Pivot Listeners

It's good tradecraft to limit the number of direct connections from your target's network to your command and control infrastructure. A pivot listener allows you to create a listener that tunnels all of its traffic through a Beacon session. In this way, you can create new reverse sessions without creating more direct connections to your command and control infrastructure.

To setup a pivot listener, go to [beacon] -> Pivoting -> Listener. This will open a dialog where you may define a new pivot listener.

Pivot Listener

Pivot Listener

A pivot listener consists of a Listen Host and a Listen Port. This defines where a pivot listener should stage through and which port the pivot host should listen on. Cobalt Strike's pivot listener will create a foreign listener that references this information.

The Remote Host and Remote Port define where Cobalt Strike's team server should forward connections to your pivot listener to. Cobalt Strike will use this information to create a reverse port forward through a Beacon that forwards connections from Local Port to the specified Remote Host and Remote Port.

Be aware that Beacon is an asynchronous payload. For a Pivot Listener to properly service connections and tunnel traffic—you must speed up the pivot Beacon such that it checks in multiple times each second. This is known as interactive mode.

Pivot Listeners do not change the pivot host's firewall configuration. If a pivot host has a host-based firewall, this may interfere with the reverse port forward. You, the operator, are responsible for anticipating this situation and taking the right steps for it.