From aldeid
Jump to navigation Jump to search
You are here
System Profiler


The System Profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web-server and fingerprints any one who visits it. The System Profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.

To start the System Profiler, go to Attacks -> Web Drive-by -> System Profiler.


Local URI
URI to host the system profiler script
Local Host
IP address or domain of the Cobalt Strike team server
Local Port
Port the local web server is running on
Redirect URL
If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the System Profiler.
Enable SSL
Check Enable SSL to serve this content over SSL. This option is available when you specify a valid SSL certificate in your Malleable C2 profile.
Use Java applet to get information
The System Profiler uses an unsigned Java Applet to decloak the target's internal IP address and determine which version of Java the target has. With Java's click-to-run security feature--this could raise suspicion. Uncheck the Use Java Applet to get information box to run the System Profiler without the Java Applet.

To view the results from the System Profiler, go to View -> Applications. Cobalt Strike will list all of the applications it discovered during the system profiling process.

To make it even more plausible, combine it with the Clone Site attack: