Cobalt-Strike/Listeners/Beacon-SMB
Infrastructure
The SMB Beacon uses named pipes to communicate through a parent Beacon. This peer-to-peer communication works with Beacons on the same host. It also works across the network. Windows encapsulates named pipe communication within the SMB protocol. Hence, the name, SMB Beacon.
```
┌─────────────┐   Beacon-HTTP or -DNS    ┌──────────┐          ┌─────────────┐
│ TEAM SERVER │ <──────────────────────> │ FIREWALL │ <──────> │ COMPROMISED │
└─────────────┘                          └──────────┘          │   HOST 1    │
                                                               └─────────────┘
                                                                      ▲
                                                                      │ Beacon SMB
                                                                      ▼
                                                               ┌─────────────┐
                                                               │ COMPROMISED │
                                                               │   HOST 2    │
                                                               └─────────────┘
                                                                      ▲
                                                                      │ Beacon SMB
                                                                      ▼
                                                               ┌─────────────┐
                                                               │ COMPROMISED │
                                                               │   HOST 3    │
                                                               └─────────────┘
```
Setup
Add new listener
[Screenshot: the popup window that appears when you add a new Beacon-SMB listener]
Errors
If connecting to a host using a Beacon-SMB listener fails, you will get an error message along with an error code. Below are the most common issues:
| Error code | Meaning | Description |
|---|---|---|
| 2 | File Not Found | There is no beacon for you to link to |
| 5 | Access is denied | Invalid credentials or you don't have permission |
| 53 | Bad Netpath | You have no trust relationship with the target system. There may or may not be a beacon there. |
Commands
- link [host] [pipename], connect [host] [port]
  - Link to beacon peer
- unlink [host] [PID]
  - De-link a beacon peer
- jump [exec] [host] [pipe]
  - Example: jump psexec64 172.16.222.135 ec2-smb
Detection
SMB traffic
SMB objects
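Because the peer link is a named pipe carried over SMB, the linked host sees it as access to its IPC$ share, which Windows Security event 5145 records when "Audit Detailed File Share" is enabled. The following is an added example, not part of the original page or of Cobalt Strike: it flags IPC$ pipe access that matches publicly documented default pipe names or falls outside a baseline. The event records, host names, source addresses and baseline set are constructed assumptions; only the pipe name ec2-smb comes from the page.

```python
import re

# Pipes commonly opened over IPC$ by Windows itself (assumed baseline; tune per site).
BASELINE_PIPES = {"srvsvc", "wkssvc", "lsarpc", "samr", "netlogon",
                  "svcctl", "winreg", "spoolss", "atsvc", "eventlog"}

# Publicly documented Cobalt Strike default pipe-name shapes; operators can rename them.
DEFAULT_NAMES = re.compile(
    r"^(msagent_[0-9a-f]+|status_[0-9a-f]+|postex_(ssh_)?[0-9a-f]+|MSSE-\d+-server)$",
    re.IGNORECASE)

def flag_remote_pipes(events, baseline=BASELINE_PIPES):
    """Return (computer, source_ip, pipe, reason) for suspicious 5145 IPC$ pipe access."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        # Remote named pipes are reached through the IPC$ share.
        if not ev.get("ShareName", "").upper().endswith("\\IPC$"):
            continue
        pipe = ev.get("RelativeTargetName", "").strip("\\")
        if not pipe:
            continue
        if DEFAULT_NAMES.match(pipe):
            reason = "default-name"
        elif pipe.lower() not in baseline:
            reason = "not-in-baseline"   # catches renamed pipes such as ec2-smb
        else:
            continue
        findings.append((ev["Computer"], ev["IpAddress"], pipe, reason))
    return findings

# Constructed sample records (field names follow event 5145; values are made up,
# except the pipe name ec2-smb, which is the one used in the page's jump example).
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "HOST2", "IpAddress": "192.0.2.10",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},
    {"EventID": 5145, "Computer": "HOST2", "IpAddress": "192.0.2.10",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "ec2-smb"},
    {"EventID": 5145, "Computer": "HOST3", "IpAddress": "192.0.2.20",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "msagent_3f"},
    {"EventID": 5145, "Computer": "HOST3", "IpAddress": "192.0.2.20",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\notes.txt"},
    {"EventID": 4624, "Computer": "HOST3", "IpAddress": "192.0.2.20"},
]

if __name__ == "__main__":
    for finding in flag_remote_pipes(SAMPLE_EVENTS):
        print(finding)
```

A name-only signature would miss the renamed pipe; the baseline comparison is what surfaces it, at the cost of needing a per-environment allowlist.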
Example
An example is available here