PyBeacon - A Collection Of Scripts For Dealing With Cobalt Strike Beacons In Python

ID KITPLOIT:3581314572234466412
Type kitploit
Reporter KitPloit
Modified 2021-03-04T20:30:07


PyBeacon is a collection of scripts for dealing with Cobalt Strike's encrypted traffic.

It can encrypt/decrypt beacon metadata, as well as parse symmetric encrypted taskings

Scripts included

There is a small library which includes encryption/decoding methods, however some example scripts are included.

  • - this tool will simply decode a beacon DLL from a stager URL (you can use it to extract the public key).
  • - this tool deals with RSA encrypted metadata and can register a new (fake) beacon on a target Teamserver.
  • - this tool deals with AES encrypted taskings to/from the teamserver. Use it to send callbacks to the teamserver, or for decoding taskings from a Teamserver to the beacon.
  • ~~ - This is an implementation of the exploit used to exploit CS < 3.5-hf1, which was used in the wild to hack Cobalt Strike servers. It works by registering a beacon with a directory traversal in the IP address field. It then subsequently registers a download callback which causes the "download" to be uploaded anywhere on the target file system. The ITW exploit used a cronjob to achieve RCE. ~~


  • Add more task types to the task decoding logic
  • Add decoding for beacon taskings. At the moment some "generic" logic is used, but it's not really helpful

Download Pybeacon