forked from aleenzz/Cobalt_Strike_wiki
Showing 10 changed files with 957 additions and 0 deletions.
@@ -0,0 +1,267 @@ | ||
# 0x00 简介 | ||
|
||
>Cobalt Strike是一款常用于后渗透的神器,这个工具以团队作为主体,共享信息,拥有多种协议上线方式,集成了端口转发,端口扫描,socket代理,提权,钓鱼等。除去自身功能外,Cobalt Strike还利用了Metasploit和Mimikatz等其他知名工具的功能。 | ||
# 0x01 Cobalt Strike 架构 | ||
|
||
![Cobalt Strike 架构](./img/1.png) | ||
|
||
## 文件结构 | ||
``` | ||
│ agscript 拓展应用的脚本 | ||
│ c2lint 检查profile的错误异常 | ||
│ cobaltstrike | ||
│ cobaltstrike.jar 客户端程序 | ||
│ icon.jpg | ||
│ license.pdf | ||
│ readme.txt | ||
│ releasenotes.txt | ||
│ teamserver 服务端程序 | ||
│ update | ||
│ update.jar | ||
│ | ||
└─third-party 第三方工具 | ||
README.vncdll.txt | ||
vncdll.x64.dll | ||
vncdll.x86.dll | ||
``` | ||
|
||
## 个人定制 | ||
|
||
* Cobalt Strike可以使用 AggressorScripts脚本来加强自身,能够扩展菜单栏,Beacon命令行,提权脚本等 | ||
|
||
* Cobalt Strike通信配置文件是 Malleable C2 你可以修改 CS的通讯特征,Beacon payload的一些行为 | ||
|
||
* Cobalt Strike可以引用其他的通讯框架ExternalC2,ExternalC2是由Cobalt Strike提出的一套规范/框架,它允许黑客根据需要对框架提供的默认HTTP(S)/DNS/SMB C2 通信通道进行扩展。 | ||
|
||
总的来说 CS的自定义功能很强大,使用起来很灵活后期,会讲到相关的使用。 | ||
|
||
# 0x02 运行 | ||
|
||
Cobalt Strike 需要团队服务器才能使用,也就是teamserver。 需要文件 teamserver 与 cobaltstrike.jar 可以选择把他放在公网上面 | ||
|
||
## 启动团队服务器 | ||
|
||
``` | ||
执行 sudo ./teamserver | ||
``` | ||
|
||
``` | ||
./teamserver <host> <password> [/path/to/c2.profile] [YYYY-MM-DD] | ||
<host> is the (default) IP address of this Cobalt Strike team server | ||
<password> is the shared password to connect to this server | ||
[/path/to/c2.profile] is your Malleable C2 profile | ||
[YYYY-MM-DD] is a kill date for Beacon payloads run from this server | ||
``` | ||
在没有使用 自己的Malleable C2 profile情况下只填host 与 password即可 | ||
|
||
![](./img/2.png) | ||
|
||
启动CS ./cobaltstrike.jar | ||
|
||
![](./img/3.png) | ||
|
||
其中user就是你想要输入的名字,password 为启动teamserver的密码 | ||
|
||
![](./img/4.png) | ||
|
||
进入主文件 | ||
|
||
# 0x03 菜单栏功能 | ||
|
||
## Cobalt Strike | ||
![](./img/5.png) | ||
|
||
``` | ||
New Connection //新的链接 | ||
Preferences 偏好设置 | ||
Visualization 窗口视图模式 | ||
VPN interfaces VPN接入 | ||
Listeners 监听器 | ||
Sript Manager 脚本管理 | ||
Close 退出 | ||
``` | ||
其中 Preferences 可以删除 登陆记录的账户密码 与team server SSL ,其他的就是软件的一些颜色等。 | ||
|
||
## View | ||
![](./img/6.png) | ||
|
||
``` | ||
Applications 用于显示 System Profiler 获取的目标浏览器,操作系统,flash版本 | ||
Credentials 显示所有已经获取的用户主机hash | ||
Downloads 显示下载的文件 | ||
Event log 事件日志 记录团队 目标上线等记录 | ||
Keystrokes 目标键盘记录 | ||
Proxy Pivots 代理信息 | ||
Screenshots 屏幕截图 | ||
Script Console 加载自定义脚本 | ||
Targets 显示所有主机 | ||
Web log web服务日志 | ||
``` | ||
|
||
## Attack | ||
![](./img/7.png) | ||
|
||
``` | ||
Packages | ||
HTML Application 生成hta文件 | ||
MS Office Macro 宏office文件 | ||
Payload Generator 生成各种语言版本的payload | ||
USB/CD AutoPlay 利用自动播放运行的被控端文件 | ||
Windows Dropper 捆绑器可将任意正常的文件 | ||
Windows Executable payload生成可执行文件 (一般使用这个) | ||
Windows Executable (S) 把包含payload,Stageless生成可执行文件(包含多数功能) | ||
``` | ||
|
||
``` | ||
Web Drive-by | ||
Manage 开启的所有web服务 | ||
Clone Site 克隆网站 | ||
Host File 提供Web以供下载某文件 | ||
Scripted Web Delivery 为payload提供web服务以便于下载和执行 | ||
Signed Applet Attack 启动一个Web服务以提供自签名Java Applet的运行环境 | ||
Smart Applet Attack 自动检测Java版本并l利用已知的exploits绕过security | ||
System Profiler 获取系统,Flash,浏览器版本等 | ||
``` | ||
|
||
``` | ||
Spear Phish 鱼叉式网络钓鱼 | ||
``` | ||
|
||
## Reporting | ||
![](./img/8.png) | ||
``` | ||
Activity report 活动报告 | ||
Hosts report 主机报告 | ||
Indicators of Compromise 威胁报告 | ||
Sessions report 会话报告 | ||
Social engineering report 社会工程学报告 | ||
``` | ||
|
||
# 0x04 右键功能 | ||
![](./img/9.png) | ||
|
||
``` | ||
Interact 打开beacon | ||
Access | ||
dump hashes 获取hash | ||
Elevate 提权 | ||
Golden Ticket 生成黄金票据注入当前会话 | ||
MAke token 凭证转换 | ||
Run Mimikatz 运行 Mimikatz | ||
Spawn As 用其他用户生成Cobalt Strike侦听器 | ||
Explore | ||
Browser Pivot 劫持目标浏览器进程 | ||
Desktop(VNC) 桌面交互 | ||
File Browser 文件浏览器 | ||
Net View 命令Net View | ||
Port scan 端口扫描 | ||
Process list 进程列表 | ||
Screenshot 截图 | ||
Pivoting | ||
SOCKS Server 代理服务 | ||
Listener 反向端口转发 | ||
Deploy VPN 部署VPN | ||
Spawn 新的通讯模式并生成会话 | ||
Session 会话管理,删除,心跳时间,退出,备注 | ||
``` | ||
|
||
# Beacon | ||
|
||
``` | ||
beacon> help | ||
Beacon Commands | ||
=============== | ||
Command Description | ||
------- ----------- | ||
browserpivot Setup a browser pivot session | ||
bypassuac Spawn a session in a high integrity process | ||
cancel Cancel a download that's in-progress | ||
cd Change directory | ||
checkin Call home and post data | ||
clear Clear beacon queue | ||
covertvpn Deploy Covert VPN client | ||
cp Copy a file | ||
dcsync Extract a password hash from a DC | ||
desktop View and interact with target's desktop | ||
dllinject Inject a Reflective DLL into a process | ||
download Download a file | ||
downloads Lists file downloads in progress | ||
drives List drives on target | ||
elevate Try to elevate privileges | ||
execute Execute a program on target | ||
exit Terminate the beacon session | ||
getsystem Attempt to get SYSTEM | ||
getuid Get User ID | ||
hashdump Dump password hashes | ||
help Help menu | ||
inject Spawn a session in a specific process | ||
jobkill Kill a long-running post-exploitation task | ||
jobs List long-running post-exploitation tasks | ||
kerberos_ccache_use Apply kerberos ticket from cache to this session | ||
kerberos_ticket_purge Purge kerberos tickets from this session | ||
kerberos_ticket_use Apply kerberos ticket to this session | ||
keylogger Inject a keystroke logger into a process | ||
kill Kill a process | ||
link Connect to a Beacon peer over SMB | ||
logonpasswords Dump credentials and hashes with mimikatz | ||
ls List files | ||
make_token Create a token to pass credentials | ||
mimikatz Runs a mimikatz command | ||
mkdir Make a directory | ||
mode dns Use DNS A as data channel (DNS beacon only) | ||
mode dns-txt Use DNS TXT as data channel (DNS beacon only) | ||
mode dns6 Use DNS AAAA as data channel (DNS beacon only) | ||
mode http Use HTTP as data channel | ||
mode smb Use SMB peer-to-peer communication | ||
mv Move a file | ||
net Network and host enumeration tool | ||
note Assign a note to this Beacon | ||
portscan Scan a network for open services | ||
powerpick Execute a command via Unmanaged PowerShell | ||
powershell Execute a command via powershell.exe | ||
powershell-import Import a powershell script | ||
ppid Set parent PID for spawned post-ex jobs | ||
ps Show process list | ||
psexec Use a service to spawn a session on a host | ||
psexec_psh Use PowerShell to spawn a session on a host | ||
psinject Execute PowerShell command in specific process | ||
pth Pass-the-hash using Mimikatz | ||
pwd Print current directory | ||
rev2self Revert to original token | ||
rm Remove a file or folder | ||
rportfwd Setup a reverse port forward | ||
runas Execute a program as another user | ||
runu Execute a program under another PID | ||
screenshot Take a screenshot | ||
shell Execute a command via cmd.exe | ||
shinject Inject shellcode into a process | ||
shspawn Spawn process and inject shellcode into it | ||
sleep Set beacon sleep time | ||
socks Start SOCKS4a server to relay traffic | ||
socks stop Stop SOCKS4a server | ||
spawn Spawn a session | ||
spawnas Spawn a session as another user | ||
spawnto Set executable to spawn processes into | ||
spawnu Spawn a session under another PID | ||
ssh Use SSH to spawn an SSH session on a host | ||
ssh-key Use SSH to spawn an SSH session on a host | ||
steal_token Steal access token from a process | ||
timestomp Apply timestamps from one file to another | ||
unlink Disconnect from parent Beacon | ||
upload Upload a file | ||
wdigest Dump plaintext credentials with mimikatz | ||
winrm Use WinRM to spawn a session on a host | ||
wmi Use WMI to spawn a session on a host | ||
``` | ||
此部分不做翻译 讲在后期使用中介绍 也可在Beacon 使用`help xxxx`获取更加详细的介绍 | ||
(翻译太累了=.=) | ||
|
||
# 0x06文末 | ||
本文介绍Cobalt Strike3.8版本的运行以及大体功能的翻译,后期功能演示可能会换成其他版本。(本文用时3个小时) | ||
|
||
|
||
### 本文如有错误,请及时提醒,以免误导他人 |
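Review bot: this hunk carries several documentation defects that should be fixed before merge. `Sript Manager 脚本管理` should read `Script Manager`, `MAke token 凭证转换` should read `Make token`, and `并l利用已知的exploits` has a stray `l`. The entry `Windows Dropper 捆绑器可将任意正常的文件` stops mid-sentence and never says what the bundler does with the file. The section numbering jumps from `# 0x04 右键功能` to `# 0x06文末` while the `# Beacon` heading between them carries no number, so either number it `0x05` or renumber the closing section. Finally, `启动CS ./cobaltstrike.jar` will not work as written, since a jar is not directly executable from a normal shell; the file listing earlier in the hunk shows a separate `cobaltstrike` launcher next to `cobaltstrike.jar`, so the client should be started with `./cobaltstrike` (or `java -jar cobaltstrike.jar`).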
@@ -0,0 +1,44 @@ | ||
#0x00 简介 | ||
本章介绍的是Spear Phish(鱼叉式网络钓鱼)在Cobalt Strike中给我们提供了 鱼叉邮件的功能 ,配上host file 等实现,进一步攻击。 | ||
|
||
![Cobalt Strike ](./img/7.2.png) | ||
往往我们不能直接入手的时候,鱼叉邮件是一种不错的手段,我们可以在APT攻击上经常看到他的身影 | ||
|
||
#0x01 Spear Phish 配置 | ||
|
||
>使用 Attack>Spear Phish | ||
![Cobalt Strike ](./img/7.1.png) | ||
|
||
* targets 发送的目标信息 格式 [email protected](tab键) name | ||
|
||
``` | ||
[email protected] TOM | ||
[email protected] jim | ||
``` | ||
* tmplate 邮件模板 一般在邮件的更多选项中 ,选择导出,或者显示原文 | ||
|
||
* attachment 附件 | ||
|
||
* Embed URL 要嵌入的网址 | ||
|
||
* Mail server SMTP | ||
|
||
* Bounce to 模仿发件人 | ||
|
||
![Cobalt Strike ](./img/7.3.png) | ||
|
||
preview 预览我们的模板文件 在实际操作过程中 当然是先给自己发一封 | ||
|
||
![Cobalt Strike ](./img/7.4.png) | ||
|
||
send发送成功后我们可以在 send email 看到提示 | ||
![Cobalt Strike ](./img/7.5.png) | ||
对应 目标收到的效果图 | ||
|
||
#0x02 文末 | ||
|
||
本文略短 灵活配合其他钓鱼手法,比如这里的Embed URL 可以换成上一章的flash oday 达到打开网址获得权限(半小时) | ||
|
||
### 本文如有错误,请及时提醒,以免误导他人 |
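Review bot: the three headings `#0x00 简介`, `#0x01 Spear Phish 配置` and `#0x02 文末` have no space after the `#`, so Markdown renders them as plain text rather than headings; the first file in this commit uses `# 0x00 简介`, so add the space for consistency. `tmplate 邮件模板` should read `template`. The targets description says the format is address, a tab, then name, but the two example rows show only a plain space between address and name; the example should make the separator explicit so the file format is unambiguous. `flash oday` in the closing paragraph should be `flash 0day`.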
@@ -0,0 +1,69 @@ | ||
# 0x00 SMB Beacon简介 | ||
|
||
为什么要把这个监听器单独的拿出来呢,因为它跟DNS beacon都比较特殊,可能在防护墙绕过会用到它。[官网](https://www.cobaltstrike.com/help-smb-beacon )这么介绍它的SMB Beacon使用命名管道通过父级Beacon进行通讯,当两个Beacons链接后,子Beacon从父Beacon获取到任务并发送。因为链接的Beacons使用Windows命名管道进行通信,此流量封装在SMB协议中,所以[SMB Beacon](https://blog.cobaltstrike.com/2013/12/06/stealthy-peer-to-peer-cc-over-smb-pipes/)相对隐蔽。 | ||
|
||
|
||
其中它的原理图我引用作者的博客找到一张图 | ||
|
||
![Cobalt Strike ](./img/3.1.png) | ||
|
||
|
||
# 0x01 SMB Beacon使用 | ||
|
||
这种方法有几个注意事项: | ||
1.具有SMB Beacon的主机必须接受端口445上的连接。 | ||
2.只能链接由同一Cobalt Strike实例管理的Beacon。 | ||
|
||
* 派生一个 SMB Beacon | ||
在 Listeners 生成 SMB Beacon >目标主机>右键>spawn>选中Listeners >choose | ||
|
||
![Cobalt Strike ](./img/3.2.png) | ||
|
||
运行成功后 external 可以看到 ∞∞ 这个字符 ,这就是派生的SMB Beacon | ||
当前是连接状态 你可以主Beacon上 用link host链接它 或者unlink host断开它 。 | ||
|
||
![Cobalt Strike ](./img/3.3.png) | ||
|
||
点击上面的小图标出现透视图,当用命令断开时 链接符号上面出现disconnected | ||
|
||
* 内网横向渗透 SMB | ||
至于内网横向渗透我这里就不讲了 可以使用ipc$ 什么的生成的 SMB Beacon上次到目标主机执行,然后这里是不会直接上线的,需要我们自己用link命令去连接他。 | ||
**环境**: | ||
windows 7 | ||
windows 7 | ||
这里直接克隆的win7两台所以图片主机名一样的 | ||
|
||
![Cobalt Strike ](./img/3.4.png) | ||
![Cobalt Strike ](./img/3.5.png) | ||
|
||
第一个原理图已经完美说明了这两幅图的连接方式 | ||
|
||
|
||
# 0x02 Spawn | ||
|
||
我们在 beacon 运行 help spawn 可以看到它的具体方法 | ||
|
||
``` | ||
beacon> help spawn | ||
Use: spawn [x86|x64] [listener] | ||
spawn [listener] | ||
Spawn an x86 or x64 process and inject shellcode for the listener. | ||
``` | ||
|
||
spawn 这个功能,中文意思是“产卵”,它的功能就是可以派生出更多的Beacon 让一个团队分布式渗入。通常我们在团队主服务器上给队友来派生Beacon 这样只要主服务器权限不掉,还能继续操作。尽量派生出多个Beacon,让我们的操作都在子Beacon。 | ||
|
||
这里我简单叙述下 如何操作从主服务器 派生到 其他队友服务器过程 | ||
|
||
``` | ||
队友服务器Listeners生成 > 团队服务器 Listeners生成 使用队友ip>Spawn | ||
``` | ||
其实很好理解 就是让队友的服务器生成监听 然后团队服务器生成server ip指向队友。 | ||
|
||
灵活的运用Spawn 不仅可以使团队效率提高,也能较好的维持权限,同时还能结合MSF。 | ||
|
||
|
||
# 0x03 文末 | ||
DNS和SMB 都是CS比较不错的Listeners。(用时3小时) | ||
|
||
### 本文如有错误,请及时提醒,以免误导他人 |
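Review bot: the prerequisites list `1.具有SMB Beacon的主机必须接受端口445上的连接。` and `2.只能链接由同一Cobalt Strike实例管理的Beacon。` has no space after the list numbers and no blank line before it, so Markdown folds both items into the preceding paragraph; write `1. ...` and `2. ...` on their own lines after a blank line. In the same paragraph, the lead-in `这么介绍它的` runs straight into the quoted description `SMB Beacon使用命名管道...` without any punctuation, and the link `(https://www.cobaltstrike.com/help-smb-beacon )` has a stray space before the closing parenthesis. In the lateral-movement paragraph, `上次到目标主机执行` looks like a typo for `上传到目标主机执行`. Since the text itself states that a linked SMB Beacon requires inbound port 445 on the host and can only link Beacons managed by the same instance, it would help readers to restate those two constraints next to the `link host` / `unlink host` instructions, where the linking actually happens.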