h1

Cobalt Strike 1.48 – Peer-to-peer C&C

November 21, 2013

I’m pleased to announce Cobalt Strike 1.48. This release introduces a peer-to-peer data channel for Beacon, improves browser pivoting, and updates the signed applet attack with options the latest Java 1.7 updates require.

Peer-to-Peer Beacon

It’s hard to stay hidden when many compromised systems call out to the internet. To solve this problem, Beacon now supports peer-to-peer command and control. This feature lets you link Beacons to each other. Linked Beacons download tasks and send output through their parent Beacon. To blend in with normal traffic, linked Beacons use SMB pipes to communicate.

What if you need to control a system that can’t connect to the internet? Use the “beacon (connect to target)” listener in the PsExec and PsExec (PowerShell) dialogs. This will run a ready-to-link Beacon on a host, without the need to connect to the internet to stage.

All Beacon features work through this peer-to-peer scheme, including the ability to tunnel Meterpreter and Metasploit Framework attacks through Beacon.

Beacon’s peer-to-peer feature is a quiet way to hold systems and limit your network egress points to one or two hosts.

This feature is similar to the peer-to-peer command and control found in advanced threat malware [12]

Browser Pivoting Updates

Browser Pivoting now works with 64-bit Internet Explorer.

The browser pivoting tab now displays the output of the process injection step too. If your browser pivot setup didn’t work, failed process injection is probably the culprit. If you see the process injection step fail, migrate Meterpreter to explorer.exe and try again.

If you’re not familiar with browser pivoting yet, it’s worth your time to look at it. Once your target authenticates to a website, browser pivoting allows you to inherit their access through your browser. Some dismiss this as equal to simple cookie stealing. This is far from the truth. Browser Pivoting uses your target’s browser to re-authenticate to a site, grab a resource, and display the results in your browser. This method works even when a session is secured with a client SSL certificate or HTTP authentication. Cookie stealing? Pshaw!

Java Applet Updates

New versions of Java 1.7 show a big scary warning for signed applets that lack a few manifest options. This update adds these manifest options to the signed applet in Cobalt Strike. The Applet Kit source in the arsenal is up to date as well. If you use a custom applet with Cobalt Strike, I recommend that you sync changes to avoid this warning.

To learn more about what’s new in Cobalt Strike 1.48, read the release notes. A 21-day trial of Cobalt Strike is available at http://www.advancedpentest.com. Licensed users simply need to run the update program to get the latest.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s