Interacting with Beacon

Launch an HTTP Beacon payload, such as http_x64.exe, on the Attacker Desktop. After doing so, it will (should?!) appear in the UI.


The data columns show the Beacon's metadata, most of which are self-explanatory. The sleep column shows how frequently the Beacon should check in with the team server. By default, this is once every 60 seconds. The last column shows how long it has been since the Beacon last checked in. Should a Beacon miss 3 consecutive check-ins, the number in the last column turns bold/italic to indicate that the Beacon may be lost.

Launch Wireshark and capture traffic on the Ethernet adapter. Type http into the filter box and hit enter. The next time Beacon checks in, you will see a GET request and a 200 OK response.


Right-click on the GET request and select Follow > HTTP Stream.


The red text is the request made by Beacon. It's asking the team server whether there are any jobs it needs to execute. The random-looking characters in the URI are the Beacon's encoded metadata. The blue text is the team server's response. Since there were no jobs, it simply sends a "NOP" (no-operation) frame. Everything about how this traffic appears can be customised in the Malleable C2 profile.

To issue a job (or command) to Beacon, double-click it in the UI and a new tab will open. You can get a list of commands by typing help.

beacon> help

Beacon Commands
===============

    Command                   Description
    -------                   -----------
    !                         Run a command from the history
    argue                     Spoof arguments for matching processes
    blockdlls                 Block non-Microsoft DLLs in child processes
    browserpivot              Setup a browser pivot session
    cancel                    Cancel a download that's in-progress
    cd                        Change directory
    ...


Issue a pwd command to list the current working directory. This task is queued on the team server until Beacon next checks in, at which point it is executed and the results are sent back.

[08/18 12:36:46] beacon> pwd
[08/18 12:36:46] [*] Tasked beacon to print working directory
[08/18 12:37:28] [+] host called home, sent: 8 bytes
[08/18 12:37:28] [*] Current directory is C:\Payloads


The webbug profile that we're using uses GET to request tasks and POST to send the results back. In Wireshark, we can see how the team server's response has changed when it sends the pwd task to Beacon.


We can also see the output being sent by Beacon in the POST body.


You can tell Beacon to check in more frequently by using the sleep command.

[08/18 12:50:46] beacon> sleep 5
[08/18 12:50:47] [*] Tasked beacon to sleep for 5s
[08/18 12:51:38] [+] host called home, sent: 16 bytes


OPSEC: Although this is nicer for us because we don't have to sit around waiting for as long, you can appreciate how much noisier it is on the wire. The more noise your C2 channel makes, the more likely it is to get caught.
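As an added example (not part of the original page), here is the defender's side of that trade-off: a small Python script that groups web-proxy log lines by client/server pair and flags pairs whose request intervals are as regular as a Beacon on a fixed sleep. The log lines, hosts and URIs are constructed, and the 4-request minimum and 15% jitter threshold are arbitrary choices.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines (not from the original page): time, client, server, method, URI.
# Client 10.10.5.20 polls 10.10.5.50 roughly every 60 s, like the default Beacon check-in above;
# its requests to 10.10.5.60 are ordinary browsing.
SAMPLE_LOG = """\
2023-08-18T12:36:00 10.10.5.20 10.10.5.50 GET /img/px.gif?v=aGVsbG8
2023-08-18T12:36:14 10.10.5.20 10.10.5.60 GET /index.html
2023-08-18T12:37:00 10.10.5.20 10.10.5.50 GET /img/px.gif?v=d29ybGQ
2023-08-18T12:38:01 10.10.5.20 10.10.5.50 GET /img/px.gif?v=Zm9vYmFy
2023-08-18T12:38:30 10.10.5.20 10.10.5.60 GET /news/today
2023-08-18T12:38:59 10.10.5.20 10.10.5.50 GET /img/px.gif?v=YmF6cXV4
2023-08-18T12:40:00 10.10.5.20 10.10.5.50 GET /img/px.gif?v=cXdlcnR5
2023-08-18T12:41:00 10.10.5.20 10.10.5.50 GET /img/px.gif?v=enhjdmJu
"""

def parse_log(text):
    """Yield (timestamp, client, server) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip truncated or blank lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def find_periodic_hosts(text, min_requests=4, max_jitter=0.15):
    """Return {(client, server): {"count", "mean_interval", "jitter"}} for pairs
    whose inter-request gaps are regular enough to look like a sleeping implant.
    jitter is the coefficient of variation (stdev / mean) of the gaps."""
    times = defaultdict(list)
    for ts, client, server in parse_log(text):
        times[(client, server)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits[pair] = {"count": len(stamps), "mean_interval": mean, "jitter": jitter}
    return hits

if __name__ == "__main__":
    for (client, server), info in find_periodic_hosts(SAMPLE_LOG).items():
        print(f"{client} -> {server}: {info['count']} requests, "
              f"every {info['mean_interval']:.0f}s (jitter {info['jitter']:.2f})")
```

Dropping the sleep to 5 seconds, as above, makes the pair stand out even more: the same regularity now shows up twelve times as often in the same window.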


Unlike the HTTP Beacon, the DNS Beacon does not automatically send its metadata (owing to the lower data bandwidth of DNS), so it will appear in the UI as an "unknown" Beacon.


You must issue a manual checkin command before the metadata will appear.
