# This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
# Originally at https://gist.github.com/rsmudge/c82c02b02347e0153c78024b9f64abd0
# WEB_HIT arguments, in the order the hook unpacks them: method, uri, addr, ua, response, size, handler, params, when
set WEB_HIT {
    # Builds the log entry shown for one web request and, when the request
    # carries an 'id' parameter, appends the email address that the phishing
    # token resolves to.
    #
    # Arguments arrive positionally in @_ and are unpacked in this order:
    # method, uri, addr, ua, response, size, handler, params, when.
    # $size is unpacked to keep the positions aligned but is not used below.
    local('$out $now $token');
    local('$method $uri $addr $ua $response $size $handler $when $params');
    ($method, $uri, $addr, $ua, $response, $size, $handler, $params, $when) = @_;

    # First line: formatted timestamp and the requesting address.
    $now = dstamp($when);
    $out = "$now visit from\cE:\o $addr";

    # The 'id' request parameter is treated as the phishing token; an absent
    # or empty value leaves the entry without an email address.
    # NOTE(review): what tokenToEmail returns for an unrecognised token is not
    # visible here - confirm before relying on the value for attribution.
    $token = $params['id'];
    if ($token ne "") {
        $out .= " (" . tokenToEmail($token) . ")";
    }

    $out .= "\n";
    $out .= "\tRequest\cE:\o $method $uri $+ \n";

    # With no handler name the response is shown instead; otherwise the
    # handler name is shown.
    if ($handler eq "") {
        $out .= "\tResponse\cE:\c4 $response $+ \n";
    }
    else {
        $out .= "\t $+ $handler $+ \n";
    }

    $out .= "\t $+ $ua $+ \n";

    # Dump every submitted parameter; $[10]key pads the name to ten columns.
    # NOTE(review): $uri, $ua and the parameter names/values come from the
    # requesting client and are appended unmodified, so a request can place
    # newlines or console formatting codes into this entry. Treat the rendered
    # text as untrusted when reading or exporting the log.
    if (size($params) > 0) {
        local('$key $value');
        $out .= "\t= Form Data=\n";
        foreach $key => $value ($params) {
            $out .= "\t $+ $[10]key = $value $+ \n";
        }
    }

    return "$out $+ \n";
}
set PROFILER_HIT {
    # Builds the log entry for one system-profiler result: a header line with
    # $1 and $2 separated by "/", the email address resolved from the token in
    # $5, then one line per entry of the application => version map in $4.
    # NOTE(review): $1 and $2 are presumably the external and internal
    # addresses reported for the visitor - confirm against the hook docs.
    local('$out $app $ver $email');

    $email = tokenToEmail($5);
    $out = "\c9[+]\o $1 $+ / $+ $2 [" . $email . "] Applications";

    # $[25]app pads the application name to 25 columns so versions line up.
    # NOTE(review): application names and versions are reported by the visiting
    # browser and are printed as received.
    foreach $app => $ver ($4) {
        $out .= "\n\t $+ $[25]app $ver";
    }

    return "$out $+ \n\n";
}