-
Notifications
You must be signed in to change notification settings - Fork 5
/
BOF-curated-collection.yaml
415 lines (400 loc) · 12.6 KB
/
BOF-curated-collection.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
---
name: "udpScanner"
description: "Universal UDP port sweeper"
author: "Z-Labs"
tags: ['windows', 'linux','net-recon','z-labs']
OS: "cross"
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/udpScanner.zig'
examples: '
Scanning provided IP range on most common UDP ports with builtin UDP probes:
udpScanner str:192.168.0.1-32
Scanning only cherry-picked ports (if no builtin UDP probe for the chosen port is available then length and content of the packet payload will be randomly generated:
udpScanner str:192.168.0.1:123,161
udpScanner str:102.168.1.1-128:53,427,137
udpScanner str:192.168.0.1:100-200
Example of running with provided UDP probes:
udpScanner str:192.168.0.1-32 int:BUF_LEN str:BUF_MEMORY_ADDRESS
UDP probe syntax (with example):
<portSpec> <probeName> <hexadecimal encoded probe data>\n
53,69,135,1761 dnsReq 000010000000000000000000
Example of running udpScanner using cli4bofs tool and with UDP probes provided from the file:
cli4bofs exec udpScanner 102.168.1.1-4:161,427 file:/tmp/udpPayloads
'
arguments:
- name: IPSpec
desc: "IP addresses specification, ex: 192.168.0.1; 10.0.0-255.1-254; 192.168.0.1:161,427,10-15"
type: string
required: true
- name: BufLen
desc: "length of UDP probes buffer"
type: integer
required: false
- name: BufMemoryAddress
desc: "memory address of UDP probes buffer"
type: string
required: false
---
name: "tcpScanner"
description: "TCP connect() port scanner"
author: "Z-Labs"
tags: ['windows', 'linux','net-recon','z-labs', 'api']
OS: "cross"
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/tcpScanner.zig'
examples: '
Scanning selected hosts and ports:
tcpScanner str:192.168.0.1:80,22,443
tcpScanner str:192.168.0.1:100-200
tcpScanner str:102.168.1.1-128:445,81,8080-8089
'
arguments:
- name: IPSpec
desc: "IP addresses specification, ex: 192.168.0.1; 10.0.0-255.1-254; 192.168.0.1:161,427,10-15"
type: string
required: true
---
name: uname
description: "Print system information. With no flag, same as -s"
author: Z-Labs
tags: ['linux','host-recon','z-labs']
OS: linux
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/coreutils/uname.zig'
examples: '
uname
uname -a
Flags:
-a print all information
-s print the kernel name
-n print the network node hostname
-r print the kernel release
-v print the kernel version
-m print the machine hardware name
'
arguments:
- name: option
desc: "Print only chosen system information. Supported options: -asnrvm"
type: string
required: false
---
name: hostid
description: "Print the numeric identifier for the current host"
author: Z-Labs
tags: ['linux','host-recon','z-labs']
OS: linux
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/coreutils/hostid.zig'
examples: '
hostid
'
---
name: hostname
description: "Show system host name"
author: Z-Labs
tags: ['linux','host-recon','z-labs']
OS: linux
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/coreutils/hostname.zig'
examples: '
hostname
'
---
name: id
description: "Print user and group information for each specified USER, or (when USER omitted) for the current process"
author: Z-Labs
tags: ['linux','host-recon','z-labs']
OS: linux
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/coreutils/id.zig'
examples: '
id
id root
'
arguments:
- name: user
desc: "Prints user and group information for this user"
type: string
required: false
---
name: "ifconfig"
description: "Displays the status of the currently active network interfaces; Manipulates current state of the device (euid = 0 or CAP_NET_ADMIN is required for that)"
author: "Z-Labs"
tags: ['linux','host-recon','z-labs']
OS: 'linux'
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/net-tools/ifconfig.zig'
examples: '
ifconfig
ifconfig eth0 down
ifconfig eth0 promisc
ifconfig eth0 -promisc
'
arguments:
- name: User
desc: "Prints user and group information for this user"
type: string
required: false
---
name: kmodLoader
description: "Loads and unloads Linux kernel modules images directly from memory"
author: Z-Labs
tags: ['linux','post-exploitation','z-labs']
OS: linux
api:
- 'kmodLoad(module_image: [*]const u8, len: usize, param_values: [*:0]const u8) callconv(.C) u8'
- 'kmodRemove(module_name: [*:0]const u8, flags: u32) callconv(.C) u8'
sources:
- 'https://raw.githubusercontent.com/The-Z-Labs/bof-launcher/main/bofs/src/kmodLoader.zig'
examples: '
See BOF-stager for an example of using this BOF.
