def mp_worker(BITS, PORT, HTTP, output_list, host):
print("Checking {}".format(host))
if not host.startswith("http"):
if HTTP == True:
host = "http://{0}:{1}".format(host, PORT)
else:
host = "https://{0}:{1}".format(host, PORT)
if BITS == 64:
uri = "/aad7"
else:
uri = "/aaa9"
try:
r = requests.get(urljoin(host, uri),
headers={'user-agent': ua},
verify=False,
timeout=5)
if r.status_code == 200:
data = r.content
if data.startswith(b"\xfc\xe8"):
beacon = decrypt_beacon(data)
if beacon:
config = decode_config(beacon)
if config:
print(f"Payload {BITS} bits found")
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Found"
output_list.append(config)
else:
config = dict()
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Config Extraction Failed"
output_list.append(config)
print("Config extraction failed")
else:
config = dict()
print("Beacon extraction failed")
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Beacon Extraction Failed"
output_list.append(config)
elif data.startswith(b"MZ"):
config = decode_config(beacon)
if config:
print(f"Payload {BITS} bits found")
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Found"
output_list.append(config)
else:
config = dict()
print("Config extraction failed")
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Config Extraction Failed"
output_list.append(config)
else:
config = dict()
print(f"No {BITS} bits payload")
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Not Found"
output_list.append(config)
else:
config = dict()
print(f"No {BITS} bits payload")
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Not Found"
output_list.append(config)
except Exception as e:
print("Request failed : " + str(e))
config = dict()
config["port"] = int(PORT)
config["host"] = host
config["result"] = "Request Failed"
output_list.append(config)
Author : Etienne Maynier, Amnesty Tech Email: [email protected] Date : March 2020 """ if __name__ == "__main__": parser = argparse.ArgumentParser( description='Extract Cobalt Strike payload') parser.add_argument('PAYLOAD', help='An encrypted Cobalt Strike beacon') args = parser.parse_args() if not os.path.isfile(args.PAYLOAD): print("Not a file") sys.exit(-1) with open(args.PAYLOAD, "rb") as f: data = f.read() if data.startswith(b"\xfc\xe8") or data.startswith(b"\xfc\x48"): # Encrypted beacon payload = decrypt_beacon(data) if payload: with open(args.PAYLOAD + "_payload", "wb+") as f: f.write(payload) print("Payload written in {}".format(args.PAYLOAD + "_payload")) else: print( "Looks like an encrypted beacon but impossible to find the base address" )
def scan(host):
print("Checking {}".format(host))
https_domain = get_subject(host)
# if host.strip() == "":
# continue
host_ori = host
if not host.startswith("http"):
host = "https://{}".format(host)
try:
r = requests.get(urljoin(host, "/aaa9"), headers={'user-agent': ua}, verify=False, timeout=3)
if r.status_code == 200:
data = r.content
if data.startswith(b"\xfc\xe8"):
beacon = decrypt_beacon(data)
if beacon:
config = decode_config(beacon)
if config:
lock.acquire()
csvout.writerow([
host_ori,
"Found",
config["ssl"],
config["port"],
config[".http-get.uri"].split(',')[0],
https_domain,
config[".http-get.uri"].split(',')[1],
config[".http-post.uri"],
config[".user-agent"],
config[".watermark"]
])
lock.release()
print("Payload found")
else:
lock.acquire()
csvout.writerow([host, "Config Extraction Failed", "", "", "", "", "", ""])
lock.release()
print("Config extraction failed")
else:
lock.acquire()
csvout.writerow([host, "Beacon Extraction Failed", "", "", "", "", "", ""])
lock.release()
print("Beacon extraction failed")
elif data.startswith(b"MZ"):
beacon = decrypt_beacon(data)
config = decode_config(beacon)
if config:
lock.acquire()
csvout.writerow([
host,
"Found",
config["ssl"],
config["port"],
config[".http-get.uri"].split(',')[0],
https_domain,
config[".http-get.uri"].split(',')[1],
config[".http-post.uri"],
config[".user-agent"],
config[".watermark"]
])
lock.release()
print("Payload found")
else:
lock.acquire()
