def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="bypassuac",
description=cls.__doc__)
cls.arg_parser.add_argument(
'-m',
dest='method',
choices=[
"eventvwr",
"fodhelper",
"tokenimp",
],
default=None,
help=
"By default, a method will be found for you depending on your build version"
)
cls.arg_parser.add_argument('-e',
dest='exe',
default=None,
help="Custom exe to execute as admin")
cls.arg_parser.add_argument('-r',
dest='restart',
action='store_true',
default=False,
help="Restart current executable as admin")
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='edit', description=cls.__doc__)
cls.arg_parser.add_argument(
'remote_file', metavar='<remote_path>',
completer=remote_path_completer)
# -*- encoding: utf-8 -*-
# TODO: Fix stream/interaction
from pupylib.PupyModule import PupyArgumentParser, PupyModuleUsageError
from pupylib.PupyCompleter import module_name_completer, module_args_completer, path_completer
from pupylib.PupyOutput import Error, Success
from pupylib.PupyJob import PupyJob
from argparse import REMAINDER
usage = 'Run a module on one or multiple clients'
parser = PupyArgumentParser(prog='run', description=usage)
parser.add_argument('-1',
'--once',
default=False,
action='store_true',
help='Unload new deps after usage')
parser.add_argument('-o',
'--output',
help='save command output to file.'
'%%t - timestamp, %%h - host, %%m - mac, '
'%%c - client shortname, %%M - module name, '
'%%p - platform, %%u - user, %%a - ip address',
completer=path_completer)
parser.add_argument(
'-f',
'--filter',
metavar='<client filter>',
help=
'filter to a subset of all clients. All fields available in the "info" module can be used. '
# -*- encoding: utf-8 -*-
from pupylib.PupyModule import PupyArgumentParser
from pupylib.PupyOutput import Success
import os
usage = 'Restart pupysh'
parser = PupyArgumentParser(prog='restart', description=usage)
def do(server, handler, config, args):
argv0 = os.readlink('/proc/self/exe')
argv = [ x for x in open('/proc/self/cmdline').read().split('\x00') if x ]
if handler.dnscnc:
handler.display(Success('Stopping DNSCNC'))
handler.dnscnc.stop()
server.stop()
handler.display(Success('Restarting'))
os.execv(argv0, argv)
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="psexec",
description=cls.__doc__)
cls.arg_parser.add_argument(
"-u",
metavar="USERNAME",
dest='user',
default='',
help="Username, if omitted null session assumed")
cls.arg_parser.add_argument("-p",
metavar="PASSWORD",
dest='passwd',
default='',
help="Password")
cls.arg_parser.add_argument("-c",
metavar="CODEPAGE",
dest='codepage',
default='cp437',
help="Codepage")
cls.arg_parser.add_argument("-H",
metavar="HASH",
dest='hash',
default='',
help='NTLM hash')
cls.arg_parser.add_argument("-d",
metavar="DOMAIN",
dest='domain',
default="WORKGROUP",
help="Domain name (default WORKGROUP)")
cls.arg_parser.add_argument("-s",
metavar="SHARE",
dest='share',
default="C$",
help="Specify a share (default C$)")
cls.arg_parser.add_argument("-S",
dest='noout',
action='store_true',
help="Do not wait for command output")
cls.arg_parser.add_argument("-T",
metavar="TIMEOUT",
dest='timeout',
default=30,
type=int,
help="Try to set this timeout")
cls.arg_parser.add_argument("--port",
dest='port',
type=int,
choices={139, 445},
default=445,
help="SMB port (default 445)")
cls.arg_parser.add_argument("target",
nargs=1,
type=str,
help="The target range or CIDR identifier")
sgroup = cls.arg_parser.add_argument_group(
"Command Execution", "Options for executing "
"commands on the specified host")
sgroup.add_argument(
'-execm',
choices={"smbexec", "wmi"},
dest="execm",
default="wmi",
help="Method to execute the command (default: wmi)")
sgroup.add_argument(
"-x",
metavar="COMMAND",
dest='command',
help='Execute a command. Use pupy64/pupy86 for .NET loader. '
'WARNING! There is no autodetection')
# -*- encoding: utf-8 -*-
from pupylib.PupyModule import PupyArgumentParser
from pupylib.PupyOutput import Color, Success, Error, Table
usage = 'list/interact with established sessions'
parser = PupyArgumentParser(prog='sessions', description=usage)
parser.add_argument('-i', '--interact', metavar='<filter>',
help="change the default --filter value for other commands")
parser.add_argument('-g', '--global-reset', action='store_true',
help="reset --interact to the default global behavior")
parser.add_argument('-k', dest='kill', metavar='<id>', type=int, help='Kill the selected session')
parser.add_argument('-K', dest='killall', action='store_true', help='Kill all sessions')
parser.add_argument('-d', dest='drop', metavar='<id>', type=int,
help='Drop the connection (abruptly close the socket)')
parser.add_argument('-D', dest='dropall', action='store_true', help='Drop all connections')
def do(server, handler, config, modargs):
if modargs.global_reset:
handler.default_filter = None
handler.display(Success('Default filter reset to global'))
elif modargs.interact:
handler.default_filter = modargs.interact
handler.display(Success('Default filter set to {}'.format(
handler.default_filter)))
elif modargs.kill:
selected_client = server.get_clients(modargs.kill)
if selected_client:
try:
def init_argparse(cls):
header = """
#####################################################
# _ #
# ___| |__ __ _ _ __ __ _ ___ _ __ ___ ___ #
# / __| '_ \ / _` | '_ \ / _` |/ _ \ '_ ` _ \ / _ \\ #
# | (__| | | | (_| | | | | (_| | __/ | | | | | __/ #
# \___|_| |_|\__,_|_| |_|\__, |\___|_| |_| |_|\___| #
# |___/ #
# #
# Default Credential Scanner #
#####################################################
