Cobalt-Strike/Attacks/Web-Drive-by/System-Profiler

From aldeid

Description

The System Profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The System Profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.

To start the System Profiler, go to Attacks -> Web Drive-by -> System Profiler.

Attack

Local URI
URI to host the system profiler script
Local Host
IP address or domain of the Cobalt Strike team server
Local Port
Port the local web server is running on
Redirect URL
If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the System Profiler.
Enable SSL
Check Enable SSL to serve this content over SSL. This option is available when you specify a valid SSL certificate in your Malleable C2 profile.
Use Java applet to get information
The System Profiler uses an unsigned Java Applet to decloak the target's internal IP address and determine which version of Java the target has. Because of Java's click-to-run security feature, this could raise suspicion. Uncheck the Use Java Applet to get information box to run the System Profiler without the Java Applet.

To view the results from the System Profiler, go to View -> Applications. Cobalt Strike will list all of the applications it discovered during the system profiling process.

To make it even more plausible, combine it with the Clone Site attack: