SSH Sessions
The SSH Client
Cobalt Strike controls UNIX targets with a built-in SSH client. This SSH client receives tasks from and routes its output through a parent Beacon.
Right-click a target and go to Login -> ssh to authenticate with a username and password. Go to Login -> ssh (key) to authenticate with a key.
From a Beacon console, use ssh [pid] [arch] [target] [user] [password] to inject into the specified process to run an SSH client and attempt to login to the specified target. Use ssh [target] [user] [password] (without [pid] and [arch] arguments) to spawn a temporary process to run an SSH client and attempt to login to the specified target.
You may also use ssh-key [pid] [arch] [target:port] [user] [/path/to/key.pem] to inject into the specified process to run an SSH client and attempt to login to the specified target. Use ssh-key [target:port] [user] [/path/to/key.pem] (without [pid] and [arch] arguments) to spawn a temporary process to run an SSH client and attempt to login to the specified target.
The key file needs to be in the PEM format. If the file is not in the PEM format then make a copy of the file and convert the copy with the following command: /usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p.
These commands run Cobalt Strike’s SSH client. The client will report any connection or authentication issues to the parent Beacon. If the connection succeeds, you will see a new session in Cobalt Strike’s display. This is an SSH session. Right-click on this session and press Interact to open the SSH console.
Type help to see a list of commands the SSH session supports. Type help followed by a command name for details on that command.