Cobalt Strike

15 May 14 - Cobalt Strike 1.49
---------
- Worked around invisible text selection bug with latest Java on Kali

13 May 14 - Cobalt Strike 1.49
---------
+ Fixed Beacon HTTP Stager bug on Windows XP
+ Worked around VBA syntax error caused by stagers that are too long.

23 Apr 14 - Cobalt Strike 1.49 (NCCDC Edition)
---------
- Keyboard shortcuts to change text size now work in table view
+ Browser Pivoting now uses a self-signed cert that expires in 10 years
+ Added ability to assign a non-persistent note to a Beacon
- Added Copy button to View -> Creds
+ Beacon's process injection now falls back to APC Queue process injection
  technique when CreateRemoteThread fails.
+ Listeners dialog now complains if you try to use an out-of-range port
+ Beacon DNS processor now lowercases all requests. 
+ Beacon's HTTP stager now prompts user for proxy creds when proxy 
  authentication fails. This prompt is the same one Internet Explorer uses.
- Services tab right-click menu now has options to edit a service's info
- YAML parser now gives better errors and forgives errant whitespace
- CS now intercepts shell command with arguments and spawns a command shell.
+ Beacon socks command prints an error if it can't bind the requested port
+ [beacon] -> Sleep menu now lets you specify a jitter factor.
+ Beacon's 'meterpreter' command now automatically changes the sleep time to
  something interactive.
+ Windows Executable (S) Package now has raw and PowerShell output
+ Fixed a bug that broke features when a custom Artifact Kit is loaded
- Logging now deals with IPv6 addresses better for Windows users
- Launching psexec at 4+ hosts will no longer open a tab for each host
- Cobalt Strike no longer allows two buttons with the same name in its team
  server button bar.
+ Listeners dialog now warns when Beacon hosts/domains list is too long
+ Beacon's spawn and meterpreter commands now create processes in a 
  suspended state and inject into rundll32.exe by default.
+ Beacon's spawn and meterpreter commands no longer use the impersonated 
  token to create the process to inject code into. This change reduces 
  "surprises" for you and gives you the flexibility to steal a token or 
  getsystem from the new session 

Cortana Updates (for scripters)
--------
- Added &script_load to load a script (as if the user did this)
- Added &script_unload to unload a script

13 Mar 14 - Cobalt Strike 1.48 (NECCDC Edition)
---------
+ PsExec now waits longer for a session
+ Added timestomp command to Beacon
+ Beacon's bypassuac now waits up to 10s for privileged file copy to complete
+ Beacon's 'meterpreter' command now checks for a pivot that could interfere
  with staging meterpreter through Beacon and presents a warning about it.
- Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported 
  through View -> Reporting -> Export Data)
+ Added Attacks -> Packages -> Windows Executable (S) to export a staged
  Beacon as a DLL or executable.
- Added osx-app to Output: type for payloads. Outputs a zipped MacOS X
  app archive.
+ Auto-Exploit Server now uses MSF's HTTP stager for Beacons. The custom stager
  is too big for most of MSF's client-side attacks.
- Scrubbed Cobalt Strike to eliminate unnecessary blocking calls from Sleep
  source code. This improves Cobalt Strike's responsiveness and takes away
  many opportunities for deadlock.
- Sync Files for Loot and Downloads is now much better with large files
+ Beacon now warns you when you try to upload a file bigger than its 1MB limit
- Cobalt Strike now properly notifies you when you lose a connection to a 
  team server. This was probably a long time coming.

27 Feb 14 - Cobalt Strike 1.48
---------
+ Beacon now reports Windows 8.1 correctly.
+ Beacon's interactive mode (sleep 0) is now 10-100ms delay between requests
+ Windows Dropper attack now uses a language-neutral method to determine
  Documents folder to write dropped file to.
+ Beacon's Task URL command now uses EXITFUNC of process to prevent metasploit
  generated shellcode from crashing after executed program closes.
+ Worked around known Java bug that prevents Spear Phishing HTML Preview from
  displaying text when a META tag is present.
+ Added Pivot Listeners--a listener that calls home through an existing 
  Meterpreter session. Go to [host] -> Meterpreter -> Pivoting -> Listener...
+ Added WebRTC IP address decloak to System Profiler. Based on technique at:
  https://github.com/natevw/ipcalf
+ Beacon's 'meterpreter' command now uses bind_tcp shellcode that binds to 
  127.0.0.1 explicitly. This will prevent some host firewall warnings.
+ Modified MSF's HTTP stager to specify a User-Agent. This is necessary to
  get through proxies that whitelist browsers. This modified stager is used
  to stage Beacon via Social Engineering Packages and when you task a Beacon
  to spawn a new Beacon for you.
+ Added Attacks -> Packages -> Payload Generator to output sourcecode or an
  artifact to deliver a Cobalt Strike payload to a host.
+ Added windows/beacon_smb/reverse_tcp payload to listeners dialog. This 
  will deliver a Beacon peer to a host (staged over a reverse TCP connection).
  You must have an HTTP or DNS Beacon setup before you create this listener.
+ Beacon SMB (reverse_tcp/bind_tcp) now kills the socket used to stage it.
+ Beacon now obfuscates session metadata better.
+ Added several commands for privilege escalation and token stealing to
  Beacon: steal_token, getuid, rev2self, getsystem, and bypassuac. This change
  gets one entry in this log but it was a lot of added grey hair to pull off
+ Beacons tab now shows a * next to user to indicate Beacon is run as admin
+ Type upload[enter] in a Beacon to immediately see a file chooser dialog
- Windows opened by Ctrl+W now show the proper application icon.
- Cobalt Strike now uses a JFrame to display its dialogs. This will give each
  window its own button in the taskbar regardless of window manager.
+ Beacon's inject and spawn commands will now deliver a DNS Beacon over DNS
  [just use spawn [listener] (DNS)]
+ Took steps to suppress "host called home" messages in Beacon console for
  data relayed through a P2P link/SOCKS pivot. 
+ Beacon auto-migrate now spawns a process that isn't notepad.exe ;)

