Matt Graeber: @mattifestation
Will Schroeder: @harmj0y
how are you?
Let’s go start to prepare the armitage teamserver…What’s? Armitage is to old? You don’t like hacking via GUI?
Is Armitage only a metasploit GUI ? Are you sure? In my idea, Armitage is the way for create a collaborative metasploit platform for starting pentesting e redteaming operation sharing the shells gained via some type of attack…(server side exploits, client side exploits, malware, now this is not very interesting…) If you don’t like this approach…no problem, see you later for the next article: “EC2 collaboration in Empire”, instead, for those who are interested, let’s start:
We can use the Kali EC2 machine created in part 1a, if you don’t have built the machine, you can watch the video now.
After logon via SSH to your EC2 machine, you must change directory and go to armitage root directory
sudo /bin/bash cd /usr/share/armitage
root@kali:/usr/share/armitage# ./teamserver [*] You must provide: <external IP address> <team password> <external IP address> must be reachable by Armitage clients on port 55553 <team password> is a shared password your team uses to authenticate to the Armitage team server
Now we can start the teamserver with the public IP address of our EC2 machine and one password for securing the connection:
./teamserver 22.214.171.124 Passw0rd
In this case we get an error because the database is not initialized, you can initialize the DB with:
After initializing the DB I can try to start my teamserver again:
./teamserver 126.96.36.199 Passw0rd
wonderful, it’s working, now let’s go to start the armitage client, for do this I’m using another kali machine, but in this case is a local machine, the steps are pretty similar to the previous:
The server send you the fingerprinting, if they match you can press yes
and you can choose your nickname…
and voilà, the armitage console is ready for your operation.
For now is all.
Happy hacking and stay tuned
today we’re going to install CobaltStrike Teamserver on our previously installed EC2 Kali machine, after this step, all our team members can connect to it and we can share all compromised machines, remember, as already mentioned in the previous article, in real world operation, normally we have several teamserver machines.
For the installation of CobaltStrike Team Server on EC2 linux machine we can start watching the good video of Raphael Mudge @armitagehacker
At this point I can stop writing my article… 🙂
Raphael’s clip is still very good,but it’s based on an old version of CobaltStrike, so (I’m sorry for you) you’ll have to keep reading my article…
The first step is to get the link to download the tar file, for do this we can go at the URL : https://www.cobaltstrike.com/download
Then click on Accept and after on Linux(.tgz), now if you right click on “Download COBALT STRIKE now!” and choose Copy link address (something like https://www.cobaltstrike.com/downloads/81212b015cd9ae028a769c76a38110e3/cobaltstrike-trial.tgz), At this point we are ready to download the installer on our EC2 machine without GUI.
Log on to your kali machine with your favorite ssh client,
Prior to download the file,I usually prefer to create a folder where I put all my installers,then let’s try to install CobaltStrike in a linux shell :
sudo /bin/bash mkdir /CobaltStrike mkdir /CobaltStrike/Install cd /CobaltStrike/Install wget (paste the URL here with shift+ins) https://www.cobaltstrike.com/downloads/81212b015cd9ae028a769c76a38110e3/cobaltstrike-trial.tgz tar zxvf cobaltstrike-trial.tgz mv cobaltstrike ../ cd ../cobaltstrike
Now you must verify if the java version is the correct one:
java -version javac -version
If so, you can start the teamserver now, otherwise you must upgrade java, depending on the type of virtual machine that you have installed (I talk about recent kali linux machine, but your machine can be different) you can upgrade java in different ways, you can watch this interesting article : http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
these are the recommended commands for debian:
su - echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886 apt-get update apt-get install oracle-java8-installer exit
if you want to set Oracle Java 8 as default:
sudo apt-get install oracle-java8-set-default
another way to install java can be:
sudo update-java-alternatives -s java-8-oracle
Remember : It’s not recommended to use OpenJDK in combination with Cobalt Strike on Kali Linux Rolling.
