Adding files to enable custom URL generation.

No more fingerprinted URLs going through a proxy! Yay!

C2Server.py

@@ -278,6 +278,17 @@ if __name__ == '__main__':
         os.makedirs("%s/payloads" % directory)
       initializedb()
       setupserver(HostnameIP,gen_key(),DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,ROOTDIR,ServerPort,QuickCommand,DownloadURI,"","","",Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referer,APIToken,APIUser,EnableNotifications)
+      rewriteFile = directory + "rewrite-rules.txt"
+      print "Creating Rewrite Rules in: " + rewriteFile
+      print ""
+      rewriteHeader=["RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off", "SSLProxyVerify none", "SSLProxyCheckPeerName off", "SSLProxyCheckPeerExpire off","Define PoshC2 " + poshIP, "Define SharpSocks " + sharpIP]
+      rewriteFileContents = rewriteHeader + urlConfig.fetchRewriteRules() + urlConfig.fetchSocksRewriteRules()
+      with open(rewriteFile,'w') as outFile:
+        for line in rewriteFileContents:
+          outFile.write(line)
+          outFile.write('\n')
+        outFile.close()
+
 
       C2 = get_c2server_all()
       newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],

Config.py

@@ -1,17 +1,24 @@
 #!/usr/bin/env python
+from UrlConfig import UrlConfig
+
+urlConfig = UrlConfig("./oldurls.txt") # Instantiate UrlConfig object.
 
 HOST_NAME = '0.0.0.0' 
 PORT_NUMBER = 443
 
 POSHDIR = "/opt/PoshC2_Python/" 
 ROOTDIR = "/opt/PoshC2_Project/" 
-HostnameIP = "https://172.19.131.109" 
+HostnameIP = "https://127.0.0.1" # Point to location of the Server/Proxy/Client Facing
+poshIP = "127.0.0.1" # Needed for URL Rewrite Rules.
+sharpIP = "127.0.0.1" # Needed for URL Rewrite Rules.
 ServerPort = "443"
 DomainFrontHeader = "" # example df.azureedge.net
 DefaultSleep = "5"
 KillDate = "08/06/2019"
-QuickCommand = "adsense/troubleshooter/1631343?id=Ndks8dmsPld"
-DownloadURI = "adsense/troubleshooter/1631343?id=Ndks8dmsPld"
+QuickCommand = urlConfig.fetchQCUrl
+DownloadURI = urlConfig.fetchConnUrl()
+#QuickCommand = "adsense/troubleshooter/1631343?id=Ndks8dmsPld"
+#DownloadURI = "adsense/troubleshooter/1631343?id=Ndks8dmsPld"
 Sounds = "No"
 EnableNotifications = "No"
 # ClockworkSMS - https://www.clockworksms.com
@@ -20,8 +27,10 @@ MobileNumber = '"07777777777","07777777777"'
 # Pushover - https://pushover.net/
 APIToken = ""  
 APIUser = ""  
-URLS = '"adsense/troubleshooter/1631343/","adServingData/PROD/TMClient/6/8736/","advanced_search?hl=en-GB&fg=","async/newtab?ei=","babel-polyfill/6.3.14/polyfill.min.js=","bh/sync/aol?rurl=/ups/55972/sync?origin=","bootstrap/3.1.1/bootstrap.min.js?p=","branch-locator/search.asp?WT.ac&api=","business/home.asp&ved=","business/retail-business/insurance.asp?WT.mc_id=","cdb?ptv=48&profileId=125&av=1&cb=","cis/marketq?bartype=AREA&showheader=FALSE&showvaluemarkers=","classroom/sharewidget/widget_stable.html?usegapi=","client_204?&atyp=i&biw=1920&bih=921&ei=","load/pages/index.php?t=","putil/2018/0/11/po.html?ved=","q/2018/load.php?lang=en&modules=","status/995598521343541248/query=","TOS?loc=GB&hl=en&privacy=","trader-update/history&pd=","types/translation/v1/articles/","uasclient/0.1.34/modules/","usersync/tradedesk/","utag/lbg/main/prod/utag.15.js?utv=","vs/1/vsopts.js?","vs/site/bgroup/visitor/","w/load.php?debug=false&lang=en&modules=","web/20110920084728/","webhp?hl=en&sa=X&ved=","work/embedded/search?oid="'
-SocksURLS = '"GoPro5/black/2018/","Philips/v902/"'
+URLS = urlConfig.fetchUrls()
+#URLS = '"adsense/troubleshooter/1631343/","adServingData/PROD/TMClient/6/8736/","advanced_search?hl=en-GB&fg=","async/newtab?ei=","babel-polyfill/6.3.14/polyfill.min.js=","bh/sync/aol?rurl=/ups/55972/sync?origin=","bootstrap/3.1.1/bootstrap.min.js?p=","branch-locator/search.asp?WT.ac&api=","business/home.asp&ved=","business/retail-business/insurance.asp?WT.mc_id=","cdb?ptv=48&profileId=125&av=1&cb=","cis/marketq?bartype=AREA&showheader=FALSE&showvaluemarkers=","classroom/sharewidget/widget_stable.html?usegapi=","client_204?&atyp=i&biw=1920&bih=921&ei=","load/pages/index.php?t=","putil/2018/0/11/po.html?ved=","q/2018/load.php?lang=en&modules=","status/995598521343541248/query=","TOS?loc=GB&hl=en&privacy=","trader-update/history&pd=","types/translation/v1/articles/","uasclient/0.1.34/modules/","usersync/tradedesk/","utag/lbg/main/prod/utag.15.js?utv=","vs/1/vsopts.js?","vs/site/bgroup/visitor/","w/load.php?debug=false&lang=en&modules=","web/20110920084728/","webhp?hl=en&sa=X&ved=","work/embedded/search?oid="'
+SocksURLS = urlConfig.fetchSocks()
+#SocksURLS = '"GoPro5/black/2018/","Philips/v902/"'
 UserAgent = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
 Referer = "" # optional
 HTTPResponse = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
@@ -47,8 +56,6 @@ HTTPResponses = [
 ServerHeader = "Apache"
 Insecure = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"
 
