Armitage and Cobalt Strike 1.47 are now available. This release improves many aspects of the workflow in both Armitage and Cobalt Strike. Here are some of the highlights.
Type ‘meterpreter’ in a Beacon console to spawn a Meterpreter session and tunnel it through your Beacon in one fell swoop. This gives you the power of Meterpreter and its features with Beacon’s communication flexibility.
You now have the option to specify a jitter factor with Beacon’s sleep command. This jitter factor will vary the sleep time after each check in to make your Beacon harder to see.
You may now use Beacon to manage long term, low and slow exfil. Beacon manages this by delivering files one chunk per checkin. The speed of the download is up to you, just change the sleep time.
Web Drive-by Attacks
The system profiler now annotates 64-bit Windows and a 64-bit Internet Explorer with a *64. This should help your decision making process, when picking the right attack.
Cobalt Strike’s Java Applet attacks now inject shellcode through a Windows 64bit JVM.
CVE-2013-2460 is now part of the Cobalt Strike Smart Applet attack. This makes the Smart Applet attack effective up to Java 1.7u21. The AppletKit in the Cobalt strike arsenal has the source code to these latest Java bits too.
PsExec with PowerShell
Version 4.7 of the Metasploit Framework includes a psexec_psh module and Cobalt Strike supports it. This variation of PsExec uses PowerShell to inject your listener into memory without creating an artifact on disk. This is a great way to sneak past anti-virus on modern Windows systems.
Both Armitage and Cobalt Strike gained a menu item to load mimikatz and run its wdigest command. Mimikatz recovers the plaintext password of users who have interactively logged on to a Windows system since its last reboot. This interface to mimikatz also adds the credentials to the database. ([host] -> Meterpreter -> Access -> Dump Hashes -> wdigest)
This Cobalt Strike release gives you an option to mask email addresses in the Social Engineering Report. You also have the option to mask passwords in the Hosts Report too.
Kali Linux users–you have a reason to cheer too. This update brings back the close button on Armitage and Cobalt Strike’s dialogs. These updates also fix several bugs, tweak several options, and make both programs more robust and faster.
To learn more about what’s new in Armitage 1.47, consult the changelog. .Armitage is available as a direct download from http://www.fastandeasyhacking.com/
To learn more about what’s new in Cobalt Strike 1.47, read the release notes. A 21-day trial of Cobalt Strike is available at http://www.advancedpentest.com. Licensed users simply need to run the update program to get the latest.