Cortana: real-time collaborative hacking… with bots

At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana.

You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.

Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.

Cortana Architecture

What can I do?

Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Apache Wave (formerly Google Wave) for hacking.

Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.

Start Here…

If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii, you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.

If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts Github repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.

Developer Support

If you have questions, join the Cortana Hackers Mailing list. Send a blank message to cortana@librelist.com and you will be subscribed. You may send a message to cortana-unsubscribe@librelist.com to unsubscribe from the list.

If you’d like to connect on IRC with other Cortana hackers, join #armitage on irc.freenode.net.

Get It

Cortana is now available in Armitage 08.02.12 shipped in the Metasploit Framework. Type msfupdate and you have it. I hope I didn’t freak anyone out with my mega-large pull request.

The latest trial of Cobalt Strike has it too.

Cortana is BSD-licensed and is co-developed with Armitage. This work was made possible by a DARPA Cyber Fast Track contract.

I first announced Cortana at DEFCON 20. The slides from this presentation are available as well.

Cobalt Strike 1.44 / 19 Jul 12 Update

Another Cobalt Strike update is available. This update makes Cobalt Strike compatible with version 4.4 of the Metasploit Framework.

Here are the new features in this update:

  • Cobalt Strike now has a USB attack generator built in. This was fun to put together and I can imagine, even more fun to deploy. The default settings emulate the social engineering attack used by the Conficker worm to spread itself.

  • For those of you hiding behind a NAT device, this release also adds a means to notify Cobalt Strike and the Metasploit Framework of your proper external IP address. Go to Cobalt Strike -> Listeners -> set LHOST to try it out. The old solution was to set up a Cobalt Strike team server and specify the right IP address during startup. Not everyone uses a team server during their engagements (why not?), so for you, I’ve added this ability.

And two notable bug fixes:

  • Recent changes to the Metasploit Framework database schema caused some issues with Cobalt Strike’s vulnerability descriptions. This issue has been fixed. Your hosts and vulnerability reports should look lovely again.
  • This release addresses a configuration issue preventing permanent reverse_http and reverse_https listeners from functioning. Previously, Cobalt Strike would bind to 0.0.0.0 to accept a connection on any interface. Unfortunately, this means the http/https payloads will try to communicate with 0.0.0.0 instead of your system after the initial handshake. If you were experiencing trouble with these payloads using Cobalt Strike before, this fix addresses the issue.

If you’d like to learn more, take a glance at the full release notes. A 7-day trial with these updates is available too. Licensed users may run the update program included with Cobalt Strike to get the latest.

Use Armitage and Cobalt Strike on Amazon’s EC2

James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Computing Cloud.

He does a good job articulating the benefits, which include using Amazon’s EC2 to test your security from an outside-in perspective or using it as a central point for a distributed red team to work from.

He also explains how to obtain authorization for penetration testing activities from Amazon. They do have a process for this and they’re very good about responding to these requests.

You can use Cobalt Strike or Armitage to work with Amazon’s EC2. If you use Cobalt Strike, I recommend using the quick-msf-setup script included with Cobalt Strike to quickly set up your environment. This process is described in the Cobalt Strike Linux Installation Instructions.

Also, when you run the teamserver, make sure you specify the external IP address of the EC2 node and not the private address bound to the network interface on the system. By specifying an external IP address, you’re telling the Metasploit Framework where it should send reverse connections to by default. It’s really important that this IP address is something your target systems can talk to.
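The two listener addresses discussed here and in the 1.44 bug fix above are easy to confuse: the address the server socket binds to, and the LHOST address that a reverse_http/https payload is told to call back to. The check below is an added example, not Cobalt Strike’s or Metasploit’s own code; the ListenerConfig class and its field names are assumptions made for the illustration, and the IP addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: an LHOST in one of these is only reachable from inside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ListenerConfig:
    """Hypothetical model of a reverse_http/https listener (assumed names, not a real API)."""
    bind_host: str        # address the server socket binds to; 0.0.0.0 means every interface
    lhost: str            # address advertised to the payload as its callback host
    lport: int
    scheme: str = "https"
    targets_external: bool = True  # do callbacks arrive from outside your NAT?


def callback_url(cfg: ListenerConfig) -> str:
    """URL the payload uses after the initial handshake: built from LHOST, not the bind address."""
    return f"{cfg.scheme}://{cfg.lhost}:{cfg.lport}/"


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def check_listener(cfg: ListenerConfig) -> list[str]:
    """Return human-readable problems; an empty list means the settings are consistent."""
    problems = []
    bind = ipaddress.ip_address(cfg.bind_host)
    adv = ipaddress.ip_address(cfg.lhost)
    if adv.is_unspecified:
        # The 1.44 bug: the bind-any address leaked into the payload's callback URL.
        problems.append(f"LHOST is {adv}: the payload will try to reach 0.0.0.0, not this host")
    elif adv.is_loopback:
        problems.append(f"LHOST is {adv}: only reachable from this machine")
    elif cfg.targets_external and is_rfc1918(adv):
        # The EC2/NAT case: the interface address is private, so advertise the external one.
        problems.append(f"LHOST {adv} is private but targets are external: use the public IP")
    if not bind.is_unspecified and bind != adv and not cfg.targets_external:
        # Internal engagement with a specific bind address that is not the advertised one.
        problems.append(f"bind address {bind} differs from LHOST {adv}: callbacks miss the listener")
    return problems


if __name__ == "__main__":
    broken = ListenerConfig("0.0.0.0", "0.0.0.0", 443)       # the pre-1.44 behaviour described above
    fixed = ListenerConfig("0.0.0.0", "203.0.113.10", 443)   # bind everywhere, advertise the public address
    for cfg in (broken, fixed):
        print(callback_url(cfg), check_listener(cfg) or "OK")
```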


Cobalt Strike Interviews

On Cobalt Strike launch day, I had a couple of opportunities to tell the Cobalt Strike story and share what’s happening with the world. First, I was on PaulDotCom episode 292. In this interview, the PaulDotCom crew asks about Cobalt Strike, what it does, and Carlos Perez posts crazy PowerShell recipes to the Skype chat.

http://youtu.be/umXJdd2w_RA

I was also on the McAfee AudioParasitics podcast discussing Cobalt Strike. Here’s the episode description:

AudioParasitics is on the Offense – Dave and Jim welcome special guest Raphael Mudge!! Known far and wide as the creator and developer of Armitage, Raphael gives us the history behind the tool and touches on some exciting new efforts. We dig deep into the new Cobalt Strike tool, as well as the upcoming release of Cortana at DC20.

This is a great interview. In it, I get to share how Cortana was funded through the DARPA Cyber Fast Track program. I talk about the history of Armitage and I get a chance to discuss what Cobalt Strike is trying to accomplish. Check out the podcast for more.

Cobalt Strike Video Review

Ryan Linn created a video review of Cobalt Strike for the Ethical Hacker Network. Unfortunately, I can’t embed the video into the blog post, but I encourage you to check it out. It’s 20 minutes with a well-regarded expert taking Cobalt Strike through its paces.

Overall, I enjoyed getting to learn Cobalt Strike. It’s a new release, and it wasn’t perfect. On the other hand, it did all of the things that I needed to do quickly, and it made pass-the-hash a lot easier than going through the console. Having different tables was another nice feature, so that multiple tasks could be done at once and compartmentalized so that the text wasn’t intermixed. As it continues to mature and add features, Cobalt Strike is going to be a good tool for individual testers and teams who aren’t looking to spend $100k on tools.

http://www.ethicalhacker.net/content/view/433/1/

Update 11/27/12: Don at ethicalhacker.net has put the video review on YouTube. Thanks Don!

Meet Cobalt Strike: Adaptive Pen Testing

If you’re reading this, you’re likely aware of the Armitage project. Fed by your enthusiasm and feedback, Armitage has enjoyed a rapid pace of development since its inception. I left a security engineer role one year ago to search out how to properly nurture this project and its ideas going forward. This search led to some exciting initiatives, one that I’m announcing, right now.

I’d like to introduce you to Armitage’s big brother: Cobalt Strike.

Cobalt Strike is a penetration testing suite built for threat emulation. I say suite, because it’s not just software. It’s documentation, online training, and a set of tools to help you execute an adaptive penetration test.

Cobalt Strike adds client-side reconnaissance, spear phishing, web drive-by attacks, and reporting to Armitage’s red team collaboration and post-exploitation capabilities.

Now that you’ve met Cobalt Strike, here are the next steps:

1. Watch the Cobalt Strike trailer to get a taste of Cobalt Strike.

2. Visit the Cobalt Strike website and request a trial to try Cobalt Strike.

3. Get Cobalt Strike into your organization: buy online or request a quote.

Live Training at BlackHat USA

If you’re ready to add Adaptive Penetration Testing to your organization’s skill set, I recommend signing up for the BlackHat USA course run by the Veris Group. This course is a vendor neutral offering, but those who attend will have an opportunity to play with Cobalt Strike under the guidance of a seasoned instructor team.

The instructors David, Jason, and Chris are among the early adopters who helped shape this product.

And, what about Armitage?

Armitage, Cobalt Strike, and my security research initiatives are now under the banner of Strategic Cyber LLC. The formation of this company is an exciting opportunity. I can now work more formally with many of you and strengthen new and existing relationships.

Armitage will enjoy the same development pace and it will stay open source, always. Even better, I’m releasing something really big for Armitage at DEFCON 20.

I hope to see you there!

— Raphael


Raphael Mudge
Principal, Strategic Cyber LLC
http://www.advancedpentest.com/
1-888-761-7773

Bloggers and Journalists: More information about Strategic Cyber LLC and Cobalt Strike is available in our press kit.