mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-25 12:01:37 +01:00
Added cobalt-udrl-hasher
This commit is contained in:
parent
dbcb0f85b5
commit
280399c1b9
@ -57,6 +57,8 @@ cmstp.exe /ni /s cmstp.inf
|
|||||||
|
|
||||||
- **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
|
- **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
|
||||||
|
|
||||||
|
- **`cobalt-udrl-hasher`** - A handy utility used to recalculate hashes needed for Cobalt Strike _User Defined Reflective Loaders_
|
||||||
|
|
||||||
- **`CobaltSplunk`** - Originally devised by [Vincent Yiu](https://github.com/vysecurity/CobaltSplunk), heavily reworked by me: a Splunk application that ingests, indexes and exposes several search operators to work with Cobalt Strike logs from within of a Splunk interface. Supports Cobalt Strike 4.3+ log files syntax. Gives a lot of flexibility to work with Teamserver log files, search through them, generate insightful reports/dashboards/pivot tables and much more.
|
- **`CobaltSplunk`** - Originally devised by [Vincent Yiu](https://github.com/vysecurity/CobaltSplunk), heavily reworked by me: a Splunk application that ingests, indexes and exposes several search operators to work with Cobalt Strike logs from within of a Splunk interface. Supports Cobalt Strike 4.3+ log files syntax. Gives a lot of flexibility to work with Teamserver log files, search through them, generate insightful reports/dashboards/pivot tables and much more.
|
||||||
|
|
||||||
- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
|
- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
|
||||||
|
45
red-teaming/cobalt-udrl-hasher/README.md
Normal file
45
red-teaming/cobalt-udrl-hasher/README.md
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
## Cobalt Strike UDRL Hasher
|
||||||
|
|
||||||
|
Simple helper utility recomputing `DLL Reflective Loader` hashes, for offensive engineering needs whenever we want to recompile [User Defined Reflective Loaders](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm) and such.
|
||||||
|
|
||||||
|
Ever came across [such hashes](https://github.com/stephenfewer/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.h#L43) before?
|
||||||
|
|
||||||
|
```
|
||||||
|
#define KERNEL32DLL_HASH 0x6A4ABC5B
|
||||||
|
#define NTDLLDLL_HASH 0x3CFA685D
|
||||||
|
|
||||||
|
#define LOADLIBRARYA_HASH 0xEC0E4E8E
|
||||||
|
#define GETPROCADDRESS_HASH 0x7C0DFCAA
|
||||||
|
#define VIRTUALALLOC_HASH 0x91AFCA54
|
||||||
|
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
|
||||||
|
|
||||||
|
[...]
|
||||||
|
|
||||||
|
#define HASH_KEY 13
|
||||||
|
```
|
||||||
|
|
||||||
|
These can be used for a straightforward signaturing.
|
||||||
|
|
||||||
|
We can regenerate them easily with utility included here:
|
||||||
|
|
||||||
|
```
|
||||||
|
cmd> hash 55
|
||||||
|
|
||||||
|
#define KERNEL32DLL_HASH 0xA6154C3A // kernel32.dll
|
||||||
|
#define NTDLLDLL_HASH 0x0521447A // ntdll.dll
|
||||||
|
|
||||||
|
#define LOADLIBRARYA_HASH 0xE0D79FEB // LoadLibraryA
|
||||||
|
#define GETPROCADDRESS_HASH 0x6BAC2F89 // GetProcAddress
|
||||||
|
#define VIRTUALALLOC_HASH 0x9EE2D962 // VirtualAlloc
|
||||||
|
#define VIRTUALPROTECT_HASH 0x9154022F // VirtualProtect
|
||||||
|
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x7353E65D // NtFlushInstructionCache
|
||||||
|
|
||||||
|
#define HASH_KEY 55
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
**Notice** - if you want to get hash for a DLL, be sure to include its extension:
|
||||||
|
|
||||||
|
```
|
||||||
|
hash 55 kernel32.dll
|
||||||