"""
example = '''
Examples:
>> run changeme -c web --name tomcat --target 192.168.1.10
'''
cls.arg_parser = PupyArgumentParser(prog="changeme",
description=header + cls.__doc__,
epilog=example)
cls.arg_parser.add_argument(
'--protocol',
choices=['ftp', 'http', 'mssql', 'ssh', 'telnet'],
help='Protocol of default creds to scan for',
default=None)
cls.arg_parser.add_argument(
'--category',
'-c',
choices=['webcam', 'web', 'phone', 'printer'],
help='Category of default creds to scan for',
default=None)
cls.arg_parser.add_argument(
'--name',
'-n',
type=str,
help='Narrow testing to the supplied credential name',
default=None)
# Targets to launch scan
cls.arg_parser.add_argument('--target',
type=str,
help='Subnet or IP to scan')
cls.arg_parser.add_argument(
'--targets',
type=str,
help='File of targets to scan (IP or IP:PORT)',
default=None)
cls.arg_parser.add_argument('--port',
type=int,
help='Custom port to connect',
default=None)
cls.arg_parser.add_argument('--ssl',
action='store_true',
help='Use ssl',
default=None)
cls.arg_parser.add_argument(
'--creds',
type=str,
help='File of custom credentials to check (login/password)',
default=None)
# Log and output
cls.arg_parser.add_argument('--proxy',
'-p',
type=str,
help='HTTP(S) Proxy',
default=None)
cls.arg_parser.add_argument('--log',
'-l',
type=str,
help='Write logs to logfile',
default=None)
# cls.arg_parser.add_argument('--output', '-o', type=str, help='Name of file to write CSV results', default=None)
# Verbosity
cls.arg_parser.add_argument('--verbose',
'-v',
action='store_true',
help='Verbose output')
cls.arg_parser.add_argument('--debug',
'-d',
action='store_true',
help='Debug output')
# Advanced options
cls.arg_parser.add_argument(
'--timeout',
type=int,
help='Timeout in seconds for a request, default=10',
default=10)
cls.arg_parser.add_argument('--useragent',
'-ua',
type=str,
help="User agent string to use")
cls.arg_parser.add_argument(
'--delay',
'-dl',
type=int,
help=
"Specify a delay in milliseconds to avoid 429 status codes default=500",
default=500)
def init_argparse(cls):
# changes from original main :
# - argparse.ArgumentParser to PupyArgumentParser
# - parser to cls.arg_parser
# - function name to string (ex: func=get_adobject to func="get_adobject")
cls.arg_parser = PupyArgumentParser(
description=
'Rewriting of some PowerView\'s functionalities in Python')
subparsers = cls.arg_parser.add_subparsers(
title='Subcommands', description='Available subcommands')
# TODO: support keberos authentication
# Credentials parser
credentials_parser = PupyArgumentParser(add_help=False)
credentials_parser.add_argument(
'-w',
'--workgroup',
dest='domain',
default=str(),
help='Name of the domain we authenticate with')
credentials_parser.add_argument(
'-u',
'--user',
required=True,
help='Username used to connect to the Domain Controller')
credentials_parser.add_argument(
'-p',
'--password',
default=str(),
help='Password associated to the username')
credentials_parser.add_argument(
'--hashes',
action='store',
metavar='LMHASH:NTHASH',
help='NTLM hashes, format is LMHASH:NTHASH')
# AD parser, used for net* functions running against a domain controller
ad_parser = PupyArgumentParser(add_help=False,
parents=[credentials_parser])
ad_parser.add_argument(
'-t',
'--dc-ip',
dest='domain_controller',
required=True,
help='IP address of the Domain Controller to target')
# Target parser, used for net* functions running against a normal computer
target_parser = PupyArgumentParser(add_help=False,
parents=[credentials_parser])
target_parser.add_argument('--computername',
dest='target_computername',
required=True,
help='IP address of the computer target')
# Parser for the get-adobject command
get_adobject_parser= subparsers.add_parser('get-adobject', help='Takes a domain SID, '\
'samAccountName or name, and return the associated object', parents=[ad_parser])
get_adobject_parser.add_argument(
'--sid',
dest='queried_sid',
help='SID to query (wildcards accepted)')
get_adobject_parser.add_argument(
'--sam-account-name',
dest='queried_sam_account_name',
help='samAccountName to query (wildcards accepted)')
get_adobject_parser.add_argument(
'--name',
dest='queried_name',
help='Name to query (wildcards accepted)')
get_adobject_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_adobject_parser.add_argument('-a',
'--ads-path',
help='Additional ADS path')
get_adobject_parser.set_defaults(func="get_adobject")
# Parser for the get-netuser command
get_netuser_parser= subparsers.add_parser('get-netuser', help='Queries information about '\
'a domain user', parents=[ad_parser])
get_netuser_parser.add_argument(
'--username',
dest='queried_username',
help='Username to query (wildcards accepted)')
get_netuser_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netuser_parser.add_argument('-a',
'--ads-path',
help='Additional ADS path')
get_netuser_parser.add_argument(
'--unconstrained',
action='store_true',
help='Query only users with unconstrained delegation')
get_netuser_parser.add_argument(
'--admin-count',
action='store_true',
help='Query only users with adminCount=1')
get_netuser_parser.add_argument(
'--allow-delegation',
action='store_true',
help=
'Return user accounts that are not marked as \'sensitive and not allowed for delegation\''
)
get_netuser_parser.add_argument(
'--spn',
action='store_true',
help='Query only users with not-null Service Principal Names')
