Cobalt strike
What if you could easily host malicious websites, send phishing emails, and manage compromised hosts across diverse internet addresses?
This week's Cobalt Strike adds the ability to manage multiple attack servers at once.
Here’s how it works:
When you connect to two or more servers, Cobalt Strike will show a switchbar with buttons for each server at the bottom of your window. Click a button to make that server active. It’s a lot like using tabs to switch between pages in a web browser.
To make use of multiple servers, designate a role for each one. Assign names to each server’s button to easily remember its role.
Dumbly connecting to multiple servers isn’t very exciting. The fun comes when you seamlessly use Cobalt Strike features across servers. For example:
Designate one server for phishing and another for reconaissance. Go to the reconaissance server, setup the system profiler application. Use the phishing tool to deliver the reconaissance website through the phishing server. This is easy to do because Cobalt Strike’s phishing dialog lets you embed a site from any server you’re connected to.
Web drive-by exploits are especially interesting. Clone a website and embed an exploit on one server. Set the embedded exploit to reference a Beacon listener on another server. When a vulnerable user visits this site, their system will start beaconing to the beacon server.
This is trivial to do because Cobalt Strike will let you setup an attack that references a listener on any server you’re connected to.
Distributed operations has its drawbacks. Each penetration testing server is a silo with a limited picture of the engagement. Cobalt Strike makes great strides to solve this problem. When you ask for a report, Cobalt Strike queries each server you’re connected to, combines the data, and generates one report. For example, if you send a phishing attack from one server and it references a site on another server, Cobalt Strike will cross-reference the information from both servers and present a coherent picture of the social engineering engagement.
Are you curious what all of this looks like? Watch the video:
This distributed operations capability is in today’s Cobalt Strike update. Grab a 21-day trial to try it out. Licensed users may update Cobalt Strike with the included update program. See the releasenotes.txt file for a full list of changes in today’s update.
Enjoy.
This week's Cobalt Strike adds the ability to manage multiple attack servers at once.
Here’s how it works:
When you connect to two or more servers, Cobalt Strike will show a switchbar with buttons for each server at the bottom of your window. Click a button to make that server active. It’s a lot like using tabs to switch between pages in a web browser.
To make use of multiple servers, designate a role for each one. Assign names to each server’s button to easily remember its role.
Dumbly connecting to multiple servers isn’t very exciting. The fun comes when you seamlessly use Cobalt Strike features across servers. For example:
Designate one server for phishing and another for reconaissance. Go to the reconaissance server, setup the system profiler application. Use the phishing tool to deliver the reconaissance website through the phishing server. This is easy to do because Cobalt Strike’s phishing dialog lets you embed a site from any server you’re connected to.
Web drive-by exploits are especially interesting. Clone a website and embed an exploit on one server. Set the embedded exploit to reference a Beacon listener on another server. When a vulnerable user visits this site, their system will start beaconing to the beacon server.
This is trivial to do because Cobalt Strike will let you setup an attack that references a listener on any server you’re connected to.
Distributed operations has its drawbacks. Each penetration testing server is a silo with a limited picture of the engagement. Cobalt Strike makes great strides to solve this problem. When you ask for a report, Cobalt Strike queries each server you’re connected to, combines the data, and generates one report. For example, if you send a phishing attack from one server and it references a site on another server, Cobalt Strike will cross-reference the information from both servers and present a coherent picture of the social engineering engagement.
Are you curious what all of this looks like? Watch the video:
This distributed operations capability is in today’s Cobalt Strike update. Grab a 21-day trial to try it out. Licensed users may update Cobalt Strike with the included update program. See the releasenotes.txt file for a full list of changes in today’s update.
Enjoy.
Post a Comment