8 Jan 14 - Cobalt Strike 1.48
--------
+ You may now assign a host on a per listener basis. Useful if you'd like a 
  listener to call home to a FQDN, an IPv6 host, or a hop point.
+ Added "shell (connect to target)" to PsExec dialogs.
+ Spear Phishing Preview now renders HTML and Plain Text previews of message
+ System Profiler is now compatible with IE11 and it detects Windows 8.1
+ Added an option to disable Java Applet with System Profiler. This will pull
  less information, but it also prevents click-to-run raising suspicion
+ Attacks -> Packages -> Windows EXE now generates an x86 EXE, x86 DLL, 
  x86 Service EXE, and an x64 DLL. These artifacts are generated by Cobalt
  Strike. Source code to this Artifact Kit is in the Cobalt Strike arsenal.
+ Added Attacks -> Packages -> Windows Dropper. This package drops a document
  to disk and opens it, while silently executing a payload.
+ Ported MSF's MS Office Macro Attack to Cobalt Strike with a few enhancements.
  Updated Office Macro now intelligently spawns payload into an x86 process--
  allowing the same macro to work when run on x86 or x64 Office. This also
  keeps your session safe if the user closes Office before you can migrate.
! Removed Attacks -> Packages -> Adobe PDF. This feature references a 
  Metasploit Framework module that is no longer very useful.
! Removed Attacks -> Packages -> MacOS X Trojan. This one was my fault.
+ Cobalt Strike now uses Artifact Kit to generate executables for its lateral
  movement dialogs. [host] -> Login -> psexec and psexec (token)
- Cobalt Strike.app for MacOS X now works with Oracle's Java 1.7
+ Added Microsoft Silverlight detection to the System Profiler
+ Updated client-side attack database with the latest and greatest
- Cobalt Strike console is now a mouse hot spot. Right-click a host in the
  console to see its menu. Click a module to open the module's launcher
- Cobalt Strike module launch console ignores false meterpreter prompt from
  msfrpcd after a successful exploit job is run. This work-around isn't
  perfect but it's much better than doing nothing.
- hashdump and wdigest menus now add usernames with spaces to creds table
+ Attacks -> Web Drive-by -> Firefox Add-on now uses Artifact Kit to generate
  an executable for its payload.
- IPv6 reverse sessions now associate with their host properly.
+ Added [listener] -> Debug... to restart a listener in a console where you
  can directly observe its output (and error messages)
+ Removed Set LHOST from View -> Beacons. Since LHOST no longer affects
  the listener callback address--it made sense to do this.
+ Cobalt Strike web server now uses proper MIME types for MS Office 2007 docs

21 Nov 13 - Cobalt Strike 1.48
---------
- Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps too
- Added another check to detect and correct a corrupt module cache
- [host] -> Operating System -> Firewall works again.
+ Browser Pivoting now supports 64-bit Internet Explorer
+ Added peer-to-peer communication to Beacon. Use 'mode smb' to put turn a
  Beacon into a peer node. Use 'link [ip address]' to link a Beacon to a 
  peer. You may recursively link peers as well.
+ Beacon DNS C2 is now more robust.
+ Default port for MSF exploits in auto-exploit server is now 8080
+ Reporting Engine now links ZDI advisories
- You can now set PAYLOAD for windows/local/wmi exploit
+ Added [host] -> Login -> psexec (token+psh) to run current_user_psexec with
  the PowerShell injection technique.
+ Added [host] -> Login -> wmi (token+psh) to run windows/local/wmi with the
  PowerShell injection techniques. WMI is another option for lateral movement
+ Beacon checkin command now displays output stating the task was added
+ Beacon console now logs to a separate file for each beacon
+ Browser Pivoting now shows output/errors from reflective DLL injection step
+ Updated client-side attack database
+ Listener "sanity check" feature now gives the old non-HTTP listener more time 
  to close before warning that the listener may fail.
+ PsExec windows/meterpreter/bind_tcp payload option now encodes second stage
- Default meterpreter/reverse_tcp listener now encodes its second stage
+ Browser Pivoting can now connect to sites on non-standard ports
+ Added a check to prevent user from creating multiple beacon listeners on one
  Cobalt Strike instance.
+ Added Permissions and Application-Name to Signed Java Applet manifest. This
  supresses a big warning on the latest version of Java 1.7
+ Some PsExec options show 'beacon (connect to target)' as a listener option. 
  This will deliver Beacon setup as a peer. Link to it from another Beacon.
+ Beacon now times out WinINet requests after 4 minutes. If something traumatic
  happens to your poor Beacon, you'll get it back in 4 minutes. This is better
  than the WinINet default of 60 minutes.
+ Beacon now automatically checks in when a file download is in progress.