get_netuser_parser.set_defaults(func='get_netuser')
# Parser for the get-netgroup command
get_netgroup_parser= subparsers.add_parser('get-netgroup', help='Get a list of all current '\
'domain groups, or a list of groups a domain user is member of', parents=[ad_parser])
get_netgroup_parser.add_argument(
'--groupname',
dest='queried_groupname',
default='*',
help='Group to query (wildcards accepted)')
get_netgroup_parser.add_argument('--sid',
dest='queried_sid',
help='Group SID to query')
get_netgroup_parser.add_argument(
'--username',
dest='queried_username',
help=
'Username to query: will list the groups this user is a member of (wildcards accepted)'
)
get_netgroup_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netgroup_parser.add_argument('-a',
'--ads-path',
dest='ads_path',
help='Additional ADS path')
get_netgroup_parser.add_argument(
'--full-data',
action='store_true',
help=
'If set, returns full information on the groups, otherwise, just the samAccountName'
)
get_netgroup_parser.add_argument(
'--admin-count',
action='store_true',
help='Query only users with adminCount=1')
get_netgroup_parser.set_defaults(func='get_netgroup')
# Parser for the get-netcomputer command
get_netcomputer_parser= subparsers.add_parser('get-netcomputer', help='Queries informations about '\
'domain computers', parents=[ad_parser])
get_netcomputer_parser.add_argument('--computername',
dest='queried_computername',
default='*',
help='Computer name to query')
get_netcomputer_parser.add_argument(
'-os',
'--operating-system',
dest='queried_os',
help=
'Return computers with a specific operating system (wildcards accepted)'
)
get_netcomputer_parser.add_argument(
'-sp',
'--service-pack',
dest='queried_sp',
help=
'Return computers with a specific service pack (wildcards accepted)'
)
get_netcomputer_parser.add_argument(
'-spn',
'--service-principal-name',
dest='queried_spn',
help=
'Return computers with a specific service principal name (wildcards accepted)'
)
get_netcomputer_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netcomputer_parser.add_argument('-a',
'--ads-path',
dest='ads_path',
help='Additional ADS path')
get_netcomputer_parser.add_argument('--printers',
action='store_true',
help='Query only printers')
get_netcomputer_parser.add_argument(
'--unconstrained',
action='store_true',
help='Query only computers with unconstrained delegation')
get_netcomputer_parser.add_argument(
'--ping',
action='store_true',
help='Ping computers (will only return up computers)')
get_netcomputer_parser.add_argument(
'--full-data',
action='store_true',
help=
'If set, returns full information on the groups, otherwise, just the dnsHostName'
)
get_netcomputer_parser.set_defaults(func='get_netcomputer')
# Parser for the get-netdomaincontroller command
get_netdomaincontroller_parser= subparsers.add_parser('get-netdomaincontroller', help='Get a list of '\
'domain controllers for the given domain', parents=[ad_parser])
get_netdomaincontroller_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netdomaincontroller_parser.set_defaults(
func='get_netdomaincontroller')
# Parser for the get-netfileserver command
get_netfileserver_parser= subparsers.add_parser('get-netfileserver', help='Return a list of '\
'file servers, extracted from the domain users\' homeDirectory, scriptPath, and profilePath fields', parents=[ad_parser])
get_netfileserver_parser.add_argument(
'--target-users',
nargs='+',
metavar='TARGET_USER',
help=
'A list of users to target to find file servers (wildcards accepted)'
)
get_netfileserver_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netfileserver_parser.set_defaults(func='get_netfileserver')
# Parser for the get-dfsshare command
get_dfsshare_parser= subparsers.add_parser('get-dfsshare', help='Return a list of '\
'all fault tolerant distributed file systems for a given domain', parents=[ad_parser])
get_dfsshare_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_dfsshare_parser.add_argument(
'-v',
'--version',
nargs='+',
choices=['v1', 'v2'],
default=['v1', 'v2'],
help=
'The version of DFS to query for servers: v1, v2 or all (default: all)'
)
get_dfsshare_parser.add_argument('-a',
'--ads-path',
dest='ads_path',
help='Additional ADS path')
get_dfsshare_parser.set_defaults(func='get_dfsshare')
# Parser for the get-netou command
get_netou_parser= subparsers.add_parser('get-netou', help='Get a list of all current '\
'OUs in the domain', parents=[ad_parser])
get_netou_parser.add_argument(
'--ouname',
dest='queried_ouname',
default='*',
help='OU name to query (wildcards accepted)')
get_netou_parser.add_argument(
'--guid',
dest='queried_guid',
help=
'Only return OUs with the specified GUID in their gplink property.'
)
get_netou_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netou_parser.add_argument('-a',
'--ads-path',
help='Additional ADS path')
get_netou_parser.add_argument(
'--full-data',
action='store_true',
help=
'If set, returns full information on the OUs, otherwise, just the adspath'
)
get_netou_parser.set_defaults(func='get_netou')
# Parser for the get-netsite command
get_netsite_parser= subparsers.add_parser('get-netsite', help='Get a list of all current '\
'sites in the domain', parents=[ad_parser])
get_netsite_parser.add_argument(
'--sitename',
dest='queried_sitename',
help='Site name to query (wildcards accepted)')
get_netsite_parser.add_argument(
'--guid',
dest='queried_guid',
help=
'Only return sites with the specified GUID in their gplink property.'