-
-
 # DO NOT CHANGE #
 FilesDirectory = "%sFiles/" % POSHDIR
 PayloadsDirectory = "%spayloads/" % ROOTDIR
@@ -57,6 +64,8 @@ ReportsDirectory = "%sreports/" % ROOTDIR
 DB = "%s/PowershellC2.SQLite" % ROOTDIR 
   
 # DO NOT CHANGE #
+#These rules aren't needed as you'll find them auto-generated within the project folder now.
+# checkout <project-name>/rewrite-rules.txt but left them here just in case.
 
 '''
 RewriteEngine On

UrlConfig.py

@@ -0,0 +1,123 @@
+#!/usr/bin/env python
+import re
+import random
+import urlparse
+import os.path
+
+class UrlConfig:
+    #urlConfig class represents the necessary URL information for PoshC2.
+
+    def __init__(self, filePath = "", wordList="wordlist.txt"):
+        #by default a filepath is specified when instantiating the object
+        #selecting urls from the old list.
+        #Feel free to change it to work from a fixed list of known URLs
+        #works a treat copying and pasting from burp.
+        self.filePath = filePath
+        self.urlList = []
+        self.sockList = []
+        self.sockRewriteList = []
+        self.urlRewriteList = []
+        self.rewriteFile = "rewrite-rules.txt"
+        if filePath != "":
+            self.wordList = ""
+            self.getUrls()
+        else:
+            #If you remove the filepath, you'll get random word generation based on a wordlist.
+            #Default Example Wordlist from:
+            #https://raw.githubusercontent.com/dominictarr/random-name/master/first-names.txt 
+            #Could use urllib to request this live, but opted for local storage here.
+            self.wordList = open(wordList).read().splitlines()
+            self.getRandomUrls()
+
+        self.qcUrl = ""
+        self.connUrl = ""
+        self.getSockUrls() # Ordering is important. getUrls/getRandomUrls before getSockUrls or getSockurls has nothing to operate on.
+        self.createRewriteRules()
+        self.createSockRewriteRules()
+
+#Internal functions - Intended to generate the various items.
+
+    def createSockRewriteRules(self):
+        #Setter
+        for sockurl in self.sockList:
+            self.sockRewriteList.append("RewriteRule ^/" + urlparse.urlparse(sockurl).path + "(.*) http://${SharpSocks}/" + urlparse.urlparse(sockurl).path + "$1 [NC,L,P]")
+
+    def createRewriteRules(self):
+        #Setter
+        for url in self.urlList:
+            self.urlRewriteList.append("RewriteRule ^/" + urlparse.urlparse(url).path + "(.*) https://${PoshC2}/" + urlparse.urlparse(url).path + "$1 [NC,L,P]")
+
+    def getSockUrls(self):
+        sock1 = random.choice(self.urlList)
+        self.urlList[:] = (value for value in self.urlList if value != sock1)
+        sock2 = random.choice(self.urlList)
+        self.urlList[:] = (value for value in self.urlList if value != sock2)
+        self.sockList = [ sock1, sock2 ]
+
+    def process(self,line):
+        output = urlparse.urlparse(line).path
+        output = output.rpartition('/')[0]
+        output = output.replace("'", "")
+        if output != '':
+            if output[0] == "/":
+                output = output.lstrip('/')
+            if output[-1] != "/":
+                output = output + "/"
+        output = output.replace("'", "")
+        return output
+
+    def getUrls(self):
+        with open(self.filePath, "r") as input:
+            array = []
+            for line in input:
+                toAppend = self.process(line)
+                if toAppend != '':
+                    if toAppend != ' ':
+                        array.append(self.process(line))
+            self.urlList = list(set(array))
+    
+    def generateRandomURL(self):
+        words = self.wordList
+        lengthOfUrl = random.randint(1,10)
+        i = 0 #Length of URL
+        urlStub = ""
+        while i < lengthOfUrl:
+            i = i+1
+            urlStub = urlStub + random.choice(words) + "/"
+
+        if random.randint(0,1) == 1:
+            urlStub = urlStub + random.choice(words) + "?" + random.choice(words) + "=" + random.choice(words)
+            urlStub = urlStub.replace("'","")
+            return urlStub
+        else:
+            urlStub = urlStub.replace("'","")
+            return urlStub
+
+    def getRandomUrls(self):
+        numOfUrls = random.randint(20,75)
+        i = 0
+        while i < numOfUrls:
+            i = i+1
+            self.urlList.append(self.generateRandomURL())
+        
+
+#Outputs - Formatted to work with PoshC2
+    def fetchUrls(self):
+        return '"{0}"'.format('", "'.join(self.urlList))
+    def fetchSocks(self):
+        return '"{0}"'.format('", "'.join(self.sockList))
+    def fetchRewriteRules(self):
+        return self.urlRewriteList
+    def fetchSocksRewriteRules(self):
+        return self.sockRewriteList
+    def fetchQCUrl(self):
+        if self.wordList == "":
+            return random.choice(self.urlList)
+        else:
+            return random.choice(self.urlList) + random.choice(self.wordList) + "?" + random.choice(self.wordList) + "=" + random.choice(self.wordList)
+    def fetchConnUrl(self):
+        if self.wordList == "":
+            return random.choice(self.urlList)
+        else:
+            return random.choice(self.urlList) + random.choice(self.wordList) + "?" + random.choice(self.wordList) + "=" + random.choice(self.wordList)
+