26 Sept 13 - Cobalt Strike 1.47
----------
- Fixed webcam selection logic that I broke last update.
+ Adjusted max RPC messages/second to 200 (from 20). This mitigates a message
  backlog from multiple interactive beacons.
+ Beacon's 'meterpreter' command now initiates a connection to localhost
  (tunneled through Beacon, of course) instead of the host's known external 
  address. This makes a session more likely to happen in most cases.
- Added a helper for PATH option
+ System Profiler now translates internal host 127.0.0.1 -> unknown. If you
  use this information to determine if an applet ran, look in the web log.
  The System Profiler will report a note to state that this change happened.
+ Added CVE-2013-2465 to Smart Applet Attack. This expands the Smart Applet
  Attack coverage to users with Java 1.6.0_45 or earlier.
- Java 1.6 is no longer a supported environment to run Cobalt Strike. Added
  a warning message to indicate as much.
+ Added Browser Pivoting to Cobalt Strike. A Browser Pivot is a proxy server 
  that fulfills requests with a target's browser (Internet Explorer 32-bit 
  only). This setup convienently inherits the user's cookies, HTTP
  authenticated sites, and client-SSL certificates too. To set it up:

	[host] -> Meterpreter -> Explore -> Browser Pivot

+ System Profiler now detects MS Office in some cases.
- Connect dialog now masks the password field.
+ Updated client-side attack database with new additions
- Cobalt Strike no longer allows you to start msfrpcd on Windows. It shows an
  error stating that you need to connect to a team server on Linux.
- Fixed a potential deadlock when opening a module launcher dialog.
+ Small changes to make the applet kit more robust.
+ Cobalt Strike now performs sanity checks when starting a listener. If a port
  is bound, Cobalt Strike will notify you.

21 Aug 13 - Cobalt Strike 1.47
---------
- Fixed a potential deadlock when updating the host display
- Updated multiplexing code to be compatible with enumdesktops command
- Updated multiplexing code to be compatible with webcam_list command
- You may now choose which camera to take a Webcam Shot from
- Close button now shows w/ Cobalt Strike dialogs on Kali Linux.
- Module Launcher dialog is now always active when opened.
- EXE::Custom is no longer treated as an advanced option. When available it's 
  always present for you to modify in a module.
- Meterpreter -> Access -> Persistence now uses the local exploit module
  (default settings now work without tweaks too)
- Meterpreter -> Access -> Pass Session and Process -> Inject now use the
  payload_inject local exploit module.
- Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz's
  wdigest command, to retrieve plaintext creds.
- Cobalt Strike now uses a better method to shuttle files to team server and
  notify you of the progress of this action.
+ Added [host] -> Login -> psexec (psh) to run PsExec with PowerShell module
+ Added a Help button to psexec dialogs.
+ Added 'meterpreter' command to Beacon--spawns a Meterpreter session that
  tunnels through Beacon's C2 channel.
- Made multiplexing code smarter about load and use commands.
+ Beacon stage encoding process now has a much higher timeout. On slower
  systems, the encoding process could exceed this timeout.
+ Added ability to specify a jitter factor with Beacon's sleep command. The
  jitter factor is a random percentage for Beacon to vary its sleep time with
+ Beacon download command now sends files, one piece with each checkin
- Added a check to detect a corrupt module cache and clean it. If you see a 
  message asking you to restart the Metasploit Framework... please heed it.
- Added ANSI color markup to Cobalt Strike's console output. It's less scary
  than the default messages and it's nicer to look at.
- Added cmd/unix/reverse to payload selection logic.
+ Java Applet attacks now take steps to prevent loading injector DLL twice.
+ Java Applet attacks now inject shellcode on Windows 64bit JVMs too.
+ Added CVE-2013-2460 to Cobalt Strike's Smart Applet Attack
+ Auto-exploit server eliminates "smart applet" attack if system profiler did
  not IP address through Java applet (indicating that applets don't auto run)
+ System Profiler now annotates 64-bit Windows and Internet Explorer
+ Added an option to mask email addresses in the social engineering report
+ Added an option to mask passwords in the hosts report
- Updated the payload output formats to match what's now possible in MSF
+ Fixed bug that sometimes prevented profiler associating info w/ phished user
+ Renamed Beacon -> Download to Beacon -> Task URL
+ Beacon's DNS C2 now recovers from a failed conversation more quickly
+ Beacon SOCKS Proxy capability is now faster and more robust
+ Cobalt Strike Listeners feature now uses a different encoder for the second
  stage of Meterpreter.
- [host] -> Login options set DB_ALL_CREDS to false.

9 Jul 13 - Cobalt Strike 1.46
--------
+ System profiler now uses a fallback measure to detect Java and report its
  version information to you. Necessary for latest IE10 update.
+ Beacon will no longer attempt to report keystrokes if it could not make a
  GET request to checkin. This prevents logged keystrokes from getting lost
  if one of your checkin domains is blocked or otherwise unavailable.
+ Added pivoting capability to Beacon. Use "socks [port]" to start a SOCKS4a
  proxy server that relays traffic through the Beacon instance. This works
  regardless of the type of Beacon or communication strategy in use. Use
  "socks stop" to stop the proxy server for that Beacon. 
+ Added checkin command to ask Beacon to connect to you and dump keystrokes.
  This command is necessary as the DNS Beacon does not connect to you unless 
  one or more tasks are waiting for it.
+ HTTP Beacon now sends output after task execution as a single POST request.
+ Added 'mode dns-txt' to Beacon. This sets the Beacon data channel to use 
  DNS TXT records. This mode transmits ~189 bytes per request versus 4 bytes 
  per request with 'mode dns' which uses DNS A records.
+ Increased Beacon DNS data channel output throughput to 84 bytes/request. Up
  from 28 bytes/request. This output method is used with both DNS channels.
+ Fixed a race that could prevent generation of Beacon stage when setting up
  the listener.
+ Fixed Beacon key generation bug. Some bytes in the key could end up null.
  When this happened, you'd get a non-responsive Beacon (e.g., it will always
  seem to "die" after a task). This is fixed. If you've see this behavior, 
  you'll need to force Cobalt Strike to generate a new key. To do so, stop 
  Cobalt Strike and change to the folder you normally start Cobalt Strike 
  from and type:

	rm -f .cobaltstrike.beacon
+ Updated client-side attack database with new additions
+ Website Clone Tool now follows 301 (permanent) redirects
- Removed sunrpc and dcerpc modules from MSF Scans feature
+ quick-msf-setup's Git option is now based on DarkOperator's msf_install.sh
  script. The updater script now updates quick-msf-setup as well.

