Last updated
Last updated
A SOCKS (short for Socket Secure) Proxy exchanges network packets between a client and a server. A common implementation of a proxy server is found in web proxies - where a browser will connect to the proxy, which relays requests to the destination website and back to the browser (performing filtering etc along the way). We can use this idea in an offensive application by turning our C2 server into a SOCKS proxy to tunnel external tooling into an internal network.
This is particularly helpful when we want to leverage toolsets such as . Windows doesn't have a native capability to execute Python, so being able to execute them on our own system and tunnel the traffic through Beacon can expand our arsenal of available tooling. It also carries additional OPSEC advantages - since we're not pushing offensive tooling onto the target or even executing any code on a compromised endpoint, it can shrink our footprint for detection.
Cobalt Strike has both a SOCKS4a and SOCKS5 proxy. The main difference between them is that only SOCKS5 supports authentication and has some additional logging capabilities.
Use the socks
command on the Beacon that you want to act as the pivot point.
To start a SOCKS4a proxy simply run:
For SOCKS5:
The enableLogging
option sends additional logs (such as authentication failures) to the VM console, which you unfortunately can't see easily when the team server running as a service. Instead, you can use journalctl
:
You will now see port 1080 bound on the team server VM.
OPSEC Since this is bound on all interfaces, any device that has network access to the team server VM may, in theory, interact with the SOCKS traffic. Even though this should not be the case, the use of SOCKS5 gives an additional layer of protection.
The speed at which data is transferred over the proxy is determined by the sleep time of the Beacon that executed the socks
command. To set the Beacon to an interactive state, use sleep 0
. In most cases, this is a quality of life vs stealth trade-off. The more frequently your Beacon talks to the team server, the louder it appears on the wire. However, some tools may timeout and fail with longer sleep times so it's up to you to find a balance.