Cobalt-Strike/Listeners/Beacon-SMB

From aldeid

Infrastructure

The SMB Beacon uses named pipes to communicate through a parent Beacon. This peer-to-peer communication works between Beacons on the same host and also across the network. Windows encapsulates named pipe communication within the SMB protocol, hence the name SMB Beacon.

┌─────────────┐   Beacon-HTTP or -DNS    ┌──────────┐          ┌─────────────┐
│ TEAM SERVER │ <──────────────────────> │ FIREWALL │ <──────> │ COMPROMISED │
└─────────────┘                          └──────────┘          │    HOST 1   │
                                                               └─────────────┘
                                                                       ▲
                                                                       │ Beacon SMB
                                                                       ▼
                                                               ┌─────────────┐
                                                               │ COMPROMISED │
                                                               │    HOST 2   │
                                                               └─────────────┘
                                                                       ▲
                                                                       │ Beacon SMB
                                                                       ▼
                                                               ┌─────────────┐
                                                               │ COMPROMISED │
                                                               │    HOST 3   │
                                                               └─────────────┘
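Seen from the defender's side, each link in the chain above is a remote open of a named pipe over the IPC$ share. The following is an added example, not part of the original page or of Cobalt Strike: it filters Windows Security event 5145 records for pipes outside a baseline and joins them into parent-to-child chains. Assumptions: "Audit Detailed File Share" is enabled, the events are already parsed into dicts, the baseline list is a starting point to tune, and the sample events are constructed.

```python
from collections import defaultdict

# Assumption: pipes routinely opened over IPC$ in this environment; tune per baseline.
BASELINE_PIPES = {"srvsvc", "wkssvc", "lsarpc", "samr", "netlogon",
                  "svcctl", "winreg", "spoolss", "eventlog", "atsvc"}

def _ev(server, client, share, target):
    """One parsed 5145 event; 'host' is the machine that logged it (the pipe server)."""
    return {"host": server, "IpAddress": client,
            "ShareName": share, "RelativeTargetName": target}

# Constructed sample events (addresses and pipe name reuse the page's jump example).
EVENTS = [
    _ev("172.16.222.135", "172.16.222.130", r"\\*\IPC$", "ec2-smb"),
    _ev("172.16.222.140", "172.16.222.135", r"\\*\IPC$", "ec2-smb"),
    _ev("172.16.222.135", "172.16.222.50", r"\\*\IPC$", "srvsvc"),
    _ev("172.16.222.140", "172.16.222.50", r"\\*\C$", r"Windows\Temp\a.txt"),
]

def unusual_pipe_links(events, baseline=BASELINE_PIPES):
    """Return (client, server, pipe) for IPC$ opens of pipes outside the baseline."""
    links = []
    for ev in events:
        if not ev["ShareName"].upper().endswith("IPC$"):
            continue  # ordinary file share access, not a named pipe
        pipe = ev["RelativeTargetName"].strip("\\").lower()
        if pipe and pipe not in baseline:
            links.append((ev["IpAddress"], ev["host"], pipe))
    return links

def chains(links):
    """Join links into parent -> child paths (host 1 -> host 2 -> host 3)."""
    children, servers, paths = defaultdict(set), set(), []
    for client, server, _ in links:
        children[client].add(server)
        servers.add(server)

    def walk(node, path):
        nxt = [n for n in sorted(children.get(node, ())) if n not in path]
        if not nxt:
            paths.append(path)
        for n in nxt:
            walk(n, path + [n])

    for root in sorted(c for c in children if c not in servers):
        walk(root, [root])
    return paths
```

Because the pipe name is chosen by the operator, the check relies on a baseline of expected pipes rather than on matching a specific name.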

Setup

Add new listener

Here is the popup window that appears when you add a new Beacon-SMB listener:

  • Pipename (C2): randomly generated pipename

Errors

If connecting to a host using a Beacon-SMB listener fails, you will get an error message along with an error code. Below are the most common issues:

Error code   Meaning            Description
2            File Not Found     There is no beacon for you to link to
5            Access is denied   Invalid credentials or you don't have permission
53           Bad Netpath        You have no trust relationship with the target system. There may or may not be a beacon there.

Commands

link [host] [pipename]
connect [host] [port]
    Link to beacon peer

unlink [host] [PID]
    De-link a beacon peer

jump [exec] [host] [pipe]
    Example: jump psexec64 172.16.222.135 ec2-smb

Detection

SMB traffic

SMB objects

Example

An example is available here