Cobalt Strike team server password brute force tool

Script to brute force Cobalt Strike team server passwords.


python3 [-h] [-p PORT] [-t THREADS] host [wordlist]

Default port is 50050. Wordlist can be supplied via stdin as such:

cat wordlist.txt | python3

Tested at up to 138 attempts per second.


Cobalt Strike team server has no mitigation for password brute force attacks.

Mitigation Update

Cobalt Strike 3.10 (Released Dec 11, 2017) imposes a 1 second delay between attempts as a mitigation for this attack.


The Cobalt Strike team server requires two types of authentication. The first is a raw data type of authentication ostensibly used to protect the socket. The second is a Java serialized object based authentication which includes the mostly symbolic user name. This script attempts to brute force the former authentication type, which includes no rate limiting or account lockout mechanism.

Both of these authentication types are wrapped in an SSL socket, with a certificate containing the following subject:

/C=Earth/ST=Cyberspace/L=Somewhere/O=cobaltstrike/OU=AdvancedPenTesting/CN=Major Cobalt Strike

This certificate is baked into the Cobalt Strike Java Keystore, which is easier to change if you use one of the default keystore passwords: 123456

The first authentication request is a fixed-length 261 byte command, defined roughly as follows:

4 Byte Magic \x00\x00\xBE\xEF
1 Byte Password Length (unsigned int)
Password (unsigned int cast char array)
Padding \x41 "A" * ( 256 - Length( Password ) )

On the wire it looks roughly like this; the padding is ignored and can be anything. The authentication routine will read up to 256 bytes, as given by Length.


If the password supplied matches the password defined when starting the team server, the team server replies with a 4 byte magic. This password cannot be empty (zero length).


Otherwise, the team server returns null.


Once this phase is completed successfully, the team server expects a serialized object class called Request.

On the team server, the following log entries are sent to stdout during brute force authentication.

Invalid password:

[-] rejected client from invalid password

Valid password:

[!] Trapped during client ( read [Manage: unauth'd user]: null

An error is thrown because the socket is closed immediately after an attempt.
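
For defenders, the two stdout lines above are enough to detect this activity on a team server. The following is an added example, not part of the original script or README: it flags a burst of rejections and, separately, a "Trapped ... unauth'd user" line that arrives while rejections are still recent, which suggests a guess succeeded. The stdout lines shown above carry no timestamps, so the example assumes the caller stamps each line as it is read; the function name, window, threshold and sample events are all constructed for illustration.

```python
from collections import deque

# Substrings taken from the team server stdout lines quoted above.
REJECTED = "rejected client from invalid password"
TRAPPED = ("Trapped during client", "unauth'd user")


def analyze(events, window=60, threshold=5):
    """Scan (timestamp_seconds, stdout_line) pairs given in time order.

    Returns a list of (timestamp, kind) findings:
      'bruteforce'       - threshold rejections seen inside the window
      'probable_success' - a valid first-stage password followed by an
                           immediate disconnect, while rejections are
                           still inside the window
    """
    recent = deque()   # timestamps of rejections inside the window
    alerted = False    # report each burst of rejections only once
    findings = []
    for ts, line in events:
        # Drop rejections that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if not recent:
            alerted = False
        if REJECTED in line:
            recent.append(ts)
            if len(recent) >= threshold and not alerted:
                findings.append((ts, "bruteforce"))
                alerted = True
        elif all(part in line for part in TRAPPED) and recent:
            # On its own this line can come from a client that dropped;
            # next to recent rejections it points to a guessed password.
            findings.append((ts, "probable_success"))
    return findings


# Constructed sample: one rejection per second (the 3.10 delay), then a hit,
# then an unrelated dropped client and a single mistyped password much later.
SAMPLE = [(i, "[-] rejected client from invalid password") for i in range(6)] + [
    (6, "[!] Trapped during client ( read [Manage: unauth'd user]: null"),
    (500, "[!] Trapped during client ( read [Manage: unauth'd user]: null"),
    (900, "[-] rejected client from invalid password"),
]

if __name__ == "__main__":
    for ts, kind in analyze(SAMPLE):
        print(ts, kind)
```

A 'probable_success' finding means the team server password should be treated as known to the remote party and rotated.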
