CobaltStrike + Metasploit Combined Installation

1. Environment and software

  • CentOS 7
  • CobaltStrike v2.5
  • Metasploit v5.0+

2. Installation

Download page for older installer versions:
https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version


1. Install MSF with the install script

> wget https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb

The downloaded file is a bash install script: it checks and prepares the environment and then downloads the actual installer.


# Run the install script
> mv msfupdate.erb install-msf.sh
> chmod +x install-msf.sh
> ./install-msf.sh


2. Test the installed MSF

After installation the MSF directory is /opt/metasploit-framework/
Run msfconsole to check that MSF works:

> msfconsole

If a "No database support" warning appears, first create the database connection config file:

# Set the contents to your PostgreSQL connection details; if unsure, leave the file unchanged
> cd /opt/metasploit-framework/embedded/framework/config/
> mv database.yml.example database.yml

Start it again to test:

> msfconsole
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
could not connect to server: No route to host
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
[-] ***

This usually means the database service is not running or has not been initialised.

3. Initialise the database

First initialise the database:

> cd /opt/metasploit-framework/bin/
> ./msfdb

# The database cannot be initialised as root
Please run msfdb as a non-root user
# Create an account to initialise the database with


useradd msf
su msf
./msfdb
……
Commands:
    init      initialize the component
    reinit    delete and reinitialize the component
    delete    delete and stop the component
    status    check component status
    start     start the component
    stop      stop the component
    restart   restart the component


# Initialise the database

./msfdb init
Creating database at /home/msf/.msf4/db
Starting database at /home/msf/.msf4/db…success
Creating database users
Writing client authentication configuration file /home/msf/.msf4/db/pg_hba.conf
Stopping database at /home/msf/.msf4/db
Starting database at /home/msf/.msf4/db…success
Creating initial database schema
……


# Once this completes, a .msf4 directory containing a database.yml file is created in the msf user's home directory
# Exit the msf account and return to root

cp /home/msf/.msf4/database.yml /opt/metasploit-framework/embedded/framework/config/
cp:是否覆盖”/opt/metasploit-framework/embedded/framework/config/database.yml”?y


After the steps above, msfconsole starts normally and the database connection works.
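Before starting msfconsole or the team server it is worth confirming that database.yml actually points at a listening PostgreSQL, since the "No database support" warning above has the same two causes every time (database not started, or the config still using the default port). The following is an added example, not code from the original post: it parses the database.yml that msfdb init writes (a constructed sample is embedded; the real file is /home/msf/.msf4/database.yml as shown above), probes each configured host/port, and reports the likely cause. The function names parse_database_yml, port_open and diagnose are this example's own.

```python
import socket

# Constructed sample in the layout msfdb init writes (made-up values, not real creds).
SAMPLE_DATABASE_YML = """\
development: &pgsql
  database: msf
  username: msf
  password: EXAMPLE_PASSWORD
  host: 127.0.0.1
  port: 5433
production: &production
  <<: *pgsql
"""

def parse_database_yml(text):
    """Minimal parser for database.yml's 'section:' / '  key: value' layout.
    Resolves the &anchor / '<<: *alias' merge msfdb emits; not a general YAML parser."""
    sections, anchors, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):                    # section header
            name, _, rest = raw.partition(":")
            current = sections.setdefault(name.strip(), {})
            if "&" in rest:
                anchors[rest.split("&", 1)[1].strip()] = current
            continue
        key, _, value = (s.strip() for s in raw.strip().partition(":"))
        if key == "<<" and value.startswith("*"):      # merge the aliased section
            merged = {**anchors.get(value[1:], {}), **current}  # explicit keys win
            current.update(merged)
        else:
            current[key] = value
    return sections

def port_open(host, port, timeout=2.0):  # TCP probe behind the 'Connection refused' warning
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(sections, probe=port_open):
    """One verdict per section: 'ok', or the likely cause described in the post."""
    verdicts = {}
    for name, cfg in sections.items():
        host, port = cfg.get("host", "localhost"), int(cfg.get("port", 5432))
        verdicts[name] = "ok" if probe(host, port) else (
            f"no listener on {host}:{port}: start postgres (msfdb start) or fix database.yml's port")
    return verdicts
```

Run diagnose(parse_database_yml(open("/home/msf/.msf4/database.yml").read())) on the server; a verdict other than "ok" explains the warning before msfconsole is even launched.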

4. Start CobaltStrike

Upload CobaltStrike V2.5.zip to /root/ and unzip it.

# Start CobaltStrike as root
> sudo -E ./teamserver server-IP server-pass [C2-config-File]
> sudo -E ./teamserver 192.168.1.100 test123 c2.profile
[*] Generating X509 certificate and keystore (for SSL)
Enter source keystore password:  # enter the keystore password here; the input is not echoed
Entry for alias cobaltstrike successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Warning:
The original keystore "./cobaltstrike.store" is backed up as "./cobaltstrike.store.old"...
[*] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at 2019-06-26 20:37:22 +0800...
[*] MSGRPC background PID 31738
[*] sleeping for 20s (to let msfrpcd initialize)
[*] Starting Cobalt Strike Team Server
[*] 连接到 [ msf , 1J647h4MPTiz3sR3F5yOS9DOtzdVEz2ZaBNGy1FwWl4= ] 127.0.0.1:5433/msf
[*] 使用下面的信息来连接到团队服务器:
主机: 192.168.1.100
端口: 55553
用户: msf
密码: test123
[*] 指纹信息(当您连接到团队服务的时候请检查这串字符):
66fdaeb7c0fe088a14562c5be28ff1f042946bd2
[+] 已准备好接受你或其它客户端的连接。
[+] Beacon 进行 [192541 bytes] x86/shikata_ga_nai 编码耗时 1868ms
[+] 创建 Beacon 为 /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/beacon48744733787608987.dll.enc

Launch cobaltstrike.jar and connect to the server.
The connected client is shown in the screenshot.

After closing the SSH session or rebooting the server, reconnecting and running
sudo -E ./teamserver 192.168.1.100 test123 c2.profile fails with a database error (shown in the screenshot).
This is because the database was not started; it has to be started again after every reboot. To save time, use the following:

# Add the start command to the boot-time startup script so the database keeps running in the background
# (on CentOS 7, /etc/rc.local must be executable for it to run at boot)
vi /etc/rc.local
su msf -l -c "nohup /opt/metasploit-framework/embedded/bin/postgres -D /home/msf/.msf4/db -p 5433 &"

Now you only need to start CobaltStrike as root each time. To make it even more convenient, keep this command running as well:

sudo -E ./teamserver 192.168.1.100 test123 c2.profile &

This way there is no need to log in to the server to start the various services: just open cobaltstrike on your own machine and log in.

Original article by scholar; if reposting, please cite the source: http://absec.cn/?p=994
