Cobalt Strike and Armitage Updates

Updates to Cobalt Strike and Armitage are available now. I spent the past two weeks testing these programs through unit tests, a class QA focus group, and multiple penetration tests of my local lab from Amazon’s EC2.

This update fixes several bugs in both programs and I was even able to contribute a few fixes to the Metasploit Framework.

As usual, the trial version of Cobalt Strike is available at: (changelog)

Use msfupdate to get your hands on the updated Armitage release, or go to: (changelog)

For either application, I recommend that you update the Metasploit Framework to get revision 15972. A CPU resource starvation condition was mitigated last night. This bug would cause a Ruby thread to take over the CPU for up to 10 minutes at a time, making Armitage and Cobalt Strike barely usable. I have a blog post coming on this particular bug.

P.S. Strategic Cyber (*cough*me*cough*) is at the Maryland Cyber Challenge and Conference today and tomorrow. Stop by our table to get one of the nifty penetration testing lab DVDs with exercises and target VMs paired to our online course.

Advanced Threat Tactics Training

I share a lot from my experiences playing on exercise red teams. I talk about the tactics to collaborate, persist on systems, and challenge network defenders in an artificial environment. Armitage was built for this role.

I speak little about my experience working as a penetration tester. I used to work for a security consulting firm providing “red team services to a DoD customer”. My job was threat emulation. My partner and I would plan and execute actions over a long period of time. All of our activities were double-blind. To protect our work, my boss would meet with our contact in a public area set aside for smokers, hand over our plan, and gain approval to execute at that time.

Last October, I was asked by the LASCON organizers in Austin, TX to teach a one day course at their conference. I opted to teach a course on threat emulation. This is when I wrote Advanced Threat Tactics with Armitage. The course briefly introduced Armitage and the Metasploit Framework. A lot of time was spent on how to get a foothold using tactics these tools don’t directly support. The lecture portion ended with two talks on post-exploitation and how to move inside of a network.

The capabilities missing from our tools made up the Advanced Threat Tactics portion of the course. In these three lectures and labs, I taught:

  • All attacks start with reconnaissance. How do you perform reconnaissance before a targeted phishing campaign? I introduced the concept of a system profiler and how to build one.
  • What do you do if client-side applications are patched? Think like a criminal–you care about the end and not the means. Here, I introduced the idea of hacking with features. It’s important to know how to look at an attack surface and recognize opportunities to get code execution. Sometimes the simple ways work best.
  • Once you have an attack, you need to make sure it passes anti-virus. You also need to think about command and control and how you will go through a restrictive firewall. In this portion of the lecture, I introduced students to these ideas and tools available (at the time) to help them with this process.
  • Once you have your attack put together, it’s important to package it in a convincing way and get it to your target. Here I taught how to send a pixel perfect phishing message. I made students do these steps by hand. Nothing says fun quite like stripping headers from a message in a text editor and then typing SMTP commands by hand to exchange email with the target’s mail server.

My course helped students think creatively about how to get a foothold in a network and use that foothold to achieve a goal. The missing capabilities in the penetration tester’s toolbox have become the road map for Cobalt Strike.

Fast forward one year later. I’m teaching a two-day Advanced Threat Tactics course at OWASP AppSec USA. The heart of the course is still the same. It’s a two-day opportunity to learn how to think creatively about the hacking process and execute the tactics through several guided labs. The two-day time frame allows me to add a lab and lecture on evading defenses. I have also expanded the post-exploitation and maneuver lectures.

The best part of the course is the exercise though. The course ends with an exercise that lasts several hours. You have the opportunity to work with a team and assume the role of different threat actors attacking a simulated enterprise.

  • As a hacktivist, you’ll break into the ACME corporation, discover their dirty secrets, deface their website, and publish their email spool
  • As an actor interested in economic espionage, you will gain access to the ACME corporation, find the source code to their secret project, and steal it.
  • And, as a nation we face risk of sabotage through cyberspace. As this threat, you’ll find and manipulate a control system that leads to the destruction of a nuclear reactor.

I wrote this course for a broad audience to include novice to experienced penetration testers and network defenders. I teach the Advanced Threat Tactics by request to organizations who have the resources for 12-15 students. For individuals, the best opportunity is to attend Advanced Threat Tactics at a conference. The next run of Advanced Threat Tactics is at AppSec USA in Austin, TX. The course is Tuesday, 10/23/12 and Wednesday, 10/24/12. If you’d like to sign up, there’s still space available.

