CobaltStrike is a penetration testing tool, known in the industry as the CS "divine tool". CobaltStrike is split into a client and a server: there is exactly one server, there can be many clients, and a team can hand out clients so its members collaborate on one operation.

CobaltStrike integrates port forwarding, service scanning, automatic overflow, multi-mode port listening, Windows exe Trojan generation, Windows dll Trojan generation, Java Trojan generation, Office macro virus generation and Trojan bundling. Its phishing attacks include site cloning, target information gathering, Java execution, automatic browser attacks and other powerful functions.

Installation of CobaltStrike

I take Kali installation as an example here:

First download the JDK; the tarball used below is jdk-8u191-linux-x64.

Upload to Kali and extract: tar -xzvf jdk-8u191-linux-x64.tar.gz
Move to the opt directory: mv jdk1.8.0_191/ /opt/
Go to the jdk directory: cd /opt/jdk1.8.0_191
 
Execute vim ~/.bashrc and add the following
# install JAVA JDK
export JAVA_HOME=/opt/jdk1.8.0_191
export CLASSPATH=.:${JAVA_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
Save and exit
Execute: source ~/.bashrc
 
Execution:
update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_191/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_191/bin/javac 1
update-alternatives --set java /opt/jdk1.8.0_191/bin/java
update-alternatives --set javac /opt/jdk1.8.0_191/bin/javac
 
View Results:
update-alternatives --config java
update-alternatives --config javac
 

After installing java, let's install CobaltStrike!

Upload to Kali and unzip: unzip cobaltstrike-linux.zip
Go to the cobaltstrike directory: cd cobaltstrike-linux/

Start the server:

./teamserver 192.168.10.11 123456    # 192.168.10.11 is the IP address of Kali, 123456 is the password
To run it in the background so it keeps running after the current terminal is closed: nohup ./teamserver 192.168.10.11 123456 &
 

The CobaltStrike team server listens on port 50050 by default. To change this default, open the teamserver file and replace 50050 with the port number you want.
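As an added defender-side check (not part of the original post and not CobaltStrike's own code): the default port 50050 and the password passed on the teamserver command line both leave traces on the host that runs the team server. The script below scans text captured from `ss -tlnp` and `ps -eo pid,args` for those two traces; the sample captures are constructed for the example, and the jar and class names in the java line are assumptions.

```python
import re

TEAMSERVER_DEFAULT_PORT = 50050  # the default named in the walkthrough above

# One `ss -tlnp` row: state, queues, local addr:port, peer addr:port, process column.
_SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
_SS_PID = re.compile(r"pid=(\d+)")
# The launch syntax shown above: [nohup] ./teamserver <host> <password> [...]
_TS_CMD = re.compile(r"(?:^|\s)(?:nohup\s+)?(?:\S*/)?teamserver\s+(\S+)\s+(\S+)")

def find_listeners(ss_output, port=TEAMSERVER_DEFAULT_PORT):
    """Return [(local_addr, pid_or_None)] for every LISTEN socket bound to `port`."""
    hits = []
    for line in ss_output.splitlines():
        m = _SS_ROW.match(line.strip())
        if m and int(m.group(2)) == port:
            pid = _SS_PID.search(m.group(3))
            hits.append((m.group(1), int(pid.group(1)) if pid else None))
    return hits

def find_teamserver_processes(ps_output):
    """Return [(pid, callback_host)] for argv lines matching the teamserver launch.
    The password token is matched but never stored: the finding is that it sits in
    argv at all, where any local user can read it with ps."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        m = _TS_CMD.search(parts[1]) if len(parts) == 2 and parts[0].isdigit() else None
        if m:
            hits.append((int(parts[0]), m.group(1)))
    return hits

def report(ss_output, ps_output, port=TEAMSERVER_DEFAULT_PORT):
    findings = [f"listener on port {port}: {addr} (pid={pid})"
                for addr, pid in find_listeners(ss_output, port)]
    findings += [f"teamserver launch in argv: pid={pid}, host={host}, password visible in ps"
                 for pid, host in find_teamserver_processes(ps_output)]
    return findings

# Constructed sample captures for this example (not output from any real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      50     *:50050            *:*               users:(("java",pid=4242,fd=12))
"""
SAMPLE_PS = """\
701 sshd: /usr/sbin/sshd -D
4241 /bin/bash ./teamserver 192.168.10.11 123456
4242 java -server -classpath ./cobaltstrike.jar server.TeamServer
"""
```

Both checks are cheap to run from a cron job or configuration audit on hosts where no team server is supposed to exist; the pid in the socket column lets you tie the listener back to the launching shell.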

 

Start client:

./cobaltstrike

Here, Host is the IP of Kali and Password is the password we gave when starting the team server.

 

Client after startup:

We can also open the CobaltStrike client on Windows and point it at the IP the team server was started with.

 

Use of CobaltStrike

Creating a listener:

Click the CobaltStrike menu in the upper left -> select Listeners from the drop-down -> click Add in the panel that appears below

Name: the name of the listener, can be arbitrary
Payload: the payload type
Host: the host the shell connects back to, i.e. our Kali IP
Port: the callback port
 

There are 9 options for Payload here, as follows:

Internal Listener

  • windows/beacon_dns/reverse_dns_txt
  • windows/beacon_dns/reverse_http
  • windows/beacon_http/reverse_http
  • windows/beacon_https/reverse_https
  • windows/beacon_smb/bind_pipe

External Listener

  • windows/foreign/reverse_dns_txt
  • windows/foreign/reverse_http
  • windows/foreign/reverse_https
  • windows/foreign/reverse_tcp

Beacon is CobaltStrike's built-in listener: the corresponding payload is executed on the target host and the resulting shell is returned to CS. It comes in DNS, HTTP, HTTPS and SMB variants. Beacon can egress over the DNS or HTTP protocol, and you can even switch between HTTP and DNS while communicating with it. It also supports multiple callback hosts: when deploying Beacon you submit a list of domain names or hosts to call back to, and Beacon polls through them in turn, so the target network's defenders must block every host in the list to interrupt its communication. Once a shell has been obtained in any way (for example by running the generated exe directly), Beacon can be used. Foreign is a listener for external tools and is commonly combined with MSF, for example to hand a meterpreter session to MSF. Different Beacons support different system architectures (32-bit/64-bit), as follows:
 

Create Attacks:

There are several types of Attacks here, as follows:

  • HTML Application generates a PowerShell-based malicious HTML Application Trojan with the .hta suffix;
  • MS Office Macro generates Office macro virus files;
  • Payload Generator generates payloads in various languages;
  • USB/CD AutoPlay generates Trojan files that run via AutoPlay;
  • Windows Dropper is a bundler that can bundle document-type files;
  • Windows Executable generates an executable exe Trojan;
  • Windows Executable(S) generates a stageless executable exe Trojan.

Attacks -> Web Drive-by

 
  • Manage manages the web services that have been started;
  • Clone Site clones a website and can record data submitted by victims;
  • Host File serves a file for download and lets you set its MIME type; combined with DNS spoofing it can be used for drive-by delivery;
  • Scripted Web Delivery is similar to msf's web_delivery;
  • Signed Applet Attack starts a web service that provides a runtime environment for a self-signed Java applet;
  • Smart Applet Attack automatically detects the Java version and uses known exploits to bypass its security;
  • System Profiler gathers system information such as the OS version, Flash version and browser version;
  • Spear Phish is the module for e-mail phishing.

View:

Click on View in the middle

 
  • Applications displays the applications installed on the victim machine;
  • Credentials displays the credentials collected from the victim machine, which makes further penetration easier;
  • Downloads lists downloaded files;
  • Event Log shows the event log, where you can clearly follow what happened in the session and the team can chat;
  • Keystrokes shows the keylogging records;
  • Proxy Pivots shows proxy information;
  • Screenshots shows captured screenshots;
  • Script Console is where you load scripts to extend functionality, script address: https://github.com/rsmudge/cortana-scripts
  • Targets shows the targets;
  • Web Log shows the web logs;
  • Reporting is used mainly for generating reports.

 

Operation on the controlled host

Interact
Access
  Dump Hashes
  Elevate
  Golden Ticket
  Make Token
  Run Mimikatz
  Spawn As
Explore
  Browser Pivot
  Desktop (VNC)
  File Browser
  Net View
  Port Scan
  Process List
  Screenshot
Pivoting
  SOCKS Server
  Listener
  Deploy V
Spawn
Session

Dump hashes and plaintext passwords

Both functions require Administrator or SYSTEM privileges.

Dump the password hashes: right-click the host -> Access -> Dump Hashes

Use Mimikatz to dump plaintext passwords: right-click the controlled host -> Access -> Run Mimikatz

 

There are three privilege escalation payloads available by default, namely MS14-058, uac-dll, and uac-token-duplication.

 

We select MS14-058 and click Launch

 

After that, it will pop back a beacon with system permissions.

 

We can also add privilege escalation scripts of our own. There is a privilege escalation kit on GitHub that adds several more escalation methods: https://github.com/rsmudge/ElevateKit . After downloading the kit, load it as follows:

 
 

Open the Elevate dialog again and several more privilege escalation methods are now listed.

 

Use the controlled host to set up a SOCKS4 proxy

When the host we control is a server on the boundary between the public network and the intranet, and we want to use it to continue into the intranet, we can have CS set up a SOCKS4a proxy on it.

Right-click the controlled host -> Pivoting -> SOCKS Server

 

This is the port the SOCKS proxy will listen on. Enter any unoccupied port; CS fills in a default one, so we can simply click Launch.

 
 

With that, a SOCKS4 proxy is running on our own host. The proxy IP is the IP of our CS server and the port is 38588.

To view all proxy settings in CS, click View -> Proxy Pivots.

 
 

Process list (process injection, keylogging)

Right-click the controlled host -> Explore -> Process List

 

list of processes

 

Select a process. Kill terminates the process, Refresh refreshes the list, Inject injects a Beacon into the process, Log Keystrokes starts keylogging, Screenshot takes a screenshot, and Steal Token steals the token of the user running the selected program.

Here we focus on process injection and keylogging.

Inject (process injection)

Select a process, click Inject, choose a listener and click Choose. CobaltStrike then receives a new session from the target machine: this is the Beacon that was successfully injected into the chosen process. The function injects your Beacon session into another program, so after injection we keep control of the host for as long as that normal process is not killed.

 
 
 
 

Keylogging

Select any process and click Log Keystrokes to start recording the host's keystrokes.

 
 

View the keylogging results: click the key-shaped button and the captured keystrokes are shown below. All keystrokes on the host are recorded, not just those of the selected process.

 

The keylogging record; you can also start it by entering keylogger directly.
