It is (or was, when this was written in 2016) trivial to identify poorly configured hosts running CobaltStrike's TeamServer.
CobaltStrike's TeamServer "operator facing" interface runs on port 50050.
This service is wrapped in TLS.
The certificate presented on the service include static/common information in the Subject and Issuer:
Here's a snippet of the information which we're looking for:
---
Server certificate
subject=/C=Earth/ST=Cyberspace/L=Somewhere/O=cobaltstrike/OU=AdvancedPenTesting/CN=Major Cobalt Strike
issuer=/C=Earth/ST=Cyberspace/L=Somewhere/O=cobaltstrike/OU=AdvancedPenTesting/CN=Major Cobalt Strike
---
Yeah. It's as simple as "we're going to grep for Cobalt Strike on a large dataset
But before you get turned off the idea, lets consider the benefits of identifying a team server.
Since CobaltStrike will present its "target facing" or C2 services on the same IP address.
Once we've identified a TeamServer we can conduct a full service scan to identify any other interesting services which may be running.
In this case, I focussed on:
- Identifying poorly configured TeamServers
- Identifying additional listening services on the TeamServer
- Extracting information from any certificates presented by these services
- Grabbing screenshots of any web services
This project was put together to perform weekly audits of some large internet ranges in an attempt to identify and catalog poorly configured CobaltStrike team servers.
Over a period of a few years, I netted a chunky dataset full of domain names screenshots of phishing pages.
It's an interesting catalog.
In a nutshell, here's the process:
- masscan a bunch of ranges looking for port 50050
- Interrogate the service to retrieve the certificate
- Filter on this "OU=AdvancedPenTesting/CN=Major Cobalt Strike"
- Perform a full port scan
- Interrogate any open ports - grab the certificate information
- Pull out domain information from any recovered certificates
- Grab some screenshots of any web services
🤷 I've no idea if CobaltStrike continues to demonstrate this behaviour.
Lets just assume you should employ good practice and restrict access to the service, rather than hope that this isn't possible any more.
I hunted down the ranges used by some of the biggest cloud providers and built a list of network CIDRS.
I've got a catalog of 4906 networks listed, the CIDRS seem to range from /12-/32. Yikes. Masscan made frighteningly light work out of them.
I've not included the network ranges in this release
If you're using kali, you should be able to run this script with this set of scripts installed:
apt-get -y install libpcap-dev screen nmap eyewitness masscan default-jre exploitdb amap socat supervisor tor proxychains parallel netcat