Pointer was developed for hunting and mapping Cobalt Strike servers exposed on the Internet at scale.


Description

Pointer was developed for hunting and mapping Cobalt Strike servers exposed to the Internet. The tool implements the complete methodology for identifying Cobalt Strike servers and is intended to speed up their detection among a large number of candidate hosts in a short time. Scanning 250k targets costs about $20 in AWS charges; we are looking for a way to make it cheaper.

Disclaimer

The tool is in beta (testing in progress). A detailed overview of its main components is given in the blog post by Pavel Shabarkin and Michael Koczwara: https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a

I recommend using a separate AWS account for scanning and mapping Cobalt Strike servers.

Install

If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):

go get -u github.com/shabarkin/pointer

or

git clone https://github.com/shabarkin/pointer.git
cd pointer
go build .

sudo is not needed for either method; running go get under sudo would install the binary into root's GOPATH rather than yours. Note that since Go 1.17 installing a binary with go get is deprecated, so on a current toolchain use go install github.com/shabarkin/pointer@latest or the clone-and-build route.

Basic Usage

Pointer is built on the AWS SQS, Lambda and DynamoDB services. Its configure subcommand deploys the required IAM, Lambda, SQS, DynamoDB and autoscaling resources automatically. To do that, Pointer needs permission to manage all of those services; for simplicity we recommend giving it an administrative account that carries every required permission. That is why I recommend a separate AWS account: an admin key gives Pointer (and anyone who obtains the key) control over everything else in that account, especially any other Lambda functions you run there.

Creating an AWS user account in the AWS Console

Instruction

  1. AWS Console → IAM → User groups → Create group: provide a name for the group and attach the "AdministratorAccess" permission policy.
  2. AWS Console → IAM → Users → Add users: provide a name for the user, select "Access key - Programmatic access", and add the user to the group created in step 1.

Video: a walkthrough of these console steps is embedded in the original README.

Setting up credentials

WARNING: The configure action requires the function.zip file to be in the directory from which you run the command. function.zip is the "Pointer server" (the Lambda handler) compiled and zipped in the format required for a Lambda deployment.


Pointer's configure subcommand has two options:

  1. Automatic deployment of the AWS environment, for which you provide the AWS credentials of the admin account:
./pointer configure -aws_access_key_id AKIA85CEHPO3GLIABKZD -aws_secret_access_key LW3bDF8xJvzGgArqMo0h4kuCYsnubU23kGICGp/p

  2. Removal of the configured AWS environment:
./pointer configure -clear

Passing the secret key on the command line leaves it in your shell history and visible to other local users via the process list; deactivate or rotate the key in IAM as soon as you have finished with the environment.

WARNING: configure writes a .env file that is loaded into global variables every time you run a subcommand. Assume it holds the admin credentials you passed to configure, since the later subcommands need them to reach your AWS account: keep it out of version control and restrict its permissions (chmod 600 .env).

Scanning

The scan subcommand has 3 options:

  1. launch the scan
  2. stop the scan
  3. check the status of the scan

Launch the scan

Pointer parses a local JSON file (ips.json) containing a list of IPs, splits them into packets of 10 IPs, and adds each packet to the SQS queue as one message to be processed:

./pointer scan -targets ips.json

The format of the ips.json file:

{
    "ips": [
        "1.116.119.120",
        "1.116.158.193",
        "1.116.186.39",
        "1.116.207.171",
        "1.116.246.188",
        ...
    ]
}

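As an added example (not Pointer's own code), the following Go program shows the pre-processing that launching a scan implies: it parses input in the ips.json layout, drops malformed and duplicate entries, and splits the remainder into packets of 10, one per SQS message. The sample input is constructed (the first five addresses are the ones shown above, the rest are RFC 5737 documentation ranges plus deliberately bad entries). Rejecting private, loopback and unspecified addresses is an addition made here so that you do not pay for Lambda invocations against hosts that cannot be Internet-exposed C2 servers; it is not documented Pointer behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// sampleTargets is constructed input in the ips.json layout: five addresses
// from the README, seven from RFC 5737 documentation ranges, then a
// duplicate, a malformed entry and an RFC 1918 address to exercise filtering.
const sampleTargets = `{
    "ips": [
        "1.116.119.120",
        "1.116.158.193",
        "1.116.186.39",
        "1.116.207.171",
        "1.116.246.188",
        "203.0.113.10",
        "203.0.113.11",
        "203.0.113.12",
        "198.51.100.20",
        "198.51.100.21",
        "192.0.2.30",
        "192.0.2.31",
        "1.116.119.120",
        "999.1.1.1",
        "10.0.0.1"
    ]
}`

// PacketSize is the batch size the README gives: 10 IPs per SQS message.
const PacketSize = 10

// targetFile mirrors the ips.json structure.
type targetFile struct {
	IPs []string `json:"ips"`
}

// ParseTargets decodes ips.json content and returns the unique, well-formed,
// publicly routable addresses in input order, plus the entries it rejected.
// Duplicates are silently dropped (they would only be scanned and billed
// twice); the private/loopback/unspecified filter is this example's choice.
func ParseTargets(data []byte) (valid, rejected []string, err error) {
	var tf targetFile
	if err := json.Unmarshal(data, &tf); err != nil {
		return nil, nil, fmt.Errorf("decoding ips.json: %w", err)
	}
	seen := make(map[netip.Addr]bool, len(tf.IPs))
	for _, raw := range tf.IPs {
		addr, perr := netip.ParseAddr(raw)
		if perr != nil || addr.IsPrivate() || addr.IsLoopback() || addr.IsUnspecified() {
			rejected = append(rejected, raw)
			continue
		}
		if seen[addr] {
			continue
		}
		seen[addr] = true
		valid = append(valid, addr.String())
	}
	return valid, rejected, nil
}

// Batch splits the target list into packets of at most size addresses,
// one packet per SQS message; a non-positive size falls back to PacketSize.
func Batch(ips []string, size int) [][]string {
	if size <= 0 {
		size = PacketSize
	}
	packets := make([][]string, 0, (len(ips)+size-1)/size)
	for start := 0; start < len(ips); start += size {
		end := start + size
		if end > len(ips) {
			end = len(ips)
		}
		packets = append(packets, ips[start:end])
	}
	return packets
}

func main() {
	valid, rejected, err := ParseTargets([]byte(sampleTargets))
	if err != nil {
		panic(err)
	}
	packets := Batch(valid, PacketSize)
	fmt.Printf("%d targets accepted, %d rejected %v, %d SQS messages to enqueue\n",
		len(valid), len(rejected), rejected, len(packets))
	for i, p := range packets {
		fmt.Printf("packet %d: %v\n", i, p)
	}
}
```

The number of packets is also the number of Lambda invocations you will pay for, so running this kind of validation before ./pointer scan is the cheapest place to catch a malformed or padded target list.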

View status of the scan

Pointer reads the SQS queue attributes and reports how many packets are still waiting in the queue to be scanned and how many are in flight (being processed by Lambda) at that moment:

./pointer scan -status


Stop the scan

To stop the scan, Pointer purges all messages (packets) from the SQS queue. Purging only discards work that has not been picked up yet: a Lambda invocation already running finishes its current packet, so expect a few more results to land in DynamoDB after the stop.

./pointer scan -stop


Dumping

All scan results are stored in two DynamoDB tables: Targets and Beacons.

./pointer dump -outfile 23.09.2021


The only controllable parameter is the suffix for the output files; all dumped results are saved as .csv and .json files in the results folder under the current directory.

WARNING: After dumping, Pointer clears the DynamoDB tables, so the files in the results folder are the only copy of the results; there is no backup in AWS.

The data samples you may find here: https://docs.google.com/spreadsheets/d/1akSzGDq8ddn97rNfr7BS0w2HcoR52ircFaSMh-OEjTU/edit#gid=311496774

Demo Video: a recorded demonstration is embedded in the original README.