)
get_netsite_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netsite_parser.add_argument('-a',
'--ads-path',
help='Additional ADS path')
get_netsite_parser.add_argument(
'--full-data',
action='store_true',
help=
'If set, returns full information on the sites, otherwise, just the name'
)
get_netsite_parser.set_defaults(func='get_netsite')
# Parser for the get-netsubnet command
get_netsubnet_parser= subparsers.add_parser('get-netsubnet', help='Get a list of all current '\
'subnets in the domain', parents=[ad_parser])
get_netsubnet_parser.add_argument(
'--sitename',
dest='queried_sitename',
help=
'Only return subnets for the specified site name (wildcards accepted)'
)
get_netsubnet_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netsubnet_parser.add_argument('-a',
'--ads-path',
help='Additional ADS path')
get_netsubnet_parser.add_argument(
'--full-data',
action='store_true',
help=
'If set, returns full information on the subnets, otherwise, just the name'
)
get_netsubnet_parser.set_defaults(func='get_netsubnet')
# Parser for the get-netgpo command
get_netgpo_parser= subparsers.add_parser('get-netgpo', help='Get a list of all current '\
'GPOs in the domain', parents=[ad_parser])
get_netgpo_parser.add_argument(
'--gponame',
dest='queried_gponame',
default='*',
help='GPO name to query for (wildcards accepted)')
get_netgpo_parser.add_argument(
'--displayname',
dest='queried_displayname',
help='Display name to query for (wildcards accepted)')
get_netgpo_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netgpo_parser.add_argument('-a',
'--ads-path',
help='Additional ADS path')
get_netgpo_parser.set_defaults(func='get_netgpo')
# Parser for the get-netgroup command
get_netgroupmember_parser = subparsers.add_parser(
'get-netgroupmember',
help='Return a list of members of a domain groups',
parents=[ad_parser])
get_netgroupmember_parser.add_argument(
'--groupname',
dest='queried_groupname',
help=
'Group to query, defaults to the \'Domain Admins\' group (wildcards accepted)'
)
get_netgroupmember_parser.add_argument('--sid',
dest='queried_sid',
help='SID to query')
get_netgroupmember_parser.add_argument('-d',
'--domain',
dest='queried_domain',
help='Domain to query')
get_netgroupmember_parser.add_argument('-a',
'--ads-path',
dest='ads_path',
help='Additional ADS path')
get_netgroupmember_parser.add_argument(
'-r',
'--recurse',
action='store_true',
help=
'If the group member is a group, try to resolve its members as well'
)
get_netgroupmember_parser.add_argument('--use-matching-rule', action='store_true',
help='Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query when -Recurse is specified.\n' \
'Much faster than manual recursion, but doesn\'t reveal cross-domain groups')
get_netgroupmember_parser.add_argument(
'--full-data',
action='store_true',
help='If set, returns full information on the members')
get_netgroupmember_parser.set_defaults(func='get_netgroupmember')
# Parser for the get-netsession command
get_netsession_parser= subparsers.add_parser('get-netsession', help='Queries a host to return a '\
'list of active sessions on the host (you can use local credentials instead of domain credentials)', parents=[target_parser])
get_netsession_parser.set_defaults(func='get_netsession')
#Parser for the get-localdisks command
get_localdisks_parser = subparsers.add_parser('get-localdisks', help='Queries a host to return a '\
'list of active disks on the host (you can use local credentials instead of domain credentials)', parents=[target_parser])
get_localdisks_parser.set_defaults(func='get_localdisks')
#Parser for the get-netdomain command
get_netdomain_parser = subparsers.add_parser(
'get-netdomain',
help='Queries a host for available domains',
parents=[ad_parser])
get_netdomain_parser.set_defaults(func='get_netdomain')
# Parser for the get-netshare command
get_netshare_parser= subparsers.add_parser('get-netshare', help='Queries a host to return a '\
'list of available shares on the host (you can use local credentials instead of domain credentials)', parents=[target_parser])
get_netshare_parser.set_defaults(func='get_netshare')
# Parser for the get-netloggedon command
get_netloggedon_parser= subparsers.add_parser('get-netloggedon', help='This function will '\
'execute the NetWkstaUserEnum RPC call ti query a given host for actively logged on '\
'users', parents=[target_parser])
get_netloggedon_parser.set_defaults(func='get_netloggedon')
# Parser for the get-netlocalgroup command
get_netlocalgroup_parser= subparsers.add_parser('get-netlocalgroup', help='Gets a list of '\
'members of a local group on a machine, or returns every local group. You can use local '\
'credentials instead of domain credentials, however, domain credentials are needed to '\
'resolve domain SIDs.', parents=[target_parser])
get_netlocalgroup_parser.add_argument(
'--groupname',
dest='queried_groupname',
help=
'Group to list the members of (defaults to the local \'Administrators\' group'
)
get_netlocalgroup_parser.add_argument(
'--list-groups',
action='store_true',
help='If set, returns a list of the local groups on the targets')
get_netlocalgroup_parser.add_argument(
'-t',
'--dc-ip',
dest='domain_controller',
default=str(),
help=
'IP address of the Domain Controller (used to resolve domain SIDs)'
)
get_netlocalgroup_parser.add_argument(
'-r',
'--recurse',
action='store_true',
help=
'If the group member is a domain group, try to resolve its members as well'
)
get_netlocalgroup_parser.set_defaults(func='get_netlocalgroup')
# Parser for the invoke-checklocaladminaccess command
invoke_checklocaladminaccess_parser = subparsers.add_parser('invoke-checklocaladminaccess', help='Checks '\
'if the given user has local admin access on the given host', parents=[target_parser])
invoke_checklocaladminaccess_parser.set_defaults(
func='invoke_checklocaladminaccess')
# Parser for the invoke-userhunter command
invoke_userhunter_parser = subparsers.add_parser('invoke-userhunter', help='Finds '\
'which machines domain users are logged into', parents=[ad_parser])
