Description
The Pointer was developed for hunting and mapping Cobalt Strike servers exposed to the Internet. The tool includes the complete methodology for identifying Cobalt Strike servers. It is intended to speed up the process of detecting Cobalt Strike servers among a large number of potential targets in a short period of time. The cost of scanning 250k targets is about 20$, however we are looking for a solution that will make it cheaper.
Disclaimer
The tool is in beta stage (testing in progress). A detailed overview of main components of the tool is described in the blog post prepared by Pavel Shabarkin and Michael Koczwara: https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a
I recommend using a separate AWS account for scanning and mapping Cobalt Strike servers.
Install
If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):
sudo go get -u github.com/shabarkin/pointer
or
sudo git clone https://github.com/shabarkin/pointer.git
sudo go build .
Basic Usage
The tool is developed and largely based on AWS SQS, Lambda and DynamoDB services. Pointer has a configure subcommand for automatic deployment of IAM, Lambda, SQS, DynamoDB, and Autoscaling services. To configure all of these services Pointer needs permissions to manage them, for simplicity we recommend providing Pointer with an administrative type account that includes all of the necessary permissions. That's why I recommend using a separate AWS account, especially if you use other Lambda functions within your AWS account.
Creating an AWS user account in the AWS Console
Instruction
- AWS Console → IAM → User groups → Create Group → 1. Provide name of the group 2. Attach permission policy "AdministratorAccess".
- AWS Console → IAM → Users → Add Users → 1. Provide name of the user 2. Select "Access key - Programmatic access" → Add user to group (What we've created)
Video
Setting up credentials
WARNING: The configuration action requires the function.zip file to be located within the directory, where a user runs the command. The function.zip file is actually a "Pointer server" compiled and zipped to the format required for a Lambda deployment.
Pointer has the configure subcommand with two options:
- Automatic deployment of AWS environment where you need to provide AWS credentials of the admin account:
./pointer configure -aws_access_key_id AKIA85CEHPO3GLIABKZD -aws_secret_access_key LW3bDF8xJvzGgArqMo0h4kuCYsnubU23kGICGp/p
- Cleaning of the configured AWS environment
./pointer configure -clear
WARNING: It creates .env file, which is loaded to global variables each time you call subcommands.
Scanning
The scan subcommand includes 3 options: 1. launch the scan 2. stop the scan 3. check the status of the scan
Launch the scan
The Pointer tool parses the local json file (ips.json) with a list of IPs, optimally splits them into packets (10 IPs), and then adds the packets to be processed to the SQS queue:
./pointer scan -targets ips.json
The format of the ips.json file:
{
"ips": [
"1.116.119.120",
"1.116.158.193",
"1.116.186.39",
"1.116.207.171",
"1.116.246.188",
...
]
}
View status of the scan
The Pointer retrieves information about the SQS Queue, how many packages are in the queue and waiting to be scanned, and how many packages are being processed at the current moment:
./pointer scan -status
Stop the scan
To stop the scan, Pointer purges all the messages (packages) from the SQS Queue:
./pointer scan -stop
Dumping
All the scan results are stored in DynamoDB tables: 1. Targets, 2. Beacons.
./pointer dump -outfile 23.09.2021
The only controllable parameter is the suffix for the output file, all the dumped results are saved to the to the .csv, and .json files in the results folder (current directory):
WARNING: After result dumping, Pointer clears the DynamoDB tables, so you won't have a backup of the results obtained, only the one saved in the results folder.
The data samples you may find here: https://docs.google.com/spreadsheets/d/1akSzGDq8ddn97rNfr7BS0w2HcoR52ircFaSMh-OEjTU/edit#gid=311496774
