Identifying Cobalt Strike team servers in the wild by using ZoomEye(Part 2)
by Heige of KnownSec 404 Team 04/10/2020
Last year, I posted an article “Identifying Cobalt Strike team servers in the wild by using ZoomEye” (https://medium.com/@80vul/identifying-cobalt-strike-team-servers-in-the-wild-by-using-zoomeye-debf995b6798) . In the article, I introduce a method for identifying Cobalt Strike through ZoomEye, which is different from the “extraneous space” method proposed by Fox-it.
Cobalt Strike also changed the order of the http banner while fixing the “extraneous space” bug in Cobalt Strike 3.13, released on January 2nd of 2019. So the ZoomEye Dork :
It is only suitable for Cobalt Strike < 3.13 .
So “how do we find new versions of Cobalt Strike (>=3.13) through zoomeye?” I asked this question at the end of the last article, and I hope someone will give me the answer. Unfortunately, everyone seems to have little interest?
I noticed that Cobalt Strike 4.0 has been released, the latest update is Feb 22, 2020. So I think it ’s time to give the answer to the question.
First we have to do look at the banner data :
➜ 404team curl http://x.x.x.x:8001 -v
* Rebuilt URL to: http://x.x.x.x:8001/
* Trying x.x.x.x…
* TCP_NODELAY set
* Connected to x.x.x.x (x.x.x.x) port 8001 (#0)
> GET / HTTP/1.1
> Host: x.x.x.x:8001
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Thu, 26 Mar 2020 13:19:16 GMT
< Content-Type: text/plain
< Content-Length: 0
<
* Connection #0 to host x.x.x.x left intact
Here I need to introduce a ZoomEye feature: ZoomEye uses word segmentation matching, so the carriage return and line feed symbols are understood as spaces.
HTTP/1.1 404 Not Found Date: Fri, 10 Apr 2020 07:16:27 GMT Content-Type: text/plain Content-Length: 0
Because the date inside changes, so we divide into three parts:
1 HTTP/1.1 404 Not Found Date:
2 Fri, 10 Apr 2020 07:16:27
3 GMT Content-Type: text/plain Content-Length: 0
Next I will try to query 1 +3
Obviously we found some wrong banners, such as this:
HTTP/1.1 404 Not Found
Date: Thu, 09 Apr 2020 13:06:17 GMT
Content-Type: text/plain
Content-Length: 0
Connection: close
Server: FP6.1.1728.65
We need to exclude data containing “Connection:” , Here directly use ZoomEye logical operation not symbol “-” ,So the final ZoomEye dork for Cobalt Strike >=3.13 is:
About 3,831 results in ZoomEye:
We find a few real IP test our results:
https://twitter.com/VK_Intel/status/1247249887349047298 CobaltStrike C2ip 31.44.184.48
https://twitter.com/bryceabdo/status/1247550103205875717 CobaltStrike C2ip 134.122.103.239
Yes, the results speak for themselves!
At the end of the article, I want to tell everyone that ZoomEye 50% OFF is in progress.If you are interested, you can try it. Wish you all a happy dork game!