Initial commit

Author: HKirito

dependency-reduced-pom.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>GoogleAuth</groupId>
+  <artifactId>CsRewrite</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <organization>
+    <name>sanwu</name>
+  </organization>
+  <build>
+    <finalName>cstool</finalName>
+    <plugins>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.1</version>
+        <configuration>
+          <source>8</source>
+          <target>8</target>
+        </configuration>
+      </plugin>
+      <plugin>
+        <artifactId>maven-shade-plugin</artifactId>
+        <version>3.2.1</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <transformers>
+                <transformer>
+                  <manifestEntries>
+                    <Main-Class>sanwu.CsRewrite</Main-Class>
+                    <Premain-Class>sanwu.CsRewrite</Premain-Class>
+                  </manifestEntries>
+                </transformer>
+              </transformers>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+</project>

pom.xml

@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>GoogleAuth</groupId>
+    <artifactId>CsRewrite</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+    <organization>
+        <name>sanwu</name>
+    </organization>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+    <build>
+        <finalName>cstool</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <source>8</source>
+                    <target>8</target>
+                </configuration>
+            </plugin>
+
+            <!-- 打包可运行jar包 -->
+<!--            <plugin>-->
+<!--                <groupId>org.apache.maven.plugins</groupId>-->
+<!--                <artifactId>maven-assembly-plugin</artifactId>-->
+<!--                <configuration>-->
+<!--                    <archive>-->
+<!--                        <manifest>-->
+<!--                            <mainClass>sanwu.CsRewrite</mainClass>-->
+<!--                        </manifest>-->
+<!--                    </archive>-->
+<!--                    <finalName>cstool</finalName>-->
+<!--                    <descriptorRefs>-->
+<!--                        <descriptorRef>jar-with-dependencies</descriptorRef>-->
+<!--                    </descriptorRefs>-->
+<!--                </configuration>-->
+<!--                <executions>-->
+<!--                    <execution>-->
+<!--                        <id>make-assembly</id>-->
+<!--                        <phase>package</phase>-->
+<!--                        <goals>-->
+<!--                            <goal>single</goal>-->
+<!--                        </goals>-->
+<!--                    </execution>-->
+<!--                </executions>-->
+<!--            </plugin>-->
+
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.2.1</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <transformers>
+                                <transformer
+                                        implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                                    <manifestEntries>
+                                        <Main-Class>sanwu.CsRewrite</Main-Class>
+                                        <Premain-Class>sanwu.CsRewrite</Premain-Class>
+                                    </manifestEntries>
+                                </transformer>
+                            </transformers>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+
+
+
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.11</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.zxing</groupId>
+            <artifactId>core</artifactId>
+            <version>3.3.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.25.0-GA</version>
+        </dependency>
+        <dependency>
+            <groupId>de.taimos</groupId>
+            <artifactId>totp</artifactId>
+            <version>1.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.zxing</groupId>
+            <artifactId>javase</artifactId>
+            <version>3.3.0</version>
+        </dependency>
+    </dependencies>
+</project>

src/main/java/sanwu/CsRewrite.java

@@ -0,0 +1,114 @@
+package sanwu;
+
+import com.google.zxing.WriterException;
+import javassist.*;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.lang.instrument.Instrumentation;
+import java.util.Scanner;
+
+class CsRewrite {
+
+    /**
+     *
+     * @param agentArgs TOTPSecretKey
+     * @return
+     * @throws Exception
+     */
+    public static void premain(String agentArgs, Instrumentation inst) throws Exception{
+        //Have class resources and TOTP secret
+        ClassPool classPool = ClassPool.getDefault();
+        Loader loader = new Loader(classPool);
+
+
+        //插入类路径，进行获取所需修改的类路径
+        String className = "server.ManageUser";
+
+        //Find ClassFile to byte[] and give it to classfileBuffer
+        CtClass cl = classPool.getCtClass(className);
+        byte[] classfileBuffer = cl.toBytecode();
+
+        //defrost server.ManageUser class
+        cl.stopPruning(true);
+        cl.defrost();
+        byte[] classfileBuffer2 = addCsTransformer(className,classfileBuffer,agentArgs);
+
+        cl = classPool.makeClass(new ByteArrayInputStream(classfileBuffer2));
+        cl.toClass();
+    }
+
+    public static byte[] addCsTransformer(String className,byte[] classfileBuffer,String totpSecretKey) throws Exception{
+        ClassPool classPool = ClassPool.getDefault();
+        try {
+            if (className == null) {
+                return classfileBuffer;
+            } else if (className.equals("server.ManageUser")) { // 只修改 ManageUser 类
+                CtClass cls = classPool.makeClass(new ByteArrayInputStream(classfileBuffer));
+                CtMethod ctmethod = cls.getDeclaredMethod("process",
+                        new CtClass[]{classPool.get("common.Request")});
+                String func = "{"
+                        + "if (!$0.authenticated && \"aggressor.authenticate\".equals($1.getCall()) && $1.size() == 3) {"
+                        + "   java.lang.String mnickname = $1.arg(0)+\"\";"
+                        + "   java.lang.String mpassword = $1.arg(1)+\"\";"
+                        + "   java.lang.String mver = $1.arg(2)+\"\";"
+                        + "   if(mnickname.length() < 6){ $0.client.writeObject($1.reply(\"Dynamic Code Error.\"));return; };" // 用户名如果低于 6 位就直接 return
+
+                        + "   java.lang.String lastcode = sanwu.GoogleAuthenticationTool.getTOTPCode(\""+totpSecretKey+"\");"// 生成 TOTP 6位数字
+                        + "   if(!mnickname.substring(mnickname.length()-6, mnickname.length()).equals(lastcode)) {" // 比对动态口令，如果口令没对上，就 return
+                        + "       $0.client.writeObject($1.reply(\"Dynamic Code Error.\"));return;"
+                        + "   }"
+                        + "}"
+                        + "}";
+                ctmethod.insertBefore(func); // 把上面的代码插入到 process 函数最前面，如果口令正确，就继续走 cs 常规的流程
+                byte[] result = cls.toBytecode();
+                //if not detach ,will frost class
+                cls.detach();
+                return result;
+
+            }
+        } catch (Exception ex) {
+            ex.printStackTrace();
+            System.out.printf("[CSTOTPAgent] PreMain transform Error: %s\n", ex);
+        }
+        return new byte[]{};
+    }
+
+    public static void Generator(){
+        //默认用户名为Steve，title为teamwork;
+        String title = "teamwork";
+        String name = "Steve";
+
+        System.out.println("生成 CobaltStrike TOTP 密钥");
+        String secret = GoogleAuthenticationTool.generateSecretKey();
+        System.out.println("SecretKey: "+secret);
+
+        //Get User input
+        Scanner scanner = new Scanner(System.in);
+        System.out.println("Please input your name and title(,): ");
+        String line = scanner.nextLine();
+        String[] split = line.split(",");
+        if (split[0]==" "){
+            name = split[0];
+            title = split[1];
+        }
+        String QRString = GoogleAuthenticationTool.spawnScanQRString(name,secret,title);
+        String codestring = null;
+        try {
+            codestring = GoogleAuthenticationTool.createQRCode(QRString,"",400,400);
+        } catch (WriterException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        System.out.println(codestring);
+        System.out.println("\nPlease in CS args(file teamserver) plus -javaagent:$yourJarFilePath="+secret);
+        String totpSecretKey = GoogleAuthenticationTool.getTOTPCode(secret);
+    }
+
+    public static void main(String[] args) throws Exception {
+            CsRewrite.Generator();
+    }
+}
+
+

