Exemplo n.º 1
0
def mp_worker(BITS, PORT, HTTP, output_list, host):
    print("Checking {}".format(host))
    if not host.startswith("http"):
        if HTTP == True:
            host = "http://{0}:{1}".format(host, PORT)
        else:
            host = "https://{0}:{1}".format(host, PORT)
    if BITS == 64:
        uri = "/aad7"
    else:
        uri = "/aaa9"
    try:
        r = requests.get(urljoin(host, uri),
                         headers={'user-agent': ua},
                         verify=False,
                         timeout=5)
        if r.status_code == 200:
            data = r.content
            if data.startswith(b"\xfc\xe8"):
                beacon = decrypt_beacon(data)
                if beacon:
                    config = decode_config(beacon)
                    if config:
                        print(f"Payload {BITS} bits found")
                        config["port"] = int(PORT)
                        config["host"] = host
                        config["result"] = "Found"
                        output_list.append(config)
                    else:
                        config = dict()
                        config["port"] = int(PORT)
                        config["host"] = host
                        config["result"] = "Config Extraction Failed"
                        output_list.append(config)
                        print("Config extraction failed")
                else:
                    config = dict()
                    print("Beacon extraction failed")
                    config["port"] = int(PORT)
                    config["host"] = host
                    config["result"] = "Beacon Extraction Failed"
                    output_list.append(config)
            elif data.startswith(b"MZ"):
                config = decode_config(beacon)
                if config:
                    print(f"Payload {BITS} bits found")
                    config["port"] = int(PORT)
                    config["host"] = host
                    config["result"] = "Found"
                    output_list.append(config)
                else:
                    config = dict()
                    print("Config extraction failed")
                    config["port"] = int(PORT)
                    config["host"] = host
                    config["result"] = "Config Extraction Failed"
                    output_list.append(config)
            else:
                config = dict()
                print(f"No {BITS} bits payload")
                config["port"] = int(PORT)
                config["host"] = host
                config["result"] = "Not Found"
                output_list.append(config)
        else:
            config = dict()
            print(f"No {BITS} bits payload")
            config["port"] = int(PORT)
            config["host"] = host
            config["result"] = "Not Found"
            output_list.append(config)
    except Exception as e:
        print("Request failed : " + str(e))
        config = dict()
        config["port"] = int(PORT)
        config["host"] = host
        config["result"] = "Request Failed"
        output_list.append(config)
Exemplo n.º 2
0
Author : Etienne Maynier, Amnesty Tech
Email: [email protected]
Date : March 2020
"""

if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description='Extract Cobalt Strike payload')
    parser.add_argument('PAYLOAD', help='An encrypted Cobalt Strike beacon')
    args = parser.parse_args()

    if not os.path.isfile(args.PAYLOAD):
        print("Not a file")
        sys.exit(-1)

    with open(args.PAYLOAD, "rb") as f:
        data = f.read()

