Client-side Exploits
You may use a Metasploit Framework exploit to deliver a Cobalt Strike Beacon. Cobalt Strike’s Beacon is compatible with the Metasploit Framework’s staging protocol. To deliver a Beacon with a Metasploit Framework exploit:
- Use windows/meterpreter/reverse_http[s] as your PAYLOAD and set LHOST and LPORT to point to your Cobalt Strike listener. You’re not really delivering Meterpreter here; you’re telling the Metasploit Framework to generate the HTTP[s] stager that downloads a payload from the specified LHOST/LPORT.
- Set DisablePayloadHandler to True. This tells the Metasploit Framework not to stand up its own handler to service your payload connection.
- Set PrependMigrate to True. This option tells the Metasploit Framework to prepend shellcode that runs the payload stager in another process. This helps your Beacon session survive if the exploited application crashes or if it’s closed by a user.
Here’s a screenshot of msfconsole used to stand up a Flash Exploit to deliver Cobalt Strike’s HTTP Beacon hosted at 192.168.1.5 on port 80:
Figure 48 - Using Client-side Attacks from Metasploit
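Seen from the network, the HTTP stager described above makes one GET request to LHOST/LPORT to download its payload. The following is an added detection example, not part of the Cobalt Strike documentation: it scans proxy log lines for requests whose path has the 8-bit checksum the Metasploit Framework uses to mark a Windows stage request (92, a value taken from the Metasploit source rather than from this page). The log format, the sample lines and the function names are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

INITW = 92  # Metasploit's URI checksum value for a Windows stage request
# One short path segment made only of URL-safe base64 characters (assumed shape).
CANDIDATE = re.compile(r"^/[A-Za-z0-9_-]{4,}$")

def checksum8(text: str) -> int:
    """8-bit checksum: sum of the byte values modulo 256."""
    return sum(text.encode("ascii")) % 256

def is_stage_request(method: str, url: str) -> bool:
    """True when a GET path has the shape and checksum of a stage download."""
    path = urlsplit(url).path
    if method != "GET" or not CANDIDATE.match(path):
        return False
    return checksum8(path[1:]) == INITW

def scan(lines):
    """Yield (timestamp, client, url) for each matching, well-formed log line."""
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at fields
        ts, client, method, url, _status = fields
        if is_stage_request(method, url):
            yield ts, client, url

# Constructed sample proxy log (format: time client method url status).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.23 GET http://192.168.1.5/xK3f 200",
    "2024-05-01T10:00:02Z 10.0.0.23 GET http://intranet.example/login 200",
    "2024-05-01T10:00:03Z 10.0.0.41 GET http://intranet.example/index.html 200",
    "2024-05-01T10:00:04Z 10.0.0.41 POST http://192.168.1.5/xK3f 200",
    "truncated line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible stage download:", *hit)
```

Roughly one in 256 arbitrary paths of this shape has the same checksum, so a match is a lead to correlate with other evidence (for example a browser or plugin process making the request shortly before a crash), not a verdict.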