Cobalt Strike Detailed Usage Guide


Introduction​

Cobalt Strike is a commercial adversary-simulation and red-team platform. At its core it is a command-and-control (C2) framework: a team server that several operators share, and Beacon, the post-exploitation agent that runs on compromised hosts and provides reconnaissance, pivoting, lateral movement, and post-exploitation capabilities. Because both the network traffic and the payload artifacts are highly configurable, it is used to emulate advanced persistent threat (APT) tradecraft; for the same reason, cracked copies are a staple of real intrusions, so defenders meet its indicators regularly.

This guide covers Cobalt Strike’s installation, configuration, and usage in various scenarios, providing a comprehensive look at its capabilities and options.


Table of Contents​

  1. System Requirements
  2. Installation
  3. Setting Up the C2 Infrastructure
  4. Beacon Overview
    • HTTP/S Beacon
    • DNS Beacon
    • SMB Beacon
  5. Core Modules and Functionalities
    • Reconnaissance
    • Exploitation and Payload Generation
    • Post-Exploitation
  6. Pivoting and Lateral Movement
  7. Bypassing Defenses
  8. Reporting
  9. Common Use Cases
  10. Troubleshooting

1. System Requirements​

The team server runs only on Linux; the client runs on Linux, macOS, or Windows. Here's what you'll need:

  • Team server: a supported Linux distribution (Debian/Ubuntu or Kali are the usual choices) on a host that your Beacons can reach.
  • Client: Linux, macOS, or Windows, running the same Cobalt Strike version as the team server.
  • Java Runtime Environment (JRE): the 4.x line is built against Java 11 (OpenJDK 11 or Oracle Java 11); older JREs will not start the client or the team server. The vendor's install documentation lists the exact supported versions for each release.
  • Memory: At least 4 GB RAM; 8 GB or more recommended for large engagements.
  • Disk Space: a few hundred MB for the installation, plus room for the logs/ and downloads/ directories, which grow with every Beacon session.

2. Installation​

  1. Download Cobalt Strike: Cobalt Strike is a commercial tool. After purchase you receive a download link and a license key. Extract the package:
    tar -xvf cobaltstrike.tgz
    cd cobaltstrike
  2. Install Java: Cobalt Strike 4.x needs Java 11. On Ubuntu/Debian:
    sudo apt update
    sudo apt install openjdk-11-jre
  3. License Verification: Run the update program in the Cobalt Strike directory and enter your license key when prompted:
    ./update
    This downloads the current release for your license and stores the key for later updates. The team server will not start on an expired license, so note the expiry date.
  4. Launch the Team Server: The server component, the Team Server, lets several operators share one C2 infrastructure.
    ./teamserver <IP> <PASSWORD> [Malleable C2 profile] [kill date]
    • <IP>: The externally reachable IP address of the server. It becomes the default callback host for listeners, so giving an internal or NATed address here is a common mistake.
    • <PASSWORD>: The shared operator password. Every operator uses the same one, so distribute it out of band and rotate it between engagements.
    • [Malleable C2 profile]: Optional. Path to a profile; without it the built-in default profile is used, and the default is fingerprinted by every security vendor.
    • [kill date]: Optional, YYYY-MM-DD. Beacons generated by this team server stop running after that date, which limits the damage if a payload leaks after the engagement.
    The team server listens on TCP port 50050 for client connections. Restrict that port with a firewall or a VPN to operator addresses; it must never be reachable from the internet. On start-up it prints the SHA256 fingerprint of its self-signed certificate; keep that value for the next step. Run the team server under tmux or screen so it survives your SSH session ending.
  5. Connect to the Server: On the client side, connect using:
    ./cobaltstrike
    Enter the Team Server's IP address, port 50050, a username, and the password. On first connection the client displays the server's certificate fingerprint; compare it with the one the team server printed before accepting it, otherwise a man-in-the-middle between operator and server goes unnoticed.

3. Setting Up the C2 Infrastructure​

Setting up a C2 infrastructure means configuring the team server, and usually a redirector in front of it, so that Beacons on compromised systems have a reliable channel back. Cobalt Strike uses Malleable C2 profiles to shape that traffic so it resembles traffic already present on the target network; the profile is the single most important evasion decision, because the default traffic pattern is detected on sight.

Malleable C2 Profile​

A Malleable C2 profile is a text file that defines how Beacon and the team server format their HTTP, HTTPS, and DNS exchanges (URIs, headers, parameters, where metadata and output are carried and how they are encoded), plus process-injection and post-exploitation behaviour. One profile is loaded per team server:
./teamserver <IP> <PASSWORD> /path/to/profile.profile
Always run the bundled checker, c2lint, on the profile file before loading it; it catches syntax errors and combinations that will not work against a real Beacon.

Example Profile​

Below is a basic C2 profile snippet. The User-Agent is set with the global useragent option rather than as a client header:

set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";

http-get {
    set uri "/news";

    client {
        header "Accept" "*/*";
    }

    server {
        header "Content-Type" "application/json";
    }
}

This profile makes Beacon's GET requests use /news as the endpoint with the given User-Agent. Everything not specified (the http-post block, the metadata and output encodings, the DNS settings) is filled in from the default profile, so a snippet this small still leaves most of the default indicators in place. The profile also controls only the shape of each request: timing is governed by the sleeptime and jitter options, the TLS certificate and handshake are visible separately, and the domain in front of the team server has a reputation of its own. All of those have to fit the story the URI and headers tell.
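A Beacon left at a fixed sleep with no jitter (set sleeptime "60000"; with no set jitter line) stands out in proxy logs on timing alone, however convincing the URI and headers are. The following is an added example of that check from the defender's side, written for this page and not taken from the original post or from Cobalt Strike. It runs over a handful of constructed, simplified proxy log lines (timestamp, client IP, method, host, URI, User-Agent; all addresses and host names are fictitious) and flags clients whose inter-request intervals to one URI are nearly constant.

```python
"""Flag fixed-interval HTTP beaconing in proxy logs.

Added example for this page, not Cobalt Strike code. The log format and
every address below are constructed:
    "<ISO timestamp> <src ip> <method> <host> <uri> <user-agent>"
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 hits /news every 60 s exactly (sleep 60, no
# jitter); 10.0.0.7 hits /news at 35-60 s intervals (sleep 60, 50% jitter);
# 10.0.0.9 is ordinary browsing with too few requests to score.
SAMPLE_LOG = """\
2024-10-10T09:00:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:00:00 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:00:12 10.0.0.9 GET www.example.org /index.html Mozilla/5.0 (X11; Linux x86_64)
2024-10-10T09:00:37 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:01:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:01:35 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:02:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:02:19 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:02:40 10.0.0.9 GET www.example.org /about.html Mozilla/5.0 (X11; Linux x86_64)
2024-10-10T09:03:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:03:19 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:03:54 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:04:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:04:46 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:05:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:05:27 10.0.0.7 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:06:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:07:00 10.0.0.5 GET cdn.example.net /news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-10T09:09:03 10.0.0.9 GET www.example.org /index.html Mozilla/5.0 (X11; Linux x86_64)
"""


def parse_line(line: str):
    """Split one constructed log line; the User-Agent may contain spaces."""
    ts, src, method, host, uri, user_agent = line.split(" ", 5)
    return datetime.fromisoformat(ts), src, method, host, uri, user_agent


def interval_stats(lines, min_requests: int = 5) -> dict:
    """Per (src, host, uri) with at least min_requests hits: request count,
    mean gap in seconds, and coefficient of variation (stdev / mean) of gaps."""
    stamps = defaultdict(list)
    for line in lines:
        ts, src, _method, host, uri, _ua = parse_line(line)
        stamps[(src, host, uri)].append(ts)
    stats = {}
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        stdev = statistics.stdev(gaps) if len(gaps) > 1 else 0.0
        # A zero mean (duplicate timestamps) is a burst, not a beacon.
        cv = stdev / mean if mean else float("inf")
        stats[key] = {"requests": len(times), "mean_gap": mean, "cv": cv}
    return stats


def flag_beacons(lines, max_cv: float = 0.1, min_requests: int = 5) -> list:
    """Keys whose gaps are too regular for a human or a normal application."""
    return sorted(key for key, s in interval_stats(lines, min_requests).items()
                  if s["cv"] <= max_cv)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.strip().splitlines()
    for key, s in interval_stats(log_lines).items():
        print(key, f"n={s['requests']} mean={s['mean_gap']:.1f}s cv={s['cv']:.3f}")
    print("flagged:", flag_beacons(log_lines))
```

The jittered client passes this particular test, which is the point of the jitter option; it still clusters inside a bounded window (30 to 60 s here), so a production rule would add a bounded-gap test and a per-day request count for one URI. The profile's wire shape and its timing are independent indicators and both need attention.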


4. Beacon Overview​

Beacon is Cobalt Strike's post-exploitation agent: an implant that checks in with the team server on a schedule (asynchronously) and runs whatever tasks have been queued for it. Each listener you create under Cobalt Strike > Listeners defines a transport; the main ones are:

4.1 HTTP/S Beacon​

HTTP and HTTPS Beacons egress directly to the team server, or to a redirector in front of it. They sleep, wake, send one request shaped by the Malleable C2 profile, run any tasks returned, and sleep again; the sleep command (seconds and an optional jitter percentage) controls the interval. HTTPS needs a certificate that looks plausible to the target's proxy, and the default self-signed certificate is itself a well-known indicator.

4.2 DNS Beacon​

DNS Beacons tunnel C2 through recursive DNS: the target's resolver forwards queries for a domain whose NS record delegates to the team server. They are low and slow, carrying data in A, AAAA, or TXT answers (switched with the mode dns, mode dns6, and mode dns-txt commands), and they work where only DNS leaves the network. They require you to control the domain's delegation, and the volume of queries to one domain is loud to anyone watching DNS logs, so "harder to see" applies only where nobody is looking at DNS.

4.3 SMB Beacon​

SMB Beacons never talk to the team server themselves. They listen on a named pipe and are controlled by a parent Beacon on another host that links to them over SMB (port 445) with link <host> <pipename>; a TCP Beacon works the same way on a chosen port via connect <host> <port>. This peer-to-peer chaining lets one egress host carry many internal sessions and is the normal way to move across a network without every host calling out to the internet. The pipe name is part of the listener and is a standard hunt indicator, so change it from the default.

Configuring and Deploying Beacons​

First create a listener (Cobalt Strike > Listeners), then generate a payload for it under Attacks > Packages. Prefer the stageless packages (Windows Executable (S) and its siblings) over staged ones: a stager downloads the full Beacon from the listener over a predictable URL, which hands defenders an easy way to fetch your payload, and the download itself is a detectable step. Deliver the artifact through the engagement's agreed initial-access path (phishing, a user-driven attack, or an existing foothold) and watch the Beacon list for the new session.


5. Core Modules and Functionalities​

Cobalt Strike’s functionality spans across several modules for end-to-end penetration testing and red team activities:

5.1 Reconnaissance​

  • Port Scanning: Beacon's built-in scanner runs from the compromised host and reports open ports with service banners.
    Beacon> portscan 10.0.0.0/24 22,80,443,445,3389 arp 1024
    The arguments are targets, ports, discovery method (arp, icmp, or none), and the maximum number of concurrent connections. Use arp on the local subnet; icmp or none is needed across routed segments. Results also populate the Targets and Services views.
  • Host and Service Discovery: net computers, net dclist, and net view enumerate domain hosts through Windows APIs without touching every port; the portscan banner grab gives the service version where the protocol offers one, but Beacon does no OS fingerprinting of its own.
  • Screenshot: screenshot and screenwatch capture the desktop from the Beacon process; printscreen uses a different API for hosts where the first is blocked.

5.2 Exploitation and Payload Generation​

  • Exploitation Options: Cobalt Strike ships no exploit library. Initial access comes from its social-engineering features (spear phishing, the Scripted Web Delivery and HTML Application packages, cloned sites) or from exploits run with other tools that then launch a Cobalt Strike payload.
  • Payload Generator: Attacks > Packages produces Beacon as a Windows EXE, service EXE, DLL, PowerShell script, raw shellcode, and other formats. The built-in artifacts are widely signatured, so on real engagements the Artifact Kit (and the Resource Kit for script templates) is used to build custom ones.

5.3 Post-Exploitation​

Once a Beacon is in, post-exploitation runs through the Beacon console, and every command is recorded in the team server log, so the record of what was done is automatic:
  • Credential Harvesting: hashdump dumps local SAM hashes, logonpasswords runs Mimikatz's sekurlsa::logonpasswords against LSASS, and mimikatz runs arbitrary Mimikatz commands. All three need elevated privileges and all three touch LSASS, which is exactly what EDR watches most closely.
  • Privilege Escalation: getsystem, elevate (with a named exploit such as the built-in uac-token-duplication or one from the Elevate Kit) and runasadmin; steal_token and make_token impersonate another user's token without changing the Beacon process itself.
  • Persistence: there are no built-in persistence commands. Persistence is scripted with run, powershell, powerpick, or execute-assembly, or through Aggressor scripts. That is deliberate: persistence mechanisms are what gets left behind and found, and they should be tracked and removed at the end of the engagement.
  • Data Transfer: upload and download move files; downloads are queued over the Beacon's check-ins and land in the team server's downloads/ directory (View > Downloads). Large transfers over a sleeping Beacon take a long time, and the team server, not the client, holds the data.

6. Pivoting and Lateral Movement​

Cobalt Strike enables movement within a compromised network to target additional machines:
  • Pivoting: Use a Beacon on one machine as a pivot point to reach hosts only it can see.
    • SOCKS Proxy: Beacon can act as a SOCKS server.
      Beacon> socks 1080
      The listening port opens on the team server, not on the operator's client and not on the compromised host. Point proxychains (or any SOCKS-aware tool) at the team server's address on that port. Traffic is relayed through the Beacon's check-ins, so lower the sleep first (sleep 0 is common while pivoting) or the tunnel will crawl, and stop it with socks stop when done.
    • Reverse Port Forward: rportfwd <bind port> <forward host> <forward port> opens a port on the compromised host that tunnels through the team server to a host the team server can reach; useful for presenting a payload or a service to the internal network.
  • Lateral Movement Techniques: the jump command wraps the built-in methods (psexec, psexec64, psexec_psh, winrm, winrm64) and starts a new Beacon on the remote host; remote-exec (psexec, winrm, wmi) runs a single command there instead. Both use the current Beacon's token or the credentials set with make_token, and both leave host-side artifacts (a new service, a WinRM shell, WMI process creation) that are routinely detected.

Example: Using a SOCKS Proxy​

Start the SOCKS server from the Beacon (socks 1080), then on the operator machine add a line such as socks4 <team server IP> 1080 to proxychains.conf and prefix the tool with proxychains. Only TCP connections traverse a SOCKS proxy: run connect scans with host discovery disabled (nmap -sT -Pn), because SYN scans and ICMP pings are dropped by the proxy or end up probing the wrong network.
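Beacon's socks command speaks SOCKS4a (recent releases add a SOCKS5 option), which is why proxychains' socks4 line works against it. Knowing the framing helps when a tool fails silently through the proxy. The added example below, written for this page and not taken from Cobalt Strike or the original post, builds and parses the CONNECT request and the 8-byte reply that cross the team server's port 1080; every host name and address in it is constructed.

```python
"""SOCKS4a CONNECT framing as exchanged with a Beacon SOCKS server.

Added example for this page, not Cobalt Strike code. All addresses and
names used in the demo are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A      # request granted
REPLY_REJECTED = 0x5B     # request rejected or failed


def build_connect(host: str, port: int, user_id: str = "") -> bytes:
    """Client side: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL].

    A literal IPv4 address goes in DSTIP. Any other name uses the 4a
    extension: DSTIP is set to 0.0.0.1 and the name is appended, so the
    proxy (here the team server via the Beacon) resolves it inside the
    target network instead of the operator's machine leaking a DNS lookup.
    """
    try:
        dst_ip = ipaddress.IPv4Address(host).packed
        hostname = b""
    except ValueError:
        dst_ip = b"\x00\x00\x00\x01"
        hostname = host.encode("idna") + b"\x00"
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + dst_ip + user_id.encode("ascii") + b"\x00" + hostname)


def parse_connect(data: bytes) -> tuple:
    """Server side: return (host, port, user_id) from a SOCKS4/4a CONNECT."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port = struct.unpack("!H", data[2:4])[0]
    dst_ip = data[4:8]
    user_id, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("USERID not NUL-terminated")
    # 0.0.0.x with x != 0 marks the 4a form: a host name follows USERID.
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("hostname not NUL-terminated")
        return hostname.decode("idna"), port, user_id.decode("ascii")
    return str(ipaddress.IPv4Address(dst_ip)), port, user_id.decode("ascii")


def build_reply(granted: bool) -> bytes:
    """Server side: VN(0) CD(0x5A or 0x5B) DSTPORT(2) DSTIP(4).

    Clients ignore the trailing six bytes, so they are sent as zeros."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


def parse_reply(data: bytes) -> bool:
    """Client side: True if the proxy accepted the CONNECT."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


if __name__ == "__main__":
    # Constructed demo: what proxychains sends for a connection to an
    # internal host named by DNS, and what the proxy answers.
    req = build_connect("dc01.corp.example", 445, "operator")
    print(req.hex())
    print(parse_connect(req))
    print(parse_reply(build_reply(True)))
```

Two practical consequences follow from the framing: a tool that resolves names locally before connecting sends a bare IP and never uses the 4a extension, so internal names must be resolvable from the operator side or passed through (proxychains has proxy_dns for this); and a 0x5B reply means the Beacon could not connect to the target, which is a network answer, not a proxy failure.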


7. Bypassing Defenses​

Cobalt Strike's evasion features are configuration, not magic; each one changes a specific artifact that defenders know to look for:
  • Obfuscation: The stage block of the Malleable C2 profile controls how the Beacon DLL looks in memory (obfuscate, userwx, cleanup, sleep_mask and related options), and the http-* blocks shape what crosses the wire. The unmodified defaults are fingerprinted by every vendor, so a profile is effectively mandatory on a real engagement.
  • Process Injection: Post-exploitation jobs (mimikatz, powerpick, execute-assembly, screenshot and others) run in a sacrificial process named by spawnto_x86 and spawnto_x64 in the post-ex block; inject and spawn move Beacon itself into another process. The process-inject block selects the allocation and execution technique. A process running code it has no reason to run (a rundll32.exe with no arguments, for example) is one of the most reliable detections there is, so choose spawnto and the injection method to fit the host.
  • AMSI Bypass: set amsi_disable "true"; in the post-ex block patches the Antimalware Scan Interface in the sacrificial process before powerpick, execute-assembly, and psinject run. It affects only those jobs, not Beacon's own staging or a payload's initial execution, and the in-memory patch is itself something EDR looks for.

8. Reporting​

Cobalt Strike records everything operators do, which is the basis for both the deliverable and deconfliction with the blue team during the engagement:
  • Session Logging: the team server writes a dated logs/ directory with one beacon_<id>.log per session (operator input, tasks, check-ins, output), plus event, download, screenshot, and keystroke logs. These live on the team server and nothing is kept client-side, so copy and archive them before the server is torn down.
  • PDF and Word Reports: the Reporting menu (Activity Report, Hosts, Indicators of Compromise, Sessions, Social Engineering, and Tactics, Techniques, and Procedures) exports PDF or Microsoft Word documents. The Indicators of Compromise report lists the Malleable C2 traffic, the domains and the file hashes used, which is what the blue team needs to check its own detections afterwards.
To generate a report:
  1. Go to Reporting in the Cobalt Strike interface.
  2. Choose the report type, set the title, description, and output format, and save the resulting file.
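The beacon log is what an activity report and a blue-team deconfliction are built from, and it is plain text. The following added example, written for this page and not part of Cobalt Strike or the original post, parses a constructed beacon_<id>.log excerpt into events and summarizes who ran what and which ATT&CK technique IDs the team server tagged. The exact field layout differs between Cobalt Strike versions, so the pattern below is written against the constructed sample and should be adjusted to your own logs; all host, user, and operator names in it are fictitious.

```python
"""Summarize a Cobalt Strike beacon log for an activity report.

Added example for this page, not Cobalt Strike code. The excerpt is
constructed to resemble a beacon_<id>.log; adjust EVENT_RE to the exact
layout of the logs your version writes.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""10/10 09:00:01 UTC [metadata] 203.0.113.10 <- 10.0.0.5; computer: WS01; user: alice; process: rundll32.exe; pid: 4120; os: Windows; version: 10.0; build: 19045; beacon arch: x64 (x64)
10/10 09:00:20 UTC [input] <neo> sleep 60 50
10/10 09:00:20 UTC [task] <T1029> Tasked beacon to sleep for 60s (50% jitter)
10/10 09:00:31 UTC [checkin] host called home, sent: 16 bytes
10/10 09:01:12 UTC [input] <neo> shell whoami
10/10 09:01:12 UTC [task] <T1059> Tasked beacon to run: whoami
10/10 09:01:44 UTC [checkin] host called home, sent: 47 bytes
10/10 09:01:45 UTC [output]
received output:
ws01\alice
10/10 09:02:30 UTC [input] <trinity> ls
10/10 09:02:30 UTC [task] <T1083> Tasked beacon to list files in .\*
10/10 09:03:05 UTC [input] <neo> hashdump
10/10 09:03:05 UTC [task] <T1003> Tasked beacon to dump hashes
10/10 09:03:41 UTC [checkin] host called home, sent: 21 bytes
"""

# "<MM/DD HH:MM:SS> [UTC] [<kind>] <body>"; the UTC marker is optional because
# older logs omit it.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: UTC)? \[(?P<kind>\w+)\] ?(?P<body>.*)$")
INPUT_RE = re.compile(r"^<(?P<operator>[^>]+)> (?P<command>.+)$")
TASK_RE = re.compile(r"^<(?P<ttp>T\d{4}(?:\.\d{3})?)> (?P<description>.+)$")


def parse_beacon_log(text: str) -> list:
    """Turn log lines into event dicts; output continuation lines are folded
    into the preceding [output] event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m is None:
            if events and events[-1]["kind"] == "output":
                events[-1]["body"] += line + "\n"
            continue
        ev = {"ts": m["ts"], "kind": m["kind"], "body": m["body"]}
        if ev["kind"] == "input":
            im = INPUT_RE.match(ev["body"])
            if im:
                ev["operator"], ev["command"] = im["operator"], im["command"]
        elif ev["kind"] == "task":
            tm = TASK_RE.match(ev["body"])
            if tm:
                ev["ttp"], ev["description"] = tm["ttp"], tm["description"]
        events.append(ev)
    return events


def summarize(events: list) -> dict:
    """Who ran how many commands, which techniques were tagged, and when."""
    inputs = [e for e in events if e["kind"] == "input" and "operator" in e]
    return {
        "commands_by_operator": Counter(e["operator"] for e in inputs),
        "techniques": sorted({e["ttp"] for e in events if "ttp" in e}),
        "first_seen": events[0]["ts"] if events else None,
        "last_seen": events[-1]["ts"] if events else None,
        "outputs": [e["body"] for e in events if e["kind"] == "output"],
    }


if __name__ == "__main__":
    summary = summarize(parse_beacon_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The technique IDs come from the team server's own tagging of each task, so a timeline built this way lines up directly with the Tactics, Techniques, and Procedures report and gives the blue team a per-host list of what to look for in their telemetry.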

9. Common Use Cases​

9.1 Simulating a Phishing Campaign​

  1. Create an HTTP/S or DNS listener and a payload for it (hosted through Attacks > Web Drive-by or embedded in a document), on a domain and certificate that fit the pretext.
  2. Use Attacks > Spear Phish to send the template with the embedded link or attachment to the imported target list, through a mail server you control or are permitted to use. Keep the sending domain separate from the C2 domain so that one getting burned does not cost both.
  3. Monitor the Beacon list and the web log for callbacks, and begin post-exploitation only on hosts within the agreed scope.

9.2 Lateral Movement in a Compromised Network​

  1. Deploy a Beacon on the initial machine.
  2. Set up a SOCKS proxy (socks 1080) to use the Beacon as a pivot point, and reduce the sleep time so the tunnel is usable.
  3. Use proxychains or a similar tool to perform connect scans and discover additional targets, then move to them with jump or an SMB Beacon so that only the first host keeps talking to the internet.

10. Troubleshooting​

Common Issues​

  • License Expired: the team server refuses to start on an expired license. Renew, run ./update again with the new key, and check the expiry date before every engagement so it does not lapse mid-operation.
  • Beacon Detection: if Beacons die on landing or shortly after, separate the possible causes: the artifact (rebuild it with the Artifact Kit, use a stageless payload), the network (fix the Malleable C2 profile, put a redirector with a believable domain and certificate in front, add jitter), or host behaviour (spawnto, the injection method, what the operator ran). Switching to DNS helps only when HTTP egress itself is the problem, and DNS traffic is far noisier.
  • Network Issues: operators need TCP 50050 to the team server; Beacons need the listener port (80/443 for HTTP/S, UDP 53 for DNS, plus a valid NS delegation of the C2 domain to the team server's address). The IP you passed to the team server is the default listener host, so if it was an internal address the listener's host field must be corrected or Beacons call back to an address they cannot reach.
 