invoke_userhunter_parser.add_argument('--computername',
dest='queried_computername',
nargs='+',
default=list(),
help='Host to enumerate against')
invoke_userhunter_parser.add_argument(
'--computerfile',
dest='queried_computerfile',
type=FileType('r'),
help='File of hostnames/IPs to search')
invoke_userhunter_parser.add_argument(
'--computer-adspath',
dest='queried_computeradspath',
type=str,
help='ADS path used to search computers against the DC')
invoke_userhunter_parser.add_argument(
'--unconstrained',
action='store_true',
help='Query only computers with unconstrained delegation')
invoke_userhunter_parser.add_argument(
'--groupname',
dest='queried_groupname',
help='Group name to query for target users')
invoke_userhunter_parser.add_argument(
'--targetserver',
dest='target_server',
help=
'Hunt for users who are effective local admins on this target server'
)
invoke_userhunter_parser.add_argument(
'--username',
dest='queried_username',
help='Hunt for a specific user name')
invoke_userhunter_parser.add_argument(
'--user-adspath',
dest='queried_useradspath',
type=str,
help='ADS path used to search users against the DC')
invoke_userhunter_parser.add_argument(
'--userfile',
dest='queried_userfile',
type=FileType('r'),
help='File of user names to target')
invoke_userhunter_parser.add_argument(
'--threads',
type=int,
default=1,
help='Number of threads to use (default: %(default)s)')
invoke_userhunter_parser.add_argument(
'-v',
'--verbose',
action='store_true',
help='Displays results as they are found')
invoke_userhunter_parser.add_argument(
'--admin-count',
action='store_true',
help='Query only users with adminCount=1')
invoke_userhunter_parser.add_argument('--allow-delegation', action='store_true',
help='Return user accounts that are not marked as \'sensitive and '\
'not allowed for delegation\'')
invoke_userhunter_parser.add_argument(
'--stop-on-success',
action='store_true',
help='Stop hunting after finding target user')
invoke_userhunter_parser.add_argument(
'--check-access',
action='store_true',
help=
'Check if the current user has local admin access to the target servers'
)
invoke_userhunter_parser.add_argument(
'-d',
'--domain',
dest='queried_domain',
help='Domain to query for machines')
invoke_userhunter_parser.add_argument(
'--stealth',
action='store_true',
help='Only enumerate sessions from commonly used target servers')
invoke_userhunter_parser.add_argument('--stealth-source', nargs='+', choices=['dfs', 'dc', 'file'],
default=['dfs', 'dc', 'file'],
help='The source of target servers to use, '\
'\'dfs\' (distributed file server), \'dc\' (domain controller), '\
'or \'file\' (file server) (default: all)')
invoke_userhunter_parser.add_argument(
'--show-all',
action='store_true',
help='Return all user location results')
invoke_userhunter_parser.add_argument(
'--foreign-users',
action='store_true',
help='Only return users that are not part of the searched domain')
invoke_userhunter_parser.set_defaults(func='invoke_userhunter')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='socks5proxy',
description=cls.__doc__)
cls.arg_parser.add_argument('-p', '--port', default='1080')
cls.arg_parser.add_argument('action', choices=['start', 'stop'])
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='psh',
description=cls.__doc__)
commands = cls.arg_parser.add_subparsers(title='actions')
loaded = commands.add_parser('loaded',
help='List preapred powershell contexts')
loaded.add_argument('context',
nargs='?',
help='Check is context with specified name loaded')
loaded.set_defaults(name='loaded')
load = commands.add_parser(
'load',
help=
'Create new powershell context or load more scripts into existing')
load.add_argument('-F',
'--force',
action='store_true',
default=False,
help='Destroy old context if exists')
load.add_argument('-64',
'--try-64',
action='store_true',
default=False,
help='Try amd64 if possible')
load.add_argument('-2',
'--try-v2',
action='store_true',
default=None,
help='Try version 2 if possible')
load.add_argument('-W',
'--width',
default=-1,
type=int,
help='Set output line width')
load.add_argument('-D',
'--daemon',
action='store_true',
default=False,
help='Start in "daemon" mode')
load.add_argument('context', help='Context name')
load.add_argument('source',
nargs='?',
help='Path to PS1 script (local to pupy)')
load.set_defaults(name='load')
iex = commands.add_parser('iex', help='Invoke expression in context')
iex.add_argument('-T',
'--timeout',
default=None,
type=float,
help='Set timeout for result retrieval')
iex.add_argument('-B',
'--background',
default=False,
action='store_true',
help='Evaluate in background (async)')
iex.add_argument('context', help='Context name')
iex.add_argument('expression',
nargs=REMAINDER,
help='Expression to evaluate')
iex.set_defaults(name='iex')
unload = commands.add_parser('unload', help='Destroy context')
unload.add_argument('context', help='Context name')
unload.set_defaults(name='unload')
result = commands.add_parser(
'result', help='Retrieve result by request id from context')
result.add_argument('context', help='Context name')
result.add_argument('rid', type=int, help='Request id')
result.set_defaults(name='result')
results = commands.add_parser(
'results', help='Retrieve ready RIDs from all contexts')
results.set_defaults(name='results')
killall = commands.add_parser('killall',
help='Destroy all powershell contexts')
killall.set_defaults(name='killall')
def init_argparse(cls):
example = 'Examples:\n'
example += '>> run smbspider 192.168.0.1 --pattern password --content\n'
example += '>> run smbspider 192.168.0.1 -u john -p password1 pwd= -d WORKGROUP --content -e txt,ini\n'
example += '>> run smbspider 172.16.0.20/24 -u john --pattern password.* -H \'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d\'\n'
cls.arg_parser = PupyArgumentParser(prog="smbspider",
description=cls.__doc__,
epilog=example)
cls.arg_parser.add_argument(
"-u",
metavar="USERNAME",
dest='user',
default='',
help="Username, if omitted null session assumed")
cls.arg_parser.add_argument("-p",
