Brinkles Pentesting Notebook

Introduction
Certification Reviews
C2 and Payloads
- Sliver C2
- Cobalt Strike
  - BOFs and Aggressor Scripts
    Situational Awareness BOF
    HOLLOW BOF
    DLL_Version_Enumeration_BOF
    InlineExecute-Assembly BOF
    BOF.NET
    C2-Tool-Collection BOFs
    Inline-Execute-PE
  - Payloads
Tools
- Internal Tools
- Web App Pentesting
  - Payload All The Things
    Directory traversal
    Deep Traversal
    More Directory Traversal Payloads
    SAML Injection
    XXE - XML External Entity
    XSS - Cross Site Scripting
    XSLT Injection
    XPATH injection
    Upload Insecure Files
    SQL injection
    MSSQL Injection
    MYSQL Injection
    Oracle SQL Injection
    PostgreSQL injection
    SQLite Injection
    Server Side Templates Injections
    Server-Side Request Forgery
    Payloads Included in Server-Side Request Forgery
    Request Smuggling
    OAuth
    NoSQL injection
    LDAP injection
    Kubernetes
    JSON Web Token
    HTTP Parameter Pollution
    GraphQL injection
    CORS Misconfiguration
    CRLF
    Cross-Site Request Forgery
    CSV Injection (Formula Injection)
    File Inclusion
    PHPINFOlfi.py
    uploadlfi.py
Network Security

Powered by GitBook

On this page

What is this?
What problem are you trying to solve?
How do I build this?
How do I use this?
Any known downsides?
What does the output look like?

C2 and Payloads

Cobalt Strike

BOFs and Aggressor Scripts

DLL_Version_Enumeration_BOF

PreviousHOLLOW BOF NextInlineExecute-Assembly BOF

Last updated 2 years ago

What is this?

This is a Cobalt Strike BOF file (a mildly massaged port of existing PoC , meant to use ascertain information regarded imported DLLs (via the ENTRY_RESOURCE) within current process that your beacon associated with.

What problem are you trying to solve?

Given my current projects regarding DLLs, this is yet another blindspot I wanted to address after seeing work.
I wanted to support both 32-bit AND 64-bit Beacon sessions.
I wanted to have verbose or minified output, given an operator's desire
I wanted to keep the original design of intact; minimal API calls.
1. This is solved this by rolling our own from groked or cribbed implementations elsewhere.

How do I build this?

In this case, you have two options:
1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
2. Compile from source via the Makefile
  1. cd src
  2. make clean
  3. make
Load the Aggressor file, in the Script Manager, located in the dist directory

How do I use this?

From a given Beacon:

Any known downsides?

We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk", though this is limited to a single comparison function (stricmp).
You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.

What does the output look like?

All known `DLL`s associated with the process

Verbose output of the aforementioned

Verbose output of the aforementioned with `needle`

Page cover image