CobaltSpam

Tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons

Description

Use spam.py to start spamming a server with fake beacons

Usage

usage: spam.py [-h] [-u URL | -f FILE]

optional arguments:
  -h, --help             show this help message and exit
  -u URL, --url URL      Target a single URL
  -f FILE, --file FILE   Target a list of domains from a text file (One target per line)
  --use_tor              (Optional, uses Tor to send beacons - please see Prerequisites!)
  --print_config         (Optional, prints beacon config)
  --publish_to_threatfox (Optional) Publish your findings to ThreatFox
  --parse_only           (Optional) Only download & parse beacon and parse it without spamming  

Note

You might want to use a tool like TorghostNG on your VM to hide your real IP or use Whonix

Prerequisites

Please install Tor before using this script and make sure it is running and listening on Port 9050

Afterwards install the following package:

pip install PySocks
pip install stem
pip install requests


Please follow these steps to make sure this script is able to change the TOR IP programmatically

$ tor --hash-password MyStr0n9P#D
16:160103B8D7BA7CFA605C9E99E5BB515D9AE71D33B3D01CE0E7747AD0DC

Add this value to /etc/torrc (Path may vary depending on our distribution) for the value HashedControlPassword so it reads
HashedControlPassword 16:160103B8D7BA7CFA605C9E99E5BB515D9AE71D33B3D01CE0E7747AD0DC

Afterwards uncomment the line
ControlPort 9051
Restart your tor service:
$ sudo service tor restart
Finally add your hash-password (In this example MyStr0n9P#D) to spam_utils.py as "tor_password"

Disclaimer

While this should be clear, this tool should be used only against infrastructure you own. Don't mess with systems you don't own!