Generating cloned phishing websites and performing post-exploitation operations on win7

Table of contents

Preface

List of series articles

Mind map

1. Environment for reproducing the experiment

2. Introduction to CS

2.1, Introduction to CS

2.2, Main functions of CS

3. Installation of CS

3.1, Put the cobalt_strike_4.5 folder into Kali

3.2, Precautions during the transfer

3.3, As shown in the figure

4. Configuration tool

4.1, enter the cs directory

4.1.1, Method 1

4.1.2, Method 2

4.2. Give the files in the directory the highest permissions 

4.3, start cs on the server side

4.3.1, Check the IP address of kali server 

4.3.2, start server cs

5. Client runs CS

5.1, Information settings before running

5.2, Introduction to toolbar

6. Usage of CS

6.1, Generate a cloned phishing website

6.1.1. After the client connection succeeds, create a listener.

6.1.2. After clicking Add, set the listener parameters.

6.1.3. Clone the phishing website

6.1.4, Capture account and password

6.2, Generate a Trojan and perform post-exploitation operations

6.2.1, Generate a Windows Trojan file

6.2.2, Configure

6.2.3, Set the Trojan output location

6.2.4, Put the Trojan on the target machine

6.2.5, Enter command mode

6.2.6, Change the connection interval

6.2.7, Obtain the username and password of the target machine

6.2.8, Execute system commands on the target machine

7. Summary


Preface

This article is a hands-on account of using CS to deploy a phishing website and, by generating a Trojan, to carry out post-exploitation operations on Win7. Through this practice I become familiar with operations that come up during penetration testing and lay a foundation for my future learning; it is also a way to learn about other areas of knowledge.

List of series articles


Penetration Testing Basics: Eternal Blue Vulnerability Reproduction http://t.csdn.cn/cdxkg

Mobile Phone Trojan Remote Control Reproduction http://t.csdn.cn/tLmCM

Mind map

1. Environment for reproducing the experiment

  • Kali (attacker): 192.168.223.xxx
  • Win7 (target machine): 192.168.
  • CS tool

Here I use NAT mode to make sure the machines are on the same network segment.

If you are not familiar with VMware's network connection modes, you can read my article:

VMware's three connection modes http://t.csdn.cn/7SWg9

2. Introduction to CS

2.1, Introduction to CS

CS is short for Cobalt Strike. It is a penetration testing tool so capable that people in the industry often call it the "CS artifact". Cobalt Strike no longer relies on MSF but runs as a standalone platform. It is split into a client and a server: there is one server and there can be many clients, so a team can work in a distributed, coordinated way.

In the industry CS is also jokingly called an "online multiplayer sport".

CS uses a client/server (C/S) architecture. There is only one server and there can be multiple clients; once several people have connected to the server they can test collaboratively and share the shells they obtain with each other.

2.2, Main functions of CS

Cobalt Strike integrates port forwarding, multi-mode port listeners, Windows exe generation, Windows DLL generation, Java program generation and Office macro generation, and includes site cloning to obtain browser-related information, among other functions.

  1. Port forwarding: Cobalt Strike allows users to create tunnels through port forwarding to bypass network defenses and establish communication with target systems.

  2. Multi-mode port listener: Cobalt Strike provides multiple port listening modes, including HTTP, HTTPS and DNS, etc. to simulate multiple attack scenarios and capture sensitive information of the target system.

  3. Payload generation: Cobalt Strike can generate various types of malicious payloads, such as Windows executable files, Windows dynamic link libraries (DLLs), Java programs, and Office macro codes. These payloads are customized to achieve a variety of attack objectives during penetration testing.

  4. Social engineering tools: Cobalt Strike also provides some social engineering tools, such as site cloning, etc., which are used to obtain browser-related information and conduct phishing attacks and other operations.

3. Installation of CS

Note: a Java environment is required to run CS. Below, CS is run in Kali, that is, both the server and the client are started in Kali.

3.1, Put the cobalt_strike_4.5 folder into Kali

3.2, Precautions during the transfer

If the virtual machine has VMware Tools installed, you can decompress the archive locally and drag the folder straight into the virtual machine; you can also drag the archive in first and decompress it there.

Note that while downloading CS you need to turn off antivirus software and the firewall. If the tool is flagged as malicious it will be quarantined and the tool will be damaged.

3.3, As shown in the figure

Here, because I have VMware Tools, I dragged the compressed package in directly and decompressed it.

4. Configuration tool

4.1, enter the cs directory

4.1.1, Method 1

Because my tool is on the desktop, I open a terminal on the desktop and enter the command to change into the tool's directory:

cd cobalt_strike_4.5

4.1.2, Method 2

If we open the terminal directly from the tool's folder, we are already in the tool's directory.

4.2. Give the files in the directory the highest permissions 

Here we can use the following command to give all files in this directory read, write and execute permission (777 means readable, writable and executable for every user; note that this also lets every user on the system modify the files):

chmod 777 *

Then enter the following command to check. The content in the red box represents readable, writable and executable.

ls -l

You can also list the files in the directory. Because I have already started the tool, there are extra files here; normally there should be 10 folders initially. If there are fewer, the tool was quarantined during the transfer and the files are damaged, so you need to repeat the steps above.

ls

4.3, start cs on the server side

Here we set up a server; the IP is the IP of the machine the server runs on.

In plain terms, this means using CS to turn Kali into a server.

4.3.1, Check the IP address of the Kali server

ifconfig

4.3.2, Start the CS server

./teamserver <Kali IP> <connection password>

5. Client runs CS

Note that after the step above, the terminal stays on the screen shown in the picture above. We need to open a new terminal in the same folder and perform the following steps there; the earlier terminal must not be closed.

Run the CS executable (note: when running the executable with ./, the file name needs to be tab-completed; if it is typed by hand the executable is not recognized):

./cobaltstrike

The small box shown in the picture indicates success.

5.1, Information settings before running

Alias: can be set as you like

Host: the IP of the server (Kali)

Port: the port number shown when CS starts

User: the name shown to others after you log in; it can be anything

Password: the password you set earlier

The following interface appears, indicating that the login succeeded and the client is connected to the server.

5.2, Introduction to toolbar

1. Create a new connection

2. Disconnect the current connection

3. Listener

4. Change the view to PivotGraph (view list)

5. Change the view to SessionTable (session list)

6. Change the view to TargetTable (target list)

7. Display the credentials of all compromised hosts obtained

8. View downloaded files

9. View keylogging results

10. View screenshots

11. Generate stateless executable exe Trojan

12. Use java self-signed programs to conduct phishing attacks

13. Generate office macro virus files

14. Provide web services for payload to download and execute

15. Provide file download, you can choose Mime type

16. Manage web services running on CobaltStrike

17. Help

18. About

6. Usage of CS

6.1, Generate a cloned phishing website

6.1.1. After the client connection succeeds, create a listener.

Click the Cobalt Strike menu at the top left -> select Listeners in the drop-down -> click Add in the panel that appears below.

6.1.2. After clicking Add, set the listening port parameters.

Name: the name of the listener; it can be arbitrary

Payload: the payload type

HTTP address: the host the shell calls back to, i.e. our Kali IP

HTTP address (Stager): the address from which the stager requests and downloads the payload

HTTP port (online): the port on which beacons check in (default 80)

Then click Save; if the listener has started, that is all.

6.1.3. Clone phishing website

Click the Attacks menu and select Web Phishing ---> Website Clone.

Clone URL: the website to copy. The one I chose here is a QQ mailbox site without an encrypted protocol; I suspect it is itself a phishing site.

(Note: the clone tool can only clone http websites; https sites are encrypted and cannot be cloned.)

Local URL: if you have your own website domain name, fill it in

Local port: the local port for the clone, set by yourself

Tick the option below; this is the keystroke logging option.

After clicking Clone, a URL is generated; visit the generated URL.

At this point the phishing website is ready. If you have your own server and domain name you can make it a site anyone can reach. Of course, doing that would be a crime starting at three years.

6.1.4, Capture account and password

Type anything on the keyboard; the results of the keystroke logging can then be seen under the View -> Web Log option.

Of course, this is not my real account and password.

After logging in, the site redirects to the real QQ mailbox website. Ordinary users would not easily notice; they just assume they entered the account or password wrong.
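From the defender's side, the cloned page built in 6.1.3 and 6.1.4 leaves recognisable traces: a password form served over plain http, a form action that still posts to the original site's host, and scripts loaded from the site that was copied. The following Python script is an added example (not code from the original post or from Cobalt Strike) that checks a page for exactly those indicators. The HTML, the 192.0.2.10 address and the mail.example.com host are constructed placeholders.

```python
"""Flag indicators of a cloned credential-harvesting page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collect each form (and whether it holds a password field) and every script src."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.script_srcs = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(page_url, html):
    """Return the sorted indicator names found for a page served at page_url."""
    scanner = _PageScanner()
    scanner.feed(html)
    page_host = _host(page_url)
    findings = set()
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # A login form delivered without TLS: credentials travel in clear text.
        if urlparse(page_url).scheme == "http":
            findings.add("password_form_over_http")
        # A clone keeps the original action, so the form posts to a host
        # other than the one that served the page.
        action_host = _host(urljoin(page_url, form["action"]))
        if action_host and action_host != page_host:
            findings.add("cross_origin_form_action")
    # Scripts pulled from another host: the page was copied, not built here.
    for src in scanner.script_srcs:
        if _host(urljoin(page_url, src)) not in ("", page_host):
            findings.add("external_script_sources")
    return sorted(findings)


# Constructed sample: a copied login page served from a raw IP (placeholder) on port 80.
CLONED_PAGE_URL = "http://192.0.2.10/"
CLONED_PAGE_HTML = """
<html><head><title>Mail Login</title>
<script src="https://mail.example.com/static/login.js"></script></head>
<body>
<form method="post" action="https://mail.example.com/cgi-bin/login">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Login">
</form></body></html>
"""

# Constructed sample: the same form as served by the legitimate site itself.
GENUINE_PAGE_URL = "https://mail.example.com/"
GENUINE_PAGE_HTML = """
<html><head><title>Mail Login</title>
<script src="/static/login.js"></script></head>
<body>
<form method="post" action="/cgi-bin/login">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Login">
</form></body></html>
"""

if __name__ == "__main__":
    print("cloned :", phishing_indicators(CLONED_PAGE_URL, CLONED_PAGE_HTML))
    print("genuine:", phishing_indicators(GENUINE_PAGE_URL, GENUINE_PAGE_HTML))
```

None of these checks is proof on its own (legitimate sites do use external CDNs), but a password form on a non-TLS raw-IP host whose action points at a well-known mail provider is the combination a user-side or proxy-side check should surface.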

6.2, Generate a Trojan and perform post-exploitation operations

6.2.1, Generate a Windows Trojan file

Select Attack module -> Generate backdoor -> the Windows executable program below.

6.2.2, Configure

Here we first need to add a new listener; add one as in the earlier steps.

Select the listener and tick Use x64 payload below.

6.2.3, Set the Trojan output location

Select where the exe Trojan is generated; here I chose to save it on the desktop.

If it turns out the file can only be saved under root, log in as root, open a terminal and enter the command to move it to the desktop:

mv <source path> <target directory path>

mv 内心如初.exe /home/kali/Desktop

6.2.4, Put the Trojan on the target machine

Drag the generated Trojan onto the target machine. You can create a new Windows virtual machine yourself (for basic use there is no antivirus; remember to turn antivirus off). After placing it, double-click the Trojan and CS will show the host as online.

You can also use the Eternal Blue vulnerability to upload the file from Kali to the target machine, so you do not have to turn off the firewall and antivirus software.

Penetration Testing Basics: Eternal Blue Vulnerability Reproduction http://t.csdn.cn/tXklU

6.2.5, Enter command mode

Right-click the online target machine, select Session interaction, and enter command mode.

6.2.6, Change the connection interval

Right-click the online target machine and, under Session, change the reconnection interval (sleep) to 0.

6.2.7, Obtain the username and password of the target machine

Right-click the host -> Credentials (privilege escalation) -> Grab clear-text password to obtain the target machine's username and password, then connect to the remote desktop.
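Grabbing clear-text passwords from memory, as in the step above, requires opening lsass.exe with memory-read rights, and that is the event a defender watches for. The following Python script is an added example (not code from the original post or from Cobalt Strike) that scans process-access records for a process outside a small allowlist opening lsass.exe with PROCESS_VM_READ. The records are constructed in a flat key=value layout that mirrors the fields of a Sysmon Event ID 10 (ProcessAccess) event; the allowlist, file paths and access masks in the sample are assumptions.

```python
"""Flag process-access records that look like credential dumping from LSASS (added example)."""
import re

# PROCESS_VM_READ (0x0010) is needed to read another process's memory;
# PROCESS_QUERY_INFORMATION (0x0400) alone is routine and not interesting.
PROCESS_VM_READ = 0x0010

# Constructed allowlist of images that legitimately touch lsass.exe.
# A real environment needs its own tuned list (AV and EDR agents, etc.).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed records in a flat key=value form modelled on Sysmon Event ID 10 fields.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Users\user\Desktop\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Program Files\Tool\tool.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\Users\user\AppData\Local\Temp\x.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x0400
"""

# key=value pairs separated by whitespace; values may contain spaces (e.g. "Program Files"),
# so a value runs until the next " key=" token or the end of the line.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one constructed record into a dict of its fields."""
    return dict(_FIELD.findall(line))


def suspicious_lsass_access(text):
    """Return (source_image, granted_access) for every event in which an image
    outside the allowlist opens lsass.exe with memory-read rights."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0"), 16)
        if not access & PROCESS_VM_READ:
            continue
        src = ev.get("SourceImage", "")
        if src.lower() in ALLOWED_SOURCES:
            continue
        hits.append((src, ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"suspicious lsass access: {src} ({access})")
```

Of the five constructed records only the user-profile executable with access mask 0x1010 is reported: the svchost and csrss entries are allowlisted, the notepad entry targets the wrong process, and the 0x0400 entry queries information without reading memory.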

6.2.8, Execute system commands on the target machine

desktop        #Remote VNC (virtual network console)

sleep x        #Set the sleep (check-in delay) time

pwd            #Current directory

ls             #List files in the current directory

screenshot     #Take a screenshot

shell whoami   #Name of the user currently logged into the system

Click the screenshot button on the toolbar to view the picture of the target machine captured after executing the screenshot command.
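The sleep value set in 6.2.6 and the sleep command in 6.2.8 decide how often the beacon checks in, and that regularity is what a defender can look for in proxy or firewall logs. The following Python script is an added example (not code from the original post or from Cobalt Strike) that parses constructed proxy-style log lines, groups requests by source/destination pair and flags pairs whose gaps between requests are too regular, including the continuous stream a sleep of 0 produces. The log format, the addresses and the thresholds are assumptions.

```python
"""Spot beacon-like traffic by the regularity of its check-in interval (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "timestamp src dst method path". 192.0.2.20 checks in every
# ~60 s, 192.0.2.22 hammers its server once a second (a sleep-0 beacon),
# and 192.0.2.21 is a person browsing with irregular gaps.
SAMPLE_LOG = """\
2023-09-10T10:00:00 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:00:02 192.0.2.21 203.0.113.7 GET /
2023-09-10T10:01:00 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:01:09 192.0.2.21 203.0.113.7 GET /news
2023-09-10T10:02:01 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:02:59 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:03:13 192.0.2.21 203.0.113.7 GET /news/item1
2023-09-10T10:04:00 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:05:00 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:06:01 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:07:00 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:07:01 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:07:02 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:07:03 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:07:04 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:07:05 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:07:06 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:07:07 192.0.2.22 198.51.100.9 POST /submit.php
2023-09-10T10:08:00 192.0.2.20 198.51.100.5 GET /updates.rss
2023-09-10T10:09:40 192.0.2.21 203.0.113.7 GET /news/item2
2023-09-10T10:12:05 192.0.2.21 203.0.113.7 GET /about
2023-09-10T10:12:06 192.0.2.21 203.0.113.7 GET /contact
2023-09-10T10:19:30 192.0.2.21 203.0.113.7 GET /
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_hits=6, max_cv=0.2):
    """Return {(src, dst): {"hits", "mean_gap", "cv"}} for pairs whose
    inter-request gaps are regular enough to look like a fixed sleep.
    cv is the coefficient of variation (std dev / mean) of the gaps."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # avg == 0 means several requests within one second: a sleep-0 beacon
        # polling continuously, which counts as maximally regular.
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            flagged[pair] = {"hits": len(stamps), "mean_gap": round(avg, 2), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['hits']} hits, mean gap {info['mean_gap']}s, cv {info['cv']}")
```

Cobalt Strike's jitter setting randomises the sleep, which raises the coefficient of variation, so the threshold has to be tuned per environment and the check combined with other signals (destination reputation, URI patterns, request volume) rather than used alone.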

7. Summary

This article, following the previous one on remote control of a mobile phone Trojan, is the hands-on practice of building a phishing website and using a Trojan file for post-exploitation. During the practice I ran into the CS tool not opening, and also into the generated Trojan file not being movable out of the root folder. Admittedly I still lack practical experience, but after hitting a problem I can always analyse it calmly and take the initiative to solve it. I am very glad I have this ability and I do not like depending on others: although you can ask others for help with a problem, if you can solve it yourself it is better to take the initiative and do so.

A word a day

A person's entire life is a process of self-improvement.

If my study notes are useful to you, please like and save them. Thank you for your support. You are also welcome to give me suggestions or fill in the gaps in the notes; it would be a great help to my studies. Thank you.

Origin blog.csdn.net/weixin_72543266/article/details/132789213