Beacon – A PCI Compliant Payload for Cobalt Strike

TL;DR Beacon is a  new Cobalt Strike payload that uses DNS  to reduce the need to talk directly to Cobalt Strike. Beacon helps you mimic the low and slow command and control popular with APT and malware.

In the interest of helping you verify vulnerabilities for compliance purposes, I’d like to introduce you to Beacon, a new feature in the latest Cobalt Strike update.

Beacon is a PCI compliant payload (if PCI means Payload for Covert Interaction). Beacon offers long-term asynchronous command and control of a compromised host. It works like other Metasploit Framework payloads. You may embed it into an executableadd it to a document, or deliver it with a client-side exploit.

The next time you have to run an exploit to check the box, why don’t you exploit the CEO’s system and use Beacon to quietly maintain a lifeline into the network until everyone is gone for the night? Then you can inject Meterpreter into memory, load Cobalt Strike’s Covert VPN, and run your favorite vulnerability scanner

What is that you say? Your customer has decent network monitoring? They’ll block your beacon before anything can be done about it? OK! Beacon can phone home to multiple domains. If one gets blocked, that’s OK. If you own a few domains and have a few NS records to spare, Beacon can check for tasks using DNS requests. It doesn’t need to communicate with you unless a task is waiting for it.

Beacon’s features include

  • Check task availability using HTTP or DNS
  • Beacon to multiple domains (who cares if that first one is blocked)
  • Capable of automatic migration immediately after staging
  • Tight integration with Cobalt Strike. Deliver beacon with social engineering packages, client-side exploits, and session passing
  • Intuitive console to manage and task multiple beacons at once

Beacon is available in the latest 21-day Cobalt Strike trial. You may download it at

Licensed users may use the update program to update their Cobalt Strike installation to the latest version.

If you’re at DerbyCon, make sure you stop by the Strategic Cyber LLC table for a demo.

Are you headed to OWASP AppSec USA in Austin, TX? I’m teaching a two-day Advanced Threat Tactics course. In this course, I will show you how to evade defense technologies, gain a foothold in a modern network, and carry out post-exploitation. It’s a great way to learn more about how to use technologies like Beacon.

Covert VPN – Layer 2 Pivoting for Cobalt Strike

Currently, I’m debating a class of social engineering “packages” to force SMB requests against an attacker controlled system. Ideas include packages to generate LNK files, host a WPAD server, etc.

This created a bit of an identity crisis though. I see Cobalt Strike as a tool for a penetration tester to emulate the capabilities of a motivated external actor. Sadly, many awesome SMB attacks require a physical presence on the target’s network.

To put this issue to rest, I decided to build a feature to allow a motivated external attacker the ability to work as-if they are physically present on the target’s network. This feature is Covert VPN.

Deploy Covert VPN

Covert VPN is a layer 2 pivoting capability for Cobalt Strike. It creates a network interface on your system that is bridged into the target’s network through a channel of your choosing. Covert VPN can tunnel its traffic over UDP, TCP, or HTTP channels

Once an interface is active, you can sniff packets, start rogue services, use external scanners and attack tools–pretty much whatever you want.

Covert VPN is in the latest version of Cobalt Strike. A 21-day trial is available as well. Try it out and let me know what you think.

Cortana: Rise of the Automated Red Team (DEFCON 20 Video)

At DEFCON 20, I released Cortana, a scripting technology for Armitage and Cobalt Strike. This is the talk I gave after losing my voice.

Here’s the actual DEFCON talk:

If you’d like to get started with Cortana, Jason Frank has a great blog post showing how to load and use scripts.

A public collection of scripts is available on Github. To download the latest version of these scripts, type:

git clone

If you’d like to write your own scripts, consult the tutorial to get started.

Cobalt Strike Interview with BYTE

During DEFCON, I sat down with Boonsri, a journalist from BYTE to discuss Cobalt Strike and the hacker process in general. This interview was from the same day I lost my voice. During the demo, I used Cobalt Strike’s website clone tool to copy a site and add an exploit to it. From there, I started to log keystrokes of my “corporate victim”.

