SSH Sessions

Cobalt Strike's SSH client speaks the SMB Beacon protocol and implements a sub-set of Beacon's commands and functions. From the perspective of Aggressor Script, an SSH session is a Beacon session with fewer commands.

What type of session is it?

Much like Beacon sessions, SSH sessions have an ID. Cobalt Strike associates tasks and metadata with this ID. The &beacons function will also return information about all Cobalt Strike sessions (SSH sessions AND Beacon sessions). Use the -isssh predicate to test if a session is an SSH session. The -isbeacon predicate tests if a session is a Beacon session.

Here's a function to filter &beacons to SSH sessions only:

sub ssh_sessions {
   return map({
      if (-isssh $1['id']) {
         return $1;
      }
      else {
         return $null;
      }
   }, beacons());
}

Aliases

You may add commands to the SSH console with the ssh_alias keyword. Here's a script to alias hashdump to grab /etc/shadow if you're an admin.

ssh_alias hashdump {
   if (-isadmin $1) {
      bshell($1, "cat /etc/shadow");
   }
   else {
      berror($1, "You're (probably) not an admin");
   }
}

Put the above into a script, load it into Cobalt Strike, and type hashdump inside of an SSH console. Cobalt Strike will tab complete SSH aliases too.

You may also use the &ssh_alias function to define an SSH alias.

Cobalt Strike passes the following arguments to an alias: $0 is the alias name and arguments without any parsing. $1 is the ID of the session the alias was typed from. The arguments $2 and on contain an individual argument passed to the alias. The alias parser splits arguments by spaces. Users may use "double quotes" to group words into one argument.

You may also register your aliases with the SSH console's help system. Use &ssh_command_register to register a command.

Reacting to new SSH Sessions

Aggressor Scripts may react to new SSH sessions too. Use the ssh_initial event to setup commands that should run when a SSH session becomes available.

on ssh_initial {
   # do some stuff
}

The $1 argument to ssh_initial is the ID of the new session.

Popup Menus

You may also add on to the SSH popup menu. The ssh popup hook lets you add items to the SSH menu. The argument to the SSH popup menu is an array of selected session IDs.

popup ssh {
   item "Run All..." {
      prompt_text("Which command to run?", "w", lambda({
         binput(@ids, "shell $1");
         bshell(@ids, $1);
      }, @ids => $1));
   }
}

You'll notice that this example is very similar to the example used in the Beacon chapter. For example, I use &binput to publish input to the SSH console. I use &bshell to task the SSH session to run a command. This is all correct. Remember, internally, an SSH session is a Beacon session as far as most of Cobalt Strike/Aggressor Script is concerned.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
4.9 | 202312200338 | December 2023