Identifying Cobalt Strike team servers in the wild by using ZoomEye(Part 2)

by Heige of KnownSec 404 Team 04/10/2020

Last year, I posted an article “Identifying Cobalt Strike team servers in the wild by using ZoomEye” (https://medium.com/@80vul/identifying-cobalt-strike-team-servers-in-the-wild-by-using-zoomeye-debf995b6798) . In the article, I introduce a method for identifying Cobalt Strike through ZoomEye, which is different from the “extraneous space” method proposed by Fox-it.

Cobalt Strike also changed the order of the http banner while fixing the “extraneous space” bug in Cobalt Strike 3.13, released on January 2nd of 2019. So the ZoomEye Dork :

https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20404%20Not%20Found%20%20%20Content-Type%3A%20text%2Fplain%20Date%3A%22%20%2B%22Content-Length%3A%200%22%20-Connection

It is only suitable for Cobalt Strike < 3.13 .

So “how do we find new versions of Cobalt Strike (>=3.13) through zoomeye?” I asked this question at the end of the last article, and I hope someone will give me the answer. Unfortunately, everyone seems to have little interest?

I noticed that Cobalt Strike 4.0 has been released, the latest update is Feb 22, 2020. So I think it ’s time to give the answer to the question.

First we have to do look at the banner data :

➜ 404team curl http://x.x.x.x:8001 -v
* Rebuilt URL to: http://x.x.x.x:8001/
* Trying x.x.x.x…
* TCP_NODELAY set
* Connected to x.x.x.x (x.x.x.x) port 8001 (#0)
> GET / HTTP/1.1
> Host: x.x.x.x:8001
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Thu, 26 Mar 2020 13:19:16 GMT
< Content-Type: text/plain
< Content-Length: 0
<
* Connection #0 to host x.x.x.x left intact

Here I need to introduce a ZoomEye feature: ZoomEye uses word segmentation matching, so the carriage return and line feed symbols are understood as spaces.

HTTP/1.1 404 Not Found Date: Fri, 10 Apr 2020 07:16:27 GMT Content-Type: text/plain Content-Length: 0

Because the date inside changes, so we divide into three parts:

1 HTTP/1.1 404 Not Found Date:
2 Fri, 10 Apr 2020 07:16:27
3 GMT Content-Type: text/plain Content-Length: 0

Next I will try to query 1 +3

https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20404%20Not%20Found%20Date%3A%22%20%2B%22GMT%20Content-Type%3A%20text%2Fplain%20Content-Length%3A%200%22&t=all

Obviously we found some wrong banners, such as this:

HTTP/1.1 404 Not Found
Date: Thu, 09 Apr 2020 13:06:17 GMT
Content-Type: text/plain
Content-Length: 0
Connection: close
Server: FP6.1.1728.65

We need to exclude data containing “Connection:” , Here directly use ZoomEye logical operation not symbol “-” ,So the final ZoomEye dork for Cobalt Strike >=3.13 is:

https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20404%20Not%20Found%20Date%3A%22%20%2B%22GMT%20Content-Type%3A%20text%2Fplain%20Content-Length%3A%200%22%20%20-%22Connection%22

About 3,831 results in ZoomEye:

We find a few real IP test our results:

https://twitter.com/VK_Intel/status/1247249887349047298 CobaltStrike C2ip 31.44.184.48

https://twitter.com/bryceabdo/status/1247550103205875717 CobaltStrike C2ip 134.122.103.239

Yes, the results speak for themselves!

At the end of the article, I want to tell everyone that ZoomEye 50% OFF is in progress.If you are interested, you can try it. Wish you all a happy dork game!

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)