Cobalt Strike手册-环境搭建与基本功能

Ms08067安全实验室

发布于 2019-09-24 07:41:15

2.2K00

代码可运行

文章被收录于专栏：Ms08067安全实验室Ms08067安全实验室

运行总次数：0

代码可运行

0x00 简介

Cobalt Strike是一款常用于后渗透的神器，这个工具以团队作为主体，共享信息，拥有多种协议上线方式，集成了端口转发，端口扫描，socket代理，提权，钓鱼等。除去自身功能外，Cobalt Strike还利用了Metasploit和Mimikatz等其他知名工具的功能。

0x01 Cobalt Strike 架构

文件结构

│  agscript 拓展应用的脚本
│  c2lint  检查profile的错误异常
│  cobaltstrike
│  cobaltstrike.jar 客户端程序
│  icon.jpg
│  license.pdf
│  readme.txt
│  releasenotes.txt
│  teamserver  服务端程序
│  update
│  update.jar
│
└─third-party 第三方工具
        README.vncdll.txt
        vncdll.x64.dll
        vncdll.x86.dll

个人定制

Cobalt Strike可以使用 AggressorScripts脚本来加强自身，能够扩展菜单栏，Beacon命令行，提权脚本等
Cobalt Strike通信配置文件是 Malleable C2 你可以修改 CS的通讯特征，Beacon payload的一些行为
Cobalt Strike可以引用其他的通讯框架ExternalC2，ExternalC2是由Cobalt Strike提出的一套规范/框架，它允许黑客根据需要对框架提供的默认HTTP(S)/DNS/SMB C2 通信通道进行扩展。

总的来说 CS的自定义功能很强大，使用起来很灵活后期，会讲到相关的使用。

0x02 运行

Cobalt Strike 需要团队服务器才能使用，也就是teamserver。需要文件 teamserver 与 cobaltstrike.jar 可以选择把他放在公网上面

启动团队服务器

执行 sudo ./teamserver

./teamserver <host> <password> [/path/to/c2.profile] [YYYY-MM-DD]

	<host> is the (default) IP address of this Cobalt Strike team server
	<password> is the shared password to connect to this server
	[/path/to/c2.profile] is your Malleable C2 profile
	[YYYY-MM-DD] is a kill date for Beacon payloads run from this server

在没有使用自己的Malleable C2 profile情况下只填host 与 password即可

启动CS ./cobaltstrike.jar

其中user就是你想要输入的名字，password 为启动teamserver的密码

进入主文件

0x03 菜单栏功能

Cobalt Strike

New Connection  //新的链接
Preferences 偏好设置
Visualization  窗口视图模式
V** interfaces  V**接入
Listeners  监听器
Sript Manager  脚本管理
Close 退出

其中 Preferences 可以删除登陆记录的账户密码与team server SSL ，其他的就是软件的一些颜色等。

View

Applications 用于显示 System Profiler 获取的目标浏览器，操作系统，flash版本
Credentials 显示所有已经获取的用户主机hash
Downloads 显示下载的文件
Event log 事件日志 记录团队  目标上线等记录
Keystrokes 目标键盘记录
Proxy Pivots 代理信息
Screenshots 屏幕截图
Script Console 加载自定义脚本
Targets 显示所有主机
Web log web服务日志

Attack

Packages
HTML Application 生成hta文件
MS Office Macro  宏office文件
Payload Generator  生成各种语言版本的payload
USB/CD AutoPlay 利用自动播放运行的被控端文件
Windows Dropper 捆绑器可将任意正常的文件
Windows Executable payload生成可执行文件 (一般使用这个)
Windows Executable (S)  把包含payload,Stageless生成可执行文件(包含多数功能)

Web Drive-by
Manage  开启的所有web服务
Clone Site 克隆网站
Host File 提供Web以供下载某文件
Scripted Web Delivery  为payload提供web服务以便于下载和执行
Signed Applet Attack  启动一个Web服务以提供自签名Java Applet的运行环境
Smart Applet Attack  自动检测Java版本并l利用已知的exploits绕过security
System Profiler 获取系统，Flash，浏览器版本等

Spear Phish 鱼叉式网络钓鱼

Reporting

Activity report  活动报告
Hosts report  主机报告
Indicators of Compromise 威胁报告
Sessions report  会话报告
Social engineering report  社会工程学报告

