{"id":13840664,"url":"https://github.com/EncodeGroup/AggressiveProxy","last_synced_at":"2025-07-11T09:32:43.173Z","repository":{"id":201632926,"uuid":"310002139","full_name":"EncodeGroup/AggressiveProxy","owner":"EncodeGroup","description":"Project to enumerate proxy configurations and generate shellcode from CobaltStrike","archived":false,"fork":false,"pushed_at":"2020-11-04T16:08:11.000Z","size":20,"stargazers_count":140,"open_issues_count":1,"forks_count":25,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-05T17:25:29.762Z","etag":null,"topics":["cobaltstrike","cobaltstrike-cna","redteam","redteam-tools"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EncodeGroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-11-04T12:53:00.000Z","updated_at":"2023-12-21T23:25:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"eb8d2e18-781d-4f22-9c48-7e08bdf8aec2","html_url":"https://github.com/EncodeGroup/AggressiveProxy","commit_stats":null,"previous_names":["encodegroup/aggressiveproxy"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveProxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveProxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveProxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveProxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/owners/EncodeGroup","download_url":"https://codeload.github.com/EncodeGroup/AggressiveProxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712598,"owners_count":17512433,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cobaltstrike","cobaltstrike-cna","redteam","redteam-tools"],"created_at":"2024-08-04T17:00:51.726Z","updated_at":"2024-11-21T10:30:33.961Z","avatar_url":"https://github.com/EncodeGroup.png","language":"C#","funding_links":[],"categories":["C# (212)","C# #"],"sub_categories":[],"readme":"# AggressiveProxy\nAggressiveProxy is a combination of a .NET 3.5 binary (**LetMeOutSharp**) and a Cobalt Strike aggressor script (**AggressiveProxy.cna**). Once LetMeOutSharp is executed on a workstation, it will try to enumerate all available proxy configurations and then try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations.\n\nThe story behind the tool can be found at [EncodeGroup's Medium](https://medium.com/encode-threat-labs/aggressiveproxy-a-tale-of-two-proxies-and-a-sad-beacon-43042a04a0d0)\n\n## Requirements\n* CobaltStrike 4.1\n* Mono Framework\n\n## Instructions\n* Modify the `$msbuild` value in AggressiveProxy.cna to point to the path of the msbuild executable that is part of the Mono Framework\n* Click on the *Proxy Handler-\u003eStart Handler* menu item. 
At this point, the script will prompt for the listener, the proxy handler URL and the expected response content.\n* Once these values have been set, the script will then:\n\t* Replace the `%C2URL%` and `%RESPONSE%` placeholders inside `Program_template.cs` and create the `Program.cs` file\n\t* Invoke MSBuild in order to build the .NET binary LetMeOutSharp\n* The script will then create a web page at the provided `Check URL`. Once LetMeOutSharp has made a request to that URL, the script will then:\n\t* Try to decode the base64 parameters of the GET request and extract the proxy address:port, the User-Agent and the architecture (x86/x64).\n\t* Try to match the User-Agent it received and pick the corresponding Malleable variant. If you want the generated shellcode to use the appropriate User-Agent, you will need to create the following variants:\n\t  * \"chrome\"\n\t  * \"firefox\"\n\t  * \"edge\"\n\t\n\tIf no such variants are configured, the default one is used. The new variants should have **exactly the same configuration** as the variant your listener is/will be using, with the addition of the appropriate `header \"User-Agent\"` line in the `client` part.\n\tFor example, if your listener is using the following profile:\n```\nhttp-get {\n  set uri \"/test/\";\n  set verb \"GET\";\n  client {\n    header \"Accept\" \"*/*\";\n    header \"Accept-Encoding\" \"gzip, deflate\";\n    metadata {\n      base64url;\n      prepend \"user=\";\n      header \"Cookie\";\n    }\n  }\n  server {\n    header \"Server\" \"Server\";\n    header \"Content-Type\" \"application/text\";\n    header \"Connection\" \"keep-alive\";\n    output {\n      print;\n    }\n  }\n}\n```\nYou will need to define the following variants:\n```\nhttp-get \"chrome\" {\n  ..\u003csame as the main profile\u003e..\n  client {\n    ..\u003csame as the main profile\u003e..\n    header \"User-Agent\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 
Safari/537.36\";\n    ..\u003csame as the main profile\u003e..\n  }\n  server {\n    ..\u003csame as the main profile\u003e..\n  }\n}\nhttp-get \"firefox\" {\n  ..\u003csame as the main profile\u003e..\n  client {\n    ..\u003csame as the main profile\u003e..\n    header \"User-Agent\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0\";\n    ..\u003csame as the main profile\u003e..\n  }\n  server {\n    ..\u003csame as the main profile\u003e..\n  }\n}\nhttp-get \"edge\" {\n  ..\u003csame as the main profile\u003e..\n  client {\n    ..\u003csame as the main profile\u003e..\n    header \"User-Agent\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51\";\n    ..\u003csame as the main profile\u003e..\n  }\n  server {\n    ..\u003csame as the main profile\u003e..\n  }\n}\n```\n\n* AggressiveProxy.cna will then set up a new temporary listener with the custom proxy configuration. The following exception will be logged: `java.lang.RuntimeException: Another Beacon listener exists on your cobalt console`. This is expected: the temporary listener is used only to generate the shellcode with the custom proxy configuration, and it is deleted once the shellcode has been generated.\n* A new URL will be created to host the shellcode, XOR-encrypted and hex-encoded.\n* LetMeOutSharp will then fetch the shellcode and try to inject it into a new process. Currently, as a PoC, LetMeOutSharp performs a QueueUserAPC injection into a newly spawned instance of our favorite process, `notepad.exe`. Feel free to modify `Injector.cs` to your taste.\n\n## Menu options\nThe CNA will create a menu with the following items:\n  * *Start Handler* defines the listener that LetMeOutSharp will try to communicate with, the URL it will try to reach, and the expected response from the web server. 
After defining the settings, it will host the proxy handling URL on the Cobalt Strike web server.\n  * *Stop Handler* will remove the proxy handling URL and any hosted generated shellcode.\n\n## Extra Configuration\n\n* By modifying the `$buildver` variable in the AggressiveProxy CNA, you can build a Debug version of LetMeOutSharp, which is more verbose and will print out all the relevant information it gathers. This should be used only for testing purposes.\n* Currently, the AggressiveProxy CNA protects the hosted shellcode with impenetrable encryption, namely a hardcoded single-byte XOR key. This can be changed via the `$xordata` variable; you should also replace the matching line `values[i] = (byte)(values[i] ^ 0x2a);` in Program_template.cs.\n\n## Notes\nAn effort has been made to test multiple cases of proxy configurations / technologies. This however does not mean that all cases have been accounted for. If you find a case that LetMeOutSharp does not take into account, feel free to open an issue or a merge request.\n\n## Authors\n\n[@cirrusj](https://github.com/cirrusj)\n\n[@leftp](https://github.com/leftp)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEncodeGroup%2FAggressiveProxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FEncodeGroup%2FAggressiveProxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEncodeGroup%2FAggressiveProxy/lists"}