|
```
|
123
red-teaming/cobalt-udrl-hasher/hash.c
Normal file
123
red-teaming/cobalt-udrl-hasher/hash.c
Normal file
@ -0,0 +1,123 @@
|
|||||||
|
//
|
||||||
|
// Simple utility aimed to help regenerating UDRL hashes
|
||||||
|
//
|
||||||
|
// cmd> gcc hash.c -o hash.exe
|
||||||
|
//
|
||||||
|
// Mariusz Banach / mgeeky, '23
|
||||||
|
// binary-offensive.com
|
||||||
|
//
|
||||||
|
|
||||||
|
#include <windows.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <intrin.h>
|
||||||
|
|
||||||
|
BYTE hashKey = 13;
|
||||||
|
|
||||||
|
__forceinline DWORD ror( DWORD d ) {
|
||||||
|
return _rotr( d, hashKey );
|
||||||
|
}
|
||||||
|
|
||||||
|
__forceinline DWORD hash( const char * c ) {
|
||||||
|
register DWORD h = 0;
|
||||||
|
do
|
||||||
|
{
|
||||||
|
h = ror( h );
|
||||||
|
h += *c;
|
||||||
|
} while( *++c );
|
||||||
|
|
||||||
|
return h;
|
||||||
|
}
|
||||||
|
|
||||||
|
__forceinline DWORD hashModule( const char * c ) {
|
||||||
|
register DWORD h = 0;
|
||||||
|
|
||||||
|
size_t counter = strlen(c) * 2;
|
||||||
|
wchar_t * wstr = (wchar_t*)malloc(counter + 2);
|
||||||
|
char * ptr = (char*)wstr;
|
||||||
|
|
||||||
|
mbstowcs(wstr, c, counter);
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
h = ror( (DWORD)h );
|
||||||
|
|
||||||
|
// normalize to uppercase if the module name is in lowercase
|
||||||
|
if( *((BYTE *)ptr) >= 'a' )
|
||||||
|
h += *((BYTE *)ptr) - 0x20;
|
||||||
|
else
|
||||||
|
h += *((BYTE *)ptr);
|
||||||
|
|
||||||
|
ptr++;
|
||||||
|
|
||||||
|
} while( --counter );
|
||||||
|
|
||||||
|
free(wstr);
|
||||||
|
return h;
|
||||||
|
}
|
||||||
|
|
||||||
|
int endswith(const char *str, const char *suffix)
|
||||||
|
{
|
||||||
|
if (!str || !suffix)
|
||||||
|
return 0;
|
||||||
|
size_t lenstr = strlen(str);
|
||||||
|
size_t lensuffix = strlen(suffix);
|
||||||
|
if (lensuffix > lenstr)
|
||||||
|
return 0;
|
||||||
|
return strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void print(char* str) {
|
||||||
|
DWORD val = 0;
|
||||||
|
|
||||||
|
if(endswith(str, ".dll")) {
|
||||||
|
val = hashModule(str);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
val = hash(str);
|
||||||
|
}
|
||||||
|
|
||||||
|
char str2[256] = "";
|
||||||
|
char *s = str2;
|
||||||
|
|
||||||
|
for(int i = 0; i < strlen(str); i++) {
|
||||||
|
if(isalnum(str[i])) {
|
||||||
|
*(s++) = str[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
s = str2;
|
||||||
|
while (*s) *(s++) = toupper(*s);
|
||||||
|
|
||||||
|
strncat(str2, "_HASH", sizeof(str2)-1);
|
||||||
|
|
||||||
|
printf("#define %-30s 0x%08X\t// %s\n", str2, val, str);
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char** argv) {
|
||||||
|
if (argc < 2) {
|
||||||
|
printf("Usage: hash.exe <hash_key> [string]\n");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
hashKey = atoi(argv[1]);
|
||||||
|
|
||||||
|
printf("\n");
|
||||||
|
|
||||||
|
if (argc == 3) {
|
||||||
|
print(argv[2]);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
print("kernel32.dll");
|
||||||
|
print("ntdll.dll");
|
||||||
|
printf("\n");
|
||||||
|
print("LoadLibraryA");
|
||||||
|
print("GetProcAddress");
|
||||||
|
print("VirtualAlloc");
|
||||||
|
print("VirtualProtect");
|
||||||
|
print("NtFlushInstructionCache");
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("\n#define HASH_KEY %d\n", hashKey);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
BIN
red-teaming/cobalt-udrl-hasher/hash.exe
Normal file
BIN
red-teaming/cobalt-udrl-hasher/hash.exe
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user