[try to hack] cobalt strike (I)
2022-06-28 20:29:00 【Happy star】
The author's level is very limited; if you find an error, please let me know, thank you!
https://www.bilibili.com/video/BV1Zr4y137bW
CS Introduction and installation
Cobalt Strike is a penetration testing tool. It no longer depends on MSF but runs as a standalone platform split into a client and a server: there is one server, there can be many clients, and a team can use it for distributed cooperative operations.
Features: CS integrates port forwarding, service scanning, automatic exploitation, multi-mode port listening, Windows EXE trojan generation, Windows DLL trojan generation, Java trojan generation, Office macro virus generation and trojan binding; its phishing attacks include site cloning, target information gathering, Java execution, browser auto-attack and so on.
Early versions of Cobalt Strike relied on the Metasploit framework; current Cobalt Strike no longer uses MSF and runs as a separate platform.
The community edition of this tool is the well-known Armitage (a graphical front end for MSF), and Cobalt Strike can be understood as the commercial version of Armitage.
Different CS versions have different directory structures; the one used here is 4.3.
Cobalt Strike download link
Because starting Cobalt Strike requires a JDK, you need to install a Java environment.
Kali installs a Java environment by default; check it with java --version
If it is not present, install it.
Install JDK 11:
apt-get update
apt-get install openjdk-11-jdk
Set the default Java program:
update-java-alternatives -s java-1.11.0-openjdk-amd64
CS start-up
Start the server
The team server is best run on a Linux platform.
└─# ./teamserver
[*] Will use existing X509 certificate and keystore (for SSL)
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[*] ./teamserver <host> <password> [/path/to/c2.profile] [YYYY-MM-DD]
<host> is the (default) IP address of this Cobalt Strike team server
<password> is the shared password to connect to this server
[/path/to/c2.profile] is your Malleable C2 profile
[YYYY-MM-DD] is a kill date for Beacon payloads run from this server
chmod +x teamserver // run this first if teamserver does not have execute permission; then start it with ./teamserver 192.168.88.132 123456
The default connection port of the team server is 50050.
Start the client
Linux: ./cobaltstrike or java -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar
Windows: double-click cobaltstrike.exe
The connection dialog has the following fields:
host: the IP address of the server
port: the server's default open port, 50050
user: a user name of your choice
password: the password set when the server was started

On the first connection a hash check dialog appears. The hash shown there is the fingerprint of the team server's certificate; compare it with the hash printed when teamserver was started, and if they match click 'Yes' to connect to the team server.
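The hash check above protects the operator's own connection; from the defender's side, the default port 50050 and the default keystore certificate are what network telemetry tends to show. As an added example that is not part of the original post, here is a small Python triage over constructed connection-log lines; the log format, the sample lines and the default certificate subject markers (public knowledge, not stated in the post) are assumptions.

```python
# Added example (not from the original post): flag connection-log records that
# look like Cobalt Strike team server traffic. The log format below (space
# separated: timestamp src dst dport proto tls_subject) and all sample lines
# are constructed for this example.
from __future__ import annotations

TEAMSERVER_PORT = 50050  # default team server port, as stated in the post
# Subject of the default certificate shipped in the team server keystore;
# public knowledge, not something the post states. Operators usually replace it.
DEFAULT_CERT_MARKERS = ("CN=Major Cobalt Strike", "O=cobaltstrike")

SAMPLE_LOG = """\
2022-06-28T20:29:01 10.0.0.5 192.168.88.132 50050 tcp CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike
2022-06-28T20:29:03 10.0.0.7 93.184.216.34 443 tcp CN=example.com
2022-06-28T20:29:05 10.0.0.9 192.168.88.132 8443 tcp CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike
2022-06-28T20:29:09 10.0.0.5 10.0.0.20 445 tcp -
2022-06-28T20:29:12 10.0.0.8 203.0.113.4 50050 udp -
"""

def parse_line(line: str) -> tuple[str, str, str, int, str, str] | None:
    """Split one record; the TLS subject may itself contain spaces."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, proto = parts[:5]
    subject = parts[5] if len(parts) == 6 else "-"
    return ts, src, dst, int(dport), proto, subject

def triage(log_text: str) -> list[dict]:
    """Return one finding per record that matches at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto, subject = rec
        reasons = []
        if dport == TEAMSERVER_PORT and proto == "tcp":
            reasons.append("default team server port 50050/tcp")
        if any(marker in subject for marker in DEFAULT_CERT_MARKERS):
            reasons.append("default team server certificate subject")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}: " + "; ".join(f["reasons"]))
```

The third sample line shows why the certificate check matters: a team server moved off port 50050 still matches on its default certificate subject.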
CS Add listener


Listener types
The beacon series is Cobalt Strike's own and includes four listening methods: dns, http, https and smb.
The foreign series are external listeners, usually used in linkage with MSF or Armitage.
CS Create a Trojan


Choose a listener
A DLL type trojan can also be generated
We choose EXE
Generate
Choose a save path
When the victim double-clicks the exe program, the host comes online in the CS client.
CS Generate office Macro file phishing


After selecting a listener, click Generate
Open Word (WPS does not work) and create a new blank document
View -> Macros
Create
Ctrl+S to save
When the victim opens the file, the host comes online in the CS client.
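The macro document above comes online as soon as it is opened, so the defensive check belongs before that point: whether an incoming Word file carries a VBA project at all. As an added example that is not part of the original post, the following Python inspects the OOXML container for the vbaProject.bin part and the macro-enabled content type; the sample documents are constructed in memory and are not real Word files.

```python
# Added example (not from the original post): screen a Word document for an
# embedded VBA project before anyone opens it. The sample containers are built
# in memory with zipfile and are constructed stand-ins, not real Word files.
import io
import zipfile

VBA_PART = "word/vbaProject.bin"  # OOXML part that stores the compiled VBA project
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"  # .docm
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def inspect_document(data: bytes) -> dict:
    """Report what the OOXML container says about macros.

    Both signals are checked because a renamed .docm keeps its vbaProject.bin
    while the content type can be edited independently of the part list.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            declares = False
            if "[Content_Types].xml" in names:
                declares = MACRO_MAIN_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        # Legacy binary .doc (OLE2) files and non-documents land here; inspect those separately.
        return {"is_ooxml": False, "has_vba_part": False, "declares_macro_type": False}
    return {"is_ooxml": True, "has_vba_part": VBA_PART in names, "declares_macro_type": declares}

def is_macro_document(data: bytes) -> bool:
    info = inspect_document(data)
    return info["has_vba_part"] or info["declares_macro_type"]

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal container used only to exercise the checks above."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder")  # real files hold an OLE2 blob
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("macro", build_sample(True)), ("plain", build_sample(False))):
        print(label, inspect_document(doc))
```

A legacy .doc saved in the binary OLE2 format is not a zip container and is reported as not OOXML here; it needs a separate OLE-aware check.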

CS Clone website


clone url is the target site
Visit the cloned page
After entering content, the page redirects to the real Baidu.