sharkone's Introduction

SharkOneCS

版本

beta.0.1 测试版

一些说明

项目在release中sharkone zip打包
基于CobaltStrike4.5二开完成
SharkOne的主要功能是将beacon代码可视化，其实是为了方便自己也方便其他做这方面的二次开发
teamserver验证标识是将48879改成了其他标志并且验证错误会返回其他内容并记录ip
其他的一些beacon改了一些零零散散的功能，后面版本主要针对beacon进行一些修改，或者添加删除一些功能
支持c2profile
beacon对c2配置文件的GET/POST url随机访问并在测试中新加了一些httpheader以做混淆，可以到beacon源码参考并修改
编译器目前只测试了msvc＋llvm 可以自行在beacon/relaese32/64.bat beacon/start32/64.bat配置ollvm+mingw等其他编译器
目前仅支持http、https 后面beacon内容会在以后版本发布
造轮子项目，功能主要看个人修改，免杀姿势可以自己对beacon进行修修补补
By: T00ls.com

文件说明

文件名	说明
beacon	beacon源码目录，beaconMain.cpp为源码，其余为组件函数源码，start32/64.bat为编译组件脚本，release32/64.bat为编译主模块脚本
ttlog	为标志日志目录，里面并没什么好东西
SharkCS4_5_server.jar	teamserver jar包
SharkCS4_5_client.jar	client jar包
teamserver.bat/teamserver	teamserver启动脚本
cobaltstrike.auth	license文件涉及ssl密钥可以按需求修改
其他文件	其他文件为一些启动bat脚本和一些别的文件

环境配置

由于项目中teamserver内置编译，所以需要有对应的编译环境

目前测试的环境为

teamserver:

操作系统：Windows10

编译器版本：clang15.0.5

链接器版本：x86_64-pc-windows-msvc

java版本：java 17.0.2 2022-01-18 LTS

client:

操作系统：Windows10

java版本：java 17.0.2 2022-01-18 LTS

Linux需要额外配置环境，并且需要msvc的头文件，如果有兴趣可以Linux部署踩下坑

二开说明

beacon可视化，teamserver启动生成beacon逻辑，现在直接在源码中修改即可
内置llvm编译器，每次listener创建或重启时都对beacon进行重新编译
去除beacon端main函数起始时申请的4096c2profile配置操作
新增beacon对teamserver心跳或命令执行的随机c2profile配置访问
新增远程编译beacon组件
新增beacon端bof的异常处理，以前的bof比较脆弱，针对这部分进行了修复
新增beacon get或post随机访问c2profile配置中的所有字符串路径
增加teamserver防爆破，访问次数为一个小时限定一百次
增加teamserver防检测
增加teamserver对client的登录flag，并增加flag错误返回403并记录ip
修复cve-2022-39197漏洞

解压密码

见www.t00ls.com

更新日志

Beta.0.1 更新vnc库失踪问题更新client界面意外退出问题

sharkone's People

Contributors

Stargazers

Watchers

sharkone's Issues

clang15.0.5, x86_64-pc-windows-msvc How to install ?

bugs feedback

After stageless selects the listener, click generate, but the generation window cannot pop up.

Exception in thread "dialog action: Generate" java.lang.NullPointerException: Cannot read the array length because "<parameter1>" is null
        at sleep.runtime.SleepUtils.getScalar(Unknown Source)
        at common.ScListener.A(ScListener.java:351)
        at common.ScListener.export(ScListener.java:273)
        at common.ScListener.export(ScListener.java:266)
        at aggressor.dialogs.WindowsExecutableStageDialog.dialogAction(WindowsExecutableStageDialog.java:44)
        at dialog.DialogManager$2$1.run(DialogManager.java:129)
        at java.base/java.lang.Thread.run(Thread.java:833)

spawn cannot work

Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException: Cannot read the array length because "<parameter1>" is null
        at sleep.runtime.SleepUtils.getScalar(Unknown Source)
        at common.ScListener.A(ScListener.java:351)
        at common.ScListener.exportLocal(ScListener.java:240)
        at common.ScListener.exportLocal(ScListener.java:230)
        at beacon.TaskBeacon.Spawn(TaskBeacon.java:1758)
        at beacon.TaskBeacon.Spawn(TaskBeacon.java:1771)
        at aggressor.windows.BeaconConsole.actionPerformed(BeaconConsole.java:1117)
        at java.desktop/javax.swing.JTextField.fireActionPerformed(JTextField.java:525)
        at java.desktop/javax.swing.JTextField.postActionEvent(JTextField.java:740)
        at java.desktop/javax.swing.JTextField$NotifyAction.actionPerformed(JTextField.java:856)
        at java.desktop/javax.swing.SwingUtilities.notifyAction(SwingUtilities.java:1810)
        at java.desktop/javax.swing.JComponent.processKeyBinding(JComponent.java:2947)
        at java.desktop/javax.swing.JComponent.processKeyBindings(JComponent.java:2995)
        at java.desktop/javax.swing.JComponent.processKeyEvent(JComponent.java:2909)
        at java.desktop/java.awt.Component.processEvent(Component.java:6403)
        at java.desktop/java.awt.Container.processEvent(Container.java:2266)
        at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
        at java.desktop/java.awt.KeyboardFocusManager.redispatchEvent(KeyboardFocusManager.java:1952)
        at java.desktop/java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(DefaultKeyboardFocusManager.java:883)
        at java.desktop/java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(DefaultKeyboardFocusManager.java:1150)
        at java.desktop/java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(DefaultKeyboardFocusManager.java:1020)
        at java.desktop/java.awt.DefaultKeyboardFocusManager.dispatchEvent(DefaultKeyboardFocusManager.java:848)
        at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4882)
        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
        at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
        at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
        at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
        at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
        at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:746)
        at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:744)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:743)
        at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
        at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
        at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
        at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
        at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
        at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

For the generated stager exe program, I right-click to run it with administrator permission, and the online user does not add "*" in the interface of the control terminal, that is, there is no uac permission logo.
So after I run getsystem, it prompts:

beacon> getsystem
[*] Tasked beacon to get SYSTEM
[+] host called home, sent: 2743 bytes
[-] un-implemented relocation type: 4

The beacon running the cs plug-in returns no result, and the beacon exits.

[*] Tasked beacon to run: wmic process get caption,commandline,processid /value
[+] host called home, sent: 92 bytes
[+] beacon exit.

ENV:
Windows 10
java 17.0.7 2023-04-18 LTS
Java(TM) SE Runtime Environment (build 17.0.7+8-LTS-224)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.7+8-LTS-224, mixed mode, sharing)
LLVM-15.0.5-win64.exe

Please fix those