Created
October 2, 2020 16:21
-
-
Save hotnops/e19a42a792950f4ef996d75a6e1bae35 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import java.io.DataOutputStream; | |
import java.net.HttpURLConnection; | |
import java.net.URL; | |
sub oplog::saveToDisk { | |
local('$timestamp $localIP $destIP $userContext $command $operator $oplog_id $logfile $data $header $handle $error'); | |
$timestamp = $1; | |
$localIP = $2; | |
$destIP = $3; | |
$userContext = $4; | |
$command = $5; | |
$operator = $6; | |
$oplog_id = "CHANGEME"; | |
$logfile = script_resource("offline_logs.csv"); | |
if(!-isFile $logfile){ | |
println("[-] Activity tracker not detected, creating new file"); | |
$error = createNewFile($logfile); | |
$header = "oplog_id,start_date,end_date,source_ip,dest_ip,tool,user_context,command,description,output,comments,operator_name\n"; | |
if (checkError($error)) | |
{ | |
println($error); | |
} | |
$handle = openf(">>$logfile"); | |
writeb($handle, $header); | |
closef($handle); | |
} | |
$data = $oplog_id; | |
$data .= ","; | |
$data .= $timestamp; | |
$data .= ","; | |
$data .= $timestamp; | |
$data .= ",\""; | |
$data .= $localIP; | |
$data .= "\",\""; | |
$data .= $destIP; | |
$data .= "\","; | |
$data .= "beacon"; | |
$data .= ",\""; | |
$data .= $userContext; | |
$data .= "\",\""; | |
$data .= $command; | |
$data .= "\","; | |
$data .= ","; | |
$data .= ","; | |
$data .= ",\""; | |
$data .= $operator; | |
$data .= "\"\n"; | |
$handle = openf(">>$logfile"); | |
writeb($handle, $data); | |
closef($handle); | |
} | |
on beacon_input { | |
local('$url $oplog_id $url $operator $data $api_key $urlobj $con $wr $responseCode $resp_code $localIP $destIP $userContext $command $logfile $header'); | |
$url = "CHANGEME"; | |
$oplog_id = "CHANGEME"; | |
if([$url isEmpty]) { | |
return; | |
} | |
if($oplog_id == 0) { | |
return; | |
} | |
if ([$3 startsWith: "<--"] || [$3 startsWith: "#"]) { | |
return; | |
} | |
$url .= "/oplog/api/entries/"; | |
local('$bid $hostname $user $desc $mtime $hostname'); | |
$bid = $1; | |
$operator = $2; | |
$desc = $3; | |
$mtime = $4; | |
$hostname = binfo($bid, 'computer'); | |
$user = binfo($bid, 'user'); | |
$data = "{"; | |
$data .= "\"source_ip\":\""; | |
$data .= localip(); | |
$data .= "\","; | |
$data .= "\"dest_ip\":\""; | |
$data .= $hostname; | |
$data .= "\","; | |
$data .= "\"tool\":\"beacon\","; | |
$data .= "\"user_context\":\""; | |
$data .= $user; | |
$data .= "\","; | |
$data .= "\"command\":\""; | |
$data .= $desc; | |
$data .= "\","; | |
$data .= "\"output\":\"\","; | |
$data .= "\"comments\":\"\","; | |
$data .= "\"operator_name\":\""; | |
$data .= $operator; | |
$data .= "\","; | |
$data .= "\"oplog_id\":"; | |
$data .= $oplog_id; | |
$data .= "}"; | |
$resp_code = oplog::post_command($data); | |
if($resp_code != 201) { | |
println("[Error] Response code from Oplog API: " . $responseCode); | |
oplog::saveToDisk($mtime, localip(), $hostname, $user, $desc, $operator); | |
} | |
} | |
sub oplog::post_command { | |
local('$1 $urlobj $con $wr $responseCode $api_key $url'); | |
$url = "CHANGEME"; | |
if([$url isEmpty]) { | |
return; | |
} | |
$url .= "/oplog/api/entries/"; | |
$api_key = "CHANGEME"; | |
$urlobj = [new URL: $url]; | |
try | |
{ | |
$con = [$urlobj openConnection]; | |
[$con setRequestProperty: "User-Agent", "BEACON"]; | |
[$con setRequestMethod: "POST"]; | |
[$con setDoOutput: true]; | |
[$con setConnectTimeout: 5000]; | |
[$con setRequestProperty: "Content-Type", "application/json"]; | |
[$con setRequestProperty: "Authorization", "Api-Key " . $api_key]; | |
$wr = [new DataOutputStream: [$con getOutputStream]]; | |
[$wr writeBytes: $1]; | |
[$wr flush]; | |
[$wr close]; | |
} | |
catch $exception | |
{ | |
return 0; | |
} | |
$responseCode = [$con getResponseCode]; | |
return $responseCode; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment