Cobalt Strike Updates 03.06.13
March 6, 2013
Just in time for this weekend’s North East Collegiate Cyber Defense Competition event, I have a fresh update to Armitage and Cobalt Strike. Here are the highlights:
1. Beacon now auto-dumps keystrokes every time it wakes up. I found it too cumbersome to issue a command each time I wanted keystrokes.
2. Beacon has a changed traffic profile.
3. I spent significant time testing Beacon’s ability to communicate through a proxy server. It was always a given to me that Beacon would stage and communicate through a transparent proxy. What happens if an explicit server is configured? No problem, Beacon will stage and communicate through that too. What happens if the proxy server requires authentication? Well, it depends. If it requires static credentials, then we’re out of luck for now. If it requires domain credentials, that’s another story altogether. On Windows 7, WinINet will transparently manage NTLM authentication. On older versions of Windows (e.g., XP), there’s a flag that must be set to allow WinINet to authenticate for us. Beacon now sets this flag and the Metasploit Framework’s reverse_http stager uses this flag now too.
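The practical consequence of item 3 for a defender is that a Beacon check-in through an authenticating proxy is logged under the logged-on user's own domain account, so the username does not separate it from that user's browsing; the regularity of the requests does. The following script is an added example, not code from this post or from Cobalt Strike. It runs over constructed Squid-style access log lines (the field order, hosts and usernames are assumptions) and reports user/host pairs whose request intervals are too regular for a person at a browser.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample of an authenticating proxy's access log (not real data).
# Field order is an assumption modelled on a Squid-style log that records the
# authenticated user:  epoch_seconds  client_ip  user  method  url  status
SAMPLE_LOG = """\
1362571200 10.0.0.7 CORP\\bob GET http://updates.example.net/check 200
1362571205 10.0.0.5 CORP\\alice GET http://www.example.com/ 200
1362571207 10.0.0.5 CORP\\alice GET http://www.example.com/news 200
this line is malformed and must be skipped
1362571230 10.0.0.7 CORP\\bob GET http://www.example.com/ 200
1362571260 10.0.0.7 CORP\\bob GET http://updates.example.net/check 200
1362571260 10.0.0.5 CORP\\alice GET http://www.example.com/search 200
1362571320 10.0.0.7 CORP\\bob GET http://updates.example.net/check 200
1362571381 10.0.0.7 CORP\\bob GET http://updates.example.net/check 200
1362571399 10.0.0.5 CORP\\alice GET http://www.example.com/a 200
1362571402 10.0.0.5 CORP\\alice GET http://www.example.com/b 200
1362571440 10.0.0.7 CORP\\bob GET http://updates.example.net/check 200
1362571470 10.0.0.7 CORP\\bob GET http://www.example.com/ 200
1362571500 10.0.0.7 CORP\\bob GET http://updates.example.net/check 200
1362571900 10.0.0.5 CORP\\alice GET http://www.example.com/c 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_lines(text):
    """Parse log text into (timestamp, user, host, status) tuples.

    Lines that do not match the expected layout are skipped rather than
    allowed to abort the whole run.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname or ""
        records.append((int(m["ts"]), m["user"], host, int(m["status"])))
    return records


def find_periodic(text, min_requests=5, max_cv=0.1):
    """Flag (user, host) pairs whose inter-request gaps are nearly constant.

    The coefficient of variation (std dev / mean) of the gaps is the score:
    a fixed sleep gives a value near 0, human browsing gives a large one.
    """
    by_key = defaultdict(list)
    for ts, user, host, status in parse_lines(text):
        # A 407 is the proxy's NTLM challenge, not a completed check-in; the
        # retried request that follows it carries the real traffic.
        if status == 407:
            continue
        by_key[(user, host)].append(ts)

    hits = []
    for (user, host), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({
                "user": user,
                "host": host,
                "count": len(times),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_periodic(SAMPLE_LOG):
        print(f"{hit['user']} -> {hit['host']}: {hit['count']} requests, "
              f"every ~{hit['period_s']}s (cv={hit['cv']})")
```

Both thresholds need tuning for a real proxy: a longer sleep means fewer requests per day, so `min_requests` must drop, and any randomization of the sleep interval raises the coefficient of variation, so `max_cv` must rise. Software updaters and similar legitimate clients also poll on fixed timers, so a hit is a lead to triage against the destination, not a verdict.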
4. This update optimizes Armitage and Cobalt Strike’s communication to the team server over high latency networks. These optimizations have the active console tab poll the server more often than inactive ones. This update also creates more connections to the team server, which allows more messages to process in parallel. If you’re connected to a remote team server, these changes will allow Cobalt Strike and Armitage to stay responsive, even if you have a lot of tabs open.
5. Cortana now includes a publish/query/subscribe API to allow scripts to communicate through the team server. Several changes were made to make Cortana scripts more robust when interacting with a compromised host. The documentation was updated as well. A future blog post will document some of the new things that are possible with Cortana. For now, check out the updated Raven folder in the Cortana GitHub repository for a preview.
Update 3/6/13 2000h: And my editor (me) missed that March is the third month of the year, not the fourth. No time travel technology was invented by Strategic Cyber. Oops.