Starting Cobalt Strike

The Team Server

Cobalt Strike is split into a client and a server component. The server, referred to as the team server, is the controller for the Beacon payload and the host for Cobalt Strike’s social engineering features. The team server also stores data collected by Cobalt Strike and manages logging.

The Cobalt Strike team server must run, as root, on a supported Linux system. To start a Cobalt Strike team server, use the teamserver script included with the Cobalt Strike Linux package.

The team server has two mandatory parameters and two optional parameters. The first is the externally reachable IP address of the team server. Cobalt Strike uses this value as a default host for its features. The second is the password your team members will use to connect the Cobalt Strike client to the team server.

The third parameter is optional. This parameter specifies a Malleable C2 Communication Profile.

The fourth parameter is also optional. This parameter specifies a kill date in YYYY-MM-DD format. The team server will embed this kill date into each Beacon stage it generates. The Beacon payload will refuse to run on or after this date. A Beacon that is already running will also exit if it wakes up on or after this date.

When the team server starts, it will publish a SHA256 hash of the team server’s SSL certificate. You should distribute this hash to your team members. When your team members connect, their Cobalt Strike client will ask if they recognize this hash before it authenticates to the team server. This is an important protection against man-in-the-middle attacks.

The Cobalt Strike Client

The Cobalt Strike client connects to the team server. To start the Cobalt Strike client, use the launcher included with your platform's package. The launcher takes no arguments.

You will see a connect dialog when the Cobalt Strike client starts.

Specify your team server's address in the Host field. The default Port for the team server is 50050. There's rarely a reason to change this. The User field is your nickname on the team server. Change this to your call sign, handle, or made-up hacker fantasy name. The Password field is the shared password for the team server.

Press Connect to connect to the Cobalt Strike team server.

If this is your first connection to this team server, Cobalt Strike will ask if you recognize the SHA256 hash of this team server's SSL certificate. If you do, press OK, and the Cobalt Strike client will connect to the server. Cobalt Strike will also remember this SHA256 hash for future connections. You may manage these hashes through Cobalt Strike -> Preferences -> Fingerprints.
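The fingerprint check described in the team server and client sections above, sketched as a trust-on-first-use store. This is an added example, not Cobalt Strike's own code: it assumes the published hash is SHA-256 over the DER-encoded certificate, and `FingerprintStore`, `normalize`, `fetch_der` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import hmac
import ssl
from typing import Optional

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-for-illustration"

def cert_fingerprint(der: bytes) -> str:
    """Assumption: the fingerprint is SHA-256 over the DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; reject anything but 64 hex digits."""
    cleaned = fp.strip().replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or not set(cleaned) <= set("0123456789abcdef"):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

def fetch_der(host: str, port: int = 50050) -> bytes:
    """Fetch the presented certificate without validating it (needs network; unused below)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

class FingerprintStore:
    """Remembers one fingerprint per endpoint, like the client's saved fingerprints."""
    def __init__(self) -> None:
        self.pins = {}

    def check(self, endpoint: str, der: bytes, announced: Optional[str] = None) -> str:
        seen = cert_fingerprint(der)
        pinned = self.pins.get(endpoint)
        if pinned is not None:
            # Later connections: the certificate must still hash to the pinned value.
            return "match" if hmac.compare_digest(pinned, seen) else "MISMATCH"
        if announced is None:
            return "unverified"  # first contact and no hash from the server operator
        if not hmac.compare_digest(normalize(announced), seen):
            return "MISMATCH"    # certificate on the wire is not the one that was announced
        self.pins[endpoint] = seen
        return "pinned"
```

A `MISMATCH` on an endpoint that was already pinned means the certificate changed since the first connection, so the hash should be confirmed again with whoever runs the team server before connecting.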

Cobalt Strike keeps track of the team servers you connect to and remembers your information. Select one of these team server profiles from the left-hand side of the connect dialog to populate the connect dialog with its information. You may also prune this list through Cobalt Strike -> Preferences -> Team Servers.