Luom · 2014/04/25 12:07
0 x00 background
Cobalt Strike a metasploit-based GUI framework penetration tool, Armitage commercial version, integrated port, service scanning, automatic overflow, multi-mode port listening, WIN EXE Trojan horse generation, WIN DLL Trojan horse generation, Java Trojan horse generation, Office macro virus generation, Trojan binding, MAC OS Trojan generation, phishing attacks include: site cloning, target information acquisition, Java execution, automatic attack on the browser and so on.
Cobalt Strike does not accept Cobalt Strike for download. Author blog has a lot of good things, recommend everyone to collect.
Cobalt Strike was able to connect to metasploit for native Windows in 1.45 and before that, it was not supported and had to be required to connect to metasploit for remote Linux.
Another powerful feature of Cobalt Strike is its community server function, which allows multiple attackers to connect to a community server at the same time to share attack resources and target information and sessions.
This article will share with you my method of community server (my method is not necessarily the best, just refer to it)
0 x01 structures,
1. The server
The server strongly recommends that you choose Ubuntu, with memory of more than 1G and bandwidth of more than 8M. Although I have helped my friends build it successfully on Centos, it is not recommended, because the stability and maintenance are not as good as Ubuntu.
2. Install metasploit
Metasploit have 3 version of professional edition, community edition, and the git version of the above, we use community edition to go, of course the function of the professional version than community edition, but will give money, can only be free to use for a period of time, infinite free use pro has also been used to find the official blocked, the git version suitable for installation of advanced users, Specific can oneself go play.
After downloading and installing the community version of Metasploit, the next step is to enable the first access to metasploit’s Web management page must be localhost. 2. When connecting SSH, enable SOcks5 and then set the browser to access it.
Another quick way to install Cobalt Strike is to upload the Cobalt Strike server. There is a quick-MSF-Setup script that will help you quickly deploy your community server environment, but I don’t like this method, I prefer to mess with it.
3. Deploy Cobalt Strike
Upload the downloaded Cobalt Strike to the server. Unpack it and you’ll find these files
Cobalt Strike is written in JAVA, the server has to have a JAVA environment, there is no need to download JAVA to install metasploit, we already have a JAVA environment, we just need to configure the environment variables to do it, open the root directory. Bashrc file, we recommend backup, At the bottom add:
# JAVA college export JAVA_HOME = / opt/metasploit/JAVACopy the code
export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH
And then execute
#! bash source .bashrcCopy the code
Finally, let’s see if it works
Go back to the Cobalt Strike directory
Run./ teamServer server IP connection password
There will be a lot of warnings during startup, don’t bother with it, this will be OK in a few minutes or so
Do not close here, then this unit starts the Cobalt Strike connection test
The address is 192.168.10.62, the port is 55553, the username is MSF, and the password is luom.Copy the code
Click connect, it’ll bring up a server authentication, confirm, and set your nickname.
Going back to SSH you can see all kinds of logs, but this one shuts down the team server shuts down, so here we can put it in the background and run it
#! Bash nohup./ teamServer 192.168.10.62 Luom &Copy the code
This directory will generate a nohup.out file, which is the log file for running the program
The reason is that your memory usage exceeds %50 and you cannot start the Java virtual machine.
End all MSFRPCD processes at the same time as Cobalt Strike. Don’t let it fail the next time you start Cobalt Strike.
0x02 Example Cobalt Strike controls target through DNS
DNS to control the target and penetration benefits do not say more, we all know, do not start the mouth, can bypass most firewalls, good concealment and so on. Cobalt Strike has the function of beacons, which can transmit data through DNS,HTTP and SMB. Here I take DNS as an example.
1. Set the domain name
First of all, we have A domain name, and we create an A record to point to our Metasploit server, remember don’t use CDN or anything
Then create two or three NS records to point to the A record you just created
So we can find our Metasploit server through DNS
2. Cobalt Strike Settings
In Cobalt Strike we add a listener
HOST is the IP address of the Metasplit service. When you click Save, you will be asked to fill in your NS record. Here, write the three we just created
Now that we’ve set up the listener, let’s create a Trojan horse test.
3. Trojan horse generation
Find Windows Trojan generation in Attack -> Packages
The Listener selects the one we just created (there are two, choose the one with DNS), and the output is exe, exe with service, DLL, etc. (I have tested the connection mode to DNS generated DLL Trojan horse can beat a large part of the anti-virus software)
We put the generated DNs. EXE into the virtual machine to run.
Port status before running
Port status after running
No new port opened. I’m trying to catch the packet
It’s DNS.
We go back to Cobalt Strike and we open up the Beacons manager and there’s a server that’s responding to us
Right-click the Manage menu, select Sleep to set the corresponding time, and then select Interact to access the interface
First is to set the transfer mode, DNS, DNS TXT, HTTP, SMB four, we used here is that the DNS is in DNS, DNS TXT choice, the former transmitted data is small while the latter transmit more data Here I set to mode DNS – TXT (fill here can use the TAB’s command)
Type help to see the supported commands
Command Description ------- ----------- bypassuac Spawn a session in a high integrity process cd Change directory checkin Call home and post data clear Clear beacon queue download Download a file execute Execute a program on target exit Terminate the beacon session getsystem Attempt to get SYSTEM getuid Get User ID help Help menu inject Spawn a session in a specific process keylogger start Start the keystroke logger keylogger stop Stop the keystroke logger message Display a message to user on desktop meterpreter Spawn a Meterpreter session link Connect to a Beacon peer over SMB mode dns Use DNS A as data channel (DNS beacon only) mode dns-txt Use DNS TXT as data channel (DNS beacon only) mode http Use HTTP as data channel mode smb Use SMB peer-to-peer communication rev2self Revert to original token shell Execute a command via cmd.exe sleep Set beacon sleep time socks Start SOCKS4a server to relay traffic socks stop Stop SOCKS4a server spawn Spawn a session spawnto Set executable to spawn processes into steal_token Steal access token from a process task Download and execute a file from a URL timestomp Apply timestamps from one file to another unlink Disconnect from parent Beacon upload Upload a fileCopy the code
Here are a few common commands
Getuid Obtains the current userCopy the code
Execute Runs an executable program (cannot Execute shell commands)
Shell Runs the Shell commandCopy the code
Meterpreter Returns a Meterpreter sessionCopy the code
The rest is for you to see for yourself.
The advantage of this thing is to compare the control of the target host is more hidden, shortcomings in each command I return the result is slower, in the firewall or good.