6 Jun 13 - Cobalt Strike 1.46
--------
+ Added Login -> ssh (key) to let you login to a host with an SSH key file
  or select from a key that worked previously.
+ Added a helper to KEY_FILE to let you select from a known-working SSH key
  or specify one to upload.
- Added vmauthd to the Login menu
+ Fixed Beacon's "automatically migrate option"
+ Spear Phish dialog now warns on missing or incomplete parameters again.
- Increased the number of modules run in response to services found during
  a sweep with the MSF Scans feature.
- Attack menu attached to host now splits menus up if there are more than
  10 items. This will help with the webapp and http menus.
+ Beacon no longer gets confused when a hostname or username contain
  whitespace. I'm now using a better separator for metadata sent to it.
+ Fixed bug preventing Beacon upload from triggering a task request
+ Added DNS as a data channel to Beacon. This option is designed as a way
  to control Beacon when it can't communicate with you over HTTP. Deploy
  the DNS Beacon like normal. Type 'mode dns' in the Beacon console to 
  switch its communication scheme to use DNS. This mode can both transmit 
  and receive data.
+ Cobalt Strike now enables second stage encoding for Windows listeners it
  manages through Cobalt Strike -> Listeners.
+ Added option to stage DNS Beacon over DNS. This option is available with
  certain Cobalt Strike attack packages. Select "listener name (DNS)" to
  have Cobalt Strike stage the listener over DNS. 
+ Added random send delay option to the spear phishing tool. Click ... next 
  to the Mail Server field. Specify the number of seconds to delay to.
+ Spear phishing tool now ignores extra whitespace in targets file
- Added a menu to mark a host as a firewall
+ slight tweak to the Smart Applet attack (arsenal source updated too)
- Added a type-fix hack for MsgPack Long types

Cortana Updates (for scripters)
--------
- Updated &log_resource to account for new log folder layout scheme that
  involves a description of the current Armitage server
- Fixed a potential argument corruption bug with filters

9 May 13 - Cobalt Strike 1.46
--------
+ Fixed data correction issue that could prevent reports from generating
+ Improved formatting of vulnerability description information in reports
- Attacks -> Hail Mary now asks you to confirm the action.
- Fixed a potential table view sorting issue.
+ Added a check to auto-ex server to make sure a listener is defined
+ Updated client-side attack database
- Changed how some tables are updated to minimize blocking of other tasks. 
  This should make UI feel snappier in many cases.
- Credential helper now shows credentials from all servers that you're 
  connected to.
- Updated multiplexing code to be compatible with mimikatz extension's 
  output scheme.
- Meterpreter upload command (with no arguments) now prompts for a file.
  This file will be bounced to team server (if one is present) and
  uploaded to the target for you.
+ Auto-exploit Server now works with listeners defined on another Cobalt
  Strike team server.
- Cred tables no longer show SSH keys (since they're not actionable in
  these contexts yet...)

10 Apr 13 - Cobalt Strike 1.45
---------
+ Beacon now uses a random filename for files to download/execute. This
  works around a problem where subsequent download/execute taskings fail
  because the first downloaded file (with the same name) is still running
- The correct OS icon is now shown for Windows 2012 Server.
- Added an Inject button to the Process Explorer
+ VNC Viewer starts view-only by default. Untoggle the spy button to 
  assume control of the target's desktop
+ Added 'spawnto' command to Beacon. This command gives you control over
  which program Beacon will spawn to inject shellcode inside of.
+ Added checks to prevent a user from defining a listener with incomplete
  information.
- Event log now shows date with timestamp
+ Many fixes to report generation when connected to multiple team servers.
- Messages to your nick in the event log are now highlighted

20 Mar 13 - Cobalt Strike 1.45
---------
- Jobs dialog now queries job info in a separate thread context,
  stopping it from locking up your Cobalt Strike instance.
- Fixed console queue display bug when a required option has no setting
- Hashdump -> lsass method now pops open a Meterpreter tab and shows
  its progress. Should help when there's a lot of hashes coming back.
- Hail Mary attack now gives better feedback about what it's doing
+ Beacon now has a 1MB limit on its output.
+ Fixed a potential memory leak in Beacon (in the output posting)
+ Beacon now uses a different User-Agent string each run
+ Added an upload command to Beacon (to upload files).
+ Added a download command to Beacon. [And renamed the download+exec
  command to task].
- Fixed blank line showing when a host label exists and a session w/o
  any information is associated with the host.
+ Listener dialog now refreshes when updating LHOST
+ Added an execute command to Beacon. This will run a program without 
  posting output back to you.

Cortana Updates (for scripters)
--------
- Added work-around to prevent &psexec failing due to Ruby complaining
  about incompatible encodings.