metavar="PASSWORD",
dest='passwd',
default='',
help="Password")
cls.arg_parser.add_argument("-H",
metavar="HASH",
dest='hash',
default='',
help='NTLM hash')
cls.arg_parser.add_argument("-d",
metavar="DOMAIN",
dest='domain',
default="WORKGROUP",
help="Domain name (default WORKGROUP)")
cls.arg_parser.add_argument("-P",
dest='port',
type=int,
choices={139, 445},
default=445,
help="SMB port (default 445)")
cls.arg_parser.add_argument("target",
nargs=1,
type=str,
help="Target range or IP address")
sgroup = cls.arg_parser.add_argument_group(
"Spidering shares", "Options for spidering shares")
sgroup.add_argument("-s",
metavar="SHARE",
dest='share',
default="all",
help="Specify a share (default C$)")
sgroup.add_argument("--spider",
metavar='FOLDER',
nargs='?',
default='.',
type=str,
help='Folder to spider (default: root directory)')
sgroup.add_argument("--content",
action='store_true',
help='Enable file content searching')
sgroup.add_argument(
"--pattern",
nargs='+',
help=
'Pattern(s) to search for in folders, filenames and file content')
sgroup.add_argument('-e',
'--extensions',
metavar='ext1,ext2,...',
default='',
help='Limit to some extensions')
sgroup.add_argument("--depth",
type=int,
default=10,
help='Spider recursion depth (default: 10)')
sgroup.add_argument('-m',
'--max-size',
type=int,
default=7000000,
help='max file size in byte (default 7 Mo)')
# -*- encoding: utf-8 -*-
from pupylib.PupyModule import PupyArgumentParser
from pupylib.PupyOutput import Success, Error, Table, Color
import time
usage = 'DNSCNC control'
parser = PupyArgumentParser(prog='dnscnc', description=usage)
parser.add_argument('-n',
'--node',
help='Send command only to this node (or session)')
parser.add_argument('-d',
'--default',
action='store_true',
default=False,
help='Set command as default for new connections')
commands = parser.add_subparsers(title='commands', dest='command')
status = commands.add_parser('status', help='DNSCNC status')
sessions = commands.add_parser('sessions', help='List known DNSCNC sessions')
sessions.add_argument('-r', action='store_true', help='Reverse sorting')
sorting = sessions.add_mutually_exclusive_group()
sorting.add_argument('-b', action='store_true', help='Sort by boot time')
sorting.add_argument('-o', action='store_true', help='Sort by OS')
sorting.add_argument('-i', action='store_true', help='Sort by IP')
sorting.add_argument('-n', action='store_true', help='Sort by node')
sorting.add_argument('-d', action='store_true', help='Sort by duration')
sorting.add_argument('-c',
action='store_true',
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='users', description=cls.__doc__)
action = cls.arg_parser.add_mutually_exclusive_group(required=True)
action.add_argument('-u', '--user', help='Become user')
action.add_argument('-r', '--restore', action='store_true', help='Restore previous user')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='smbcp',
description=cls.__doc__)
cls.arg_parser.add_argument('-u',
'--username',
default='',
help='Username')
cls.arg_parser.add_argument('-P',
'--port',
default=445,
type=int,
help='Port')
cls.arg_parser.add_argument('-p',
'--password',
default='',
help='Password')
cls.arg_parser.add_argument('-d',
'--domain',
default='',
help='Domain')
cls.arg_parser.add_argument('-H',
'--hash',
default='',
help='NTLM hash')
cls.arg_parser.add_argument('-T',
'--timeout',
default=30,
type=int,
help='Timeout')
cls.arg_parser.add_argument('-c',
'--codepage',
default=None,
help='Codepage')
commands = cls.arg_parser.add_subparsers(dest="command")
cp = commands.add_parser('cp')
cp.add_argument('src', help='Source')
cp.add_argument('dst', help='Destination')
cp.set_defaults(func=cls.cp)
ls = commands.add_parser('ls')
ls.add_argument('dst', help='Destination')
ls.set_defaults(func=cls.ls)
cat = commands.add_parser('cat')
cat.add_argument('remote', help='Remote file (be careful!)')
cat.set_defaults(func=cls.cat)
rm = commands.add_parser('rm')
rm.add_argument('dst', help='Destination')
rm.set_defaults(func=cls.rm)
mkdir = commands.add_parser('mkdir')
mkdir.add_argument('dst', help='Destination')
mkdir.set_defaults(func=cls.mkdir)
rmdir = commands.add_parser('rmdir')
rmdir.add_argument('dst', help='Destination')
rmdir.set_defaults(func=cls.rmdir)
shares = commands.add_parser('shares')
shares.add_argument('host', help='Host')
shares.set_defaults(func=cls.shares)
def init_argparse(cls):
'''
'''
cls.arg_parser = PupyArgumentParser(prog="outlook",
description=cls.__doc__)
cls.arg_parser.add_argument('-i',
dest='information',
action='store_true',
help="Get Outlook configuration")
cls.arg_parser.add_argument('-l',
dest='foldersAndSubFolders',
action='store_true',
help="Get Outlook folders and subfolders")
cls.arg_parser.add_argument(
'-n',
dest='numberOfEmails',
action='store_true',
help=
"Get number of emails stored in the outlook folder choisen (see options below)"
)
cls.arg_parser.add_argument(
'-d',
dest='downloadAllEmails',
action='store_true',
help=
"Download all emails stored in the outlook folder choisen with MAPI (see options below)"
)
cls.arg_parser.add_argument(
'-t',
dest='downloadOST',
action='store_true',
help="Download Outlook OST file (Offline or cached Outlook items)")
cls.arg_parser.add_argument(
'-s',
dest='search',
action='store_true',
help="Search strings in emails, see -strings for options")
cls.arg_parser.add_argument(
'-strings',
dest='strings',
default="password,pwd,credentials",
help=
"Strings to search in emails (use with -s) (default: %(default)s)")
cls.arg_parser.add_argument(
'-output-folder',
dest='localOutputFolder',
default='output/',
help=
"Folder which will contain emails locally (default: %(default)s)")
cls.arg_parser.add_argument(
'-folder-default',
choices=list(cls.OL_DEFAULT_FOLDERS),
default="olFolderInbox",
dest='outlookFolder',
help=
"Choose Outlook Folder using a default folder (default: %(default)s)"
)
cls.arg_parser.add_argument(
'-folder-id',
dest='folderId',
default=None,
help=
"Choose Outlook Folder using a folder ID (default: %(default)s)")
