Cortana Tutorial - Armitage
Cortana Tutorial - Armitage
Cortana Tutorial - Armitage
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
3. Post Exploitation<br />
Interacting with Compromised Hosts<br />
<strong>Cortana</strong> scripts may interact with compromised hosts. Compromised hosts are shared<br />
resources between other <strong>Cortana</strong> scripts and red team members. <strong>Cortana</strong> hides this where<br />
possible. Script should never assume they have exclusive control over a compromised host.<br />
Sessions come in two flavors: shell and meterpreter sessions. Sessions are identified by a<br />
unique session id. Throughout an engagement, no two sessions will share the same id.<br />
<strong>Cortana</strong> functions and events that interact with or respond to sessions, identify each<br />
session with this id.<br />
Scripts may use the predicates -ismeterpreter id and -isshell id to quickly distinguish<br />
between a shell session and a meterpreter session. A special predicate -<br />
iswinmeterpreter id identifies Windows meterpreter sessions.<br />
Interacting with a Shell Session<br />
A shell session is a simple connection to a shell process on a compromised host. <strong>Cortana</strong><br />
scripts may send commands to a shell and receive their output.<br />
To send a command, use the &s_cmd function. This function will queue the requested<br />
command, execute it, and fire a shell event when the command completes. <strong>Cortana</strong> will<br />
also attempt to fire a shell_command event when it can figure out the first token of your<br />
command.<br />
on shell_whoami {<br />
println("[ $+ $1 $+ ] I am: $3");<br />
}<br />
on session_open {<br />
if (!-isshell $1) {<br />
return;<br />
}<br />
}<br />
s_cmd($1, "whoami");<br />
<strong>Armitage</strong> and <strong>Cortana</strong> do not allow multiple actors to use a shell session at the same time.<br />
This would create chaos. One person might change the current working directory while<br />
someone else is trying to compile a privilege escalation exploit. It doesn't work.<br />
To share a shell session, <strong>Cortana</strong> and <strong>Armitage</strong> support the concept of a shell lock. Only one<br />
team member may own a shell session at any time. If that team member or bot disconnects,<br />
their lock is automatically released.<br />
The &s_cmd function will queue commands and periodically check if the lock for a shell<br />
session is available. Once the lock is available, the queued commands will execute. After the<br />
commands are complete, <strong>Cortana</strong> will release its lock.<br />
17