Configure Listeners

Introduction

Cobalt Strike has two listeners: egress listeners and peer-to-peer listeners. Egress listeners are for external connections outside of the network. Facilitation occurs either through HTTP or DNS. Peer-to-Peer (P2) listeners to do not communicate with the team server directory like egress listeners, instead, they combine multiple Beacons together in parent/child relationships. The reasons for this is simple: it reduces the number of hosts talking to the team server (which reduces traffic volume and likelihood of getting burned). It also allows machines who cant talk outside the network to communicate through this type of proxy system. P2P listeners can use SMB or TCP. The traffic from the P2P is sent to the parent who transmits it to the team server.

Egress Listeners

Egress listeners are for external connections outside of the network (HTTP or DNS).

HTTP Listener

Communication occurs over HTTP GET & POST requests.

To add a new listener: Click headphones -> Add -> Input details & Save

DNS Listener

DNS listeners allows Beacons to send messages over several lookup types A, AAAA, TXT. To use DNS listeners, we must configure our DNS records. For example:

Name

Type

Data

@

A

<DNS Resolver>

ns1

A

<DNS Resolver>

img

NS

ns1.copperwired.com.

Creating listener

We now have two listeners:

P2P Listeners

Peer (P2) listeners to do not communicate with the team server directory like egress listeners, instead, they combine multiple Beacons together in parent/child relationships.

  • This reduces the number of hosts talking to the team server (which reduces traffic volume and likelihood of getting burned).

  • It also allows machines who cant talk outside the network to communicate through this type of proxy system. P2P listeners can use SMB or TCP. The traffic from the P2P is sent to the parent who transmits it to the team server.

SMB Listener

For SMB listeners, the default named pipe is not going to work. We can list named pipes on the host with the following command. We'll change the last couple numbers to something recognizable.

PS> ls \\.\.pipe\

TCP Listener

Your typical TCP listener. Nothing special.

We now have all our listeners!

Pivot Listener

Setting up a listener for pivoting is different than default listeners. Pivot listeners can only be created through a beacon.

To create a pivot listener right-click on the Beacon and go Pivoting -> Listener -> "Open Listener".

Confirming the port is listening and notice the process ID. It's the same as our Beacon PID.

beacon> run netstat -anop tcp

Active Connections

  Proto  Local Address          Foreign Address        State           PID

  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2280

You can run spawn in the beacon promt selected a pivot listener. Optionally, you can create one. The Beacon commandselevate, and jump can also be used for pivoting.

Unfortunately, with Defender enabled, we get burned. We'll have to put some work into our Payload to go undetected.

PreviousStart Team ServerNextBeacons

Last updated