What is the primary purpose of the adversary tactic known as ‘pivoting’?
Pivoting is used to proxy traffic in or out of a network, when it would normally be disallowed, using a compromised host (Beacon) as the pivot point.
What are the two types of pivoting reviewed in the source material?
The two types are SOCKS Proxies and Reverse Port Forwards.
What does the term SOCKS stand for in the context of network protocols?
SOCKS is short for ‘SOCKet Secure’.
In a Cobalt Strike context, how does a SOCKS proxy function at a high level?
It exchanges network packets between an external adversary and internal machines via a proxy server, using a Beacon as the pivot point.
What Cobalt Strike command is used to start a SOCKS proxy on a specific port?
The ‘socks [port]’ command is used, for example, ‘socks 1080’.
When using a SOCKS proxy, what tool can be used on an adversary’s local machine to route traffic through the team server?
A proxying tool, such as proxychains, is configured to route traffic through the port listening on the team server.
How does the Beacon’s sleep time affect the performance of a SOCKS proxy tunnel?
The lower the Beacon’s sleep time, the quicker the traffic can be tunneled, as the Beacon checks in more frequently to fetch tasks.
What is one advantage of using a SOCKS proxy for tooling in a Windows environment?
It allows the use of tools written in languages like Python that may not be readily available on the compromised Windows host.
How does tunneling tools via a SOCKS proxy reduce the detection surface?
It removes indicators from post-exploitation execution on the compromised host, leaving only the network traffic as evidence.
Besides avoiding host-based detection, what is another key advantage of using SOCKS proxies for an attacker?
It allows the attacker to run GUI tools, such as RSAT, directly on their own machine to interact with the target network.
What is Proxifier and on which operating system does it run?
Proxifier is a tool that runs on Windows and forces TCP traffic from applications through a proxy.
When configuring a proxy server profile in Proxifier for a Cobalt Strike SOCKS proxy, what IP address should be used?
The IP address of the team server should be used.
In Proxifier, what is the best practice for configuring a proxification rule’s ‘Applications’ and ‘Target hosts’ fields?
Leave the applications field as ‘Any’ but specify the IP range of the target hosts to ensure only relevant traffic is proxied.
What are the two most common ways to authenticate to domain resources through a SOCKS proxy?
Authentication is most commonly done with plaintext credentials or Kerberos tickets.
Why is it necessary to add static host entries to the attacking machine when using Kerberos for authentication through a proxy?
It is necessary because Kerberos requires the use of hostnames rather than IP addresses for authentication.
Which PowerShell cmdlet can be used to create a credential object from plaintext credentials for use with RSAT tools?
The ‘Get-Credential’ cmdlet is used to create a credential object.
What tool can be used to leverage Kerberos tickets on an attacker’s Windows machine to authenticate through a proxy?
Rubeus can be used for Kerberos ticket manipulation.
What is the purpose of the Rubeus createnetonly command in the context of SOCKS proxying?
It starts a new process with an injected Kerberos ticket, allowing tools run in that process to authenticate to the domain.
After creating a new logon session with Rubeus, why must an attacker manually request service tickets?
The attacker must manually request them because they are not relying on the Windows OS to automatically handle ticket requests for the new session.
What Rubeus command is used to request a service ticket for a specific service, such as LDAP?
The asktgs command is used to request a Ticket-Granting Service (TGS) ticket for a specific service.
What Linux tool is functionally similar to Proxifier for forcing TCP traffic through a proxy?
The tool proxychains is used on Linux for this purpose.
In the proxychains.conf file, which entry needs to be modified to point to the Cobalt Strike SOCKS proxy?
The default ‘socks4 127.0.0.1 9050’ entry must be replaced with the team server’s IP and the port specified in the ‘socks’ command.
How would you execute nmap through a configured SOCKS proxy using the command line on Linux?
You would prefix the command with ‘proxychains’, for example: ‘proxychains nmap -n -sT -Pn -p 445 lon-dc-1’.
Impacket tools on Linux can use Kerberos tickets, but they require the tickets to be in _____ format.
ccache
-
Module 144
-
Module 243
-
Module 360
-
Module 466
-
Module 550
-
Module 660
-
Module 762
-
Module 856
-
Module 918
-
Module 1052
-
Module 1153
-
Module 1250
-
Module 1336
-
Module 1441
-
Module 1567
-
Module 1653
-
Module 1728
-
Module 1851
-
Module 1954
-
Module 2022
-
Cobalt Strike User Guide161
-
Cobalt Strike Installation Guide37
