Starting the Teamserver
sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profileListeners
There are two main types of listeners.
- egress
- peer to peer
Egress Listener
An egress listener is one that allows Beacon to communicate outside of the target network to our team server. The default egress listener types in Cobalt Strike are HTTP/S and DNS, where Beacon will encapsulate C2 traffic over these respective protocols.
Peer-to-Peer
Peer-to-peer (P2P) listeners differ from egress listeners because they don’t communicate with the team server directly. Instead, P2P listeners are designed to chain multiple Beacons together in parent/child relationships. The primary reasons for doing this are:
- To reduce the number of hosts talking out to your team server, as the higher the traffic volume, the more likely it is to get spotted.
- To run Beacon on machines that can’t even talk out of the network, e.g. in cases of firewall rules and other network segregations.
The two P2P listener types in Cobalt Strike are Server Message Block (SMB) and raw TCP. It’s important to understand that these protocols do not leave the target network (i.e. the team server is not listening on port 445 for SMB). Instead, a child SMB/TCP Beacon will be linked to an egress HTTP/DNS Beacon, and the traffic from the child is sent to the parent, which in turn sends it to the team server.