Stars: 129 · Rank: 279,262 (Top 6%) · Created almost 4 years ago · Updated over 1 year ago

Repository Details

A list of JARM hashes for different ssl implementations used by some C2/red team tools.

C2-JARM

A list of JARM hashes for the different SSL/TLS implementations used by some C2 tools. It also includes other useful red team tools that use SSL/TLS (e.g., EvilGinx2). Though I work on the red team side, I thought this would be a good thing to gather, both to give blue teams that have the appropriate visibility additional indicators for identifying C2 activity, and to help other red teamers understand another method that can be used to detect their C2, depending on how it is set up.

For more info on JARM hashing, check out the work by the Salesforce security team in their JARM GitHub repository: https://github.com/salesforce/jarm

JARM is a neat way to fingerprint SSL/TLS servers by their software implementation. On its own it is not sufficient to detect C2 with high fidelity, but a JARM hash coupled with other high-value indicators would certainly be of value. This also highlights the need for red teams to ensure their C2 infrastructure is not exposed to public access.

I plan to add more to this list over time. Feel free to contribute!!

| C2/Red Team Tool | SSL Implementation Tested | JARM Hash | Link to Tool |
| --- | --- | --- | --- |
| Mythic | python 3 w/aiohttp 3 | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/its-a-feature/Mythic |
| Metasploit ssl listener | ruby 2.7.0p0 | 07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d | https://github.com/rapid7/metasploit-framework |
| Metasploit ssl listener | ruby | 07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823 | https://github.com/rapid7/metasploit-framework |
| Cobalt Strike | Java 11 | 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 | https://www.cobaltstrike.com/ |
| Merlin | go 1.15.2 linux/amd64 | 29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38 | https://github.com/Ne0nd0g/merlin |
| Deimos | go 1.15.2 linux/amd64 with github.com/gorilla/websocket package | 00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64 | https://github.com/DeimosC2/DeimosC2 |
| MacC2 | python 3.8.6 w/aiohttp 3 | 2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261 | https://github.com/cedowens/MacC2 |
| MacC2 | python 3.8.2 w/aiohttp 3 | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/cedowens/MacC2 |
| MacShellSwift | python 3.8.6 socket | 2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46 | https://github.com/cedowens/MacShellSwift |
| MacShell | python 3.8.6 socket | 2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46 | https://github.com/cedowens/MacShellSwift |
| Sliver | go 1.15.2 linux/amd64 | 2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883 | https://github.com/BishopFox/sliver |
| EvilGinx2 | go 1.10.4 linux/amd64 | 20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6 | https://github.com/kgretzky/evilginx2 |
| Shad0w | python 3.8 flask | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/bats3c/shad0w |
| Get2 | N/A | 07d19d12d21d21d07c07d19d07d21da5a8ab90bcc6bf8bbc6fbec4bcaa8219 | |
| GRAT2 C2 | python3 http.server | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/r3nhat/GRAT2 |
| Covenant | ASP.net core | 21d14d00000000021c21d14d21d21d1ee8ae98bf3ef941e91529a93ac62b8b | https://github.com/cobbr/Covenant |
| SILENTTRINITY | ironpython | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/byt3bl33d3r/SILENTTRINITY |
| PoshC2 | python3 http.server | 2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261 | https://github.com/nettitude/PoshC2 |
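The table above is only useful to a blue team once it is turned into a lookup that a scan result can be checked against, and the table itself shows the main caveat: several Python-based tools (Mythic, MacC2 3.8.2, Shad0w, GRAT2, SILENTTRINITY) share one hash, because JARM fingerprints the TLS stack, not the tool. The following is an added example, not code from the C2-JARM repository or from the JARM project. It embeds the table's hashes, splits each fingerprint the way the Salesforce JARM tool builds it (first 30 characters are ten 3-character probe results, each a 2-character cipher code plus a 1-character TLS version code, with "000" meaning the server refused that client hello; the last 32 characters are a truncated SHA-256 of the server's extensions; 62 zeros means no TLS handshake completed), and triages constructed scan lines. The `host,port,jarm` line format and the 203.0.113.x hosts are assumptions for the example, not any scanner's real output.

```python
"""Triage JARM scan results against the C2-JARM list (added example).

The hash-to-tool rows below are copied from the README table. Everything
else (the scan line format, the sample hosts) is constructed for this
example and is not real scanner output.
"""
from collections import defaultdict

JARM_LEN = 62          # JARM fingerprints are always 62 characters
PROBES = 10            # 10 client hellos, 3 characters of result each
NO_TLS = "0" * JARM_LEN  # jarm.py emits all zeros when no handshake completed

# (tool, TLS stack tested, JARM) -- from the C2-JARM README table above.
C2_JARM = [
    ("Mythic", "python 3 w/aiohttp 3", "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb"),
    ("Metasploit ssl listener", "ruby 2.7.0p0", "07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d"),
    ("Metasploit ssl listener", "ruby", "07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"),
    ("Cobalt Strike", "Java 11", "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"),
    ("Merlin", "go 1.15.2 linux/amd64", "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38"),
    ("Deimos", "go 1.15.2 + gorilla/websocket", "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64"),
    ("MacC2", "python 3.8.6 w/aiohttp 3", "2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261"),
    ("MacC2", "python 3.8.2 w/aiohttp 3", "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb"),
    ("MacShellSwift", "python 3.8.6 socket", "2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46"),
    ("Sliver", "go 1.15.2 linux/amd64", "2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883"),
    ("EvilGinx2", "go 1.10.4 linux/amd64", "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6"),
    ("Shad0w", "python 3.8 flask", "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb"),
    ("Get2", "N/A", "07d19d12d21d21d07c07d19d07d21da5a8ab90bcc6bf8bbc6fbec4bcaa8219"),
    ("GRAT2 C2", "python3 http.server", "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb"),
    ("Covenant", "ASP.net core", "21d14d00000000021c21d14d21d21d1ee8ae98bf3ef941e91529a93ac62b8b"),
    ("SILENTTRINITY", "ironpython", "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb"),
    ("PoshC2", "python3 http.server", "2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261"),
]


def split_jarm(jarm):
    """Split a JARM into ten (cipher_code, version_code) probe results and the
    32-character extension hash. Raises ValueError on malformed input."""
    jarm = jarm.strip().lower()
    if len(jarm) != JARM_LEN or any(c not in "0123456789abcdef" for c in jarm):
        raise ValueError(f"malformed JARM: {jarm!r}")
    head, ext_hash = jarm[:PROBES * 3], jarm[PROBES * 3:]
    probes = [(head[i:i + 2], head[i + 2]) for i in range(0, len(head), 3)]
    return probes, ext_hash


def build_index(rows):
    """Index rows by full JARM and by the 30-character cipher/version prefix.
    Malformed rows are skipped and returned so a shared list can be audited."""
    exact, prefix, bad = defaultdict(list), defaultdict(list), []
    for tool, stack, jarm in rows:
        try:
            split_jarm(jarm)
        except ValueError:
            bad.append((tool, jarm))
            continue
        j = jarm.lower()
        exact[j].append((tool, stack))
        prefix[j[:PROBES * 3]].append((tool, stack))
    return exact, prefix, bad


def parse_scan(text):
    """Parse constructed 'host,port,jarm' lines; comments and short lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue
        host, port, jarm = parts
        yield host, int(port), jarm.strip().lower()


def classify(host, port, jarm, exact, prefix):
    """Describe how one scanned server relates to the C2 list.
    'exact' lists every tool sharing the full hash (the collision caveat);
    'same_cipher_profile' means the cipher/version prefix matched but the
    extension hash did not, i.e. a similar TLS stack, not a known tool."""
    result = {"host": host, "port": port, "jarm": jarm,
              "status": "unknown", "exact": [], "same_stack": []}
    if jarm == NO_TLS:
        result["status"] = "no_tls"
        return result
    try:
        probes, _ = split_jarm(jarm)
    except ValueError:
        result["status"] = "malformed"
        return result
    result["refused_probes"] = sum(1 for c, v in probes if c + v == "000")
    hits = exact.get(jarm, [])
    if hits:
        result["status"] = "exact"
        result["exact"] = sorted({tool for tool, _ in hits})
    else:
        near = prefix.get(jarm[:PROBES * 3], [])
        if near:
            result["status"] = "same_cipher_profile"
            result["same_stack"] = sorted({tool for tool, _ in near})
    return result


def triage(scan_text, rows=C2_JARM):
    """Run every scan line through classify() and return the results in order."""
    exact, prefix, _bad = build_index(rows)
    return [classify(h, p, j, exact, prefix) for h, p, j in parse_scan(scan_text)]


# Constructed sample scan output (assumed format, not a real scanner's).
SCAN_RESULTS = "\n".join([
    "# constructed sample data: host,port,jarm",
    "203.0.113.10,443,2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb",
    "203.0.113.11,8443,07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1",
    "203.0.113.12,443,07d14d16d21d21d07c42d43d000000" + "f" * 32,  # prefix-only match
    "203.0.113.13,443," + "0" * 62,                                 # no TLS handshake
    "203.0.113.14,443,not-a-jarm",                                  # malformed line
])

if __name__ == "__main__":
    for r in triage(SCAN_RESULTS):
        print(f"{r['host']}:{r['port']} {r['status']} "
              f"exact={r['exact']} same_stack={r['same_stack']}")
```

The first sample host matches five different tools at once, which is exactly why the README calls for pairing a JARM hit with other indicators; the third host shows the weaker "same cipher profile" signal that a defender can use for hunting but not for alerting on its own.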

More Repositories

1. SwiftBelt (Swift, 301 stars): A macOS enumeration tool inspired by harmjoy's Windows-based Seatbelt enumeration tool. Author: Cedric Owens
2. MacC2 (Python, 128 stars): Python-based Mac Command and Control that uses internal API calls instead of command line utilities. Author: Cedric Owens
3. MacShellSwift (Swift, 113 stars): Proof of concept macOS post exploitation tool written in Swift. Designed as a POC for blue teams to build macOS detections. Author: Cedric Owens
4. Swift-Attack (Swift, 101 stars): Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.
5. EntitlementCheck (Swift, 90 stars): Scripts (python3 and Swift) for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.
6. Inject_Dylib (Swift, 49 stars): Swift code to programmatically perform dylib injection.
7. Mod_Rewrite_Automation (Shell, 47 stars): Scripts to automate standing up apache2 with mod_rewrite in front of C2 servers.
8. Mythic-Macro-Generator (Python, 43 stars): Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens
9. SwiftBelt-JXA (JavaScript, 42 stars): JXA implementation of some SwiftBelt functions. Author: Cedric Owens
10. Spotlight-Enum-Kit (Swift, 36 stars): JXA and Swift code that can perform some macOS situational awareness without generating TCC prompts.
11. Persistent-Swift (Swift, 31 stars): A Swift port of some of the original PersistentJXA projects by D00MFist. Original PersistentJXA repo: https://github.com/D00MFist/PersistentJXA
12. EvilOSX_MacroGenerator (Python, 26 stars): Python3 script to generate Office macros for the EvilOSX framework. Author: Cedric Owens
13. JXA-Runner (Swift, 23 stars): Swift code to programmatically execute local or hosted JXA payloads from Terminal without using the on-disk osascript binary.
14. Presentations (21 stars): Collection of slides from my conference talks.
15. aws_key_triage_tool (Python, 20 stars): Script to automate initial triage/enumeration on a set of AWS keys in an input file.
16. aws-cli-notes (19 stars): A combined list of helpful awscli commands from Scott Piper's flaws.cloud exercise as well as from Beau Bullock's Breaching the Cloud training.
17. Dump-Chrome-Cookies (JavaScript, 19 stars): Repo with a modified version of CookieBro and scripts to leverage it to dump Chrome cookies.
18. Terraform_DigitalOcean_Scripts (Shell, 17 stars): Scripts to automate standing up C2 infra with firewall settings inside of DigitalOcean.
19. Helpful_aws-scripts (Python, 17 stars): Python3 scripts to help with AWS triage needs.
20. JXA-RemoveQuarantine (JavaScript, 17 stars): JXA script based on research by Jeff Johnson on leveraging TextEdit to remove quarantine attributes on files. Jeff's original research is here: https://lapcatsoftware.com/articles/sandbox-escape.html
21. Dylib_Runner (Swift, 16 stars): Swift code to run a dylib on disk.
22. C2_Cradle (Shell, 16 stars): Tool to download, install, and run macOS capable command & control servers (i.e., C2s with macOS payloads/clients) as Docker containers from a list of options. This is helpful for automating C2 server setup.
23. docker-arsenal (Dockerfile, 16 stars): Spins up a Docker container with several useful tools for offensive security in macOS/cloud environments. Also installs the needed dependencies for each tool/utility during Docker setup.
24. keygrabber (Python, 16 stars): Automation for grabbing keys from a Linux host. Useful during red team exercises to quickly help assess what access to a Linux host can lead to.
25. Linode_Terraform_Scripts (Shell, 15 stars): Scripts to automate standing up hosts in Linode.
26. macOS-browserhist-parser (Swift, 14 stars): Swift code to parse the quarantine history database, Chrome history database, Safari history database, and Firefox history database on macOS.
27. SimpleC2_Server (Python, 12 stars): POC for a basic C2 server using the Python aiohttp framework.
28. HELK-automation (Shell, 12 stars): Scripts to automate HELK server standup in DigitalOcean and filebeat on macOS, to help automate sending endpoint security logs from macOS hosts into HELK for building detection content.
29. Gitlab-Searcher (Python, 12 stars): Python3 script that pulls GitLab data of interest using a GitLab personal access token.
30. Add-To-TCC-DB (JavaScript, 11 stars): A JXA script that leverages sqlite3 API calls to add items to the user's TCC database at ~/Library/Application Support/com.apple.TCC/TCC.db
31. Rolling_Op_Metrics (11 stars): Skeleton spreadsheet to track rolling red team operation metrics.
32. ioreg-and-sysctl-examples (Swift, 9 stars): Examples of programmatically interacting with ioreg and sysctl to query system info.
33. Jenkins_Hunter_CSharp (C#, 9 stars): C# implementation of my original Jenkins Hunter script (originally in Python). It uses threading to search for unauthenticated Jenkins instances on ports 8080, 80, and 443. Author: Cedric Owens
34. JXA-Firefox (JavaScript, 8 stars): JXA scripts for extracting data from Firefox.
35. zshrc-persist-JXA (JavaScript, 8 stars): JXA script to add a Mach-O binary to ~/.zshrc for persistence.
36. PICT-Swift (Swift, 8 stars): A Swift (and slightly modified) version of Thomas Reed's PICT (Post Infection Collection Toolkit).
37. GoBelt (Go, 8 stars): Golang programmatically invoking my SwiftBelt-JXA macOS system enumerator project (Golang running SwiftBelt-JXA via cgo).
38. AV_Enum_JXA (JavaScript, 7 stars): JXA code to enumerate security software on a macOS host.
39. LocalAdminChecker (C#, 7 stars): Threaded C# code that uses wmic to quickly check a host's /24 subnet for other hosts the current user has local admin access to. Author: Cedric Owens
40. SSH-Password-Sprayer (Python, 7 stars): Python3 script to spray a username and password against a network range. Author: Cedric Owens
41. okta-sprayer (Python, 6 stars): Python3 script to perform a password spray against an Okta instance.
42. Metadata_URLs (6 stars): List of some cloud metadata URLs that return interesting info.
43. dns-TXT-exfil-test (Go, 5 stars): Simple client/server in Golang to help with testing data exfil detections over DNS TXT records.
44. find_chrome_tab (5 stars): For those of us with too many Chrome tabs open on macOS 😳... this is a simple AppleScript to search all tab titles and URLs across all Chrome browser windows for a match string and, if found, set that as the active tab. 😎
45. kube-unauth-exec-hunter (Python, 5 stars): Python3 script to check a subnet range for Kubernetes nodes allowing system:anonymous API command access. Author: Cedric Owens
46. PhishDifficultyScorer (Python, 5 stars): Python3 script that rates the difficulty of a given phishing exercise. Author: Cedric Owens
47. gitleaks-wrapper (Python, 5 stars): Simple wrapper around gitleaks to enumerate publicly facing repos belonging to an org and then run gitleaks against each in search of exposed secrets/keys.
48. JAMF_Runner (Swift, 5 stars): A wrapper around the on-disk jamf binary (for JAMF managed macOS hosts). Useful for unit testing detections of offensive jamf host-based commands.
49. JenkinsHunter (Python, 4 stars): Python3 script that searches a network range for instances of unauthenticated Jenkins hosts. Author: Cedric Owens
50. dns-exfil-test (Go, 4 stars)
51. chromedp-remotedebugger-example (Go, 4 stars): An example of how to use chromedp to run Chrome headless with the remote debugger port programmatically (it is still a wrapper around the Chrome binary).
52. SituationalAwarenessTool (C#, 4 stars): C# tool that uses .NET to provide situational awareness on a Windows host.
53. modified-tcc-clickjack (Swift, 3 stars): Modified version of Ron Masas's TCC-Clickjack Swift project.
54. Page-Finder (Python, 3 stars): Python3 script that searches a network range for hosts hosting interesting pages that an attacker can leverage. Author: Cedric Owens
55. pritunl-vpn-setup-automation (Shell, 2 stars): Bash + Terraform scripts to automate standing up Pritunl VPN servers.
56. AD-Threaded-Port-Sweeper (C#, 2 stars): C# code to dump all AD computers and then quickly sweep for a given port.
57. DGA-test (Go, 1 star): Simple code to help with DGA NXDOMAIN response testing.
58. http-uri-test (Go, 1 star)
59. SlackXtract (Swift, 1 star): Swift code to extract available Slack information from macOS hosts. Automates steps identified in Cody Thomas' post: https://posts.specterops.io/abusing-slack-for-offensive-operations-2343237b9282