Cobalt Strike: A Detailed Introduction

Posted by admin, 2018/04/08


Configuration and running

Introduction

Cobalt Strike integrates port forwarding, port scanning, multi-protocol listeners, Windows EXE payload generation, Windows DLL (dynamic-link library) payload generation, Java payloads, Office macro payloads, binding a payload to a legitimate program, and phishing attacks, including site cloning, target information gathering, Java applet execution and automated browser attacks.

Environment

  1. Kali Linux 2018.1, 192.168.1.103: client
  2. Ubuntu 16.04.1 LTS, 118.89.xx.xxx: public VPS, team server
0x1 Setting up the Java environment

Cobalt Strike is written in Java, so a Java runtime is required, and we need to set one up on the VPS.

  1. Update the package list:
    sudo apt-get update
  2. Install openjdk-8-jdk:
    sudo apt-get install openjdk-8-jdk
  3. Check the installed Java version:
    java -version
    If it prints a version string, the environment is ready.
0x2 Configuring and running Cobalt Strike
  1. Upload or download the Cobalt Strike archive to the VPS and unpack it.
  2. Make teamserver executable: chmod +x teamserver
  3. Start the server: sudo ./teamserver 118.89.xx.xxx 123123 (the arguments are the VPS's public IP address and the password clients connect with; "123123" is only a placeholder, use a long random password, because the team server listens on the public Internet, on TCP port 50050 by default, and the password is all that protects it)
  4. The server is now running. Start it inside screen/tmux or with nohup so it survives the SSH session ending.
  5. Switch to Kali and start the client:
    java -jar cobaltstrike.jar
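The server-side procedure above (Java install, version check, chmod, launch) as one script. This is an added example, not code from the original page or from Cobalt Strike itself; it assumes the archive is already unpacked into ~/cobaltstrike, that ufw is the VPS firewall, and that you want port 50050 reachable from a single client address. It also refuses the kind of weak password the walkthrough uses.

```shell
#!/bin/sh
# Added example: bootstrap a Cobalt Strike team server on an Ubuntu VPS.
# Not from the original page. Assumptions: the CS archive is already unpacked
# into ~/cobaltstrike, ufw is available, and the team server port (TCP 50050)
# should only be reachable from one client address.
set -eu

CS_DIR="${CS_DIR:-$HOME/cobaltstrike}"   # assumed install location
TS_PORT=50050                           # team server listens here by default

# Extract the major release from `java -version` output ("1.8.0_162" -> 8,
# "11.0.2" -> 11). Fails (non-zero) when no version string is present, which is
# what you get when java is not installed at all.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # legacy 1.x naming scheme
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Dotted-quad check for the public IP that goes on the teamserver command line.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# 24 URL-safe random characters. The password is the only thing standing between
# the team server and anyone who can reach port 50050.
gen_password() {
    head -c 18 /dev/urandom | base64 | tr '/+' '_-'
}

# The page targets OpenJDK 8 (Cobalt Strike 3.x); newer releases need Java 11.
install_java() {
    sudo apt-get update
    sudo apt-get install -y openjdk-8-jdk
    major=$(java_major_version "$(java -version 2>&1)") || { echo "java not found after install" >&2; return 1; }
    echo "java major version: $major"
}

# Start the team server detached from the SSH session so it survives logout.
# sudo matters for listeners that later bind privileged ports (80/443/53).
start_teamserver() {
    public_ip=$1
    password=$2
    valid_ipv4 "$public_ip" || { echo "invalid IPv4 address: $public_ip" >&2; return 1; }
    [ "${#password}" -ge 12 ] || { echo "refusing a password shorter than 12 characters" >&2; return 1; }
    cd "$CS_DIR"
    chmod +x teamserver
    nohup sudo ./teamserver "$public_ip" "$password" > teamserver.log 2>&1 &
    echo $! > teamserver.pid
    echo "team server started (pid $(cat teamserver.pid)); client connects to $public_ip:$TS_PORT"
}

# Only the operator's client should be able to reach the team server port.
# ufw evaluates rules in order, so the specific allow goes in before the deny.
restrict_port() {
    client_ip=$1
    valid_ipv4 "$client_ip" || { echo "invalid client IPv4 address: $client_ip" >&2; return 1; }
    sudo ufw allow from "$client_ip" to any port "$TS_PORT" proto tcp
    sudo ufw deny "$TS_PORT"/tcp
}

# Usage: sh setup_teamserver.sh run <vps public ip> <client ip> [password]
if [ "${1:-}" = "run" ]; then
    install_java
    pw=${4:-$(gen_password)}
    restrict_port "$3"
    start_teamserver "$2" "$pw"
    echo "team server password: $pw"
fi
```

The Kali box in the walkthrough has a private address, so the client IP you whitelist is whatever public address your connection leaves through, not 192.168.1.103.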


Enter the server's IP address and the password to connect the client.


Features in detail

Menu bar


There are five top-level menus:

  1. Cobalt Strike
  2. View
  3. Attacks
  4. Reporting
  5. Help

Each main menu has a number of submenus.

Cobalt Strike


New Connection (add a new team server connection)


Host: the team server's IP address
Port: the port the team server listens on (50050 by default)
User: any name; it identifies you to the other operators in the event log
Password: the password set when the team server was started

Preferences


Preferences configures the Cobalt Strike interface, the console, the report output style and the TeamServer connection history. Worth knowing it exists, nothing more.

Visualization

How the results are displayed.


  1. Pivot Graph


Red means the Beacon already has the highest privileges on that system; blue means a lower-privileged session.

  2. Session Table
    Table of sessions


  3. Target Table
    Table of targets


VPN Interfaces

Creates a Covert VPN interface, which turns a compromised host into a layer-2 pivot into its network.

Listeners


Listeners receive the data the payload sends back. There are two kinds:

  1. beacon

beacon is the built-in Cobalt Strike listener: once the payload runs on the target, a Beacon session calls back to Cobalt Strike.
Beacon can communicate over DNS, HTTPS, HTTP and SMB (named pipes). The DNS, HTTP and HTTPS variants call back to the team server directly, while an SMB Beacon is peer-to-peer and is reached through another Beacon with the link command. Beacon has a large set of built-in features.

In the target list, right-click the host and choose Interact to open the Beacon console.

Type help to list the commands:

beacon> help
Beacon Commands
===============

    Command                   Description
    -------                   -----------
    browserpivot              Setup a browser pivot session 
    bypassuac                 Spawn a session in a high integrity process
    cancel                    Cancel a download that's in-progress
    cd                        Change directory
    checkin                   Call home and post data
    clear                     Clear beacon queue
    covertvpn                 Deploy Covert VPN client
    cp                        Copy a file
    dcsync                    Extract a password hash from a DC
    desktop                   View and interact with target's desktop
    dllinject                 Inject a Reflective DLL into a process
    download                  Download a file
    downloads                 Lists file downloads in progress
    drives                    List drives on target
    elevate                   Try to elevate privileges
    execute                   Execute a program on target
    exit                      Terminate the beacon session
    getsystem                 Attempt to get SYSTEM
    getuid                    Get User ID
    hashdump                  Dump password hashes
    help                      Help menu
    inject                    Spawn a session in a specific process
    jobkill                   Kill a long-running post-exploitation task
    jobs                      List long-running post-exploitation tasks
    kerberos_ccache_use       Apply kerberos ticket from cache to this session
    kerberos_ticket_purge     Purge kerberos tickets from this session
    kerberos_ticket_use       Apply kerberos ticket to this session
    keylogger                 Inject a keystroke logger into a process
    kill                      Kill a process
    link                      Connect to a Beacon peer over SMB
    logonpasswords            Dump credentials and hashes with mimikatz
    ls                        List files
    make_token                Create a token to pass credentials
    mimikatz                  Runs a mimikatz command
    mkdir                     Make a directory
    mode dns                  Use DNS A as data channel (DNS beacon only)
    mode dns-txt              Use DNS TXT as data channel (DNS beacon only)
    mode dns6                 Use DNS AAAA as data channel (DNS beacon only)
    mode http                 Use HTTP as data channel
    mode smb                  Use SMB peer-to-peer communication
    mv                        Move a file
    net                       Network and host enumeration tool
    note                      Assign a note to this Beacon       
    portscan                  Scan a network for open services
    powerpick                 Execute a command via Unmanaged PowerShell
    powershell                Execute a command via powershell.exe
    powershell-import         Import a powershell script
    ppid                      Set parent PID for spawned post-ex jobs
    ps                        Show process list
    psexec                    Use a service to spawn a session on a host
    psexec_psh                Use PowerShell to spawn a session on a host
    psinject                  Execute PowerShell command in specific process
    pth                       Pass-the-hash using Mimikatz
    pwd                       Print current directory
    rev2self                  Revert to original token
    rm                        Remove a file or folder
    rportfwd                  Setup a reverse port forward
    runas                     Execute a program as another user
    runu                      Execute a program under another PID
    screenshot                Take a screenshot
    shell                     Execute a command via cmd.exe
    shinject                  Inject shellcode into a process
    shspawn                   Spawn process and inject shellcode into it
    sleep                     Set beacon sleep time
    socks                     Start SOCKS4a server to relay traffic
    socks stop                Stop SOCKS4a server
    spawn                     Spawn a session 
    spawnas                   Spawn a session as another user
    spawnto                   Set executable to spawn processes into
    spawnu                    Spawn a session under another PID
    ssh                       Use SSH to spawn an SSH session on a host
    ssh-key                   Use SSH to spawn an SSH session on a host
    steal_token               Steal access token from a process
    timestomp                 Apply timestamps from one file to another
    unlink                    Disconnect from parent Beacon
    upload                    Upload a file
    wdigest                   Dump plaintext credentials with mimikatz
    winrm                     Use WinRM to spawn a session on a host
    wmi                       Use WMI to spawn a session on a host
  2. foreign

Foreign listeners hand sessions to external tools: use one when you want Cobalt Strike to spawn a Meterpreter or Armitage session for the rest of the internal penetration. The foreign listener's host and port must point at the other tool's handler, and the payload types have to match (a Foreign HTTP listener expects a windows/meterpreter/reverse_http handler, Foreign HTTPS a reverse_https one).

Script Manager

Scripts can be loaded here to extend the tool's functionality (download link).

View menu

The View menu lets the tester inspect each kind of collected data; the graphical interface makes it easy to see everything gathered from the compromised machines.


Applications: the applications found on the compromised machines;
Credentials: the credentials collected from the compromised machines, ready for the next stage of the attack;
Downloads: files downloaded from targets;
Event Log: the team server's event log, a clear record of what has happened; the team can also chat here;
Keystrokes: captured keystrokes;
Proxy Pivots: the proxy pivots in use;
Screenshots: captured screenshots;
Script Console: load scripts here to extend functionality (script link);
Targets: the known targets;
Web Log: the web server log.

Attacks

Reporting


Cobalt Strike generates reports in two formats, PDF and MS Word.

  1. Activity Report: a timeline of red team activity
  2. Hosts Report: everything gathered per host: services, credentials and vulnerabilities
  3. Indicators of Compromise: similar to threat intelligence; it contains the C2 profile, the domains used and the MD5 hashes of uploaded files
  4. Sessions Report: the activity and basic information of each session
  5. Social Engineering Report

    • Reset Report: resets the report data. This is irreversible; it clears everything in the report data model.
    • Export Report: exports a report.
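The Indicators of Compromise report is what gets handed to the defenders after an engagement. As an added example that is not part of the original page, the script below checks a DNS query log and a file share against the two artefact types that report lists, C2 domains and MD5 hashes of uploaded files; it treats subdomains of a C2 domain as hits because a DNS Beacon carries its data in subdomains. Every domain, hash and log line is constructed, and the log layout (timestamp, client, query name, record type) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): check logs against the two artefact
# types a Cobalt Strike "Indicators of Compromise" report lists, C2 domains and
# MD5 hashes of files the operator uploaded. Every domain, hash and log line below
# is constructed; the DNS log layout (timestamp, client, query name, record type)
# is an assumption.
set -eu

# Print DNS log lines whose query name equals, or is a subdomain of, an IOC domain.
# An exact match on the domain alone would miss a DNS Beacon, whose traffic lives
# in subdomains of the C2 domain. Names are lower-cased and stripped of a trailing
# dot on both sides before comparing.
# $1 = file with one IOC domain per line, $2 = DNS log with the query name in field 3
match_dns_log() {
    awk -v ioc_file="$1" '
        BEGIN {
            while ((getline d < ioc_file) > 0) { d = tolower(d); sub(/\.$/, "", d); iocs[d] = 1 }
        }
        {
            q = tolower($3); sub(/\.$/, "", q)
            for (d in iocs)
                if (q == d || substr(q, length(q) - length(d)) == "." d) { print; break }
        }' "$2"
}

# Hash every file under a directory and print the ones whose MD5 is on the IOC list
# (md5sum prints "<hash>  <path>"; the IOC file holds one hash per line, any case).
# $1 = file with one MD5 per line, $2 = directory to scan
match_md5() {
    find "$2" -type f -exec md5sum {} + | awk -v ioc_file="$1" '
        BEGIN { while ((getline h < ioc_file) > 0) iocs[tolower(h)] = 1 }
        tolower($1) in iocs { print }'
}

# Build the constructed inputs in a temporary directory and print its path.
make_sample() {
    d=$(mktemp -d)
    # IOC domains as a report might list them: mixed case, one with a trailing dot
    printf 'evil.example\nCDN-UPDATES.example.\n' > "$d/ioc_domains.txt"
    # Five constructed DNS log lines; three of them should hit
    cat > "$d/dns.log" <<'EOF'
2018-04-08T10:00:01 10.0.0.5 www.example.org A
2018-04-08T10:00:02 10.0.0.7 aaaa.bbbb.evil.example TXT
2018-04-08T10:00:03 10.0.0.7 evil.example A
2018-04-08T10:00:04 10.0.0.9 notevil.example A
2018-04-08T10:00:05 10.0.0.9 cdn-updates.example. A
EOF
    # Stand-in for an uploaded file: an empty file, whose MD5 is the well-known
    # d41d8cd98f00b204e9800998ecf8427e; listed in upper case to exercise normalisation
    mkdir "$d/share"
    : > "$d/share/update.exe"
    printf 'nothing to see here\n' > "$d/share/readme.txt"
    printf 'D41D8CD98F00B204E9800998ECF8427E\n' > "$d/ioc_md5.txt"
    printf '%s\n' "$d"
}

# Usage: sh check_iocs.sh run
if [ "${1:-}" = "run" ]; then
    sample=$(make_sample)
    echo "== DNS hits =="; match_dns_log "$sample/ioc_domains.txt" "$sample/dns.log"
    echo "== file hits =="; match_md5 "$sample/ioc_md5.txt" "$sample/share"
    rm -rf "$sample"
fi
```

On the sample data the DNS check hits the subdomain query, the bare C2 domain and the trailing-dot form, and skips notevil.example because the suffix comparison requires a dot before the IOC domain.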

Toolbar


With the overview above you should have a rough idea of what the tool does. What follows is a typical Cobalt Strike workflow:

  1. Creating a listener -> generating the payload
  2. Phishing attacks
  3. Using Beacon (browser pivoting, SOCKS proxy, host information gathering, PowerShell-based post-exploitation, privilege escalation with BypassUAC)
  4. Working together with Metasploit and Empire
  5. Cobalt Strike script extensions (Beef_strike, Veil-Evasion, and so on)

This list is given here to make the later material easier to follow.

References:
https://klionsec.github.io/
https://evi1cg.me/archives/Cobalt_strike.html
http://www.freebuf.com/sectool/133369.html

Last modification: January 26th, 2019 at 05:12 pm
