
Install and Configuration

Terminology

  • Client
  • TeamServer
  • Beacon
  • Redirector
  • MalleableC2
  • Aggressor Script

Cobalt Strike download

  • Download the trial version at https://www.cobaltstrike.com/download; you will be prompted for a license key.
  • Extract the archive and run the update script; you will be prompted for the license key again.

Teamserver "install"

  • Must be a Linux host (tested on Kali only at the moment; at least Java is required; the minimal requirements to run a teamserver are unknown).
  • 3 files required
    • cobaltstrike.jar, the application itself
    • cobaltstrike.auth, which is the license file
    • teamserver, a bash wrapper that launches Cobalt Strike as a teamserver
info

If your profile cannot be compiled because of a date issue, your system language must be English (EN).

Execute the following command in a tmux session.

./teamserver <IP> <PASSWORD> [</path/to/my.profile>]

Letsencrypt certificate

Based on https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh

# Option 1: Clone letsencrypt and generate the certificate
git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto --apache -d <DOMAIN> -n --register-unsafely-without-email --agree-tos

# Option 2: install certbot via apt and generate the certificate
apt install certbot python3-certbot-apache
certbot certonly --apache -d <DOMAIN> -n --register-unsafely-without-email --agree-tos --preferred-challenges http

# generate a password for the keystore (the <PASS> placeholders below need to be replaced with this value)
pwgen 32 -n 1

# the certificate has been generated in /etc/letsencrypt
cd /etc/letsencrypt/live/<DOMAIN>
# bundle the full chain and private key into a PKCS12 file, then import it into a Java keystore for the teamserver
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out <DOMAIN>.p12 -name <DOMAIN> -passout pass:<PASS>
keytool -importkeystore -deststorepass <PASS> -destkeypass <PASS> -destkeystore /opt/cs/<DOMAIN>.store -srckeystore <DOMAIN>.p12 -srcstoretype PKCS12 -srcstorepass <PASS> -alias <DOMAIN>
# kill apache, which was started by letsencrypt
pkill apache2

Modify your profile accordingly

sed -i 's/<<domain>>/<fqdn_domain>/g' custom.profile

Add the following lines to your custom.profile

set keystore "/opt/cs/<DOMAIN>.store";
set password "<PASS>";

Hardening -- set up ufw

apt install ufw
ufw default deny incoming
ufw default allow outgoing

ufw allow ssh

# Only if you use a bastion
#ufw allow from <BASTION_IP> to any port 50050

# Allow 80 from cloudflare
ufw allow from 103.21.244.0/22 to any port 80
ufw allow from 103.22.200.0/22 to any port 80
ufw allow from 103.31.4.0/22 to any port 80
ufw allow from 104.16.0.0/13 to any port 80
ufw allow from 104.24.0.0/14 to any port 80
ufw allow from 108.162.192.0/18 to any port 80
ufw allow from 131.0.72.0/22 to any port 80
ufw allow from 141.101.64.0/18 to any port 80
ufw allow from 162.158.0.0/15 to any port 80
ufw allow from 172.64.0.0/13 to any port 80
ufw allow from 173.245.48.0/20 to any port 80
ufw allow from 188.114.96.0/20 to any port 80
ufw allow from 190.93.240.0/20 to any port 80
ufw allow from 197.234.240.0/22 to any port 80
ufw allow from 198.41.128.0/17 to any port 80
# Allow 443 from cloudflare
ufw allow from 103.21.244.0/22 to any port 443
ufw allow from 103.22.200.0/22 to any port 443
ufw allow from 103.31.4.0/22 to any port 443
ufw allow from 104.16.0.0/13 to any port 443
ufw allow from 104.24.0.0/14 to any port 443
ufw allow from 108.162.192.0/18 to any port 443
ufw allow from 131.0.72.0/22 to any port 443
ufw allow from 141.101.64.0/18 to any port 443
ufw allow from 162.158.0.0/15 to any port 443
ufw allow from 172.64.0.0/13 to any port 443
ufw allow from 173.245.48.0/20 to any port 443
ufw allow from 188.114.96.0/20 to any port 443
ufw allow from 190.93.240.0/20 to any port 443
ufw allow from 197.234.240.0/22 to any port 443
ufw allow from 198.41.128.0/17 to any port 443

ufw enable

# Allow 1080 from localhost only (AKA don't socks to the world)
iptables -I INPUT ! -i lo -p tcp --dport 1080 -j DROP

# Allow 50050 from localhost only
# -I inserts this rule at the top of INPUT, ahead of the chains ufw manages, so a
# "ufw allow from <BASTION_IP> to any port 50050" rule would still be dropped;
# if you use a bastion, exempt it here too (e.g. add a "! -s <BASTION_IP>" match).
iptables -I INPUT ! -i lo -p tcp --dport 50050 -j DROP
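The Cloudflare allow-list above is the same 15 networks repeated once per port. As an added helper (not from the original page), this POSIX shell function generates those ufw rules from a single list and refuses to emit a rule for the teamserver (50050) and SOCKS (1080) ports, which the page keeps on loopback only. Function names and the APPLY variable are my own; the ranges are copied from the page and should be checked against Cloudflare's published list (https://www.cloudflare.com/ips-v4) before use.

```shell
#!/bin/sh
# Cloudflare IPv4 ranges as listed on the page above (static copy, not fetched live).
CF_RANGES="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13
104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18
162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20
190.93.240.0/20 197.234.240.0/22 198.41.128.0/17"

# Ports that must never be opened to the internet: teamserver and SOCKS proxy.
LOOPBACK_ONLY_PORTS="50050 1080"

# cf_rules PORT... : print one "ufw allow" line per range for each port.
# A loopback-only port produces no rules and makes the function return 1.
cf_rules() {
    rc=0
    for port in "$@"; do
        for p in $LOOPBACK_ONLY_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "refusing to allow port $port from Cloudflare" >&2
                rc=1
                continue 2
            fi
        done
        for net in $CF_RANGES; do
            echo "ufw allow from $net to any port $port"
        done
    done
    return $rc
}

# apply_cf_rules PORT... : run the generated rules only when APPLY=1 (assumed
# variable); otherwise print them so the ruleset can be reviewed first.
apply_cf_rules() {
    rules=$(cf_rules "$@") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$rules" | while IFS= read -r line; do $line; done
    else
        echo "$rules"
    fi
}

# Example: review the rules, then apply them with APPLY=1 as root.
#   apply_cf_rules 80 443
#   APPLY=1 apply_cf_rules 80 443
```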

Connection to C2 without bastion

ssh -i <path/to/your/key> -L 50050:127.0.0.1:50050 kali@<C2_IP>

Connection to C2 via a bastion

Deploy an AWS HTTP node.

On your local machine, modify your SSH config as suggested below.

#/root/.ssh/config.d/default
Host c2
Hostname <ip>
User kali
IdentityFile <~/.ssh/aws_keys/mission>

Host bastion
Hostname <ip>
User ec2-user
IdentityFile <~/.ssh/aws_keys/mission>

Host fw-50050
Hostname <ip_bastion>
User ec2-user
IdentityFile <~/.ssh/aws_keys/mission>
LocalForward 50050 <ip_c2>:50050

Client

In a GUI environment, just run the cobaltstrike script.

You will be prompted for a HOST, USERNAME, PASSWORD and PORT.

note
  • USERNAME can be anything; it is used in the server's log to identify you.
  • PASSWORD is the one defined on the teamserver command line.
  • If your DNS records are proxied by Cloudflare, don't enter a domain name in HOST.