6 Mar 13 - Cobalt Strike 1.45
--------
+ Updated quick-msf-setup script to pull framework source code via Git.
+ Spear phishing Preview button works in team server mode again.
+ Updated Beacon to auto-dump keystrokes with each beacon home.
+ Updated HTTP Beacon to change its signature profile.
+ Beacon domains now show in Cobalt Strike -> Listeners table.
- Active console now gets higher priority when polling msf for output
- Improved team server responsiveness in high latency situations by
  creating additional connections to server to balance messages over
+ Updated Web Drive-by -> Manage to allow stopping multiple sites at once
+ Performed client-side db maintenance
+ Added a helper to set URL option from Cobalt Strike hosted stuff.
- Preferences are now shared among each Cobalt Strike connection.
+ Website clone tool no longer validates SSL cert for HTTPs cloned sites

6 Mar 13 (2000h)
--------
+ Fixed a null pointer warning when starting the team server.

Cortana Updates (for scripters)
--------
- Added a &publish, &query, &subscribe API to allow inter-script
  communication across the team server.
- Added &table_update to set the contents of a table tab without
  disturbing the highlighted rows.
- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
  due to an error reported by meterpreter.
- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
  command 60s to execute. If it doesn't finish in that time, Cortana
  will release the lock on the shell so the user can control it.
  (ideally, this shouldn't happen... this is a safety mechanism)
- Changed Meterpreter command timeout to 2m from 12s. This is because
  https meterpreter might not checkin for up to 60s, if it's been
  idle for a long time. This will make &m_cmd less likely to timeout

12 Feb 13 - Cobalt Strike 1.45
---------
- Fixed RPC call cache corruption in team server mode. This bug could lead
  to some exploits defaulting to a shell payload when meterpreter was
  a possibility.
- Slight optimization to some DB queries. I no longer pull unused   
  fields making the query marginally faster. Team server is more 
  efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels.
- Cobalt Strike listener dialogs now size columns properly. 
- Added the ability to manage multiple team server instances through
  Cobalt Strike. Go to Cobalt Strike -> New Connection to connect to 
  another server. A button bar will appear that allows you to switch 
  active Cobalt Strike connections.     
        - Credentials available across instances are pooled when using
          the [host] -> Login menu and the credential helper.
	+ Listeners across instances are pooled in the listener select
	  dialogs. You may seamlessly launch exploits from one instance
	  and have sessions show up in another instance. It's also easy
	  to pass sessions between instances and task beacons to send
	  active sessions to other instances.
	+ Cobalt Strike hosted sites are pooled across instances too.
	+ Cobalt Strike's reporting engine merges data across instances
	  before generating a report for you. 

	You may now pen test through many points of presence and use 
	Cobalt Strike's reports to help tell the full story.

+ Pressing Cancel on a Save dialog will now cancel the action.
+ Performed regular maintenance of client-side attack database.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log window
+ Spear phishing tool now sends phishes from the team server. Now that you
  can connect to multiple Cobalt Strike servers, it makes sense to do this.
+ Revamped spear phishing tool output
- Hosts -> Clear Database now asks you to confirm the action.
+ Hosts -> Clear Database stops all listeners before dropping the database
- Hosts -> Import Hosts announces successful import to event log again.
+ Obfuscated Smart Applet attack
+ Beacon staging no longer shows in Social Engineering report
+ Updated hosts report generation process to use all possible host icons

28 Jan 13 - Cobalt Strike 1.45
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Cobalt Strike -> SOCKS Proxy job management code. The code 
  to check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
  start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
  USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
  in table view or below all info in graph view. Any team member may
  change a label through [host] -> host -> Set Label. You may also use
  dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Cobalt Strike to 'localhost' 
  and not '127.0.0.1'.
+ System profiler now auto-redirects a visitor after 20s if no profile
  is returned. Moved up from 5s.
+ Fixed a bad merge that took away the Login -> psexec (token) menu
+ File hosting feature now works in teamserver mode again. Moved file
  verification logic to the server where it belongs.
+ Ported the CVE-2013-0422 (java_jre17_jmxbean) exploit to the Smart 
  Applet attack. This attack is also available to the auto-exploit server.
+ Fixed a potential deadlock condition with the Beacon viewer.
- Cobalt Strike now centers screenshots/webcam shots in their tab
+ Added a VNC Viewer to Cobalt Strike. [host] -> Meterpreter -> Interact
  -> Desktop (VNC) will now open a tab with the user's desktop.
- Added an alternate .bat file to start msfrpcd on Windows in the
  Metasploit 4.5 installer's environment. *cough* Remember using Cobalt
  Strike to connect to the Framework on Windows is not supported. *cough*
- Added a color-style for [!] warning messages
+ Mitigated race condition that stopped Beacon listeners from restarting
  when connected to a team server.
+ Fixed Beacon -> Download menu. It now properly tasks highlighted items.

Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana functions now avoid core.setg

2 Jan 13 - Cobalt Strike 1.45
--------
- Set postgres_payload exploits to use a reverse payload by default
+ Updated JavaScript keystroke logger to work with IE9 and later. Also
  fixed a regression preventing it from working in IE in general.
+ Added Cobalt Strike Java Attacks. The Signed Applet Attack option is a
  simple self-signed applet. The Smart Applet Attack attempts to disable the
  Java Security Sandbox using an exploit. Both options are available under
  the Attacks -> Web Drive-by menu.

  These Java Attacks use a Cobalt Strike Java Injector Payload. This payload
  accepts both a Windows and Java listener. You don't want to lose a shell
  when a MacOS X user visits your Windows attack, right? The payload injects 
  shellcode into memory on Windows and dynamically links Java meterpreter for 
  other operating systems.

