VPN Pivoting

Notice: This feature does not work on Windows 10 targets.

Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.

How to Deploy

To activate Covert VPN, right-click a compromised host, go to [beacon] -> Pivoting -> Deploy VPN. Select the remote interface you would like Covert VPN to bind to. If no local interface is present, press Add to create one.

Deploy VPN Pivoting

Deploy Covert VPN

Check Clone host MAC address to make your local interface have the same MAC address as the remote interface.

Press Deploy to start the Covert VPN client on the target. Covert VPN requires Administrator access to deploy.

Once a Covert VPN interface is active, you may use it like any physical interface on your system. Use ifconfig to configure its IP address. If your target network has a DHCP server, you may request an IP address from it using your operating system's built-in tools.

Manage Interfaces

To manage your Covert VPN interfaces, go to Cobalt Strike -> Interfaces. Here, Cobalt Strike will show the Covert VPN interfaces, how they're configured, and how many bytes were transmitted and received through each interface.

Highlight an interface and press Remove to destroy the interface and close the remote Covert VPN client. Covert VPN will remove its temporary files on reboot and it automatically undoes any system changes right away.

Press Add to configure a new Covert VPN interface.

Configure an Interface

Covert VPN interfaces consist of a network tap and a channel to communicate ethernet frames through. To configure the interface, choose an Interface name (this is what you will manipulate through ifconfig later) and a MAC address.

VPN Pivoting Setup

VPN Interface Setup

You must also configure the Covert VPN communication channel for your interface. Covert VPN may communicate ethernet frames over a UDP connection, TCP connection, ICMP, or using the HTTP protocol. The TCP (Reverse) channel has the target connect to your Cobalt Strike instance. The TCP (Bind) channel has Cobalt Strike tunnel the VPN through Beacon.

Cobalt Strike will setup and manage communication with the Covert VPN client based on the Local Port and Channel you select.

The Covert VPN HTTP channel makes use of the Cobalt Strike web server. You may host other Cobalt Strike web applications and multiple Covert VPN HTTP channels on the same port.

For best performance, use the UDP channel. The UDP channel has the least amount of overhead compared to the TCP and HTTP channels. Use the ICMP, HTTP, or TCP (Bind) channels if you need to get past a restrictive firewall.