Getting Started With Cobalt Strike

Introduction

Cobalt Strike is a red team operations program designed by Raphael Mudge. Its main use is to perform security assessments that replicate the tactics and techniques of an adversary in a network. In this blog we are going to interact with this program, which you can get from the official website.

Table of Contents

  • Architecture of Cobalt Strike
  • Installation and setup
  • Interaction with Cobalt Strike

Architecture of Cobalt Strike

Cobalt Strike has a client-server architecture: a server is hosted, and multiple client profiles can connect to it and perform tasks.

Installation and setup

Installation is quite easy, as there are two main files to call: one is the server, which is called teamserver, and the second is the client. You will find both files in the tar file you receive from Cobalt Strike.

Once you have extracted it and set up your environment, decide which IP you want to start the server on. You can start the server using the teamserver file, which requires two arguments: the first is your interface IP and the second is any password.

Teamserver?

  • Teamserver is the main controller for the payloads that are used in Cobalt Strike.
  • It logs all the events that are executed by the profiles.

Note: we had some issues with the JRE, i.e. we made some changes in our environment using the bash script by passing AggressiveHeap.

sudo ./teamserver <IP> <PASSWORD>    # original command
sudo ./teamserver 192.168.0.5 pentestsky

Once the server has started, you get a hash value, which helps maintain the integrity of the application.

sudo java -jar PATH/To/cobaltstrike.jar    # original command
sudo ./cobaltstrike.sh

Now the connect dialog is up, and here we can create multiple profiles. In the Host section you have to specify the address your team server is running on; the port is 50050 by default. You can specify any username, and the password is the one you provided when starting the server. Then hit Connect. After successful authorization, a verification window appears in which you see the same hash value as the server's.
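The hash comparison described above can also be done outside the GUI before trusting a team server. This is an added example, not code from the original post or from Cobalt Strike; it assumes the printed value is the SHA-256 digest of the team server's TLS certificate (as Cobalt Strike's documentation describes), and the function names and sample bytes are made up for illustration.

```python
import hashlib
import hmac
import ssl
import sys

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize(pin: str) -> str:
    """Accept 'AB:CD:...', spaced or plain hex; reject anything else."""
    cleaned = pin.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 64-digit SHA-256 hex fingerprint")
    return cleaned

def matches_pin(der_cert: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented cert against the known hash."""
    return hmac.compare_digest(fingerprint(der_cert), normalize(expected_pin))

def fetch_der(host: str, port: int = 50050) -> bytes:
    """Fetch the certificate the server presents (no chain validation:
    the certificate is checked against the pinned hash instead)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed sample: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PIN = fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py <teamserver-ip> <hash-from-console>
        ok = matches_pin(fetch_der(sys.argv[1]), sys.argv[2])
    else:                    # offline demo on the constructed sample
        ok = matches_pin(SAMPLE_DER, SAMPLE_PIN.upper())
    print("fingerprint matches" if ok else "MISMATCH: do not connect")
    sys.exit(0 if ok else 1)
```

A mismatch means the client is not talking to the server that printed the hash, so the password should not be sent to it.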

Interaction with Cobalt Strike

The user interface, as you can see in the image above, is divided into two sections, i.e. the visualization zone and the display tab. The visualization tab visually displays all the sessions and gives a proper view of the compromised network and hosts. The display tab is used to view log events and other program features, and to interact with sessions.

Toolbar

Cobalt Strike is built in such a way that the attacker can perform tasks very quickly, using these common features at the click of a button.

  1. Attach another team server
  2. Detach the client from the team server
  3. Start the listener
  4. Different view angles
  5. View credentials
  6. View downloaded files
  7. View keystrokes
  8. View screenshots
  9. Generate a stageless executable or DLL
  10. Set up the Java signed applet attack
  11. Generate macro code
  12. Scripted web delivery attack
  13. Host a file on the Cobalt Strike web server
  14. Manage files and applications hosted on the Cobalt Strike web server
  15. Support page
  16. About Cobalt Strike

Configure the listeners

Just as Metasploit has handlers, Cobalt Strike has listeners. Listeners are responsible for handling the bind or reverse connections to or from the target/server. We can configure a listener by clicking the headphone button. After clicking it, the display tab shows the listeners section, where the default listeners are shown; here we can create multiple listener IDs with different ports and payloads.

After clicking Add we can create a new listener ID, or if you want to make changes to an existing profile you can do so by editing it. Here we are creating a new ID with the name srv-1.

In the payload section we have the different types of payload that Cobalt Strike supports, which we are going to discuss in upcoming posts in this series. Here we choose HTTP. Once you fill in all the required parameters, you can save the dialog and the listener is ready.

We can confirm that it is listening by checking the netcat result.

Payload Generation

Cobalt Strike offers different ways to generate a payload; one of them is the stageless Windows executable. We can create the payload by clicking the button in the toolbar. A dialog appears in which you have to select your listener; in this case we have the srv-1 listener.

After selecting the listener we have to choose what kind of output to generate. In this case we are using the Windows EXE; in upcoming posts in this series we are going to check all of them one by one. Once everything is set, our payload is saved.

After saving it and transferring it to the victim using any kind of social engineering, we get the session in our visualization tab.

Thank you; more blogs in this series are coming.

Contact: [email protected] or Twitter

All feedback is valuable to us.