'
arguments:
- name: module_image
desc: "memory address of kernel image module"
type: string
required: true
api: kmodLoad
- name: len
desc: "size of kernel module image"
type: integer
required: true
api: kmodLoad
- name: param_values
desc: "kernel module parameters in a form of: name[=value[,value...]] for each parameter"
type: string
required: true
api: kmodLoad
- name: module_name
desc: "kernel module name to remove"
type: string
required: true
api: kmodRemove
- name: flags
desc: "special flags"
type: integer
required: true
api: kmodRemove
errors:
- name: NoRootPermissions
code: 0x1
message: "Root privileges are required to load kernel module"
---
name: cat
description: "Concatenate FILE to stdout"
author: Trustedsec
tags: ['linux', 'host-recon', 'trustedsec']
OS: linux
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/trustedsec/ELFLoader/main/SA/src/cat.c'
examples: '
cat /etc/passwd
'
arguments:
- name: filename
desc: "Filename to display"
type: string
required: true
---
name: tasklist
description: "Report a snapshot of the current processes"
author: Trustedsec
tags: ['linux', 'host-recon', 'trustedsec']
OS: linux
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/trustedsec/ELFLoader/main/SA/src/tasklist.c'
examples: '
tasklist
'
---
name: pwd
description: "Print name of current/working directory"
author: Trustedsec
tags: ['linux', 'host-recon', 'trustedsec']
OS: linux
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/trustedsec/ELFLoader/main/SA/src/pwd.c'
examples: '
pwd
'
---
name: listmods
srcfile: "entry"
description: "List process modules (DLL). Target current process if PID is empty"
author: Trustedsec
tags: ['windows', 'host-recon', 'trustedsec']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/listmods/entry.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/common/base.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/common/bofdefs.h'
examples: '
listmods 3461
'
arguments:
- name: pid
desc: "Process PID"
type: integer
required: false
---
name: adcs_enum
srcfile: "entry"
description: "Enumerate CAs and templates in the AD using Win32 functions"
author: Trustedsec
tags: ['windows', 'host-recon', 'trustedsec']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/adcs_enum/entry.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/adcs_enum/adcs_enum.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/adcs_enum/adcs_enum.h'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/adcs_enum/certca.h'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/adcs_enum/certenroll.h'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/common/base.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/common/bofdefs.h'
examples: '
adcs_enum <domain>
'
arguments:
- name: domain
desc: "Active directory domain name"
type: wstring
required: true
---
name: arp
srcfile: "entry"
description: "List ARP table"
author: Trustedsec
tags: ['windows', 'host-recon', 'trustedsec']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/SA/arp/entry.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/common/base.c'
- 'https://raw.githubusercontent.com/trustedsec/CS-Situational-Awareness-BOF/refs/heads/master/src/common/bofdefs.h'
examples: '
arp
'
---
name: Domaininfo
description: "Enumerate CAs and templates in the AD using Win32 functions"
author: Outflank
tags: ['windows', 'host-recon', 'outflank']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/outflanknl/C2-Tool-Collection/refs/heads/main/BOF/Domaininfo/SOURCE/Domaininfo.c'
