oplog-sync.cna

import java.io.DataOutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

sub oplog::saveToDisk {
	local('$timestamp $localIP $destIP $userContext $command $operator $oplog_id $logfile $data $header $handle $error');
	$timestamp = $1;
	$localIP = $2;
	$destIP = $3;
	$userContext = $4;
	$command = $5;
	$operator = $6;
	$oplog_id = "CHANGEME";

	$logfile = script_resource("offline_logs.csv");
	if(!-isFile $logfile){
		println("[-] Activity tracker not detected, creating new file");
		$error = createNewFile($logfile);
		$header = "oplog_id,start_date,end_date,source_ip,dest_ip,tool,user_context,command,description,output,comments,operator_name\n";
		if (checkError($error))
		{
			println($error);
		}
		$handle = openf(">>$logfile");
		writeb($handle, $header);
		closef($handle);
	}

	$data = $oplog_id;
	$data .= ",";
	$data .= $timestamp;
	$data .= ",";
	$data .= $timestamp;
	$data .= ",\"";
	$data .= $localIP;
	$data .= "\",\"";
	$data .= $destIP;
	$data .= "\",";
	$data .= "beacon";
	$data .= ",\"";
	$data .= $userContext;
	$data .= "\",\"";
	$data .= $command;
	$data .= "\",";
	$data .= ",";
	$data .= ",";
	$data .= ",\"";
	$data .= $operator;
	$data .= "\"\n";

	$handle = openf(">>$logfile");
	writeb($handle, $data);
	closef($handle);

} 


on beacon_input {
	local('$url $oplog_id $url $operator $data $api_key $urlobj $con $wr $responseCode $resp_code $localIP $destIP $userContext $command $logfile $header');
	$url = "CHANGEME";
	$oplog_id = "CHANGEME";

	if([$url isEmpty]) {
		return;
	}
	if($oplog_id == 0) {
		return;
	}
	if ([$3 startsWith: "<--"] || [$3 startsWith: "#"]) {
		return;
	}

	$url .= "/oplog/api/entries/";
	local('$bid $hostname $user $desc $mtime $hostname');
	$bid = $1;
	$operator = $2;
	$desc = $3;
	$mtime = $4;
	$hostname = binfo($bid, 'computer');
	$user = binfo($bid, 'user');

	$data = "{";
	$data .= "\"source_ip\":\"";
	$data .= localip();
	$data .= "\",";
	$data .= "\"dest_ip\":\"";
	$data .= $hostname;
	$data .= "\",";
	$data .= "\"tool\":\"beacon\",";
	$data .= "\"user_context\":\"";
	$data .= $user;
	$data .= "\",";
	$data .= "\"command\":\"";
	$data .= $desc;
	$data .= "\",";
	$data .= "\"output\":\"\",";
	$data .= "\"comments\":\"\",";
	$data .= "\"operator_name\":\"";
	$data .= $operator;
	$data .= "\",";
	$data .= "\"oplog_id\":";
	$data .= $oplog_id;
	$data .= "}";

	$resp_code = oplog::post_command($data);

	if($resp_code != 201) {
		println("[Error] Response code from Oplog API: " . $responseCode);
		oplog::saveToDisk($mtime, localip(), $hostname, $user, $desc, $operator); 
	}
}

sub oplog::post_command {
	local('$1 $urlobj $con $wr $responseCode $api_key $url');
	$url = "CHANGEME";
	if([$url isEmpty]) {
		return;
	}
	$url .= "/oplog/api/entries/";

	$api_key = "CHANGEME";

	   $urlobj = [new URL: $url];

	try
	{
		$con = [$urlobj openConnection];
		[$con setRequestProperty: "User-Agent", "BEACON"];
		[$con setRequestMethod: "POST"];
		[$con setDoOutput: true];
		[$con setConnectTimeout: 5000];
		[$con setRequestProperty: "Content-Type", "application/json"];
		[$con setRequestProperty: "Authorization", "Api-Key " . $api_key];

		$wr = [new DataOutputStream: [$con getOutputStream]];
		[$wr writeBytes: $1];
		[$wr flush];
		[$wr close];

	}
	catch $exception
	{
		return 0;
	}

	$responseCode = [$con getResponseCode];
	return $responseCode;
}