System Profiler

The System Profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web-server and fingerprints any one who visits it. The System Profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.

To start the System Profiler, go to Attacks -> Web Drive-by -> System Profiler.

The start the profiler you must specify a URI to bind to and a port to start the Cobalt Strike web-server from.

If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the System Profiler.

The System Profiler uses an unsigned Java Applet to decloak the target's internal IP address and determine which version of Java the target has. With Java's click-to-run security feature--this could raise suspicion. Uncheck the Use Java Applet to get information box to run the System Profiler without the Java Applet.

Check Enable SSL to serve this content over SSL. This option is available when you specify a valid SSL certificate in your Malleable C2 profile.

To view the results from the System Profiler, go to View -> Applications. Cobalt Strike will list all of the applications it discovered during the system profiling process.