Currently, I’m debating a class of social engineering “packages” to force SMB requests against an attacker-controlled system. Ideas include packages to generate LNK files, host a WPAD server, etc.
This created a bit of an identity crisis though. I see Cobalt Strike as a tool for a penetration tester to emulate the capabilities of a motivated external actor. Sadly, many awesome SMB attacks require a physical presence on the target’s network.
To put this issue to rest, I decided to build a feature to allow a motivated external attacker the ability to work as if they are physically present on the target’s network. This feature is Covert VPN.
Covert VPN is a layer 2 pivoting capability for Cobalt Strike. It creates a network interface on your system that is bridged into the target’s network through a channel of your choosing. Covert VPN can tunnel its traffic over UDP, TCP, or HTTP channels.
Once an interface is active, you can sniff packets, start rogue services, use external scanners and attack tools–pretty much whatever you want.
Covert VPN is in the latest version of Cobalt Strike. A 21-day trial is available as well. Try it out and let me know what you think.
If you’re reading this, you’re likely aware of the Armitage project. Fed by your enthusiasm and feedback, Armitage has enjoyed a rapid pace of development since its inception. I left a security engineer role one year ago to search out how to properly nurture this project and its ideas going forward. This search led to some exciting initiatives, one of which I’m announcing right now.
I’d like to introduce you to Armitage’s big brother: Cobalt Strike.
If you’re ready to add Adaptive Penetration Testing to your organization’s skill set, I recommend signing up for the BlackHat USA course run by the Veris Group. This course is a vendor-neutral offering, but those who attend will have an opportunity to play with Cobalt Strike under the guidance of a seasoned instructor team.
The instructors David, Jason, and Chris are among the early adopters who helped shape this product.
And, what about Armitage?
Armitage, Cobalt Strike, and my security research initiatives are now under the banner of Strategic Cyber LLC. The formation of this company is an exciting opportunity. I can now work more formally with many of you and strengthen new and existing relationships.
Armitage will enjoy the same development pace and it will stay open source, always. Even better, I’m releasing something really big for Armitage at DEFCON 20.