  Source code, build files, and a Cortana script to integrate changes to the
  applet attacks are available in the Cobalt Strike Arsenal. Help -> Arsenal
+ Major overhaul to the Cobalt Strike Auto Exploit feature. This went from 
  being a neglected feature to the most cutting edge exploit guidance system
  outside of the crime kit universe. The Auto Exploit feature now shares 
  code with the system profiler and uses this information to zap visitors
  with the right exploit. The new Auto Exploit feature also takes advantage of 
  the Cobalt Strike-hosted Java attacks.
+ Added a data sanitization pass to the reporting engine. Prevents 
  non-printable characters from disrupting the report generation process.
+ The Applications portion of the Social Engineering reports now sorts the
  applications and removes duplicate entries.
+ The SE report now puts a page break between the end of the Campaigns section
  and the beginning of the Users section.
+ Fixed "incompatible character encodings: ASCII-8BIT and UTF-8" exceptions
  caused by my use of the core.setg RPC-call in Beacon's UI. This RPC call 
  leaks improperly encoded stuff into Metasploit's global datastore.
 
12 Dec 12 - Cobalt Strike 1.45
---------
+ Beacon's spawn command now creates a separate process to inject 
  shellcode into. This way a failure in the shellcode will not cause 
  Beacon process to exit.
+ Beacon download command now uses payload/windows/download_exec module
+ Added a keystroke logger to Beacon. Use:

	keylogger start - to start the keylogger
	keylogger       - to dump collected keystrokes
	keylogger stop  - to stop the keylogger and dump keystrokes.

  Beacon must live inside of a process associated with the desktop and 
  user you want to log keystrokes for.
+ Added inject command to Beacon. Use this to spawn a session by injecting
  shellcode into a specific process id.
+ View -> Beacons table now properly sorts its columns when you ask it to
- Added a helper to set REXE option
+ Web Drive-by -> Host File now complains if file does not exist
+ Performed normal client-side database maintenance
+ Website clone tool now uses an MSIE user agent, instead of the Java one.
+ Website clone tool detects empty cloned site results and shows an error.
  It then instructs you to try the HTTPS version of the URL. Java's URL 
  library will not follow a redirect from one protocol to another.
+ System Profiler now detects and reports Windows 8
+ System Profiler's local IP address detection is much more reliable now
- Added Windows 8 icon
+ Cobalt Strike now starts persistent listers *after* it determines local
  IP address. This is important as the meterpreter reverse_http[s] payloads
  need to be bound to a specific LHOST to work.
- [host] -> Login menu is now built using open services for all highlighted
  hosts, not just the first one.
- [host] -> Login items now escape punctuation characters in passwords 
  before passing them to a framework module.
+ PDF reports properly wordwrap password hashes and other long strings again

Cortana Updates (for scripters)
--------
- &credential_add and &credential_delete no longer break when a password has 
  creative punctuation in it.

26 Nov 12 - Cobalt Strike 1.44
---------
+ Added support for some SMTP authentication schemes to Cobalt Strike's
  spear phishing tool. You may also connect to an SSL enabled SMTP
  server too. Special thanks to Allen Harper who provided infrastructure
  to test all of this against.
+ Spear phishing tool now strips more headers from template messages
+ Editing Targets field in spear phish dialog no longer locks up for 
  several seconds when the value of the field is a folder.
+ Updated client-side attack database (regular maintenance...)
+ You may now export Cobalt Strike reports as MS Word documents. *pHEAR*
- add_user and add_[local]group_user now show all of their output when
  the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
+ Added an import button to the creds viewer to quickly add credentials
+ Fixed a bug that caused Vulnerability report export to fail when a 
  vuln had no associated references.
+ Hosts report no longer shows vulnerability description twice (this 
  would happen when the same vulnerability was exploited against two
  or more ports listening with the vulnerable service).
+ Multiple cosmetic improvements to the display of vulnerabilities in
  hosts and vulnerability reports.

Cortana Updates (for scripters)
--------
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
  file when connected to a teamserver.

8 Nov 12 - Cobalt Strike 1.44
--------
- Windows command shell tab is now friendlier to commands that prompt
  for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
  the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
  and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Cobalt Strike now requests a non-expiring token after connecting to 
  msfrpcd. This makes your connection to msfrpcd more robust.
+ Cobalt Strike psexec dialog now lets you choose one of your configured
  Cobalt Strike reverse listeners
+ You may now select a custom executable in both psexec dialogs
+ Added Help -> Arsenal which will take you to the Cobalt Strike arsenal.
  The Cobalt Strike arsenal will contain scripts to aid your penetration
  testing process. These features will only be available to licensed
  Cobalt Strike users (usually with full source code too). 

  The first arsenal item is topaz, a script to embed shellcode into an 
  anti-virus bypass executable. Topaz will intercept module launches (such as
  psexec and current_user_psexec), generate a new executable, and use the
  new executable with the module. 

  Full source code to topaz is available. You may use it as-is, modify
  it to pass other products, or use it as a template to make your AV 
  bypass executable work with Cobalt Strike.
  
16 Oct 12 - Cobalt Strike 1.44
---------
- Added port 5985 to Scan feature port list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby 
  character encoding conversion error in the framework.
+ Fixed a potential deadlock in the listener management dialogs
+ You can now use Beacon to spawn a Beacon.
- Log Keystrokes, Persist, and Pass Session now use a new thread to
  query module information.
+ Beacon last callback time is now computed on team server. Prevents
  whackiness when client's have different time value from server.
- Cobalt Strike now shows URL/folder in a popup dialog when trying to
  open a file/URL on a desktop where Java's JDesktop is not supported
- Check all credentials option now filters duplicate entries.
- Exploit payload selection now selects cmd/unix/interact when required
- Explore -> Processes works with Java Meterpreter again.
+ Beacon callback events are now suppressed from reports and logs
- MSF Scans feature now runs http_version against port 443

27 Sept 12 - Cobalt Strike 1.44
----------
+ Added Beacon management feature. Beacon is a Cobalt Strike payload 
  that periodically phones home to request taskings. Beacon will check 
  task availability over HTTP or DNS.

