Initial

2018-04-10 06:12:22 +07:00 · 2018-04-10 06:12:22 +07:00 · 9103fc8e3d
commit 9103fc8e3d
10 changed files with 186 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,67 @@
 # Convert Empire profiles to Apache mod_rewrite .htaccess files to support HTTP C2 Redirection
 This is a quick script that converts a empire profile to a functional mod_rewrite .htaccess file to support HTTP proxy redirection from Apache to a empire server.
 You should test and tune the output as needed before depolying
 __Updates and Features__
 - Rewrite Rules based on valid C2 URIs (HTTP GET, POST, and Stager) and specified User-Agent string. Result: Only requests to valid C2 URIs with a specified UA string will be proxied to the Team Server by default.
 - Uses a custom Malleable C2 profile to build a .htaccess file with corresponding mod_rewrite rules
 - HTTP or HTTPS proxying to the Empire Server
 - HTTP 302 Redirection to a Legitimate Site for Non-Matching Requests	
 ## Example
 ```
 $ python e2modrewrite.py -i profile/comfoo.txt -c 192.168.1.1 -d https://google.com 
 #### Save the following as .htaccess in the root web directory
 ########################################
 ## .htaccess START
 RewriteEngine On
 ## (Optional)
 ## Empire Stager
 ## Uncomment and adjust as needed
 #RewriteCond %{REQUEST_URI} ^/css/style1.css?$
 #RewriteCond %{HTTP_USER_AGENT} ^$
 #RewriteRule ^.*$ "http://192.168.1.1/download/po" [P,L]
 ## Profile URIs
 RewriteCond %{REQUEST_URI} ^/(include/template/isx.php|wp06/wp-includes/po.php|wp08/wp-includes/dtcla.php|modules/mod_search.php|blog/wp-includes/pomo/src.php|includes/phpmailer/class.pop3.php)/?$
 ## Profile UserAgent
 RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Windows;\ U;\ MSIE\ 7\.0;\ Windows\ NT\ 5\.2\)\ Java/1\.5\.0_08?$
 RewriteRule ^.*$ http://192.168.1.1%{REQUEST_URI} [P]
 # Redirect all other traffic here
 RewriteRule ^.*$ https://google.com/? [L,R=302]
 ## .htacess END
 ########################################
 ```
 ----------------------------------------------
 ## Apache Rewrite Setup and Tips
 __Enable Rewrite and Proxy__
    a2enmod rewrite
    a2enmod proxy
    a2enmod proxy_http
    service apache2 reload
 __SSL support requires the following in the site config__
    # Enable SSL
    SSLEngine On
    # Enable Proxy
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
 ## References
 [Apache mod_rewrite](http://httpd.apache.org/docs/current/mod/mod_rewrite.html)
--- a/e2modrewrite.py
+++ b/e2modrewrite.py
@ -0,0 +1,78 @@
 #!/usr/bin/python
 # Convert empire profile to modrewrite script
 import re
 import argparse
 import sys
 description = '''
 Converts Empire profiles to Apache mod_rewrite .htaccess file format by using the User-Agent and URI Endpoint to create rewrite rules.'''
 parser = argparse.ArgumentParser(description=description)
 parser.add_argument('-i', dest='inputfile', help='C2 Profile file')
 parser.add_argument('-c', dest='c2Server', help='C2 Server (http://teamserver)')
 parser.add_argument('-d', dest='destination', help='(Optional) Redirect to this URL (http://google.com)')
 args = parser.parse_args()
 # Check Arguments
 if not args.inputfile:
    print("[!] Missing inputfile")
    parser.print_help()
    sys.exit(1)
 if not args.c2Server:
    print("[!] Missing c2Server")
    parser.print_help()
    sys.exit(1)
 if not args.destination: 
    print("[!] Missing destination")
    parser.print_help()
    sys.exit(1)
 empireC2 = args.c2Server
 redirect = args.destination
 htaccess_template = '''#### Save the following as .htaccess in the root web directory
 ########################################
 ## .htaccess START
 RewriteEngine On
 ## (Optional)
 ## Empire Stager
 ## Uncomment and adjust as needed
 #RewriteCond %{{REQUEST_URI}} ^/css/style1.css?$
 #RewriteCond %{{HTTP_USER_AGENT}} ^$
 #RewriteRule ^.*$ "http://{}/download/po" [P,L]
 ## Profile URIs
 RewriteCond %{{REQUEST_URI}} ^/({})/?$
 ## Profile UserAgent
 RewriteCond %{{HTTP_USER_AGENT}} ^{}?$
 RewriteRule ^.*$ http://{}%{{REQUEST_URI}} [P]
 # Redirect all other traffic here
 RewriteRule ^.*$ {}/? [L,R=302]
 ## .htacess END
 ########################################
 '''
 commProfile = open(args.inputfile, 'r')
 cp_file = commProfile.read()
 commProfile.close()
 profile = re.sub(r'(?m)^\#.*\n?', '', cp_file).strip('\n')
 uri_string = profile.split('|')[0]
 uri = uri_string.replace('\"','').replace(',','|').replace(',','|').strip('/')
 uri = uri.replace('|/','|')
 user_agent_string = profile.split('|')[1]
 user_agent = user_agent_string.replace(' ','\ ').replace('.','\.').replace('(','\(').replace(')','\)')
 rules = (htaccess_template.format(empireC2,uri,user_agent,empireC2,redirect))
 print rules
--- a/profile/bing.txt
+++ b/profile/bing.txt
