Port Scanning

Beacon has a built in port scanner. Use portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] to inject into the specified process to run a port scan against the specified hosts. Use portscan [targets] [ports] [arp|icmp|none] [max connections] (without [pid] and [arch] arguments) to spawn a temporary process to run a port scan against the specified hosts.

The [targets] option is a comma-separated list of hosts to scan. You may also specify IPv4 address ranges (e.g., 192.168.1.128-192.168.2.240, 192.168.1.0/24).

The [ports] option is a comma-separated list of ports to scan. You may specify port ranges as well (e.g., 1-65535).

The [arp|icmp|none] target discovery options dictate how the port scanning tool will determine if a host is alive. The ARP option uses ARP to see if a system responds to the specified address. The ICMP option sends an ICMP echo request. The none option tells the portscan tool to assume all hosts are alive.

The [max connections] option limits how many connections the port scan tool will attempt at any one time. The portscan tool uses asynchronous I/O and it's able to handle a large number of connections at one time. A higher value will make the portscan go much faster. The default is 1024.
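From the network side, a scan run this way leaves a recognisable footprint: one source opening connection attempts to many distinct host:port pairs in a short burst, and a higher max connections value makes that burst denser. As an added example (not Cobalt Strike's or Beacon's own code), the script below runs a sliding-window detector over a constructed connection log with one scanning host and one host doing ordinary repeated traffic; the threshold and window values are assumptions to tune per environment.

```python
from collections import Counter, defaultdict


def constructed_log():
    """Constructed sample connection records (ts, src, dst, dport); not real data."""
    rows = []
    # Scanning host: 25 distinct ports on one target within about 2 seconds.
    for i in range(25):
        rows.append((1700000000.0 + i * 0.08, "10.0.0.5", "10.0.1.20", 1 + i))
    # Ordinary host: 30 connections to the same 3 services spread over a minute.
    for i in range(30):
        rows.append((1700000000.0 + i * 2.0, "10.0.0.7", "10.0.1.30", [80, 443, 53][i % 3]))
    return rows


def scan_sources(rows, window=10.0, min_distinct=20):
    """Return {src: peak} for sources that reached at least `min_distinct`
    distinct (dst, dport) pairs within any `window`-second span.

    Repeated connections to the same service do not raise the count, so a
    busy but normal client stays below the threshold while a port sweep
    does not. Threshold and window are assumed values, not fixed rules."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct pairs currently inside the window
        peak, lo = 0, 0
        for ts, pair in events:
            in_window[pair] += 1
            # Slide the window start forward past events older than `window` seconds.
            while events[lo][0] < ts - window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(scan_sources(constructed_log()))  # {'10.0.0.5': 25}
```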

The port scanner runs in between Beacon check-ins. When it has results to report, it sends them to the Beacon console. Cobalt Strike processes this information and updates the targets model with the discovered hosts.

You can also go to [beacon] -> Explore -> Port Scanner to launch the port scanner tool.