0x04 右键功能

Interact 打开beacon
Access
	dump hashes 获取hash
	Elevate  提权
	Golden Ticket 生成黄金票据注入当前会话
	MAke token  凭证转换
	Run Mimikatz 运行 Mimikatz
	Spawn As 用其他用户生成Cobalt Strike侦听器
Explore
	Browser Pivot 劫持目标浏览器进程
	Desktop(VNC)  桌面交互
	File Browser  文件浏览器
	Net View 命令Net View
	Port scan 端口扫描
	Process list 进程列表
	Screenshot 截图
Pivoting
	SOCKS Server 代理服务
	Listener  反向端口转发
	Deploy V** 部署V**
Spawn  新的通讯模式并生成会话
Session 会话管理，删除，心跳时间，退出，备注

Beacon

beacon> help

Beacon Commands
===============

    Command                   Description
    -------                   -----------
    browserpivot              Setup a browser pivot session
    bypassuac                 Spawn a session in a high integrity process
    cancel                    Cancel a download that's in-progress
    cd                        Change directory
    checkin                   Call home and post data
    clear                     Clear beacon queue
    covertV**                 Deploy Covert V** client
    cp                        Copy a file
    dcsync                    Extract a password hash from a DC
    desktop                   View and interact with target's desktop
    dllinject                 Inject a Reflective DLL into a process
    download                  Download a file
    downloads                 Lists file downloads in progress
    drives                    List drives on target
    elevate                   Try to elevate privileges
    execute                   Execute a program on target
    exit                      Terminate the beacon session
    getsystem                 Attempt to get SYSTEM
    getuid                    Get User ID
    hashdump                  Dump password hashes
    help                      Help menu
    inject                    Spawn a session in a specific process
    jobkill                   Kill a long-running post-exploitation task
    jobs                      List long-running post-exploitation tasks
    kerberos_ccache_use       Apply kerberos ticket from cache to this session
    kerberos_ticket_purge     Purge kerberos tickets from this session
    kerberos_ticket_use       Apply kerberos ticket to this session
    keylogger                 Inject a keystroke logger into a process
    kill                      Kill a process
    link                      Connect to a Beacon peer over SMB
    logonpasswords            Dump credentials and hashes with mimikatz
    ls                        List files
    make_token                Create a token to pass credentials
    mimikatz                  Runs a mimikatz command
    mkdir                     Make a directory
    mode dns                  Use DNS A as data channel (DNS beacon only)
    mode dns-txt              Use DNS TXT as data channel (DNS beacon only)
    mode dns6                 Use DNS AAAA as data channel (DNS beacon only)
    mode http                 Use HTTP as data channel
    mode smb                  Use SMB peer-to-peer communication
    mv                        Move a file
    net                       Network and host enumeration tool
    note                      Assign a note to this Beacon
    portscan                  Scan a network for open services
    powerpick                 Execute a command via Unmanaged PowerShell
    powershell                Execute a command via powershell.exe
    powershell-import         Import a powershell script
    ppid                      Set parent PID for spawned post-ex jobs
    ps                        Show process list
    psexec                    Use a service to spawn a session on a host
    psexec_psh                Use PowerShell to spawn a session on a host
    psinject                  Execute PowerShell command in specific process
    pth                       Pass-the-hash using Mimikatz
    pwd                       Print current directory
    rev2self                  Revert to original token
    rm                        Remove a file or folder
    rportfwd                  Setup a reverse port forward
    runas                     Execute a program as another user
    runu                      Execute a program under another PID
    screenshot                Take a screenshot
    shell                     Execute a command via cmd.exe
    shinject                  Inject shellcode into a process
    shspawn                   Spawn process and inject shellcode into it
    sleep                     Set beacon sleep time
    socks                     Start SOCKS4a server to relay traffic
    socks stop                Stop SOCKS4a server
    spawn                     Spawn a session
    spawnas                   Spawn a session as another user
    spawnto                   Set executable to spawn processes into
    spawnu                    Spawn a session under another PID
    ssh                       Use SSH to spawn an SSH session on a host
    ssh-key                   Use SSH to spawn an SSH session on a host
    steal_token               Steal access token from a process
    timestomp                 Apply timestamps from one file to another
    unlink                    Disconnect from parent Beacon
    upload                    Upload a file
    wdigest                   Dump plaintext credentials with mimikatz
    winrm                     Use WinRM to spawn a session on a host
    wmi                       Use WMI to spawn a session on a host