Description

Pointer was developed for hunting and mapping Cobalt Strike servers exposed to the Internet. The tool implements a complete methodology for identifying Cobalt Strike servers, and its goal is to test a large number of potential targets for Cobalt Strike in a short period of time. Scanning 250,000 targets costs about $20; we are looking for a way to make it cheaper.

Disclaimer

The tool is in beta (under testing). The main components of the tool are detailed in a blog post by Pavel Shabarkin and Michael Koczwara: https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a

I recommend using a separate AWS account to scan and map Cobalt Strike servers.

Installation

If you have Go installed and configured (i.e. $GOPATH/bin is in your $PATH):

sudo go get -u github.com/shabarkin/pointer

or

sudo git clone https://github.com/shabarkin/pointer.git
sudo go build .

Basic usage

Pointer is built on AWS services, primarily SQS, Lambda and DynamoDB. It has a configure subcommand that automatically deploys the IAM, Lambda, SQS, DynamoDB and Autoscaling resources it needs. To create all of these, Pointer needs permissions to manage them; for simplicity we recommend giving Pointer an administrator-type account that carries all the necessary permissions. That is why I recommend a separate AWS account, especially if you run other Lambda functions in your main account: an administrator key that is leaked or misused there would expose everything else in that account.

Create an AWS user account in the AWS console

Instructions

  1. AWS Console → IAM → User groups → Create group → provide a group name, then attach the permission policy "AdministratorAccess".
  2. AWS Console → IAM → Users → Add user → provide a user name, select "Access key – Programmatic access", then add the user to the group created in step 1.


Set up the credentials

**Warning:** The configure action requires function.zip to be present in the directory from which the command is run. function.zip is the "Pointer server", compiled and zipped in the format required for Lambda deployment.

Pointer has a configure subcommand with two options.

  1. Automatically deploy the AWS environment. You need to provide AWS credentials that are allowed to manage your account:
./pointer configure -aws_access_key_id AKIA85CEHPO3GLIABKZD -aws_secret_access_key LW3bDF8xJvzGgArqMo0h4kuCYsnubU23kGICGp/p

  2. Clear the configured AWS environment:
./pointer configure -clear

Note that credentials passed as command-line arguments end up in your shell history and are visible to other local users in the process list; the key above is only an example, and any real key you paste here should be rotated once you are done with the scan.

**Warning:** configure writes a .env file in the current directory that holds these credentials; it is loaded into global variables every time you call a subcommand. Since the file contains administrator keys, give it restrictive permissions and keep it out of version control.

Scanning

The scan subcommand has three options: 1. Start the scan. 2. Check the scan status. 3. Stop the scan.

Start scanning

Pointer parses the IP list from a local JSON file (ips.json), splits it into packets of 10 IP addresses, and pushes the packets to the SQS queue for processing.

./pointer scan -targets ips.json

ips.json file format:

{

Check the scan status

Pointer retrieves information about the SQS queue: how many packets are waiting to be scanned and how many are being processed at the moment.

./pointer scan -status

Stop the scan

To stop the scan, Pointer purges all packets from the SQS queue.

./pointer scan -stop

Dumping

All scan results are stored in two DynamoDB tables: 1. Targets; 2. Beacons.

./pointer dump -outfile 23.09.2021

The only controllable parameter is the suffix of the output file. All dumped results are written as .csv and .json files into the Results folder in the current directory.

**Warning:** After the results are dumped, Pointer clears the DynamoDB tables, so the copy saved in the Results folder is the only one you have; there is no backup of the obtained results.

You can find the data sample here: https://docs.google.com/spreadsheets/d/1akSzGDq8ddn97rNfr7BS0w2HcoR52ircFaSMh-OEjTU/edit

Demo video

GitHub

Github.com/shabarkin/p…