Hands-On Red Team Tactics

Product type: Book
Published in: Sep 2018
ISBN-13: 9781788995238
Pages: 480
Edition: 1st
Authors (2): Himanshu Sharma, Harpreet Singh

Table of Contents (16 chapters)

  Preface
  1. Red-Teaming and Pentesting
  2. Pentesting 2018
  3. Foreplay - Metasploit Basics
  4. Getting Started with Cobalt Strike
  5. ./ReverseShell
  6. Pivoting
  7. Age of Empire - The Beginning
  8. Age of Empire - Owning Domain Controllers
  9. Cobalt Strike - Red Team Operations
  10. C2 - Master of Puppets
  11. Obfuscating C2s - Introducing Redirectors
  12. Achieving Persistence
  13. Data Exfiltration
  14. Assessment
  15. Other Books You May Enjoy

Cobalt Strike - Red Team Operations

In Chapter 4, Getting Started with Cobalt Strike, we learned about Cobalt Strike and how to set it up. We also learned about its interface and its different features. In this chapter, we will go into more detail about this tool and learn about how it is used. We will cover the following topics:

  • Cobalt Strike listener
  • Cobalt Strike payloads
  • Beacons
  • Pivoting with Cobalt Strike
  • Aggressor scripts

Technical requirements

  • Metasploit Framework (MSF)
  • PGSQL (Postgres)
  • Oracle Java 1.7 or later
  • Cobalt Strike

Cobalt Strike listeners

First, start the Cobalt Strike team server and connect to it. Once the interface is up and running, we will start a listener. A listener is a handler for all incoming connections. To create one, go to the Cobalt Strike menu and choose Listeners, as shown in the following image:

This will open a new window where we create a name for this listener. Next, we have to choose the payload. Cobalt Strike has two kinds of listeners:

  • Beacon: Beacon-based listeners listen for, or connect to, the connections coming from the Beacon payload. We will learn more about this later in this chapter.
  • Foreign: Foreign listeners are used to pass sessions to another instance of Cobalt Strike, or even to Metasploit or Armitage.

In the new window that opens, we choose a name for our listener. We then choose the type of payload, which in this...

Cobalt Strike payloads

Cobalt Strike supports a lot of different types of attacks and allows you to generate payloads easily from the menu. This is a very useful feature when performing a red team activity because it means you don't have to spend time switching between tools to create different payloads for different attack types, such as spear phishing or drive-bys. In this section, we will look at some of the attack types that are provided by Cobalt Strike and how to generate a payload with them.

To view the different types of payloads that we can generate from Cobalt Strike, click on Attacks from the menu, as shown in the following screenshot:

Cobalt Strike supports payload generation for three types of attack vectors: Packages, Web Drive-Bys, and Spear Phishing. Each of these is explained in more detail below.

Packages:

  • HTML Application: This generates an HTML application...

Beacons

Beacon is the payload used by Cobalt Strike. It is flexible and supports both asynchronous and interactive modes of communication. The asynchronous mode can be quite slow: in this mode, the beacon calls home every once in a while, receives the list of tasks assigned to it, downloads them, and goes back to sleep. This helps it avoid detection on the remote system. In interactive mode, however, everything happens in real time. Beacons have malleable network indicators, which means they have a Malleable C2 profile. This profile is responsible for transporting the data, transforming it for storage, and reinterpreting it on the way back. We will learn more about this in the later chapters of this book. For now, let's look at the different features a beacon has and how to use them.
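The asynchronous check-in pattern described above is also what a defender looks for on the wire: a host that contacts the same destination at near-regular intervals, even when the interval varies a little between sleeps. The following script is an added example, not code from the book or from Cobalt Strike; the log lines, the log format (timestamp, client IP, destination, method, path) and the host names are all constructed for the example. It groups requests by (client, destination), measures the gaps between consecutive requests, and flags pairs whose gaps are tightly clustered (low coefficient of variation).

```python
"""Added example: spotting asynchronous beacon-style check-ins in proxy logs.

A beacon that sleeps between check-ins produces near-periodic requests from
one client to one destination. Grouping log lines by (client, destination),
taking the gaps between consecutive requests, and measuring how tightly those
gaps cluster (coefficient of variation, CV = stdev / mean) separates that
pattern from ordinary browsing. The log format and hosts below are assumptions
constructed for this example, not output of any real proxy or of Cobalt Strike.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines. 10.0.0.5 checks in roughly once a minute with a few
# seconds of variation; 10.0.0.7 browses at irregular times; 10.0.0.9 is seen
# too rarely to judge.
SAMPLE_LOG = """\
2018-09-01T10:00:00 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:00:03 10.0.0.7 news.example.test GET /index.html
2018-09-01T10:00:05 10.0.0.7 news.example.test GET /style.css
2018-09-01T10:00:12 10.0.0.7 news.example.test GET /logo.png
2018-09-01T10:00:40 10.0.0.7 news.example.test GET /story/1
2018-09-01T10:01:02 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:01:58 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:02:30 10.0.0.9 mail.example.test GET /inbox
2018-09-01T10:03:01 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:03:20 10.0.0.7 news.example.test GET /story/2
2018-09-01T10:04:00 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:04:57 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:06:03 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:07:00 10.0.0.5 cdn.example.test GET /updates
2018-09-01T10:09:10 10.0.0.7 news.example.test GET /story/3
2018-09-01T10:11:00 10.0.0.9 mail.example.test GET /inbox
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, destination)."""
    ts, client, dest, _method, _path = line.split()
    return datetime.fromisoformat(ts), client, dest


def find_beacons(log_text, min_samples=6, max_cv=0.2):
    """Return {(client, dest): stats} for pairs whose request gaps are near-constant.

    min_samples: ignore pairs with too few requests to measure periodicity.
    max_cv:      flag pairs whose stdev/mean of gaps is at or below this value;
                 0.2 still tolerates a beacon whose interval varies a little.
    """
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, dest = parse_line(line)
            stamps[(client, dest)].append(ts)

    findings = {}
    for key, times in stamps.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = {"count": len(times),
                             "mean_interval_s": avg,
                             "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (client, dest), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {stats['count']} requests, "
              f"every ~{stats['mean_interval_s']:.0f}s, cv={stats['cv']}")
```

On the constructed input only the 10.0.0.5 to cdn.example.test pair is reported (eight requests about 60 s apart, CV just under 0.06); the browsing client fails the CV threshold and the rarely seen client fails the sample minimum. A low CV on its own is not proof of command and control, since legitimate software also polls on a timer, so in practice this kind of finding is combined with destination reputation, the process that made the requests, and the request-shape details that the Malleable C2 profile mentioned above is designed to control.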

Cobalt Strike offers two ways to access the beacons:

  • The beacon menu
  • The beacon console
...

Pivoting through Cobalt Strike

We have already covered the different ways of pivoting and why this is necessary in Chapter 6, Pivoting. In this section, we will look at the ways we can pivot into a network using Cobalt Strike.

Cobalt Strike allows us to pivot in three ways:

  • SOCKS Server
  • Listener
  • Deploy VPN

The preceding pivot options can be explained as follows:

  • SOCKS Server: This creates a SOCKS4 proxy on our team server. All connections that go through this SOCKS proxy are converted into tasks for the beacon to execute, which allows us to tunnel into the network through any type of beacon. To set up a SOCKS Server, we right-click the host and choose Pivoting | SOCKS Server, as shown in the following screenshot:

A new window will then open, asking for the port number on which we want the server to be started. We enter the port and click on the Launch button:

Once the server is started, we...

Aggressor Scripts

Aggressor Script is the scripting language for Cobalt Strike 3.0 and above. It can be considered a successor to the Cortana scripting language used by Armitage. Aggressor Script is described on Cobalt Strike's official website as follows:

"Aggressor Scripts is a scripting language for red team operations and adversary simulations inspired by scriptable IRC clients and bots. Its purpose is two-fold. We may create long running bots that simulate virtual red team members, hacking side-by-side with you. We may also use it to extend and modify the Cobalt Strike client to our needs."

There are a lot of Aggressor Scripts available on the internet, developed by users across the globe to perform various tasks. Most of these are available on GitHub. In this section, we will learn how to load the scripts on our Cobalt Strike...

Summary

In this chapter, we learned about the listener module of Cobalt Strike, along with its types and usage. We then learned about beacons and their features. We also saw examples of different beacon features, both through the beacon menu and the beacon console. After that, we looked at different methods of pivoting using Cobalt Strike. Finally, we explored Aggressor Script and its use in Cobalt Strike.

Questions

  1. Is Cobalt Strike free?
  2. Can Cobalt Strike communicate with any other C2?
  3. How can we slip through the scanners and Indicators of Compromise (IOCs)?
  4. Does Cobalt Strike use the Metasploit Framework?

Further reading

For more information on the topics discussed in this chapter, visit the following links:
