Introduction
Cobalt Strike is a powerful penetration testing tool used by security professionals for adversary simulations and red team operations. Its robust feature set allows users to perform a wide range of cyber operations, from reconnaissance and exploitation to post-exploitation and lateral movement. As a command-and-control (C2) platform, Cobalt Strike enables the creation of highly customized attack campaigns and simulations of advanced persistent threat (APT) activities. This guide covers Cobalt Strike’s installation, configuration, and usage in various scenarios, providing a comprehensive look at its capabilities and options.
Table of Contents
- System Requirements
- Installation
- Setting Up the C2 Infrastructure
- Beacon Overview
  - HTTP/S Beacon
  - DNS Beacon
  - SMB Beacon
- Core Modules and Functionalities
  - Reconnaissance
  - Exploitation and Payload Generation
  - Post-Exploitation
- Pivoting and Lateral Movement
- Bypassing Defenses
- Reporting
- Common Use Cases
- Troubleshooting
1. System Requirements
Cobalt Strike can be run on Linux, macOS, and Windows, though it's primarily used on Linux and Windows. Here’s what you’ll need:
- Operating System: Linux (Ubuntu, Kali) or Windows Server 2016+
- Java Runtime Environment (JRE): Cobalt Strike requires JRE 8 or higher.
- Memory: At least 4 GB RAM; 8 GB or more recommended for large engagements.
- Disk Space: 100 MB for installation, plus additional space for storing logs and reports.
2. Installation
- Download Cobalt Strike: Cobalt Strike is a commercial tool. After purchase, you will receive a link to download the package. Extract it using:
```plaintext
tar -xvf cobaltstrike.tgz
cd cobaltstrike
```
- Install Java: Cobalt Strike requires Java 8 or higher. Use the following commands on Ubuntu/Debian:
```plaintext
sudo apt update
sudo apt install openjdk-11-jre
```
- License Verification: Place the cobaltstrike.lic license file in the Cobalt Strike directory, as provided by the vendor.
- Launch Cobalt Strike Server: The Cobalt Strike server component, known as the Team Server, allows multiple users to connect to the same C2 infrastructure.
```plaintext
./teamserver <IP> <PASSWORD> <Malleable C2 profile>
```
  - <IP>: The public IP address of the server.
  - <PASSWORD>: A secure password.
  - <Malleable C2 profile>: Optional. Specifies a C2 profile.
- Connect to the Server: On the client side, connect using:
```plaintext
./cobaltstrike
```
When prompted, enter the IP address of the Team Server and the password you set.
3. Setting Up the C2 Infrastructure
Setting up a C2 infrastructure involves configuring your server to establish a reliable communication channel with beacons on compromised systems. Cobalt Strike uses Malleable C2 Profiles to shape network traffic to appear as legitimate, helping evade detection.
Malleable C2 Profile
A Malleable C2 profile allows you to customize network traffic, making it look like legitimate traffic. To load a profile:
```plaintext
./teamserver <IP> <PASSWORD> /path/to/profile.profile
```
Example Profile
Below is a basic C2 profile snippet:
```plaintext
http-get {
    set uri "/news";
    client {
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
    }
    server {
        header "Content-Type" "application/json";
    }
}
```
This profile sets HTTP GET traffic to use /news as the endpoint with a specific User-Agent, making it appear more like typical web traffic.
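The profile above makes each check-in look like an ordinary GET for /news with a fixed User-Agent, but it also fixes the shape of the traffic, and that shape is what a defender keys on. The following Python is an added example (not from this guide and not part of Cobalt Strike) that scans proxy log lines for the profile's signature: repeated requests from one host to one URI with one static User-Agent at a near-constant interval. The log format, the IP addresses and the thresholds are constructed assumptions for illustration.

```python
"""Beaconing detector over proxy log lines.

Added example for this guide, not code from the guide or from Cobalt Strike.
It looks for the traffic shape the profile above produces: repeated GET
requests from one host to one URI with one static User-Agent at a
near-constant interval. The log format, addresses and thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: <ISO timestamp> <src ip> <method> <uri> "<user-agent>"
# 10.1.1.5 polls /news roughly every 60 s; 10.1.1.9 is a person browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.1.1.5 GET /news "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:01:00 10.1.1.5 GET /news "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:02:01 10.1.1.5 GET /news "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:03:00 10.1.1.5 GET /news "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:04:00 10.1.1.5 GET /news "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:00:12 10.1.1.9 GET /index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T10:00:13 10.1.1.9 GET /css/site.css "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T10:07:45 10.1.1.9 GET /index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T10:31:02 10.1.1.9 GET /index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T11:15:30 10.1.1.9 GET /index.html "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line):
    """Split one log line into (timestamp, src, method, uri, user_agent)."""
    head, _, ua = line.partition(' "')
    ts, src, method, uri = head.split()
    return datetime.fromisoformat(ts), src, method, uri, ua.rstrip('"')


def find_beacons(log_text, min_requests=4, max_jitter=0.25):
    """Return [(src, uri, user_agent, mean_interval_seconds)] for request
    series that look like beaconing: at least min_requests hits whose
    inter-request intervals have a coefficient of variation (stdev / mean)
    at or below max_jitter. Browsing produces irregular gaps; a sleeping
    beacon produces nearly constant ones."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, uri, ua = parse_line(line)
        series[(src, uri, ua)].append(ts)

    hits = []
    for (src, uri, ua), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, uri, ua, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, uri, ua, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {uri} every ~{interval}s with UA {ua!r}")
```

In the sample, 10.1.1.5 polls /news every 60 seconds with about a second of drift and is reported; the browsing host 10.1.1.9 revisits the same page at irregular gaps and is not. Beacons are commonly given jitter on their sleep interval, so on real data max_jitter has to be tuned against the cadence you expect to catch, and the User-Agent and URI keys are only useful alongside the timing, since the profile makes both look ordinary on their own.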
4. Beacon Overview
Beacons are payloads that serve as backdoors and allow remote command execution. Cobalt Strike supports various types of beacons for different situations:
4.1 HTTP/S Beacon
HTTP/S beacons are used for asynchronous communication with C2 servers, sending periodic requests over HTTP/S.
4.2 DNS Beacon
DNS Beacons are low and slow, utilizing DNS requests to communicate. These are effective for evading detection, especially in environments with strict HTTP/S monitoring.
4.3 SMB Beacon
SMB Beacons are used for lateral movement and are effective on internal networks. They communicate over SMB, making them useful for persistence and data transfer across network shares.
Configuring and Deploying Beacons
To generate a beacon, navigate to Attacks > Packages and configure the desired payload options. After generating the payload, deploy it on the target system using social engineering, phishing, or other means.
5. Core Modules and Functionalities
Cobalt Strike’s functionality spans several modules for end-to-end penetration testing and red team activities:
5.1 Reconnaissance
- Port Scanning: Identifies open ports and services on the target.
```plaintext
Beacon> portscan <target IP>
```
- Service Discovery: Detects service banners and operating systems.
- Screenshot: Captures screenshots from target systems.
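The portscan command above is loud from the network's point of view: one host touching many ports on another host within a few seconds. As an added example (not from this guide and not part of Cobalt Strike), the Python below slides a time window over connection-log lines and reports source/destination pairs that hit an unusually large number of distinct destination ports inside that window. The log format, the addresses and the thresholds are constructed assumptions.

```python
"""Port-scan detector over connection log lines.

Added example for this guide, not code from the guide or from Cobalt Strike.
Flags a (src, dst) pair when one source contacts at least min_ports
distinct destination ports on one host inside a sliding window_s second
window. Log format, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/connection log: <ISO timestamp> <src> <dst> <dport> <action>
# 10.1.1.5 sweeps ten ports on 10.1.2.20 in four seconds; 10.1.1.9 is normal use.
SAMPLE_CONN_LOG = """\
2024-05-01T12:00:00 10.1.1.5 10.1.2.20 22 deny
2024-05-01T12:00:00 10.1.1.5 10.1.2.20 80 allow
2024-05-01T12:00:01 10.1.1.5 10.1.2.20 135 allow
2024-05-01T12:00:01 10.1.1.5 10.1.2.20 139 allow
2024-05-01T12:00:01 10.1.1.5 10.1.2.20 443 deny
2024-05-01T12:00:02 10.1.1.5 10.1.2.20 445 allow
2024-05-01T12:00:02 10.1.1.5 10.1.2.20 3389 allow
2024-05-01T12:00:03 10.1.1.5 10.1.2.20 5985 allow
2024-05-01T12:00:03 10.1.1.5 10.1.2.20 8080 deny
2024-05-01T12:00:04 10.1.1.5 10.1.2.20 8443 deny
2024-05-01T12:00:10 10.1.1.9 10.1.2.20 445 allow
2024-05-01T12:05:00 10.1.1.9 10.1.2.20 445 allow
2024-05-01T12:30:00 10.1.1.9 10.1.2.21 443 allow
"""


def find_port_scans(log_text, window_s=60, min_ports=8):
    """Return sorted [(src, dst, max_distinct_ports_in_window)] for pairs
    that reach min_ports distinct destination ports inside any window_s
    second window. Denied connections count too: a scan of closed ports
    shows up mostly as denies."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(port)))

    hits = []
    window = timedelta(seconds=window_s)
    for (src, dst), items in events.items():
        items.sort()
        lo, best = 0, 0
        for hi in range(len(items)):
            # Advance the window start until it spans at most window_s seconds.
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            best = max(best, len({port for _, port in items[lo:hi + 1]}))
        if best >= min_ports:
            hits.append((src, dst, best))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, ports in find_port_scans(SAMPLE_CONN_LOG):
        print(f"{src} probed {ports} distinct ports on {dst}")
```

The window and port-count thresholds decide the trade-off: a tight window with a low count catches fast sweeps like the sample but misses a deliberately slow scan, so a second pass with a much longer window and the same count is the usual complement.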
5.2 Exploitation and Payload Generation
- Exploitation Options: Cobalt Strike provides a range of pre-configured exploits and payloads for initial access.
- Payload Generator: Creates payloads in various formats, including executable, DLL, and PowerShell.
5.3 Post-Exploitation
Once access is gained, Cobalt Strike enables a range of post-exploitation tools for maintaining control and gathering information:
- Credential Harvesting: Extracts passwords, tokens, and other credentials from the system.
- Privilege Escalation: Attempts to elevate privileges using techniques such as token impersonation and process injection.
- Persistence: Creates mechanisms for re-establishing access after a reboot (e.g., registry modifications, service creation).
- Data Exfiltration: Transfers files and other data back to the C2 server.
6. Pivoting and Lateral Movement
Cobalt Strike enables movement within a compromised network to target additional machines:
- Pivoting: Use beacons on one machine as a pivot point to reach other machines.
- SOCKS Proxy: Cobalt Strike offers a SOCKS proxy for routing traffic through compromised systems.
```plaintext
Beacon> socks 1080
```
- Lateral Movement Techniques: Use tools such as PowerShell remoting, WMI, and SMB beacons to move laterally across the network.
Example: Using a SOCKS Proxy
Set up a SOCKS proxy in Cobalt Strike, then use an external tool like proxychains to route traffic through the compromised machine.
7. Bypassing Defenses
Cobalt Strike has built-in capabilities for bypassing traditional defenses:
- Obfuscation: Malleable C2 profiles can obfuscate payloads and make traffic appear legitimate.
- Process Injection: Hides beacons by injecting them into legitimate processes.
- AMSI Bypass: Bypasses AMSI (Antimalware Scan Interface) to execute payloads without triggering antivirus software.
8. Reporting
Cobalt Strike offers detailed reporting options, allowing red teams to document findings and report them effectively:
- Session Logging: Records command history, beacon interactions, and post-exploitation actions.
- HTML and PDF Reports: Generates high-quality reports in HTML and PDF formats to present findings to stakeholders.
To generate a report:
- Go to Reporting in the Cobalt Strike interface.
- Choose the desired report type and customize the contents.
9. Common Use Cases
9.1 Simulating a Phishing Campaign
- Set up a phishing server and create a Cobalt Strike beacon.
- Use Spear Phishing modules to send customized phishing emails with embedded payloads.
- Monitor for successful beacons and begin post-exploitation activities.
9.2 Lateral Movement in a Compromised Network
- Deploy a beacon on the initial machine.
- Set up a SOCKS proxy to use the beacon as a pivot point.
- Use proxychains or a similar tool to perform network scans and discover additional targets.
10. Troubleshooting
Common Issues
- License Expired: Ensure that your license is valid. Reach out to support if needed.
- Beacon Detection: If beacons are being detected, try modifying the Malleable C2 profile to evade detection or switch to a different communication channel (e.g., DNS).
- Network Issues: Verify that the Team Server’s IP and firewall settings allow traffic on the specified ports.
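Section 4.2 and the Beacon Detection item above both point at DNS as the fallback channel when HTTP/S beacons are caught. DNS beaconing leaves its own trace: many queries from a single host for distinct, long, random-looking subdomains under one parent domain, which ordinary name resolution never produces. The Python below is an added example (not from this guide and not part of Cobalt Strike) that scores DNS query-log lines on exactly that pattern; the log format, the domain names and the thresholds are constructed assumptions.

```python
"""DNS-beacon detector over query log lines.

Added example for this guide, not code from the guide or from Cobalt Strike.
Groups queries by (source host, parent domain) and flags groups with many
distinct subdomains whose leftmost label is long, the shape that data
encoded into DNS names takes. Log format, domains and thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean

# Constructed resolver log: <ISO timestamp> <src ip> <qtype> <qname>
# 10.1.1.5 asks for ten never-repeated 24-character labels under one domain,
# about a minute apart; 10.1.1.9 resolves ordinary host names.
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:05 10.1.1.5 A a9f3b2c8d1e0f4a7b6c5d4e3.cdn-assets.example
2024-05-01T09:01:06 10.1.1.5 A 7c2e1d0f9a8b7c6d5e4f3a2b.cdn-assets.example
2024-05-01T09:02:04 10.1.1.5 A 3b5d7f9a1c3e5b7d9f1a3c5e.cdn-assets.example
2024-05-01T09:03:05 10.1.1.5 A e4d6c8b0a2f4e6d8c0b2a4f6.cdn-assets.example
2024-05-01T09:04:07 10.1.1.5 A 0f1e2d3c4b5a69788796a5b4.cdn-assets.example
2024-05-01T09:05:05 10.1.1.5 A c7a5e3d1b9f7c5a3e1d9b7f5.cdn-assets.example
2024-05-01T09:06:06 10.1.1.5 TXT 51a3c5e7f9b1d3a5c7e9f1b3.cdn-assets.example
2024-05-01T09:07:05 10.1.1.5 A 9e8d7c6b5a4f3e2d1c0b9a8f.cdn-assets.example
2024-05-01T09:08:04 10.1.1.5 A 2f4e6d8c0b2a4f6e8d0c2b4a.cdn-assets.example
2024-05-01T09:09:06 10.1.1.5 A d1c3b5a7f9e1d3c5b7a9f1e3.cdn-assets.example
2024-05-01T09:00:01 10.1.1.9 A www.example.com
2024-05-01T09:00:02 10.1.1.9 A mail.example.com
2024-05-01T09:00:03 10.1.1.9 A www.example.com
2024-05-01T09:02:30 10.1.1.9 A example.com
"""


def registered_domain(qname):
    """Return the last two labels as a rough stand-in for the registered
    domain (a real deployment would use a public-suffix list instead)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dns_beacons(log_text, min_unique=8, min_label_len=20):
    """Return sorted [(src, domain, unique_subdomains, mean_label_len)] for
    (source, parent domain) groups with at least min_unique distinct
    subdomains whose leftmost label averages min_label_len characters or
    more. Normal clients reuse a handful of short names; an encoding
    channel never repeats one."""
    groups = defaultdict(lambda: {"subs": set(), "lens": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) <= 2:
            continue  # bare registered domain, nothing to measure
        key = (src, registered_domain(qname))
        groups[key]["subs"].add(".".join(labels[:-2]))
        groups[key]["lens"].append(len(labels[0]))

    hits = []
    for (src, domain), g in groups.items():
        if len(g["subs"]) >= min_unique and mean(g["lens"]) >= min_label_len:
            hits.append((src, domain, len(g["subs"]), round(mean(g["lens"]), 1)))
    return sorted(hits)


if __name__ == "__main__":
    for src, domain, uniq, avg_len in find_dns_beacons(SAMPLE_DNS_LOG):
        print(f"{src}: {uniq} unique subdomains of {domain}, mean label {avg_len}")
```

Because DNS beacons are low and slow, the count threshold matters more than any timing check: ten queries an hour from one host is nothing on its own, but ten distinct 24-character labels under one parent domain is not something a browser or mail client does. Content-delivery and telemetry domains also use long, unique labels, so an allow-list for known domains is the usual companion to this check.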