Beacon is Cobalt Strike's payload for red teams (groups of professionally trained security experts). Beacon is a stable lifeline and serves as a communication layer. Meterpreter is an excellent agent for post-exploitation work. Beacon and Meterpreter can be used together to give you more options for covert operations. In this article, I will show several different ways to use Beacon to get the most out of Meterpreter and the Metasploit Framework.
#0 Without Beacon
First, let's look at how we operate without Beacon. In this case, everything passes through Meterpreter. Meterpreter is your payload for the initial foothold and for keeping that foothold alive. At the same time, Meterpreter is also the payload for remotely controlling the target and for pivoting.
If Meterpreter is your network foothold, your first action is to spawn additional Meterpreter sessions as backups to improve your odds. Otherwise, if you lose your only Meterpreter session, you lose your access, which is not a good position to be in. Meterpreter sessions can be unstable. Consolidating the access we have gained and guarding against the loss of Meterpreter sessions is urgent!
#1 Beacon as a Lifeline
We have another option: use Beacon as the network foothold. As with other Metasploit Framework payloads, you deliver Beacon through a memory corruption exploit or through Cobalt Strike's social engineering tools. Once Beacon is running in memory, it begins checking in for tasks over HTTP or DNS.
Beacon tasks are the commands you want Beacon to execute. For example, the spawn command asks the target to deliver a Meterpreter session back to you. Beacon quietly returns a Meterpreter session when you need one. If keeping a low profile is important to you, you do not need to bring back a session unless you have to interact with the target.
#2 Beacon Egress
Meterpreter provides reverse-connection egress over TCP, HTTP, and HTTPS. Meterpreter usually calls back to a single host. If that host is blocked or monitored by the network defense team, you will be in trouble very quickly. This is not a joke!
In this case, use Beacon to tunnel outbound traffic from the target network. Beacon can egress over DNS or HTTP, and you can even switch between HTTP and DNS while Beacon is communicating. This lets you pick the protocol that fits the situation you land in.
Beacon supports multiple callback hosts. When Beacon is deployed, it is given a list of domain names or hosts to call back to, and it rotates through them. The target network's defense team must block every host on the list to cut off communication with its network.
Beacon exposes a SOCKS proxy server that lets you use a Beacon host as a pivot point. The SOCKS proxy carries Metasploit Framework attacks, Meterpreter, and other external tools through the Beacon tunnel.
To pivot through Beacon, Beacon must check in several times per second. If you try to tunnel traffic through a Beacon with a high sleep time, you will find that most tools time out because of the artificially high communication latency.
Pivoting through Beacon helps your tools get past many perimeter protections. Once you are inside the network through a stable tunnel, you have great freedom to work without interruption.
#3 Beacon as a Communication Layer
Not every system can beacon out to hosts on the Internet. Sometimes, to control a host that cannot reach your system, you would use a bind Meterpreter payload or the reverse TCP payload of a Meterpreter session. Generally, when that Meterpreter session is lost, you must re-execute Meterpreter on the host.
Fortunately, we can also control these systems by delivering the bind Beacon payload. The bind Beacon payload, also known as Beacon peer, is a backdoor that runs in the memory of the compromised host; you can connect to, disconnect from, and reconnect to the Beacon peer backdoor at any time.
Beacon peer backdoors are reached over an SMB named pipe. First, you must have another Beacon that can reach the target. Linked Beacons communicate by blending into normal SMB network traffic.
You can send a command to any Beacon host to request a Meterpreter session, and its traffic is carried through the Beacon tunnel. Beacon becomes the communication layer for Meterpreter sessions.
If you lose a Meterpreter session that rides the Beacon peer tunnel, you can request a new Meterpreter session without re-executing Meterpreter on the target host, and the target host does not need to be connected to the Internet. A Beacon peer can serve as both a pivot point and the lifeline deep inside a network!
#4 Beacon for Remote Management
Sometimes it is very difficult to get a stable Meterpreter session out of the target network. Host protections may intercept it, or tunneled traffic to the target network may simply be easier to detect. In these cases, Beacon can be used as a remote management tool.
If you are not using Beacon to tunnel network traffic, you can set a high sleep time, such as once every 10 minutes, once every hour, or once a day. In this case, Beacon checks in, downloads the commands you have queued, and executes them one by one.
Beacon does what many remote management tools do: upload and download files. Beacon tracks every file download and grabs a chunk of the file on each check-in. This makes it possible to retrieve a large file over many callbacks in a low and slow manner.
The Metasploit Framework is the common interface for most hacking operations. That said, much of what we do in the Metasploit Framework is stand-alone or relies on built-in Windows commands. If you have a low-profile post-exploitation toolkit, you can work with ease: you can use Beacon to run most routine on-site commands without lowering its sleep time.
If you only use Beacon with a high sleep time to control compromised hosts, it is hard for the network defense team to notice you.
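The two properties described above, the fixed check-in cadence of a high sleep time (#4) and rotation across a list of callback hosts (#2), are exactly what a defender can hunt for. The following is an added detection example, not code from the original post or from Cobalt Strike: it groups outbound requests by source host (so destination rotation does not hide the pattern) and flags sources whose inter-arrival times are nearly constant. The proxy log lines and hostnames are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <source host> <destination host>".
# ws17 calls out every ~10 minutes, alternating between two callback hosts
# (the multi-host list from #2); ws22 is ordinary, bursty browsing.
SAMPLE_LOG = """\
2014-01-31T09:00:02 ws17 cdn-a.example.net
2014-01-31T09:00:05 ws22 news.example.org
2014-01-31T09:10:01 ws17 cdn-b.example.net
2014-01-31T09:00:06 ws22 news.example.org
2014-01-31T09:20:03 ws17 cdn-a.example.net
2014-01-31T09:03:40 ws22 mail.example.org
2014-01-31T09:30:00 ws17 cdn-b.example.net
2014-01-31T09:40:02 ws17 cdn-a.example.net
2014-01-31T09:47:12 ws22 news.example.org
2014-01-31T09:50:01 ws17 cdn-b.example.net
"""

def parse_log(text):
    """Group events by *source* host so rotating destinations are seen together."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        ts, src, dest = line.split()
        by_src[src].append((datetime.fromisoformat(ts), dest))
    for events in by_src.values():
        events.sort()
    return by_src

def score_source(events):
    """Return (mean gap in seconds, coefficient of variation, distinct destinations)."""
    times = [t for t, _ in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None  # too few check-ins to judge regularity
    m = mean(gaps)
    return m, pstdev(gaps) / m, len({d for _, d in events})

def find_periodic_sources(text, max_cv=0.1, min_events=4):
    """Flag sources whose outbound requests recur at a near-constant interval."""
    flagged = {}
    for src, events in parse_log(text).items():
        if len(events) < min_events:
            continue
        score = score_source(events)
        if score and score[1] <= max_cv:
            flagged[src] = {"interval_s": round(score[0]),
                            "cv": round(score[1], 3), "hosts": score[2]}
    return flagged
```

On the sample log this reports ws17 with a 600-second interval spread over two hosts, while ws22's irregular gaps keep it well above the threshold.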
# Finally: an Advanced Threat Countermeasure?
Each of these options represents a different level of sophistication. When you read about "APT" activity, try to match what you are reading to one of these options. When you read that an actor used an extremely simple beaconing RAT, can you tell what they used to exploit their targets? When you read about an actor using Poison Ivy, what was their foothold and how did they maintain access? When you read about a breach this year, how did the actors keep the freedom to regain control of their hosts without raising suspicion? When you hear about the list of actors who have not been caught being set aside for now, what are they doing? Finally, when you see sophisticated threat actors, how can I help my customers understand their ability to detect and respond to such advanced threats?
# Translated from the blog of the author of Cobalt Strike and Armitage: http://blog.strategiccyber.com/2014/01/31/four-levels-of-hacking-sophistication-with-beacon/
This is my first translation. If you have any questions, please don't hesitate to offer advice.