kUUb/z7/A1SRtNq1n4hZYinnG2NpUuiO1WqwHqOGoQJBAJE14+VVt8ONGIZ1
qIf4cqAnAmtonPhyDNdYZQC0IlxNzyixo/lnlTc80b3jYUA4w8GGQQZea70op4RS
fIJV420CQQCRNePlVbfDjRiGdaiH+HKgJwJraJz4cgzXWGUAtCJcTc8osaP5Z5U3
PNG942FAOMPBhkEGXmu9KKeEUnyCVeSfAkB6vJQuKe+zaDVMoXKbyxIH8DEJXFkh
XjUgZ+SnXZqVbmclPFEe48Cp+cxGtkRjJhfAIZwgp/pk3lIJdDctay9ZAkAhlDeu
CcNj6hXYyg592tsO49ZwZhGedik4Bw3cOsuTUr7r5yBHBUgBLQRHh/QuOLIz50rU
ITOC24rZU4XNUfV7AkAipEfvmXf4RaJLlIoWZe/XkNXpGcsYIeaedUv29xqaNAbA
7HhEs3twu6+G0QP1YuAPNp28FNoe52XfJhVWTw1D
-----END RSA PRIVATE KEY-----"""

# value of the Cookie header in the Beacon check-in request (base64 of the RSA block)
encode_data = "SLHAIOj8/1icVtP6fImtJz6B6wR0t/XwLg1G0Y3AxoxnseBfPONxoyjAWCCOH84IJULnCZZrO7cIRxJPS2PtmDD4MvD8/PIpoW8Gj8536vhwd+tyXjNKyLNyNYcj+JgO4N5FTnKtkONgv7KnsMjJC3E0eI0ctqmZll8SrXLUS9k="

private_key = RSA.import_key(PRIVATE_KEY.encode())

# the metadata is RSA/PKCS#1 v1.5 encrypted; decrypt() returns the sentinel (None) on failure
cipher = PKCS1_v1_5.new(private_key)
metadata = cipher.decrypt(base64.b64decode(encode_data), None)
if metadata is None:
    raise SystemExit("RSA decryption failed: wrong private key or not Beacon metadata")

if metadata[0:4] == b'\x00\x00\xBE\xEF':
    # bytes 8..24: the 16 raw key bytes
    raw_aes_keys = metadata[8:24]
    # AES key = first half of SHA-256(raw key), HMAC key = second half
    raw_aes_hash256 = hashlib.sha256(raw_aes_keys).digest()
    aes_key = raw_aes_hash256[0:16]
    hmac_key = raw_aes_hash256[16:]

    print("RAW key: {}".format(raw_aes_keys.hex()))
    print("AES key: {}".format(aes_key.hex()))
    print("HMAC key: {}".format(hmac_key.hex()))

    hexdump.hexdump(metadata)</code></pre>
<pre><code class="language-text">RAW key: 28ab951fc96bcb93ec13cf9dd5f21373
AES key: 9fe14473479a283821241e2af78017e8
HMAC key: 1e3d54f1b9f0e106773a59b7c379a89d
00000000: 00 00 BE EF 00 00 00 5D  28 AB 95 1F C9 6B CB 93  .......](....k..
00000010: EC 13 CF 9D D5 F2 13 73  A8 03 A8 03 43 50 DF EC  .......s....CP..
00000020: 00 00 0B 50 00 00 0E 06  01 1D B0 00 00 00 00 77  ...P...........w
00000030: 02 04 D0 77 02 34 70 8C  B8 A8 C0 57 49 4E 2D 52  ...w.4p....WIN-R
00000040: 52 49 39 54 39 53 4E 38  35 44 09 41 64 6D 69 6E  RI9T9SN85D.Admin
00000050: 69 73 74 72 61 74 6F 72  09 61 72 74 69 66 61 63  istrator.artifac
00000060: 74 2E 65 78 65                                    t.exe</code></pre>
<p>Beacon_metadata_moreInfo_RSA_Decrypt.py parses the rest of the metadata as well and reports the <code>host</code>, <code>PC name</code>, <code>username</code> and so on (the field names mirror the team server's own Java code, which is also where the code page table comes from):</p>
<pre><code class="language-python">import hashlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64
import hexdump

PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgFJeF4Hy8C0TKngYptJput2/OTUsjSApDsIpT75Nd+ZUnvR2bYsO
FiAACt+9ev+ZzXLwViPrDe8gImXPYx3YlazV6YHahCTAOilYlcgZSjFkHy7s1ahx
XKic2/lDPF1DdTh2dmbDvbD4YpVVN1tXT+QIqUroL5KWAIXUFjdPFlSzAgMBAAEC
gYApWVrrvY2c0zZKu/VjQ/ivQUPy0b63GmVyS1Lg8frzAiAaESnE2Pl6bwsGbxTE
I+3jeYuE1IdWOAeMnKPhY80fOSgws6vSri7CcxnMUEEn3AMw4YSwBIaBGkdLnfxf
pbS/kUUb/z7/A1SRtNq1n4hZYinnG2NpUuiO1WqwHqOGoQJBAJE14+VVt8ONGIZ1
qIf4cqAnAmtonPhyDNdYZQC0IlxNzyixo/lnlTc80b3jYUA4w8GGQQZea70op4RS
fIJV420CQQCRNePlVbfDjRiGdaiH+HKgJwJraJz4cgzXWGUAtCJcTc8osaP5Z5U3
PNG942FAOMPBhkEGXmu9KKeEUnyCVeSfAkB6vJQuKe+zaDVMoXKbyxIH8DEJXFkh
XjUgZ+SnXZqVbmclPFEe48Cp+cxGtkRjJhfAIZwgp/pk3lIJdDctay9ZAkAhlDeu
CcNj6hXYyg592tsO49ZwZhGedik4Bw3cOsuTUr7r5yBHBUgBLQRHh/QuOLIz50rU
ITOC24rZU4XNUfV7AkAipEfvmXf4RaJLlIoWZe/XkNXpGcsYIeaedUv29xqaNAbA
7HhEs3twu6+G0QP1YuAPNp28FNoe52XfJhVWTw1D
-----END RSA PRIVATE KEY-----"""

encode_data = "SLHAIOj8/1icVtP6fImtJz6B6wR0t/XwLg1G0Y3AxoxnseBfPONxoyjAWCCOH84IJULnCZZrO7cIRxJPS2PtmDD4MvD8/PIpoW8Gj8536vhwd+tyXjNKyLNyNYcj+JgO4N5FTnKtkONgv7KnsMjJC3E0eI0ctqmZll8SrXLUS9k="

private_key = RSA.import_key(PRIVATE_KEY.encode())
cipher = PKCS1_v1_5.new(private_key)
metadata = cipher.decrypt(base64.b64decode(encode_data), None)
if metadata is None:
    raise SystemExit("RSA decryption failed: wrong private key or not Beacon metadata")

# Windows code page number -> Java charset name, as mapped by the team server;
# code pages without a Java charset are simply absent and map to ""
CODEPAGES = {
    37: "IBM037", 437: "IBM437", 500: "IBM500", 708: "ISO-8859-6", 720: "IBM437",
    737: "x-IBM737", 775: "IBM775", 850: "IBM850", 852: "IBM852", 855: "IBM855",
    857: "IBM857", 858: "IBM00858", 860: "IBM860", 861: "IBM861", 862: "IBM862",
    863: "IBM863", 864: "IBM864", 865: "IBM865", 866: "IBM866", 869: "IBM869",
    870: "IBM870", 874: "x-windows-874", 875: "IBM875", 932: "Shift_JIS",
    936: "x-mswin-936", 949: "x-windows-949", 950: "Big5", 1026: "IBM1026",
    1047: "IBM1047", 1140: "IBM01140", 1141: "IBM01141", 1142: "IBM01142",
    1143: "IBM01143", 1144: "IBM01144", 1145: "IBM01145", 1146: "IBM01146",
    1147: "IBM01147", 1148: "IBM01148", 1149: "IBM01149", 1200: "UTF-16LE",
    1201: "UTF-16BE", 1250: "windows-1250", 1251: "windows-1251",
    1252: "windows-1252", 1253: "windows-1253", 1254: "windows-1254",
    1255: "windows-1255", 1256: "windows-1256", 1257: "windows-1257",
    1258: "windows-1258", 1361: "x-Johab", 10000: "x-MacRoman",
    10004: "x-MacArabic", 10005: "x-MacHebrew", 10006: "x-MacGreek",
    10007: "x-MacCyrillic", 10010: "x-MacRomania", 10017: "x-MacUkraine",
    10021: "x-MacThai", 10029: "x-MacCentralEurope", 10079: "x-MacIceland",
    10081: "x-MacTurkish", 10082: "x-MacCroatian", 12000: "UTF-32LE",
    12001: "UTF-32BE", 20000: "x-ISO-2022-CN-CNS", 20127: "US-ASCII",
    20273: "IBM273", 20277: "IBM277", 20278: "IBM278", 20280: "IBM280",
    20284: "IBM284", 20285: "IBM285", 20290: "IBM290", 20297: "IBM297",
    20420: "IBM420", 20424: "IBM424", 20838: "IBM-Thai", 20866: "KOI8-R",
    20871: "IBM871", 20932: "EUC-JP", 20936: "GB2312", 21025: "x-IBM1025",
    21866: "KOI8-U", 28591: "ISO-8859-1", 28592: "ISO-8859-2",
    28593: "ISO-8859-3", 28594: "ISO-8859-4", 28595: "ISO-8859-5",
    28596: "ISO-8859-6", 28597: "ISO-8859-7", 28598: "ISO-8859-8",
    28599: "ISO-8859-9", 28603: "ISO-8859-13", 28605: "ISO-8859-15",
    38598: "ISO-8859-8", 50220: "ISO-2022-JP", 50221: "ISO-2022-JP-2",
    50222: "ISO-2022-JP", 50225: "ISO-2022-KR", 50227: "ISO-2022-CN",
    50229: "ISO-2022-CN", 50930: "x-IBM930", 50933: "x-IBM933",
    50935: "x-IBM935", 50937: "x-IBM937", 50939: "x-IBM939", 51932: "EUC-JP",
    51936: "GB2312", 51949: "EUC-KR", 52936: "GB2312", 54936: "GB18030",
    57002: "x-ISCII91", 57003: "x-ISCII91", 57004: "x-ISCII91",
    57005: "x-ISCII91", 57006: "x-ISCII91", 57007: "x-ISCII91",
    57008: "x-ISCII91", 57009: "x-ISCII91", 57010: "x-ISCII91",
    57011: "x-ISCII91", 65001: "UTF-8",
}


def isFlag(var, flag):
    return (var &amp; flag) == flag


def toIP(raw):
    # the address is stored little-endian; reverse the bytes to get the dotted quad
    return ".".join(str(b) for b in reversed(raw))


def getName(codepage):
    return CODEPAGES.get(codepage, "")


if metadata[0:4] == b'\x00\x00\xBE\xEF':
    # 16 bytes: raw session key
    raw_aes_keys = metadata[8:24]

    # 2 + 2 bytes, little-endian: ANSI and OEM code pages of the host (936 = GBK here)
    ansi_codepage = getName(int.from_bytes(metadata[24:26], byteorder='little', signed=False))
    oem_codepage = getName(int.from_bytes(metadata[26:28], byteorder='little', signed=False))

    # 4 bytes: Beacon id
    id = int.from_bytes(metadata[28:32], byteorder='big', signed=False)
    print("Beacon id:{}".format(id))

    # 4 bytes: process id
    pid = int.from_bytes(metadata[32:36], byteorder='big', signed=False)
    print("pid:{}".format(pid))

    # 2 bytes: port
    port = int.from_bytes(metadata[36:38], byteorder='big', signed=False)
    print("port:{}".format(port))

    # 1 byte: flags (2 = x64 Beacon, 4 = 64-bit OS, 8 = bypassuac/elevated)
    flag = metadata[38]
    barch = "x64" if isFlag(flag, 2) else "x86"
    is64 = "1" if isFlag(flag, 4) else "0"
    bypassuac = "True" if isFlag(flag, 8) else "False"
    print("barch:" + barch)
    print("is64:" + is64)
    print("bypass:" + bypassuac)

    # 1 + 1 bytes: Windows major.minor version
    windows_var = "{}.{}".format(metadata[39], metadata[40])
    print("windows var:" + windows_var)

    # 2 bytes: Windows build number
    windows_build = int.from_bytes(metadata[41:43], byteorder='big', signed=False)
    print("windows build:{}".format(windows_build))

    # 4 + 4 + 4 bytes: pointer values reported by the Beacon; not needed for decryption
    x64_P = metadata[43:47]
    ptr_gmh = metadata[47:51]
    ptr_gpa = metadata[51:55]

    # 4 bytes: internal IP address
    intz = toIP(metadata[55:59])
    if intz == "0.0.0.0":
        intz = "unknown"
    print("host:" + intz)

    # remainder: computer name, user name and process name separated by tabs;
    # decoded as Latin-1 here, non-ASCII names need the host's ANSI code page instead
    ddata = metadata[59:].decode("ISO8859-1").split("\t")
    computer, username, process = (ddata + ["", "", ""])[:3]

    print("PC name:" + computer)
    print("username:" + username)
    print("process name:" + process)

    digest = hashlib.sha256(raw_aes_keys).digest()
    aes_key = digest[0:16]
    hmac_key = digest[16:]

    print("AES key:{}".format(aes_key.hex()))
    print("HMAC key:{}".format(hmac_key.hex()))

    hexdump.hexdump(metadata)</code></pre>
<pre><code class="language-text">Beacon id:1129373676
pid:2896
port:0
barch:x64
is64:1
bypass:True
windows var:6.1
windows build:7600
host:192.168.184.140
PC name:WIN-RRI9T9SN85D
username:Administrator
process name:artifact.exe
AES key:9fe14473479a283821241e2af78017e8
HMAC key:1e3d54f1b9f0e106773a59b7c379a89d
00000000: 00 00 BE EF 00 00 00 5D  28 AB 95 1F C9 6B CB 93  .......](....k..
00000010: EC 13 CF 9D D5 F2 13 73  A8 03 A8 03 43 50 DF EC  .......s....CP..
00000020: 00 00 0B 50 00 00 0E 06  01 1D B0 00 00 00 00 77  ...P...........w
00000030: 02 04 D0 77 02 34 70 8C  B8 A8 C0 57 49 4E 2D 52  ...w.4p....WIN-R
00000040: 52 49 39 54 39 53 4E 38  35 44 09 41 64 6D 69 6E  RI9T9SN85D.Admin
00000050: 69 73 74 72 61 74 6F 72  09 61 72 74 69 66 61 63  istrator.artifac
00000060: 74 2E 65 78 65                                    t.exe</code></pre>
<h3>From a memory dump of the Beacon process</h3>
<p>Dump the Beacon process to a .dmp file with procdump, volatility or a similar tool.</p>
<p>You can then try to extract the <code>AES Key</code> and <code>HMAC Key</code> directly with <a href="https://github.com/DidierStevens/Beta/blob/master/cs-extract-key.py">cs-extract-key.py</a>:</p>
<pre><code>python3 cs-extract-key.py xxx.dmp</code></pre>
<p>It works by searching the dump for the <code>0x0000BEEF</code> header of the unencrypted metadata, so the candidate it picks can easily be wrong (stale or unrelated copies of the structure produce false positives).</p>
<p>If you also have captured traffic carrying encrypted data, use <a href="https://github.com/DidierStevens/Beta/blob/master/cs-parse-http-traffic.py">cs-parse-http-traffic.py</a> to extract the raw encrypted data from the capture:</p>
<pre><code>python3 cs-parse-http-traffic.py -k unknown xxx.pcapng</code></pre>
<p><img decoding="async" src="http://www.s1mh0.cn/blog/wp-content/uploads/2025/08/cs_dec4.png" alt="cs_dec4" /></p>
<p>Then run cs-extract-key.py again with that encrypted data so it can check each candidate key against real traffic and keep only the one that decrypts it.</p>
<p><img decoding="async" src="http://www.s1mh0.cn/blog/wp-content/uploads/2025/08/cs_dec5.png" alt="cs_dec5" /></p>
<h2>Decrypting the CS traffic</h2>
<p>Use the <code>data</code> display filter to pick out the HTTP bodies that carry the encrypted data exchanged between Beacon and the C2.</p>
<p>CS_Task_And_Return_AES_Decrypt.py decrypts that data. The body is AES-128-CBC ciphertext (fixed IV <code>abcdefghijklmnop</code>) followed by the first 16 bytes of HMAC-SHA256 over the ciphertext; Beacon output (POST body) additionally carries a 4-byte big-endian length prefix, task responses do not. The HMAC should be checked before trusting the decrypted bytes, since a wrong key or corrupted capture otherwise yields plausible-looking garbage:</p>
<pre><code class="language-python">import hmac
import binascii
import hexdump
from Crypto.Cipher import AES

AES_KEY = binascii.unhexlify("9fe14473479a283821241e2af78017e8")
HMAC_KEY = binascii.unhexlify("1e3d54f1b9f0e106773a59b7c379a89d")
# Beacon uses a fixed CBC IV
IV = b"abcdefghijklmnop"
# hex of the HTTP body carrying the encrypted data
encrypt_data = "00000040efeda3e57f7d7fd589d11640ea0f9a4fe6bc91332723ffc5f43f78b37c21cc7485c44d6c8eb6af74fc7044046059c76519e493e351c9f631d6785d5c07eae9e3"


def decrypt(encrypted_data, signature, aes_key, hmac_key):
    # the trailing 16 bytes are HMAC-SHA256 over the ciphertext, truncated to 16 bytes
    expected = hmac.new(hmac_key, encrypted_data, digestmod="sha256").digest()[:16]
    if not hmac.compare_digest(expected, signature):
        print("message authentication failed: wrong HMAC key or corrupted data")
    cipher = AES.new(aes_key, AES.MODE_CBC, IV)
    return cipher.decrypt(encrypted_data)


encrypt_data = bytes.fromhex(encrypt_data)

# Beacon -> C2 (POST body): 4-byte big-endian length, then ciphertext + 16-byte HMAC.
# C2 -> Beacon (task response body): ciphertext + 16-byte HMAC with no length prefix.
encrypt_data_length = int.from_bytes(encrypt_data[:4], byteorder='big', signed=False)
if encrypt_data_length == len(encrypt_data) - 4:
    body = encrypt_data[4:]
else:
    body = encrypt_data
data1 = body[:-16]
signature = body[-16:]
dec = decrypt(data1, signature, AES_KEY, HMAC_KEY)

# decrypted layout: 4-byte counter, 4-byte payload length, then the payload,
# which for Beacon output starts with a 4-byte callback type
length = int.from_bytes(dec[4:8], byteorder='big', signed=False)
print("counter: {}".format(int.from_bytes(dec[:4], byteorder='big', signed=False)))
print("task output length: {}".format(length))
print("task output type: {}".format(int.from_bytes(dec[8:12], byteorder='big', signed=False)))
print(dec[12:8 + length])
print(dec[12:])
hexdump.hexdump(dec)</code></pre>
<p><img decoding="async" src="http://www.s1mh0.cn/blog/wp-content/uploads/2025/08/cs_dec6.png" alt="cs_dec6" /></p>
<h2>References</h2>
<p><a href="https://1cepeak.cn/posts/cobaltstrike-traffic-analysis/">https://1cepeak.cn/posts/cobaltstrike-traffic-analysis/</a></p>
<p><a href="https://5ime.cn/cobaltstrike-decrypt.html">https://5ime.cn/cobaltstrike-decrypt.html</a></p>
<p><a href="https://www.freebuf.com/articles/system/327060.html">https://www.freebuf.com/articles/system/327060.html</a></p>
<p><a href="https://blog.csdn.net/AomCC/article/details/133298604">https://blog.csdn.net/AomCC/article/details/133298604</a></p>
<p><a href="https://www.freebuf.com/articles/system/327435.html">https://www.freebuf.com/articles/system/327435.html</a></p>
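<p>The following is an added example, not one of the post's scripts, that chains the "From the stage file" and "Decrypting the Cookie with the private key" steps above with the Python standard library only: it factors the page's modulus with Fermat's method (which is why yafu succeeded so quickly: p and q differ by 306), rebuilds the private exponent, performs the RSA decryption and PKCS#1 v1.5 unpadding by hand instead of through pycryptodome, and parses the metadata fields and session keys. The modulus, Cookie value and expected results are the ones shown on this page; the iteration cap in <code>fermat_factor</code> is an assumption chosen so that a properly generated key fails fast instead of looping forever.</p>

```python
import base64
import hashlib
import math
import struct

# Modulus and exponent printed by cs_invert_pub.py above (from the stage's public key).
N = 57840457943390562151183056895981922848981888713417943532946260250633760347281370187050725047626507035739078370095883411759062129893337622945780596526859424702568086671495882125464325172299346781795855931036288858784790023273356190549125683636953077021666004867856782395818167722491980517593426129106599564467
E = 65537

# Cookie header of the check-in request shown above (base64 of the 128-byte RSA block).
COOKIE = "SLHAIOj8/1icVtP6fImtJz6B6wR0t/XwLg1G0Y3AxoxnseBfPONxoyjAWCCOH84IJULnCZZrO7cIRxJPS2PtmDD4MvD8/PIpoW8Gj8536vhwd+tyXjNKyLNyNYcj+JgO4N5FTnKtkONgv7KnsMjJC3E0eI0ctqmZll8SrXLUS9k="


def fermat_factor(n, max_steps=100_000):
    """Fermat's method: find a with a*a - n a perfect square b*b, then n = (a+b)(a-b).
    It only terminates quickly when p and q are close; max_steps (an assumed cap) makes a
    properly generated key fail fast, in which case the private key must come from
    .cobaltstrike.beacon_keys instead."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a + b, a - b
        a += 1
    raise ValueError("no close factors found: the key is not weak")


def private_exponent(p, q, e=E):
    """d = e^-1 mod phi(n), exactly as cs_calc_pri.py computes it."""
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_pkcs1v15_decrypt(ciphertext, n, d):
    """Textbook RSA followed by PKCS#1 v1.5 type-2 unpadding: 00 02 <nonzero pad> 00 <msg>."""
    k = (n.bit_length() + 7) // 8
    m = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    if m[0:2] != b"\x00\x02" or b"\x00" not in m[2:]:
        raise ValueError("bad PKCS#1 v1.5 padding: wrong key or not an RSA block")
    return m[m.index(b"\x00", 2) + 1:]


def parse_metadata(blob):
    """Decode the decrypted metadata block (same offsets as the page's scripts)."""
    if blob[0:4] != b"\x00\x00\xbe\xef":
        raise ValueError("missing 0x0000BEEF magic: not Beacon metadata")
    raw_key = blob[8:24]
    digest = hashlib.sha256(raw_key).digest()  # AES key | HMAC key
    ansi_cp, oem_cp = struct.unpack("<HH", blob[24:28])
    beacon_id, pid, port, flags, os_major, os_minor, build = struct.unpack(">IIHBBBH", blob[28:43])
    ip = ".".join(str(b) for b in reversed(blob[55:59]))  # address is stored little-endian
    computer, user, process = (blob[59:].decode("latin-1").split("\t") + ["", "", ""])[:3]
    return {
        "raw_key": raw_key.hex(),
        "aes_key": digest[:16].hex(),
        "hmac_key": digest[16:].hex(),
        "ansi_codepage": ansi_cp,
        "oem_codepage": oem_cp,
        "beacon_id": beacon_id,
        "pid": pid,
        "port": port,
        "arch": "x64" if flags & 2 else "x86",
        "os64": bool(flags & 4),
        "elevated": bool(flags & 8),
        "os": f"{os_major}.{os_minor} build {build}",
        "ip": ip,
        "computer": computer,
        "user": user,
        "process": process,
    }


def recover_session(n=N, cookie=COOKIE):
    """Weak public key + captured Cookie -> session keys and host details."""
    p, q = fermat_factor(n)
    d = private_exponent(p, q)
    blob = rsa_pkcs1v15_decrypt(base64.b64decode(cookie), n, d)
    return parse_metadata(blob)


if __name__ == "__main__":
    for field, value in recover_session().items():
        print(f"{field}: {value}")
```

Running it prints the same keys and host details as the page's two RSA scripts; swap in a modulus from a real engagement and <code>fermat_factor</code> raises after the cap, which is the practical check for whether the stage route is viable at all.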
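<p>The following is an added example for the "Decrypting the CS traffic" section, not the post's CS_Task_And_Return_AES_Decrypt.py. It assumes pycryptodome (the library the page's scripts use) and the AES/HMAC keys derived on this page. Unlike the page's script it refuses to decrypt when the HMAC does not verify, handles both the length-prefixed POST body (Beacon output) and the bare task response (C2 to Beacon), and walks the task list in a response. The packets the test decrypts are constructed here with <code>encrypt_packet</code>; the pad byte, callback type and command id used for them are arbitrary sample values, not claims about real Beacon traffic.</p>

```python
import hmac
import struct
from hashlib import sha256

from Crypto.Cipher import AES

AES_KEY = bytes.fromhex("9fe14473479a283821241e2af78017e8")
HMAC_KEY = bytes.fromhex("1e3d54f1b9f0e106773a59b7c379a89d")
IV = b"abcdefghijklmnop"  # fixed CBC IV used by Beacon
TAG_LEN = 16              # HMAC-SHA256 truncated to 16 bytes

# HTTP body from the page's capture: 4-byte length, 48 bytes of ciphertext, 16-byte HMAC
PAGE_PACKET = bytes.fromhex(
    "00000040efeda3e57f7d7fd589d11640ea0f9a4fe6bc91332723ffc5f43f78b37c21cc74"
    "85c44d6c8eb6af74fc7044046059c76519e493e351c9f631d6785d5c07eae9e3"
)


def encrypt_packet(plaintext, aes_key=AES_KEY, hmac_key=HMAC_KEY, length_prefix=True):
    """Encrypt-then-MAC in Beacon's framing; used here only to build test vectors.
    Zero padding is an arbitrary choice: the inner length field delimits the payload."""
    padded = plaintext + b"\x00" * ((-len(plaintext)) % 16)
    ct = AES.new(aes_key, AES.MODE_CBC, IV).encrypt(padded)
    tag = hmac.new(hmac_key, ct, sha256).digest()[:TAG_LEN]
    body = ct + tag
    return struct.pack(">I", len(body)) + body if length_prefix else body


def decrypt_packet(packet, aes_key=AES_KEY, hmac_key=HMAC_KEY):
    """Strip an optional length prefix, verify the HMAC, then AES-CBC decrypt."""
    if len(packet) >= 4 and struct.unpack(">I", packet[:4])[0] == len(packet) - 4:
        packet = packet[4:]
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    expected = hmac.new(hmac_key, ct, sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("HMAC mismatch: wrong HMAC key or tampered packet")
    return AES.new(aes_key, AES.MODE_CBC, IV).decrypt(ct)


def parse_output(plain):
    """Beacon -> C2: counter | length | callback type | data."""
    counter, length = struct.unpack(">II", plain[:8])
    payload = plain[8:8 + length]
    return {"counter": counter, "type": struct.unpack(">I", payload[:4])[0], "data": payload[4:]}


def parse_tasks(plain):
    """C2 -> Beacon: timestamp | length | (command | length | args)*"""
    timestamp, length = struct.unpack(">II", plain[:8])
    body, tasks, off = plain[8:8 + length], [], 0
    while off + 8 <= len(body):
        cmd, arglen = struct.unpack(">II", body[off:off + 8])
        tasks.append({"command": cmd, "args": body[off + 8:off + 8 + arglen]})
        off += 8 + arglen
    return {"timestamp": timestamp, "tasks": tasks}


def build_output(counter, cb_type, data):
    payload = struct.pack(">I", cb_type) + data
    return struct.pack(">II", counter, len(payload)) + payload


def build_tasks(timestamp, tasks):
    body = b"".join(struct.pack(">II", cmd, len(args)) + args for cmd, args in tasks)
    return struct.pack(">II", timestamp, len(body)) + body


def demo():
    """Round-trip constructed packets both ways and show that tampering is caught."""
    out_pkt = encrypt_packet(build_output(7, 0, b"whoami output\n"))
    task_pkt = encrypt_packet(build_tasks(1700000000, [(78, b"cmd.exe /c whoami")]), length_prefix=False)
    out = parse_output(decrypt_packet(out_pkt))
    tasks = parse_tasks(decrypt_packet(task_pkt))
    # flipping one ciphertext byte must fail the MAC check before any decryption happens
    tampered = bytearray(out_pkt)
    tampered[10] ^= 1
    try:
        decrypt_packet(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return out, tasks, tamper_detected


if __name__ == "__main__":
    print(demo())
    try:
        print(parse_output(decrypt_packet(PAGE_PACKET)))
    except ValueError as exc:
        print("page packet:", exc)
```

The HMAC check is what cs-extract-key.py relies on when it validates candidate keys from a memory dump against captured traffic; the same check turns "decrypt and hope" into a yes/no answer about whether the keys you recovered are the right ones.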