CodeXTF2/Burp2Malleable CodeXTF2/Burp2Malleable

  • Stars
    star
    347
  • Rank 121,453 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created about 2 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
CodeXTF2/Burp2Malleable
github

CodeXTF2

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles

Burp2Malleable

Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles. It lets you take captured/crafted requests from BurpSuite (or ZAP, POSTMAN etc.) of what you want your traffic to look like/blend in with, and turns them into CobaltStrike Malleable C2 profiles. It allows the operator to choose where their data is stored and in what format, so that the traffic looks as clean as possible.

Feel free to create issues for feature requests or bugs etc!

Installation

pip install -r requirements.txt

Usage

python burp2malleable.py request.txt response.txt

image

Example request and response

POST /api/v9/auth/login HTTP/1.1
Host: discord.com
X-Super-Properties: eyJvcyI6IldpbH0=
X-Fingerprint: 1008685949565288488.PHKwXlnLkLRgcC2N8fC2zosjGKc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

{"login":"[email protected]","password":"bsdfv","undelete":false,"captcha_key":null,"login_source":null,"gift_code_sku_id":null}



HTTP/1.1 400 Bad Request
Date: Mon, 15 Aug 2022 10:38:13 GMT
Content-Type: application/json
Content-Length: 127
Connection: close
access-control-allow-origin: https://discord.com
access-control-allow-credentials: true
access-control-allow-methods: POST, GET, PUT, PATCH, DELETE
access-control-allow-headers: Content-Type, Authorization, X-Audit-Log-Reason, X-Track, X-Super-Properties, X-Context-Properties, X-Failed-Requests, X-Fingerprint, X-RPC-Proxy, X-Discord-Locale, X-Debug-Options, x-client-trace-id, If-None-Match, Range, X-RateLimit-Precision
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-envoy-upstream-service-time: 40
Via: 1.1 google
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NVkTuc0Tiecsv86A00v9WwDmAGBhWkOIUSbzNAmn7bbAEuwnrV8j1%2BNMu8qkv6yLwwy6izaKGbhzvNCLUrKlKUm1mjN8L3e2qu4mjYSmMI%2Bj5mLbso23JbU1P2Ah"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 73b14ca4bbd187d8-SIN

{"captcha_key": ["captcha-required"], "captcha_sitekey": "f5561ba9-8f1e-40ca-9b5b-a0b3f719ef34", "captcha_service": "hcaptcha"}

Example generated profile


############################################################################
# Generated by Burp2Malleable - https://github.com/CodeXTF2/Burp2Malleable #     
# By: CodeX                                                                #
############################################################################
# Automatically generated with pyMalleableC2
# https://github.com/Porchetta-Industries/pyMalleableC2
#
# !!! Make sure to run this profile through c2lint before using !!!