cls.arg_parser.add_argument(
'-otype',
choices=list(cls.OL_SAVE_AS_TYPE),
default="olMSG",
dest='msgSaveType',
help="Email saved as this type (default: %(default)s)")
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='upload', description=cls.__doc__)
cls.arg_parser.add_argument('local_file', metavar='<local_path>', completer=path_completer)
cls.arg_parser.add_argument('remote_file', nargs='?', metavar='<remote_path>',
completer=remote_dirs_completer)
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="exit",
description=cls.__doc__)
cls.arg_parser.add_argument('--yes',
action="store_true",
help='exit confirmation')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='mimipy', description=cls.__doc__)
cls.arg_parser.add_argument('-v', '--verbose', default=False, action='store_true', help='be more verbose !')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="mimikatz", description=cls.__doc__)
cls.arg_parser.add_argument(
'args', nargs='*', help='run mimikatz commands from argv (let empty to open mimikatz interactively)')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="hide_process",
description=cls.__doc__)
cls.arg_parser.add_argument('--argv',
default="/bin/bash",
help='change the new process argv')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='mouselogger',
description=cls.__doc__)
cls.arg_parser.add_argument('action',
choices=['start', 'stop', 'dump'])
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="rm", description=cls.__doc__)
cls.arg_parser.add_argument('path',
type=str,
action='store',
completer=remote_path_completer)
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='apps', description=cls.__doc__)
cls.arg_parser.add_argument('-a', '--get-all', action='store_true', help='get all installed package names')
cls.arg_parser.add_argument('-d', '--get-all-detailed', action='store_true', help='get all applications installed with details')
cls.arg_parser.add_argument('-c', '--contain', dest='contain', default=None, help='get all applications installed when package name contains the string given')
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='ad', description=cls.__doc__)
cls.arg_parser.add_argument('-G',
'--global-catalog',
default=False,
action='store_true',
help='Use AD Global catalg')
cls.arg_parser.add_argument('-r', '--realm', help='Realm to work with')
commands = cls.arg_parser.add_subparsers(title='commands')
bind = commands.add_parser('bind', help='Bind to server')
bind.add_argument('-l',
'--ldap-server',
help='DNS address of LDAP server')
bind.add_argument('-T',
'--recv-timeout',
default=60,
help='Socket read timeout')
bind.add_argument('-u', '--username', help='Username to authenticate')
bind.add_argument('-p', '--password', help='Password to authenticate')
bind.add_argument('-d', '--domain', help='Domain for Username')
bind.add_argument('-r', '--root', help='LDAP root')
bind.set_defaults(func=cls.bind)
unbind = commands.add_parser('unbind',
help='Disconnect and forget realm')
unbind.set_defaults(func=cls.unbind)
bounded = commands.add_parser('list', help='Show bounded realms')
bounded.set_defaults(func=cls.bounded)
info = commands.add_parser('info',
help='Info about current AD context')
info.set_defaults(func=cls.getinfo)
dump = commands.add_parser('dump',
help='Dump results of large searches')
dump.add_argument('-f', '--filter', help='LDAP custom filter')
dump.add_argument('-F',
'--full',
default=False,
action='store_true',
help='Dump all attributes')
dump.add_argument('target',
nargs='?',
help='Categories to dump, i.e.: users,computers OR '
'filter like (&(attr=XYZ)(attr2=CCC))')
dump.set_defaults(func=cls.dump)
childs = commands.add_parser('childs', help='Related AD servers')
childs.set_defaults(func=cls.childs)
search = commands.add_parser(
'search',
help='Search in AD (only small and fast, for large use dump)')
search.add_argument('-T',
'--table',
action='store_true',
default=False,
help='Output as table')
search.add_argument(
'term',
help='Search filter',
default='(objectClass=domain)',
)
search.add_argument(
'attributes',
nargs='?',
help='Attributes to search (Use * for ALL, default none)')
level = search.add_mutually_exclusive_group()
level.add_argument(
'-1',
'--base',
default=False,
action='store_true',
help='Use base search instead of subtree search. Default: False')
level.add_argument(
'-L',
'--level',
default=False,
action='store_true',
help='Use level search instead of subtree search. Default: False')
search.add_argument('-r',
'--root',
help='Use root instead of autodiscovered one')
search.add_argument('-n',
'--amount',
default=5,
type=int,
help='Amount of records. Default: 5')
search.add_argument('-t',
'--timeout',
default=5,
type=int,
help='Timeout (seconds). Default: 5')
search.set_defaults(func=cls.search)
# -*- encoding: utf-8 -*-
from pupylib.PupyModule import PupyArgumentParser
from pupylib.PupyOutput import (
Color, Error, Success, Table,
TruncateToTerm, NewLine, Line, MultiPart
)
from pupylib.utils.credentials import Credentials
usage = 'Credentials manager'
parser = PupyArgumentParser(prog='creds', description=usage)
parser.add_argument('-A', '--all', action='store_true', help='Search/Show info for all machines, not only active ones')
parser.add_argument('-k', '--key', help='Search in key in objects with key')
parser.add_argument('-s', '--sort', action='store_true', help='Search in key in objects with key')
parser.add_argument('--delete-db', action='store_true', help='Delete DB')
parser.add_argument('search', default='', nargs='?', help='Keyword to search')
def do(server, handler, config, modargs):
try:
credentials = Credentials(config=config)
except Exception, e:
handler.display(Error(e))
return
clients = server.get_clients_list()
cids = None
if modargs.delete_db:
credentials.remove()
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="msgbox",
description=cls.__doc__)
cls.arg_parser.add_argument('--title', help='msgbox title')
cls.arg_parser.add_argument('text',
help='text to print in the msgbox :)')
