-
-
Notifications
You must be signed in to change notification settings - Fork 153
/
Forwarded_Ports.cna
265 lines (217 loc) · 8.54 KB
/
Forwarded_Ports.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
#
# Forwarded_Ports.cna
#
# Keeps track of configured remote port forwardings on all Beacons and lets kill them easily.
#
# Using 'rportfwd' here and there quickly consumes pool of available local ports
# from which to forward traffic outbound and keeping track of them manually becomes tedious
# on a long-haul projects. This script aims to fill that gap by collecting these commands
# and presenting them in a nice visualization pane.
#
# CREDIT:
# This script is a reworked version of `leave_no_trace.cna` by Alyssa (ramen0x3f):
# https://github.com/ramen0x3f/AggressorScripts/blob/master/leave_no_trace.cna
#
# who in turn used work made by @001SPARTaN and @r3dqu1nn that came up with `logvis.cna`
# implementation:
# https://github.com/invokethreatguy/AggressorCollection/blob/master/harleyQu1nn/logvis.cna
#
# Author:
# Mariusz Banach / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
import ui.*;
import table.*;
import java.awt.*;
import javax.swing.*;
import javax.swing.table.*;
global('$forwarded_ports_model $forwarded_ports_table %forwarded_ports_looking');
sub create_vis {
## This is the fancy code from @001SPARTaN and @r3dqu1nn
local('$sorter $content');
$forwarded_ports_model = [new GenericTableModel: @(
"timestamp",
"beacon_id",
"beacon_pid",
"beacon_ip",
"beacon_user",
"local_port",
"remote_host",
"remote_port"
),
"beacon", 16];
# Create a table from the GenericTableModel
$forwarded_ports_table = [new ATable: $forwarded_ports_model];
# Controls how the column headers will sort the table
$sorter = [new TableRowSorter: $forwarded_ports_model];
# Doubled-toggle will make DESC sort instead of ASC
[$sorter toggleSortOrder: 7];
[$sorter toggleSortOrder: 7];
[$sorter setComparator: 0, {
return $1 cmp $2;
}];
[$sorter setComparator: 1, {
return $1 cmp $2;
}];
[$sorter setComparator: 2, {
return $1 <=> $2;
}];
[$sorter setComparator: 3, {
return $1 cmp $2;
}];
[$sorter setComparator: 4, {
return $1 cmp $2;
}];
[$sorter setComparator: 5, {
return $1 <=> $2;
}];
[$sorter setComparator: 6, {
return $1 <=> $2;
}];
[$sorter setComparator: 7, {
return $1 <=> $2;
}];
# Set $sorter as the row sorter for $forwarded_ports_table
[$forwarded_ports_table setRowSorter: $sorter];
# Create a split pane (divider you can drag around)
$content = [new JScrollPane: $forwarded_ports_table];
# Set popup menu for the table
setup_popup($forwarded_ports_table, "forwarded_ports_menu");
update_table();
# Register the visualization with CS
addVisualization("Forwarded Ports", $content);
return $content;
}
sub search_archives {
## Parses archives to pull out uploads for the Leave No Trace tab
## Returns all the items to add to the model
local('@output $found @linesAdd @linesRemove @bids %entry $bid');
@bids = beacon_ids();
@output = @();
@linesAdd = @();
@linesRemove = @();