http-get {
    set verb "POST";
    set uri "/api/v9/auth/login";
    client {
        header "Host" "discord.com";
        header "X-Super-Properties" "eyJvcyI6IldpbH0=";
        header "X-Fingerprint" "1008685949565288488.PHKwXlnLkLRgcC2N8fC2zosjGKc";
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36";
        parameter "sad" "yes";
        metadata {
            mask;
            base64url;
            prepend "";
            append "";
            header "a";
        }
    }
    server {
        output {
            mask;
            base64url;
            prepend "{'captcha_key': ['captcha-required'], 'captcha_sitekey': '";
            append "', 'captcha_service': 'hcaptcha'}";
            print;
        }
        header "Date" "Mon, 15 Aug 2022 10:38:13 GMT";
        header "Content-Type" "application/json";
        header "Content-Length" "127";
        header "Connection" "close";
        header "access-control-allow-origin" "https://discord.com";
        header "access-control-allow-credentials" "true";
        header "access-control-allow-methods" "POST, GET, PUT, PATCH, DELETE";
        header "access-control-allow-headers" "Content-Type, Authorization, X-Audit-Log-Reason, X-Track, X-Super-Properties, X-Context-Properties, X-Failed-Requests, X-Fingerprint, X-RPC-Proxy, X-Discord-Locale, X-Debug-Options, x-client-trace-id, If-None-Match, Range, X-RateLimit-Precision";
        header "strict-transport-security" "max-age=31536000; includeSubDomains; preload";
        header "x-envoy-upstream-service-time" "40";
        header "Via" "1.1 google";
        header "Alt-Svc" "h3=':443'; ma=86400, h3-29=':443'; ma=86400";
        header "CF-Cache-Status" "DYNAMIC";
        header "Expect-CT" "max-age=604800, report-uri='https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct'";
        header "Report-To" "{'endpoints':[{'url':'https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=NVkTuc0Tiecsv86A00v9WwDmAGBhWkOIUSbzNAmn7bbAEuwnrV8j1%2BNMu8qkv6yLwwy6izaKGbhzvNCLUrKlKUm1mjN8L3e2qu4mjYSmMI%2Bj5mLbso23JbU1P2Ah'}],'group':'cf-nel','max_age':604800}";
        header "NEL" "{'success_fraction':0,'report_to':'cf-nel','max_age':604800}";
        header "X-Content-Type-Options" "nosniff";
        header "Server" "cloudflare";
        header "CF-RAY" "73b14ca4bbd187d8-SIN";
    }
}
http-post {
    set verb "POST";
    set uri "/API/V9/AUTH/LOGIN";
    client {
        parameter "sad" "yes";
        header "Host" "discord.com";
        header "X-Super-Properties" "eyJvcyI6IldpbH0=";
        header "X-Fingerprint" "1008685949565288488.PHKwXlnLkLRgcC2N8fC2zosjGKc";
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36";
        id {
            mask;
            base64url;
            header "b";
        }
        output {
            mask;
            base64url;
            prepend "{'login':'[email protected]','password':'bsdfv','undelete':false,'cap";
            append "tcha_key':null,'login_source':null,'gift_code_sku_id':null}";
            print;
        }
    }
    server {
        output {
            mask;
            base64url;
            prepend "{'captcha_key': ['captcha-required'], 'captcha_sitekey': 'f5561";
            append "ba9-8f1e-40ca-9b5b-a0b3f719ef34', 'captcha_service': 'hcaptcha'}";
            print;
        }
        header "Date" "Mon, 15 Aug 2022 10:38:13 GMT";
        header "Content-Type" "application/json";
        header "Content-Length" "127";
        header "Connection" "close";
        header "access-control-allow-origin" "https://discord.com";
        header "access-control-allow-credentials" "true";
        header "access-control-allow-methods" "POST, GET, PUT, PATCH, DELETE";
        header "access-control-allow-headers" "Content-Type, Authorization, X-Audit-Log-Reason, X-Track, X-Super-Properties, X-Context-Properties, X-Failed-Requests, X-Fingerprint, X-RPC-Proxy, X-Discord-Locale, X-Debug-Options, x-client-trace-id, If-None-Match, Range, X-RateLimit-Precision";
        header "strict-transport-security" "max-age=31536000; includeSubDomains; preload";
        header "x-envoy-upstream-service-time" "40";
        header "Via" "1.1 google";
        header "Alt-Svc" "h3=':443'; ma=86400, h3-29=':443'; ma=86400";
        header "CF-Cache-Status" "DYNAMIC";
        header "Expect-CT" "max-age=604800, report-uri='https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct'";
        header "Report-To" "{'endpoints':[{'url':'https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=NVkTuc0Tiecsv86A00v9WwDmAGBhWkOIUSbzNAmn7bbAEuwnrV8j1%2BNMu8qkv6yLwwy6izaKGbhzvNCLUrKlKUm1mjN8L3e2qu4mjYSmMI%2Bj5mLbso23JbU1P2Ah'}],'group':'cf-nel','max_age':604800}";
        header "NEL" "{'success_fraction':0,'report_to':'cf-nel','max_age':604800}";
        header "X-Content-Type-Options" "nosniff";
        header "Server" "cloudflare";
        header "CF-RAY" "73b14ca4bbd187d8-SIN";
    }
}

./c2lint

===============
default
===============

http-get
--------
POST /api/v9/auth/login?sad=yes HTTP/1.1
Host: discord.com
X-Super-Properties: eyJvcyI6IldpbH0=
X-Fingerprint: 1008685949565288488.PHKwXlnLkLRgcC2N8fC2zosjGKc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
a: xX1eg2uo_iO0ahkT32lKnTqae5A

HTTP/1.1 200 OK
Content-Length: 127
Date: Mon, 15 Aug 2022 10:38:13 GMT
Content-Type: application/json
Connection: close
access-control-allow-origin: https://discord.com
access-control-allow-credentials: true
access-control-allow-methods: POST, GET, PUT, PATCH, DELETE
access-control-allow-headers: Content-Type, Authorization, X-Audit-Log-Reason, X-Track, X-Super-Properties, X-Context-Properties, X-Failed-Requests, X-Fingerprint, X-RPC-Proxy, X-Discord-Locale, X-Debug-Options, x-client-trace-id, If-None-Match, Range, X-RateLimit-Precision
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-envoy-upstream-service-time: 40
Via: 1.1 google
Alt-Svc: h3=':443'; ma=86400, h3-29=':443'; ma=86400
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri='https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct'
Report-To: {'endpoints':[{'url':'https:\/\/a.nel.cloudflare.com\/report\/v3?s=NVkTuc0Tiecsv86A00v9WwDmAGBhWkOIUSbzNAmn7bbAEuwnrV8j1%2BNMu8qkv6yLwwy6izaKGbhzvNCLUrKlKUm1mjN8L3e2qu4mjYSmMI%2Bj5mLbso23JbU1P2Ah'}],'group':'cf-nel','max_age':604800}
NEL: {'success_fraction':0,'report_to':'cf-nel','max_age':604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 73b14ca4bbd187d8-SIN

