Pack Scripts for Cobalt Strike
Introduction
Dear subscribers, on our channel we have already told you what it is Aggressor-scripts, also about writing them yourself.
In this article we want to show an example of a repository containing a large number of Aggressor-scripts for Cobalt Strikeso that you don’t waste time writing this functionality.
You can download the repository with scripts from the following link https://github.com/shorefall/LSTAR-EN.
This article is presented for educational purposes only. Red Team community “GISCYBERTEAM” is not responsible for any consequences of its use by third parties.
Installation
Scripts can be downloaded from GitHub:
git clone https://github.com/shorefall/LSTAR-ENNext, we go to our client Cobalt Strike and open Менеджер скриптов (Script Manager).
Import the file LSTAR.cna.
Now in the context menu of our бикона we can use this script.
Overview of features
Let's list the main modules included in the script set:
Information Gathering.
Intranet Scan.
Intranet penetration.
Privilege Escalation.
Credential acquisition.
RDP Related.
Lateral movement.
Trace removal.
Cloning_adding Users.
Misc Desktop Control.
Let's look at some of them using examples:
We check the port and see that it is closed:
Now let's try to enable the service RDP through RDP Related → Turn on RDP service and check with nmap:
Click here Persistence → SharpShadowUser
As we can see, we have created a user.
Let's try to connect using the credentials you provided. бикон Cobalt Strike:
Enter the command that needs to be executed:
Below is the result of executing our command via BadPotato:
It is also possible to run not only commands from the system toolkit, but also processes that will be executed in the context of the account. nt authority\system.
A utility is used to scan ports. fsan. fscan – is a comprehensive network scanning tool, convenient for automatic and omnidirectional scanning of missed objects. It supports port scanning, shared service scanning, ms17-010public key packet recording Redisscheduled task recovery shell, reading network card information Winweb fingerprinting, web vulnerability scanning, detection netbiosdomain management identification, etc.
Before using, you must first download fscan to host via Upload Fscan and run it like this:
GPP — is a tool that provides administrators with some advanced capabilities for configuring and managing account policies in a domain network. Windows.
In this example, there is no password in the group policies. You can also read about decrypting the password, if there is one, in this article: https://infosecwriteups.com/attacking-gpp-group-policy-preferences-credentials-active-directory-pentesting-16d9a65fa01a.
FakeLogonScreen — is a utility for simulating the login screen Windows in order to obtain the user's password. The entered password is checked in Active Directory or on the local computer to ensure it is correct, and then displayed on the console or saved to disk.
The usefulness of this utility is high as it is used by many Red Team teams.
Powerview – This PowerShell– a script needed to collect information in a domain Active Directory.
Before using it within a script LSTAR First you need to upload it to the host and then import it:
Now we can, for example, query users in a domain:
As a result Cobalt Strike will give us a list of the following users:
Conclusion
In this article we have looked at the use of the set Agressor-scripts LSTARthat will make it easier for you to gather information and compromise assets while performing penetration testing projects.
Subscribe to our Telegram channel https://t.me/giscyberteam
