
SSH Sessions

The SSH Client

Cobalt Strike controls UNIX targets with a built-in SSH client. This SSH client receives tasks from and routes its output through a parent Beacon.

Right-click a target and go to Login -> ssh to authenticate with a username and password. Go to Login -> ssh (key) to authenticate with a key.

From a Beacon console, use ssh [pid] [arch] [target] [user] [password] to inject into the specified process to run an SSH client and attempt to login to the specified target. Use ssh [target] [user] [password] (without [pid] and [arch] arguments) to spawn a temporary process to run an SSH client and attempt to login to the specified target.

You may also use ssh-key [pid] [arch] [target:port] [user] [/path/to/key.pem] to inject into the specified process to run an SSH client and attempt to login to the specified target. Use ssh-key [target:port] [user] [/path/to/key.pem] (without [pid] and [arch] arguments) to spawn a temporary process to run an SSH client and attempt to login to the specified target.

Note: The key file needs to be in the PEM format. If the file is not in the PEM format then make a copy of the file and convert the copy with the following command: /usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p.

These commands run Cobalt Strike’s SSH client. The client will report any connection or authentication issues to the parent Beacon. If the connection succeeds, you will see a new session in Cobalt Strike’s display. This is an SSH session. Right-click on this session and press Interact to open the SSH console.

Type help to see a list of commands the SSH session supports. Type help followed by a command name for details on that command.

Running Commands

The shell command runs the command and arguments you provide. A running command blocks the SSH session for up to 20s before Cobalt Strike puts it in the background. Cobalt Strike reports output from these long-running commands as it becomes available.

Use sudo [password] [command + arguments] to attempt to run a command via sudo. This alias requires the target's sudo to accept the -S flag.

The cd command will change the current working directory for the SSH session. The pwd command reports the current working directory.

Upload and Download Files

The following commands are available:

1) download

  • This command downloads the requested file. You do not need to provide quotes around a filename with spaces in it. Beacon is built for low and slow exfiltration of data. During each check-in, Beacon will download a fixed chunk of each file it's tasked to get. The size of this chunk depends on Beacon's current data channel. The HTTP and HTTPS channels pull data in 512KB chunks.

2) downloads

  • Use this command to see a list of file downloads in progress for the current Beacon.

3) cancel

  • Issue this command, followed by a filename, to cancel a download that’s in progress. You may use wildcards with your cancel command to cancel multiple file downloads at once.

4) upload

  • This command uploads a file to the host.

5) timestomp

  • When you upload a file, you will sometimes want to update its timestamps to make it blend in with other files in the same folder. This command will do this. The timestomp command matches the Modified, Accessed, and Created times of one file to another file.

Go to View -> Downloads in Cobalt Strike to see the files that your team has downloaded so far. Only completed downloads show up in this tab.

Downloaded files are stored on the team server. To bring files back to your system, highlight them here, and press Sync Files. Cobalt Strike then downloads the selected files to a folder of your choosing on your system.

Peer-to-peer C2

SSH sessions can control TCP Beacons. Use the connect command to assume control of a TCP Beacon waiting for a connection. Use unlink to disconnect a TCP Beacon session.

Go to [session] -> Listeners -> Pivot Listener… to set up a pivot listener tied to this SSH session. This will allow this compromised UNIX target to receive reverse TCP Beacon sessions. This option does require that the SSH daemon's GatewayPorts option is set to yes or ClientSpecified.

SOCKS Pivoting and Reverse Port Forwards

The following commands are available:

1) socks

  • Use this command to create a SOCKS server on your team server that forwards traffic through the SSH session.

2) rportfwd

  • This command creates a reverse port forward that routes traffic through the SSH session and your Beacon chain.

There is one caveat to rportfwd: the rportfwd command asks the SSH daemon to bind to all interfaces. It's quite likely the SSH daemon will override this and force the port to bind to localhost. You need to change the GatewayPorts option for the SSH daemon to yes or clientspecified.
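Whether the pivot listener and rportfwd above can bind beyond loopback is decided by two sshd_config keywords, GatewayPorts and AllowTcpForwarding. The following Python is an added, defender-side example (not Cobalt Strike code and not part of this manual) that audits an sshd configuration for that condition; the sample config is constructed, and stopping at the first Match block is a simplification chosen here.

```python
import re
from typing import Dict

# Defaults from sshd_config(5) for the two keywords that decide whether a
# remote port forward may be bound to anything other than loopback.
DEFAULTS = {"gatewayports": "no", "allowtcpforwarding": "yes"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_KEYVAL = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")

# Constructed sample (not taken from any real host). The second GatewayPorts
# line is ignored because sshd keeps the first value it reads for a keyword.
PIVOT_FRIENDLY = """\
Port 22
gatewayports clientspecified
GatewayPorts no            # ignored: first value wins
AllowTcpForwarding = yes
Match User backup
    GatewayPorts no
"""


def parse_global_sshd_config(text: str) -> Dict[str, str]:
    """Effective global keyword values (lower-cased), first value wins.

    Match blocks are conditional and not evaluated here: parsing stops at the
    first Match line. '#' is treated as starting a comment everywhere, which
    simplifies sshd's quoting rules.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        effective.setdefault(key, value)  # later duplicates are ignored
    return effective


def remote_forwards_exposed(text: str) -> bool:
    """True if sshd would let a remote forward listen on non-loopback addresses."""
    cfg = parse_global_sshd_config(text)
    gateway = cfg.get("gatewayports", DEFAULTS["gatewayports"])
    tcpfwd = cfg.get("allowtcpforwarding", DEFAULTS["allowtcpforwarding"])
    return gateway in ("yes", "clientspecified") and tcpfwd in ("yes", "all", "remote")
```

Run it over /etc/sshd_config on a host: a True result means a reverse port forward requested through an SSH session on that host can be reached from other machines; GatewayPorts no (the default) or AllowTcpForwarding local/no prevents it.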
