Beaconpire - Cobalt Strike and Empire Interoperability with Aggressor Script

Tester flexibility and the ability to adapt to each environment’s unique controls and technologies is critical on assessments. Achieving an assessment’s objective often requires the use of multiple toolsets. Justin Warner (@sixdub) wrote about the importance of tool diversity in his post Empire & Tool Diversity: Integration is Key. Two toolsets I frequently use are Cobalt Strike and Empire. Sometimes, an assessment requires migrating from one toolset to another for a specific task or, worse, if incident responders block your primary toolset. Currently, the most efficient way to pass sessions from one toolset to another is to use an existing session to run a payload for the target toolset. For example, passing a Beacon to Empire requires the tester to start an Empire... [Read More]

Black Magic Parsing with Regular Expressions - Parsing for Pentesters

In a previous post, @Sw4mp_f0x and I discussed the importance of data parsing skills for penetration testers and detailed the basics of how to get started with it. In that post we covered multiple ways to match text and search for specific strings. The examples we used were pretty straightforward, which is not always true to life. In this post we will cover more advanced pattern matching with regular expressions, giving you even greater control and flexibility over your parsing tools. Regular Expressions A regular expression, often referred to as regex, uses metacharacters, wildcards, and literal characters to define patterns that can be used with a wide range of Unix and Windows tools. Sounds simple, right? Regular expressions can prove to be... [Read More]

Adding Easy GUIs to Aggressor Scripts

As pentesters and red teamers, we have lots of commands floating around in our head. As much as the 1337 profess to hate GUIs, they sure do make testing a lot easier. Cobalt Strike provides testers a lot of power with an easy-to-use interface. Aggressor Script offers a wealth of extensibility options to expand Cobalt Strike’s built-in functions, but building out a custom GUI is a bit more difficult. Intro Cobalt Strike’s Aggressor Script is built upon Raphael Mudge’s Sleep language. As Raphael says, “Sleep is a Java-based scripting language heavily inspired by Perl,” and it includes the ability to create and access Java objects while still being an interpreted script. This means we can use a Java IDE with... [Read More]

Finding Diamonds in the Rough- Parsing for Pentesters

Parsing data is a fundamental ability that anyone serious about information security should consider putting time and effort into understanding. It can mean the difference between spamming Ctrl+F in a text editor and pulling out exactly what you need with a Bash one-liner that took a couple of minutes to create and modify. In the long run, the initial investment pays dividends for the rest of your infosec career. In this post, and those that follow we will walk you through the tools and techniques we have used to find what we need when sifting through large amounts of data. This will be done using a Bash terminal from the perspective of a penetration tester, but the information translates to other infosec or IT ops... [Read More]

Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite

Imagine you are performing a Red Team engagement. So far it’s been very hard, fighting tooth and nail to get each step closer to totally owning their network. You finally get internal network access and things are stable. Everything looks good on your end, but on the Blue side of things IT is taking notice of traffic flowing to an unknown domain. A curious IT worker opens their browser and navigates to the site. 404 error. Suspicion++. Five minutes later your Beacons become unresponsive. You’re blocked. Now you have to spin up some new infrastructure and get in again. I am willing to bet we’ve all been in a similar situation at least once. One way we can reduce the risk of being caught is... [Read More]