A Browser Pivot is a way to browse to websites with the identity of a compromised user. Cobalt Strike implements browser pivoting with a proxy server that injects into 32-bit and 64-bit Internet Explorer. When you browse through this proxy server you inherit cookies, authenticated HTTP sessions, and client SSL certificates. Browser Pivoting is a powerful way to demonstrate risk with a targeted attack.
To setup Browser pivoting, go to [host] -> Meterpreter -> Explore -> Browser Pivot. Choose the Internet Explorer instance that you want to inject into. You may also decide which port to bind the browser pivoting proxy server to as well.
Beware that the process you inject into matters a great deal. Inject into Internet Explorer to inherit a user's authenticted web sessions. Modern versions of Internet Explorer spawn each tab in its own process. If your target uses a modern version of Internet Explorer, you must inject a process associated with an open tab to inherit session state. Which tab process doesn't matter (child tabs share session state). Identify Internet Explorer tab processes by looking at the PPID value in the Browser Pivoting setup dialog. If the PPID references explorer.exe, the process is not associated with a tab. If the PPID references iexplore.exe, the process is associated with a tab.
Once Browser Pivoting is setup, set up your web browser to use the Browser Pivot Proxy server. The Browser Pivot Proxy server is an HTTP proxy server.
You may browse the web as your target user once browser pivoting is started. Beware that the browser pivoting proxy server will present its SSL certificate for SSL-enabled websites you visit. This is necessary for the technology to work.
The browser pivoting proxy server will ask you to add a host to your browser's trust store when it detects an SSL error. Add these hosts to the trust store and press refresh to make SSL protected sites load properly.
Close the Browser Pivot tab to stop the browser pivoting proxy server.
You will need to reinject the browser pivot proxy server if the user closes the tab you're working from. The Browser Pivot tab will warn you when it can't connect to the browser pivot proxy server in the browser.
How it Works
Internet Explorer delegates all of its communication to a library called WinINet. This library, which any program may use, manages cookies, SSL sessions, and server authentication for its consumers. Cobalt Strike's Browser Pivoting takes advantage of the fact that WinINet transparently manages authentication and reauthentication on a per process basis. By injecting Cobalt Strike's Browser Pivoting technology into a user's Internet Explorer instance, you get this transparent reauthentication for free.