[Backup] How Did I Take Over CobaltStrike Servers Hi folks, today I would like to share how I take over some Cobalt Strike TeamServers with Quake and Password Spray Attack. From the perspective of a threat hunter, it is good to track C2 servers on the Internet. From the perspective of a hacker, it is good to compromise a host, but it is better to compromise a C2 team server and then take over all compromised hosts connected to the team server : D Recon Before exploitation, we need to recon. Here I use Quake(https://quake.360.net) to find a list of Cobalt Strike with weak credentials. Quake is something which is similar to Shodan. The query sentence should be  response:“\x00\x00\xca\xfe” AND port: “50050” What does it mean? Quake will try some very simple passwords to connect to Cobalt Strike Team Server. If the authentication is successful, Cobalt Strike Team Server will return “\x00\x00\xca\xfe” in response. According to search results, there are 417 records, 191 unique IPs currently. Of course, if you do not specify the default port, you could get more results. To get complete and detailed information, a subscription of Quake is recommended. After getting these results, then export IP of these Team Servers as a file. So, let’s use Password Spray Attack against these Team Servers! Exploitation Just a disclaimer, it is unethical and even illegal to actually take over those Team Servers. The article is just a proof of concept, it does not encourage anyone to pwn those servers, even they may belong to unethical hackers. Because Cobalt Strike Team Server has rate limit, it is not wise to brute force a single Team Server with a big password list. Instead, we can use spray a single simple password to a list of Team Servers. I download and modify a script from https://github.com/ryanohoro/csbruter to enable it to launch Password Spray Attack. Oh, among these 158 Team Servers, 24 of them use the same simple password! Just select one and try to log in! Oh no! The version of your client should match target Team Server’s! Actually most of these Team Servers’ version are 4.0 lol. Try another one, cool, there are a lot of bots controlled by the Team Server! By this way we are able to successfully find and take over some Cobalt Strike Team Servers! Tips The list I used is absolutely not an exhaustive list of Team Server with a weak password. If you want to find more Team Servers with a weak password, here are some tips 1: Remove the specified port and modify the script. 2: If a Team Server does not show up in previous search results, it does not mean the Team Server has a strong password, since Quake will only try some simplest passwords like 123123, 123456, password, etc. 3: Just try different fingerprinting methods to get a large list of Cobalt Strike Team Servers, and then spray a single simple password to them. If you are lucky, you will take over many Team Servers from the list : P Thanks for reading! Happy hacking!