Covert Command and Control over DNS with Beacon

  • Published 2 Nov 2024

COMMENTS • 5

  • @CobaltStrikeArchive
    @CobaltStrikeArchive  11 years ago

    Good question--in this video, it's not. Cobalt Strike's Java attacks require two listeners. One for Windows targets and a generic Java listener for other targets. Port 8989 was used with the reverse TCP Java Meterpreter listener.

  • @CobaltStrikeArchive
    @CobaltStrikeArchive  11 years ago

    The H77P channel is the default Beacon channel. The interface is the same, it just uses H77P to transmit data versus DNS.

  • @CobaltStrikeArchive
    @CobaltStrikeArchive  11 years ago +1

    Today, I dropped another Cobalt Strike update. Each feature in Cobalt Strike comes from my wish list, tools I felt I needed when I was doing red team work. One of my biggest wishes--a turn key capability to control a system over DNS. This release has it.
    Here are the highlights:
    * It's now possible to control Cobalt Strike's Beacon entirely over DNS. This capability is a feature in the windows/beacon_dns/reverse_http payload. Deploy Beacon, open its console, and type 'mode dns' to switch to DNS communication. Use 'mode http' to switch back to HTTP as a data channel. This mode change is signaled over DNS, use it to recover Beacon if HTTP communication is no longer possible or desirable.
    blog.strategiccyber.com/2013/06/06/dns-command-and-control-added-to-cobalt-strike/
    * The ability to use Beacon over DNS does not solve the problem of getting it to the target. For situations where DNS is the only way out, it's possible to stage Beacon with many of Cobalt Strike's social engineering packages. Generate an executable, send an applet, deliver a smart applet, or create a malicious macro that downloads Beacon over DNS and injects it into memory. Between this feature and the new DNS communication mode, it's possible to control a compromised system without it ever communicating directly with the attacker.
    The following YouTube video demonstrates this DNS communication capability in action:
    Covert Command and Control over DNS with Beacon
    * Cobalt Strike's listener management feature now automatically encodes the second stage of Windows listeners. This is a transparent, but important change. The Metasploit Framework breaks its payloads up into stages. In the past, there was no way to obfuscate the second stage. A successful attack would result in a compromised system downloading a DLL from the attacker, in the clear. This staging process is a great opportunity for a defense team to catch an attack. This automatic encoding will make it harder for a defender to detect red team activity.
    * By request, this version of Cobalt Strike adds the ability to manage SSH keys in a team-friendly way. Simply right-click a host, go to Login -> ssh (pubkey), and a dialog will pop up. Choose a key to upload to the team server or select from a previously successful key.
    As usual, there are several fixes and improvements in this update as well. The full change list is at:
    www.advancedpentest.com/releasenotes.txt
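    The release note above describes a beacon whose tasking and output travel entirely inside DNS queries, so the traffic a defender sees is a stream of lookups for ever-changing subdomains of one attacker-controlled zone. The following script is an added example written for this page from the defender's side; it is not Cobalt Strike code and does not come from the video or its author. It parses a constructed DNS query log (the "time client qname qtype" format, the sample hostnames, and the detection thresholds are all assumptions made here) and profiles each registered domain by how many of its subdomains are unique, how long and how random-looking the leftmost label is, and how often record types such as TXT are requested. Domains that trip several of these heuristics at once are the ones worth reviewing for a DNS data channel.

```python
import math
import re
from collections import defaultdict

# Constructed sample log. Format assumed here: "<time> <client> <qname> <qtype>".
# The first zone models a DNS channel (one unique, random-looking label per query);
# the second models ordinary browsing traffic against the same resolver.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 a9f3c2e1d4b7.example-c2.test A
10:00:02 10.0.0.5 7b2e9d1c0a5f.example-c2.test A
10:00:03 10.0.0.5 c4d8e0f21a3b.example-c2.test TXT
10:00:04 10.0.0.5 e1a2b3c4d5f6.example-c2.test TXT
10:00:05 10.0.0.5 0f9e8d7c6b5a.example-c2.test A
10:00:06 10.0.0.5 5a6b7c8d9e0f.example-c2.test A
10:00:07 10.0.0.5 www.example-news.test A
10:00:08 10.0.0.5 cdn.example-news.test A
10:00:09 10.0.0.5 www.example-news.test A
10:00:10 10.0.0.5 mail.example-news.test MX
10:00:11 10.0.0.5 www.example-news.test A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Record types commonly used to carry data downstream because they hold long payloads.
DATA_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score near log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. A real deployment
    # should consult the public suffix list so "example.co.uk" is handled correctly.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def profile_domains(records):
    """Aggregate per registered domain the features that distinguish a data channel."""
    acc = defaultdict(lambda: {"n": 0, "names": set(), "ent": 0.0, "len": 0, "data": 0})
    for r in records:
        s = acc[registered_domain(r["qname"])]
        leftmost = r["qname"].split(".")[0]
        s["n"] += 1
        s["names"].add(r["qname"])
        s["ent"] += shannon_entropy(leftmost)
        s["len"] += len(leftmost)
        s["data"] += r["qtype"] in DATA_QTYPES
    return {
        dom: {
            "queries": s["n"],
            "unique_ratio": len(s["names"]) / s["n"],   # 1.0 = every query a new name
            "avg_entropy": s["ent"] / s["n"],
            "avg_label_len": s["len"] / s["n"],
            "data_qtype_ratio": s["data"] / s["n"],
        }
        for dom, s in acc.items()
    }


def flag_suspicious(profiles, min_queries=5, unique_ratio=0.8,
                    avg_entropy=3.0, avg_label_len=10, min_reasons=2):
    """Return {domain: [reasons]} for domains that trip at least min_reasons heuristics.
    Thresholds are assumptions for this sample; tune them against your own baseline."""
    flagged = {}
    for dom, p in profiles.items():
        if p["queries"] < min_queries:
            continue
        reasons = []
        if p["unique_ratio"] >= unique_ratio:
            reasons.append("mostly unique subdomains")
        if p["avg_entropy"] >= avg_entropy:
            reasons.append("high-entropy labels")
        if p["avg_label_len"] >= avg_label_len:
            reasons.append("long labels")
        if len(reasons) >= min_reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in flag_suspicious(profile_domains(parse_log(SAMPLE_LOG))).items():
        print(f"{dom}: {', '.join(why)}")
```

    In the sample, only example-c2.test is reported, because every query carries a fresh twelve-character label while the news site repeats a handful of short names. Volume and timing matter too: a host that keeps issuing such lookups on a steady interval, or whose resolver forwards them to an authoritative server outside the organisation, is the signal that the note's "without it ever communicating directly with the attacker" describes, so pairing this per-domain profile with per-client query rates and resolver logs is the natural next step.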

  • @justingtq13
    @justingtq13 11 years ago

    Do you also have a video for the covert channel over h77p (obfuscated)? Would be great if you could post one. TIA

  • @justingtq13
    @justingtq13 11 years ago

    Where is the port 8989 used?