oldurls.txt

@@ -0,0 +1,33 @@
+http://127.0.0.1/adsense/troubleshooter/1631343/
+http://127.0.0.1/adServingData/PROD/TMClient/6/8736/
+http://127.0.0.1/advanced_search?hl=en-GB&fg=
+http://127.0.0.1/async/newtab?ei=
+http://127.0.0.1/babel-polyfill/6.3.14/polyfill.min.js=
+http://127.0.0.1/bh/sync/aol?rurl=/ups/55972/sync?origin=
+http://127.0.0.1/bootstrap/3.1.1/bootstrap.min.js?p=
+http://127.0.0.1/branch-locator/search.asp?WT.ac&api=
+http://127.0.0.1/business/home.asp&ved=
+http://127.0.0.1/business/retail-business/insurance.asp?WT.mc_id=
+http://127.0.0.1/cdb?ptv=48&profileId=125&av=1&cb=
+http://127.0.0.1/cis/marketq?bartype=AREA&showheader=FALSE&showvaluemarkers=
+http://127.0.0.1/classroom/sharewidget/widget_stable.html?usegapi=
+http://127.0.0.1/client_204?&atyp=i&biw=1920&bih=921&ei=
+http://127.0.0.1/load/pages/index.php?t=
+http://127.0.0.1/putil/2018/0/11/po.html?ved=
+http://127.0.0.1/q/2018/load.php?lang=en&modules=
+http://127.0.0.1/status/995598521343541248/query=
+http://127.0.0.1/TOS?loc=GB&hl=en&privacy=
+http://127.0.0.1/trader-update/history&pd=
+http://127.0.0.1/types/translation/v1/articles/
+http://127.0.0.1/uasclient/0.1.34/modules/
+http://127.0.0.1/usersync/tradedesk/
+http://127.0.0.1/utag/lbg/main/prod/utag.15.js?utv=
+http://127.0.0.1/vs/1/vsopts.js?
+http://127.0.0.1/vs/site/bgroup/visitor/
+http://127.0.0.1/w/load.php?debug=false&lang=en&modules=
+http://127.0.0.1/web/20110920084728/
+http://127.0.0.1/webhp?hl=en&sa=X&ved=
+http://127.0.0.1/work/embedded/search?oid=
+http://127.0.0.1/GoPro5/black/2018/
+http://127.0.0.1/Philips/v902/
+