    if data.startswith(b"\xfc\xe8") or data.startswith(b"\xfc\x48"):
        # Encrypted beacon
        payload = decrypt_beacon(data)
        if payload:
            with open(args.PAYLOAD + "_payload", "wb+") as f:
                f.write(payload)
            print("Payload written in {}".format(args.PAYLOAD + "_payload"))
        else:
            print(
                "Looks like an encrypted beacon but impossible to find the base address"
            )
Exemplo n.º 3
0
def scan(host):
    print("Checking {}".format(host))
    https_domain = get_subject(host)
    # if host.strip() == "":
    #     continue
    host_ori = host
    if not host.startswith("http"):
        host = "https://{}".format(host)
    try:
        r = requests.get(urljoin(host, "/aaa9"), headers={'user-agent': ua}, verify=False, timeout=3)
        if r.status_code == 200:
            data = r.content
            if data.startswith(b"\xfc\xe8"):
                beacon = decrypt_beacon(data)
                if beacon:
                    config = decode_config(beacon)
                    if config:
                        lock.acquire()
                        csvout.writerow([
                            host_ori,
                            "Found",
                            config["ssl"],
                            config["port"],
                            config[".http-get.uri"].split(',')[0],
                            https_domain,
                            config[".http-get.uri"].split(',')[1],
                            config[".http-post.uri"],
                            config[".user-agent"],
                            config[".watermark"]
                        ])
                        lock.release()
                        print("Payload found")
                    else:
                        lock.acquire()
                        csvout.writerow([host, "Config Extraction Failed", "", "", "", "", "", ""])
                        lock.release()
                        print("Config extraction failed")
                else:
                    lock.acquire()
                    csvout.writerow([host, "Beacon Extraction Failed", "", "", "", "", "", ""])
                    lock.release()
                    print("Beacon extraction failed")
            elif data.startswith(b"MZ"):
                beacon = decrypt_beacon(data)
                config = decode_config(beacon)
                if config:
                    lock.acquire()
                    csvout.writerow([
                        host,
                        "Found",
                        config["ssl"],
                        config["port"],
                        config[".http-get.uri"].split(',')[0],
                        https_domain,
                        config[".http-get.uri"].split(',')[1],
                        config[".http-post.uri"],
                        config[".user-agent"],
                        config[".watermark"]
                    ])
                    lock.release()
                    print("Payload found")
                else:
                    lock.acquire()
                    csvout.writerow([host, "Config Extraction Failed", "", "", "", "", "", ""])
                    lock.release()
                    print("Config extraction failed")
            else:
                # csvout.writerow([host, "Not Found", "", "", "", "", "", ""])
                print("No x86 payload")
        else:
            # csvout.writerow([host, "Not Found", "", "", "", "", "", ""])
            print("No x86 payload")
    # except (requests.exceptions.ChunkedEncodingError, requests.exceptions.ConnectionError, requests.exceptions.ReadTimeout, requests.exceptions.TooManyRedirects, requests.exceptions.ContentDecodingError):
    except Exception as e:
        # csvout.writerow([host, "Failed", "", "", "", "", "", ""])
        print(str(e))
        print("Request failed")
Exemplo n.º 4
0
    for host in hosts:
        print("Checking {}".format(host))
        if host.strip() == "":
            continue
        if not host.startswith("http"):
            host = "https://{}".format(host)
        try:
            r = requests.get(urljoin(host, "/aaa9"),
                             headers={'user-agent': ua},
                             verify=False,
                             timeout=5)
            if r.status_code == 200:
                data = r.content
                if data.startswith(b"\xfc\xe8"):
                    beacon = decrypt_beacon(data)
                    if beacon:
                        config = decode_config(beacon)
                        if config:
                            csvout.writerow([
                                host, "Found", config["ssl"], config["port"],
                                config[".http-get.uri"],
                                config[".http-post.uri"],
                                config[".user-agent"], config[".watermark"]
                            ])
                            print("Payload found")
                        else:
                            csvout.writerow([
                                host, "Config Extraction Failed", "", "", "",
                                "", "", ""
                            ])
Exemplo n.º 5
0
def scan_beacon(HOST):
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    print("Checking {}".format(HOST))
    try:
        r = requests.get(urljoin(HOST, "/aaa9"),
                         headers={'user-agent': ua},
                         verify=False,
                         timeout=5)
        if r.status_code == 200:
            data = r.content
            if data.startswith(b"\xfc\xe8"):
                beacon = decrypt_beacon(data)
                if beacon:
                    config = decode_config(beacon)
                    if config:
                        #print("Configuration of the x86 payload:")
                        for d in config:
                            if isinstance(config[d], bytearray):
                                #pass
                                print("{:30} {}".format(d, config[d].hex()))
                            else:
                                #pass
                                print("{:30} {}".format(d, config[d]))
                        print("")
                        return (config["publickey"].strip(b'\x00'),
                                config[".http-get.uri"], config["port"],
                                config["ssl"])
                    else:
                        print("x86: Impossible to extract the configuration")
                else:
                    print("x86: Impossible to extract beacon")
            elif data.startswith(b"MZ"):
                # Sometimes it returns a PE directly
                config = decode_config(data)
                if config:
                    print("Configuration of the x86 payload")
                    for d in config:
                        if "publickey" in d:
                            pass
                            #print(config[d])
                        if isinstance(config[d], bytearray):
                            pass
                            #print(d)
                            #print("{:30} {}".format(d, config[d].hex()))
                        else:
                            pass
                            #print("{:30} {}".format(d, config[d]))
                    print("")
                    return (config["publickey"].strip(b'\x00'))
                else:
                    print("x86: Impossible to extract the configuration")
            else:
                print("x86: Payload not found")
        else:
            print("x86: HTTP Status code {}".format(r.status_code))

        r = requests.get(urljoin(HOST, "aab9"),
                         headers={'user-agent': ua},
                         verify=False,
                         timeout=5)
        if r.status_code == 200:
            data = r.content
            if data.startswith(b"\xfc\xe8"):
                beacon = decrypt_beacon(data)
                if beacon:
                    config = decode_config(beacon)
                    if config:
                        for d in config:
                            print("Configuration of the x86_64 payload")
                            if isinstance(config[d], bytearray):
                                print("{:30} {}".format(d, config[d].hex()))
                            else:
                                print("{:30} {}".format(d, config[d]))
                        print("")
                        return (config["publickey"].strip(b'\x00'))
                    else:
                        print(
                            "x86_64: Impossible to extract the configuration")
                else:
                    print("x86_64: Impossible to extract beacon")
            elif data.startswith(b"MZ"):
                # Sometimes it returns a PE directly
                config = decode_config(data)
                if config:
                    print("Configuration of the x86_64 payload:")
                    for d in config:
                        if isinstance(config[d], bytearray):
                            print("{:30} {}".format(d, config[d].hex()))
                        else:
                            print("{:30} {}".format(d, config[d]))
                    print("")
                    return (config["publickey"].strip(b'\x00'))
                else:
                    print("x86_64: Impossible to extract the configuration")
            else:
                print("x86_64: Payload not found")
        else:
            print("x86_64: HTTP Status code {}".format(r.status_code))
    except (requests.exceptions.ChunkedEncodingError,
            requests.exceptions.ConnectionError,
            requests.exceptions.ReadTimeout,
            requests.exceptions.TooManyRedirects,
            requests.exceptions.ContentDecodingError):
        #print("Request failed")
        pass