grab_beacon_config

nmap -v -Pn -T5 -n -p 80 10.10.26.164 --script=grab_beacon_config_rsa.nse

Nmap scan report for 10.10.26.164
Host is up (0.050s latency).

PORT   STATE SERVICE
80/tcp open  http
| grab_beacon_config_rsa:
|   x64:
|     md5: f88f7afe04c07e874fe7a858a066c0b9
|     config:
|       Spawn To x86: %windir%\syswow64\WerFault.exe
|       Polling: 12022
|       RSA Public Key: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoeNuV/KkCl7dHwdyl8CIn1o5nHvVxquEs3k58509cojk+arW8dSzfPa2eVrjHtc4rMd7WGLif4AA9FaBwHgIdZ8J9K4xU1V9wWxF6iIFHcOT04KcFdZnJ4nXgMFrI7j4TYK1ugS9qV8u7C3Necrl38vRvOPi0kMYMiRO5KtT0KwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
|       C2 Server: 10.10.26.164,/jquery-3.3.1.min.js
|       C2 Host Header:
|       HTTP Method Path 2: /jquery-3.3.2.min.js
|       Port: 80
|       Watermark: 1234567890
|       Method 1: GET
|       Spawn To x64: %windir%\sysnative\WerFault.exe
|       Beacon Type: 0 (HTTP)
|       Jitter: 50
|       Method 2: POST
|     time: 1630598058337.9
|     sha1: 68a18dbe5e542cae5f800ace41c2db7c8c018875
|     uri_queried: /4Ovd
|     sha256: 25b8eeecd3d659b4cda622562e2f651647a3f53380c3f0a4accbff5fa13b578b
|   x86:
|     md5: 06fa62912692b2cbb3413eeac5d72b16
|     config:
|       Spawn To x86: %windir%\syswow64\WerFault.exe
|       Polling: 12022
|       RSA Public Key: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoeNuV/KkCl7dHwdyl8CIn1o5nHvVxquEs3k58509cojk+arW8dSzfPa2eVrjHtc4rMd7WGLif4AA9FaBwHgIdZ8J9K4xU1V9wWxF6iIFHcOT04KcFdZnJ4nXgMFrI7j4TYK1ugS9qV8u7C3Necrl38vRvOPi0kMYMiRO5KtT0KwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
|       C2 Server: 10.10.26.164,/jquery-3.3.1.min.js
|       C2 Host Header:
|       HTTP Method Path 2: /jquery-3.3.2.min.js
|       Port: 80
|       Watermark: 1234567890
|       Method 1: GET
|       Spawn To x64: %windir%\sysnative\WerFault.exe
|       Beacon Type: 0 (HTTP)
|       Jitter: 50
|       Method 2: POST
|     time: 1630598056700.1
|     sha1: c36944e0972ed8ae7f0b910fa4126c1f25799baa
|     uri_queried: /HjIa
|_    sha256: c7d12f2e8deb0944ab748b908497b6099d6ad91782dc0944419acda605d37f8b

download grab_beacon_config.nse

sudo wget -P /usr/local/share/nmap/scripts https://raw.githubusercontent.com/whickey-r7/grab_beacon_config/main/grab_beacon_config.nse

python demo

import random

# Characters Cobalt Strike stager URIs are drawn from (alphanumerics only).
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"


def generate_checksum(target):
    """Brute-force a random 4-character URI whose checksum8 equals target.

    checksum8 is the sum of the ASCII values of the characters mod 256;
    Cobalt Strike uses 92 for the x86 stager and 93 for the x64 stager.
    """
    trial = ""
    total = None
    while total != target:
        trial = ''.join(random.choice(CHARSET) for _ in range(4))
        total = sum(ord(c) for c in trial) % 256
    return "/" + trial


uri_x86 = generate_checksum(92)
uri_x64 = generate_checksum(93)
# url already ends in "/", and the URI starts with "/", so the printed
# URL contains "//" (as in the console output below).
url = "https://172.16.242.1/"
print("[+] uri_x86= " + url + uri_x86)
print("[+] uri_x64= " + url + uri_x64)

python console

[+] uri_x86= https://172.16.242.1//Jq1p
[+] uri_x64= https://172.16.242.1//UENu
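The demo above generates stager URIs; as an added example (my own code, not part of the original page or the grab_beacon_config project), here is the same checksum8 rule applied from the defender's side: classify request paths as x86/x64 stager-style and flag them in constructed web-server log lines. The function names and the sample log lines are assumptions of this example.

```python
import re

# Cobalt Strike stager checksum8, as used by the demo above: the ASCII sum of the
# 4-character URI (without the leading "/") mod 256 is 92 for x86 and 93 for x64.
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93
# Request part of a common/combined web-server log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def checksum8(path):
    """checksum8 of a URI path, ignoring the leading slash and any query string."""
    stripped = path.split("?", 1)[0].lstrip("/")
    return sum(ord(c) for c in stripped) % 256


def classify_stager_uri(path):
    """Return 'x86', 'x64' or None for a stager-style 4-character path."""
    stripped = path.split("?", 1)[0].lstrip("/")
    if len(stripped) != 4 or not (stripped.isascii() and stripped.isalnum()):
        return None
    # About 2 in 256 random alphanumeric 4-character paths match by chance, so a
    # single hit is a lead to corroborate (size, User-Agent, source), not proof.
    value = checksum8(stripped)
    if value == CHECKSUM8_X86:
        return "x86"
    if value == CHECKSUM8_X64:
        return "x64"
    return None


def find_stager_requests(lines):
    """Return (path, arch) for each log line whose request path looks like a stager URI."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match is None:
            continue
        arch = classify_stager_uri(match.group("path"))
        if arch is not None:
            hits.append((match.group("path"), arch))
    return hits


# Constructed sample log lines (not real traffic); the two 4-character paths are
# the ones the nmap output above shows the script querying.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Sep/2021:15:54:16 +0000] "GET /HjIa HTTP/1.1" 200 213312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Sep/2021:15:54:18 +0000] "GET /4Ovd HTTP/1.1" 200 289792 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Sep/2021:15:55:01 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Sep/2021:15:55:02 +0000] "GET /abcd HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]
```

Running `find_stager_requests(SAMPLE_LOG)` flags `/HjIa` as x86 and `/4Ovd` as x64, the same pair the scan output above lists as `uri_queried`.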

Simple PoC script to scan and acquire CobaltStrike Beacon configurations.

	Based on:
		JPCERT :: cobaltstrikescan.py
		Sentinel-One :: parse_beacon_config.py
		Didier Stevens :: 1768.py
		Roman Emelynaov :: L8_get_beacon.py