diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..26f9fc2
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,28 @@
+name: build
+
+on: [pull_request, push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+
+      - name: Set up MinGW
+        uses: egor-tensin/setup-mingw@v2
+        with:
+          platform: x64
+
+      - name: apt update
+        run: sudo apt-get update
+
+      - name: Install pefile
+        run: sudo apt-get -y install python3-pefile
+
+      - name: Install nasm
+        run: sudo apt-get -y install nasm
+
+      - name: Build BOFs
+        run: make
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..f3acca2
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,16 @@
+[submodule "RemoteOps/CS-Remote-OPs-BOF"]
+	path = RemoteOps/CS-Remote-OPs-BOF
+	url = https://github.com/trustedsec/CS-Remote-OPs-BOF
+
+[submodule "NoConsolation/No-Consolation"]
+	path = NoConsolation/No-Consolation
+	url = https://github.com/fortra/No-Consolation
+
+[submodule "nanodump/nanodump"]
+	path = nanodump/nanodump
+	url = https://github.com/fortra/nanodump
+
+[submodule "SituationalAwareness/CS-Situational-Awareness-BOF"]
+	path = SituationalAwareness/CS-Situational-Awareness-BOF
+	url = https://github.com/trustedsec/CS-Situational-Awareness-BOF
+
diff --git a/Bofbelt/bofbelt.py b/Bofbelt/bofbelt.py
index aa7ec3e..85e6890 100644
--- a/Bofbelt/bofbelt.py
+++ b/Bofbelt/bofbelt.py
@@ -944,7 +944,7 @@ def bofbelt_report( demonID, bof_output ):
 # output : the content of all CALLBACK_OUTPUT
 # error : the content of all CALLBACK_ERROR
 def bofbelt_callback( demonID, TaskID, worked, output, error ):
-    filename = '/tmp/bofbelt.json'
+    filename = f'/tmp/bofbelt-{demonID}.json'
 
     # first, get the json that contains all the previous BOF output
     try:
diff --git a/Jump-exec/DCOM/Makefile b/Jump-exec/DCOM/Makefile
deleted file mode 100644
index fb54649..0000000
--- a/Jump-exec/DCOM/Makefile
+++ /dev/null
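Review bot: Both actions in the new workflow are referenced by mutable tags, `actions/checkout@v2` and the third-party `egor-tensin/setup-mingw@v2`, so the build runs whatever those tags point to on the day, and `checkout@v2` is in any case a deprecated Node 12 release. Pin each `uses:` to a full commit SHA with the tag in a trailing comment, and move to a current checkout release. The workflow also declares no `permissions:` block, so the job token inherits the repository's default scopes; a build-only job needs only a top-level `permissions:` with `contents: read`. The checkout step does not pass `submodules: true`, which works here only because the root makefile's UPDATE target runs `git submodule update --init --recursive` itself.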
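Review bot: The new filename interpolates `demonID` straight into a `/tmp` path, so any path separator or `..` in the id would steer the write outside `/tmp`, and a predictable name in a world-writable directory is exposed to symlink planting and to other local users reading operator output. Where `demonID` originates is not visible here, so its character set is an assumption; restrict it before use, e.g. `safe_id = re.sub(r'[^0-9A-Za-z_-]', '_', str(demonID))` and `filename = os.path.join(tempfile.gettempdir(), f'bofbelt-{safe_id}.json')` (adding `import os, re, tempfile` if the module lacks them), or better a 0700 directory under the user's home. Per-demon naming does fix the previous clobbering of one shared file across sessions. The body of `bofbelt_callback` continues past the hunk, so the actual read and write of this file are not visible.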
@@ -1,7 +0,0 @@
-BOFNAME := dcom
-CC_x64 := x86_64-w64-mingw32-gcc
-CC_x86 := i686-w64-mingw32-gcc
-
-all:
-	$(CC_x64) -o $(BOFNAME).x64.o -c BOF-IShellWindows-DCOM.c
-	$(CC_x86) -o $(BOFNAME).x86.o -c BOF-IShellWindows-DCOM.c
diff --git a/Jump-exec/Psexec/psexec.py b/Jump-exec/Psexec/psexec.py
index 8aaa87c..9b81df9 100644
--- a/Jump-exec/Psexec/psexec.py
+++ b/Jump-exec/Psexec/psexec.py
@@ -13,17 +13,17 @@ def psexec( demonID, *param ):
 
     demon = Demon( demonID )
 
-    if len(param) < 4:
+    if len(param) < 3:
         demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough arguments" )
         return False
 
-    if len(param) > 4:
+    if len(param) > 3:
         demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many arguments" )
         return False
 
-    Host = param[ 1 ]
-    SvcName = param[ 2 ]
-    SvcPath = param[ 3 ]
+    Host = param[ 0 ]
+    SvcName = param[ 1 ]
+    SvcPath = param[ 2 ]
 
     if exists( SvcPath ) is False:
         demon.ConsoleWrite( demon.CONSOLE_ERROR, f"Service executable not found: {SvcPath}" )
diff --git a/Jump-exec/WMI/EventSub/Makefile b/Jump-exec/WMI/EventSub/makefile
similarity index 100%
rename from Jump-exec/WMI/EventSub/Makefile
rename to Jump-exec/WMI/EventSub/makefile
diff --git a/Jump-exec/WMI/ProcCreate/Makefile b/Jump-exec/WMI/ProcCreate/makefile
similarity index 100%
rename from Jump-exec/WMI/ProcCreate/Makefile
rename to Jump-exec/WMI/ProcCreate/makefile
diff --git a/Jump-exec/WMI/ProcCreate/source/WMI-ProcessCreate.cpp b/Jump-exec/WMI/ProcCreate/source/WMI-ProcessCreate.cpp
index 4529bb9..43d7885 100644
--- a/Jump-exec/WMI/ProcCreate/source/WMI-ProcessCreate.cpp
+++ b/Jump-exec/WMI/ProcCreate/source/WMI-ProcessCreate.cpp
@@ -8,7 +8,7 @@
 #include
 #include
 #include
-#include
+//#include
 #include
 #pragma comment(lib, "wbemuuid.lib")
 #pragma comment(lib, "comsuppw.lib")
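Review bot: Nothing in the hunk records what the three positional parameters are, which is exactly what the shift from `param[1..3]` to `param[0..2]` changes, so the next reader has to reverse-engineer the layout from the `exists()` check below. Add one line above the unpacking, `# param: (<host>, <service name>, <local path of the service binary>)`, and consider holding the expected count in a single constant `_PSEXEC_ARGC = 3` used by both bounds checks so they cannot drift apart again. Whether `param[0]` previously carried the command name is not visible here. `psexec` continues beyond the hunk.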
@@ -121,7 +121,7 @@ void go(char* buff, int len) {
     CreateCreds(&authInfo, &authidentity, bwusername, bwpassword, bwdomain, IsCurrent);
 
     // Doesnt currently work but should let you use current context
-    if (IsCurrent == 0)
+    if (IsCurrent == 1)
     {
         authidentity = NULL;
     }
diff --git a/Jump-exec/WMI/makefile b/Jump-exec/WMI/makefile
new file mode 100644
index 0000000..6073095
--- /dev/null
+++ b/Jump-exec/WMI/makefile
@@ -0,0 +1,13 @@
+SUBDIRS := $(wildcard */)
+
+.PHONY: all $(SUBDIRS)
+
+all: $(SUBDIRS)
+
+$(SUBDIRS):
+	@if [ -f $@/makefile ]; then \
+		echo "Building $@"; \
+		$(MAKE) -C $@; \
+	else \
+		echo "Skipping $@ (makefile not found)"; \
+	fi
diff --git a/Jump-exec/WMI/wmi.py b/Jump-exec/WMI/wmi.py
index 0a57f93..8e3e970 100644
--- a/Jump-exec/WMI/wmi.py
+++ b/Jump-exec/WMI/wmi.py
@@ -106,7 +106,7 @@ def wmi_proccreate( demonID, *params ):
     packer.addWstr(command)
     packer.addbool(is_current)
 
-    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to run a VBS script in {target} via wmi" )
+    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to run command on {target} via wmi" )
 
     demon.InlineExecute( TaskID, "go", f"ProcCreate/bin/ProcCreate.{demon.ProcessArch}.o", packer.getbuffer(), False )
 
diff --git a/Jump-exec/makefile b/Jump-exec/makefile
new file mode 100644
index 0000000..6073095
--- /dev/null
+++ b/Jump-exec/makefile
@@ -0,0 +1,13 @@
+SUBDIRS := $(wildcard */)
+
+.PHONY: all $(SUBDIRS)
+
+all: $(SUBDIRS)
+
+$(SUBDIRS):
+	@if [ -f $@/makefile ]; then \
+		echo "Building $@"; \
+		$(MAKE) -C $@; \
+	else \
+		echo "Skipping $@ (makefile not found)"; \
+	fi
diff --git a/NoConsolation/No-Consolation b/NoConsolation/No-Consolation
new file mode 160000
index 0000000..dbac904
--- /dev/null
+++ b/NoConsolation/No-Consolation
@@ -0,0 +1 @@
+Subproject commit dbac90486501f8796f622809e261c76eb449e4c5
diff --git a/NoConsolation/makefile b/NoConsolation/makefile
new file mode 100644
index 0000000..381fb51
--- /dev/null
+++ b/NoConsolation/makefile
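Review bot: The comment above the flipped condition still reads `// Doesnt currently work but should let you use current context`, which either is stale now or warns that the new `IsCurrent == 1` branch is still broken, and the hunk does not say which. Replace it with the actual contract, e.g. `// IsCurrent == 1: drop the explicit COAUTHIDENTITY so the WMI connection authenticates with the caller's current token`, and remove the "doesn't work" wording only if the flip was verified end to end. `CreateCreds` on the preceding line is still handed `IsCurrent` and presumably fills `authidentity` before it is discarded here; if it allocates for that case the allocation is leaked, but `CreateCreds` is not visible, so confirm. `go` starts before the hunk and continues after it.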
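Review bot: The per-directory probe only looks for a lowercase `makefile`, whereas the root makefile in this same commit accepts `makefile` or `Makefile`; the four `Makefile` to `makefile` renames are presumably working around that, and any future subdirectory using the conventional capitalised name will be silently "Skipped". Match the root test, `@if [ -f $@/makefile -o -f $@/Makefile ]; then \`, or drop the probe entirely and let `$(MAKE) -C $@` fail loudly. `$@` is unquoted inside the shell test, harmless for the current directory names but worth noting. An identical file is added as `Jump-exec/makefile` further down and has the same issue.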
@@ -0,0 +1,9 @@
+NAME = No-Consolation
+BIN = bin
+
+all:
+	@ cd $(NAME); make
+	@ find $(NAME)/dist -name '*.o' -exec cp {} $(BIN)/ \;
+
+clean:
+	rm $(BIN)/*.o
diff --git a/NoConsolation/no-consolation.py b/NoConsolation/no-consolation.py
index aec00eb..d1ee022 100644
--- a/NoConsolation/no-consolation.py
+++ b/NoConsolation/no-consolation.py
@@ -161,7 +161,7 @@ def noconsolation( demonID, *params ):
 
     TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to run {pename} inline" )
 
-    demon.InlineExecute( TaskID, "go", f"/home/user/repositorios/No-Consolation/dist/NoConsolation.{demon.ProcessArch}.o", packed_params, False )
+    demon.InlineExecute( TaskID, "go", f"bin/NoConsolation.{demon.ProcessArch}.o", packed_params, False )
 
     return TaskID
 
diff --git a/README.md b/README.md
index 64bb378..9153958 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,9 @@ This is the base template for the modules. You can use this to write your own mo
 ### SituationalAwareness
 A bunch of Situational Awareness beacon object files. From [Situational Awareness BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF)
 
+### RemoteOps
+A bunch of Remote Operation beacon object files. From [Remote Operations BOF](https://github.com/trustedsec/CS-Remote-OPs-BOF)
+
 ### Domaininfo
 A BOF tool to enumerate domain information using Active Directory Domain Services. Full credit goes to [Cneelis](https://twitter.com/Cneelis). Bof is from his [C2-Tool-Collection](https://github.com/outflanknl/C2-Tool-Collection)
 
diff --git a/RemoteOps/CS-Remote-OPs-BOF b/RemoteOps/CS-Remote-OPs-BOF
new file mode 160000
index 0000000..6568038
--- /dev/null
+++ b/RemoteOps/CS-Remote-OPs-BOF
@@ -0,0 +1 @@
+Subproject commit 6568038a899e2277ed85c5c62c7d970357ac8a6e
diff --git a/RemoteOps/makefile b/RemoteOps/makefile
new file mode 100644
index 0000000..7625b32
--- /dev/null
+++ b/RemoteOps/makefile
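Review bot: `@ cd $(NAME); make` keeps going when the `cd` fails (for instance when the submodule has not been initialised), so the recursive build then runs against this directory and the recipe reports success or failure for the wrong tree. Use the `$(MAKE)` variable with `-C` so jobserver and `-k`/`-n` flags propagate and the directory change cannot be skipped: `@ $(MAKE) -C $(NAME)`. The `find ... -exec cp {} $(BIN)/` copy also assumes `bin/` already exists, so prepend `@ mkdir -p $(BIN)`, and `clean` should use `rm -f $(BIN)/*.o` so it does not fail when there is nothing to remove.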
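Review bot: The replacement path `bin/NoConsolation.{demon.ProcessArch}.o` is relative, so where it resolves depends on the working directory of whatever loads this script, not on the script's location; the other modules in this commit (`ProcCreate/bin/...` in wmi.py) follow the same convention, so presumably the loader sets the cwd to the module directory — confirm that before relying on it. If it does not, anchor on the file itself: `os.path.join(os.path.dirname(os.path.abspath(__file__)), 'bin', f'NoConsolation.{demon.ProcessArch}.o')`. Removing the developer's hard-coded home path is the right fix either way. `noconsolation` begins before the hunk.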
@@ -0,0 +1,10 @@
+NAME = CS-Remote-OPs-BOF
+BIN = bin
+
+all:
+	@ cd $(NAME); chmod +x make_all.sh; bash ./make_all.sh
+	@ find $(NAME)/Injection -name '*.o' -exec cp {} $(BIN)/ \;
+	@ find $(NAME)/Remote -name '*.o' -exec cp {} $(BIN)/ \;
+
+clean:
+	rm $(BIN)/*.o
diff --git a/SamDump/Makefile b/SamDump/makefile
similarity index 100%
rename from SamDump/Makefile
rename to SamDump/makefile
diff --git a/SituationalAwareness/CS-Situational-Awareness-BOF b/SituationalAwareness/CS-Situational-Awareness-BOF
new file mode 160000
index 0000000..9a813b8
--- /dev/null
+++ b/SituationalAwareness/CS-Situational-Awareness-BOF
@@ -0,0 +1 @@
+Subproject commit 9a813b8f31cd397d7b05211e1d5b378c07fd1b8b
diff --git a/SituationalAwareness/makefile b/SituationalAwareness/makefile
new file mode 100644
index 0000000..bebef67
--- /dev/null
+++ b/SituationalAwareness/makefile
@@ -0,0 +1,9 @@
+NAME = CS-Situational-Awareness-BOF
+BIN = ObjectFiles
+
+all:
+	@cd $(NAME); chmod +x make_all.sh; bash ./make_all.sh
+	@find $(NAME)/SA -name '*.o' -exec cp {} $(BIN)/ \;
+
+clean:
+	rm $(BIN)/*.o
diff --git a/makefile b/makefile
new file mode 100644
index 0000000..9b0af4f
--- /dev/null
+++ b/makefile
@@ -0,0 +1,17 @@
+SUBDIRS := $(filter-out Template, $(shell echo */))
+
+.PHONY: all $(SUBDIRS)
+
+all: UPDATE $(SUBDIRS)
+
+UPDATE:
+	@ echo "Updating submodules"
+	@ git submodule update --init --recursive
+
+$(SUBDIRS):
+	@ if [ -f $@/makefile -o -f $@/Makefile ]; then \
+		echo "Building $@"; \
+		$(MAKE) -C $@; \
+	else \
+		echo "Skipping $@ (Makefile not found)"; \
+	fi
diff --git a/nanodump/makefile b/nanodump/makefile
new file mode 100644
index 0000000..b4ea9cb
--- /dev/null
+++ b/nanodump/makefile
@@ -0,0 +1,9 @@
+NAME = nanodump
+BIN = bin
+
+all:
+	@ make -C $(NAME) -f Makefile.mingw
+	@ find $(NAME)/dist -name '*.o' -exec cp {} $(BIN)/ \;
+
+clean:
+	rm $(BIN)/*.o
diff --git a/nanodump/nanodump b/nanodump/nanodump
new file mode 160000
index 0000000..f2f4f13
--- /dev/null
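Review bot: The `all` recipe chains `cd $(NAME); chmod +x make_all.sh; bash ./make_all.sh` with `;`, so a failed `cd` (uninitialised submodule) leaves the script running in the wrong directory, and the `chmod` is redundant when the script is invoked through `bash`. Write it as `@ cd $(NAME) && bash ./make_all.sh` so the target stops at the first error. The two `find ... -exec cp {} $(BIN)/` lines flatten every `.o` from `Injection` and `Remote` into one directory, so same-named objects in both trees would silently overwrite each other, and `bin/` must already exist — add `@ mkdir -p $(BIN)` and consider `cp -n` or a collision check. This also executes a script from a third-party submodule at build time; the gitlink pins the exact commit, which is what makes that acceptable, so keep it pinned rather than tracking a branch.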
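Review bot: `$(filter-out Template, $(shell echo */))` never removes the Template directory, because `echo */` yields `Template/` with a trailing slash and `filter-out` matches whole words only, so Template is still probed or built; change it to `SUBDIRS := $(filter-out Template/, $(wildcard */))`. `all: UPDATE $(SUBDIRS)` lists UPDATE first but declares no ordering, so under `make -j` a subdirectory can be built before `git submodule update --init --recursive` has populated it — add `$(SUBDIRS): UPDATE`. Running the submodule update on every invocation also needs network access and breaks offline builds, so an explicit separate target is worth considering. The gitlinks pin exact commits, so the update itself does not pull unreviewed upstream changes.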
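Review bot: The recipe calls `make -C $(NAME) -f Makefile.mingw` with a literal `make` rather than `$(MAKE)`, so the parent's jobserver, `-k`/`-n` flags and any `MAKE` override do not propagate into the submodule build. Use `@ $(MAKE) -C $(NAME) -f Makefile.mingw`, and add `@ mkdir -p $(BIN)` before the `find ... cp` line since the copy fails unless `bin/` is already checked in.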
+++ b/nanodump/nanodump
@@ -0,0 +1 @@
+Subproject commit f2f4f13c2e1c1648078f7710a011671f02698fd6