- 'https://raw.githubusercontent.com/outflanknl/C2-Tool-Collection/refs/heads/main/BOF/Domaininfo/SOURCE/Domaininfo.h'
examples: '
domaininfo
'
---
name: Smbinfo
description: "Gather remote system version info using the NetWkstaGetInfo API"
author: Outflank
tags: ['windows', 'host-recon', 'outflank']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/outflanknl/C2-Tool-Collection/refs/heads/main/BOF/Smbinfo/SOURCE/Smbinfo.c'
- 'https://raw.githubusercontent.com/outflanknl/C2-Tool-Collection/refs/heads/main/BOF/Smbinfo/SOURCE/Smbinfo.h'
examples: '
smbinfo <computername>
'
arguments:
- name: computername
desc: "Active directory computer name"
type: wstring
required: true
---
name: ReconAD
description: "Query Active Directory objects and attributes using ADSI API"
author: Outflank
tags: ['windows', 'host-recon', 'outflank']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/outflanknl/C2-Tool-Collection/refs/heads/main/BOF/ReconAD/SOURCE/ReconAD.c'
- 'https://raw.githubusercontent.com/outflanknl/C2-Tool-Collection/refs/heads/main/BOF/ReconAD/SOURCE/ReconAD.h'
examples: '
ReconAD (&(objectClass=user)(objectCategory=person)(sAMAccountName=*admin*)) displayName,sAMAccountName 10
ReconAD users *admin* displayName,sAMAccountName 10 -usegc
ReconAD groups "Domain Admins" -all -max -usegc 192.168.1.10
ReconAD computers *srv* name,operatingSystemVersion 20 -ldap 192.168.1.10
'
arguments:
- name: objects
desc: "custom|users|groups|computers"
type: wstring
required: true
- name: ldap_filter
desc: "custom_ldap_filter|username|groupname|computername"
type: wstring
required: true
- name: ldap_attr
desc: "comma separated ldap attributes"
type: wstring
required: false
- name: max_results
desc: "max results"
type: integer
required: false
- name: usegc
desc: "search within the Global Catalogue (set to 1); use LDAP (default)"
type: integer
required: false
- name: server
desc: "IP of custom server; or '-noserver' for serverless binding (default)"
type: wstring
required: false
---
name: KillDefender
description: "make Windows Defender useless by removing its token privileges and lowering the token integrity"
author: Cerbersec
tags: ['windows', 'host-recon', 'cerbersec']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/Cerbersec/KillDefenderBOF/refs/heads/main/KillDefender.c'
- 'https://raw.githubusercontent.com/Cerbersec/KillDefenderBOF/refs/heads/main/KillDefender.h'
- 'https://raw.githubusercontent.com/Cerbersec/KillDefenderBOF/refs/heads/main/syscalls-asm.h'
- 'https://raw.githubusercontent.com/Cerbersec/KillDefenderBOF/refs/heads/main/syscalls.c'
- 'https://raw.githubusercontent.com/Cerbersec/KillDefenderBOF/refs/heads/main/syscalls.h'
examples: '
KillDefender
'
---
name: ppenum
description: "Read the protection level of a process"
author: rasta-mouse
tags: ['windows', 'host-recon']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/rasta-mouse/PPEnum/refs/heads/main/ppenum.c'
examples: '
'
arguments:
- name: pid
desc: "process PID"
type: integer
required: true
---
name: detect-hooks
description: "Attempts to detect userland API hooks in place by AV/EDR"
author: X-Force-Red
tags: ['windows', 'host-recon', 'xforcered']
OS: windows
entrypoint: "go"
sources:
- 'https://raw.githubusercontent.com/xforcered/Detect-Hooks/refs/heads/main/src/detect-hooks.c'
- 'https://raw.githubusercontent.com/xforcered/Detect-Hooks/refs/heads/main/src/detect-hooks.h'
examples: '
detect-hooks
'