Command & Control
Staged vs stageless handler
Great article about the subject
Staged:
Minimal size payload
Dumb stager
Easily detected by an IDS
Stageless:
Larger payload
Fully encrypted communication
Less likely to get caught by an IDS
Cobalt strike
Run the team server
sudo ./teamserver <server_IP> <password> <malleable_profile_file>
Run cobalt strike client
Create a listener:
Egress listener: egress listener is one that allows Beacon to communicate outside of the target network to our team server. Beacon will encapsulate C2 traffic over HTTP/S or DNS.
Peer-to-peer: P2P listeners differ from egress listeners because they don't communicate with the team server directly. Instead, P2P listeners are designed to chain multiple Beacons together in parent/child relationships. P2P listeners can either use SMB or raw TCP.
Create a payload:
HTML application: a .hta file uses embedded VBScript to run the payload. Only generates payloads for egress listeners and is limited to x86.
MS Office Macro: a piece of VBA that can be dropped into a macro-enabled MS Word or Excel document. Only generates payloads for egress listeners but is compatible with both x86 and x64 Office.
Stager Payload Generator: a payload stager in a variety of languages including C, C#, PowerShell, Python, and VBA. Only generates payloads for egress listeners, but supports x86 and x64.
Stageless Payload Generator: As above, but generates stageless payloads rather than stagers. No PowerShell, but has the added option of specifying an exit function (process or thread). It can also generate payloads for P2P listeners.
Windows Stager Payload: a pre-compiled stager as an EXE, Service EXE or DLL
Windows Stageless Payload: a pre-compiled stageless payload as an EXE, Service EXE, DLL, shellcode, as well as PowerShell. This is also the only means of generating payloads for P2P listeners.
Windows Stageless Generate All Payloads: every stageless payload variant, for every listener, in x86 and x64.
Create a beacon
Run the beacon on the compromised machine; the beacon should now show up in Cobalt Strike.
Double click on your beacon and a new tab opens.
You can now run Cobalt Strike commands on the machine from Cobalt Strike's CLI. To see all the commands use help. You can also use help <command> to get help for a specific command.
Use run <command> to run system commands on the machine. Use exit to kill a beacon.
HTTP beacon
An HTTP beacon will automatically send check-in messages to show the Cobalt Strike server that it's still alive. It will be considered dead after 3 missed check-ins. The default delay between check-ins is 60s. You can change the beacon's check-in delay by using sleep <seconds between check-ins>. You can set the delay to 0 to enter interactive mode and get something close to a real shell. Use ctrl+k to clear the console.
⚠️ Although this is nicer for us because you don't have to sit around waiting for as long, you can appreciate how much noisier it is on the wire. The more noise your C2 channel makes, the more likely it is to get caught.
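As an added defensive counterpart to the sleep discussion above (example code, not from the original page): a small Python check that flags source/destination pairs in a proxy log whose request gaps are nearly constant, which is what a Beacon on a fixed sleep looks like on the wire. The log format, IPs and hostnames are constructed for the example.

```python
"""Flag hosts whose outbound requests arrive at near-constant intervals.
Added example (not from the original page): a Beacon on the default 60s sleep
with no jitter produces a gap series with almost no variance; human browsing
is bursty. Log format is constructed: "<ISO time> <src_ip> <host> <status>"."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic). 10.0.0.5 checks in every ~60s.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.net 200
2024-05-01T10:00:07 10.0.0.9 news.example.org 200
2024-05-01T10:01:00 10.0.0.5 cdn.example.net 200
2024-05-01T10:00:08 10.0.0.9 news.example.org 200
2024-05-01T10:02:00 10.0.0.5 cdn.example.net 200
2024-05-01T10:00:09 10.0.0.9 news.example.org 200
2024-05-01T10:03:01 10.0.0.5 cdn.example.net 200
2024-05-01T10:12:40 10.0.0.9 news.example.org 200
2024-05-01T10:04:00 10.0.0.5 cdn.example.net 200
2024-05-01T10:05:00 10.0.0.5 cdn.example.net 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Group request timestamps by (src_ip, host), sorted in time order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    for ts in sessions.values():
        ts.sort()
    return sessions

def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(src_ip, host): mean_gap_seconds} for pairs whose gaps are regular.
    cv = stdev / mean of the inter-request gaps; a sleeping Beacon has cv near 0."""
    hits = {}
    for key, ts in parse_log(text).items():
        if len(ts) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[key] = round(mean, 1)
    return hits
```

On the sample, `find_beacons(SAMPLE_LOG)` returns only the 60-second host; an operator who adds jitter raises the coefficient of variation, so `max_cv` has to be tuned against baseline traffic rather than fixed.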
DNS beacon
Because of the lower bandwidth available over DNS, the DNS beacon will not automatically check in, so it will appear in the UI as an "unknown" Beacon. You can use checkin to do a manual check-in and see the metadata appear in Cobalt Strike.
P2P beacons
Unlike egress beacons, P2P beacons will not automatically connect back to your Cobalt Strike server. You will need to use the connect command for TCP or the link command for SMB and connect manually to your beacon.
P2P beacons don't have their own sleep time; they inherit the one of their egress beacon. So if you want to change a P2P beacon's sleep time, just change the sleep time of its egress beacon.
Pivot listeners
A pivot listener can only be created on an existing Beacon, and not via the normal Listeners menu. These listeners work in the same way as regular TCP listeners, but in reverse. A standard Beacon TCP payload binds to 127.0.0.1 (or 0.0.0.0) and listens for an incoming connection on the specified port. You then initiate a connection to it from an existing Beacon (with the connect command). The pivot listener works the other way around by telling the existing Beacon to bind and listen on a port, and the new Beacon TCP payload initiates a connection to it instead.
To create a pivot listener, right-click on a Beacon and select Pivoting > Listener. This will open a "New Listener" window.
Next generate your payload, specifying the pivot listener as the listener.
Then execute the payload and the new pivot beacon should appear in the GUI.
Graph view
Arrow colors:
Green: TCP
Yellow: SMB
Green with dots: HTTP
Yellow with dots: DNS
Cobalt strike server setup
If you want to set up a Cobalt Strike server on a machine and you want it to start when the VM starts, use these commands:
Create a systemd unit file
Then paste the following content
Next reload the systemd manager, start the service and
Metasploit
TCP Payloads
TCP connection workaround
Create a stageless listener:
Create a matching payload for this listener:
Create a staged listener with LPORT set to <backup port> and ReverseListenerBindPort set to something different.
Create a second payload for this listener, using <initial port> for LPORT.
When the staged payload runs, it will connect to Metasploit on port <initial port>. If the session needs to reconnect for any reason, Meterpreter will be responsible for that reconnection. Therefore, Meterpreter's own configuration block will be referenced instead of the stager configuration, and it will use port <backup port>, where the stageless listener is active. Here's an example:
HTTP/S payloads
HTTP/S payloads will automatically reconnect to the listener after a loss of connection, whether they are staged or not.
DNS
You may want to use PowerDNS to register a domain name. PowerDNS might also be useful for DNS exfiltration.
To get a web interface for PowerDNS you can use PowerDNS-Admin.
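An added example (not from the original page) that ties the DNS beacon behaviour above to the DNS exfiltration note: a Python check over a constructed resolver query log that flags parent domains with many distinct, high-entropy leftmost labels, which is what a low-bandwidth DNS channel looks like from the defender's side. The log format, IPs and domains are constructed; splitting the parent domain as the last two labels is a simplifying assumption.

```python
"""Flag registered domains that look like a DNS C2 or exfiltration channel.
Added example (not from the original page). Input is a constructed query log,
one query per line: "<client_ip> <qname> <qtype>". A low-bandwidth DNS channel
shows up as many distinct, high-entropy leftmost labels under one parent domain."""
import math
from collections import Counter, defaultdict

# Constructed sample (not real traffic): example-c2.net carries encoded data
# in the leftmost label; example.org is ordinary browsing.
SAMPLE_QUERIES = """\
10.0.0.5 q7f2k9xm3p0wz8ra.c2.example-c2.net TXT
10.0.0.5 b4n6t1yd5h0ujv2c.c2.example-c2.net TXT
10.0.0.5 e9s3g8ol1ic7kx5m.c2.example-c2.net TXT
10.0.0.5 w2r6pz0fa4tn9q1h.c2.example-c2.net TXT
10.0.0.5 d5m8vk3ub0jy7e2s.c2.example-c2.net TXT
10.0.0.5 x1c4lo9gt6i3rh8n.c2.example-c2.net TXT
10.0.0.9 www.example.org A
10.0.0.9 mail.example.org A
10.0.0.9 www.example.org A
"""

def shannon_entropy(label):
    """Bits of entropy per character; encoded or encrypted data scores high."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_dns_channels(text, min_unique=5, min_entropy=3.0):
    """Return {parent_domain: (unique_leftmost_labels, mean_entropy)} for suspects.
    Assumption: the parent domain is the last two labels (no public-suffix list)."""
    leftmost = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        labels = parts[1].rstrip(".").split(".")
        if len(labels) < 3:  # no subdomain label that could carry data
            continue
        leftmost[".".join(labels[-2:])].add(labels[0])
    hits = {}
    for parent, names in leftmost.items():
        if len(names) < min_unique:
            continue
        ent = sum(shannon_entropy(n) for n in names) / len(names)
        if ent >= min_entropy:
            hits[parent] = (len(names), round(ent, 2))
    return hits
```

Counting distinct leftmost labels rather than raw query volume is what separates a channel from a busy but legitimate zone, since cached answers suppress repeats of the same name while a channel must keep changing it.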