Stars: 144 | Rank 254,059 (Top 6 %) | Created about 2 years ago | Updated about 2 years ago


Headless Strike

Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.

Usage

  • connect to your teamserver via the builtin headless aggressor utility (./agscript):

    ./agscript host port user password

  • load the .cna file:

    aggressor> load headless-strike.cna
    [+] Load headless-strike.cna

    █▀▀ █▀█ █▄▄ ▄▀█ █░░ ▀█▀ █▀ ▀█▀ █▀█ █ █▄▀ █▀▀
    █▄▄ █▄█ █▄█ █▀█ █▄▄ ░█░ ▄█ ░█░ █▀▄ █ █░█ ██▄  (headless)
    https://github.com/CodeXTF2/cobaltstrike-headless

    aggressor>

  • profit!

Commands

Currently, the following beacon commands are implemented:

beacons
blockdlls
cd
clear
dcsync
dir
download
downloads
drives
execute
execute-assembly
exit
getsystem
getuid
hashdump
help
history
info
inject
ipconfig
jobkill
jobs
jump
keylogger
keystrokes
kill
link
logonpasswords
make_token
mimikatz
mkdir
mv
net
note
powerpick
powerpick_inject
powershell
powershell_import
powershell_import_clear
ppid
ps
pwd
reload
remove
rev2self
rm
run
runu
screenshot
screenwatch
shell
shinject
shspawn
sleep
socks
socks_stop
spawn
spawnto
steal_token
sync_download
unlink
upload
use

The syntax is the same as in the GUI client. The only differences worth noting are:

  • ls is replaced with dir, because ./agscript already uses ls to list loaded scripts
  • use [beacon id] - start interacting with a beacon
  • beacons - list beacons
  • info - show info about the current beacon
  • sync_download - sync the teamserver downloads to local storage

Example

    aggressor> reload headless-strike.cna
    [+] Reload headless-strike.cna

    █▀▀ █▀█ █▄▄ ▄▀█ █░░ ▀█▀ █▀ ▀█▀ █▀█ █ █▄▀ █▀▀
    █▄▄ █▄█ █▄█ █▀█ █▄▄ ░█░ ▄█ ░█░ █▀▄ █ █░█ ██▄  (headless)
    https://github.com/CodeXTF2/cobaltstrike-headless

    beacons
    [+] Listing beacons
    ______________________
    |    beacon id       |
    1615823462 ( x64 ) ⛓ | IEUser @ MSEDGEWIN10 ( runonce.exe - 3228 ) | last: 49s | listener https  (via 1100299032)
    1100299032 ( x64 )   | IEUser @ MSEDGEWIN10 ( beacon.exe - 7048 ) | last: 49s | listener https

    use 1615823462
    [+] Interacting with beacon 1615823462

Why did I make this?

I had some fun recently with NetHunter (mobile Kali) and thought it would be a fun thing to be able to task beacons while not at a computer, such as if a Slack/Discord beacon notification came in while the operator was outside. This was my (hacky) solution :D Feel free to submit issues or PRs etc.

Have fun!

More Repositories

  • Burp2Malleable (Python, 347 stars): Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles
  • ScreenshotBOF (C, 339 stars): An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
  • WindowSpy (C, 254 stars): WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance.
  • maldev-links (219 stars): My collection of malware dev links
  • HavocNotion (Python, 81 stars): A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel. Not operationally safe or stable, built as a PoC to showcase Havoc C2's modular C2 channel interface.
  • PyHmmm (Python, 72 stars): Simple PoC Python agent to showcase Havoc C2's custom agent interface. Not operationally safe or stable. Released with accompanying blog post as a tutorial sample
  • BusySleepBeacon (C++, 29 stars): This is a simple project made to evade https://github.com/thefLink/Hunt-Sleeping-Beacons by using a busy wait instead of beacon's built in Sleep() call. Most of the structure e.g. Sleep hook, shellcode exec etc. are taken from mgeeky's https://github.com/mgeeky/ShellcodeFluctuation.
  • evasion-adventures-files (C++, 21 stars): Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"
  • CobaltStrikeSoundBoard (Python, 10 stars)
  • cobaltstrike-sleepmask-yara (YARA, 10 stars): Just a git repo for the sleepmask detection rule I found in https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
  • SharpAwareness (C#, 9 stars): Light and more OPSEC friendly way for red teamers to gain quick situational awareness of both the host and the user.
  • beacon_notify_discordhook (Python, 8 stars): Probably the easiest way to set up new beacon notifications in Cobalt Strike
  • goautodial-rce-exploit (Python, 3 stars): Pops a shell on a goautodial server
  • CodeXTF2 (2 stars)
  • my-bashrc (Shell, 1 star): My bashrc file
  • Simulated-User (Python, 1 star)
  • CodeXTF2.github.io (1 star)
  • James-Server-RCE (Python, 1 star): Improved version of the james server RCE. Spawns a reverse shell that can bypass rbash ;)
  • AM0N-Eye (1 star): forked for safekeeping
  • codexs-useful-utils (PowerShell, 1 star): Misc utils I made here and there, collected in one place