foreach %entry (data_query("archives")) {
# To speed search up, we only limit enumeration of task-type entries.
if(%entry['type'] ne "task") {
continue;
}
# rportfwd add task
if(indexOf(%entry['data'], "forward port ") == 0) {
if(%entry['data'] ismatch 'forward port (\d+) to ([^:]+):(\d+)') {
($localport, $remotehost, $remoteport) = matched();
$bid = %entry['bid'];
if ( $bid !in @bids ) {
continue;
}
add(@linesAdd, %(
timestamp => %entry['when'],
beacon_id => $bid,
beacon_pid => beacon_info($bid, "pid"),
beacon_ip => beacon_info($bid, "host"),
beacon_user => beacon_info($bid, "user"),
local_port => $localport,
remote_host => $remotehost,
remote_port => $remoteport,
));
}
}
# rportfwd stop task
if(indexOf(%entry['data'], "stop port forward on ") == 0) {
if(%entry['data'] ismatch 'stop port forward on (\d+)') {
$localport = matched()[0];
$bid = %entry['bid'];
if ( $bid !in @bids ) {
continue;
}
add(@linesRemove, %(
timestamp => %entry['when'],
beacon_id => $bid,
local_port => $localport,
));
}
}
}
sort({ return $1['timestamp'] < $2['timestamp']; }, @linesAdd);
sort({ return $1['timestamp'] < $2['timestamp']; }, @linesRemove);
# Unfilter lines that stopped remote port forwarding
foreach $lineAdd (@linesAdd) {
$dontAdd = 0;
foreach $lineRem (@linesRemove) {
if(($lineAdd['local_port'] eq $lineRem['local_port']) && ($lineAdd['beacon_id'] eq $lineRem['beacon_id'])) {
if($lineRem['timestamp'] >= $lineAdd['timestamp']) {
$dontAdd = 1;
break;
}
}
}
if($dontAdd == 0) {
$lineAdd['timestamp'] = dstamp($lineAdd['timestamp']);
add(@output, $lineAdd);
}
}
return @output;
}
sub setup_popup {
# setup_popup provided by Raphael Mudge
# https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2
# we're using fork({}) to run this in a separate Aggressor Script environment.
# This reduces deadlock potential due to Sleep's global interpreter lock
#
# this especially matters as our mouse listener will be fired for *everything*
# to include mouse movements.
fork({
[$component addMouseListener: lambda({
if ([$1 isPopupTrigger]) {
# If right click, show popup
show_popup($1, $name, $component);
}
}, \$component, \$name)];
}, $component => $1, $name => $2, $forwarded_ports_model => $forwarded_ports_model, $forwarded_ports_table => $forwarded_ports_table);
}
sub update_table {
## Updates the Leave No Trace tab
## As a note: when you fork() you have to pass all global
## variables (see \$forwarded_ports_model and \%forwarded_ports_looking) or you'll go insane.
fork({
local('%entry');
# Clear the model so we can put new stuff in it.
[$forwarded_ports_model clear: 1024];
foreach %entry (search_archives()) {
# Add the new entry to $forwarded_ports_model
[$forwarded_ports_model addEntry: %entry];
}
# Update with the new table
[$forwarded_ports_model fireListeners];
}, \$forwarded_ports_model, \%forwarded_ports_looking);
}
popup forwarded_ports_menu {
item "Kill port forwarding" {
local('$dir $dest $file $ip');
foreach $row ([$forwarded_ports_table getSelectedRows]) {
$bid = [$forwarded_ports_model getValueAt: $row, 1];
$localip = [$forwarded_ports_model getValueAt: $row, 3];
$localport = [$forwarded_ports_model getValueAt: $row, 5];
$remotehost = [$forwarded_ports_model getValueAt: $row, 6];
$remoteport = [$forwarded_ports_model getValueAt: $row, 7];
prompt_confirm("Are you sure you want to stop remote port forwarding from $localip $+ : $+ $localport to $remotehost $+ : $+ $remoteport $+ ?", "Stop remote port forwarding", lambda({
brportfwd_stop($bid, $localport);
show_message("Remote port forwarding from $localip $+ : $+ $localport stopped.");
}, $bid => $bid, $localip => $localip, $localport => $localport));
}
}
}
popup view {
item "Remote Forwarded Ports" {
addTab("Remote Forwarded Ports", create_vis(), "All forwarded/remote forwarded ports");
}
}
on beacon_error {
if(indexOf($2, "Could not bind to ") == 0) {
# Dummy rportfwd stop to maintain our archives integrity by having both start and stop commands, even
# in a case of failure.
if($2 ismatch 'Could not bind to (\d+)') {
brportfwd_stop!($1, matched()[0]);
}
}
}