Receiving Text Messages for your Incoming Beacons

Whether it be through phishing, or some other means, waiting for your incoming beacons can be an anxious moment.  Every time I send off phishing e-mails, I anxiously await to receive the incoming beacons.  I personally want to know and be alerted the second that I receive a beacon, so I figured this would be a great time to work with Raphael Mudge’s scripting language that’s built right into Cobalt Strike – Aggressor.

Aggressor is an event-driven language, very similar to scripts people may have developed for IRC.  One of the events built into Aggressor is “beacon_initial“.  This event is triggered when a beacon is established for the first time.  Using this event, you can have Cobalt Strike do “something” when a beacon first checks in.

Aggressor is based on the language Sleep (also by Raphael Mudge) which supports an “exec” function.  So to tie this all together, we can have Aggressor run a command when each new beacon first checks in.  Sounds like I can just write a script that texts me with some of the information I’m interested in receiving for each new beacon!

The Aggressor script can be found here, so let’s go through this and learn what’s happening.

on beacon_initial { 
    $computer = beacon_info($1, "computer");
    $internal = beacon_info($1, "internal");
    exec("/root/cobaltstrike/ --ip " . $internal . " --computer '" . $computer . "'");

The “beacon_initial” is the event that triggers when a beacon first checks in.  The “local” commands are used to declare the contained string as a local variable.  These will store the internal IP and computer name of the beacon that just checked in.  The “beacon_info” commands allows us to retrieve metadata about the incoming beacon, in this case the internal IP and computer name.  Finally, the “exec” command executes the script at the location I’ve specified. Now, all that is needed is a script that sends the text messages!

This can be easily done using Python, and I have a script here that does it.

#!/usr/bin/env python

import argparse
import smtplib
from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText

parser = argparse.ArgumentParser(description='beacon info')
args = parser.parse_args()

fromaddr = ""
toaddr = ["", ""]
msg = MIMEMultipart()
msg['From'] = fromaddr
msg['To'] = ", ".join(toaddr)
msg['Subject'] = "INCOMING BEACON"

hostname =
internal_ip = args.ip

body = "Check your teamserver! \nHostname - " + hostname + "\nInternal IP - " + internal_ip
msg.attach(MIMEText(body, 'plain'))

server = smtplib.SMTP('', 587)
server.login(fromaddr, "")
text = msg.as_string()
server.sendmail(fromaddr, toaddr, text)

This script was modified from another script I found online. It uses gmail (you will need to provide a username and password) to send e-mails to addresses that you specify. In this case, it’s sends e-mails to the addresses for AT&T and Verizon that translates e-mails to text messages (just change the phone numbers in the toad variable). Now, anytime that I receive an incoming beacon, this script is triggered and I receive a text message containing the hostname and internal ip of the compromised system!

You can run this one of two ways. While connected to your team server, just load up the Script Console, load your script, and you’re good to go. However, this obviously requires you to stay connected to your team server. Your other option is to use the “agscript” binary that comes with Cobalt Strike. This program lets you connect to a team server and run a script, without requiring the Cobalt Strike client. An easy way to use this is to SSH to your team server, start a screen session, and run the agscript binary in the background with the above Aggressor script. Now, anytime you receive a beacon, your Aggressor script will trigger your e-mail script which texts you to notify you of the new beacon!



Upgrading Your Shells to Beacons

It’s an issue we all encounter, we’re operating in a shell and want to upgrade it to something better. For many, this may be Meterpreter which is absolutely a valid choice. Another option I want to explore in this post is upgrading your shell to a Cobalt Strike Beacon.

In this instance, I’m going to cheat by generating a shell callback with Veil-Evasion to simulate operating in a shell and executing it on a VM.

Shell Callback

Now that I have my shell, it’s time to look into upgrading this to something better! First, I’ll need to setup a Beacon listener within Cobalt Strike. This is pretty simple, just select the headphones icon on the top menu and you’ll be presented with the Listener tab. Just select the “Add” button at the bottom and configure your listener as you see fit.

Beacon Listener

Once you’ve created your listener, it’s time to prep for the shell upgrade. I prefer to use Cobalt Strike’s powershell web-delivery feature to upgrade my shell. To set this up, click the powershell icon on the top menu and configure the attack. In this case, I customized the uri to be “upgrade”, I am using the default port 80, and the listener that I want to utilize was pre-selected.

Powershell Web Delivery

Now, just select launch, and you’ll be given the command that you can run on your victim machine.

Powershell One Liner

All you need to do now is just copy and paste this command into your shell, and you should see your beacon calling back!

Beacon Callback

If you have any questions, be sure to let me know! Hop in #Veil on Freenode or hit me up on twitter @ChrisTruncer.