In Chapter 4, Getting Started with Cobalt Strike, we learned about Cobalt Strike and how to set it up. We also learned about its interface and its different features. In this chapter, we will go into more detail about this tool and learn about how it is used. We will cover the following topics:
First, start the Cobalt Strike team server and connect to it. Once we have the interface up and running, we will start a listener. A listener is a handler that handles all the incoming connections. To do this, go to the Cobalt Strike menu and choose Listeners, as shown in the following image:
This will open a new window where we create a name for this listener. Next, we have to choose the payload. Cobalt Strike has two kinds of listeners:
In the new window that opens, we choose a name for our listener. We then choose the type of payload, which in this...
Cobalt Strike supports a lot of different types of attacks and allows you to generate payloads easily from the menu. This is a very useful feature when performing a red team activity because it means you don't have to spend time switching between tools to create different payloads for different attack types, such as spear phishing or drive-bys. In this section, we will look at some of the attack types that are provided by Cobalt Strike and how to generate a payload with them.
To view the different types of payloads that we can generate from Cobalt Strike, click on Attacks from the menu, as shown in the following screenshot:
Cobalt Strike supports payload generation for three types of attack vectors: Packages, Web Drive-Bys, and Spear Phishing. Each of these are explained in more detail below
Packages:
Beacons is a payload used by Cobalt Strike. It is flexible and supports both asynchronous and interactive modes of communication.The asynchronous mode can be quite slow. In this mode, the beacon calls home every once in a while, receives a list of the tasks that are assigned to it, downloads them, and goes back to sleep. This helps in avoiding detection on the remote system. In interactive mode, however, everything happens in real time. Beacons have malleable network indicators, which means they have a Malleable C2 profile. This is responsible for transporting the data, transforming it for storage, and reinterpreting it backwards. We will learn more about this in the later chapters of this book. For now, let's look at the different features a beacon has and how to use them.
Cobalt Strike offers two ways to access the beacons:
We have already covered the different ways of pivoting and why this is necessary in Chapter 6, Pivoting. In this section, we will look at the ways we can pivot into a network using Cobalt Strike.
Cobalt Strike allows us to pivot in three ways:
The preceding pivot can be explained as follows:
A new window will then open, asking for the port number on which we want the server to be started. We enter the port and click on the Launch button:
Once the server is started, we...
Aggressor Scripts is the scripting language for Cobalt Strike 3.0 and above. It can be considered as a successor to the Cortana scripting language, which is used by Armitage. Aggressor Scripts is described on Cobalt Strike's official website as follows:
There are a lot of Aggressor Scripts available on the internet which have been developed by users across the globe to perform various tasks. Most of these are available on GitHub. In this section, we will learn how to load the scripts on our Cobalt Strike...
In this chapter, we learned about the listener module of Cobalt Strike along with its type and usage. We then learned about beacons and their features. We also saw examples of different features of beacons, both through the beacon menu and the beacon console. After that, we looked at different methods of pivoting using Cobalt Strike. Finally, we explored Aggressor Script and its use in Cobalt Strike.
For more information on the topics discussed in this chapter, visit the following links:
© 2018 Packt Publishing Limited All Rights Reserved
