breakid / redreaper Goto Github PK

Logonpasswords lists the most recent logons first, but the parsing module will attempt to parse all entries. This may result in older data overwriting newer data.

Add a parser for nslookup that will add DNS data.

Due to the way Cobalt Strike works (i.e., out-of-order execution and logging output with no information linking it to it's associated input), it is non-trivial to link input and output during post-processing. That said, it should be possible to limit the potential matches, potentially down to one in some cases.

Case 1:

• Error output reported by Cobalt Strike appears immediately after an invalid command. This would be an easy win.

Case 2:

• If there is only one input queued before a check-in, all output before the next input should be related to that one input (even if there are multiple output chunks).

Case 3:

• There is only one input of each output type before a check-in. In this case, with accurate output parsing, it should be possible to link the outputs to the inputs, even if they are executed out of order.

If there are multiples of each command, such as multiple dsqueries, it becomes extremely difficult to match input to output.

Figure out how to automatically map a DNS domain to an NT domain. Ideally this would be done using only information available via Cobalt Strike's built-in tools to eliminate the need to run specific commands on target systems. The less we have to rely on users to run specific commands, the better.

Remote dirs are currently logged under the source host rather than the destination. However, the data is related to the destination so it makes more sense to record it there.

Post-process host and domain data before printing. Prompt user for any missing DNS or NT domain data and re-categorize the data eliminate all 'unknowns'.

The way credentials are merged now, it's possible for more recent data to be overwritten by older data when re-categorizing "Unknown" data. This was known at the time, but the re-categorization code was particularly complex, and this was deemed "good enough" for a prototype.

Currently only A and CNAME records are parsed.

The ipconfig parser is currently limited to one IP of each version (4 or 6) per NIC.

The dsquery module currently relies on specific unique fields to be present per object type. Add logic to check for 'objectclass'; this should improve recognition when users run "-attr *".