  To start Beacon listener, go to Cobalt Strike -> Listeners.

  Go to View -> Beacons to see activity and task beacons.

  Use Beacon like any other reverse listener. Embed it in social 
  engineering packages, use it with client-side attacks, etc.
+ Updated client-side database
+ Cobalt Strike only shows token passing dialog if current_user_psexec
  module exists (for 4.4-release compatability)

5 Sept 12 - Cobalt Strike 1.44
---------
+ Added CovertVPN feature. CovertVPN is a Windows client that provides
  the Cobalt Strike host with a virtual interface on a target's network.
  CovertVPN is able to relay raw frames over a TCP, UDP, or HTTP channel.

  To use it:

  [host] -> Meterpreter -> Pivoting -> Deploy VPN

+ Added a helper for INTERFACE option to select a CovertVPN interface
- Setup dialog now trims host, port, user, and pass fields.
- Cobalt Strike now complains when it can't write to your preferences file 
  (versus just hanging without a real error message)
- View -> Jobs now queries jobs in a thread outside of UI thread
- Tab completion now uses a separate thread to call into the RPC server. 
  This prevents a deadlock if server is not responding.
- Login -> psexec now shows when 445 is open on a Windows machine. The old 
  criteria was too restrictive.
- Added a helper to set Wordlist option
+ Updated client-side exploit database with two new exploits
+ Added help button to Cobalt Strike -> Scripts
- Cobalt Strike now sets a random LPORT for non-exploit modules with an
  LPORT option (e.g., post modules that do priv escalation)
- Cobalt Strike now shows an error if it can't open a Windows command shell
- Steal Token dialog now uses incognito module to get token data instead of 
  the MSF post module. This is more reliable.
- current_user_psexec module now allows you to set the payload options
+ Added [host] -> Login -> psexec (token) to use a stolen token to psexec
  into all highlighted hosts.

Cortana Updates (for scripters)
--------
- added an eventlog popup hook

16 Aug 12 - Cobalt Strike 1.44
---------
- Dynamic workspaces now removes closed services from its set of
  hosts matching certain open ports.
- Cortana console now reports a clear error message a built-in
  command is executed without the right number of arguments.
- Added host icons for Android and iOS. You may now set these
  operating systems by going to [host] -> Host -> Operating System
- Cobalt Strike now shows the client-side exploit dialog for exploits
  that do not target an RHOST (for example, windows/smb/smb_relay)
- Added support for remote exploits that use RHOSTS over RHOST
  (this includes the new windows/local/current_user_psexec)
- Added a helper for setting the SESSION option
+ Added preferences for customizing Cobalt Strike reports:
  * reporting.accent.color
	the color of links and the solid bar below the header image
  * reporting.header_image.file
	an 1192x257px/300dpi header image for your reports
+ Added a helper to set file preferences
+ System Profiler now reports Apple iOS and Android operating systems
+ System Profiler now reports host with OS it could not determine

Cortana Updates (for scripters)
--------
- s_cmd no longer times out after 60s. It will wait forever for a 
  command to complete now.
- added shell_read event which fires when a shell s_cmd comes back 
  with intermediate output.
- fixed a potential deadlock with &open_console_tab
- scripts now have the ability to redefine the max size of a workspace: 
  db_workspace(%(size => #####));

08.05.12 - Cobalt Strike 1.44
--------
- Rebuilt the 08.02.12 release with missing internal files used by 
  Cortana. Sorry about this!

08.02.12 - Cobalt Strike 1.44
--------
- Team server now buffers all of its output. SO_NODELAY is no longer
  used. This will improves team performance on a congested network 
  without a hit to responsiveness otherwise.
+ Spear phishing tool now strips CC field from template messages
- Added Cortana, a DARPA funded scripting technology, into Armitage.
  There's a lot of fun to be had here.
- Cobalt Strike now queues messages to destroy a console rather than
  spinning up a new thread for each closed console.
- Rendering of icons for hosts now happens outside of UI thread.
+ Fixed highlight rendering issue in spearphish message preview.
+ Spear phishing tool more aggressively replaces links in template
  messages.
+ Spear phishing tool now displays a message when something goes
  wrong while processing a template file.
- Increased timeout for meterpreter read command
- Cobalt Strike now detects a corrupt module cache and attempts to 
  clear it so it can be rebuilt.

07.19.12 - Cobalt Strike 1.44
--------
+ Updated client-side vulns database (a typical maintenance action)
+ Fixed host report generation failure when there are two hosts with
  the same IP address in the hosts database. 
+ Vulnerability Report and Hosts Report vulnerability descriptions
  are now compatible with the latest Metasploit Framework database
  schema changes.
- Pass-the-Hash and Login dialogs now honor the shift+Launch convention
  which keeps the dialog open after launching the action.
+ Cobalt Strike now binds reverse_http/reverse_https listeners to the
  LHOST value for the host. Previously, they bound to 0.0.0.0 to accept
  connections on any interface. This no longer works though and established
  http/https sessions hang. This change fixes this problem.
+ Added set LHOST button to Cobalt Strike -> Listeners. This button will 
  update the global LHOST option in MSF, update the value saved in Cobalt
  Strike and it will restart all listeners to take advantage of the change
+ Added Attacks -> Packages -> USB/CD AutoPlay feature. This package turns
  a USB stick or CD into an attack vector against Windows XP/Vista

