CobaltStrike is a penetration testing tool, known in the industry as the "CS divine tool". CobaltStrike is split into a client and a server: there is a single server, and there can be several clients, so a team can distribute the work and collaborate on group operations.

CobaltStrike integrates port forwarding, service scanning, automatic overflow exploitation, multi-mode port listening, Windows EXE Trojan generation, Windows DLL Trojan generation, Java Trojan generation, Office macro virus generation and Trojan bundling. Its phishing features include site cloning, target information gathering, Java execution, automatic browser attacks and other powerful functions!

Installation of CobaltStrike

I will take a Kali installation as the example here:

First download the JDK (jdk-8u191-linux-x64.tar.gz is used below).

Upload it to Kali and extract it: tar -xzvf jdk-8u191-linux-x64.tar.gz
Move it to the opt directory: mv jdk1.8.0_191/ /opt/
Enter the jdk directory: cd /opt/jdk1.8.0_191
Run vim ~/.bashrc and add the following:
# install JAVA JDK
export JAVA_HOME=/opt/jdk1.8.0_191
export CLASSPATH=.:${JAVA_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
Save and exit.
Run: source ~/.bashrc
Register this JDK with update-alternatives and make it the default:
update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_191/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_191/bin/javac 1
update-alternatives --set java /opt/jdk1.8.0_191/bin/java
update-alternatives --set javac /opt/jdk1.8.0_191/bin/javac
Check the result:
update-alternatives --config java
update-alternatives --config javac

After installing Java, let's install CobaltStrike!

Upload it to Kali and unzip it: unzip
Enter the cobaltstrike directory: cd cobaltstrike-linux/

Start the server:

Start the team server: ./teamserver <kali ip> 123456 # the first argument is the ip address of kali, 123456 is the password
Run it in the background so that it keeps running after the current terminal is closed: nohup ./teamserver <kali ip> 123456 &

By default the CobaltStrike team server listens on port 50050. To change this default port, open the teamserver file and replace 50050 with any other port number.


Start the client:

Here, Host is the IP of Kali and the password is the one we set when starting the team server.

The client after startup:

We can also open the CobaltStrike client on Windows and set the host to the IP we started the team server on.


Use of CobaltStrike

Creating a listener:

Click the Cobalt Strike menu at the top left -> select Listeners from the drop-down -> click Add in the panel that opens below.

name: the name of the listener, which can be anything
payload: the payload type
Host: the host the shell calls back to, i.e. our Kali IP
Port: the callback port

There are 9 options for Payload here, as follows:

Internal Listener

  • windows/beacon_dns/reverse_dns_txt
  • windows/beacon_dns/reverse_http
  • windows/beacon_http/reverse_http
  • windows/beacon_https/reverse_https
  • windows/beacon_smb/bind_pipe

External Listener

  • windows/foreign/reverse_dns_txt
  • windows/foreign/reverse_http
  • windows/foreign/reverse_https
  • windows/foreign/reverse_tcp

Beacon is CobaltStrike's built-in listener: it executes the corresponding payload on the target host and returns the shell to CS. It comes in DNS, HTTP, HTTPS and SMB variants. Beacon can egress through DNS or HTTP, and you can even switch between HTTP and DNS while communicating with Beacon. It supports multiple callback hosts: after deploying Beacon, you supply a list of domain names or hosts to call back to, and Beacon polls through them, so the target network's defenders must block every host in the list to interrupt its communication. Once a shell has been obtained by any means (for example by running the generated exe directly), Beacon can be used. Foreign is an external listener for combining with other tools, most often MSF, for example to hand a meterpreter session to MSF. Different Beacons support different system architectures, as follows:

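Seen from the target network's side, the two traits just described (a team server on its default port 50050, and Beacon's regular check-ins across one or more callback hosts) are what defenders look for. As an added example (not part of the original post or of CobaltStrike itself), this script runs both checks over a constructed connection log; the log format, addresses and jitter threshold are assumptions.

```python
# Added example, not part of the original post: spot the two team-server
# traffic traits described above in a constructed connection log.
from collections import defaultdict
from statistics import mean, pstdev

TEAMSERVER_PORT = 50050  # CobaltStrike team server default named in the text

# Constructed log, one connection per line: "epoch_seconds src dst dport".
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 443
1060 10.0.0.5 203.0.113.10 443
1120 10.0.0.5 203.0.113.10 443
1180 10.0.0.5 203.0.113.10 443
1240 10.0.0.5 203.0.113.10 443
1005 10.0.0.7 198.51.100.20 443
1300 10.0.0.7 198.51.100.20 443
1310 10.0.0.7 198.51.100.20 443
2000 10.0.0.7 198.51.100.20 443
1500 10.0.0.9 203.0.113.10 50050
"""

def parse(log):
    """Turn the log text into (timestamp, src, dst, dport) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        rows.append((int(ts), src, dst, int(dport)))
    return rows

def teamserver_port_hits(rows, port=TEAMSERVER_PORT):
    """Connections to the default team server port (exposure check)."""
    return [(src, dst) for _, src, dst, dport in rows if dport == port]

def periodic_pairs(rows, min_conns=4, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection gaps are nearly constant, the
    shape of a Beacon check-in; a Beacon rotating through its host list
    shows up as several such pairs for the same src."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged[pair] = round(mean(gaps))  # check-in interval, seconds
    return flagged
```

Real Beacons can add sleep jitter, so in practice the threshold is tuned per environment and combined with other signals rather than used alone.
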
Create Attacks:

There are several types of Attacks here, as follows:

  • HTML Application generates a PowerShell-based malicious HTML Application Trojan with the .hta suffix;
  • MS Office Macro generates Office macro virus files;
  • Payload Generator generates payloads in various languages;
  • USB/CD AutoPlay generates Trojan files that run via AutoPlay;
  • Windows Dropper is a bundler that can bundle document files;
  • Windows Executable generates an executable EXE Trojan;
  • Windows Executable(S) generates a stateless executable EXE Trojan.

Attacks -> Web Drive-by

  • Manage manages the web services that have been started;
  • Clone Site clones a website and can record the data victims submit to it;
  • Host File hosts a file for download and lets you modify its MIME information; combined with DNS spoofing, Host File can be used to plant the Trojan on a page (a drive-by download);
  • Scripted Web Delivery is similar to msf's web_delivery;
  • Signed Applet Attack starts a web service that provides a runtime environment for self-signed Java applets;
  • Smart Applet Attack automatically detects the Java version and uses known exploits to bypass security;
  • System Profiler is used to gather system information such as the system version, Flash version and browser version;
  • Spear Phish is the module for email phishing.


Click View in the menu bar:

  • Applications displays the applications on the victim machine;
  • Credentials displays the credentials gathered from victim machines, which makes later penetration more convenient;
  • Downloads lists downloaded files;
  • Event Log shows the event log, so you can clearly see system events, and the team can chat here;
  • Keystrokes views the keyboard records;
  • Proxy Pivots views proxy information;
  • Screenshots views screenshots;
  • Script Console is where you can load various scripts to extend functionality, script address:
  • Targets views targets;
  • Web Log views web logs;
  • Reporting is mainly for generating reports.


Operations on the controlled host:

  • Dump Hashes
  • Golden Ticket
  • Make Token
  • Run Mimikatz
  • Spawn As
  • Browser Pivot
  • File Browser
  • Net View
  • Port Scan
  • Process List
  • SOCKS Server
  • Deploy V

Grab hashes and dump plaintext passwords

Both functions require administrator or SYSTEM privileges.

Grab the password hashes: right-click the host -> Access -> Dump Hashes

Use mimikatz to grab plaintext passwords: right-click the controlled host -> Access -> Run Mimikatz


There are three privilege escalation payloads available by default: MS14-058, uac-dll and uac-token-duplication.

We select MS14-058 and click Launch.

After that, it calls back a Beacon with SYSTEM privileges.

We can also add privilege escalation scripts ourselves. There is a privilege escalation kit on GitHub that adds several more privilege escalation methods: . After downloading the privilege escalation toolkit, load it as follows:

Open the privilege escalation menu again and you can see several more privilege escalation methods.


Use the controlled host to establish a SOCKS4 proxy

When the host we control is a server sitting at the boundary between the public network and the intranet, and we want to use it to continue into the intranet, we can use CS to establish a SOCKS4a proxy.

Right-click the controlled host -> Pivoting -> SOCKS Server

Here you enter the port the SOCKS proxy will listen on. Any unoccupied port will do; CS fills in a default, so we can simply click Launch.

We have now set up a SOCKS4 proxy on our own host. The proxy IP is the IP of our CS server and the port is 38588.

To view all of CS's proxy settings, click View -> Proxy Pivots.


Process list (process injection, keyboard monitoring)

Right-click the controlled host -> Explore -> Process List

The list of processes:

Select a process: Kill kills the process, Refresh refreshes the list, Inject injects a Beacon into the process, Log Keystrokes records keystrokes, Screenshot takes screenshots, and Steal Token steals the token of the user running the selected program.

Here we focus on process injection and keylogging.

Inject (process injection)

Select the process, click Inject, then select a listener and click Choose. CobaltStrike then returns a new session for the target machine: the Beacon session that was successfully injected into the chosen process. This function injects your Beacon session into another program, and after injection we keep control of the host as long as that normal process is not killed.
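
On the defender's side, this is the footprint to hunt for: one process creating a thread in another, with the thread starting at an address that no loaded module backs. As an added example (not part of the original post or of CobaltStrike), the script below applies that heuristic to constructed Sysmon Event ID 8 (CreateRemoteThread) records; the field names are Sysmon's, while the paths, addresses and the allowlist are assumed sample values.

```python
# Added example, not part of the original post: a heuristic over constructed
# Sysmon Event ID 8 (CreateRemoteThread) records to surface the kind of
# injection the Inject action performs. Field names follow Sysmon's schema;
# the paths, addresses and the allowlist are made up for illustration.
import json

SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Users\\bob\\update.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x000001E2C4A10000", "StartModule": "", "StartFunction": ""}
{"EventID": 8, "SourceImage": "C:\\Program Files\\AV\\scanner.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x00007FFD2A3B1C20", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "LdrLoadDll"}
{"EventID": 1, "Image": "C:\\Windows\\notepad.exe"}
"""

# Processes allowed to create threads in others (EDR, AV, debuggers); tune per estate.
ALLOWED_SOURCES = {r"C:\Program Files\AV\scanner.exe"}


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_remote_threads(events, allowed_sources=ALLOWED_SOURCES):
    """Return (source, target, reasons) for remote-thread events worth triage.

    A remote thread whose start address is not backed by any loaded module
    is the classic footprint of shellcode (such as a Beacon) injected into
    another process; an unlisted source process is a weaker signal."""
    hits = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        if e.get("SourceImage") in allowed_sources:
            continue
        reasons = ["unlisted source process"]
        if not e.get("StartModule"):
            reasons.append("thread start not backed by a loaded module")
        hits.append((e["SourceImage"], e["TargetImage"], reasons))
    return hits
```

Legitimate software also creates remote threads, so the allowlist and the "no backing module" reason are what keep the output reviewable.
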

Select any process and click Log Keystrokes to monitor the host's keystrokes.

View the keylogging results: click the key-shaped button and the keylog details appear below. It records all keystrokes on the host, not only those of the selected process.

You can also start keyboard monitoring by entering the keylogger command directly.
