TCP. These are particularly useful in cases where a machine that you compromise cannot
reach your Team Server directly over HTTP.
To create an HTTP listener, go to Cobalt Strike > Listeners and a new tab will open. Click
the Add button and a New Listener dialogue will appear. Select Beacon HTTP as the
payload type and enter a descriptive name. This listener name is used in several Beacon
commands (such as when moving laterally), so make sure it describes the listener well.
Click the + button next to HTTP Hosts which should autocomplete to the Kali IP address
(10.10.5.120). This is fine, so click OK. Leave everything else as it is and click Save.
[Screenshot: New Listener dialog ("Create a listener."). Name: http-port-80; Payload: Beacon HTTP; HTTP Hosts: 10.10.5.120; Host Rotation Strategy: round-robin; HTTP Host (Stager): 10.10.5.120; Profile: default; HTTP Port (C2): 80; HTTP Port (Bind), HTTP Host Header and HTTP Proxy left blank.]
5. Generating Payloads:
To generate a payload for this listener, go to Attacks > Packages > Windows Executable (S).
Cobalt Strike is able to generate both staged and stageless payloads. Whenever you see
(S) within the UI, it's an indication that it's using a stageless payload.
OPSEC: Staged payloads are good if your delivery method limits the amount of data you
can send. However, they tend to have more indicators compared to stageless. Given the
choice, go stageless.
Select the HTTP listener created previously, select Windows EXE as the output and tick Use
x64.
OPSEC: The use of 64-bit payloads on 64-bit Operating Systems is preferable to using 32-bit
payloads on 64-bit Operating Systems.
[Screenshot: Windows Executable (Stageless) dialog. Listener: http-port-80; Output: Windows EXE; x64: "Use x64 payload" ticked.]
Click Generate and save the file to C:\Payloads. Now execute that EXE and you should see
a new Beacon appear.
[Screenshot: Cobalt Strike main window. The session table shows a new Beacon with external and internal address 10.10.5.110. The Listeners tab lists http-port-80 with payload windows/beacon_http/reverse_http, host 10.10.5.120 and profile default.]