{'captcha_key': ['captcha-required'], 'captcha_sitekey': '--Woyg0lFs9RSmfR69tWlPeDuePXOQ_oxE2EtEvVBAKoILKIS42z2VfnfuGcpiH7LIiIpkiB2wfJpQYUv_jG3Q6BERA', 'captcha_service': 'hcaptcha'}

http-post
---------
POST /API/V9/AUTH/LOGIN?sad=yes HTTP/1.1
Host: discord.com
X-Super-Properties: eyJvcyI6IldpbH0=
X-Fingerprint: 1008685949565288488.PHKwXlnLkLRgcC2N8fC2zosjGKc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
b: 8Qwdy8k1LfnC
Content-Length: 145

{'login':'[email protected]','password':'bsdfv','undelete':false,'capMl6axjTOnr49ZZGv6DTxgTmm8JYtcha_key':null,'login_source':null,'gift_code_sku_id':null}

HTTP/1.1 200 OK
Content-Length: 127
Date: Mon, 15 Aug 2022 10:38:13 GMT
Content-Type: application/json
Connection: close
access-control-allow-origin: https://discord.com
access-control-allow-credentials: true
access-control-allow-methods: POST, GET, PUT, PATCH, DELETE
access-control-allow-headers: Content-Type, Authorization, X-Audit-Log-Reason, X-Track, X-Super-Properties, X-Context-Properties, X-Failed-Requests, X-Fingerprint, X-RPC-Proxy, X-Discord-Locale, X-Debug-Options, x-client-trace-id, If-None-Match, Range, X-RateLimit-Precision
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-envoy-upstream-service-time: 40
Via: 1.1 google
Alt-Svc: h3=':443'; ma=86400, h3-29=':443'; ma=86400
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri='https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct'
Report-To: {'endpoints':[{'url':'https:\/\/a.nel.cloudflare.com\/report\/v3?s=NVkTuc0Tiecsv86A00v9WwDmAGBhWkOIUSbzNAmn7bbAEuwnrV8j1%2BNMu8qkv6yLwwy6izaKGbhzvNCLUrKlKUm1mjN8L3e2qu4mjYSmMI%2Bj5mLbso23JbU1P2Ah'}],'group':'cf-nel','max_age':604800}
NEL: {'success_fraction':0,'report_to':'cf-nel','max_age':604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 73b14ca4bbd187d8-SIN

{'captcha_key': ['captcha-required'], 'captcha_sitekey': 'f5561_kyvKAba9-8f1e-40ca-9b5b-a0b3f719ef34', 'captcha_service': 'hcaptcha'}


[+] POST 3x check passed
[+] .http-get.server.output size is good
[+] .http-get.client size is good
[+] .http-post.client size is good
[+] .http-get.client.metadata transform+mangle+recover passed (1 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (100 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (128 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (256 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (0 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (48248 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1048576 byte[s])
[+] .http-post.client.id transform+mangle+recover passed (4 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (0 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (1 byte[s])
[+] .http-post.client.output POSTs results
[+] .http-post.client.output transform+mangle+recover passed (48248 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (1048576 byte[s])

Work in progress, will be updated if I think of ideas. Feel free to submit issues/PRs/suggestions.

TODO

  • Detect base64 strings in original request and response and automatically use those to store beacon data

Credits

More Repositories

1

ScreenshotBOF

An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
C
339
star
2

WindowSpy

WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance.
C
254
star
3

maldev-links

My collection of malware dev links
219
star
4

cobaltstrike-headless

Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
144
star
5

HavocNotion

A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel. Not operationally safe or stable, built as a PoC to showcase Havoc C2's modular C2 channel interface.
Python
81
star
6

PyHmmm

Simple PoC Python agent to showcase Havoc C2's custom agent interface. Not operationally safe or stable. Released with accompanying blog post as a tutorial sample
Python
72
star
7

BusySleepBeacon

This is a simple project made to evade https://github.com/thefLink/Hunt-Sleeping-Beacons by using a busy wait instead of beacon's built in Sleep() call. Most of the structure e.g. Sleep hook, shellcode exec etc. are taken from mgeeky's https://github.com/mgeeky/ShellcodeFluctuation.
C++
29
star
8

evasion-adventures-files

Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"
C++
21
star
9

CobaltStrikeSoundBoard

Python
10
star
10

cobaltstrike-sleepmask-yara

Just a git repo for the sleepmask detection rule i found in https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
YARA
10
star
11

SharpAwareness

Light and more OPSEC friendly way for red teamers to gain quick situational awareness of both the host and the user.
C#
9
star
12

beacon_notify_discordhook

Probably the easiest way to setup new beacon notifications in Cobalt Strike
Python
8
star
13

goautodial-rce-exploit

Pops a shell on a goautodial server
Python
3
star
14

CodeXTF2

2
star
15

my-bashrc

My bashrc file
Shell
1
star
16

Simulated-User

Python
1
star
17

CodeXTF2.github.io

1
star
18

James-Server-RCE

Improved version of the james server RCE. Spawns a reverse shell that can bypass rbash ;)
Python
1
star
19

codexs-useful-utils

Misc utils I made here and there, collected in one place
PowerShell
1
star