AggressiveProxy

AggressiveProxy is a combination of a .NET 3.5 binary (LetMeOutSharp) and a Cobalt Strike aggressor script (AggressiveProxy.cna). Once LetMeOutSharp is executed on a workstation, it tries to enumerate all available proxy configurations and to communicate with the Cobalt Strike server over HTTP(S) using the identified proxy configurations.

The story behind the tool can be found at EncodeGroup's Medium.

Requirements

Instructions

http-get {
  set uri "/test/";
  set verb "GET";
  client {
    header "Accept" "*/*";
    header "Accept-Encoding" "gzip, deflate";
    metadata {
      base64url;
      prepend "user=";
      header "Cookie";
    }
  }
  server {
    header "Server" "Server";
    header "Content-Type" "application/text";
    header "Connection" "keep-alive";
    output {
      print;
    }
  }
}

You will need to define the following variants:

http-get "chrome" {
  ..<same as the main profile>..
  client {
    ..<same as the main profile>..
    header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36";
    ..<same as the main profile>..
  }
  server {
    ..<same as the main profile>..
  }
}
http-get "firefox" {
  ..<same as the main profile>..
  client {
    ..<same as the main profile>..
    header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0";
    ..<same as the main profile>..
  }
  server {
    ..<same as the main profile>..
  }
}
http-get "edge" {
  ..<same as the main profile>..
  client {
    ..<same as the main profile>..
    header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51";
    ..<same as the main profile>..
  }
  server {
    ..<same as the main profile>..
  }
}
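
For defenders, the traits this sample profile and its variants put on the wire can be matched in proxy or HTTP logs. The following Python is an added example, not part of AggressiveProxy; the transaction dictionary layout, the make_tx helper, the 16-character cookie minimum and the three-trait threshold are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Values copied from the sample profile above; an operator can change any of them.
PROFILE_URI = "/test/"
VARIANT_UAS = {
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
    "edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51",
}
# metadata block: base64url text after "user=" in Cookie (16-char minimum is an assumption).
COOKIE_RE = re.compile(r"user=[A-Za-z0-9_-]{16,}={0,2}")

def traits(tx):
    """Return the set of profile traits matched by one HTTP transaction dict."""
    req, resp = tx["req"], tx["resp"]
    found = set()
    if tx["method"] == "GET" and tx["uri"].split("?")[0] == PROFILE_URI:
        found.add("uri")
    if COOKIE_RE.fullmatch(req.get("Cookie", "")):
        found.add("cookie")
    if req.get("Accept") == "*/*" and req.get("Accept-Encoding") == "gzip, deflate":
        found.add("accept")
    if resp.get("Server") == "Server" and resp.get("Content-Type") == "application/text":
        found.add("server")
    return found

def hunt(transactions, threshold=3):
    """Group transactions with >= threshold traits by (src, dst) for analyst review."""
    pairs = defaultdict(lambda: {"traits": set(), "variants": set()})
    for tx in transactions:
        found = traits(tx)
        if len(found) < threshold:
            continue
        entry = pairs[(tx["src"], tx["dst"])]
        entry["traits"] |= found
        entry["variants"] |= {n for n, s in VARIANT_UAS.items() if s == tx["req"].get("User-Agent")}
    return dict(pairs)

def make_tx(src, dst, uri, ua, cookie, server="Server", ctype="application/text"):
    """Hypothetical helper that builds one parsed log record for the sample below."""
    req = {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "User-Agent": ua, "Cookie": cookie}
    return {"src": src, "dst": dst, "method": "GET", "uri": uri, "req": req, "resp": {"Server": server, "Content-Type": ctype}}

# Constructed sample records (not captured traffic); addresses and names are reserved test values.
SAMPLE = [
    make_tx("192.0.2.10", "c2.example", "/test/", VARIANT_UAS["chrome"], "user=" + "QUJD" * 8),
    make_tx("192.0.2.10", "c2.example", "/test/", VARIANT_UAS["firefox"], "user=" + "ZGVm" * 8),
    make_tx("192.0.2.11", "shop.example", "/cart", VARIANT_UAS["chrome"], "user=bob", "nginx", "text/html"),
]
```

A source/destination pair that shows more than one variant User-Agent alongside the other traits is a stronger lead than a single match, since one workstation rarely presents several browser identities to the same server.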

Menu options

The CNA will create a menu with the following items:

Extra Configuration

Notes

An effort has been made to test multiple cases of proxy configurations / technologies. This, however, does not mean that all cases have been accounted for. If you feel you have found a case that LetMeOutSharp does not take into account, feel free to open an issue or a merge request.

Authors

@cirrusj

@leftp