support

SOCKS Proxy Pivoting

Go to [beacon] -> Pivoting -> SOCKS Server to setup a SOCKS4a proxy server on your team server. Or, use socks 8080 to setup a SOCKS4a proxy server on port 8080 (or any other port you choose).

All connections that go through these SOCKS servers turn into connect, read, write, and close tasks for the associated Beacon to execute. You may tunnel via SOCKS through any type of Beacon (even an SMB Beacon).

Beacon's HTTP data channel is the most responsive for pivoting purposes. If you'd like to pivot traffic over DNS, use the DNS TXT record communication mode.

To see the SOCKS servers that are currently setup, go to View -> Proxy Pivots.

Use socks stop in a Beacon console to stop a SOCKS proxy server.

Proxychains

The proxychains tool will force an external program to use a SOCKS proxy server that you designate. You may use proxychains to force third-party tools through Cobalt Strike’s SOCKS server.

 

Metasploit

You may also tunnel Metasploit® Framework exploits and modules through Beacon. Create a Beacon SOCKS proxy server [as described above] and paste the following into your Metasploit® Framework console:

setg Proxies socks4:team server IP:proxy port
setg ReverseAllowProxy true

These commands will instruct the Metasploit® Framework to apply your Proxies option to all modules executed from this point forward. Once you’re done pivoting through Beacon in this way, use unsetg Proxies to stop this behavior.

If you find the above tough to remember, go to View -> Proxy Pivots. Highlight the proxy pivot you setup and press Tunnel. This button will provide the setg Proxies syntax needed to tunnel the Metasploit® Framework through your Beacon.