07.05.12 - Cobalt Strike 1.43 
--------
- Login -> psexec now sets a different LPORT for each host it's
  launched against when using a reverse payload. Fixes a bug where
  using a reverse connect payload against X hosts didn't work.
- Progressbar Cancel button now works with the Sync Files button
  in View -> Downloads and View -> Loot
- Fixed a potential deadlock with the Sync Files feature
- Clicking the Size column in View -> Downloads now sorts properly
+ Fixed a race condition that sometimes prevented the display of 
  the old data in View -> Web Log

06.23.12 - Cobalt Strike 1.43
--------
+ Updated client-side database with latest changes.
- Added View item to File Browser popup menu. Views and logs text files.
+ Added Attacks -> Web Drive-by -> Host File. This feature hosts a file 
  using the Cobalt Strike web server.
+ Web Drive-by options that start a Cobalt Strike server now have blue-ish
  labels.

06.14.12 - Cobalt Strike 1.43
--------
- Meterpreter -> Kill now uses session.stop RPC call
- Cleaned up code to kill jobs acting as a service
- Added an option to disable TCP_NODELAY from the comamnd line:

        java -Darmitage.enable_nagle=true -jar armitage.jar

  Use this if you see "bad mac" SSL errors when connected to a
  team server.
- Log Keystrokes tab now changes color when there is activity
- Randomized filename for USERPASS_FILE to allow multiple brute
  forces to happen at once.
+ Updated client-side database with ms12-037 information

06.07.12 - Cobalt Strike v1.43
--------
- Fixed an exception when killing a session or removing a route
- ps command added a new column to its output. Updated ps parser
- Hosts -> Import Hosts now works under Windows again
- Hail Mary now sets LHOST option. This is necessary for some attacks to 
  work properly
- Tweaked console create code in beginning of Cobalt Strike setup to avoid
  aggravating a deadlock condition
- Disabled Nagles Algorithm for team server and client SSL sockets. This 
  drastically improves responsiveness for Windows 7 clients.
- Starting jobs like the SOCKS Proxy server now shows the Service Started
  message again.
- Fixed a highlighting bug with the find feature in the View tab

05.21.12 - Cobalt Strike v1.43
--------
- Fixed a bug that triggered when resizing text in a Loot/Download View tab.
+ Updated IE date guessing database for more accuracy. This makes the system
  profiler better.
- Cobalt Strike's console now uses color to highlight information and make
  it clearer. This applies to all consoles. Set console.show_colors.boolean to
  false to disable this behavior.
- Default console font color is now grey.
+ Cobalt Strike now catches internal errors related to phishing messages (e.g.,
  a poorly formed template/address) and displays these in the phishing console.
- Fixed a bug preventing input field from getting focus when using Ctrl+W to
  open a console in its own window.
+ Updated entries in client-side attack database that have changed.
- Improved performance of module launches (through a console) when in team mode.
- Improved performance of msf scans feature when in team mode.
+ Spear phishing window no longer piggy backs off of a normal console tab.
- Improved perceived performance of posting chat messages
- Fixed text search feature (Ctrl+F) on Windows
- Fixed View -> Downloads -> Sync Files feature on Windows

05.14.12 - Cobalt Strike v1.43
--------
- Dynamic workspace keyboard shortcuts are now always bound (previously
  you had to visit workspaces menu before they'd bind)
- Improved console pool's ability to detect dead consoles
- Bound Ctrl+Backspace to show all hosts (without a workspace)
- Added Ctrl+T to quickly take a screenshot of the active tab and save it
- Added Ctrl+W to open the active tab in its own window
- Cobalt Strike team server is now SSL enabled. The server will present the
  SHA1 hash of its certificate on startup. When connecting, Cobalt Strike 
  will present the SHA1 hash of the certificate presented to it. You'll have
  the opportunity to trust it or reject it.
+ Updated entries in client-side attack database that have changed.
- Added Ctrl+Left / Ctrl+Right to navigate tabs with the keyboard
+ quick-msf-setup script now downloads 64-bit msf installer on 64-bit systems
- Fixed a bug that prevented command shells from opening on some sessions
+ Web log messages are now delivered in batches (vs. one at a time)
- Team server client now caches some calls to RPC server
- Reworked View button in Download and Loot tabs. The button now displays the
  contents of all the highlighted rows in one tab. Further, I've added a 
  Sync Files button to download the highlighted loot or download files when
  in a team situation.

05.07.12 - Cobalt Strike v1.43
--------
- Cobalt Strike's team server is now compatible with the latest changes to
  Metasploit 4.3.0. 
- Added Ctrl+D keyboard shortcut to close the active tab
- Module description in module launcher dialog is now resizable.
- Cobalt Strike now uses (more robust) console queue for launching post
  modules, handlers, brute force attacks, and other things.
- Fixed a race condition in the Jobs tab refresh after killing a job
- Cobalt Strike now filters smb hashes from non-psexec/smb login dialogs.
+ Dumped the "capture form data" in favor of a Javascript key logger. Logged
  keystrokes show up in the web log (View -> Web Log) and in the social
  engineering report.
+ System Profiler now reports applications grabbed to weblog and not the raw
  stuff posted back. This is a move to make the web log a generic console to
  view Cobalt Strike web activity in.
- Added armitage.log_data_here.folder setting. This setting lets you
  specify where Cobalt Strike will save its logs, downloaded files, and
  screenshots.
+ Cobalt Strike now properly reports "web server" errors when in team mode.
  Previously these weren't making it back to the user.
+ Cobalt Strike web apps (system profiler, cloned site, etc.) now work with or
  without the ending /.