Information Gathering With Cobalt Strike

In a previous post, I began my exploration of Cobalt Strike. That post served as a general overview of the tool. However, the more I look into the tool, the more capabilities I learn about. Watching the fantastic Advanced Threat Tactics videos has been tremendously helpful. Taking heavy inspiration from them, I wanted to dig into these capabilities. For this post, I wanted to learn more about the System Profiler. I figured that as long as I was learning about it, I should write it up to share with the class.

Setup

In the earlier post, I went over how to get started with the tool, so reference that for getting your teamserver and client up and running. For this post, I'll start from the main screen of Cobalt Strike. I'll first navigate to Attacks -> Web Drive-By -> System Profiler.

A dialog box will pop up to configure our profiler. As with most modules within Cobalt Strike, it is pretty self-explanatory. Set up your URI, host, port, and redirect URL.

You'll also notice that I unchecked the "Use Java Applet to get information" box. The video explains that this is done because modern browsers would require a code-signing certificate in order for Java to work. Once we launch, we'll see a success box showing that the service has been started, as well as the URL we should use for our attack.

A quick sidebar to talk about the lab setup. I'll be using a pretty stock Windows Server 2016 with Windows Defender removed. This is really just a result of me being lazy. I hope to eventually cover AV evasion techniques with Cobalt Strike, but for now I'll take the easy route.

Usage

Now that we have our profiler started, we can move over to our victim machine and browse to the provided URL. Browsing to the URL will almost instantly redirect to the chosen redirect.

Back in Cobalt Strike, the connection has been logged in the event log.

Notice how it mentions 3 applications. If I want to find more info about these applications, I'll browse to View -> Applications.

This will show me all the information the System Profiler was able to gather on the target machine's installed applications.

Another source of information is the Web Log. Just go to View -> Web Log and there will be a full log of the actions the victim browser took.
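From the defender's side, the behaviour described in this section leaves a recognisable trace in proxy or web-server logs: a client fetches a URL on one host, gets a 3xx response, and within the same second lands on a page on a different host (the configured redirect). The following script is an added example written for this post, not Cobalt Strike code and not the author's; it parses a handful of constructed log lines in a simplified combined-log layout (the format, hosts and timestamps are all assumed) and flags cross-host redirects that complete within a short window, while ignoring same-host redirects such as ordinary login flows.

```python
"""Flag profile-then-redirect hops in web-proxy logs (added example, constructed data)."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log lines (not captured traffic). Layout assumed for this example:
#   client_ip [timestamp] METHOD url status "user_agent"
SAMPLE_LOG = """\
10.0.0.5 [2019-03-04 10:15:01] GET http://198.51.100.20/dl 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 [2019-03-04 10:15:01] GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 [2019-03-04 10:16:30] GET https://intranet.example.com/login 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 [2019-03-04 10:16:30] GET https://intranet.example.com/home 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.9 [2019-03-04 10:20:00] GET https://www.example.com/news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed log layout into a list of request dicts."""
    requests = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, ts, method, url, status, ua = m.groups()
        requests.append({
            "client": client,
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
            "status": int(status),
            "user_agent": ua,
        })
    return requests


def find_profiling_redirects(text, window_seconds=2.0):
    """Return hops where a client got a 3xx from one host and, within
    window_seconds, fetched a page on a different host.

    Same-host redirects (e.g. /login -> /home) are ignored, so the output is a
    list of cross-host bounces worth a closer look, not a verdict.
    """
    by_client = {}
    for r in parse_log(text):
        by_client.setdefault(r["client"], []).append(r)

    window = timedelta(seconds=window_seconds)
    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["time"])  # stable sort keeps log order for ties
        for first, nxt in zip(reqs, reqs[1:]):
            if not 300 <= first["status"] < 400:
                continue
            if nxt["time"] - first["time"] > window:
                continue
            if nxt["host"] == first["host"]:
                continue
            hits.append({
                "client": client,
                "profiler_url": first["url"],
                "redirect_target": nxt["url"],
                "user_agent": first["user_agent"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_profiling_redirects(SAMPLE_LOG):
        print(f"{hit['client']} requested {hit['profiler_url']} "
              f"and landed on {hit['redirect_target']} within the window")
```

On the constructed data only the 10.0.0.5 hop is reported; the intranet login redirect stays on one host and is skipped. In a real environment this heuristic is noisy on its own (URL shorteners and single sign-on both bounce across hosts), so treat the output as a triage list and add an allow-list of known redirectors before alerting on it.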

Conclusion

I realize that this has been a rather short post, but that really goes to show just how easy the System Profiler is to use. In a real-world scenario, this would have to be paired with some social engineering to convince your victim to visit the URL. Set up well enough, the user might not even realize they've been tricked into sending over this information. Once the information has been obtained, it can be used to craft a very specific payload based on the running applications and their version numbers. If you're at all interested in learning more about Cobalt Strike, I highly recommend watching the Advanced Threat Tactics videos. Thanks for reading and never stop gathering information!

Ryan Smith

About Ryan Smith

Ryan Smith is an information security professional specializing in penetration testing. He has years of experience both as an in-house pen tester and as a consultant.