Covert VPN – Layer 2 Pivoting for Cobalt Strike

Currently, I’m debating a class of social engineering “packages” that force SMB requests to an attacker-controlled system. Ideas include packages to generate LNK files, host a WPAD server, etc.

This created a bit of an identity crisis though. I see Cobalt Strike as a tool for a penetration tester to emulate the capabilities of a motivated external actor. Sadly, many awesome SMB attacks require a physical presence on the target’s network.

To put this issue to rest, I decided to build a feature to allow a motivated external attacker the ability to work as-if they are physically present on the target’s network. This feature is Covert VPN.

Deploy Covert VPN

Covert VPN is a layer 2 pivoting capability for Cobalt Strike. It creates a network interface on your system that is bridged into the target’s network through a channel of your choosing. Covert VPN can tunnel its traffic over UDP, TCP, or HTTP channels.

Once an interface is active, you can sniff packets, start rogue services, and use external scanners and attack tools: pretty much whatever you want, because the interface sees raw Ethernet frames (ARP, DHCP, and other non-IP traffic included) rather than only IP packets forwarded through a SOCKS or routed pivot.
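To make concrete what a layer 2 pivot actually moves, here is an added example written for this page; it is not Cobalt Strike code, and Covert VPN’s real tunnel format is not what is shown here. It parses raw Ethernet II frames, length-prefixes them for a stream channel such as TCP (over UDP you would send one frame per datagram and skip the prefix), and builds a broadcast ARP request as constructed sample input. ARP never crosses a layer 3 pivot, which is exactly why a layer 2 bridge is what lets sniffers and rogue services work as if you were on the segment. The open_tap helper is an assumption about one way to obtain such an interface on Linux (TUNSETIFF on /dev/net/tun, root required); all names are mine.

```python
"""Added example (not Cobalt Strike code): what a layer 2 tunnel carries.

Frame parsing and stream framing are generic; arp_request() builds
constructed sample input; open_tap() is a Linux-only helper that needs
root and is not exercised here.
"""
import os
import socket
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """'de:ad:be:ef:00:01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into header fields and payload.

    A layer 3 pivot only ever sees the IP packet inside; a layer 2 pivot
    sees these headers too, including non-IP traffic such as ARP.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "payload": frame[14:],
    }


def encapsulate(frames) -> bytes:
    """Length-prefix each frame so a byte stream (TCP, or HTTP request
    bodies) can carry it; a UDP channel would send one frame per datagram."""
    return b"".join(struct.pack("!H", len(f)) + f for f in frames)


def decapsulate(stream: bytes):
    """Inverse of encapsulate(). Returns (frames, leftover): a partial frame
    at the end of a TCP read is kept for the next call, not dropped."""
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            break
        frames.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return frames, stream[pos:]


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample input: a broadcast ARP who-has frame (42 bytes)."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,            # Ethernet/IPv4, opcode 1 = request
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    eth = struct.pack("!6s6sH", mac_bytes(BROADCAST), mac_bytes(sender_mac), 0x0806)
    return eth + arp


def open_tap(name: str = "tap0") -> int:
    """Linux only, root required (assumed helper): open a TAP device. Frames
    read from this fd go into encapsulate(); frames from decapsulate() are
    written back to it. Constants are the kernel's TUNSETIFF ioctl and the
    IFF_TAP|IFF_NO_PI flags."""
    import fcntl
    TUNSETIFF, IFF_TAP, IFF_NO_PI = 0x400454CA, 0x0002, 0x1000
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), IFF_TAP | IFF_NO_PI))
    return fd


if __name__ == "__main__":
    frame = arp_request("de:ad:be:ef:00:01", "192.168.95.241", "192.168.95.1")
    wire = encapsulate([frame])
    for f in decapsulate(wire)[0]:
        print(parse_ethernet(f))
```

The leftover handling in decapsulate is the part people get wrong when they move from UDP to TCP: a stream read can end mid-frame, and dropping the tail silently corrupts the next frame.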

Covert VPN is in the latest version of Cobalt Strike. A 21-day trial is available as well. Try it out and let me know what you think.

Cortana: Rise of the Automated Red Team (DEFCON 20 Video)

At DEFCON 20, I released Cortana, a scripting technology for Armitage and Cobalt Strike. This is the talk I gave after losing my voice.

Here’s the actual DEFCON talk:

If you’d like to get started with Cortana, Jason Frank has a great blog post showing how to load and use scripts.

A public collection of scripts is available on Github. To download the latest version of these scripts, type:

git clone https://github.com/rsmudge/cortana-scripts.git

If you’d like to write your own scripts, consult the tutorial to get started.

Cobalt Strike Interview with BYTE

During DEFCON, I sat down with Boonsri, a journalist from BYTE to discuss Cobalt Strike and the hacker process in general. This interview was from the same day I lost my voice. During the demo, I used Cobalt Strike’s website clone tool to copy a site and add an exploit to it. From there, I started to log keystrokes of my “corporate victim”.

The full video is in the BYTE Story – Client-side Hacks: Fake Sites Keep Companies Vulnerable

Here are a few artifacts from the interview, if you’d like to explore the concepts further:


Cobalt Strike 1.44 Update

Cobalt Strike 1.44/16 Aug 12 is now available. Here are some of the changes:

  • You may now customize Cobalt Strike’s reports with your own header image and accent color. Go to Cobalt Strike -> Preferences and look for the reporting preferences. Here’s an example of a vulnerability report with a custom header image and a red accent color:

A Customized Report

  • The System Profiler feature now detects Apple iOS and Android operating systems. This update to Cobalt Strike also includes icons for Apple iOS and Android.

This release also fixes several bugs, improves usability for a few Metasploit(r) Framework modules, and updates Cortana. See the releasenotes.txt file for the full story.

Licensed Cobalt Strike users may update using the included update program.

Also, the default Cobalt Strike trial period is now 21 days. Now you have more time to explore the software and follow the Cobalt Strike Training course.

Enjoy the update.

Go Down the Stack Young Man – Story of a Bug

Last week, I released a big improvement to the responsiveness of the Armitage team server on congested networks. This particular case of poor responsiveness was extremely difficult to reproduce. Despite my continued attempts to optimize around the real cause, I failed time and again to nail it. I thought I solved the problem, until I received a “bug report” indicating otherwise. I’m certain I figured it out this time. Here’s the back story:

Armitage is a collaborative hacking tool built on the Metasploit Framework. The collaborative piece is made possible by a team server. This server acts as a proxy between the remote Armitage clients and the one Metasploit Framework server. Through this proxy, I’m able to deconflict multiple clients interacting with a session and offer additional APIs to my clients.

Armitage Collaboration Architecture (New)

As long as I’ve had a team server, Armitage clients running on Windows 7 always felt slow *. As an experiment, I opted to disable Nagle’s algorithm. Nagle’s algorithm is built into most TCP stacks. It reduces the number of tiny packets on the network by holding back small writes while earlier data is still unacknowledged, then sending them together as one larger segment. For protocols that generate small packets naturally (e.g., telnet), Nagle’s algorithm may add unnecessary latency. Most socket APIs include a means to disable it (the TCP_NODELAY socket option).

Disabling Nagle’s algorithm resulted in a big responsiveness boost on Windows 7. Linux and MacOS X clients connected to a team server were snappier too. I noticed that my local unit tests completed two minutes faster with Nagle’s disabled too.

I was pleased with this change until I received a “report” three weeks ago. Some folks were using Armitage during an exercise and… apparently the collaboration piece was very slow for them.

I was about ready to tear my hair out when I received this report. Performance is the one thing I put the most time into. I went back and forth with the user to understand their configuration and environment. He had everything set up as I would have requested it.

This report especially frustrated me because of the amount of testing I do. About once per quarter, I will connect 12 Armitage clients to a node on Amazon’s Elastic Compute Cloud. I will then populate the database with about 5,000 hosts worth of data. From this point, I then proceed to carry out a simulated external engagement against my local test lab.

Here’s a screencast demonstrating this particular test:

So, what could the problem be?

I opted to do what I should have done a long time ago: I ran tcpdump to better understand how the team server looked on the network.

tcpdump -i eth2 | grep 55553 | grep -v "length 0"

With this running, I noticed that Armitage placed many small packets on the network, about 20-24 bytes consistently. I expected this because I had disabled Nagle’s algorithm: anything small would go out immediately.

15:09:19.132609 IP 192.168.95.241.60153 > 192.168.95.241.55553: Flags [P.], seq 7961:7986, ack 5943, win 770, options [nop,nop,TS val 15794750 ecr 15794750], length 25

15:09:19.132714 IP 192.168.95.241.60153 > 192.168.95.241.55553: Flags [P.], seq 7986:8008, ack 5943, win 770, options [nop,nop,TS val 15794750 ecr 15794750], length 22

I then enabled Nagle’s algorithm and watched the same traffic dump. The result? All of the packets were the same size as before. With Nagle’s enabled, I was paying the penalty of having small packets with the additional latency of Nagle’s holding on to them. Great.

I scratched my head and decided to dig deeper into my code. None of this seemed right. As I dug through, I learned that there was no buffer between my SSL code and the code that serializes an object and writes it to a socket. The team server was serializing Java objects and writing them to the socket one byte at a time, rather than handing the socket the whole serialized object as a single buffer.

Doh!

I updated my code to write serialized objects to a buffer before sending them to a socket. This reduced the number of packets by a factor of 10-20. I also re-enabled Nagle’s algorithm.

14:34:05.179461 IP 192.168.95.241.52289 > 192.168.95.241.55553: Flags [P.], seq 978092:978547, ack 804839, win 770, options [nop,nop,TS val 15266262 ecr 15266137], length 455

14:34:05.180174 IP 192.168.95.241.55553 > 192.168.95.241.52289: Flags [P.], seq 804839:805218, ack 978547, win 770, options [nop,nop,TS val 15266262 ecr 15266262], length 379

At this point, I tested on Windows 7 and noticed performance was good to go. I also ran my unit tests and noticed no performance change.
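The bug and the fix described above, as an added example that is not Armitage’s code. CountingRaw is a constructed stand-in for the SSL socket’s output stream: it records every write() it receives, and with Nagle’s algorithm off each of those writes can leave the host as its own TCP segment, so the write count is a proxy for the packet count tcpdump showed. send_unbuffered reproduces the byte-at-a-time path, send_buffered puts a buffer in front of the stream, and set_nodelay shows the socket option the post toggles. The host record being serialized and all function names are mine.

```python
"""Added example (not Armitage's code): the byte-at-a-time bug next to the fix.

CountingRaw stands in for the SSL socket's output stream and records every
write() it receives. With Nagle's algorithm off, each of those writes can
leave as its own TCP segment, so the count is a stand-in for the packet
count tcpdump showed. The object being serialized is constructed here.
"""
import io
import pickle
import socket


class CountingRaw(io.RawIOBase):
    """Fake socket stream: one entry in .writes per write() call it receives."""

    def __init__(self):
        super().__init__()
        self.writes = []

    def writable(self):
        return True

    def write(self, b):
        self.writes.append(bytes(b))
        return len(b)


def send_unbuffered(raw, obj):
    """The bug: serializer output reaches the stream one byte at a time,
    with nothing in between to coalesce it."""
    for byte in pickle.dumps(obj):
        raw.write(bytes([byte]))


def send_buffered(raw, obj):
    """The fix: a buffer sits between serializer and stream, so the socket
    gets the whole object in one write (and Nagle can stay enabled)."""
    out = io.BufferedWriter(raw, buffer_size=64 * 1024)
    out.write(pickle.dumps(obj))
    out.flush()


def compare(obj) -> dict:
    """Serialize obj both ways and report write counts and byte-equality."""
    unbuffered, buffered = CountingRaw(), CountingRaw()
    send_unbuffered(unbuffered, obj)
    send_buffered(buffered, obj)
    return {
        "bytes": len(pickle.dumps(obj)),
        "unbuffered_writes": len(unbuffered.writes),
        "buffered_writes": len(buffered.writes),
        "same_bytes_on_wire": b"".join(unbuffered.writes) == b"".join(buffered.writes),
    }


def set_nodelay(enabled: bool) -> int:
    """Toggle Nagle's algorithm on a TCP socket: TCP_NODELAY=1 disables it.
    Returns the option value as the kernel reports it back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, int(enabled))
        return s.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY)


if __name__ == "__main__":
    # Constructed stand-in for one team server message: a host record.
    event = {"host": "192.168.95.241", "os": "Windows 7", "ports": list(range(1, 200))}
    print(compare(event))
```

The same bytes reach the wire either way; only the number of writes, and therefore the number of segments the kernel can emit, changes. That is why toggling Nagle’s algorithm alone did not change the packet sizes in the capture: the fix had to happen above the socket, not in it.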

Here’s likely what happened. I play in a lot of exercises with Armitage. Exercise networks are usually congested. There’s a lot of activity happening. All of the team clients flooding the network with small packets probably made the congestion much worse.

I’m embarrassed that this problem slipped past my radar, but I’m happy that it’s finally fixed.

Lesson learned: when it comes to performance, I can’t treat the network as an invisible abstraction that delivers my data. I have to give my interaction with the network as much attention as I give to optimizing my software.

* Note: Armitage clients used to connect to both the Metasploit Framework and a team server. Only packets sent to the team server were subject to this problem. In May 2012, I changed Armitage’s collaboration setup to proxy everything through the team server. This made the problem noticeable and forced me to start looking at it. This is when I made the change to disable Nagle’s algorithm.

Cortana: real-time collaborative hacking… with bots

At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana.

You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.

Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.

Cortana Architecture

What can I do?

Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Apache Wave (formerly Google Wave) for hacking.

Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.

Start Here…

If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii, you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.

If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts Github repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.

Developer Support

If you have questions, join the Cortana Hackers Mailing list. Send a blank message to cortana@librelist.com and you will be subscribed. You may send a message to cortana-unsubscribe@librelist.com to unsubscribe from the list.

If you’d like to connect on IRC with other Cortana hackers, join #armitage on irc.freenode.net.

Get It

Cortana is now available in Armitage 08.02.12 shipped in the Metasploit Framework. Type msfupdate and you have it. I hope I didn’t freak anyone out with my mega-large pull request.

The latest trial of Cobalt Strike has it too.

Cortana is BSD-licensed and is co-developed with Armitage. This work was made possible by a DARPA Cyber Fast Track contract.

I first announced Cortana at DEFCON 20. The slides from this presentation are available as well.

I lost my voice before speaking at DEFCON… and went on anyways

Thanks to my open source work, I have a lot of opportunities to speak. In 2011, I gave 30 talks between conferences, professional groups, and invitations to private organizations. This week, much of my industry has collectively gone on vacation to Las Vegas for BlackHat USA, BSides Las Vegas, and of course… DEFCON.

I was fortunate to have an opportunity to speak or demonstrate my work at all three events. Wednesday I spoke at the BlackHat arsenal. This event involves standing at a pod in the hallway and speaking over the noise of the conference for one hour. It’s one of my favorite events because it’s focused on demonstrations and I get a chance to interact with everyone in the audience.

Arsenal

Thursday was a mad rush. I spent the morning at the BSides conference. I gave my talk, hung around to answer questions, hopped a cab, and found myself back at Caesar’s Palace to demonstrate Armitage again at BlackHat.

For me, the big show was DEFCON though. This is where I would release the results of my 7-month DARPA effort, Cortana. And, despite the many times I’ve had the opportunity to share my work, something happened that I have never experienced before a talk: I lost my voice.

Thursday night, while I practiced my talk, my voice stopped working. It went to a very harsh whisper and my throat felt sore. I decided to stop practicing and focus on testing my live demonstrations instead.

I woke up at 7:30am Friday morning and I couldn’t speak.

Seriously.

My talk was at noon. I first paid the $6/bottle minibar fee and drank every bottle of water I could find in my room. I then tried putting a hot towel on my neck.

No voice.

I walked to the Walgreens Pharmacy. I used my phone and pointing to communicate with the pharmacist. She wasn’t too enthusiastic. She told me to take some ibuprofen and suck on cough drops.

As I checked out, I used gestures to communicate with the cashier. She switched to American Sign Language to communicate with me. I don’t know American Sign Language beyond hello. I smiled and left.

At this point, it’s time to head to the Rio. I’m at a loss for options. I thought about emailing the lead speaker liaison and asking to switch my time or give my spot back to an alternate. I couldn’t get behind that option mentally. I had no idea what I would do at this point, but I knew I would make the show go on.

Downstairs, I’m waiting in line for a taxi cab. I exchange several glances with the guy behind me. Finally, he asks if I’m headed to the same place and asks if I want to share a cab. I gesture yes. Thankfully… I was saved the trouble of finding a way to communicate with the driver.

Once we were in the car, I pulled out my laptop and wrote a message explaining my strange behavior at the moment.

I justified continuing to “speak” despite having no voice. I figured at the very least… I had live demonstrations and possibly, I could croak out parts of my talk by keeping the microphone really close.

We get to the hotel and pay the cab. I go to the speaker registration area. I think there is something truly ironic about registering at the speaker registration area with no voice. Again, I used my laptop to communicate with the DEFCON staff.

At this time, it’s 11:15am. I’m on at noon. I have no voice beyond a very harsh sounding whisper that I dare not use for fear of losing even that.

I go to the speaker ready room. The staff manning the room does the usual, “can I help you?” I pull out my laptop and communicate through a text editor. They laugh and send me to the next room to sit with the other speakers. Several folks from the EFF were discussing their Q&A panel that would happen at the same time. The room also had buzz as General Alexander was in our same suite. The tight security kept us planted at our table.

I used the text-to-speech feature on my Macintosh to converse with my fellow speakers. It was funny to type a thought, press enter, and watch for reactions. After a few rounds of this, I felt like I was participating somewhat in the conversation.

I converted my presentation to PDF. I knew, at worst, I could maybe try using the text-to-speech feature to communicate some things verbally. Having a PDF would allow me to keep my slides up and a terminal for typing text at the same time. I still had no idea what I would do, but a plan was forming.

My DEFCON speaker goon, Bushy, introduced himself and I explained my situation in a text editor. The speaker goon’s role is to get speakers where they’re going, help them watch the clock, and make sure everything goes smoothly. I attempted to speak, close to Bushy’s ear, to test my voice and indicate that I still had something left. Sadly… I didn’t. My voice was still a terribly hoarse whisper.

We then started the trek to the Penn and Teller theater where I would deliver my presentation.

Bushy asked if I tried hot tea with honey yet. I had tried a few things, but not the hot tea. I signed that I had not. We went to Starbucks where there was an incredibly long line. Bushy jumps right to the front and states “I’ll pay for all of your drinks if you just order a hot tea”. He immediately followed it up with “I have a speaker here who is on in 10 minutes and he lost his voice”. The nice couple at the front of the line immediately put the order in and they refused anyone’s offer to compensate them for the tea.

I added three packets of honey to the tea and drank such a big initial swig that I… burnt my tongue. Desperate times call for desperate measures?

We then proceed to the Penn and Teller theater. As we walk, hotel security keeps stopping me and explaining that I can’t carry a drink. Each time, I had to look back and get Bushy’s attention to intervene on my behalf. I didn’t have the voice to explain myself after all.

The final guard, right before the theater, shook his head and laughed when he learned about the situation.

We then enter the Penn and Teller theater. This theater has two levels and seats about 1,500 people. I don’t know if it was configured differently for DEFCON. This part’s a blur to me. I do know that I approached a real stage, saw the sophisticated lighting gear around me, and as I looked at the tiered seating to my left and right… the theater was nearly full.

I’ve never spoken at DEFCON before and I did not know what to expect. I didn’t expect I would see such a full room or find myself escorted to such a prominent stage. I felt like a musician who was expected to perform… but couldn’t.

I see friends in the audience who try to greet me. From stage, I point to my voice and make a motion with my hands to indicate that I had no voice. They got the message and I could see the “Oh… my…” look in their face.

I wasn’t nervous at this point but I still had no idea what would happen.

I set up my laptop and opened a text editor. I wrote:

“Life is an adventure. Here I am speaking to ~1,000 of you. We’re going to have fun today, but you should know… I lost my voice”

Some people noticed it and I could immediately hear the “haha, oh my” reaction.

I kept drinking my tea and honey.

Bushy introduces me and states that this is the first time in DEFCON history a speaker has… not had their voice.

By this time, I knew I could croak some things. At worst, I could let everyone read my slides and make a short comment about each. This would still get the content across.

I brought the microphone close and found I could croak enough to speak. My tempo was slow at first. As I kept going (and drinking my tea) my voice slowly came back. It never came back all the way, but it was 100x better than I expected.

Defcon 2012
I was able to deliver the entire 50 minute lecture as I intended to. My demonstrations worked. And I had a great experience.

Thank you Bushy for saving the day for me. You went above and beyond as a speaker goon and while I had no idea what I would do, I thank you for helping me get up to the stage where everything worked out.

This is one speaking experience that I will never forget.

Coming to Vegas: My Picks and Schedule

And, like most folks in the security industry, I’m getting ready to head to Las Vegas for the week. I’ll arrive in Sin City on Monday, 23 July 12.

I’m armed with Cobalt Strike comic fliers, business cards, and boring sell sheets. I also have a pile of Armitage stickers to give away.

In this (long) blog post, I recommend a few talks and provide my schedule. If you’d like to meet for a meal or a beverage, I’m definitely open to this. Contact me and we’ll discuss a way to sync up.

My Picks

Hacking into Smartphones

On Wednesday and Thursday at 11:45am in the BlackHat USA Arsenal, Georgia Weidman will demo her Smartphone Penetration Testing framework. This is not a tool for “hacking from” smartphones. It’s a tool set for hacking into smartphones. I highly recommend attending one of these demo sessions. I’m demoing Armitage at the same time, but if you go see Georgia twice, I’ll give you twice as many stickers.

Ambush

At BSides Las Vegas on Wednesday at 11am, Matt Weeks will reveal a new defensive technology called Ambush to the world. We’ve had a few discussions about this technology. As usual, Matt is up to something incredibly novel.

This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level APIs, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.

SNSCAT: Social Media Sites as Covert Command and Control

I’m really excited about this. My friends Dan Gunter and Solomon Sonya will reveal SNSCat at BlackHat USA at 2:15pm on Thursday.

“SNSCat provides a simple to use post-penetration data exfiltration/infiltration and C2 (Command and Control) platform using images and documents on social media sites (Facebook, Google Apps, twitter, imgur, etc).”

“will introduce our tool and show how one can easily move files in and out of a network using social media sites. We will next demonstrate how one can use SNSCat along with the implants we have created to establish full command and control between the controller and the listening agents.”

Grab thy Hashes

And, finally, my friends Jon Claudius and Ryan Reynolds will present a survey of how different tools extract password hashes on Windows. The twist: most of them do it in a semi-broken way. They’ve analyzed the problem and they’re revealing fixes for key tools that penetration testers take advantage of.

This is extremely important. I feel like a lot of tools released at conferences are one-time things that will never see an update later on. It makes working with them frustrating as the work may be novel, make a great demo, but if it doesn’t work a year from now–what’s the benefit? It’s great to see someone looking at what we use every day, figuring out what’s wrong, and contributing back in a way that will benefit a lot of people immediately.

This talk is happening at 11am on Saturday at DEFCON.

My Schedule

Tuesday, 24 July 12

I’m hanging out at the Adaptive Penetration Testing course taught at BlackHat USA by the Veris Group LLC.

Wednesday, 25 July 12 (BlackHat USA)

I will demo Armitage in the BlackHat Arsenal at 11:45am. My goal during the demo is to explain Armitage to those who haven’t seen it and capture some of the cool tricks few people know about. For example, Ctrl+T takes a screenshot of the current tab and saves it to a preset place.

Thursday, 26 July 12. Morning (BSides Las Vegas)

At 10am, I will present Force Multipliers for Red Team Operations. Each year, in March and April, I spend most of these two months on the road hacking in several exercises. I treat these events as a laboratory for trying out ideas and making observations about how hackers work together. I will break down what I learned from this year’s season with a focus on how we organized ourselves, what worked, and offer ideas of what I’d like to see next.

Thursday, 26 July 12. Afternoon (BlackHat USA)

I’m back at BlackHat at 11:45am demoing in the Arsenal again. If you missed me on Wednesday, come by on Thursday and get a sticker. I really dig these kiosk style demos. It’s easier to connect with you and have a dialog.

Friday, 27 July 12 (DEFCON)

At noon on Friday, I’m presenting Cortana: Rise of the Automated Red Team. During this talk, I will reveal the fully scriptable version of Armitage and its stand-alone interpreter Cortana. You’ll learn how to add bots to your red team or add new features to Armitage. This project was a big effort to put together and I was very fortunate that DARPA’s Cyber Fast Track program helped make it possible.

Here’s a Hak5 segment from last year where I first talked about this next iteration for Armitage:

I also noticed that I’m speaking opposite General Alexander from US Cyber Command and the NSA. I guarantee I will give far more live demos than he will. That said, I wish I wasn’t speaking at noon; I’d love to see his talk too.

Saturday, 28 July 12 and Sunday 29 July 12 (DEFCON)

I’m at DEFCON all weekend and I fly out Monday morning.

Cobalt Strike 1.44 / 19 Jul 12 Update

Another Cobalt Strike update is available. This update makes Cobalt Strike compatible with version 4.4 of the Metasploit Framework.

Here are the new features in this update:

  • Cobalt Strike now has a USB attack generator built in. This was fun to put together and I can imagine, even more fun to deploy. The default settings emulate the social engineering attack used by the Conficker worm to spread itself.

  • For those of you hiding behind a NAT device, this release also adds a means to notify Cobalt Strike and the Metasploit Framework of your proper external IP address. Go to Cobalt Strike -> Listeners -> set LHOST to try it out. The old solution was to set up a Cobalt Strike team server and specify the right IP address during startup. Not everyone uses a team server during their engagements (why not?), so for you–I’ve added this ability.

And two notable bug fixes:

  • Recent changes to the Metasploit Framework database schema caused some issues with Cobalt Strike’s vulnerability descriptions. This issue has been fixed. Your hosts and vulnerability reports should look lovely again.
  • This release addresses a configuration issue preventing permanent reverse_http and reverse_https listeners from functioning. Previously, Cobalt Strike would bind to 0.0.0.0 to accept a connection on any interface. Unfortunately, for the http/https payloads the listener address is also baked into the stager’s callback URL, so the payloads would try to communicate with 0.0.0.0 instead of your system after the initial handshake. If you were experiencing trouble with these payloads using Cobalt Strike before, this fix addresses the issue.

If you’d like to learn more, take a glance at the full release notes. A 7-day trial with these updates is available too. Licensed users may run the update program included with Cobalt Strike to get the latest.

Use Armitage and Cobalt Strike on Amazon’s EC2

James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Compute Cloud.

He does a good job articulating the benefits which include using Amazon’s EC2 to test your security from an outside in perspective or using it as a central point for a distributed red team to work from.

He also explains how to obtain authorization for penetration testing activities from Amazon. They do have a process for this and they’re very good about responding to these requests.

You can use Cobalt Strike or Armitage to work with Amazon’s EC2. If you use Cobalt Strike, I recommend using the quick-msf-setup script included with Cobalt Strike to quickly setup your environment. This process is described in the Cobalt Strike Linux Installation Instructions.

Also, when you run the teamserver, make sure you specify the external IP address of the EC2 node and not the private address bound to the network interface on the system. The address you give the teamserver is what the Metasploit Framework uses as the default LHOST, i.e., where it tells payloads to send reverse connections. It’s really important that this IP address is something your target systems can reach; on EC2 the public address is translated to the private one by Amazon’s network, so only the public address works from the outside.
