Pivot Listeners

A pivot listener can only be created on an existing Beacon, and not via the normal Listeners menu. These listeners work in the same way as regular TCP listeners, but in reverse. A standard Beacon TCP payload binds to 127.0.0.1 (or 0.0.0.0) and listens for an incoming connection on the specified port. You then initiate a connection to it from an existing Beacon (with the connect command). The pivot listener works the other way around by telling the existing Beacon to bind and listen on a port, and the new Beacon TCP payload initiates a connection to it instead.

To create a pivot listener, right-click on a Beacon and select Pivoting > Listener. This will open a "New Listener" window.


You will notice the payload type is beacon_reverse_tcp, rather than beacon_bind_tcp. Even though there's a drop-down menu, this is currently the only payload type that you can use with the pivot listener. The listen host and listen port options are the connection details that will be baked into the payloads generated from this listener. These are automatically populated from the Beacon you selected to act as the pivot. Unless you're doing something crazy with additional port forwards, you'll want to leave these as they are.

After clicking save, run netstat and you will see your port (4444 in this example) is now listening.

You will also see a Windows firewall alert; click Allow access for now - we'll cover tactics for this in a future chapter.

```
beacon> run netstat -anop tcp

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6920
```

The PID 6920 matches the PID of my Beacon.
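As an added defender's example (not part of the original page and not Cobalt Strike code): a small Python parser for `netstat -anop tcp` output that diffs listening ports against a host baseline and flags PIDs that own both a new listener and an established outbound connection, which is exactly the shape the pivot Beacon takes above. The sample netstat text and the baseline port set are constructed; only port 4444 / PID 6920 mirror the page.

```python
import re
from typing import NamedTuple
# Constructed sample of `netstat -anop tcp` output (not the page's own session).
# Port 4444 / PID 6920 mirror the page's example; the other rows are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6920
  TCP    10.10.5.12:49712       10.10.5.1:443          ESTABLISHED     6920
"""

class Row(NamedTuple):
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    pid: int

# One netstat data row: proto, local addr:port, foreign addr:port, state, PID.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse_rows(netstat_output: str) -> list[Row]:
    """Parse every TCP row; the banner, header and blank lines are skipped."""
    rows = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(Row(m[1], int(m[2]), m[3], int(m[4]), m[5], int(m[6])))
    return rows

def unexpected_listeners(netstat_output: str, baseline_ports: set[int]) -> list[Row]:
    """LISTENING sockets on ports that are not in the host's known baseline."""
    return [r for r in parse_rows(netstat_output)
            if r.state == "LISTENING" and r.local_port not in baseline_ports]

def pivot_candidates(netstat_output: str, baseline_ports: set[int]) -> set[int]:
    """PIDs that own an unexpected listener *and* an ESTABLISHED connection:
    the shape a Beacon takes once it hosts a pivot listener."""
    rows = parse_rows(netstat_output)
    established = {r.pid for r in rows if r.state == "ESTABLISHED"}
    return {r.pid for r in unexpected_listeners(netstat_output, baseline_ports)
            if r.pid in established}

if __name__ == "__main__":
    print(pivot_candidates(SAMPLE_NETSTAT, {135, 445}))  # {6920}
```

On a real host the baseline would come from a known-good snapshot of the same command, and the flagged PID can then be resolved to its image path for triage.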

We can now generate payloads for this listener, and it also becomes available in all the usual commands such as spawn, elevate, jump, etc. Once executed, the reverse TCP Beacon will appear immediately in the UI, and the arrow in the graph view shows the direction of the connection.


To stop a pivot listener, go to the regular listeners list, highlight it and click the remove button.