Tales of a Red Teamer: How to setup a C2 infrastructure for Cobalt Strike – UB 2018

This past weekend, I had the pleasure of red teaming at University of Buffalo’s competition called Lockdown. It was a great competition and I had a lot of fun learning new red team tools and challenging the blue teamers on Windows. This blog post will focus on my C2 infrastructure setup for Cobalt Strike. I did a similar post last semester with PowerShell Empire, which can be found here.

DISCLAIMER

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises. 

DISCLAIMER

Breakdown of DNS beacons

For tasking, the beacon queries names under dns.<domain>. The victim's resolver follows Cloudflare's NS delegation for dns.<domain> to ns1.<domain>, whose A record points at the EC2 teamserver, so the teamserver's DNS listener receives the queries and encodes tasks in the answers. Until the beacon is switched to DNS-only mode it sends results back over HTTP to <domain>, which the @ A record points at the same host (see the traffic analysis section below).

Create AWS resource

Create EC2 Cobalt Strike teamserver

  1. Select “EC2” from the list of services
  2. Select “Launch instance”
  3. Step 1: Choose an Amazon Machine Image (AMI)
    1. Select “Ubuntu Server 16.04 LTS (HVM), SSD Volume Type”
  4. Step 2: Choose an Instance Type
    1. Select “t2.medium”
    2. Select “Configure Instance Details”
  5. Step 3: Configure Instance Details
    1. Select “default” for network
    2. Select “No preference” for Subnet
    3. Select “Enable” for “Auto-assign Public IP”
    4. Select “Next: Add storage”
  6. Step 4: Add Storage
    1. Enter “20” for “Size (GiB)”
    2. Select “Add tags”
  7. Step 5: Add tags
    1. Select “Add tag”
    2. Enter “Name” for key
    3. Enter “Redteam-teamserver” for value
    4. Select “Configure Security Group”
  8. Step 6: Configure Security Group
    1. Enter “Redteam-teamserver” for security group name
    2. For the SSH rule enter YOUR public IP for source
      1. My school has a public IP range, which I will use
    3. Select “Add rule”
      1. Set type to “HTTP”
      2. Enter “0.0.0.0/0” for source
    4. Select “Add rule”
      1. Set type to “DNS”
      2. Enter “0.0.0.0/0” for source
    5. Note: the Cobalt Strike client (below) connects to the teamserver on TCP/50050, so also add a “Custom TCP” rule for port 50050 with YOUR public IP as the source. Never open 22 or 50050 to 0.0.0.0/0; only the beacon-facing ports (80 and 53/udp) need to be reachable from anywhere.
    6. Select “Review and Launch”
  9. Step 7: Review Instance Launch
    1. Select Launch
    2. For the Key pair select “existing key pair” or “new key pair”
      1. Select “Launch instance”
  10. Select “View instances”
  11. Wait for new instance to initialize completely
    1. The “Status checks” column should be “2/2 checks passed”
  12. Copy the “IPv4 Public IP” for the new instance
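The same security group and instance can be built with boto3 instead of clicking through the console. This is an added example, not code from the original post: the AMI ID, key pair name and operator CIDR are placeholders, and the `exposed_admin_ports` check is my own guard so that SSH and the teamserver port can never be created world-open.

```python
"""Reproduce the EC2 console steps with boto3 (added example, not from the original post).

Assumptions (not in the original): OPERATOR_CIDR, the AMI ID and the key pair
name below are placeholders; the region comes from the environment's AWS config.
"""
from __future__ import annotations

OPERATOR_CIDR = "203.0.113.0/24"   # assumed: your own public IP range (TEST-NET-3 placeholder)
ANYWHERE = "0.0.0.0/0"

# Ports that only the operator should ever be able to reach.
ADMIN_PORTS = {("tcp", 22), ("tcp", 50050)}


def security_group_permissions(operator_cidr: str) -> list[dict]:
    """Build the IpPermissions list for the Redteam-teamserver security group.

    Mirrors the console rules (SSH from the operator only, HTTP and DNS from
    anywhere) and adds TCP/50050 from the operator so the Cobalt Strike client
    can reach the teamserver.
    """
    def rule(proto: str, port: int, cidr: str, desc: str) -> dict:
        return {
            "IpProtocol": proto,
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": desc}],
        }

    return [
        rule("tcp", 22, operator_cidr, "SSH from operator"),
        rule("tcp", 50050, operator_cidr, "Cobalt Strike client from operator"),
        rule("tcp", 80, ANYWHERE, "HTTP stager / beacon traffic"),
        rule("udp", 53, ANYWHERE, "DNS beacon traffic"),
    ]


def exposed_admin_ports(permissions: list[dict]) -> list[tuple[str, int]]:
    """Return admin ports that any rule opens to 0.0.0.0/0 (should be empty)."""
    bad = []
    for p in permissions:
        key = (p["IpProtocol"], p["FromPort"])
        if key in ADMIN_PORTS and any(r["CidrIp"] == ANYWHERE for r in p["IpRanges"]):
            bad.append(key)
    return bad


def launch_teamserver(ami_id: str, key_name: str, operator_cidr: str = OPERATOR_CIDR) -> str:
    """Create the security group and launch a t2.medium with a 20 GiB root volume.

    Returns the instance's public IPv4 address. Needs AWS credentials; boto3 is
    imported here so the pure helpers above run without it.
    """
    import boto3  # assumed to be installed in the operator's environment

    perms = security_group_permissions(operator_cidr)
    if exposed_admin_ports(perms):
        raise ValueError("refusing to create a security group that exposes admin ports")

    ec2 = boto3.client("ec2")
    sg_id = ec2.create_security_group(
        GroupName="Redteam-teamserver", Description="Cobalt Strike teamserver"
    )["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)

    resp = ec2.run_instances(
        ImageId=ami_id,                       # placeholder: the Ubuntu AMI chosen above
        InstanceType="t2.medium",
        KeyName=key_name,
        MinCount=1,
        MaxCount=1,
        SecurityGroupIds=[sg_id],
        BlockDeviceMappings=[{"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": 20}}],
        TagSpecifications=[{"ResourceType": "instance",
                            "Tags": [{"Key": "Name", "Value": "Redteam-teamserver"}]}],
    )
    instance_id = resp["Instances"][0]["InstanceId"]
    # Equivalent of waiting for "2/2 checks passed" in the console.
    ec2.get_waiter("instance_status_ok").wait(InstanceIds=[instance_id])
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    return desc["Reservations"][0]["Instances"][0]["PublicIpAddress"]


if __name__ == "__main__":
    print(launch_teamserver(ami_id="ami-xxxxxxxx", key_name="redteam-key"))
```

The public IP the script prints is the value the Cloudflare A records below need. If you later change `OPERATOR_CIDR` to something broad, `launch_teamserver` refuses to run rather than silently exposing 22 and 50050.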

Setup/Configure Cloudflare for DNS beacons

Create A record for teamserver

  1. Browse to https://www.cloudflare.com and login
  2. Select the domain you wish to use
  3. Select “DNS” at the top
  4. Adding DNS A record
    1. Select “A” from dropdown for type
    2. Enter “@” for name
    3. Enter “<Public IP addr of EC2>” for the IPv4 address
    4. Select “5 min” for TTL
    5. Deselect the orange cloud to make it grey (DNS only, not proxied, so the record returns the EC2 IP rather than a Cloudflare edge address)
    6. Select “Add record”

Create A record for DNS beacon

  1. Adding DNS A record
    1. Select “A” from dropdown for type
    2. Enter “ns1” for name
    3. Enter “<Public IP addr of EC2>” for the IPv4 address
    4. Select “5 min” for TTL
    5. Deselect the orange cloud to make it grey (DNS only; a proxied record would break the delegation below)
    6. Select “Add Record”

Create NS record for DNS beacon

  1. Adding DNS NS record (this delegates dns.<domain> to ns1.<domain>, i.e. to the teamserver)
    1. Select “NS” from dropdown for type
    2. Enter “dns” for name
    3. Enter “ns1.<domain>” for name server
    4. Select “5 min” for TTL
    5. Select “Add Record”

Final record set

  A   @     <Public IP addr of EC2>   TTL 5 min, DNS only
  A   ns1   <Public IP addr of EC2>   TTL 5 min, DNS only
  NS  dns   ns1.<domain>              TTL 5 min
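Before starting the teamserver it is worth confirming that the delegation actually resolves the way the three records intend. The script below is an added example, not part of the original post; it builds and parses raw DNS packets with the standard library only, so it works on any box without dnspython. `DOMAIN`, `TEAMSERVER_IP` and the `probe.` label are placeholders I chose; the claim that an idle Cobalt Strike DNS listener answers A queries with 0.0.0.0 reflects the default `dns_idle` value, which a Malleable C2 profile can change.

```python
"""Walk the Cloudflare delegation chain with raw DNS packets (added example, not from
the original post). Standard library only.

Assumed placeholders (not in the original): DOMAIN and TEAMSERVER_IP.
"""
from __future__ import annotations

import random
import socket
import struct

DOMAIN = "example.com"            # assumed: the Cloudflare zone used above
TEAMSERVER_IP = "198.51.100.10"   # assumed: the EC2 public IP (TEST-NET-2 placeholder)

QTYPE = {"A": 1, "NS": 2}
TYPE_NAME = {1: "A", 2: "NS"}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Encode a single-question DNS query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def _read_name(data: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(data: bytes, txid: int) -> list[tuple[str, str, str]]:
    """Return the answer section as (name, type, rdata) tuples.

    Raises ValueError if the transaction ID does not match or RCODE is non-zero.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(data[off:off + 4])
        elif rtype == 2:
            rdata, _ = _read_name(data, off)
        else:
            rdata = data[off:off + rdlen].hex()
        answers.append((name, TYPE_NAME.get(rtype, str(rtype)), rdata))
        off += rdlen
    return answers


def resolve(name: str, qtype: str, server: str, timeout: float = 3.0) -> list[tuple[str, str, str]]:
    """Send one UDP query to `server` on port 53 and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def check_delegation(domain: str = DOMAIN, teamserver_ip: str = TEAMSERVER_IP,
                     resolver: str = "1.1.1.1") -> list[tuple[str, str, str]]:
    """NS for dns.<domain> -> A for ns1.<domain> -> ask the teamserver directly."""
    ns = [r for _, t, r in resolve(f"dns.{domain}", "NS", resolver) if t == "NS"]
    if f"ns1.{domain}" not in ns:
        raise RuntimeError(f"dns.{domain} is not delegated to ns1.{domain}: {ns}")
    glue = [r for _, t, r in resolve(f"ns1.{domain}", "A", resolver) if t == "A"]
    if teamserver_ip not in glue:
        raise RuntimeError(f"ns1.{domain} does not point at the teamserver: {glue}")
    # With a DNS listener running, the teamserver answers A queries under the
    # delegated name with its dns_idle address (0.0.0.0 by default).
    return resolve(f"probe.dns.{domain}", "A", teamserver_ip)


if __name__ == "__main__":
    print("teamserver answered:", check_delegation())
```

Run it once after the Cloudflare records propagate and again after the DNS listener is up: the first two checks need only the records, the final direct query needs the teamserver bound on UDP/53 and the security group rule for DNS.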

Install/Setup Cobalt Strike on Ubuntu Server

Disable systemd-resolved (Ubuntu 18.04 ONLY; its stub listener on port 53 would stop the teamserver from binding UDP/53 for the DNS listener. The 16.04 AMI chosen above does not need this.)

  1. sudo systemctl disable systemd-resolved
  2. sudo systemctl stop systemd-resolved
  3. sudo rm /etc/resolv.conf
  4. echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
  5. echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf

Install/Setup Java JDK

  1. ssh -i <keypair>.pem ubuntu@<public IP addr of EC2>
  2. sudo add-apt-repository ppa:webupd8team/java
  3. sudo apt update -y
  4. sudo apt install oracle-java8-installer ca-certificates oracle-java8-set-default -y
    1. The webupd8team PPA has since been discontinued; on a current Ubuntu use the distribution's Java 8 package (openjdk-8-jdk) or Oracle's own download instead

Start Cobalt Strike teamserver

  1. cd /opt && unzip cobaltstrike.zip && cd cobaltstrike
  2. sudo ./teamserver <public IP addr of EC2> <password teamserver>
    1. Run it as root (or under screen/tmux as root) so the listeners can bind the privileged ports 80 and 53

Configure firewall

  1. sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw allow 8080/tcp
    sudo ufw allow 50050/tcp
    sudo ufw allow 53/udp
    sudo ufw allow 5353/udp
  2. sudo ufw enable
    1. Add the allow rules before enabling so you do not lock yourself out of SSH
    2. The AWS security group must open the same ports (80 and 53/udp to the world, 22 and 50050 only to your IP), otherwise the host firewall rules have no effect

Setup/Configure Cobalt Strike

Connecting to teamserver with Cobalt Strike

  1. ./cobaltstrike (run the Cobalt Strike client on your own workstation, not on the EC2 instance)
    1. Enter “<public IP addr of EC2>” for Host
    2. Enter “50050” for Port
      1. Default port
    3. Enter “<username>” for User
    4. Enter “<teamserver password from above ^^^^>” for Password
    5. Select “Connect”

Create a DNS listener

  1. Select “Cobalt Strike” in the top left then “Listeners”
    1. A new tab called “Listeners” will be created in the pane below
  2. Select “Add” under the “Listeners” tab
    1. Enter “<domain>-listener” for name
    2. Select “windows/beacon_dns/reverse_http” for Payload
    3. Enter “<domain>” for Host
    4. Enter 80 for Port
    5. Select “Save”
  3. Input
    1. Enter the DNS host(s) the beacon will query, comma-separated: this is the delegated name from the NS record above, dns.<domain>
    2. Select “ok”

Generate PowerShell web drive-by

  1. Select “Attacks” > “Web Drive-by” > “Scripted Web Delivery”
    1. Enter “/<custom URI>” for URI path
    2. Enter “<domain>” for local host
    3. Leave default port alone
    4. Select “<domain>-listener” for Listener
    5. Select “PowerShell”
    6. Select “Launch”
    7. Copy the one-liner generated by Cobalt Strike

Hammer time

Initial compromise of Windows machine

  1. Spin up a Windows VM
  2. Disable Windows Defender
  3. Open a Powershell prompt as Administrator
  4. Paste text from above
  5. Wait for call back in Cobalt Strike

Registering and interacting with agent

As you can see, the agent initially called back to Cobalt Strike, but in its current state you can’t interact with it. The agent calls back every 60 seconds, and it will take a couple of minutes for the agent to be fully downloaded and registered on the host. To speed up the process, you may do the following:

  1. Right-click the <new agent>, go to “Session”, and then select “Sleep”
  2. Enter “0”
    1. This sets the beacon interval to as fast as possible (fine in a lab; in a real engagement this is the noisiest possible setting)
  3. Wait for the current 60-second sleep cycle to finish
  4. Right-click the agent and select “Interact”

Traffic analysis

Wireshark analysis

If you open Wireshark on the infected Windows host you will see the beacon’s DNS queries. However, if you enter “ps” into the agent console, the beacon will report the process list using HTTP, as seen in the photo below.

  1. Enter “ps” into the agent console

The screenshot below shows the agent requesting new tasks via DNS. However, the agent returns the results of the task via HTTP to Cobalt Strike.

Converting the agent from HTTP to DNS only

  1. Enter “mode dns” into the agent console
  2. Enter “ps” into agent console

The screenshot below shows the agent requesting new tasks via DNS. The beacon receives the process list and returns the result via DNS to Cobalt Strike.
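For the blue team, the pattern in those captures is the detection opportunity: one client querying a stream of never-repeating labels under one parent zone, on a fixed cadence, and getting the same idle answer back. The script below is an added example, not from the original post. The log lines and their "<epoch> <client> <qname> <qtype> <answer>" format are constructed for the example, the thresholds are assumptions to tune against your own baseline, and the 0.0.0.0 idle answer is Cobalt Strike's default `dns_idle`, which a Malleable C2 profile can change, so treat it as one signal among several rather than a signature.

```python
"""Heuristic DNS beacon detector over DNS query logs (added example, not from the
original post). The log below is constructed; its format is an assumption.
"""
from __future__ import annotations

import math
import statistics
from collections import defaultdict

# Constructed sample: one client, two benign zones, and one zone that looks like
# a DNS beacon checking in every 60 seconds with a fresh label each time.
SAMPLE_LOG = """\
1523000000 10.0.0.5 api.github.com A 140.82.113.6
1523000001 10.0.0.5 7a1f3c9e02.dns.example.com A 0.0.0.0
1523000003 10.0.0.5 www.example.org A 93.184.216.34
1523000061 10.0.0.5 b4d0e88a11.dns.example.com A 0.0.0.0
1523000090 10.0.0.5 api.github.com A 140.82.113.6
1523000121 10.0.0.5 c9e2f7d043.dns.example.com A 0.0.0.0
1523000181 10.0.0.5 0d5a6b1c97.dns.example.com A 0.0.0.0
1523000200 10.0.0.5 cdn.example.org A 93.184.216.34
1523000241 10.0.0.5 e3b9a0c245.dns.example.com A 0.0.0.0
1523000301 10.0.0.5 f18d4e7a36.dns.example.com A 0.0.0.0
"""

# Thresholds are assumptions for this example; tune them against your baseline.
MIN_UNIQUE_LABELS = 5     # distinct leftmost labels seen under one parent zone
MIN_IDLE_FRACTION = 0.5   # share of A answers equal to the default dns_idle address
IDLE_ANSWER = "0.0.0.0"


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer = line.split()
        rows.append({"ts": int(ts), "client": client,
                     "qname": qname.lower().rstrip("."), "qtype": qtype, "answer": answer})
    return rows


def profile_zones(rows: list[dict]) -> dict[tuple[str, str], dict]:
    """Group A queries by (client, parent zone) and summarise label churn, idle
    answers and query cadence for each group."""
    per_zone: dict[tuple[str, str], list] = defaultdict(list)
    for r in rows:
        if r["qtype"] != "A":
            continue
        label, _, parent = r["qname"].partition(".")
        if not parent:
            continue
        per_zone[(r["client"], parent)].append((r["ts"], label, r["answer"]))

    profiles = {}
    for key, events in per_zone.items():
        events.sort()
        timestamps = [ts for ts, _, _ in events]
        labels = {lbl for _, lbl, _ in events}
        idle = sum(1 for _, _, ans in events if ans == IDLE_ANSWER)
        gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
        profiles[key] = {
            "queries": len(events),
            "unique_labels": len(labels),
            "mean_label_entropy": statistics.mean(shannon_entropy(l) for l in labels),
            "idle_fraction": idle / len(events),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return profiles


def flag_beacon_zones(profiles: dict[tuple[str, str], dict]) -> list[tuple[str, str]]:
    """Return (client, zone) pairs whose profile looks like DNS beacon check-ins."""
    return sorted(key for key, p in profiles.items()
                  if p["unique_labels"] >= MIN_UNIQUE_LABELS
                  and p["idle_fraction"] >= MIN_IDLE_FRACTION)


if __name__ == "__main__":
    profiles = profile_zones(parse_log(SAMPLE_LOG))
    for key in flag_beacon_zones(profiles):
        print(key, profiles[key])
```

Note what this does and does not see: in the hybrid state shown above, only the check-ins cross DNS and the task output leaves over HTTP to <domain>, so the DNS side shows a steady trickle of idle answers rather than bulk data. After `mode dns` the label churn and query volume under the zone jump, because results are now being carried in the queries themselves.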

What and why?!?!!?!?!

You may be asking yourself, I thought we selected the “beacon_dns” listener?!?! Well, we actually selected the “beacon_dns/reverse_http” listener. This may be confusing but let me explain. HTTP allows for a quicker initial compromise of the host because a single HTTP response can carry the whole payload, whereas each DNS answer carries only a few bytes.

Downloading the Cobalt Strike agent via DNS will take roughly 3,000 requests and can take up to 5 mins for the agent to fully register. The quickest way to initially compromise a host is to use HTTP to download the agent. Once the agent is fully registered, we can switch the C2 channel to DNS with “mode dns”. This process is shown in the photo below. More information on this process can be found here.

Takeaway for Blue teamers

I have been doing Red vs. Blue competitions since my freshman year (5 years). Being a Blue teamer can be overwhelming, challenging, difficult, stressful, and incredibly complex. Our job as Red teamers is to create an environment that challenges Blue teamers to learn new things, to create unique solutions to problems that arise, and to create stress through various Red team activities. I know that last part may sound terrible, but handling stress is a good avenue to help mature and polish your skills. In the real world, when breaches occur, you need to keep cool, calm, and collected to handle the incident in an appropriate and timely manner. One way to know how you will react to a real-world situation is to participate in these competitions. Alex Levinson, a National CCDC Red teamer, says it best: “You can’t buy experience. It must be earned through sweat, tears, and many sleepless nights.”

During these competitions, you will fail and that is OKAY, but make a list and when you go home, improve upon where you fell short. This is a continuous cycle that I do after EVERY competition. As a Red teamer, I really want you to KICK ME OUT OF YOUR BOX! I will do everything to STOP that from happening, but I genuinely want you to succeed!

Finally, team morale is a HUGE factor that usually dictates whether a team will win or not. The teams that have good morale will typically win, but not in all cases. The RIT CCDC team that I competed with loved singing Taylor Swift, and when the stress levels were high, we would start singing TSwizzle to reduce the stress. I encourage all teams to do something similar, heck, have corny jokes on hand – everyone loves dad jokes. How you and your team handle the stress may be the factor that makes you the winning team or the losing team. As a last and final note, if you walk away learning something YOU ARE A WINNER. Competitions are a place to LEARN and a place to MAKE MISTAKES that won’t impact the lives of others, unlike the real world.
