During DEFCON, I sat down with Boonsri, a journalist from BYTE to discuss Cobalt Strike and the hacker process in general. This interview was from the same day I lost my voice. During the demo, I used Cobalt Strike’s website clone tool to copy a site and add an exploit to it. From there, I started to log keystrokes of my “corporate victim”.
Cobalt Strike 1.44/16 Aug 12 is now available. Here are some of the changes:
You may now customize Cobalt Strike’s reports with your own header image and accent color. Go to Cobalt Strike -> Preferences and look for the reporting preferences. Here’s an example of a vulnerability report with a custom header image and a red accent color:
The System Profiler feature now detects Apple iOS and Android operating systems. This update to Cobalt Strike also includes icons for Apple iOS and Android.
This release also fixes several bugs, improves usability for a few Metasploit® Framework modules, and updates Cortana. See the releasenotes.txt file for the full story.
Licensed Cobalt Strike users may update using the included update program.
You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.
Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.
What can I do?
Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Google Wave (now Apache Wave) for hacking.
Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.
If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii, you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.
If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts GitHub repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.
For those of you hiding behind a NAT device, this release also adds a means to notify Cobalt Strike and the Metasploit Framework of your proper external IP address. Go to Cobalt Strike -> Listeners -> set LHOST to try it out. The old solution was to set up a Cobalt Strike team server and specify the right IP address during startup. Not everyone uses a team server during their engagements (why not?), so for you, I’ve added this ability.
And two notable bug fixes:
Recent changes to the Metasploit Framework database schema caused some issues with Cobalt Strike’s vulnerability descriptions. This issue has been fixed. Your hosts and vulnerability reports should look lovely again.
This release addresses a configuration issue preventing permanent reverse_http and reverse_https listeners from functioning. Previously, Cobalt Strike would bind to 0.0.0.0 to accept a connection on any interface. Unfortunately, that same address was handed to the http/https payloads, so after the initial handshake they would try to communicate with 0.0.0.0 instead of your system. If you were experiencing trouble with these payloads using Cobalt Strike before, this fix addresses the issue.
If you’d like to learn more, take a glance at the full release notes. A 7-day trial with these updates is available too. Licensed users may run the update program included with Cobalt Strike to get the latest.
He does a good job articulating the benefits, which include using Amazon’s EC2 to test your security from an outside-in perspective or using it as a central point for a distributed red team to work from.
You can use Cobalt Strike or Armitage to work with Amazon’s EC2. If you use Cobalt Strike, I recommend using the quick-msf-setup script included with Cobalt Strike to quickly set up your environment. This process is described in the Cobalt Strike Linux Installation Instructions.
Also, when you run the teamserver, make sure you specify the external IP address of the EC2 node and not the private address bound to the network interface on the system. By specifying an external IP address, you’re telling the Metasploit Framework where reverse connections should go by default. It’s really important that this IP address is one your target systems can reach.
AudioParasitics is on the Offense – Dave and Jim welcome special guest Raphael Mudge!! Known far and wide as the creator and developer of Armitage, Raphael gives us the history behind the tool and touches on some exciting new efforts. We dig deep into the new Cobalt Strike tool, as well as the upcoming release of Cortana at DC20.
This is a great interview. In it, I get to share how Cortana was funded through the DARPA Cyber Fast Track program. I talk about the history of Armitage and I get a chance to discuss what Cobalt Strike is trying to accomplish. Check out the podcast for more:
Overall, I enjoyed getting to learn Cobalt Strike. It’s a new release, and it wasn’t perfect. On the other hand, it did all of the things that I needed to do quickly, and it made pass-the-hash a lot easier than going through the console. Having different tables was another nice feature, so that multiple tasks could be done at once and compartmentalized so that the text wasn’t intermixed. As it continues to mature and add features, Cobalt Strike is going to be a good tool for individual testers and teams who aren’t looking to spend $100k on tools.
If you’re reading this, you’re likely aware of the Armitage project. Fed by your enthusiasm and feedback, Armitage has enjoyed a rapid pace of development since its inception. I left a security engineer role one year ago to search out how to properly nurture this project and its ideas going forward. This search led to some exciting initiatives, one that I’m announcing, right now.
I’d like to introduce you to Armitage’s big brother: Cobalt Strike.
If you’re ready to add Adaptive Penetration Testing to your organization’s skill set, I recommend signing up for the BlackHat USA course run by the Veris Group. This course is a vendor-neutral offering, but those who attend will have an opportunity to play with Cobalt Strike under the guidance of a seasoned instructor team.
The instructors David, Jason, and Chris are among the early adopters who helped shape this product.
And, what about Armitage?
Armitage, Cobalt Strike, and my security research initiatives are now under the banner of Strategic Cyber LLC. The formation of this company is an exciting opportunity. I can now work more formally with many of you and strengthen new and existing relationships.
Armitage will enjoy the same development pace and it will stay open source, always. Even better, I’m releasing something really big for Armitage at DEFCON 20.