csvout.writerow([host, "Config Extraction Failed", "", "", "", "", "", ""])
lock.release()
print("Config extraction failed")
else:
# csvout.writerow([host, "Not Found", "", "", "", "", "", ""])
print("No x86 payload")
else:
# csvout.writerow([host, "Not Found", "", "", "", "", "", ""])
print("No x86 payload")
# except (requests.exceptions.ChunkedEncodingError, requests.exceptions.ConnectionError, requests.exceptions.ReadTimeout, requests.exceptions.TooManyRedirects, requests.exceptions.ContentDecodingError):
except Exception as e:
# csvout.writerow([host, "Failed", "", "", "", "", "", ""])
print(str(e))
print("Request failed")
for host in hosts:
print("Checking {}".format(host))
if host.strip() == "":
continue
if not host.startswith("http"):
host = "https://{}".format(host)
try:
r = requests.get(urljoin(host, "/aaa9"),
headers={'user-agent': ua},
verify=False,
timeout=5)
if r.status_code == 200:
data = r.content
if data.startswith(b"\xfc\xe8"):
beacon = decrypt_beacon(data)
if beacon:
config = decode_config(beacon)
if config:
csvout.writerow([
host, "Found", config["ssl"], config["port"],
config[".http-get.uri"],
config[".http-post.uri"],
config[".user-agent"], config[".watermark"]
])
print("Payload found")
else:
csvout.writerow([
host, "Config Extraction Failed", "", "", "",
"", "", ""
])
def scan_beacon(HOST):
ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("Checking {}".format(HOST))
try:
r = requests.get(urljoin(HOST, "/aaa9"),
headers={'user-agent': ua},
verify=False,
timeout=5)
if r.status_code == 200:
data = r.content
if data.startswith(b"\xfc\xe8"):
beacon = decrypt_beacon(data)
if beacon:
config = decode_config(beacon)
if config:
#print("Configuration of the x86 payload:")
for d in config:
if isinstance(config[d], bytearray):
#pass
print("{:30} {}".format(d, config[d].hex()))
else:
#pass
print("{:30} {}".format(d, config[d]))
print("")
return (config["publickey"].strip(b'\x00'),
config[".http-get.uri"], config["port"],
config["ssl"])
else:
print("x86: Impossible to extract the configuration")
else:
print("x86: Impossible to extract beacon")
elif data.startswith(b"MZ"):
# Sometimes it returns a PE directly
config = decode_config(data)
if config:
print("Configuration of the x86 payload")
for d in config:
if "publickey" in d:
pass
#print(config[d])
if isinstance(config[d], bytearray):
pass
#print(d)
#print("{:30} {}".format(d, config[d].hex()))
else:
pass
#print("{:30} {}".format(d, config[d]))
print("")
return (config["publickey"].strip(b'\x00'))
else:
print("x86: Impossible to extract the configuration")
else:
print("x86: Payload not found")
else:
print("x86: HTTP Status code {}".format(r.status_code))
r = requests.get(urljoin(HOST, "aab9"),
headers={'user-agent': ua},
verify=False,
timeout=5)
if r.status_code == 200:
data = r.content
if data.startswith(b"\xfc\xe8"):
beacon = decrypt_beacon(data)
if beacon:
config = decode_config(beacon)
if config:
for d in config:
print("Configuration of the x86_64 payload")
if isinstance(config[d], bytearray):
print("{:30} {}".format(d, config[d].hex()))
else:
print("{:30} {}".format(d, config[d]))
print("")
return (config["publickey"].strip(b'\x00'))
else:
print(
"x86_64: Impossible to extract the configuration")
else:
print("x86_64: Impossible to extract beacon")
elif data.startswith(b"MZ"):
# Sometimes it returns a PE directly
config = decode_config(data)
if config:
print("Configuration of the x86_64 payload:")
for d in config:
if isinstance(config[d], bytearray):
print("{:30} {}".format(d, config[d].hex()))
else:
print("{:30} {}".format(d, config[d]))
print("")
return (config["publickey"].strip(b'\x00'))
else:
print("x86_64: Impossible to extract the configuration")
else:
print("x86_64: Payload not found")
else:
print("x86_64: HTTP Status code {}".format(r.status_code))
except (requests.exceptions.ChunkedEncodingError,
requests.exceptions.ConnectionError,
requests.exceptions.ReadTimeout,
requests.exceptions.TooManyRedirects,
requests.exceptions.ContentDecodingError):
#print("Request failed")
pass