@ -0,0 +1,3 @@
 "/search?q=news&qs=n&form=QBLH,/search?q=health&qs=n&form=QBLH|Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko|Host:www.bing.com|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
 "Server:Microsoft-IIS/8.5|Cache-Control:private, max-age=0|Content-Type:text/html; charset=utf-8|Vary:Accept-Encoding"
--- a/profile/comfoo.txt
+++ b/profile/comfoo.txt
@ -0,0 +1,5 @@
 # Basic comfoo profile
 #   http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
 #   https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/comfoo.profile
 "/CWoNaJLBo/VTNeWw11212/|Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)|Keep-Alive:timeout=15, max=90|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*|Accept-Language:en-en|Connection:Keel-Alive|Cache-Control:no-cache"
--- a/profile/fiesta.txt
+++ b/profile/fiesta.txt
@ -0,0 +1,7 @@
 # Fiesta Exploit Kit traffic profile
 #   http://malware-traffic-analysis.net/2014/04/05/index.html
 #   https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/fiesta.profile
 /rmvk30g/|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11|Acccept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
 Server:Apache/2.2.15 (CentOS)|X-Powered-By:PHP/5.3.27|Content-Type:application/octet-stream|Connection:close
--- a/profile/havex.txt
+++ b/profile/havex.txt
@ -0,0 +1,3 @@
 "/include/template/isx.php,/wp06/wp-includes/po.php,/wp08/wp-includes/dtcla.php,/modules/mod_search.php,/blog/wp-includes/pomo/src.php,/includes/phpmailer/class.pop3.php|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08|Referer:http://www.google.com|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
 "Server:Apache/2.2.26 (Unix)|X-Powered-By:PHP/5.3.28|Cache-Control:no-cache|Content-Type:text/html|Keep-Alive:timeout=3, max=100"
--- a/profile/microsoftupdate.txt
+++ b/profile/microsoftupdate.txt
@ -0,0 +1,3 @@
 "/c/msdownload/update/others/2016/12/29136388_,/c/msdownload/update/others/2016/12/3215234_|Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40|Host:download.windowsupdate.com|Accept: */*"
 "Content-Type:application/vnd.ms-cab-compressed|Server:Microsoft-IIS/8.5|MSRegion:N. America|Connection:keep-alive|X-Powered-By:ASP.NET"
--- a/profile/pitty_tiger.txt
+++ b/profile/pitty_tiger.txt
@ -0,0 +1,5 @@
 # Basic Pitty Tiger RAT profile
 #   http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf
 #   https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/pitty_tiger.profile
 "/FC001/JOHN|Microsoft Internet Explorer"
--- a/profile/safebrowsing.txt
+++ b/profile/safebrowsing.txt
@ -0,0 +1,8 @@
 #
 # Safebrowsing Comms profile
 #   https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign
 #
 /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-US,en;q=0.5|Accept-Encoding:gzip, deflate
 Content-Type:application/vnd.google.safebrowsing-chunk|X-Content-Type-Options:nosniff|Content-Encoding:gzip|X-Frame-Options:SAMEORIGIN|Cache-Control:public,max-age=172800|Age:1222|Alternate-Protocol:80
--- a/profile/zeus.txt
+++ b/profile/zeus.txt
@ -0,0 +1,7 @@
 # Basic Zeus variant profile
 #   https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/
 #   https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile
 "/metro91/admin/1/ppptp.jpg,/metro91/admin/1/secure.php|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)|Host:mahamaya1ifesciences.com|Cache-Control:no-cache|Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5|Accept:*/*"
 "Server:nginx/1.0.4|Content-Type:text/html|Connection:close|X-Powered-By:PHP/5.3.8-1~dotdeb.2"
		`@ -0,0 +1,3 @@`
							`"/search?q=news&qs=n&form=QBLH,/search?q=health&qs=n&form=QBLH\|Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\|Host:www.bing.com\|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8"`

							`"Server:Microsoft-IIS/8.5\|Cache-Control:private, max-age=0\|Content-Type:text/html; charset=utf-8\|Vary:Accept-Encoding"`
		`@ -0,0 +1,3 @@`
							`"/include/template/isx.php,/wp06/wp-includes/po.php,/wp08/wp-includes/dtcla.php,/modules/mod_search.php,/blog/wp-includes/pomo/src.php,/includes/phpmailer/class.pop3.php\|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08\|Referer:http://www.google.com\|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5"`

							`"Server:Apache/2.2.26 (Unix)\|X-Powered-By:PHP/5.3.28\|Cache-Control:no-cache\|Content-Type:text/html\|Keep-Alive:timeout=3, max=100"`
		`@ -0,0 +1,3 @@`
							`"/c/msdownload/update/others/2016/12/29136388_,/c/msdownload/update/others/2016/12/3215234_\|Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40\|Host:download.windowsupdate.com\|Accept: /"`

							`"Content-Type:application/vnd.ms-cab-compressed\|Server:Microsoft-IIS/8.5\|MSRegion:N. America\|Connection:keep-alive\|X-Powered-By:ASP.NET"`