Strategic Cyber Cobalt Strike
Strengths: Built around the powerful Metasploit framework, excellent pre-built training environment.
Weaknesses: A lot of the tool’s functionality is also available via free, open source software.
Verdict: Cobalt Strike adds enough value in the form of pre-compiled attack packages, social engineering features and reporting to make it worth the price.
Despite its colorful marketing approach, Strategic Cyber's Cobalt Strike application is a serious penetration testing and educational tool. Written by the creator of the popular Armitage collaboration tool for Metasploit, this "commercial big brother" to that software takes a targeted attack-focused approach to penetration testing.
The product setup wasn't difficult. It was delivered to us in a retail package containing a printed manual and DVD. This DVD contained a number of virtual machines intended for use in an educational environment, along with the product itself. We imported the included virtual machines into our virtual environment, installed the actual product as specified in the product documentation (a simple .tgz extraction), and we were ready to go. Users choosing to install the software outside of the provided VMs will likely find themselves dealing with a number of software prerequisites. Those users will find familiarity with Linux helpful, although the target audience for this software will already be familiar with multiple operating systems.
A Java application built on top of the open source Metasploit framework and Armitage collaboration applications, Cobalt Strike neatly packages those tools and focuses on leveraging them with its own collection of threat emulation software. Users of Armitage will instantly be familiar with the interface. The GUI enables testers to easily scan target hosts, determine running services and launch attacks against them. This offering makes it easy for testers to create sophisticated phishing attacks by simply cloning legitimate sites and crafting phishing emails to match. Scripting support is enabled via the product's integration with the Cortana scripting language, enabling testers to create bots that can scan targets and launch attacks. Once an attack lands successfully, maneuvering further into the target network is simplified via the use of easy-to-deploy proxy or VPN pivots. When all else fails, the "Hail Mary" option scans the host and launches any exploit it believes will result in a successful attack.
The Cobalt Strike documentation is quite thorough. The DVD contained a PDF with steps designed to teach the basics of using the product by launching exploits against the included exploitable VM hosts. The printed manual provides a higher-level view of the solution, covering the philosophy behind each primary function and basic instruction in their use. This manual is also available as a .PDF file on Strategic Cyber's website, alongside a number of other FAQs, tutorials, and videos covering individual product features. We also found the developer's blog an interesting resource. In it, he covers a number of use cases for the product and penetration testing in general - even discussing methods for cracking his own product.
Strategic Cyber's support is quite limited, with eight-hours-a-day/five-days-a-week email aid as the only direct option - not entirely unexpected considering the fact that the product is developed and maintained by a single individual.
Cobalt Strike is priced at a flat £1,507 per user per year. Support is included with an up-to-date license.
Prices are US-based, thus indicative only.