Cobalt Strike is a red team operations program designed by Raphael Mudge. Its main use is to perform security assessments that replicate the tactics and techniques of an adversary in a network. In this blog we are going to interact with this program, which you can get from the official website.
Table of Contents
- Architecture of Cobalt Strike
- Installation and setup
- Interaction with Cobalt Strike
Architecture of Cobalt Strike
Cobalt Strike has a client-server architecture: a server is hosted, and multiple client profiles can connect to it and perform tasks.
Installation and setup
Installation is quite easy, as there are two main files to call: one is the server, which is called teamserver, and the second is the client. Both files are in the tar file you receive from Cobalt Strike.
Once you have extracted it and set up your environment, decide which IP you want to start the server on. You can start the server using the teamserver file, which requires two arguments: the first is your interface IP and the second is any password.
- Teamserver is the main controller for the payloads that are used in Cobalt Strike.
- It logs all the events that are executed by the profiles.
Note: we had some issues with the JRE, i.e. we made some changes in our environment using the bash script by passing AggressiveHeap.
sudo ./teamserver <IP> <PASSWORD>    (original command)
sudo ./teamserver 192.168.0.5 pentestsky
Once the server has started, you get a hash value, which helps maintain the integrity of the application.
sudo java -jar PATH/To/cobaltstrike.jar    (original command)
sudo ./cobaltstrike.sh
Now the connect dialog is up, and here we can create multiple profiles. In the Host section you specify the address your team server is running on; the port is 50050 by default. The username can be anything, and the password is the one you provided when starting the server. Then hit Connect. After successful authorization, a verification window appears in which you see the same hash value as the server's.
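The hash comparison in the verification window, written out as an added example (not code from the original post or from Cobalt Strike). It assumes the hash is a SHA-256 digest of the server's DER-encoded TLS certificate, which the post does not state; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text: str) -> str:
    """Return lower-case hex with colons/spaces removed; reject malformed input."""
    cleaned = text.strip().lower().replace(":", "").replace(" ", "")
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def fingerprint_der(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate (assumed algorithm)."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pinned(der_cert: bytes, pinned: str) -> bool:
    """True only if the presented certificate hashes to the recorded value."""
    presented = fingerprint_der(der_cert)
    return hmac.compare_digest(presented, normalize_fingerprint(pinned))


def fetch_der(host: str, port: int = 50050) -> bytes:
    """Fetch the certificate the server presents (no CA validation is done,
    which is why the fingerprint comparison is the actual trust decision)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for certificate bytes so the example runs offline.
SAMPLE_DER = b"constructed stand-in for the server's DER certificate"
OTHER_DER = b"constructed stand-in for a different certificate"

if __name__ == "__main__":
    # The value an operator would have copied from the server console.
    recorded = fingerprint_der(SAMPLE_DER).upper()
    print("same certificate:     ", matches_pinned(SAMPLE_DER, recorded))
    print("different certificate:", matches_pinned(OTHER_DER, recorded))
```

A mismatch means the client is not talking to the certificate the server announced at start-up, so the connection should be refused.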
Interaction with Cobalt Strike
The user interface, as you see in the image above, is divided into two sections, i.e. the visualization zone and the display tab. The visualization tab visually displays all the sessions and gives a proper view of the compromised network and hosts. The display tab is used to view the event logs and other program features, and to interact with sessions.
Cobalt Strike is built in such a way that the attacker can perform tasks very quickly by clicking the buttons for these common features.
- To attach other team-server
- To detach the client from team-server
- To start the listener
- The different view angles
- View credentials
- View downloaded files
- View keystrokes
- View screenshots
- Generate a stageless executable or DLL
- Set up the Java signed applet attack
- Generate macro code
- Scripted web delivery attack
- Host a file on the Cobalt Strike web server
- Manage files and applications hosted on the Cobalt Strike web server
- Support page
- About Cobalt Strike
Configure the listeners
Just as Metasploit has handlers, Cobalt Strike has listeners. Listeners are responsible for handling the bind or reverse connections to or from the target/server. We can configure a listener by clicking the headphone button. After clicking it, the listeners section opens in the display tab, where there is a default listener; here we can create multiple listener IDs with different ports and payloads.
After clicking Add we can create a new listener ID, or, if you want to make changes to an existing profile, you can edit it. Here we are creating a new ID with the name srv-1.
In the payload section we have the different types of payload that Cobalt Strike supports, which we are going to discuss in the upcoming series. Here we choose HTTP. Once you have filled in all the required parameters, you can save the box and the listener is ready.
We can confirm that it is listening by checking the netcat result.
Cobalt Strike offers different ways to generate a payload; one of them is the stageless Windows executable. We can create the payload by clicking the button in the toolbar; a box appears in which you have to select your listener, in this case the srv-1 listener.
After selecting the listener we have to choose what kind of output to generate. In this case we are using the Windows EXE; in the upcoming series we are going to check all of them one by one. Once everything is set, the payload is saved.
After saving it and transferring it to the victim using any kind of social engineering, we get the session in our visualization tab.
Thank you. More blogs in this series are coming.
All feedback is valuable to us.