Cobalt Strike Updates: Host Labels, CVE-2013-0422, and VNCJanuary 28, 2013
Cobalt Strike 01.28.13 is now available. I spent this month teaching, red teaming, and writing a lot of code. Let’s jump into the highlights:
1. I started January 2013 running the Cobalt Strike Advanced Threat Tactics course twice in one week. Several students requested the ability to label hosts and share labels with their teammates. This update makes this wish come true. The host labels feature is also in Armitage too.
2. Earlier this month, the offensive security community was blessed with CVE-2013-0422, aka yet another Java security sandbox bypass opportunity. An attack for this opportunity is now available through Cobalt Strike’s Smart Applet attack and auto-exploit server.
3. One of my personal feature requests, for a long time, is the ability to control a desktop directly from Cobalt Strike. Strategic Cyber LLC licensed a Java VNC Viewer, making this dream come true. Cobalt Strike’s mission is to help you demonstrate and communicate risk–making integrated VNC a nice addition.
To demonstrate the Cobalt Strike VNC Viewer, here’s a video from this past weekend’s Southwest CCDC Qualifier competition. I’m connected to a team server across the country through an SSH tunnel. Here, I play “who controls the mouse? I do.” with a blue team competitor.
While these three changes are the main highlights, there’s a lot more to this release. I encourage you to read the releasenotes.txt file for the full story.
If you haven’t tried Cobalt Strike yet, you should. A 21-day trial is available for download. You just need to provide an email address to get it. I promise not to add you to a mailing list, call you during dinner time, or sell your information to another vendor.
Licensed Cobalt Strike users may grab the latest update using the included update program.