Skip to content
/ ipv4guard Public

A Cobalt Strike Aggressor Script that aims to help prevent errant Cobalt Strike commands from being executed on non-whitelisted / off-target / out-of-scope / unapproved IPv4 addresses.

8 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SavSanta/ipv4guard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits
Screenshots
Screenshots
 
 
README.md
README.md
 
 
ipv4guard.cna
ipv4guard.cna
 
 

Repository files navigation

ipv4guard

A Cobalt Strike Aggressor Script that attempts to aid a Cobalt Strike operator from being executing commands on non-whitelisted / off-target/ unapproved IPv4 target addresses.

How It Works

After an operator adds an IP address to the monitoring list, the Cobalt Strike Aggressor Script monitors the beacon_input hook for IPv4 that matches addresses that take the proper action and halts the action when it detects a match.

Usage

Right-Click Beacon in Session Window -> Select "IPv4 Guard". S1

Input CIDR IP (like 192.168.1.1/30). Select "Add" as the action. Click Perform.
S2

S2-1
[10/19 11:43:47] [*] Assuming CIDR address.
[10/19 11:41:41] [+] Add action complete.

Right-Click Beacon in Session Window -> Select "IPv4 Guard". S1

Select "List" as the action. IP is ignored. Click Perform.
S3

S3-1
[10/19 11:43:47] [] Assuming CIDR address.
[10/19 11:43:47] [] Hosts: @('192.168.1.1', '192.168.1.2', '192.168.1.3', '192.168.1.4')
[10/19 11:43:47] [+] List action complete.

Enter into the Beacon Console a command with the off-limit IP.

[10/19 11:45:16] [] Tasked beacon to run: 192.168.1.1
[10/19 11:45:16] [] Line -> shell 192.168.1.1
[10/19 11:45:16] [] IP match - 192.168.1.13 - found in IPGuard.
[10/19 11:45:16] [] Verify your entered command.
S5

Additional helper functions inside a beacon window can run and act as shorthand for determining the number of hosts in a CIDR or listing out all IPs in that range

Examples:

Get number of hosts in a CIDR

[10/19 11:38:46] beacon> ipv4check 192.168.1.1/24 hostcount
[10/19 11:38:46] [] Assuming CIDR address.
[10/19 11:38:46] [] Hostcount: 254

List hosts

[10/19 11:39:55] beacon> ipv4check 192.168.1.1/30 hosts
[10/19 11:39:55] [] Assuming CIDR address.
[10/19 11:39:55] [] Hosts: 192.168.1.1, 192.168.1.2

Caveat and Limitations

  • If an operator is already operating from a non-whitelisted target, one could possibly run commands from that target and the CNA script can not determine its origination point.
  • Similarily, operators should still be aware of where theyre actually operating from (ie be aware if your socks proxying, tunneling into different VLANs, targeting different RFC 1918 IP addresses)
  • Higher memory consumption on large CIDR ( aruond /12 or lower) blocks. Thusly not suggested for low memory systems.

TODOs

  • Investigate adding hostname-based detection/prevention.
  • Investigate common systools output parsing

References

  • Net::IP::Match::Regexp

About

A Cobalt Strike Aggressor Script that aims to help prevent errant Cobalt Strike commands from being executed on non-whitelisted / off-target / out-of-scope / unapproved IPv4 addresses.

Topics

aggressor-script cobaltstrike-cna cobaltstrike offlmit

Resources

Readme
Activity

Stars

8 stars

Watchers

1 watching

Forks

0 forks
Report repository