Showing posts with label metasploit. Show all posts

May 28, 2022

Cobalt Strike and Pentest

Cobalt Strike is a commercial penetration testing tool, which gives security testers access to a large variety of attack capabilities. It can be used to conduct spear-phishing and gain unauthorized access to systems, and can emulate a variety of malware and other advanced threat tactics.

This powerful network attack platform combines social engineering, unauthorized access tools, network pattern obfuscation and a sophisticated mechanism for deploying malicious executable code on compromised systems. It can now be used by attackers to deploy advanced persistent threat (APT) attacks against any organization. 

This threat emulation program has the following capabilities:

  • Reconnaissance—discovers which client-side software your target uses, with version info to identify known vulnerabilities.
  • Attack Packages—provides a social engineering attack engine, creates trojans posed as innocent files such as Java Applets, Microsoft Office documents or Windows programs, and provides a website clone to enable drive-by downloads.
  • Collaboration—Cobalt Team Server allows a group host to share information with a group of attackers, communicate in real time and share control of compromised systems.
  • Post Exploitation—Cobalt Strike uses Beacon, a dropper that can deploy PowerShell scripts, log keystrokes, take screenshots, download files, and execute other payloads.
  • Covert Communication—enables attackers to modify their network indicators on the fly. Makes it possible to load C2 profiles to appear like another actor, and egress into a network using HTTP, HTTPS, DNS or SMB protocol.
  • Browser Pivoting—can be used to get around two-factor authentication.


Detecting Cobalt Strike is also an interesting task, even though it is difficult most of the time; the usual indicators are the team server port 50050/tcp, DNS beacons answered with a bogus reply, the TLS certificate, etc.
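The three indicators named above can be checked cheaply from network logs. The following is an added example (not code from the post or from Cobalt Strike) that runs such checks over a few constructed Zeek-style conn/dns/ssl records. The port 50050/tcp is from the post; the bogus DNS answer 0.0.0.0 and the default certificate subject strings are assumptions taken from Cobalt Strike's documented defaults, and the zone_of helper is a hypothetical two-label approximation of a registered domain.

```python
"""Added example, not part of the original post: flags the Cobalt Strike
network indicators the post names (50050/tcp, DNS beacons with bogus replies,
the default TLS certificate) over constructed Zeek-style log records.
Values marked ASSUMED are not on the page and come from documented defaults."""
from collections import defaultdict

TEAM_SERVER_PORT = 50050                # team server port named in the post
BOGUS_DNS_ANSWERS = {"0.0.0.0"}         # ASSUMED: default idle answer of a DNS beacon listener
DEFAULT_CERT_SUBJECT_MARKERS = (        # ASSUMED: fields of the default self-signed team server cert
    "CN=Major Cobalt Strike",
    "O=cobaltstrike",
)
MIN_BOGUS_SUBDOMAINS = 3                # distinct labels under one zone all answered bogusly

# Constructed sample records; field names follow Zeek's conn/dns/ssl logs.
CONN = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 50050, "proto": "tcp"},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp"},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.2", "id.resp_p": 53, "proto": "udp"},
]
DNS = [
    {"id.orig_h": "10.0.0.7", "query": "a1b2c3.cdn-example.test", "qtype_name": "A", "answers": ["0.0.0.0"]},
    {"id.orig_h": "10.0.0.7", "query": "d4e5f6.cdn-example.test", "qtype_name": "A", "answers": ["0.0.0.0"]},
    {"id.orig_h": "10.0.0.7", "query": "g7h8i9.cdn-example.test", "qtype_name": "A", "answers": ["0.0.0.0"]},
    {"id.orig_h": "10.0.0.7", "query": "www.example.test", "qtype_name": "A", "answers": ["192.0.2.44"]},
]
SSL = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443,
     "subject": "CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike,L=Somewhere,ST=Cyberspace,C=Earth"},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.80", "id.resp_p": 443,
     "subject": "CN=www.example.test,O=Example Corp"},
]


def zone_of(name, labels=2):
    """Hypothetical helper: approximate the registered zone by its last `labels` DNS labels."""
    return ".".join(name.rstrip(".").split(".")[-labels:])


def flag_team_server_port(conn):
    """Any TCP connection to the team server management port is worth a look."""
    return [("team_server_port", f"{r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']}")
            for r in conn if r["proto"] == "tcp" and r["id.resp_p"] == TEAM_SERVER_PORT]


def flag_bogus_dns(dns):
    """A DNS beacon looks like many distinct subdomains of one zone, all answered
    with the same bogus address; a single such lookup is not enough to alert."""
    hits = defaultdict(set)
    for r in dns:
        if r["qtype_name"] == "A" and any(a in BOGUS_DNS_ANSWERS for a in r["answers"]):
            hits[(r["id.orig_h"], zone_of(r["query"]))].add(r["query"])
    return [("dns_bogus_reply", f"{src} -> {zone} ({len(qs)} subdomains)")
            for (src, zone), qs in hits.items() if len(qs) >= MIN_BOGUS_SUBDOMAINS]


def flag_default_cert(ssl):
    """Match the default certificate subject an operator forgot to replace."""
    return [("default_tls_cert", f"{r['id.resp_h']}:{r['id.resp_p']} subject={r['subject']}")
            for r in ssl if any(m in r["subject"] for m in DEFAULT_CERT_SUBJECT_MARKERS)]


def detect(conn=CONN, dns=DNS, ssl=SSL):
    """Run all three checks and return (indicator, evidence) pairs."""
    return flag_team_server_port(conn) + flag_bogus_dns(dns) + flag_default_cert(ssl)


if __name__ == "__main__":
    for indicator, evidence in detect():
        print(f"[{indicator}] {evidence}")
```

All three values are operator-configurable (the port, the DNS idle answer and the certificate can all be changed in a malleable profile), so a clean result proves nothing; the checks are cheap low-hanging fruit to run alongside behavioural detection, not a substitute for it.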

Cobalt Strike is also a post-exploitation framework tool developed for ethical hackers. It gives a post-exploitation agent and covert channels to emulate an embedded actor in your customer’s network.

It can be extended and customized by the user community. Several excellent tools and scripts have been written and published, but they can be challenging to locate. 

Cobalt Strike is a premium product. However, like Metasploit, there's a free community edition called Community Kit.

Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike. The Cobalt Strike team acts as the curator and provides this kit to showcase this fantastic work.



May 15, 2021

Dell BIOS Driver Vulnerability (Updated)

Remember the Dell BIOS Driver Vulnerability posted 10 days ago? Its vuln risk score was 18.52, and it is now 16.68 (downgraded).

What's new?

A Metasploit module (PoC) has been released; the CVSS3 score has also been downgraded from 8.8 to 7.8.

Below is the latest threat intelligence (new interface). 🙈🙉🙊

└─$ ./kvi-cli.py -v cve 2021-21551 -cz


 [*] Searching cve-[['2021-21551']] vulnerability definitions within Kenna.VI+....


[ CVE Description ]
 [*] CVE_ID : CVE-2021-21551
 [_] Desc   : Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

[ Kenna.VM Summary ]
 [*] Vuln Risk              : 16.6855
 [*] Easily_Exploit         : True
 [*] Malware_Exploit        : False
 [*] Popular_Target         : False
 [*] Active_Internet_Breach : False

[ Kenna.VI+ ]
 [*] Successful_Exploitations  : 0
 [*] Velocity (D/W/M)          : 0/0/0
 [*] Daily_Trend               : holding
 [*] Pre_NVD                   : True [_FALSE_]
 [*] RCE                       : True [_FALSE_]
 [*] Predicted_Exploitable     : False (0.2411% confidence)

[ Kenna.VI+ Details ]
 [_] Created_at    : 2021-01-04T18:00:05Z
 [_] Published     : 2021-05-04T16:15:00Z
 [_] Last_Modified : 2021-05-10T21:10:00Z

[ Links / References ]
 [*] Malware sample : 0
 [_] Exploits/POC [1]:
     [ --> ]   created_at : 2021-05-15T06:00:18Z
     [ --> ]  external_id : exploit/windows/local/cve_2021_21551_dbutil_memmove
     [ --> ]         name : Dell DBUtil_2_3.sys IOCTL memmove
     [ --> ]          url : http://www.rapid7.com/db/modules/exploit/windows/local/cve_2021_21551_dbutil_memmove

 [_] Fixes [1]:
     [ --> ]  external_id : dell-driver-cve-2021-21551-dsa-2021-088
     [ --> ]          url : None
     [ --> ]      product : None
     [ --> ] published_at : 2021-05-04T00:00:00Z

 [_] Threat Actors [0]:
     [ --> ] None

[ CVSS2 / CVSS3  Details ]

                | Impact  |   |                | CVSS_Access
================+=========+===+================+==============
   Availability | Partial |   |     Complexity | Low
Confidentiality | Partial |   |         Vector | Local access
      Integrity | Partial |   | Authentication | None required

              |                                   CVSS_V2 |                                                    CVSS_V3
==============+===========================================+===========================================================
   Base Score |                                     4.600 |                                                      7.800
Exploit_Score |                                     3.900 |                                                      1.800
 Impact_Score |                                     6.400 |                                                      5.900
     Temporal |                                     3.400 |                                                       None
       Vector | AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

[ Others ]
 [*] Vulnerable Products [1] :
     [ --> ] cpe:2.3:a:dell:dbutil_2_3.sys:-:*:*:*:*:*:*:*


[ CVE Malware Family Info : None ]

[ CVE Chatter Info : None ]

[ CVE History : CVE-2021-21551 ]
 [*] ID              : 2930594
 [*] Vuln Risk Score : 17
 [*] History         : 2

   [**] changed_at : 2021-05-05T04:14:52.000Z
   [**]       from : 25
   [**]         to : 19

   [**] changed_at : 2021-05-11T04:03:25.000Z
   [**]       from : 19
   [**]         to : 17

[ High_Profile_Vulnerability ]
 [!!!]   CVE-2021-21551 (16.6855) : ['hpv_poc']


 ** [5] threads completed [4 tasks] / [2.23 KB] within [3.98 sec].


Oct 13, 2012

Setting Up Metasploit Framework

I just set up the Metasploit Framework on my Ubuntu 12.04 (LTS). Below are my notes on what I have been busy with recently.

Installing the dependencies

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev subversion openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3
sudo gem install wirble msgpack sqlite3 pg activerecord nokogiri

Installing NMAP

mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean

Setting up Postgres SQL Server

sudo -s
su postgres
createuser msf -P -S -R -D
createdb -O msf msf
exit
exit

Installing Metasploit Framework

cd /opt
sudo svn co https://www.metasploit.com/svn/framework3/trunk metasploit-framework
cd metasploit-framework
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
sudo ln -s /opt/metasploit-framework/armitage /usr/local/bin/armitage
cd /opt/metasploit-framework/
# /opt/metasploit-framework is owned by root after the sudo checkout, so write the file via sudo tee
sudo tee database.yml > /dev/null << 'EOF'
production:
   adapter: postgresql
   database: msf
   username: msf
   password:
   host: 127.0.0.1
   port: 5432
   pool: 75
   timeout: 5
EOF

# "sudo echo ... >> /etc/profile" would fail: the redirect runs as the unprivileged user, not root
echo 'export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml' | sudo tee -a /etc/profile > /dev/null
source /etc/profile

cd /opt/metasploit-framework/external/pcaprub
sudo ruby extconf.rb && sudo make && sudo make install

First Run

msfconsole

Sep 24, 2009

Mastering The Metasploit Framework


Offensive Security has launched a free online Metasploit Framework training course. It is definitely worth checking out. Enjoy!

Jan 29, 2008

Metasploit Unleashes Ver. 3.1

The latest version of the Metasploit Framework, as well as screen shots, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://metasploit3.com/