Now we just have to start the teamserver:
./teamserver XX.XX.XX.XX somepassword where XX.XX.XX.XX is the IP address of your EC2 instance (external IP, do not use ifconfig) and somepassword is the password that the team will use to join the teamserver
Now we can connect to this teamserver with the cobaltstrike client.
If you don’t have, no problem, now I will tell you how to do:
For client installation, you simply need to extract the same file downloaded for the teamserver and run ./cobaltstrike
You can fill the field with your IP, port, your username and the password used for starting the teamserver
For demo purpose we can use a trial license, but this license is not enought per the real world, because, as Raphael says : The Cobalt Strike 3.0 trial is the full Cobalt Strike product with one [significant] difference. The Cobalt Strike 3.0 trial inserts several “tells” to get caught by standard security products. This change is made possible by Cobalt Strike’s flexibility to change its indicators and artifacts.
If you have a valid commercial license you can just run the ./update command in your teamserver and put your code onto the consolle.
It is not recommended to install a mixed client/server environment with a trial and commercial license,so, go ahead with only one.
Tips : if you want the session persists after closing the ssh terminal , you must use the “screen” command prior to start the teamserver.
For more info : https://www.cobaltstrike.com/help-install
The full CobaltStrike manual is at https://www.cobaltstrike.com/downloads/csmanual36.pdf
For now is all.
Happy hacking and stay tuned
If you missed the first part: http://s0ftwargs.com/blog/2017/01/19/building-a-colla…mazon-ec2-part-1/
For real Red Team Operation we need a complex cloud Infrastructure, in real world the Teamserver machine can have various roles or tier, but this is beyond the scope of this article, for more information you can watch the video of Raphael Mudge @armitagehacker at https://www.youtube.com/watch?v=3gBJOJb8Oi0.
In this three videos we’ll try to build a simple EC2 machine with installed Armitage Teamserver and CobaltStrike teamserver which we will use as needed.
In real world scenarios the EC2 platform is a very clever choice for its scalability, for its bandwidth, because is on-demand and with reasonable costs. We must also consider that the real attackers will use a solution like this, so if we want to emulate the behavior of an attacker we will, in our turn, use cloud platforms. Even the functionality of teamserver usable thanks to the cloud from anywhere, are a convenience for the whole team.
The first step is to create an account on http://aws.amazon.com
This is not an article for script kiddies, we will use one of our real e-mail address and our real credit card number. (If you already have, you can use your Amazon Ec2 account)
We can choose from any VM linux, but for our job I would choose a Kali VM .
After create the new account (or after log in with your existing account) click on AWS services and click on EC2
Now choose instances and Launch instance
If you want to create a Kali Machine, you can’t choose quick start, you must choose AWS Marketplace
and write “kali” in the search field.
Click on select
Now we can choose the machine type, if you want to take advantage of a free tier machine, you must select t2.micro machine, choose the machine and then click Review and Launch, now we can create a new security group, and ssh is the default opened port, but for red teaming operation we need more ports to be opened, if you’d like,you could open all ports (All traffic – all protocol – all port range – all source, not reccomended in production environment ) or only few ports (for example http80, https443, dns53 and TCP 55553 for Armitage Deconfliction Server), for demo purpose we open “any-any-any-permit”
now click on Review and Launch (and the launch, if necessary), at this point,if you already have a key pair,you can just use it,otherwise you can create a new one (it’s very important to save and backup your key pair, if you loose the key, you can’t log on again on your instance)
flag the acknowledgement and then click launch instance
if you click on the instance id you can view your instance list and you can manage y our instance
If you want you can get a new name for your instance or edit the zone where put your instance, for this demo, this details can’t be relevant.
Before installing CobaltStrike you can log on your kali machine with any ssh client, if you are using windows you can download putty.
If your ssh client use .ppk key, you need to convert the .pem certificate, you can follow the official AWS guide at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
The hostname is something like that : firstname.lastname@example.org where 00-00-00-00 is your real IP. Now you can update and upgrade you linux box with :
sudo apt-get update && sudo apt-get upgrade
For today is all.