11/21/22
Start the team server (inside tmux so it survives a dropped SSH session), pointing it at the server's IP, the client password, and a malleable C2 profile:
tmux
cd /cobaltstrike
sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
- Then start the Cobalt Strike Client
- Configure your client as needed and you will land in the Cobalt Strike Client
- The next step is to set up "listeners"; these listen for incoming connections from Cobalt Strike's Beacons
There are two types of listeners:
- Egress
- Peer-to-Peer
- An egress listener is one that allows Beacon to communicate out of the target network back to our team server
- The default egress listeners are HTTP/S & DNS where the Beacon will encapsulate all C2 traffic over these protocols
Managing Listeners (add, edit, remove, or restart listeners):
Cobalt Strike > Listeners, or click the headphones icon
- The HTTP listener allows Beacon to send and receive C2 messages over HTTP GET and/or POST requests
- To create a new HTTP listener, click add, and select Beacon HTTP for the payload
- Once done, select save and you will see "Started Listener"
- Running sudo ss -lntp on the team server will verify that it is listening on port 80
- The DNS listener allows Beacon to send and receive C2 messages over different lookup/response types including A, AAAA, and TXT
- TXT is used by default as it can hold the most data
- This requires us to create one or more DNS records for a domain that the team server will be authoritative for
- To create a DNS listener, click add and select Beacon DNS for the payload
- If you run dig against the DNS records, the team server's default response is 0.0.0.0
- This is bad because it is a known default, so Cobalt Strike servers can be fingerprinted this way
- This default can be changed in the malleable C2 profile
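The fingerprinting point above works in both directions: a defender hunting for Cobalt Strike infrastructure can look for authoritative name servers whose answers are consistently the default 0.0.0.0. The script below is an added example (not from these notes or from Cobalt Strike) that parses dig-style answer lines and flags owners whose every A answer is 0.0.0.0. The hostnames and addresses are constructed for the example; parse_a_records and default_cs_dns_candidates are names chosen here.

```python
"""Hunting check: flag DNS names whose A answers are all 0.0.0.0, the reply an
unmodified Cobalt Strike DNS listener gives by default.

Input is dig-style answer-section text. The sample below is constructed for
this example; no live lookups are performed."""
import re
from collections import defaultdict

# Constructed dig answer-section lines (reserved .test names, TEST-NET addresses).
SAMPLE_ANSWERS = """\
cdn.example-c2.test.      60  IN  A    0.0.0.0
cdn.example-c2.test.      60  IN  A    0.0.0.0
cdn.example-c2.test.      60  IN  TXT  "v=spf1 -all"
www.example-legit.test.   300 IN  A    198.51.100.5
mail.example-legit.test.  300 IN  A    0.0.0.0
mail.example-legit.test.  300 IN  A    203.0.113.10
"""

# owner  ttl  IN  A  dotted-quad  (other record types deliberately do not match)
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(text):
    """Return {owner: [ip, ...]} for the A records in dig-style answer text.

    Owners are normalised to lowercase without the trailing dot; lines that are
    not A records (TXT, AAAA, comments, blank lines) are ignored."""
    records = defaultdict(list)
    for line in text.splitlines():
        match = A_RECORD.match(line.strip())
        if match:
            owner, _ttl, ip = match.groups()
            records[owner.rstrip(".").lower()].append(ip)
    return dict(records)


def default_cs_dns_candidates(records):
    """Owners whose A answers are *all* 0.0.0.0.

    Requiring every answer to match avoids flagging names that merely include
    a 0.0.0.0 answer among real addresses; the result is still only a lead,
    since sinkholes and blocklist resolvers also answer 0.0.0.0."""
    return sorted(
        owner for owner, ips in records.items()
        if ips and all(ip == "0.0.0.0" for ip in ips)
    )


if __name__ == "__main__":
    parsed = parse_a_records(SAMPLE_ANSWERS)
    for owner in default_cs_dns_candidates(parsed):
        print(f"default DNS-listener response pattern: {owner}")
```

Only cdn.example-c2.test is reported: mail.example-legit.test returns 0.0.0.0 alongside a real address, so it is not flagged. Treat a hit as a reason to pivot (passive DNS, TLS certificates, the HTTP listener's response headers), not as a conviction on its own.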
Peer-to-peer (P2P) listeners:
- P2P listeners differ from egress listeners because they don't communicate with the team server directly
- Instead, P2P listeners are designed to chain multiple Beacons together in parent/child relationships