# -*- encoding: utf-8 -*-
from pupylib.PupyModule import PupyArgumentParser
from pupylib.PupyOutput import Success, Color, Table
import logging
levels = [ 'DEBUG', 'INFO', 'WARNING', 'ERROR' ]
levels += [ x.lower() for x in levels ]
usage = "Show/set log level"
parser = PupyArgumentParser(prog='logging', description='change pupysh logging level')
parser.add_argument(
'-L', '--logger', help='Apply log level only for specified logger',
choices=logging.Logger.manager.loggerDict.keys()
)
parser.add_argument('-s', '--set-level', choices=levels, help='Set log level')
parser.add_argument('-g', '--get-level', action='store_true', help='Get log level')
parser.add_argument('level', choices=levels, nargs='?', help='Set log level')
def levelToString(level):
return {
logging.ERROR: 'ERROR',
logging.WARNING: 'WARNING',
logging.INFO: 'INFO',
logging.DEBUG: 'DEBUG'
}.get(level)
def levelToColor(level):
return {
logging.ERROR: 'grey',
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog='reg',
description=cls.__doc__)
commands = cls.arg_parser.add_subparsers(dest='command')
ls = commands.add_parser('ls')
ls.add_argument('key',
default='HKCU',
help='List key (HKCU by default)')
ls.add_argument('-w',
'--wide',
action='store_true',
default=False,
help='Show all the things')
ls.set_defaults(func=cls.ls)
get = commands.add_parser('get')
get.add_argument('key', help='Key path (no default)')
get.add_argument('name',
nargs='?',
default='',
help='Value name (default is Default value)')
get.set_defaults(func=cls.get)
vset = commands.add_parser('set')
vset.add_argument('-c',
'--create',
action='store_true',
default=False,
help='Create key')
vset.add_argument('-i',
'--integer',
action='store_true',
default=False,
help='Set as DWORD/LE32, default SZ (string)')
vset.add_argument('key', help='Key path')
vset.add_argument('name', help='Value name to set')
vset.add_argument('value', help='Value to set')
vset.set_defaults(func=cls.set)
rm = commands.add_parser('rm')
rm.add_argument('key', help='Key path')
rm.add_argument('name',
default='',
nargs='?',
help='Value name or subkey to delete')
rm.set_defaults(func=cls.rm)
search = commands.add_parser('search')
search.add_argument('-r',
'--roots',
default=('HKU', 'HKLM', 'HKCC'),
nargs='+',
help='Roots where to search')
search.add_argument('-K',
'--exclude-key-name',
action='store_false',
default=True,
help='Do not search term in key names')
search.add_argument('-N',
'--exclude-value-name',
action='store_false',
default=True,
help='Do not search term in value names')
search.add_argument('-V',
'--exclude-value',
action='store_false',
default=True,
help='Do not search term in values')
search.add_argument('-R',
'--regex',
action='store_true',
default=False,
help='Search term is regex')
search.add_argument('-E',
'--equals',
action='store_true',
default=False,
help='Show only full matches')
search.add_argument('-i',
'--ignorecase',
action='store_true',
default=False,
help='Ignore case')
search.add_argument('-w',
'--wide',
action='store_true',
default=False,
help='Show all the things')
search.add_argument('-1',
'--first',
action='store_true',
default=False,
help='Return after first match')
search.add_argument('term', help='Term to search')
search.set_defaults(func=cls.search)
def init_argparse(cls):
cls.arg_parser = PupyArgumentParser(prog="w", description=cls.__doc__)
def init_argparse(cls):
example = 'Examples:\n'
example += '- Recursively search strings in files:\n'
example += '>> run search -C .*ini passw.*=.*\n'
example += '>> run search -C .* passw.*=.* -I\n'
example += '- Recursively search string in file names:\n'
example += '>> run search pwdfile.*\n'
cls.arg_parser = PupyArgumentParser(prog="search",
description=cls.__doc__,
epilog=example)
cls.arg_parser.add_argument(
'-p',
'--path',
default='.',
completer=remote_path_completer,
help='root path to start (default: current path)')
cls.arg_parser.add_argument('-m',
'--max-size',
type=int,
default=20000000,
help='max file size (default 20 Mo)')
cls.arg_parser.add_argument('-b',
'--binary',
action='store_true',
help='search content inside binary files')
cls.arg_parser.add_argument('-v',
'--verbose',
action='store_true',
help='show errors')
cls.arg_parser.add_argument('-C',
'--content-only',
action='store_true',
help='show only results with content')
cls.arg_parser.add_argument('-L',
'--links',
action='store_true',
help='follow symlinks')
cls.arg_parser.add_argument(
'-N',
'--no-content',
action='store_true',
help='if string matches, output just filename')
cls.arg_parser.add_argument('-I',
'--insensitive',
action='store_true',
default=False,
help='no case sensitive')
cls.arg_parser.add_argument('-F',
'--no-same-fs',
action='store_true',
default=False,
help='do not limit search to same fs')
cls.arg_parser.add_argument('-D',
'--download',
action='store_true',
help='download found files (imply -N)')
cls.arg_parser.add_argument('-A',
'--archive',
action='store_true',
default=False,
help='search in archive')
cls.arg_parser.add_argument('-U',
'--suid',
action='store_true',
default=False,
help='Search SUID files')
cls.arg_parser.add_argument('-G',
'--sgid',
action='store_true',
default=False,
help='Search SGID files')
cls.arg_parser.add_argument('-u',
'--user',
help='Search files owned by user')
cls.arg_parser.add_argument('-g',
'--group',
help='Search files owned by group')
cls.arg_parser.add_argument(
'-O',
'--own-world-accessible-write',
action='store_true',
help='Search accessible files for current process (write)')
cls.arg_parser.add_argument(
'-t',
'--timestamp-newer',
help='Search files which are newer than date')
cls.arg_parser.add_argument(
'-T',
'--timestamp-older',
help='Search files which are older than date')
cls.arg_parser.add_argument(
'-X',
'--xattr',
default=False,
nargs='?',
help='Search files with extended attributes (can be specified)')
cls.arg_parser.add_argument('filename',
type=str,
metavar='filename',
help='regex to search (filename)')
cls.arg_parser.add_argument('strings',
nargs='*',
default=[],
type=str,
metavar='string',
help='regex to search (content)')