In June 2012, I released Cobalt Strike, a commercial penetration testing package that picks up where Armitage leaves off. Cobalt Strike is a direct expression of what I think a penetration test looks like. If you’re interested in this vision, this post will walk you through it. The term penetration test is overloaded and may mean something different with […]
CTA Type: Blog
One Shot, One Kill – An Intelligent Web Drive-by Exploit Server
One of my favorite features in Cobalt Strike is the system profiler. This web application digs deep into your browser to discover the client-side applications that I, as the attacker, can touch. To go along with the system profiler, I maintain a database that maps these applications to exploits in the Metasploit Framework. The system […]
Read More… from One Shot, One Kill – An Intelligent Web Drive-by Exploit Server
Fresh Paint for the Java Applet Attack
Java is a popular vector for penetration testers and those who penetrate networks without an invitation. An attacker creates a website to host a Java applet. In the simplest case, the Java applet is signed with a certificate. The user is asked “do you want to allow this applet to run?” The user’s yes response […]
My exploits can beat up your exploits
TL;DR Rapid7 wrote a blog post claiming that their exploits are better. I think the Metasploit Framework’s coverage is fine, but some other vendors do better with AV-safe client-side exploits. Over time, memory corruption exploits will become less relevant to penetration testers. Let’s talk about how penetration testing is evolving, not who has “the best” […]
How to Milk a Computer Science Education for Offensive Security Skills
Recently, a poster on reddit asked how to get into offensive security as a student studying Computer Science. Before the post was removed, the poster expressed an interest in penetration testing or reverse engineering. I studied Computer Science at different schools (BSc/MSc/Whateverz). This is timely as a new semester is about to begin and students still […]
Read More… from How to Milk a Computer Science Education for Offensive Security Skills
Hacking like APT
Lately, I’ve seen several announcements, presentations, and blog posts about “hacking like” Advanced Persistent Threat. This new wave of material focuses on mapping features in the Metasploit Framework to the steps shown in Mandiant’s 2010 M-Trends Report: The Advanced Persistent Threat. While this is an interesting thought exercise, there are a few classic treatments of […]
Keystroke Logging with Beacon
I feel asynchronous low and slow C2 is a missing piece in the penetration tester’s toolkit. Beacon is Cobalt Strike’s answer to this problem. Beacon periodically phones home to check for tasks. It can perform this check using the DNS or HTTP protocols. When tasks are available, it’ll download them as an encrypted blob using an […]
Offense in Depth
I regularly receive emails along the lines of “I tried these actions and nothing worked. What am I doing wrong?” Hacking tools are not magical keys into any network you desire. They’re tools to aid you through a process, a process that requires coping with many unknowns. If you’re interested in penetration testing as a […]
Two Years of Fast and Easy Hacking
Today marks the two-year anniversary of the release of Armitage. My goal was to create a collaboration tool for exercise red teams. I wanted to show up to North East CCDC with a new toy. I had no idea Armitage would lead to so many new friends and new adventures. In the past two years, Armitage […]
Using AV-safe Executables with Cortana
Part of a penetration tester’s job is to deal with security products, such as anti-virus. Those of us that use the open source Metasploit Framework know that AV vendors have given the framework more attention in the past year. Now, exotic templates and multiple iterations through the framework’s encoders are not always enough to defeat the […]