src/main/java/sanwu/GoogleAuthenticationTool.java

@@ -0,0 +1,107 @@
+package sanwu;
+import com.google.zxing.BarcodeFormat;
+import com.google.zxing.MultiFormatWriter;
+import com.google.zxing.WriterException;
+import com.google.zxing.client.j2se.MatrixToImageWriter;
+import com.google.zxing.common.BitMatrix;
+import de.taimos.totp.TOTP;
+import org.apache.commons.codec.binary.Base32;
+import org.apache.commons.codec.binary.Hex;
+
+
+import javax.imageio.ImageIO;
+import java.awt.image.BufferedImage;
+import java.io.*;
+import java.net.URLEncoder;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+
+public class GoogleAuthenticationTool {
+
+    public static String generateSecretKey() {
+        SecureRandom random = new SecureRandom();
+        byte[] bytes = new byte[20];
+        random.nextBytes(bytes);
+        Base32 base32 = new Base32();
+        return base32.encodeToString(bytes);
+    }
+
+    /**
+     * 根据32位随机码获得正确的6位数字
+     *
+     * @param secretKey
+     * @return
+     */
+    public static String getTOTPCode(String secretKey) {
+        Base32 base32 = new Base32();
+        byte[] bytes = base32.decode(secretKey);
+        String hexKey = Hex.encodeHexString(bytes);
+        return TOTP.getOTP(hexKey);
+    }
+
+
+    /**
+     * 生成绑定二维码（字符串）
+     *
+     * @param account   账户信息（展示在Google Authenticator App中的）
+     * @param secretKey 密钥
+     * @param title     标题 （展示在Google Authenticator App中的）
+     * @return
+     */
+    public static String spawnScanQRString(String account, String secretKey, String title) {
+        try {
+            return "otpauth://totp/"
+                    + URLEncoder.encode(title + ":" + account, "UTF-8").replace("+", "%20")
+                    + "?secret=" + URLEncoder.encode(secretKey, "UTF-8").replace("+", "%20")
+                    + "&issuer=" + URLEncoder.encode(title, "UTF-8").replace("+", "%20");
+        } catch (UnsupportedEncodingException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    /**
+     * 生成二维码（文件）【返回图片的base64，若指定输出路径则同步输出到文件中】
+     *
+     * @param barCodeData 二维码字符串信息
+     * @param outPath     输出地址
+     * @param height
+     * @param width
+     * @throws WriterException
+     * @throws IOException
+     */
+    public static String createQRCode(String barCodeData, String outPath, int height, int width)
+            throws WriterException, IOException {
+        BitMatrix matrix = new MultiFormatWriter().encode(barCodeData, BarcodeFormat.QR_CODE,
+                width, height);
+        BufferedImage bufferedImage = MatrixToImageWriter.toBufferedImage(matrix);
+
+        ByteArrayOutputStream bof = new ByteArrayOutputStream();
+        ImageIO.write(bufferedImage, "png", bof);
+        String base64 = imageToBase64(bof.toByteArray());
+        if(outPath!=null&&!outPath.equals("")) {
+            try (FileOutputStream out = new FileOutputStream(outPath)) {
+                MatrixToImageWriter.writeToStream(matrix, "png", out);
+            }
+        }
+        return base64;
+    }
+
+    /**
+     * 将图片文件转换成base64字符串，参数为该图片的路径
+     *
+     * @param dataBytes
+     * @return java.lang.String
+     */
+    private static String imageToBase64(byte[] dataBytes) {
+        // 对字节数组Base64编码
+        String encoded = Base64.getEncoder().encodeToString(dataBytes);
+        //Base32 base32 = new Base32();
+        //String encoded = base32.encodeToString(dataBytes);
+        if (dataBytes != null) {
+            return "data:image/jpeg;base64," + encoded;// 返回Base64编码过的字节数组字符串
+        }
+        return null;
+    }
+
+}