Clients (like Armitage) interface with the Metasploit Framework through its Remote API. The Remote API is a way for clients to call functions in the Metasploit Framework’s RPC server. To pass different data types to/from the Metasploit Framework, clients use the MessagePack object serialization format. Because clients may interface with the Metasploit Framework in this […]
Beacon – An Operator’s Guide
Beacon is a payload in Cobalt Strike that has a lot of communication flexibility. This blog post is not a replacement for the documentation, but rather a guide to how I use it. Reading this post will help you get the most out of Beacon during your operations. Setup To use Beacon, you must first create a […]
How to Inject Shellcode from Java
Cobalt Strike’s Java Applet attacks inject shellcode into memory. Injecting into memory is valuable as it helps get past application whitelisting and can help evade anti-virus as well. There are several approaches to inject shellcode into memory from Java. One approach is to drop syringe and call it with your shellcode. If syringe or your […]
Armitage and Cobalt Strike 1.47 Released
Armitage and Cobalt Strike 1.47 are now available. This release improves many aspects of the workflow in both Armitage and Cobalt Strike. Here are some of the highlights. Beacon Type ‘meterpreter’ in a Beacon console to spawn a Meterpreter session and tunnel it through your Beacon in one fell swoop. This gives you the power […]
Phishing System Profiles without Phone Calls
What type of reconnaissance do you do before a phishing attack? Recently, I was having dinner with new friends and inevitably, our conversation became a war story swap. One person started telling funny stories about calling help desk staff, trying to social engineer system information from them. I’m a lousy social engineer. When I was […]
Why is notepad.exe connecting to the internet?
To the observant network defender, notepad.exe connecting to the internet is a key indicator of compromise. In this blog post, I’d like to explain why attack frameworks inject code into notepad.exe and how you may avoid it in your attack process. Let’s say I email a Microsoft Word document that has a malicious macro to […]
Situational Awareness for Meterpreter Users
Hacking involves managing a lot of contextual factors at one time. Most times, the default situation works and a tool will perform beautifully for you. Sometimes though, there are things you have to check on and work around. That’s what this blog post is. I’d like to give you a list of contextual factors you […]
The Origin of Armitage’s Hail Mary Mass Exploitation Feature
Several times now, an author has introduced Armitage, and the main value add to the hacking process that they emphasize is the “devastating” Hail Mary attack. I’m most proud of Armitage’s red team collaboration capability–it’s why I built the tool in the first place. The Hail Mary attack? Meh. That said, I’d like to share with you […]
Hacking through a Straw (Pivoting over DNS)
Last month, I announced Beacon’s ability to control a host over DNS. I see Beacon as a low and slow lifeline to get an active session, when it’s needed. Sometimes though, Beacon is all you have. There are times when Meterpreter gets caught too quickly or just can’t get past the network egress restrictions. For these […]
Staged Payloads – What Pen Testers Should Know
The Metasploit Framework decouples exploits from the stuff that gets executed after successful exploitation (the payload). Payloads in the Metasploit Framework are also divided into two parts, the stager and the stage. The stager is responsible for downloading a large payload (the stage), injecting it into memory, and passing execution to it. Staging first came […]