Cobalt Strike Tutorial Series Chapter 1: Introduction and Installation

Cobalt Strike is an easy-to-use penetration testing tool that supports several protocols for hosting and launching payloads, and integrates functions such as privilege escalation, credential dumping, port forwarding, SOCKS proxying, Office document attacks, file bundling, and phishing. Cobalt Strike can also call other well-known tools such as Mimikatz, which is why it is so popular with experienced practitioners.


Cobalt Strike is developed by Red Team in the United States; the official website is cobaltstrike.com.

The author believes that learning to use this powerful tool can help in our penetration testing work, so I am sharing some of my learning experience in the hope that it gives you a little help.


The community version of this tool is known as Armitage (a graphical front end for MSF); Cobalt Strike is the commercial counterpart of Armitage.

Early versions of Cobalt Strike relied on the Metasploit framework, but Cobalt Strike no longer uses MSF and now runs as a standalone platform. It is divided into a client (Client) and a server (Teamserver): there is one server and there can be multiple clients, so a team can operate cooperatively in a distributed way.

 Cobalt Strike architecture

The author is using Cobalt Strike version 3.13. Although the official release has moved on to version 3.14, version 3.14 is not stable, so it is not recommended.

The file structure of version 3.13 is as follows:

  • Scripts: plugins installed by the user
  • Logs: one log per day
  • c2lint: checks profiles for errors and exceptions
  • cobaltstrike
  • cobaltstrike.jar: client program
  • icon.jpg: logo
  • license.pdf: license document
  • readme.txt
  • releasenotes.txt
  • teamserver: server program
  • update
  • update.jar: update program
  • third-party: third-party tools, including the VNC DLL

Of course, CS also lets users extend its functionality (private customization):

(1) Cobalt Strike can be extended with Aggressor Script, which can add menu items, Beacon console commands, privilege-escalation scripts, and so on;

(2) The Cobalt Strike communication profile is called Malleable C2; it lets you change the network indicators of CS traffic and some behaviors of the Beacon payload;

(3) Cobalt Strike can integrate other communication frameworks through External C2, a specification/framework proposed by Cobalt Strike that lets operators extend the default HTTP(S)/DNS/SMB C2 channels provided by the framework as needed.

In general, the customization features of CS are powerful and flexible; we will cover their use later.

Starting the Cobaltstrike teamserver

Starting the Cobaltstrike teamserver and running the GUI both require a Java environment, so you must first install Java on the computer.

 1. Start teamserver on Windows

(1) Download keytool.exe from the link below and copy it into the Cobaltstrike folder:

http://www.onlinedown.net/soft/614989.htm

(2) Switch to the Cobaltstrike directory and execute the following command:

Keytool.exe -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"


(3) Execute the command:

teamserver.bat 8.8.8.8 123456

Here 8.8.8.8 is your server's external IP and 123456 is the password that Cobaltstrike clients use to connect to the teamserver.

(4) Double-click cobaltstrike.bat, fill in the server's external IP and the teamserver password, and log in:
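The keytool command in step (2) hard-codes the certificate subject, so every teamserver set up this way presents the same distinguished name to clients and to anyone inspecting the TLS handshake. The following Python is an added defensive example (not part of the tutorial or of Cobalt Strike) that scores a certificate subject string, as it might appear in a TLS inspection log, against those default fields; the sample subjects are constructed.

```python
"""Flag TLS certificate subjects that match the default Cobalt Strike keystore DN.

Added example, not from the tutorial: the -dname used above is the well-known
default, and a server still using it can be matched on its subject fields alone.
"""
import re

# Subject fields taken from the keytool -dname argument shown in the tutorial.
DEFAULT_CS_SUBJECT = {
    "CN": "Major Cobalt Strike",
    "OU": "AdvancedPenTesting",
    "O": "cobaltstrike",
    "L": "Somewhere",
    "ST": "Cyberspace",   # keytool writes S= as the ST (stateOrProvinceName) attribute
    "C": "Earth",
}


def parse_dn(dn: str) -> dict:
    """Parse a 'CN=x, OU=y' style DN into a dict (handles escaped commas and the S alias)."""
    fields = {}
    for part in re.split(r"(?<!\\),", dn):   # split on commas that are not escaped
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().upper()
        if key == "S":
            key = "ST"
        fields[key] = value.strip().replace("\\,", ",")
    return fields


def score_cs_default_subject(dn: str) -> tuple:
    """Return (number of default fields matched, list of the matching attribute names)."""
    fields = parse_dn(dn)
    matched = [k for k, v in DEFAULT_CS_SUBJECT.items()
               if fields.get(k, "").lower() == v.lower()]
    return len(matched), matched


def is_default_cs_cert(dn: str, min_fields: int = 3) -> bool:
    """True when at least min_fields of the six default subject fields match (partial edits still flag)."""
    return score_cs_default_subject(dn)[0] >= min_fields


# Constructed sample subjects in the form a TLS inspection log might record them.
SAMPLE_SUBJECTS = [
    "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth",
    "CN=www.example.com, O=Example Corp, L=Springfield, ST=IL, C=US",
    "CN=update.example.net, OU=AdvancedPenTesting, O=cobaltstrike, C=Earth",
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        count, keys = score_cs_default_subject(subject)
        print(f"{count}/6 default fields {keys} -> {subject}")
```

Anyone running a teamserver should change the -dname values (and ideally use a proper certificate) precisely because this match is so easy; the threshold of three fields catches partially edited defaults as well.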


 2. Start teamserver and client under Linux

(1) cd into the Cobaltstrike directory

(2) Execute the command (teamserver is the server shell script in the Cobaltstrike directory):

./teamserver 8.8.8.8 123456

Here 8.8.8.8 is your server's external IP and 123456 is the password that Cobaltstrike clients use to connect to the teamserver.

(3) Run the following command to open the GUI client (the -javaagent:CobaltStrikeCN.jar option loads a third-party Chinese localization agent that is not part of the official distribution; omit it if you do not have that file):

java -Dfile.encoding=UTF-8 -javaagent:CobaltStrikeCN.jar -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar


Introduction to Listeners

 1. Introduction to Cobaltstrike Listeners

Listener: an object designed to wait for, and handle, events or state changes occurring on other objects, and to take the corresponding action as soon as the monitored event occurs.

Listeners exist in many penetration testing tools, such as Empire, Metasploit, and Cobaltstrike. Put simply, a Listener is the module that receives the connection from the target host and thereby gives you control of it.

To create a Listener: Cobaltstrike -> Listeners

Currently I am using Cobaltstrike version 3.13, which has nine Listeners built-in.

windows/beacon_dns/reverse_dns_txt
windows/beacon_dns/reverse_http
windows/beacon_tcp/bind_tcp
windows/beacon_http/reverse_http
windows/beacon_https/reverse_https
windows/beacon_smb/bind_pipe
windows/foreign/reverse_http
windows/foreign/reverse_https
windows/foreign/reverse_tcp

Beacon is the built-in payload and listener of CS: when the payload executes successfully on the target system, a Beacon session appears in CS.

Foreign listeners are for handing sessions to external tools, for example when you want CS to spawn a Meterpreter or Armitage shell to continue the subsequent intranet penetration; in that case choose a foreign listener.

As for how to achieve the linkage between Cobaltstrike and MSF and Armitage, please pay attention to the follow-up push articles on the official account.

 2. Listener configuration

 Select Cobaltstrike -> Listeners

Then enter a name for the listener, select the Listener type you want to use, configure the external IP and port (the port must not conflict with another service), and click Save. The listener can then be selected when generating payloads later.


 Cobalt Strike spawns a backdoor

1. The concept of a Payload

A Payload can be simply understood as the piece of code or program that is delivered to the target during exploitation or used to implant a backdoor in penetration testing.

 2. Cobalt Strike generates a backdoor

 Attack -> generate backdoors

Let's first cover the four ways to generate backdoors shown in the red box; the rest are more specialized and will be explained separately later.

Payload Generator

This module can generate backdoor payloads in many languages, including C, C#, Python, Java, Perl, PowerShell scripts, PowerShell commands, Ruby, Raw, shellcode for the Veil evasion framework, and so on. Personally, I feel this is one of the big attractions of CS.

When working against Windows hosts, I use PowerShell and PowerShell Command more often, mainly because they are convenient and easy to use, and can evade antivirus software (AV) detection.

Taking PowerShell Command as an example, the generated Payload is a string of commands; as long as that command string is executed on the host (which needs to have PowerShell installed), CS receives the host's Beacon.

 Payloads in the other languages you can research on your own.

Windows Dropper

This is a bundler for Windows programs that attaches a backdoor to another file, such as a Minesweeper game or some other tempting executable.

Here, the file I bundled is nidongde.txt, and the generated backdoor is called dropper.exe.

After dropper.exe is executed, the nidongde.txt file is released and CS receives the session as well.


Windows Executable / Windows Executable (S)

1. The backdoor generated by Windows Executable is a Windows executable file, such as an EXE or a DLL.

 Once the executable runs, CS receives the session from the target host.

As for DLLs, they can be used with DLL-related attack methods; please watch for the follow-up articles on the official account.

2. Windows Executable (S) is the stageless version (a stageless Windows backdoor). Let's briefly explain how to use this stageless backdoor. The network environment in which stageless backdoors are typically used looks like this.

First you need a host on the intranet to act as a relay for the stageless backdoor.

Here, select the listener of the relay to generate the backdoor. Note that if the firewall is turned on, a Windows security alert will be raised, so it is best to add a firewall allow rule from cmd or turn off the firewall in advance; then upload the stageless backdoor to other machines on the intranet to get a session back.

That is all for today; did you follow it? We will continue to publish the Cobalt Strike series, and I hope you will keep an eye out for it.
