Listeners

To manage your listeners, go to Cobalt Strike > Listeners or click on the headphone icon. This will open the Listeners tab, from which you can add, edit, remove and restart listeners.

1. Egress Listeners

An egress listener is one that allows Beacon to communicate outside of the target network to our team server. The default egress listener types in Cobalt Strike are HTTP/S and DNS, where Beacon will encapsulate C2 traffic over these respective protocols.

- HTTP

The HTTP listener allows Beacon to send and receive C2 messages over HTTP GET and/or POST requests.

To create a new HTTP listener, click Add. Click the little + button next to the HTTP Hosts box. Here, you provide the IP addresses and/or domain names that the Beacon payload will call back to.

Once we have downloaded and executed an HTTP payload on the victim machine, we will receive the Beacon.

Where outbound web traffic goes through an authenticating proxy, processes running as SYSTEM cannot authenticate to it, so an HTTP Beacon running as SYSTEM will not get out. Use P2P or DNS Beacons instead.

- DNS

The DNS listener allows Beacon to send and receive C2 messages over several lookup/response types, including A, AAAA and TXT. TXT records are used by default because they can hold the most data. This requires that we create one or more DNS records for a domain that the team server will be authoritative for.

After clicking Save, we can test the records by performing an arbitrary lookup against the team server. Its default response is 0.0.0.0. Because that default is distinctive (and rather nonsensical), Cobalt Strike team servers can be fingerprinted in this way. The response can be changed in the Malleable C2 profile.
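The fingerprint just described, as an added example written from a threat-hunting point of view (not code from this page or from Cobalt Strike): it builds a DNS A query for a random label from scratch, parses the answer section of the raw response, and flags a server that answers an arbitrary name with nothing but 0.0.0.0. The server address and zone passed to probe() are assumptions you supply; the parsing functions run offline.

```python
import secrets
import socket
import struct

def build_a_query(name: str, txid: int = 0x1337) -> bytes:
    """Minimal DNS A query (stdlib only): header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a plain or compressed (0xC0 pointer) name; return the new offset."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_answers(msg: bytes) -> list:
    """Dotted-quad addresses of every A record in the answer section."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return answers

def is_default_team_server_response(msg: bytes) -> bool:
    """True when the answer section is nothing but 0.0.0.0, the default described above."""
    answers = parse_a_answers(msg)
    return bool(answers) and all(a == "0.0.0.0" for a in answers)

def probe(server: str, zone: str, timeout: float = 3.0) -> bool:
    """Query `server` (assumed IP) for a random label under `zone`; needs network access."""
    name = f"{secrets.token_hex(6)}.{zone}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return is_default_team_server_response(data)
```

A single 0.0.0.0 answer is only an indicator; a profile that changes the default response defeats this check, so treat a hit as a lead to corroborate rather than a verdict.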

2. Peer-to-Peer

Peer-to-peer (P2P) listeners differ from egress listeners because they don't communicate with the team server directly. Instead, P2P listeners are designed to chain multiple Beacons together in parent/child relationships. The primary reasons for doing this are:

- To reduce the number of hosts talking out to your team server, as the higher the traffic volume, the more likely it is to get spotted.

- To run Beacon on machines that can't talk out of the network at all, e.g. because of firewall rules and other network segregation.

The two P2P listener types in Cobalt Strike are Server Message Block (SMB) and raw TCP. It's important to understand that these protocols do not leave the target network (i.e. the team server is not listening on port 445 for SMB). Instead, a child SMB/TCP Beacon will be linked to an egress HTTP/DNS Beacon, and the traffic from the child is sent to the parent, which in turn sends it to the team server.

- SMB

A Beacon SMB payload will start a new named pipe server with the pipe name configured on the listener and listen for an incoming connection. This named pipe is available both locally and remotely.

The default pipe name is quite well signatured. A good strategy is to emulate names known to be used by common applications or Windows itself. To list all currently listening pipes for inspiration, run:

PS C:\> ls \\.\pipe\

Choose one and, before adding it, change the last 4 characters so that we can recognise it, for example: TSVCPIPE-53………….1337

Once we have downloaded and executed an SMB payload on the victim machine, to connect to it:

link {target} {pipe we have selected}

- TCP

A Beacon TCP payload will bind and listen on the specified port number. You may also specify whether it will bind to only the localhost (127.0.0.1), otherwise it will bind to all interfaces (0.0.0.0).

Once a TCP payload bound to localhost is executed on the victim machine (recommended only for privilege escalation), to control that Beacon from the existing one:

connect localhost 4444

Before connecting, we can check from the existing Beacon that the port is listening on the victim:

run netstat -anp tcp

3. Pivot Listener

To create a pivot listener, right-click on a Beacon and select Pivoting > Listener. This will open a "New Listener" window.

The payload type is beacon_reverse_tcp, rather than beacon_bind_tcp: the new Beacon connects back to the pivot Beacon instead of listening for a connection itself.

To stop a pivot listener, go to the regular listeners list, highlight it and click the remove button.
