dissect.cobaltstrike.client
===========================

.. py:module:: dissect.cobaltstrike.client

.. autoapi-nested-parse::

   Beacon client that can actively connect to a Cobalt Strike Team Server.

   .. danger::

      The client actively connects to a Cobalt Strike Team Server; take care when using it, since every run produces real check-in traffic to that server. A default client only performs check-ins and logs the tasks it receives, unless handlers are implemented otherwise.

Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.client.logger
   dissect.cobaltstrike.client.FIRST_NAMES
   dissect.cobaltstrike.client.LAST_NAMES
   dissect.cobaltstrike.client.PROCESS_NAMES
   dissect.cobaltstrike.client.COMPUTERNAME_TEMPLATES

Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.client.HttpBeaconClient

Functions
---------

.. autoapisummary::

   dissect.cobaltstrike.client.random_computer_name
   dissect.cobaltstrike.client.random_username_name
   dissect.cobaltstrike.client.random_windows_ver
   dissect.cobaltstrike.client.random_process_name
   dissect.cobaltstrike.client.random_internal_ip
   dissect.cobaltstrike.client.log_task
   dissect.cobaltstrike.client.CallbackError
   dissect.cobaltstrike.client.CallbackDebugMessage
   dissect.cobaltstrike.client.CallbackOutputMessage
   dissect.cobaltstrike.client.build_parser
   dissect.cobaltstrike.client.parse_commandline_options
   dissect.cobaltstrike.client.main

Module Contents
---------------

.. py:data:: logger

.. py:data:: FIRST_NAMES
   :value: ['Michael', 'James', 'John', 'Robert', 'David', 'William', 'Mary', 'Christopher', 'Joseph',...

.. py:data:: LAST_NAMES
   :value: ['SMITH', 'JOHNSON', 'WILLIAMS', 'BROWN', 'JONES', 'GARCIA', 'RODRIGUEZ', 'MILLER', 'MARTINEZ',...

.. py:data:: PROCESS_NAMES
   :value: ['rundll32.exe', 'dllhost.exe', 'gpupdate.exe', 'svchost.exe', 'mstsc.exe', 'WerFault.exe',...

.. py:data:: COMPUTERNAME_TEMPLATES

.. py:function:: random_computer_name(username: Optional[str] = None) -> str

   Returns a random Windows-like computer name. If `username` is set, it may instead return a name ending in ``-PC``.

.. py:function:: random_username_name() -> str

   Returns a random username in the form of ``john.smith`` or ``John Smith``.

.. py:function:: random_windows_ver() -> Tuple[int, int, int]

   Return a random Windows version as the tuple ``(major, minor, build)``.

.. py:function:: random_process_name() -> str

   Return a random process name.

.. py:function:: random_internal_ip() -> ipaddress.IPv4Address

   Return a random internal (RFC 1918) IPv4 address.

.. py:function:: log_task(task)

.. py:function:: CallbackError(code: int, n1: int, n2: int, message: str) -> Tuple[int, bytes]

.. py:function:: CallbackDebugMessage(message: str) -> Tuple[int, bytes]

   Outputs ``'[-] DEBUG: '`` followed by `message` to the Team Server console.

.. py:function:: CallbackOutputMessage(message: str) -> Tuple[int, bytes]

   Outputs ``'[+] received output: '`` followed by `message` to the Team Server console.

.. py:class:: HttpBeaconClient

   A Beacon client that can communicate with a Cobalt Strike Team Server over HTTP.

   .. py:attribute:: task_map

   .. py:attribute:: logger

   .. py:method:: run(bconfig: dissect.cobaltstrike.c2.BeaconConfig, dry_run=False, scheme=None, domain=None, port=None, beacon_id=None, pid=None, computer=None, user=None, process=None, internal_ip=None, arch=None, barch=None, ansi_cp=58372, oem_cp=46337, high_integrity=False, sleeptime=None, jitter=None, user_agent=None, host_header=None, verbose=None, silent=None, writer=None)

      Run the Beacon client.

   .. py:method:: _initial_get_request() -> dissect.cobaltstrike.c2.HttpRequest

      Return the initial HttpRequest object for retrieving tasks from the Team Server.

   .. py:method:: _initial_post_request() -> dissect.cobaltstrike.c2.HttpRequest

      Return the initial HttpRequest object for sending callback data to the Team Server.

   .. py:method:: get_sleep_time() -> float

      Return the sleep time, with jitter applied, for the beacon loop.

   .. py:method:: register_task(command_id: Union[None, int], func)

      Register a task handler for a given command ID.
      :param command_id: The command ID to register the handler for. ``None`` registers a handler for empty tasks; ``-1`` registers a catch-all handler.
      :param func: The function to call when a task with the given command ID is received.

   .. py:method:: get_task() -> Optional[dissect.cobaltstrike.c2.TaskPacket]

      Get a task from the Team Server.

   .. py:method:: send_callback(callback_id: int, data: bytes)

      Send callback data to the Team Server.

   .. py:method:: handle(command: Union[None, int, dissect.cobaltstrike.c2.BeaconCommand])

      Decorator to register a handler for `command`; if ``None``, it registers a handler for empty tasks.

   .. py:method:: catch_all()

      Decorator to register a handler for all otherwise unhandled commands.

   .. py:method:: print_settings()

   .. py:method:: get_handlers(command_id: Union[int, None]) -> List[Callable]

      Get the list of handlers for a given command ID.

   .. py:method:: _beacon_loop()

.. py:function:: build_parser() -> argparse.ArgumentParser

   Return the default ArgumentParser for the Beacon client.

.. py:function:: parse_commandline_options(parser=None, defaults=None) -> Tuple[argparse.Namespace, Dict[str, Any]]

   Helper function to parse commandline options and return a tuple of ``(args, options)``.

   This function is useful for creating default commandline options for a Beacon client. The returned options can be passed to :meth:`HttpBeaconClient.run()` as follows:

   .. code-block:: python

      from dissect.cobaltstrike.client import HttpBeaconClient, parse_commandline_options

      beacon = HttpBeaconClient()
      args, options = parse_commandline_options(defaults={
          "beacon_id": 1234,
          "computer": "dissect",
          "user": "cobaltstrike",
          "process": "calc.exe",
      })
      beacon.run(**options)

   If `parser` is not given, the default argparse parser created by :func:`build_parser` is used. The `defaults` dictionary can be used to override the default argparse settings.

   :param parser: an instance of :class:`argparse.ArgumentParser`; if `None`, the parser created by :func:`build_parser` is used.
   :param defaults: A dictionary to override the default settings for the argument parser. Unknown keys are ignored.
   :returns: Tuple of ``(args, options)`` where `args` is the parsed arguments from the commandline and `options` is a dictionary of options that can be passed to :meth:`HttpBeaconClient.run()`.

.. py:function:: main()
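The following is an added example and not code from dissect.cobaltstrike: a small offline model of the handler-dispatch rules documented above for ``HttpBeaconClient`` (``register_task``, ``handle``, ``catch_all``, ``get_handlers``, ``send_callback``), plus a jittered sleep in the spirit of ``get_sleep_time``, so the semantics can be exercised without contacting a Team Server. Everything in it is an assumption chosen for illustration: the ``Task`` dataclass stands in for a task packet, callback id ``0`` stands in for the output callback, command id ``4`` is an arbitrary example value, the ``-1`` catch-all is taken to fire only for real, unhandled commands and never for an empty task, and handlers that return a ``(callback_id, bytes)`` tuple in the style of ``CallbackOutputMessage`` have it sent automatically (a design choice of this model).

```python
"""Added example (not the dissect.cobaltstrike implementation): an offline
model of HttpBeaconClient's documented handler dispatch and jittered sleep."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CALLBACK_OUTPUT = 0  # illustrative callback id for this model only


@dataclass
class Task:
    """Constructed stand-in for a task packet; command None models an empty task."""
    command: Optional[int]
    data: bytes = b""


def output_message(message: str) -> Tuple[int, bytes]:
    """Model of CallbackOutputMessage(): (callback_id, payload) with the page's prefix."""
    return CALLBACK_OUTPUT, b"[+] received output: " + message.encode()


class DispatchModel:
    """Mirrors the documented registration and lookup rules; no HTTP involved."""

    def __init__(self) -> None:
        self.task_map: Dict[Optional[int], List[Callable]] = {}
        self.sent: List[Tuple[int, bytes]] = []  # what send_callback() would ship

    def register_task(self, command_id: Optional[int], func: Callable) -> Callable:
        # Several handlers may be registered for one command id; all of them run.
        self.task_map.setdefault(command_id, []).append(func)
        return func

    def handle(self, command: Optional[int]):
        """Decorator form of register_task(); None registers the empty-task handler."""
        def decorator(func: Callable) -> Callable:
            return self.register_task(command, func)
        return decorator

    def catch_all(self):
        """Decorator for the -1 handler, used only when nothing else matches."""
        return self.handle(-1)

    def get_handlers(self, command_id: Optional[int]) -> List[Callable]:
        # Assumption: specific handlers win; the catch-all covers unhandled
        # commands only, so an empty task (None) never reaches it.
        specific = self.task_map.get(command_id, [])
        if specific or command_id is None:
            return specific
        return self.task_map.get(-1, [])

    def send_callback(self, callback_id: int, data: bytes) -> None:
        self.sent.append((callback_id, data))

    def dispatch(self, task: Optional[Task]) -> int:
        """Run every matching handler for one polled task; returns how many ran."""
        command = None if task is None else task.command
        handlers = self.get_handlers(command)
        for handler in handlers:
            result = handler(task)
            if result is not None:  # model choice: returned tuples are sent back
                self.send_callback(*result)
        return len(handlers)


def sleep_with_jitter(sleeptime_ms: int, jitter_pct: int, rng=random) -> float:
    """Model of get_sleep_time(): seconds to sleep, shortened by 0..jitter percent
    (jitter only ever reduces the sleep, as in Cobalt Strike)."""
    jitter_pct = max(0, min(99, jitter_pct))
    reduction = rng.randint(0, jitter_pct) / 100.0
    return sleeptime_ms * (1.0 - reduction) / 1000.0


def demo() -> Tuple[List[object], List[Tuple[int, bytes]]]:
    """Wire three handlers and feed constructed tasks through the model."""
    beacon = DispatchModel()
    seen: List[object] = []

    @beacon.handle(4)  # hypothetical command id chosen for this example
    def on_cmd_4(task: Task):
        seen.append(("cmd", task.command, task.data))
        return output_message("handled command 4")

    @beacon.catch_all()
    def on_unhandled(task: Task):
        seen.append(("unhandled", task.command))  # log only, nothing sent back

    @beacon.handle(None)
    def on_empty(task: Optional[Task]):
        seen.append("empty")

    # Constructed input: a handled command, an unknown command, and an empty poll.
    beacon.dispatch(Task(4, b"\x00\x00\x0e\x10"))
    beacon.dispatch(Task(1234, b"unknown"))
    beacon.dispatch(None)
    return seen, beacon.sent


if __name__ == "__main__":
    for item in demo()[0]:
        print(item)
    print(sleep_with_jitter(60_000, 30, random.Random(1)))
```

With the library installed, the same shape carries over to the real client: create ``HttpBeaconClient()``, attach handlers with ``@beacon.handle(...)`` and ``@beacon.catch_all()``, and call ``beacon.run(bconfig, dry_run=True, ...)`` with a :class:`dissect.cobaltstrike.c2.BeaconConfig`; a handler that wants to answer can pass the tuple returned by :func:`CallbackOutputMessage` to ``beacon.send_callback(*tuple)``. The automatic sending of returned tuples above is this model's convenience, not documented library behaviour.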