The full video is in the BYTE Story – Client-side Hacks: Fake Sites Keep Companies Vulnerable

Here are a few artifacts from the interview, if you’d like to explore the concepts further:


Cobalt Strike 1.44 Update

Cobalt Strike 1.44/16 Aug 12 is now available. Here are some of the changes:

  • You may now customize Cobalt Strike’s reports with your own header image and accent color. Go to Cobalt Strike -> Preferences and look for the reporting preferences. Here’s an example of a vulnerability report with a custom header image and a red accent color:

A Customized Report

  • The System Profiler feature now detects Apple iOS and Android operating systems. This update to Cobalt Strike also includes icons for Apple iOS and Android.

This release also fixes several bugs, improves usability for a few Metasploit(r) Framework modules, and updates Cortana. See the releasenotes.txt file for the full story.

Licensed Cobalt Strike users may update using the included update program.

Also, the default Cobalt Strike trial period is now 21 days. Now you have more time to explore the software and follow the Cobalt Strike Training course.

Enjoy the update.

Cortana: real-time collaborative hacking… with bots

At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana.

You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.

Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.

Cortana Architecture

What can I do?

Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Google Wave Apache Wave for hacking.

Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.

Start Here…

If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii–you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.

If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts Github repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.

Developer Support

If you have questions, join the Cortana Hackers Mailing list. Send a blank message to and you will be subscribed. You may send a message to to unsubscribe from the list.

If you’d like to connect on IRC with other Cortana hackers, join #armitage on

Get It

Cortana is now available in Armitage 08.02.12 shipped in the Metasploit Framework. Type msfupdate and you have it. I hope I didn’t freak anyone out with my mega-large pull request.

The latest trial of Cobalt Strike has it too.

Cortana is BSD-licensed and is co-developed with Armitage. This work was made possible by a DARPA Cyber Fast Track contract.

I first announced Cortana at DEFCON 20. The slides from this presentation are available as well.

Cobalt Strike 1.44 / 19 Jul 12 Update

Another Cobalt Strike update is available. This update makes Cobalt Strike compatible with version 4.4 of the Metasploit Framework.

Here are the new features in this update:

  • Cobalt Strike now has a USB attack generator built in. This was fun to put together and I can imagine, even more fun to deploy. The default settings emulate the social engineering attack used by the Conficker worm to spread itself.

  • For those of you hiding behind a NAT device, this release also adds a means to notify Cobalt Strike and the Metasploit Framework of your proper external IP address. Go to Cobalt Strike -> Listeners -> set LHOST to try it out. The old solution was to set up a Cobalt Strike team server and specify the right IP address during startup. Not everyone uses a team server during their engagements (why not?), so for you–I’ve added this ability.

And two notable bug fixes:

  • Recent changes to the Metasploit Framework database schema caused some issues with Cobalt Strike’s vulnerability descriptions. This issue has been fixed. Your hosts and vulnerability reports should look lovely again.
  • This release addresses a configuration issue preventing permanent reverse_http and reverse_https listeners from functioning. Previously, Cobalt Strike would bind to to accept a connection on any interface. Unfortunately, this means the http/https payloads will try to communicate with instead of your system after the initial handshake. If you were experiencing trouble with these payloads using Cobalt Strike before, this fix addresses the issue.

If you’d like to learn more, take a glance at the full release notes. A 7-day trial with these updates is available too. Licensed users may run the update program included with Cobalt Strike to get the latest.

Use Armitage and Cobalt Strike on Amazon’s EC2

James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Computing Cloud.

He does a good job articulating the benefits which include using Amazon’s EC2 to test your security from an outside in perspective or using it as a central point for a distributed red team to work from.

He also explains how to obtain authorization for penetration testing activities from Amazon. They do have a process for this and they’re very good about responding to these requests.

You can use Cobalt Strike or Armitage to work with Amazon’s EC2. If you use Cobalt Strike, I recommend using the quick-msf-setup script included with Cobalt Strike to quickly setup your environment. This process is described in the Cobalt Strike Linux Installation Instructions.

Also, when you run the teamserver, make sure you specify the external IP address of the EC2 node and not the private address bound to the network interface on the system. By specifying an external IP address, you’re telling the Metasploit Framework where it should send reverse connections to by default. It’s really important that this IP address is something your target systems can talk to.