SOCKS Proxy

Go to [beacon] -> Pivoting -> SOCKS Server to set up a SOCKS4 or SOCKS5 proxy server on your team server. Or, use socks 8080 to set up a SOCKS proxy server on port 8080 (or any other port you choose).

All connections that go through these SOCKS servers turn into connect, read, write, and close tasks for the associated Beacon to execute. You may tunnel via SOCKS through any type of Beacon (even an SMB Beacon).

Beacon’s HTTP data channel is the most responsive for pivoting purposes. If you’d like to pivot traffic over DNS, use the DNS TXT record communication mode.

Use socks [port] [socks4 | socks5] [enableNoAuth | disableNoAuth] [user] [password] [enableLogging | disableLogging] to start a SOCKS4a server (the default when no server version is specified) or a SOCKS5 server on the specified port. This server will relay connections through this Beacon.

SOCKS5 servers can be configured with NoAuth authentication (default), User/Password authentication, and some additional logging.

SOCKS5 servers currently do not support GSSAPI authentication or IPv6.
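
The following Python example is added here and is not Cobalt Strike code. It parses the opening bytes a client sends to a SOCKS listener, showing how SOCKS4, SOCKS4a and SOCKS5 differ on the wire and where the NoAuth, User/Password, GSSAPI and IPv6 options appear, which helps when reading a capture of proxy traffic. The function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# SOCKS5 method codes (RFC 1928). Per the text above, NoAuth and
# User/Password are configurable; GSSAPI is not supported.
METHODS = {0x00: "NoAuth", 0x01: "GSSAPI", 0x02: "User/Password"}
ATYPS = {0x01: "ipv4", 0x03: "domain", 0x04: "ipv6"}

def parse_greeting(data: bytes) -> dict:
    """Classify the first message a client sends to a SOCKS listener."""
    if len(data) < 2:
        raise ValueError("truncated message")
    if data[0] == 5:
        # SOCKS5 greeting: VER, NMETHODS, METHODS[NMETHODS]
        n = data[1]
        if len(data) < 2 + n:
            raise ValueError("truncated SOCKS5 greeting")
        return {"version": "socks5",
                "methods": [METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + n]]}
    if data[0] == 4:
        # SOCKS4: VER, CMD, DSTPORT, DSTIP, USERID, NUL [, HOSTNAME, NUL]
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        port = struct.unpack("!H", data[2:4])[0]
        ip, fields = data[4:8], data[8:].split(b"\x00")
        # SOCKS4a asks the proxy to resolve a name: DSTIP is 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            if len(fields) < 3:
                raise ValueError("SOCKS4a hostname missing or unterminated")
            host = fields[1].decode("ascii", "replace")
            return {"version": "socks4a", "host": host, "port": port}
        return {"version": "socks4", "host": str(ipaddress.IPv4Address(ip)), "port": port}
    raise ValueError(f"not SOCKS: version byte 0x{data[0]:02x}")

def parse_socks5_request(data: bytes) -> dict:
    """Parse a SOCKS5 request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    if len(data) < 5 or data[0] != 5 or data[3] not in ATYPS:
        raise ValueError("not a well-formed SOCKS5 request")
    atyp = data[3]
    # Domain names carry a one-byte length prefix; IPv4/IPv6 are fixed size
    start, size = (5, data[4]) if atyp == 3 else (4, 4 if atyp == 1 else 16)
    if len(data) < start + size + 2:
        raise ValueError("truncated SOCKS5 request")
    raw = data[start:start + size]
    host = raw.decode("ascii", "replace") if atyp == 3 else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[start + size:start + size + 2])[0]
    return {"atyp": ATYPS[atyp], "host": host, "port": port}

# Constructed sample: SOCKS5 greeting offering NoAuth and User/Password
SAMPLE_GREETING = bytes([5, 2, 0x00, 0x02])
```

A request whose atyp parses as ipv6, or a greeting that offers only GSSAPI, is one the SOCKS5 server described above does not support.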

To see the SOCKS servers that are currently set up, go to View -> Proxy Pivots.

Use socks stop to stop the SOCKS servers and terminate existing connections.

Traffic will not relay while Beacon is asleep. Change the sleep time with the sleep command to reduce latency.

Proxychains

The proxychains tool will force an external program to use a SOCKS proxy server that you designate. You may use proxychains to force third-party tools through Cobalt Strike’s SOCKS server. To learn more about proxychains, visit: http://proxychains.sourceforge.net/

Metasploit

You may also tunnel Metasploit Framework exploits and modules through Beacon. Create a Beacon SOCKS proxy server (as described above) and paste the following into your Metasploit Framework console:

setg Proxies socks4:[team server IP]:[proxy port]

setg ReverseAllowProxy true

These commands will instruct the Metasploit Framework to apply your Proxies option to all modules executed from this point forward. Once you’re done pivoting through Beacon in this way, use unsetg Proxies to stop this behavior.

If you find the above tough to remember, go to View -> Proxy Pivots. Highlight the proxy pivot you set up and press Tunnel. This button will provide the setg Proxies syntax needed to tunnel the Metasploit Framework through your Beacon.

 
